Architecture & Development of NFC Applications


Published on

Published in: Education, Technology, Business
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Architecture & Development of NFC Applications

  2. 2. Presentation• Project Managerat the University of Panjab• University▫ Ticket TAP▫ Campus Nova▫ NFC Container
  3. 3. Campus Nova NFC trial with Credit Agricole and mobilepayment at the cafeteria in Sophia-Antipolis
  4. 4. Come & see us:Get 10% off ladiesbags untiltomorrowTicket TAP50% reductionforgirl studentsat the starlightDance Club? is digital, targeted and personalPresent Future
  5. 5. Partners
  6. 6.  Introduction to NFC, its Ecosystem Radio Frequency Identification Contactless cards Standardization bodies Roles and Actors NFC tags NFC on a SIM card Smart Cards NFC services use cases Pilots and business aspect Available devicesObjectives
  7. 7. Objectives (2) NFC for developers Dev kits Reading/Writing tags APDU JSR 257 & 177 Java Card PC/SC readers JSR-268 Midlet SCWS Demo and Examples Conclusion
  8. 8. Mobiquity MOBIlitY (Mobile) UbiQUITous (Internet)Oneof themajoraddedvalueforNFC is thesecurityof thirdpartyapplications providedbytheSIMcard.Oneof themajoraddedvalueforNFC is thesecurityof thirdpartyapplications providedbytheSIMcard.
  9. 9. Google Android
  10. 10. ATAWAD Google is going from web to mobile. This meansyou can now create a contact or an entry in yourcalendar from your mobile and data isautomatically replicated not on the SIM but onGoogle servers (trust and private life is anotherdebate).  ATAWAD= Any Time, Any Where, Any Device They start from the needs without necessarilyinnovate. They did not create the search engine, they justimproved it. In 5 years we’ll probably say: "they didn’t createthe mobile, they’ve just improved it."
  11. 11. Needs of NFC ? NFC is not like GPS The value chain and the different roles are complex. NFC strenghts Smart poster. Configuration shortcut. NFC in SIM card Digital signature. Secure payment. Handset manufacturersNokia, Apple, ...must agreewith MNOs Orange, SFR, ...
  12. 12. PART 1Introduction to NFC,its Ecosystem
  13. 13. RFID RFID : Radio Frequency Identification RFID Tags: Store and retrieve data (with a distant reader) History : radar technology, cow identification (year 1970). Use case examples: road taxes, trace books in libraires,access card, shops (Wall-Mart). RFID tags types Active Passive (without battery)
  14. 14. RFIDFrequencies125-135KHzRound cornersThrough most thingsNo radiation problemNo reflection problemCheaper electronics13.56MHz1m max rangeDoesn’t work throughmetal and fluidsUHFLong range (up to 10mwithout battery)GHzLong rangeHigh data rateSmallestBestcompromisefor most cardsand ticketsBestcompromisefor most cardsand ticketsANIMALS, BEER BERRELS, GASCYLINDERS, SHOES OFMARATHON RUNNERSCONVEYANCES, VEHICLES, LIBRARY, LAUNDRY,ITEM LEVEL TAGGING, BANKNOTES, ERRORPREVENTION, SECURE ACCESS, AIRPORTBAGGAGE
  15. 15. From RFID to NFC Can communicate with objects Magnetic field induction Contactless technology based on RFID 13,56MHz NFC is standardized ECMA-340 and ISO/IEC18092 Backward compatibility with ISO14443 andSmartCard Millions of readers Easy to use
  16. 16. Contactless Cards FELICA (sony) encryption keygenerated dynamicaly at each auth. Topaz Tag Innovision MIFARE Standard: 512bits UL (no security) used for tickets Other formats : 1K (768 Bytes data), 4K The 16bits random of MIFARE has been hacked NXP announced MIFAREplus MIFARE DESFirepreprogrammed cardExample: Oyster Card in London Gemalto: Mifare 4 Mobile Contactless Java Card85%+ of the accesscontrol / TicketingISO14443 market isMifare®85%+ of the accesscontrol / TicketingISO14443 market isMifare®
  17. 17. NFC NFC allows a device to read and write a contactless card, act like acontactless card and even connects to another NFC device toexchange data. 3 modes : Card reading (MIFARE …) Peer to peer (initiator & target) Card emulating Distance : 0 - 20 centimeters Bandwidth to 424 kbits/s NFC Forum : NDEF specs N-Mark: FORUM
  18. 18. Standardization bodies ETSI /SCP(Smart Card Platform) to specify theinterface between the SIM card and the NFCchipset. EMVCo for the impacts on the EMV paymentapplications. GSMAssociation Mobey Forum for mobile financial services AFSCMis French association for mobile contactless Download specifications here: Global Platform to specify a multi-applicationarchitecture of the secure element. Etc.
