Java Card

Last updated February 15, 2024

Java Card is a software technology that allows Java-based applications (applets) to be run securely on smart cards and more generally on similar secure small memory footprint devices^[1] which are called "secure elements" (SE). Today, a secure element is not limited to its smart cards and other removable cryptographic tokens form factors; embedded SEs soldered onto a device board and new security designs embedded into general purpose chips are also widely used. Java Card addresses this hardware fragmentation and specificities while retaining code portability brought forward by Java.

Portability
Security
Design
Bytecode
Library and runtime
Specific features
Development
Versions
Java Card 3.0
Java Card 3.1
New CAP file Format and Applet Deployment Model
New I/O Framework and Trusted Peripherals
Core Platform Enhancements
Security Services
New Cryptographic Extensions
See also
References
External links

Java Card is the tiniest of Java platforms targeted for embedded devices. Java Card gives the user the ability to program the devices and make them application specific. It is widely used in different markets: wireless telecommunications within SIM cards and embedded SIM, payment within banking cards^[2] and NFC mobile payment and for identity cards, healthcare cards, and passports. Several IoT products like gateways are also using Java Card based products to secure communications with a cloud service for instance.

The first Java Card was introduced in 1996 by Schlumberger's card division which later merged with Gemplus to form Gemalto. Java Card products are based on the specifications by Sun Microsystems (later a subsidiary of Oracle Corporation). Many Java card products also rely on the GlobalPlatform specifications for the secure management of applications on the card (download, installation, personalization, deletion).

The main design goals of the Java Card technology are portability, security and backward compatibility.^[3]

Portability

Java Card aims at defining a standard smart card computing environment allowing the same Java Card applet to run on different smart cards, much like a Java applet runs on different computers. As in Java, this is accomplished using the combination of a virtual machine (the Java Card Virtual Machine), and a well-defined runtime library, which largely abstracts the applet from differences between smart cards. Portability remains mitigated by issues of memory size, performance, and runtime support (e.g. for communication protocols or cryptographic algorithms).

Security

Java Card technology was originally developed for the purpose of securing sensitive information stored on smart cards. Security is determined by various aspects of this technology:

Data encapsulation: Data is stored within the application, and Java Card applications are executed in an isolated environment (the Java Card VM), separate from the underlying operating system and hardware.
Applet firewall: Unlike other Java VMs, a Java Card VM usually manages several applications, each one controlling sensitive data. Different applications are therefore separated from each other by an applet firewall which restricts and checks access of data elements of one applet to another.
Cryptography: Commonly used symmetric key algorithms like DES, Triple DES, AES, and asymmetric key algorithms such as RSA, elliptic curve cryptography are supported as well as other cryptographic services like signing, key generation and key exchange.
Applet: The applet is a state machine which processes only incoming command requests and responds by sending data or response status words back to the interface device.

Design

At the language level, Java Card is a precise subset of Java: all language constructs of Java Card exist in Java and behave identically. This goes to the point that as part of a standard build cycle, a Java Card program is compiled into a Java class file by a Java compiler; the class file is post-processed by tools specific to the Java Card platform.

However, many Java language features are not supported by Java Card (in particular types char, double, float and long; the transient qualifier; enums; arrays of more than one dimension; finalization; object cloning; threads). Further, some common features of Java are not provided at runtime by many actual smart cards (in particular type int, which is the default type of a Java expression; and garbage collection of objects).

Bytecode

Java Card bytecode run by the Java Card Virtual Machine is a functional subset of Java 2 bytecode run by a standard Java Virtual Machine but with a different encoding to optimize for size. A Java Card applet thus typically uses less bytecode than the hypothetical Java applet obtained by compiling the same Java source code. This conserves memory, a necessity in resource constrained devices like smart cards. As a design tradeoff, there is no support for some Java language features (as mentioned above), and size limitations. Techniques exist for overcoming the size limitations, such as dividing the application's code into packages below the 64 KiB limit.

Library and runtime

Standard Java Card class library and runtime support differs a lot from that in Java, and the common subset is minimal. For example, the Java Security Manager class is not supported in Java Card, where security policies are implemented by the Java Card Virtual Machine; and transients (non-persistent, fast RAM variables that can be class members) are supported via a Java Card class library, while they have native language support in Java.

Specific features

The Java Card runtime and virtual machine also support features that are specific to the Java Card platform:

Persistence: With Java Card, objects are by default stored in persistent memory (RAM is very scarce on smart cards, and it is only used for temporary or security-sensitive objects). The runtime environment as well as the bytecode have therefore been adapted to manage persistent objects.
Atomicity: As smart cards are externally powered and rely on persistent memory, persistent updates must be atomic. The individual write operations performed by individual bytecode instructions and API methods are therefore guaranteed atomic, and the Java Card Runtime includes a limited transaction mechanism.
Applet isolation: The Java Card firewall is a mechanism that isolates the different applets present on a card from each other. It also includes a sharing mechanism that allows an applet to explicitly make an object available to other applets.

