If a state machine must be implemented in an operating system, there are various ways in which it can be constructed. However, certain basic principles must be observed, independent of the operating system and its producer. In the previously described layered model of the operating system, the state machine must be located after the command interpreter and before the actual execution of the command. The task of the state machine is to determine whether the received command may be executed in the present state, and it does this using a table. A basic principle here, as is usual with smart cards, is to use as little memory as possible to hold the state information. In addition, this information must be structured such that the state machine itself can be built using as little memory as possible. The state machine needs a certain amount of information to analyze the command held in the I/O buffer.

Figure 5.31 shows a possible structure for a smart card state table. The first data element (initial state) identifies the state to which the rest of the data in the structure applies; it could simply contain a number that directly defines this state. This is followed by a subtable that identifies all commands that are allowed in the initial state. It must be possible to identify a single command, a group of commands, all commands or no commands in each subtable. The allowed parameters for a command follow the command definition in the table structure. In these data elements, it must be possible to define both individual values and ranges of values for the parameters. For example, if the code for the READ BINARY command is in the command field, the P1 and P2 parameter fields could contain the minimum and maximum offset values for a read access to transparent data, while the P3 parameter field could contain the lower and upper limits for the length. Since multiple entries may be present in this subtable for a given state, additional commands and their parameters could be defined after READ BINARY.

A table entry concludes with the new state that is to be assumed if the command is executed successfully, which means if command execution completes without any errors. The data structure of the example also allows a state to be defined that is to be assumed if command execution is not successful. In order to maintain a high degree of flexibility within the state machine, it must be possible to specify subsequent states either absolutely or relatively. Here ‘relative’ means that the new state is obtained by adding a value to, or subtracting a value from, the value of the initial state, while ‘absolute’ means that the value of the new state is set directly, without reference to the value of the initial state.

In principle, there are no limits to how a state machine can be constructed. The data structure illustrated here is quite suitable for use in a relatively sophisticated operating system, and every possible state diagram can be represented in a smart card using this data structure and a corresponding state machine. Naturally, individual files also have their own supplementary protection against unauthorized reading or writing in the form of access conditions for commands. Nevertheless, sequential control of commands provides an additional, higher-level mechanism that complements this object-oriented protection and thus increases the security of the system. This is actually the primary benefit of using state machines in smart cards.
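The table structure described above, worked through in C as an added example; this is not code from the book or from any particular card operating system. The state diagram (reset, file selected, PIN verified, blocked), the choice of commands, the encoding of a command group as an INS pattern plus mask, the fail-closed handling of a next state that lies outside the diagram, and all function and constant names are assumptions made for this illustration. Each table entry carries the initial state, the command (single, masked group, all or none), a minimum and maximum for P1, P2 and P3, and the next state after success and after failure, each given either absolutely or relative to the initial state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* INS bytes (ISO/IEC 7816-4) of the commands used in the example table. */
#define INS_SELECT       0xA4
#define INS_VERIFY       0x20
#define INS_READ_BINARY  0xB0

enum { ST_RESET = 0, ST_SELECTED = 1, ST_VERIFIED = 2, ST_BLOCKED = 3, ST_MAX = 3 }; /* assumed diagram */

/* Command field of an entry: one INS, a masked group of INS codes, all, or none. */
typedef enum { CMD_SINGLE, CMD_GROUP, CMD_ANY, CMD_NONE } cmd_kind_t;

/* Next state, given absolutely or relative to the entry's initial state. */
typedef struct { uint8_t relative; int8_t value; } next_t;
#define NEXT_ABS(v) { 0, (int8_t)(v) }
#define NEXT_REL(v) { 1, (int8_t)(v) }

/* One table entry: initial state, command, parameter ranges, next states. */
typedef struct {
    uint8_t    initial_state;
    cmd_kind_t kind;
    uint8_t    ins, ins_mask;   /* INS (or pattern) and, for CMD_GROUP, the INS bits that must match */
    uint8_t    p1_min, p1_max, p2_min, p2_max, p3_min, p3_max;
    next_t     on_success, on_failure;
} entry_t;

/* Constructed example table; the first entry matching state and command wins. */
static const entry_t table[] = {
    /* After reset only SELECT FILE is accepted. */
    { ST_RESET,    CMD_SINGLE, INS_SELECT,      0xFF, 0x00,0xFF, 0x00,0xFF, 0x00,0xFF, NEXT_ABS(ST_SELECTED), NEXT_ABS(ST_RESET) },
    /* File selected: re-select; VERIFY PIN no. 1 with an 8-byte PIN block (a wrong PIN
     * blocks the card, the retry counter is not modelled); READ BINARY only with
     * P1 0x00..0x03 (public area) and a length of 1..32 bytes. */
    { ST_SELECTED, CMD_SINGLE, INS_SELECT,      0xFF, 0x00,0xFF, 0x00,0xFF, 0x00,0xFF, NEXT_REL(0),  NEXT_REL(0) },
    { ST_SELECTED, CMD_SINGLE, INS_VERIFY,      0xFF, 0x00,0x00, 0x01,0x01, 0x08,0x08, NEXT_REL(+1), NEXT_ABS(ST_BLOCKED) },
    { ST_SELECTED, CMD_SINGLE, INS_READ_BINARY, 0xFF, 0x00,0x03, 0x00,0xFF, 0x01,0x20, NEXT_REL(0),  NEXT_REL(0) },
    /* PIN verified: the read group (INS 0xB0 READ BINARY and 0xB2 READ RECORD, selected
     * by mask 0xFD) with any parameters; a failed command drops back one state. */
    { ST_VERIFIED, CMD_GROUP,  INS_READ_BINARY, 0xFD, 0x00,0xFF, 0x00,0xFF, 0x00,0xFF, NEXT_REL(0),  NEXT_REL(-1) },
    /* Blocked: nothing is accepted until the next reset. */
    { ST_BLOCKED,  CMD_NONE,   0x00,            0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00, NEXT_REL(0),  NEXT_REL(0) },
};

uint8_t sm_state = ST_RESET;            /* the current state, held in RAM */
void sm_reset(void) { sm_state = ST_RESET; }

static int cmd_matches(const entry_t *e, uint8_t ins)
{
    if (e->kind == CMD_ANY)   return 1;
    if (e->kind == CMD_NONE)  return 0;
    if (e->kind == CMD_GROUP) return (ins & e->ins_mask) == (e->ins & e->ins_mask);
    return ins == e->ins;               /* CMD_SINGLE */
}
static int in_range(uint8_t v, uint8_t lo, uint8_t hi) { return v >= lo && v <= hi; }

/* Entry that admits the command in the given state, or NULL if there is none. */
const entry_t *sm_lookup(uint8_t state, uint8_t ins, uint8_t p1, uint8_t p2, uint8_t p3)
{
    size_t i;
    for (i = 0; i < sizeof table / sizeof table[0]; i++) {
        const entry_t *e = &table[i];
        if (e->initial_state == state && cmd_matches(e, ins) &&
            in_range(p1, e->p1_min, e->p1_max) && in_range(p2, e->p2_min, e->p2_max) &&
            in_range(p3, e->p3_min, e->p3_max))
            return e;
    }
    return NULL;
}

/* State to assume after the command completed (exec_ok = 1) or failed. A relative
 * target is computed from the initial state; a target outside the diagram fails closed. */
uint8_t sm_next(const entry_t *e, int exec_ok)
{
    const next_t *n = exec_ok ? &e->on_success : &e->on_failure;
    int s = n->relative ? (int)e->initial_state + n->value : n->value;
    return (s < 0 || s > ST_MAX) ? (uint8_t)ST_BLOCKED : (uint8_t)s;
}

/* Run one command through the state machine: 0 = rejected before execution (state
 * unchanged), 1 = admitted; exec_ok stands in for the outcome of executing it. */
int sm_step(uint8_t ins, uint8_t p1, uint8_t p2, uint8_t p3, int exec_ok)
{
    const entry_t *e = sm_lookup(sm_state, ins, p1, p2, p3);
    if (e == NULL) return 0;
    sm_state = sm_next(e, exec_ok);
    return 1;
}

static void trace(const char *what, int admitted) { printf("%-24s admitted=%d state=%u\n", what, admitted, (unsigned)sm_state); }
int main(void)
{
    sm_reset();
    trace("READ BINARY after reset", sm_step(INS_READ_BINARY, 0x00, 0x00, 0x08, 1));
    trace("SELECT FILE", sm_step(INS_SELECT, 0x00, 0x00, 0x02, 1));
    trace("VERIFY, wrong PIN", sm_step(INS_VERIFY, 0x00, 0x01, 0x08, 0));
    return 0;
}
```

Two points of the design deserve attention. A command that no entry admits is rejected before execution and leaves the state untouched, whereas a command that is admitted but then fails takes the entry's failure state; the two cases must not be confused, since only the second is a transition. The P1 and P2 fields are range-checked separately here, as in the structure described above; because the READ BINARY offset actually spans P1 and P2 jointly, an implementation that needs exact offset limits would combine them before comparing. Entry order matters when several entries for one state match the same command, and the table itself is now part of the card's protection, so it belongs in memory that is write-protected to the same degree as the file access conditions.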