  19. 19. NFC FORUM SPECSApplicationsApplicationsLLCP(Logical LinkControl Protocol)LLCP(Logical LinkControl Protocol)RTD(Record Type Definition)&NDEF(Data Exchange Format)RTD(Record Type Definition)&NDEF(Data Exchange Format)CardEmulation(Smart Card CapabilityforMobile Devices)CardEmulation(Smart Card Capabilityfor Mobile Devices)RF LayerISO 18092 + ISO 14443 Type A, Type B+ FeliCaRF LayerISO 18092 + ISO 14443 Type A, Type B+ FeliCaPeer to peer mode Read/Write mode Card emulation mode
  20. 20. Smart Poster Location based services List of proximity services dependingon Points of Interest Trailers Tickets bookingSpecificationsNFC Forumreleases specification for NDEF.NFC Data Exchange Format which is a way to « format »RFID tags to be compatible with NFC applications.Works with MIME type.SpecificationsNFC Forumreleases specification for NDEF.NFC Data Exchange Format which is a way to « format »RFID tags to be compatible with NFC applications.Works with MIME type.From SMS push to Smart Poster« pull »
  21. 21. Smart Poster RTDMAY SHALLFor example, the Smart Poster record defines a URI plus some added metadata aboutthat URI.Value Action0 Do the action (send the SMS, launch the browser, make thetelephone call)1 Save for later (store the SMS in INBOX, put the URI in a bookmark,save the telephone number in contacts)3 Open for editing (open an SMS in the SMS editor, open the URI inan URI editor, open the telephone number for editing).Action record values
  22. 22. NFC Forum tag types between tag providers and NFC device manufacturers Type 1, based on ISO14443A. Tags are read and re-write capable; users canconfigure the tag to become read-only. Memory availability is 96 bytes andexpandable to 2 Kbytes. Communication speed is 106 Kbit/s. Type 2, same as Type 1 except that memory availability is 48 bytes andexpandable to 2 Kbytes. Type 3 is based on FeliCa. Tags are pre-configured at manufacture to be eitherread and re-writable, or read-only. Memory limit is 1Mbyte per service.Communication speed is 212 Kbit/s or 424 Kbit/s. Type 4, fully compatible with ISO14443A and B standards. Tags are pre-configured. Up to 32 Kbytes per service.Communication speed is up to 424 Kbit/s.
  23. 23. NFC Roles and actorsServiceproviderTrusted ServiceManager(MNO or TTP)ApplicationownerSIMCard Manufacturer(Smart Card provider)Card IssuerMNO(SIM Card management system)Contactless service managementplatformContactless service managementplatformOTA NFC Service ManagementOTA NFC Service ManagementPOSPOSSIMSIMNFCNFCMobile stationholder
  24. 24. NFC service providerMobiledomainMobile operatorNFC applicationsrepositoryWebappWebappNFC service operatorSIMmanagementsystemSIM cardApplicationCustomersmanagementdatabaseCustomersmanagementdatabasecardletscardletsService profileplatformProfiledataProfiledataKS FSKS FSFinaluserCustomersmanagementdatabaseLife cyclemanagement systemfor mobile NFCapplicationsKS FSKS FSCustomerApplicationdataGUISDD management systemKS SSDKS SSDCard managementsystemKS ISDKS ISDNetwork accessCustomerserviceSubscribeaserviceSubscribe a serviceOperatorinformation systemCustomersdataCustomersdataSubscribea serviceInterfaces
  25. 25. ServiceproviderServiceproviderTSMTSMMobileoperatorMobileoperatorCustomerCustomer• Askfortoken (delegated management)• Askapplet installation via ISD(MNOcentric model)• Tells phone has been lost• Tells customerhas new SIMcard• Service installation request aftercustomerregistration• Tells phone has been lost• Tells customerhas new SIMcard• Services management & referral forSP• Install NFC servicesUse case: phone is lost
  26. 26. Global Platform - securitydomainsBy GemaltoLow TRUST HighMandatedDAP(applicationsintegrity atplaform level)DAPVerification(applicationintegrity bySSD)IssuerCentric(only ISDmanagement)DelegatedManagement(tokenmanagement)AuthorizedManagement(dualmanagement)High CONTROL Low
  27. 27. NFC on a Mobile Phoneone thing among allContactlessContactlessScreen with a userinterfaceScreen with a userinterfaceSecuritySecurityGPSGPSLoudspeaker andMicrophoneLoudspeaker andMicrophoneKeyboardKeyboardCameraCameraNetworkNetworkTVTVetc.