Development

Coding techniques used in a practical Java Card program differ significantly from those used in a Java program. Still, that Java Card uses a precise subset of the Java language speeds up the learning curve, and enables using a Java environment to develop and debug a Java Card program (caveat: even if debugging occurs with Java bytecode, make sure that the class file fits the limitation of Java Card language by converting it to Java Card bytecode; and test in a real Java Card smart card early on to get an idea of the performance); further, one can run and debug both the Java Card code for the application to be embedded in a smart card, and a Java application that will be in the host using the smart card, all working jointly in the same environment.

Versions

Oracle has released several Java Card platform specifications and is providing SDK tools for application development. Usually smart card vendors implement just a subset of algorithms specified in Java Card platform target and the only way to discover what subset of specification is implemented is to test the card.^[4]

Version 3.2 (30.01.2023)^[5]
- Introduced support for (D)TLS1.3 protocols
- Added API clarifications to help application developers and significantly increase the level of interoperability across multiple implementations
Version 3.1 (17.12.2018)^[6]
- Added configurable key pair generation support, named elliptic curves support, new algorithms and operations support, additional AES modes and Chinese algorithms.
Version 3.0.5 (03.06.2015)
- Oracle SDK: Java Card Classic Development Kit 3.0.5u1 (03.06.2015)
- Added support for Diffie-Hellman modular exponentiation, Domain Data Conservation for Diffie-Hellman, Elliptic Curve and DSA keys, RSA-3072, SHA3, plain ECDSA, AES CMAC, AES CTR.
Version 3.0.4 (06.08.2011)
- Oracle SDK: Java Card Classic Development Kit 3.0.4 (06.11.2011)
- Added support for DES MAC8 ISO9797.
Version 3.0.1 (15.06.2009)
- Oracle SDK: Java Card Development Kit 3.0.3 RR (11.11.2010)
- Added support for SHA-224, SHA-2 for all signature algorithms.
Version 2.2.2 (03.2006)
- Oracle SDK: Java Card Development Kit 2.2.2 (03.2006)
- Added support for SHA-256, SHA-384, SHA-512, ISO9796-2, HMAC, Korean SEED MAC NOPAD, Korean SEED NOPAD.
Version 2.2.1 (10.2003)
- Oracle SDK: Java Card Development Kit 2.2.1 (10.2003)
Version 2.2 (11.2002)
- Added support for AES cryptography key encapsulation, CRC algorithms, Elliptic Curve Cryptography key encapsulation, Diffie-Hellman key exchange using ECC, ECC keys for binary polynomial curves and for prime integer curves, AES, ECC and RSA with variable key lengths.
Version 2.1.1 (18.05.2000)
- Oracle SDK: Java Card Development Kit 2.1.2 (05.04.2001)
- Added support for RSA without padding.
Version 2.1 (07.06.1999)

Java Card 3.0

The version 3.0 of the Java Card specification (draft released in March 2008) is separated in two editions: the Classic Edition and the Connected Edition.^[7]

The Classic Edition (currently at version 3.0.5 released in June 2015) is an evolution of the Java Card Platform version 2 (which last version 2.2.2 was released in March 2006), which supports traditional card applets on resource-constrained devices such as Smart Cards. Older applets are generally compatible with newer Classic Edition devices, and applets for these newer devices can be compatible with older devices if not referring to new library functions. Smart Cards implementing Java Card Classic Edition have been security-certified by multiple vendors, and are commercially available.
The Connected Edition (currently at version 3.0.2 released in December 2009) aims to provide a new virtual machine and an enhanced execution environment with network-oriented features. Applications can be developed as classic card applets requested by APDU commands or as servlets using HTTP to support web-based schemes of communication (HTML, REST, SOAP ...) with the card. The runtime uses a subset of the Java (1.)6 bytecode, without Floating Point; it supports volatile objects (garbage collection), multithreading, inter-application communications facilities, persistence, transactions, card management facilities ... As of 2021, there has been little adoption in commercially available Smart Cards, so much that reference to Java Card (including in the present Wikipedia page) often implicitly excludes the Connected Edition.

Java Card 3.1

Java Card 3.1 was released in January 2019.

