File access conditions
As part of their object-oriented design, all files contain information governing access to them within the context of the file management system. This information is always physically coded in the header of each file. The entire security of smart card file management is based on managing file access privileges, since these privileges form the basis for controlling file access. The access conditions are defined when a file is created, and they usually cannot be modified afterwards. There is a high degree of variation in the permitted file access conditions, depending on the commands present in the operating system. For example, there is no point in defining access conditions for a READ RECORD command if this command is not present in the smart card operating system. For the MF and the DFs (in contrast to the EFs), there is no information stored with respect to data access (read or write privileges). Instead, the access conditions for creating new files are stored together with other information. Depending on the file type, other access conditions may also be stored. For EFs, these conditions relate to accesses to the file contents, and for the MF and DFs, they are the conditions that apply within these organizational structures.

In specifying access conditions, a distinction can be made between state-oriented and command-oriented access conditions. With state-oriented conditions, the current security state is compared with the corresponding access condition of the file using a definable logical comparison. There are two options for the current security state: the global security state and the local security state. The global security state is the security state of the MF, which means the state of the smart card as a whole. The local security state is the state of the currently selected directory, which means the state of the DF or the state of the directory above the DF.
Both the global security state and the local security state can be altered by successful execution of identification and authentication commands using specific keys. When access to a file is requested, a logical comparison function is used to compare the current security state with the state specified in the file as the access condition. If this comparison is successful, the file may be accessed. For example, read access might be allowed in states 5 and above. In this case, read access would be prohibited in any state lower than state 5. Naturally, it is also possible to specify several different states for a particular type of access. For example, read access could be allowed in states 5, 8 and 9. As a rule, the retry counter (error counter) for the associated secret is reset to zero if the comparison is successful. If the comparison is not successful, the error counter is incremented, and if it reaches its maximum allowed value, the associated key is blocked.

At first glance, state-oriented access conditions may appear to be relatively complicated. However, they provide an enormous amount of freedom in the creation of applications, and in principle they can be used for any possible architecture. Their drawback is that they are relatively complex.

In contrast to state-oriented access conditions, command-oriented access conditions define the commands that must be correctly executed prior to the access. This primarily involves authentication and identification commands. Command-oriented access conditions are widely used in the smart card world, with the best-known example being smart cards for the GSM system. With command-oriented access conditions, the access table in the file contains information about the commands that must be successfully executed for each type of access. In many cases, the commands are further assigned to specific keys. In practice, for instance, the condition for read access to a file may require prior identification of the user by means of the VERIFY command and the user's No. 1 PIN. In this case, the file can be read only after this command has been successfully executed. The advantage of this type of access protection is its simple structure, which is generally suitable for the majority of applications. However, additional overhead is generally required if command-oriented access conditions are used, particularly with multiapplication smart cards. For instance, the access tables would have to be extended in the case of an operating system that supports downloadable program code, since explicit references to specific commands must be present in these tables. Consequently, this type of file access condition is somewhat inflexible in certain situations.

All possible types of access to an EF must be precisely governed by means of access privileges. The number of commands that this involves varies, depending on the operating system. Some of the most commonly used file access commands are the following:

    APPEND             Enlarge a file
    DELETE FILE        Delete a file
    INCREASE/DECREASE  Computations within a file
    INVALIDATE         Block a file
    LOCK               Permanently block a file
    READ/SEEK          Read or search within a file
    REHABILITATE       Unblock a file
    WRITE/UPDATE       Write within a file
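The two evaluation styles described above, modelled as an added example (not code from the book or from any real card operating system): a state-oriented rule compares the global or local security state with the file's condition (a threshold such as "state 5 and above" or a set such as {5, 8, 9}), a command-oriented rule checks that the required (command, key) pairs have been executed, and VERIFY maintains the retry counter that blocks the key. The class names, MAX_RETRIES and the rule encoding are assumptions for illustration.

```python
# Added model of EF access conditions (not code from the book); class and
# function names are hypothetical. MAX_RETRIES is an assumed retry limit.
from dataclasses import dataclass, field

MAX_RETRIES = 3

@dataclass
class Key:
    value: str
    retries: int = 0                      # error counter for this secret
    def blocked(self):
        return self.retries >= MAX_RETRIES

@dataclass
class Card:
    keys: dict                            # key name -> Key
    global_state: int = 0                 # security state of the MF
    local_state: int = 0                  # security state of the current DF
    executed: set = field(default_factory=set)  # (command, key) pairs done

    def verify(self, key_name, candidate, new_state=None, global_scope=False):
        """VERIFY: success resets the retry counter, records the command and
        may raise a security state; failure counts an error and blocks the key."""
        key = self.keys[key_name]
        if key.blocked() or candidate != key.value:
            key.retries = min(key.retries + 1, MAX_RETRIES)
            return False
        key.retries = 0
        self.executed.add(("VERIFY", key_name))
        if new_state is not None:
            if global_scope:
                self.global_state = new_state
            else:
                self.local_state = new_state
        return True

@dataclass
class EF:
    access: dict   # access type -> ("state", scope, (op, arg)) or ("cmd", set)

def check_access(card, ef, access_type):
    """Apply the file's access condition for one access type."""
    rule = ef.access[access_type]
    if rule[0] == "state":               # state-oriented: compare security state
        _, scope, (op, arg) = rule
        state = card.global_state if scope == "global" else card.local_state
        return state >= arg if op == ">=" else state in arg
    _, required = rule                   # command-oriented: required commands done?
    return required <= card.executed
```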
The access conditions of a DF are fundamentally different from those of an EF. They specify the conditions under which specific commands may be executed within the directory in question. The three most important access commands are:

    CREATE             Create a new file
    DELETE FILE        Delete a file
    REGISTER           Register a new file
State-oriented access conditions are primarily used in multifunctional smart card operating systems, such as STARCOS, since they are highly flexible and easily modified. However, most large smart card applications, such as GSM and the German Eurocheque system, use command-oriented access conditions to control file access. This approach requires slightly less program code and memory than state-oriented access conditions. Of course, this comes at the price of somewhat lower flexibility. Both approaches have their advantages and disadvantages, and most arguments in favor of one or the other are ultimately based on philosophical issues related to the design of operating systems. However, a method that can be used to flexibly fashion access conditions in a general form for controlling access to resources (including files) has now been specified in the ISO/IEC 7816-9 standard. This highly powerful concept is described in more detail further on.