  28. 28. NFC Architecture
  29. 29. PART 2NFC in a SIM Card
  30. 30. Smart Card Piece of plastic the size of a credit card hosting an electronic circuitthat can store and process information. The integrated circuit (chip) may contain a microprocessor capableof processing this information, or it can only contain non-volatilememory with a security component (memory card). Smart cards are mainly used as means of personal identification(identity card, access badge to buildings, health insurance card,SIM card) or payment (credit card, electronic purse) or proof ofsubscription to prepaid services (calling card, ticket). Contact or Contactless smart card readers are used as acommunications medium between the smart card and ahost (point of sale).
  31. 31. Smart Card used in France for healthcarerefunds (Carte Vitale)
  32. 32. Smart Card history The automated chip card was invented by German rocketscientist Helmut Gröttrup and his colleague Jürgen Dethloff. French inventor Roland Moreno actually patented his firstconcept of the memory card. Michel Ugon from Honeywell Bull invented the firstmicroprocessor smart card. Bull patented the SPOM (Self Programmable One-chipMicrocomputer) that defines the necessary architecture toauto-program the chip.1968197419771978
  33. 33. Smart Card until today The first mass use of the cards was forpayment in French pay phones (Bull CP8). Smart Card is standardized ISO 7816. The second use was with the integration ofmicrochips into all French debit cards. First Java Cards. Axalto and Gemplus, at the time the worldsno.2 and no.1 smart card manufacturers,merged and became Gemalto.19831987199219972006
  34. 34. Smart Card categoriesMicroprocessor cardMicroprocessor cardMemory cardMemory cardContact cardContact card Contactless cardContactless card
  35. 35. The memory card EEPROM read/write memory (4K max) Ex: Mifare Advantages Simple Cheap Drawbacks Security (easy to duplicate)
  36. 36. Microprocessor card Microprocessor used by the application running on cardto calculate operations. Each card can be personalized and updated aftermanufacture (for banks with more than 500 000customers).  Credentials can be updated while the card is inserted in abank automat for example.Very secure for a reasonable costVery secure for a reasonable cost
  37. 37. Smart Card security Information stored can be protected by aPIN code Cryptographic operations Circuit is shielded Unique serial number Software security Access control to data Data integrity IN/OUT firewall
  38. 38. Smart Card anatomy CPU: Control Processing Unit SRAM: Static Random Access Memory ROM: Read Only Memory Static Store the Operating System EEPROM: Electrically Erasable andProgrammable Read Only Memory Persistent CRYPTO:  Cryptographic processor RNG:  Random NumberGenerator Used to generate keys
  39. 39. Smart Card connectors• A Smart Card has 8 connectors : (ISO7816-2)• C1 Vcc• C2 RST• C3 CLK• C4 RFU (Re se rve d fo r future use )• C5 GND• C6 Vpp (old EEPROM)• C7 I/O (bi-directional, in half-duple x m o de )• C8 RFU (Re se rve d fo r future use )
  40. 40. Contactless Card ISO 14443 defines the standard forContactless Card.
  41. 41. Smart Card applications Secure a computer Store internet security certificate Hard drives can be encrypted using and attachedSmart Card Used to authenticate a user on the computer (atlogin screen)
  42. 42. Smart card applications Payment Credit card, SIM card, TV Channel card, Access card Transports Electronic purse (coffee machine) Identification PKI Digital signature Can store biometric data 2009 in Spain and Belgium: eID card 2 certificates: one used to authenticate and one toapply the digital signature (real legal value)
  43. 43. Pyramid of Authentication TechnologiesHigher levelof securityoffered forhighly valuedinformationUser private key is kept in a device such as a smartcard. Biometrics are also used to protect key.User’s private key is stored on a portablecomputer device such as a disk.User name and password authenticatesUser – PGP encrypts data.SSL encrypts data.
