Technical Overview of Java Card

Technical Overview of Java for Smartcards Anshuman Sinha

Presentation
Java Card
Global Platform
Java Card Applets
Client Software
Anshuman Sinha <anshuman.sinha2@gmail.com>

Why Java for Smartcards?
Popular High level language, Object-oriented, large programmer base …
Write once and run anywhere
Any vendor ’ s smart card (Interoperability)
Any vendor ’ s secure controller (Portability)
Open programmable platform for third party application development
Java Card is the winner … SIM, PIV, TWIC etc.

Java Platforms Anshuman Sinha <anshuman.sinha2@gmail.com> Java Platform Size Machine Size

Java Card Tool Chain Anshuman Sinha <anshuman.sinha2@gmail.com> .Java Files .class Files .jca Files .exp Files Converter Java Smartcard Loader
Use any Java compiler
Use favorite development environment
Loader is specific
Compiler . exp Files .cap Files

Java Card Block Diagram Anshuman Sinha <anshuman.sinha2@gmail.com> Card Operating System Java Card VM Java Card Runtime Environment (JCRE) Java Card API APDU Response Card Manager Smartcard Controller + Cryptography Co-processor Applet 3 Applet 2 Applet 1 Currently Selected Applet Vertical API(s)

Hardware Anshuman Sinha <anshuman.sinha2@gmail.com> R / F Interface Memory Chip Controller Antenna Coil Clk I/O Reset Vcc GND Clk I/O Reset Vcc GND Clk Mod Demod EEPROM Security & Address Logic EEPROM ROM CPU NPU Smartcard Contacts ROM RAM

Java Card Operating System Anshuman Sinha <anshuman.sinha2@gmail.com> Process Loop Terminal Command
Process Loop
File System
File context
Crypto algorithms
Data Integrity
Memory Management
Hardware Interfaces
Memory write/erase
Anti-Tearing
Access Controller
EEPROM/Flash Memory Write Log
If no tear clear the transaction buffer
If tear, roll back the update as if no write occurred
ISO Commands ISO File System Anti-Tearing Tear Begin Transaction EF 1 EF 2 DF1 DF2 MF

Java Card Runtime Environment Anshuman Sinha <anshuman.sinha2@gmail.com>
Java Applet Storage
Java Heap Storage
Java Native Interface
Applet Selection
Applet Instantiation
Applet Context
Exception Handling
Session Anti-tearing
Random security checks
Firewalling
Applet Data and Code Applet Firewall Java Bytecode Storage Java Object Store Applet 3 Applet 2 Applet 1 Currently Selected Applet

Applet Firewalling
On Java Card the applets are firewalled, which means one applet can ’ t access the objects of the other at runtime.
Each applet has its own Context . Applet firewall is separation of one context from another.
JCRE has global context. It has access privileges to objects / fields of any applet.

Smartcard Protocols Anshuman Sinha <anshuman.sinha2@gmail.com> 7816 – 4 Inter-Industry commands for interchanges 7816 - 1 Physical Characteristics 7816 - 2 Dimension and locations of the contacts 14443 - 1 Physical Characteristics 7816 - 3 Electronic Signals and Transmission Protocol 14443 - 2 RF power and Signal I/F 14443 - 3 Initialization and anticollision 14443 - 4 Transmission protocol 7816 - 3 T=1/T=0 Transmission protocol Contact stack Contactless stack

Java Card 2.2.2 API
Java.io
Java.lang
Java.rmi
service
Javacard.framework
Applet
AID
APDU …
Javacard.security
DESKey
AESKey
Checksum …
Javacard.framework.service
Javacardx.crypto
DES Algorithm
AES Algorithm
RSA … and ECC
Javacardx.apdu
Javacardx.biometry
Javacardx.external
Javacardx.framework.math
Javacardx.framework.util
Javacardx.framework.util.intx
Anshuman Sinha <anshuman.sinha2@gmail.com> Core Packages

Java Subsetting
Multi-Threading
String handling
Dynamic Class loading
Security Manager Card Manager
Garbage Collection and finalization
Object cloning
Access control in Java packages

Fully Supported Features
packages
dynamic object creation
transient objects
virtual methods / inheritance
interfaces
Exceptions
Pseudo-Garbage Collection

Partially supported features
Object class is the root class of all the objects but not all methods are supported.
Throwable class is not supported fully but is available as the root class of all exceptions thrown.