New CAP file Format and Applet Deployment Model

Applet functionality can be split into multiple Java packages
CAP file sizes can exceed 64KB

New I/O Framework and Trusted Peripherals

A variety of physical layers and application protocol is supported, beyond smart card protocols defined in ISO 7816
Logical access to device peripherals by secure element applications is facilitated

Core Platform Enhancements

Array Views (views on a subset of an array), Static Resources embedded within a CAP file and Improved API extensibility

Security Services

Certificate API, Key Derivation API, Monotonic Counter API, System Time API

New Cryptographic Extensions

Configurable Key Pair generation, Named Elliptic Curves like Edwards-Curves, Additional AES modes (CFB & XTS), Chinese Algorithms (SM2 - SM3 - SM4)

Related Research Articles

Java applets were small applications written in the Java programming language, or another programming language that compiles to Java bytecode, and delivered to users in the form of Java bytecode. The user launched the Java applet from a web page, and the applet was then executed within a Java virtual machine (JVM) in a process separate from the web browser itself. A Java applet could appear in a frame of the web page, a new application window, a program from Sun called appletviewer, or a stand-alone tool for testing applets.

Java is a high-level, class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible. It is a general-purpose programming language intended to let programmers write once, run anywhere (WORA), meaning that compiled Java code can run on all platforms that support Java without the need to recompile. Java applications are typically compiled to bytecode that can run on any Java virtual machine (JVM) regardless of the underlying computer architecture. The syntax of Java is similar to C and C++, but has fewer low-level facilities than either of them. The Java runtime provides dynamic capabilities that are typically not available in traditional compiled languages.

<span class="mw-page-title-main">Java virtual machine</span> Virtual machine that runs Java programs

A Java virtual machine (JVM) is a virtual machine that enables a computer to run Java programs as well as programs written in other languages that are also compiled to Java bytecode. The JVM is detailed by a specification that formally describes what is required in a JVM implementation. Having a specification ensures interoperability of Java programs across different implementations so that program authors using the Java Development Kit (JDK) need not worry about idiosyncrasies of the underlying hardware platform.

Java Platform, Micro Edition or Java ME is a computing platform for development and deployment of portable code for embedded and mobile devices. Java ME was formerly known as Java 2 Platform, Micro Edition or J2ME. As of December 22, 2006, the Java ME source code is licensed under the GNU General Public License, and is released under the project name phoneME.

In computing, cross-platform software is computer software that is designed to work in several computing platforms. Some cross-platform software requires a separate build for each platform, but some can be directly run on any platform without special preparation, being written in an interpreted language or compiled to portable bytecode for which the interpreters or run-time packages are common or standard components of all supported platforms.

The Connected Device Configuration (CDC) is a specification of a framework for Java ME applications describing the basic set of libraries and virtual-machine features that must be present in an implementation. The CDC is combined with one or more profiles to give developers a platform for building applications on embedded devices ranging from pagers up to set-top boxes. The CDC was developed under the Java Community Process as JSR 36 and JSR 218.

Java Card OpenPlatform (JCOP) is a smart card operating system for the Java Card platform developed by IBM Zürich Research Laboratory. On 31 January 2006 the development and support responsibilities transferred to the IBM Smart Card Technology team in Böblingen, Germany. Since July 2007 support and development activities for the JCOP operating system on NXP / Philips silicon are serviced by NXP Semiconductors.

The Microsoft Windows platform specific Cryptographic Application Programming Interface is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data. The Crypto API was first introduced in Windows NT 4.0 and enhanced in subsequent versions.

<span class="mw-page-title-main">Java (software platform)</span> Set of computer software and specifications

Java is a set of computer software and specifications that provides a software platform for developing application software and deploying it in a cross-platform computing environment. Java is used in a wide variety of computing platforms from embedded devices and mobile phones to enterprise servers and supercomputers. Java applets, which are less common than standalone Java applications, were commonly run in secure, sandboxed environments to provide many features of native applications through being embedded in HTML pages.

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

Comparison of the Java and .NET platforms.

JavaFX is a software platform for creating and delivering desktop applications, as well as rich web applications that can run across a wide variety of devices. JavaFX has support for desktop computers and web browsers on Microsoft Windows, Linux, and macOS, as well as mobile devices running iOS and Android, through Gluon Mobile.

Private Disk is a disk encryption application for the Microsoft Windows operating system, developed by Dekart SRL. It works by creating a virtual drive, the contents of which is encrypted on-the-fly; other software can use the drive as if it were a usual one.

Mac OS Runtime for Java was Apple's proprietary virtual machine for Java-based applications in the classic Mac OS. Both a runtime environment and a software development kit (SDK) are available.

Dalvik is a discontinued process virtual machine (VM) in the Android operating system that executes applications written for Android. Dalvik was an integral part of the Android software stack in the Android versions 4.4 "KitKat" and earlier, which were commonly used on mobile devices such as mobile phones and tablet computers, and more in some devices such as smart TVs and wearables. Dalvik is open-source software, originally written by Dan Bornstein, who named it after the fishing village of Dalvík in Eyjafjörður, Iceland.