  44. 44. Part 3NFC potential, servicesand devices
  45. 45. NFC on iPhone already on iPhone:Stickers, 30-pin RFID readers, SIM add-on…
  46. 46.  Exchange data, P2P Configuration (bluetooth pairing) Vending machines, servicemaintenance Loyalty, couponing NFC poster, get information Ticketing Medical, home care Web applications Payment solution Access control Mobile signature Etc.Added value services
  47. 47. NFC Use casesby Nokia
  48. 48. Mobile Ticketing A customer books two tickets for a concert. He pays and downloads his tickets on hismobile phone with a simple touch. He meets with his girlfriend and transfersthe ticket on her mobile. They arrives and unlock security gatesthanks to their NFC mobile phone.14 millions RFID ticketswere produced by ASKfor Olympic Games inChina - Mobile ticketing will become more popular over the next fewyears, with 2.6 billion tickets worth $87 billion, delivered by2011Juniper Research (April 2008)
  49. 49. NFC in the World (2009) Japan with Sony FeliCa, NTT DoCoMoNTT Docomo reports 10 million mobile credit cardcustomers StoLPaN « Store Logistics and Payment with NFC » isa pan-European consortium supported by theEuropean Commission’s Information SocietyTechnologies program: Akbankand Turkcell test NFC in Istanbul Visa launches NFC trial in Brazil Citi launches NFC trial in India Telefónica launches O2 Money, says it is ready todeploy NFC Nokia Money 41 NFC-related trials and launches in the Asia-Pacificregion so far… etc.
  50. 50. NFC in France(2009) Disneyland Paris to test NFC and contactless cardsfrom October 2009, with Crédit Mutuel and CICbanks. Smart-Park with VINCI Parkand Monext. Paris Metro: Paris transport operators to launch NFCticketing from the end of 2010. STIF will coordinatethe Paris transport operators (Optile, RATPand SNCFTransilien) and the participating telecoms operators(Orange, Bouygues Telecom and SFR). Pegasus workgroup: multi-operator (Orange,Bouygues Telecom, SFR), multi-bank (BNP Paribas,Groupe Crédit Mutuel-CIC, Crédit Agricole, SociétéGénérale) with MasterCard, Visa Europe and Gemaltofor mobile payment in two cities: Caen and Strasbourg Nice NFC city
  51. 51. NFC gives sense to touch based servicesObjectObjectTag+ URLTag+ URLMobiledeviceMobiledeviceReaderReaderDisplayWirelessserviceproviderWirelessserviceproviderInformationon ObjectsInformationon ObjectsNFC is not a Bluetooth replacement. NFC is not made to transfer objects.One of the key argument for NFC is to pair a Bluetooth device.More than wireless.Proximity and contact.Secure payment.Co m po ne nts o f an o bje ct hype rlinking s che m e
  52. 52. NFC tomorrow Hard beginningThree years ago, ABI Research predicted half ofmobile phones in the world will be NFC ready in2009. Juniper research, september2009: NFC Mobile Payments to Exceed $30bn by 2012,Supported by Revenues from Mobile Couponsand Smart Posters June 2009: Top handset manufacturers beginsampling NXP’s PN544 NFC chipThe PN544 NFC co ntro lle r is the first fully industry standard NFChandse t chip, o ffe ring co m pliance with the Sing le Wire Pro to co land with Mifare .
  53. 53. In a recent presentation, Sony Ericsson says mobile NFC will takemore than 5 years to become mass market.NFC tomorrow
  54. 54. NFC keys of success Reach and availability The availability o f NFC pho ne s and SIMcard Variety of use Ease of use Se e ipho ne Security Be able to lo ck paym e nt card Added value services Advantag e fo r custo m e r ? Infrastructure NFC acce ss po ints in sho psComplex valuechain+Mobile OTA B2Cbattle
  55. 55. NFC DevicesNFC Phones using single wire Protocol and UICC (08/2008)The Sagem my700XThe LG L600VThe Nokia 6131 SWPThe Motorola SLVR L7All devices are more or less concept devices and come withan InsideContactless NFC Chip.In order to develop applications with these devices a DevKit (like the Gemalto Developer Suite) and a SWP UICC isrequired. All four devices are already capable of usingSCWS.
