ISO/IEC 7816-4
Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange
Cartes d’identification — Cartes à circuit intégré — Partie 4: Organisation, sécurité et commandes pour les échanges

SE identifier——A SE identifier (SEID byte) may reference any security environment, e.g., for secure messaging and for storing and restoring by a MANAGE SECURITY ENVIRONMENT command (see 7.5.11).
–Unless otherwise specified by the application, the value ’00′ denotes an empty environment where no secure messaging and no authentication are defined.
–The value ‘FF’ denotes that no operation can be performed in this environment.
–Unless otherwise specified by the application, the value ’01′ is reserved for the default SE, always available. This clause does not specify the content of the default SE; it may be empty.
–The value ‘EF’ is reserved for future use.

Components——Control reference templates (CRT) may describe various components of a SE. Any relative control reference (files, keys or data) specified with a mechanism in the environment definition shall be resolved with respect to the DF selected before using the mechanism. Absolute control references (e.g.,
absolute path) need not be resolved. Within an SE, components may have two aspects: one being valid for SM in command data fields and the other for SM in response data fields.
At any time during card operation, a current SE shall be active, either by default or as a result of commands performed by the card. The current SE contains one or more components among the following components.
–Some components belong to the default SE associated with the current DF.
–Some components are transmitted in commands using secure messaging.
–Some components are transmitted in MANAGE SECURITY ENVIRONMENT commands.
–Some components are invoked by a SEID byte in a MANAGE SECURITY ENVIRONMENT command.
The current SE is valid until there is a warm reset or a deactivation of the contacts (see ISO/IEC 7816-3), a change of context (e.g., by selecting a different application DF) or a MANAGE SECURITY ENVIRONMENT command setting or replacing the current SE. In SM, control reference data objects transmitted in a CRT shall take precedence over any corresponding control reference data object present in the current SE.

Certificate holder authorization——Authentication procedures may use card-verifiable certificates, i.e., templates that can be interpreted and verified by the card by a VERIFY CERTIFICATE operation using a public key (see ISO/IEC 7816-8[4]). In such a certificate, a certificate holder authorization (e.g., a role identifier) may be conveyed in an interindustry data element referenced by tag ’5F4C’. If such a data element is used in the security conditions to fulfil for accessing data or functions, then the data object (tag ’5F4C’) shall be present in the control reference template for authentication (AT) describing the authentication procedure.
NOTE: In the first edition of ISO/IEC 7816-9[4], tag ’5F4B’ references a certificate holder authorization (data element of five or more bytes). In amendment 1 to the first edition of ISO/IEC 7816-6, tag ’5F4B’ references an integrated circuit manufacturer identifier (one-byte data element). Consequently, tag ’5F4B’ is deprecated in ISO/IEC 7816.

Access control——The card may store security environments used for access control within EFs (see tag ’8D’ in Table 12) containing interindustry SE templates (tag ’7B’). Within the interindustry SE template (tag ’7B’), the context-specific class (first byte from ’80′ to ‘BF’) is reserved for security environment data objects. As listed in Table 37, for every included SE, the security environment template contains a SEID byte data object (tag ’80′), an optional LCS byte data object (tag ’8A’), one or more optional cryptographic mechanism identifier template (tag ‘AC’) and one or more CRTs (tags ‘A4′, ‘A6′, ‘AA’, ‘B4′, ‘B6′, ‘B8′, as SM tags).

Table 37 — Security environment data objects

PVC Patch MIFARE DESFire EV1 Smart Card 4k byte/32k bit,Mifare DESFire EV1 4K Proximity Contactless Cards,Mifare DESFire EV1 4K Plain White Cards,

If present in the SE template, the LCS byte data object indicates for which life cycle state the SE is valid. If the SE is used for access control, e.g., to a file, then the LCS byte of the file and the LCS byte of the SE have to match. If no LCS byte data object is present, then the SE is valid for the activated operational state. In the SE template, if a CRT carries several data objects with the same tag (e.g., data objects specifying a key reference), then at least one of the data objects has to be fulfilled (OR condition).

SE retrieval——Any CRT in the current SE may be retrieved by a GET DATA command with P1-P2 set to ’004D’ (extended header list, see 8.5.1) and a command data field consisting of a SE template (tag ’7B’) containing one or more pairs, each one consisting of a CRT tag followed by ’80′ (see 8.5.1 for the use of a length set to ’80′ in an extended header list).