ISO/IEC 7816-4
Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange
Cartes d’identification — Cartes à circuit intégré — Partie 4: Organisation, sécurité et commandes pour les échanges

Security condition byte

Each security condition byte specifies which security mechanisms are necessary to conform to the access rule. Table 20 shows the security condition byte.

Table 20 — Security condition byte
b8 b7 b6 b5 b4 b3 b2 b1  Meaning
0  0  0  0  0  0  0  0   No condition
1  1  1  1  1  1  1  1   Never
-  -  -  -  0  0  0  0   No reference to a security environment
-  -  -  -  not all equal  Security environment identifier (SEID byte, see 6.3.4) from one to fourteen
-  -  -  -  1  1  1  1   Reserved for future use
0  -  -  -  -  -  -  -   At least one condition
1  -  -  -  -  -  -  -   All conditions
-  1  -  -  -  -  -  -   Secure messaging
-  -  1  -  -  -  -  -   External authentication
-  -  -  1  -  -  -  -   User authentication (e.g., password)
Bits 8 to 5 indicate the required security conditions. If bits 4 to 1 are not all equal, they identify a security environment (see 6.3.4, SEID byte from one to fourteen), and the mechanisms defined in that security environment shall be used according to the indications in bits 7 to 5 for command protection and / or external authentication and / or user authentication.

– If bit 8 is set to 1, then all the conditions set in bits 7 to 5 shall be satisfied.
– If bit 8 is set to 0, then at least one of the conditions set in bits 7 to 5 shall be satisfied.
– If bit 7 is set to 1, then the control reference template (see 6.3.1) of the security environment identified in bits 4 to 1, i.e., a SEID byte from one to fourteen, describes whether secure messaging shall apply to the command data field and / or to the response data field (see usage qualifier byte, Table 35).
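The following Python is an added worked example, not text or code from ISO/IEC 7816-4: it decodes a compact-format security condition byte exactly as Table 20 and the three rules above lay it out (b8 selects all/any, b7 to b5 name the mechanisms, b4 to b1 carry the SEID), and checks the byte against the set of mechanisms a card session has already completed. The mechanism names, the `achieved` set and the reading that a byte whose bits 7 to 5 are all zero demands nothing are assumptions of the example.

```python
# Added example, not part of ISO/IEC 7816-4: decode a compact-format security
# condition byte (Table 20) and check it against the mechanisms a session has completed.

SM, EXT_AUTH, USER_AUTH = "secure_messaging", "external_authentication", "user_authentication"


def decode_security_condition_byte(sc: int) -> dict:
    """Interpret one security condition byte according to Table 20."""
    if not 0 <= sc <= 0xFF:
        raise ValueError("a security condition byte is a single byte")
    if sc == 0x00:
        return {"kind": "no_condition"}
    if sc == 0xFF:
        return {"kind": "never"}
    seid = sc & 0x0F
    if seid == 0x0F:
        raise ValueError("bits 4 to 1 = 1111 are reserved for future use")
    # b7: secure messaging, b6: external authentication, b5: user authentication
    mechanisms = [name for bit, name in ((0x40, SM), (0x20, EXT_AUTH), (0x10, USER_AUTH)) if sc & bit]
    return {
        "kind": "conditions",
        "all_required": bool(sc & 0x80),  # b8 = 1: every mechanism in b7..b5; b8 = 0: at least one
        "mechanisms": mechanisms,
        "seid": seid or None,             # 0000: no security environment referenced
    }


def is_satisfied(sc: int, achieved: set) -> bool:
    """True when the mechanisms already completed (`achieved`) meet the byte's condition."""
    rule = decode_security_condition_byte(sc)
    if rule["kind"] == "no_condition":
        return True
    if rule["kind"] == "never":
        return False
    if not rule["mechanisms"]:
        return True  # assumption for this example: bits 7..5 all zero demands nothing
    check = all if rule["all_required"] else any
    return check(m in achieved for m in rule["mechanisms"])


def describe(sc: int) -> str:
    """Human-readable rendering, useful when dumping a file's control parameters."""
    rule = decode_security_condition_byte(sc)
    if rule["kind"] != "conditions":
        return rule["kind"].replace("_", " ")
    joiner = " AND " if rule["all_required"] else " OR "
    where = f" (mechanisms from SE #{rule['seid']})" if rule["seid"] else ""
    return joiner.join(rule["mechanisms"]) + where


if __name__ == "__main__":
    for sc in (0x00, 0xFF, 0x40, 0xB2, 0x30):
        print(f"{sc:02X}: {describe(sc)}")
```

`describe()` is what a file-system dump tool would print next to each access mode; `is_satisfied()` is the check a card-side or emulator-side command dispatcher performs before executing the command. Note that the decoder rejects the reserved value 1111 in bits 4 to 1 rather than silently treating it as an SEID.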

Expanded format
In expanded format, an access rule consists of an access mode data object followed by one or more security condition data objects. Access control to an object is managed by referencing access rules from the related object. A template with tag 'AB' may be present in the control parameters of any file (see Table 12) for such access rules.

Access mode data objects – An access mode data object contains either an access mode byte (see Tables 16 to 19), or a list of command descriptions, or a proprietary state machine description; subsequent security condition data objects are relevant for all the indicated commands. Table 21 shows access mode data objects.

Table 21 — Access mode data objects
Tag           Length  Value                                  Meaning
'80'          1       Access mode byte                       See Tables 16 to 19
'81' to '8F'  Var.    Command header description             List of [part of] command headers (see Table 22)
'9C'          Var.    Proprietary state machine description  -

If the tag is from '81' to '8F', then the access mode data element represents a list of possible combinations of values of the four bytes CLA, INS, P1 and P2 in the command header. Depending on bits 4 to 1 of the tag, the list contains only values as described in Table 22. Several groups may appear in order to define a set of commands, e.g., values of INS P1 P2, INS P1 P2, … for tag '87'.

Table 22 — Tags '81' to '8F' for access mode data objects
b8 b7 b6 b5 b4 b3 b2 b1  Meaning
1  0  0  0  x  x  x  x   The command description includes
1  0  0  0  1  -  -  -   — (CLA), i.e., the value of CLA
1  0  0  0  -  1  -  -   — (INS), i.e., the value of INS
1  0  0  0  -  -  1  -   — (P1), i.e., the value of P1
1  0  0  0  -  -  -  1   — (P2), i.e., the value of P2

– The value of CLA shall encode zero as channel number, with the meaning that the description is independent from logical channels.
– The INS code shall be even, with the meaning that the description is independent from data field format indications.

Security condition data objects – According to Table 23, the security condition data objects define the security actions required for accessing an object protected through the particular access mode data object. If used as a security condition, a control reference template (see 6.3.1) referenced by tag 'A4' (AT), 'B4' (CCT), 'B6' (DST) or 'B8' (CT) shall contain a usage qualifier data object (see Table 35) indicating the security action.

Table 23 — Security condition data objects
Tag               Length  Value                            Meaning
'90'              0       -                                Always
'97'              0       -                                Never
'9E'              1       Security condition byte          See Table 20
'A4'              Var.    Control reference template       External or user authentication depending on the usage qualifier
'B4', 'B6', 'B8'  Var.    Control reference template       SM in command and / or response depending on the usage qualifier
'A0'              Var.    Security condition data objects  At least one security condition shall be fulfilled (OR template)
'A7'              Var.    Security condition data objects  Inversion of the security conditions (NOT template)
'AF'              Var.    Security condition data objects  Every security condition shall be fulfilled (AND template)

Several security condition data objects may be attached to the same operation.
– If security condition data objects are nested in an OR template (tag 'A0'), then at least one security condition shall be fulfilled before acting.
– If security condition data objects are not nested in an OR template (tag 'A0'), or if they are nested in an AND template (tag 'AF'), then every security condition shall be fulfilled before acting.
– If security condition data objects are nested in a NOT template (tag 'A7'), then the security conditions are true until they are not fulfilled.
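The following Python is an added worked example, not code from ISO/IEC 7816-4 or from any card implementation: it parses the contents of an 'AB' template as a sequence of expanded-format access rules (an access mode data object from Table 21 followed by its security condition data objects from Table 23), matches a command header against the '81' to '8F' header descriptions of Table 22 while applying the channel-zero and even-INS normalisation stated above, and evaluates the OR / AND / NOT nesting rules just listed against the mechanisms a session has completed. Assumptions of the example, not statements of the page: the usage qualifier data object inside a CRT is read under tag '95' with the bit meanings the editor recalls from Table 35 of the 2005 edition (check against your copy); the channel number occupies b2 b1 of CLA; only header-description access modes are handled (the access mode byte of Tables 16 to 19 and the '9C' state machine are out of scope); the first rule whose access mode covers the command decides; the sample 'AB' contents and the INS value E4 are constructed.

```python
# Added example, not part of ISO/IEC 7816-4: evaluate an expanded-format access rule
# list (contents of an 'AB' template, Tables 21 to 23) for a command header, given the
# set of security mechanisms the session has already completed.

SM, EXT_AUTH, USER_AUTH = "secure_messaging", "external_authentication", "user_authentication"
USAGE_QUALIFIER_TAG = 0x95  # usage qualifier DO inside a CRT; tag and bit meanings below follow
                            # Table 35 of the 2005 edition as recalled (assumption: verify)


def parse_tlv(data: bytes) -> list:
    """Minimal BER-TLV reader for this example: one-byte tags, lengths up to the '82' form."""
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length == 0x81:
            length, i = data[i], i + 1
        elif length == 0x82:
            length, i = int.from_bytes(data[i:i + 2], "big"), i + 2
        elif length > 0x80:
            raise ValueError("unsupported length encoding")
        if i + length > len(data):
            raise ValueError("TLV length runs past end of data")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def header_matches(tag: int, value: bytes, header: tuple) -> bool:
    """Tag '81'..'8F' (Table 22): bits 4 to 1 say which of CLA, INS, P1, P2 each group carries."""
    fields = [k for k, bit in enumerate((0x08, 0x04, 0x02, 0x01)) if tag & bit]
    if not fields or len(value) % len(fields):
        raise ValueError("malformed command header description")
    cla, ins, p1, p2 = header
    # The description encodes channel 0 in CLA and an even INS, so normalise the real header
    # the same way. Assumption: the channel number sits in b2 b1 of CLA (channels 0 to 3).
    norm = (cla & 0xFC, ins & 0xFE, p1, p2)
    groups = [value[i:i + len(fields)] for i in range(0, len(value), len(fields))]
    return any(all(g[k] == norm[f] for k, f in enumerate(fields)) for g in groups)


def crt_requirements(tag: int, value: bytes) -> set:
    """Mechanisms demanded by a CRT used as a security condition ('A4', 'B4', 'B6', 'B8')."""
    uq = next((v[0] for t, v in parse_tlv(value) if t == USAGE_QUALIFIER_TAG and v), 0)
    needed = set()
    if tag == 0xA4:                          # AT: authentication template
        if uq & 0x80: needed.add(EXT_AUTH)   # b8: verification / external authentication
        if uq & 0x18: needed.add(USER_AUTH)  # b4, b3: user authentication (knowledge / biometry)
    elif uq & 0x30:                          # CCT / DST / CT: b6, b5 = SM in response / command
        needed.add(SM)
    return needed


def condition_met(tag: int, value: bytes, achieved: set) -> bool:
    """Evaluate one security condition DO (Table 23), recursing into OR / AND / NOT templates."""
    if tag == 0x90: return True              # always
    if tag == 0x97: return False             # never
    if tag == 0x9E:                          # security condition byte, Table 20
        sc = value[0]
        if sc == 0x00: return True
        if sc == 0xFF: return False
        needed = [m for bit, m in ((0x40, SM), (0x20, EXT_AUTH), (0x10, USER_AUTH)) if sc & bit]
        return (all if sc & 0x80 else any)(m in achieved for m in needed)
    if tag in (0xA4, 0xB4, 0xB6, 0xB8):
        return crt_requirements(tag, value) <= achieved
    if tag in (0xA0, 0xA7, 0xAF):
        nested = [condition_met(t, v, achieved) for t, v in parse_tlv(value)]
        if tag == 0xA0: return any(nested)   # OR template
        if tag == 0xAF: return all(nested)   # AND template
        return not all(nested)               # NOT template: true until the nested conditions hold
    raise ValueError(f"unknown security condition tag {tag:02X}")


def access_allowed(ab_contents: bytes, header: tuple, achieved: set):
    """True/False from the first rule whose access mode covers `header`; None if no rule does."""
    rules, current = [], None
    for tag, value in parse_tlv(ab_contents):
        if 0x80 <= tag <= 0x8F or tag == 0x9C:   # an access mode DO starts a new rule
            current = (tag, value, [])
            rules.append(current)
        elif current is None:
            raise ValueError("security condition DO before any access mode DO")
        else:
            current[2].append((tag, value))
    for mode_tag, mode_value, conditions in rules:
        if not 0x81 <= mode_tag <= 0x8F:
            raise ValueError("access mode byte and state machine modes are outside this example")
        if header_matches(mode_tag, mode_value, header):
            # Conditions not nested in an OR template are all required (see the rules above)
            return all(condition_met(t, v, achieved) for t, v in conditions)
    return None


# Constructed sample 'AB' contents (not taken from the standard):
SAMPLE_AB = bytes.fromhex(
    "8703B00000"            # AM '87' (INS P1 P2): B0 00 00
    "9000"                  #   SC '90': always
    "8401D6"                # AM '84' (INS only): D6
    "9E0140"                #   SC '9E' 40: secure messaging required ...
    "A0089E0120A403950108"  #   ... AND OR('9E' 20 = external auth, 'A4' CRT with usage qualifier 08 = user auth)
    "8401E4"                # AM '84' (INS only): E4 (constructed value)
    "9700"                  #   SC '97': never
)

if __name__ == "__main__":
    print(access_allowed(SAMPLE_AB, (0x00, 0xB0, 0x00, 0x00), set()))
    print(access_allowed(SAMPLE_AB, (0x00, 0xD6, 0x00, 0x00), {SM, USER_AUTH}))
```

The evaluator returns `None` when no access mode covers the command, so the caller can distinguish "no rule for this command" from an explicit denial; what a card does in that case is a policy of the card's file system, not something the text above fixes. The NOT template is evaluated as the inversion of the AND of its nested conditions, which is the reading of "true until they are not fulfilled" combined with the rule that conditions not nested in an OR template are all required.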