  56. 56. NOKIA 6212 Java MIDP 2.0 Bluetooth 2.0 2 megapixel camera 3G connection Share business cards, bookmarks,calendar notes, images, profiles, andmore. Contactless payment and ticketingcapabilities. Access to mobile services andinformation with a simple touch. Uses Java specification requirement257 (JSR 257) for third-party NFCapplications. re m y Be lo sto ck o n the future o f NFChttp: //fr. yo utube . co m /watch? v= Bo O H7 AtCT_ E
  57. 57. Nokia 6216 First SIM-based NFC handset by Nokia Capable of storing credit card, user account andother security details on the SIM card, availability appr. Q1/2010See video,Jeremy Belostock, NFC, and operators
  58. 58. NationalID cardAircraftpart tagPassportlabel / pageSecureaccess orcredit cardTransitcardTransitticketLibrarybooklabelItemdruglabelRetailpallet/ caselabelSpecification typically ISO 14443 or15693 (read distance to 50 cm)7cents Chip cost 3dollarsSecurity and memory for RFID tags vs costSecurityand/ormemorysize
  59. 59. NFC requirements
  60. 60. Part 4NFC for developers
  61. 61. Developing on a Mobile Phone isDifferent operatingsystems, brow sers, etc.What are the solutions to develop a3rd partyapplication on a mobile phonee xce pt o n iPho ne 
  62. 62. UICC SIMUICC SIMNFCantennaNFCantennaExternalenv.ApplicationsApplicationsCPUCPUOSOSJ2MEJ2MENFC ChipNFC ChipOTAOSOSAppsAppsNFC Phone Architecture Single Wire Protocol (SWP) architecture:SIM & SE is same Java Card. MIFARE is a storage which enables thephone to act like a MIFARE card.Fro m a de ve lo pe rs po int o f vie w it do e s no t m atte r at allwhe rethe SE is lo cate d. Yo u willstillco de ag ainst the Glo balPlatfo rmspe cs. The o nly diffe re nce co m e s with the distributio n/life cyclem o de l; and since in m o st case s, the o pe rato rs co ntro lbo th theSIMcard and the pho ne , the diffe re nce is larg e ly acade m icalanyway.O f co urse , busine ss pe o ple m ay think diffe re ntly, but thats the irpro ble m .Jalkane n, No kia discussio n bo ards
  63. 63. NFC and C (with Java Native Interface) JNI allows to call C code and DLL in Java.  To use JNI, you must follow the following steps: Create a Native method in Java Once the Java class is compiled, you must generate aheader file with the tool javah –h. Compile the native code using the interface generated atstep 2. Change the methods headers and params. For example: a String becomes a Jstring.
  64. 64. NFC and Java Java / NFCJava is the key. It allows technologies towork together : Bluetooth, Video, Music, GPRS, … Problems of JSR not implemented on a mobile phone Graphical user Interface are not always compatible : screensize, different JVM. Solution: Mobile Distillery ? SVG ? Flash lite ? SIM Toolkit ?SCWS ? HTML5 ? Native application : security problem, no API, manufacturerlock… Symbian development is heavy.
  65. 65.  Java IDE such as Eclipse orNetbeans SDK from manufacturers(Nokia) Dev Kit from card issuers(Gemalto, Oberthur) Dev Kit from MNO (Orange)Development Kits
  66. 66. JCOP ToolsString uri = Sys te m . g e tPro pe rty("inte rnal. se . url");ISO 1 4443Co nne ctio n is e Co nn =(ISO 1 4443Co nne ctio n) Co nne cto r.o pe n(uri);Applet extends javacard.framework.Applet MIDlet JCOP tools need activation key: compatible PC/SC reader Configure SE keyset to 42ENC, MAC and KEY are all "404142434445464748494A4B4C4D4E4F”public vo id pro ce s s(APDUapdu){byte [] buf = apdu. g e tBuffe r();// Ig no re Se le ct ins tructio n.if (buf[ISO 7 8 1 6 .O FFSET_ CLA] = = 0 x0 0 & &buf[ISO 7 8 1 6 .O FFSET_ INS] = = (byte )0 xA4) {re turn;}
  67. 67. Gemalto Developer suite
  68. 68. Gemalto Developer suite
  69. 69. Nokia 6212 SDKCompatible with Netbeans and Eclipse
  70. 70. JSR-257 Contactlesscommunication API For NFC andInfrared Optionalpackagefor J2ME DiscoveryManagerTarget listener(nomatter thetype) ConnectionNDEF& ISO14443
  71. 71. MIFARECard is composed of 16 sectorswith 4 blocks of 16 bytes each.In each sector a block is reservedto define access bits. Ex : block 7.A key is initialized to read andwrite data blocks.Security in a MIFARE 1K CARD
  72. 72. MIFARE Anti-collision An anti-collision system allows tooperate with many cards in thesame magnetic field. The algorithm selects each cardone by one and ensures that thetransaction takes place on theselected card without datacorruption.MAD (MIFARE Applicatio n Dire cto ry) is a table writte n infirst se cto r and use d to ide ntify which se cto r isde dicate d to a spe cific applicatio n.RequestRequestAnti-collisionAnti-collisionRead/WriteRead/WriteAuthenticationAuthenticationSelect cardSelect cardCard id ?Transaction timeTransaction timeGSMA tech guide: NFC mobile deviceand reader shall be less than or equal to250ms to meet Service Providerrequirements.GSMA tech guide: NFC mobile deviceand reader shall be less than or equal to250ms to meet Service Providerrequirements.