Token-based Linking
Items are referenced as opaque tokens.
Linking can be either on-card or off card.
No need to know internal implementation details of on card API to link off-card cardlets.
Works efficiently with limited resources (RAM) on card.
Converter refers to export file of the package to link to external items
It picks the external token from export file and puts in the CAP file of the a package
Since name-to-token mapping is published in export file, the tokens can be assigned any order

Java Execution Engine Anshuman Sinha <anshuman.sinha2@gmail.com> Runtime Applet Context Applet (package) JCRE Context Operands Frame 16 bit Word 1. 2. Bytecode Handlers Native Table Function Locals Execute 3. Increment Fetch Update Java Heap

Security Exception
Instructions which throw securityException.
All invokes (static/special/interface)
getfields and putfields
checkcast
instanceof
athrow
arraylength
Security is built in the bytecodes
Java Card virtual machine can throw runtime exception on these bytecodes

Exceptions
Exception object has 2 byte reason code instead of message string as a parameter to the exception class.
Exceptions are of two types - Checked and Unchecked.
Checked exceptions must be caught and declared by keyword throws in the method body.

Exceptions
Unchecked exceptions or runtime exceptions are runtime errors thrown by JCVM or JCRE
Known Exception objects are pre-created and an application supplies the reason code and calls the throwIt method

Presentation
Java Card Design
Global / Open Platform
Applets
Client Software

Global Platform
Global Platform specifies secure, dynamic card and application management using commands, policies, transaction sequences and interfaces that are hardware neutral
System, Terminal and Card Specifications
Card Specifications
Defines the loading of applets to card both pre and post issuance
Registers Applets to Security Domain
Verifies source of application code by validating signature
Opening and closing of (SSL like) secure channel
Application Management – Install and Delete
Card Management and life cycle

Card Manager Life Cycle Anshuman Sinha <anshuman.sinha2@gmail.com> OP_Ready Initialised Secured CM_Locked Terminated Card manager acts as default selected application Initialisation key controls access At least one key set loaded Post-issuance mode (at least MACing required) All applications locked Only Card Manager is available End of card life cycle (card is mute) APDU Set Status API lockCardManager API terminateCardManager

Applet Life Cycle Anshuman Sinha <anshuman.sinha2@gmail.com> Installed Selectable Personalized Blocked Locked Application is installed (instantiated) but not available yet Application is available (activated) Application has been personalized Application is blocked, but behaviour is application-dependent Application is locked (not available) Only Card Manager can unlock APDU Set Status API setCardContentState Deleted APDU Install APDU Delete

Applet Loading Anshuman Sinha <anshuman.sinha2@gmail.com> Security Domain B Card Manager Security Domain A Applet Applet Application Provider B Card Issuer OPEN NETWORK Application Provider A HOST CARD Application Provider A Application Provider B Java Card Applet Applet chunks Secure Channel

Presentation
Java Card Design
Applets
Client Software

Java Card Applets [1/2]
Extension of javacard.framework.applet
Applet has following methods …
deselect()
getShareableInterfaceObject(..)
Install(..)
Anshuman Sinha <anshuman.sinha2@gmail.com> Called by JCRE before selection of another applet . Called by JCRE on behalf of client applet to get all methods which are shared … Called by JCRE on behalf of client applet to get all methods which are shared …

Java Card Applets [2/2]
Process(APDU)
Register(..)
Select()
SelectingApplet()
Anshuman Sinha <anshuman.sinha2@gmail.com> Called by JCRE to process application specific commands Called by JCRE to process application specific commands Called by JCRE when this applet is selected Called by JCRE to return any data back to terminal while the applet is being selected

Presentation
Java Card Design
Applets
Client Software

Client Software
Java Client Software
PCSC / JPCSC – Reader Connections
Card Detection
Service Registry
Applet Loading
Splits Applet into chunks
Loading and Verification
Application Based Commands
For e.g. PIV – Reading Image of Cardholder
Test Suites
Visual Basic Scripting
Java Client

PCSC/JPCSC Design Anshuman Sinha <anshuman.sinha2@gmail.com> ICC Aware Application Service Providers ICC Resource Manager IFD IFD IFD RS232 PS/2 IFD Handler ICC ICC ICC IFD Handler IFD Handler

References
Java Card specifications
Global Platform specifications
ISO 7816 and 14443 standards
PC/SC specifications
NIST SP 800-73 specifications for PIV
… and Others

Technical Overview of Java Card

by Anshuman Sinha on May 31, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Technical Overview of Java Card — Presentation Transcript