The Java Development Kit (JDK) is a distribution of Java technology by Oracle Corporation. It implements the Java Language Specification (JLS) and the Java Virtual Machine Specification (JVMS) and provides the Standard Edition (SE) of the Java Application Programming Interface (API). It is derivative of the community driven OpenJDK which Oracle stewards. It provides software for working with Java applications. Examples of included software are the Java virtual machine, a compiler, performance monitoring tools, a debugger, and other utilities that Oracle considers useful for Java programmers.

This article compares the application programming interfaces (APIs) and virtual machines (VMs) of the programming language Java and operating system Android.

The Java platform provides a number of features designed for improving the security of Java applications. This includes enforcing runtime constraints through the use of the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can utilise. Despite this, criticism has been directed at the programming language, and Oracle, due to an increase in malicious programs that revealed security vulnerabilities in the JVM, which were subsequently not properly addressed by Oracle in a timely manner.

GraalVM is a Java Development Kit (JDK) written in Java. The open-source distribution of GraalVM is based on OpenJDK, and the enterprise distribution is based on Oracle JDK. As well as just-in-time (JIT) compilation, GraalVM can compile a Java application ahead of time. This allows for faster initialization, greater runtime performance, and decreased resource consumption, but the resulting executable can only run on the platform it was compiled for. It provides additional programming languages and execution modes. The first production-ready release, GraalVM 19.0, was distributed in May 2019. The most recent release is GraalVM for JDK 21, made available in September 2023.

References

↑ Chen, Z. (2000). Java Card Technology for Smart Cards: Architecture and Programmer's Guide . Addison-Wesley Java Series. Addison-Wesley. ISBN 978-0-201-70329-0 . Retrieved 9 April 2019.
↑ Oracle Learning Library (2013-01-30), Developing Java Card Applications, archived from the original on 2021-12-13, retrieved 2019-04-18
↑ Ahmed Patel; Kenan Kalajdzic; Laleh Golafshan; Mona Taghavi (2011). "Design and Implementation of a Zero-Knowledge Authentication Framework for Java Card". International Journal of Information Security and Privacy. IGI. 5 (3): 1–18. doi:10.4018/ijisp.2011070101.
↑ "JCAlgTest - database of supported JavaCard algorithms" . Retrieved 27 January 2016.
↑ Ponsini, Nicolas (30 January 2023). "Announcing Java Card 3.2 Release". Java Card Blog. Retrieved 6 February 2023.
↑ Ponsini, Nicolas. "Unveiling Java Card 3.1: New Cryptographic Extensions". blogs.oracle.com. Retrieved 2019-04-18.
↑ Samoylov, N. (2018). Introduction to Programming: Learn to program in Java with data structures, algorithms, and logic. Packt Publishing. p. 13. ISBN 978-1-78883-416-2 . Retrieved 9 April 2019.

External links

Java Card overview (Oracle)
Defcon 21: The Secret Life of SIM Cards on YouTube
JavaCards-OpenSC

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Chen_2000-1] Chen, Z. (2000). Java Card Technology for Smart Cards: Architecture and Programmer's Guide . Addison-Wesley Java Series. Addison-Wesley. ISBN 978-0-201-70329-0 . Retrieved 9 April 2019.

[2] Oracle Learning Library (2013-01-30), Developing Java Card Applications, archived from the original on 2021-12-13, retrieved 2019-04-18

[3] Ahmed Patel; Kenan Kalajdzic; Laleh Golafshan; Mona Taghavi (2011). "Design and Implementation of a Zero-Knowledge Authentication Framework for Java Card". International Journal of Information Security and Privacy. IGI. 5 (3): 1–18. doi:10.4018/ijisp.2011070101.

[4] "JCAlgTest - database of supported JavaCard algorithms" . Retrieved 27 January 2016.

[5] Ponsini, Nicolas (30 January 2023). "Announcing Java Card 3.2 Release". Java Card Blog. Retrieved 6 February 2023.

[6] Ponsini, Nicolas. "Unveiling Java Card 3.1: New Cryptographic Extensions". blogs.oracle.com. Retrieved 2019-04-18.

[Samoylov_2018_p._13-7] Samoylov, N. (2018). Introduction to Programming: Learn to program in Java with data structures, algorithms, and logic. Packt Publishing. p. 13. ISBN 978-1-78883-416-2 . Retrieved 9 April 2019.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

Java platform editions

Java Card Java ME (Micro Edition) Java SE (Standard Edition) Jakarta EE (Enterprise Edition) JavaFX (bundled in Oracle's JDK from versions 8 to 10 but separately since 11) PersonalJava (Discontinued)
v t e