  73. 73. Receive read-only data from NDEF tagNDEF pushThe MIDlet can see that it was launched by touchinga tag, by reading the DiscoveryManager propertyLaunchType.
  74. 74. Java Card Java Card MIFARE ProX & SmartMXare cards with microprocessor and OS (for example JCOP). An Applet is a JAVA CARD application stored inside theSecure Element. APDU COMMANDS is a way tocommunicate with Applet ISO14443Connection and 7816-4APDUS Security : Crypto Processor
  75. 75. Java Card description At the beginning, applications on Smart Card were all developed proprietary andnative. There was a need to find a generic way to develop an application that could run on 2Smart Cards issued by different companies. The Java Card technology allows developers to gatheraround one way ofprogramming using Java. And it openned the path to third party applications. This technology can also be used to develop on a SIM card. A SIM card has morememory than other types of Smart Cards like Credit Card. Java Card includes: An API (application programming interface) to define Java libraries that can beused A virtual machine Runtime (JCRE) : memory and security management Java Card 2.1.1 SDK provides an environment to test applets,a tool to upload applets into the Java Card, andcode examples.
  76. 76. Smart Card protocols PTS : Protocol Type Sélection ATR : Answer To ResetT=0 Byte-level transmissionprotocol, defined in ISO/IEC7816-3T=1 Block-level transmissionprotocol, defined in ISO/IEC7816-3APDU transmission via contactlessinterface, defined inISO/IEC 14443-4
  77. 77. ISO 7816-4: APDU APDU Command (C-APDU), sent by reader to the card Header, 4 Bytes Class instruction (CLA) Code instruction (INS) Parameters : P1 et P2 Optional body (random size) Lc = length of body (data) in Bytes Le = length of response to the command (Bytes) The data field contains data to be sent to the card, to processinstructions specified in header.
  78. 78. APDU command types 4 APDUs commands are possible depending onwhether it expects a response back or if itcontains data. No data, no required answer CLA INS P1 P2 Data, no required answer CLA INS P1 P2 Lc Data No data, required answer CLA INS P1 P2 Le Data, required answer CLA INS P1 P2 Lc Data Le
  79. 79. AID AID = unique identifier for an application or acertain type of files First 5 bytes are RID (resource identifier) Following bytes are PIX (proprietary identifierextension)
  80. 80. Java Card Select
  81. 81. Java Card: CAPA smart card is inserted into a Card Acceptance Device (CAD) to power on theintegrated circuit.
  82. 82. Java Card features Threads CPU on JavaCard does not support multiple tasks and you can’tuse « synchronized » or « volatile ». Garbage collector Finalize() not supported Non-supported types: Long, Char, Float, Double Supported types:
  83. 83. Java Card features Java Card support atomic transaction System.beginTransaction() System.commitTransaction()System.abortTransaction()
  84. 84. Java Card security « Sandbox »: In Java, code and applicationdata (resources) are protected by a sandboxand can’t interfere with other applications.
  85. 85. Java Card applet• Let’s take the example of a Wallet to see how to codean applet.• This applet allows the SIM card to act as a realeletronic purse.• Use cases• The applet can add and substract money to a balance• Shows the actual balance of the purse• It includes a mechanism to ask for a PIN code for securitypurposesSee articles on Sun website articles on Sun website
  86. 86.
