ISO/IEC 7816-4
Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange
Cartes d’identification — Cartes à circuit intégré — Partie 4: Organisation, sécurité et commandes pour les échanges

Security attributes
Referenced by tags '86', '8B', '8C', '8E', 'A0', 'A1', 'AB', security attributes may be present in the control parameters of any file (see Table 12). Any object in the card (e.g., command, file, data object, table & view) may be associated with more than one security attribute and/or with a reference contained in a security attribute.
Referenced by tag 'A0', a security attribute template for data objects may be present in the control parameters of any file. Such a template is the concatenation of a security attribute data object (tags '86', '8B', '8C', '8E', 'A0', 'A1', 'AB') and a tag list data object (tag '5C', see 8.5.1) indicating the relevant data objects in the file.
Referenced by tag '8E', a channel security attribute (at most one) may be present in the control parameters of any file (see Table 12) and in any appropriate security environment (SE, see 6.3.3). It shall be interpreted according to Table 15.
- "Not shareable" means that at most one logical channel shall be available. The physical technology of the channel may be limited.
- "Secured" means that SM keys (see 6) shall be available (e.g., established by a previous authentication).
- "User authenticated" means that the user shall be authenticated (e.g., a successful password verification).

Table 15 — Channel security attribute
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
0 0 0 0 0 - - 1 Not shareable
0 0 0 0 0 - 1 - Secured
0 0 0 0 0 1 - - User authenticated
Any other value is reserved for future use by ISO/IEC JTC 1/SC 17.

In an SCQL environment (see ISO/IEC 7816-7[4], commands for structured card query language), security attributes can be specified in SCQL operations, e.g., CREATE TABLE and CREATE VIEW commands. If security attributes based on this clause are used, then they shall be conveyed in a data object with tags '8B', '8C' or 'AB' in the security attribute parameters of an SCQL operation.

Formats
This clause defines two formats for binding objects and security attributes: a compact format based on bitmaps and an expanded format that extends the compact format by TLV list management.

Compact format
In compact format, an access rule consists of an access mode byte followed by one or more security condition bytes. Access control to an object is managed by binding access rules to the related object. If several access rules are present in the value field of a data object with tag '8C' (see Table 12), they represent an OR condition.

Access mode bytes
Each bit 7 to 1 indicates either the absence of a security condition byte when set to 0, or the presence of a security condition byte in the same order (bits 7 to 1) when set to 1. When bit 8 is set to 1, bits 7 to 4 may be used for additional commands, e.g., application-specific commands.
Tables 16 to 19 define access mode bytes respectively for DFs, EFs, data objects and tables & views.

Table 16 — Access mode byte for DFs
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
0 - - - - - - - Bits 7 to 1 according to this table
1 - - - - - - - Bits 3 to 1 according to this table (bits 7 to 4 proprietary)
0 1 - - - - - - DELETE FILE(self)
0 - 1 - - - - - TERMINATE CARD USAGE(MF), TERMINATE DF
0 - - 1 - - - - ACTIVATE FILE
0 - - - 1 - - - DEACTIVATE FILE
- - - - - 1 - - CREATE FILE (DF creation)
- - - - - - 1 - CREATE FILE (EF creation)
- - - - - - - 1 DELETE FILE (child)

Table 17 — Access mode byte for EFs
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
0 - - - - - - - Bits 7 to 1 according to this table
1 - - - - - - - Bits 3 to 1 according to this table (bits 7 to 4 proprietary)
0 1 - - - - - - DELETE FILE
0 - 1 - - - - - TERMINATE EF
0 - - 1 - - - - ACTIVATE FILE
0 - - - 1 - - - DEACTIVATE FILE
- - - - - 1 - - WRITE BINARY, WRITE RECORD, APPEND RECORD
- - - - - - 1 - UPDATE BINARY, UPDATE RECORD, ERASE BINARY, ERASE RECORD (S)
- - - - - - - 1 READ BINARY, READ RECORD (S), SEARCH BINARY, SEARCH RECORD

Table 18 — Access mode byte for data objects
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
0 - - - - - - - Bits 7 to 1 according to this table
1 - - - - - - - Bits 3 to 1 according to this table (bits 7 to 4 proprietary)
0 x x x x - - - 000 (any other value is reserved for future use)
- - - - - 1 - - MANAGE SECURITY ENVIRONMENT
- - - - - - 1 - PUT DATA
- - - - - - - 1 GET DATA

Table 19 — Access mode byte for tables & views
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
0 - - - - - - - Bits 7 to 1 according to this table
1 - - - - - - - Bits 3 to 1 according to this table (bits 7 to 4 proprietary)
0 1 - - - - - - CREATE USER, DELETE USER
0 - 1 - - - - - GRANT, REVOKE
0 - - 1 - - - - CREATE TABLE, CREATE VIEW, CREATE DICTIONARY
0 - - - 1 - - - DROP TABLE, DROP VIEW
- - - - - 1 - - INSERT
- - - - - - 1 - UPDATE, DELETE
- - - - - - - 1 FETCH
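The following decoder is an added illustration of the compact format above (tag '8C': access mode byte plus one security condition byte per set bit b7..b1, several rules in one value field forming an OR condition) and of the channel security attribute of Table 15; it is not code from ISO/IEC 7816-4. The bit names are taken from Table 17 (EFs); the sample '8C' values are constructed, and the security condition bytes are kept raw because their coding is not part of this extract.

```python
# Compact-format access rule decoder (added example, not from the standard).
# Names for b7..b1 follow Table 17 (EFs) with b8 = 0; when b8 = 1, bits 7..4
# are proprietary commands but still announce a security condition byte.
EF_ACCESS_MODES = {
    7: "DELETE FILE",
    6: "TERMINATE EF",
    5: "ACTIVATE FILE",
    4: "DEACTIVATE FILE",
    3: "WRITE BINARY, WRITE RECORD, APPEND RECORD",
    2: "UPDATE BINARY, UPDATE RECORD, ERASE BINARY, ERASE RECORD (S)",
    1: "READ BINARY, READ RECORD (S), SEARCH BINARY, SEARCH RECORD",
}

# Constructed sample value field of tag '8C': two rules, i.e. an OR condition.
#   03 FF 00 -> b2 (UPDATE...) guarded by SC byte FF, b1 (READ...) by SC byte 00
#   40 1E    -> b7 (DELETE FILE) guarded by SC byte 1E
SAMPLE_8C = bytes.fromhex("03FF00401E")


def parse_compact_rules(value: bytes, modes: dict = EF_ACCESS_MODES) -> list:
    """Split an '8C' value field into its access rules.

    Each rule is {"am": access mode byte, "proprietary": b8 flag,
    "conditions": {command group -> raw security condition byte}}.
    A rule's length is 1 + number of set bits among b7..b1, which is how
    consecutive rules are delimited; a short value field is rejected.
    """
    rules, i = [], 0
    while i < len(value):
        am = value[i]
        proprietary = bool(am & 0x80)
        bits = [b for b in range(7, 0, -1) if am & (1 << (b - 1))]
        if i + 1 + len(bits) > len(value):
            raise ValueError("truncated access rule at offset %d" % i)
        conditions = {}
        for n, b in enumerate(bits):  # SC bytes follow in b7..b1 order
            name = "proprietary command (bit %d)" % b if proprietary and b >= 4 else modes[b]
            conditions[name] = value[i + 1 + n]
        rules.append({"am": am, "proprietary": proprietary, "conditions": conditions})
        i += 1 + len(bits)
    return rules


def parse_channel_attribute(byte: int) -> set:
    """Decode a channel security attribute byte (tag '8E') per Table 15."""
    if byte & 0xF8:  # b8..b4 must be 0; anything else is reserved
        raise ValueError("reserved channel security attribute %02X" % byte)
    flags = {0x01: "Not shareable", 0x02: "Secured", 0x04: "User authenticated"}
    return {name for mask, name in flags.items() if byte & mask}
```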