  87. 87. Java Card applet Wallet Package declaration Java naming convention Java Card frameworkpackage com.sun.javacard.samples.wallet;package com.sun.javacard.samples.wallet;import javacard.framework.*;import javacard.framework.*;
  88. 88. Java Card: applet Wallet The Java class must extend Applet. It definesall the methods to communicate with JCRE.public class Wallet extends Appletpublic class Wallet extends Applet
  89. 89. Java Card 2 modes An applet is unactive until it receives an APDUcommand Card Emulation Reader Emulation
  90. 90. Applet PIN code In the Wallet source code, the VERIFYmethod checks the PIN code. The APDUcommand contains the parameter PIN (storedinside the data field). If PIN code is the same than the one definedduring the installation process, the methodreturns true. PIN_TRY_LIMIT = 3
  91. 91. CLA and INS We choose the hexadecimal value 0xB0 toidentify our Wallet. This value identifies all APDU commands thatare processed by the applet. It means that the APDU commands debit andcredit all start with the byte CLA 0xB0.Wallet_CLA =(byte)0xB0;Wallet_CLA =(byte)0xB0;
  92. 92. INS The 2ndbyte of an APDU command identifiesthe instructionfinal static byte VERIFY = (byte) 0x20;final static byte CREDIT = (byte) 0x30;final static byte DEBIT = (byte) 0x40;final static byte GET_BALANCE = (byte) 0x50final static byte VERIFY = (byte) 0x20;final static byte CREDIT = (byte) 0x30;final static byte DEBIT = (byte) 0x40;final static byte GET_BALANCE = (byte) 0x50
  93. 93. Other values Other fixed values of our electronic purse The variables// maximum balancefinal static short MAX_BALANCE = 0x7FFF;// maximum transaction amount final static byteMAX_TRANSACTION_AMOUNT = 127;// maximum number of incorrect tries before the// PIN is blockedfinal static byte PIN_TRY_LIMIT =(byte)0x03;// maximum size PINfinal static byte MAX_PIN_SIZE =(byte)0x08;// maximum balancefinal static short MAX_BALANCE = 0x7FFF;// maximum transaction amount final static byteMAX_TRANSACTION_AMOUNT = 127;// maximum number of incorrect tries before the// PIN is blockedfinal static byte PIN_TRY_LIMIT =(byte)0x03;// maximum size PINfinal static byte MAX_PIN_SIZE =(byte)0x08;OwnerPIN pin;short balance;OwnerPIN pin;short balance;
  94. 94. Applet structure Constructor Install Select Process Header analysis (CLA and INS)public void process(APDU apdu) {public void process(APDU apdu) {
  95. 95. Send and receive APDUs setIncomingAndReceive(); setOutgoingAndSend() Transfer mode Expected length for the answer Send bytes in responsebyte[] apduBuffer = apdu.getBuffer();apduBuffer[0] = byte1;apduBuffer[1] = byte2;apduBuffer[2] = byte3;//0-offset, 3-number of bytes to sendapdu.setOutgoingAndSend(0, 3);byte[] apduBuffer = apdu.getBuffer();apduBuffer[0] = byte1;apduBuffer[1] = byte2;apduBuffer[2] = byte3;//0-offset, 3-number of bytes to sendapdu.setOutgoingAndSend(0, 3);byte[] buffer = apdu.getBuffer();short bytes_left = (short) buffer[ISO.OFFSET_LC];short readCount = apdu.setIncomingAndReceive();while (bytes_left > 0) {//{process received data in buffer}…bytes_left -= readCount;//get more datareadCount = apdu.receiveBytes (ISO.OFFSET_CDDATA);}byte[] buffer = apdu.getBuffer();short bytes_left = (short) buffer[ISO.OFFSET_LC];short readCount = apdu.setIncomingAndReceive();while (bytes_left > 0) {//{process received data in buffer}…bytes_left -= readCount;//get more datareadCount = apdu.receiveBytes (ISO.OFFSET_CDDATA);}
  96. 96. Get Balance Retrieve current balance of the electronicpurse CLA: 0xB0 INS: 0x50: GET BALANCE P1: 0x00: Normal mode P2: 0x00 Data: in: none. out: 2 bytes of balance.
  97. 97. Credit Mutual authentication To send the APDU command, you must first initialize a securetransaction with the applet (MAC): CLA: 0xB0 INS: 0x30: CREDIT P1: 0x00: Normal mode P2: 0x00 Data: - in: 2 bytes of value to credit. - out: 2 bytes of updated balance. - exception: ISOException with reasonSW_SECURITY_STATUS_NOT_SATISFIED (0x6982) if authentication failed.
  98. 98. JSR-177 SATSA JSR-177: Security and Trust Services API forJ2ME Used to communicate with SIM card Used to encrypt/decrypt/sign data Example with symmetric algorithm here:
  99. 99. Gemalto examples APDU commands of GPPurseapplet are stored in the fileAPDU_Commands.atf thatcomes with the project. Youcan open this file with theJcard Manager and executeeach command at a time. Or manually thanks to theoption Send APDU in the menubar.
  100. 100. Gemalto developer suite: Instance AID
  101. 101. Nokia 6131 Secure ElementSecure Element consists of Java Smart Cardarea and Mifare 4K areaA specific API provided for Applets to accessMifare memoryAll access is password protectedPassword is one-way hashed from Mifare KeyAand KeyBJCSystem : atomic transaction managementThe Secure Element IS NOT a play groundProtected by Issuerspecific secret keysProtected by transport keys
  102. 102. PC/SC readers SCMreaderuses PC/SC driver(Windows) Other readers: Philips Pegoda, Omnikey Cardman, etc. The most commonly used smart-card interface is PC/SC, a middlewarelayer backed by Microsoft, and part of the Windows operating system. JPCSC is a Java-wrapperaround the native PC/SC API. JCOP Toolsincludes JPCSC and uses it on Linux and MacOS X. On Windows, JCOPTools uses the native PC/SC API directly. JCOP Tools also includes the JCOP offcard API, which is a comprehensivesmart card API with special support for Java Card and GlobalPlatform. Thatsits on top of native PC/SC, JPCSC, and some other proprietary cardmiddleware. OpenCard Framework(OCF), see split up).
  103. 103. javax.smartcardioJava 6 introduces Smart Card I/OAPI defined by JSR 268.Java 6 introduces Smart Card I/OAPI defined by JSR 268.
  104. 104. Dev tools and architecture Devices used- Mobile phone NOKIA 6131- Tags MIFARE 1K- Pegoda Reader / Philips- SCM Contactless Reader For developers: Netbeans, Eclipse, Visual Studio, etc. NFC software layers Graphical User Interface (GUI), implemented in J2ME (orother). Controller / Application logic (as much as possible),implemented on the Java Card / Secure Element. Memory of the Mifare element used for storing data.
  105. 105. MIDlet proxyPhoneOTA ServerOTA ServerSecure ElementSecure ElementMifareMifare AppletAppletMIDletMIDletOTA provisioning can be done through HTTP / HTTPS or BIP/TCP.BIPis a new generation protocol allowing remote SIM managementover the air (remote file management, remote applicationmanagement).
  106. 106. Physical layer Steps for astandard NFCcommunication1. Open2. Poll3. Connect4. Exchange5. Disconnect6. Close
  107. 107. J2ME Java Midlet Java PlatformMicro Edition Software Development Kit3.0 Lightweight UI Toolkit (LWUIT) integration ProGuard (obfuscator) Limited storage A mobile phone application is divided into 2 packages, adescriptor JAD file and a JAR file containing Java classes. Thanks to the JAD file, the JAR file is installed on themobile phone. Developer can set JAD attributes tomanage permissions, push registry, etc. Use a Controller to listen and launch threaded events:1. Call to NFC chip2. Print new screen3. Save data in Record Store
  108. 108. J2ME Signature and certificate Security exception MIDP permissions
  109. 109. SmartCard Web Server SIM Toolkit successor. SCWS technology can be installed on new generation SIM card andallows GUI management thanks to mobile web browser. The SIM card is the authorization module for secure electronictransactions but it’s the mobile phone that controls and generatesgraphical interfaces. With SCWS, a developer can implement thefull application in one package and deploy it directly on the SIMcard. MMI and Applets are on the same media. Deployment andadministration of applications are simplified. For example: if theuser changes his mobile phone. Moreover, generated interfaces are compatible with most phonesbut the rendering and user interaction is not necessarily better.
  110. 110. SCWS Demo
  111. 111. Example of applicationsNFC Applications – My KeysOfficeOfficeHomeHomeCarCarEdit DeleteParkingP5New keyNew keyreceived.received.Open application ?Open application ?YesYesNoNoWriting keyWriting key75%75%Installing key…Installing key…Key addedKey addedExitExit YesYesAccess granted.Access granted.Add a shortcut ?Add a shortcut ?Lock ALock APAMSZone1PAMSZone2Credential for PAMS Zone 2 can unlock A and BLock B
  112. 112.  See Mobile PKI (ETSI). The MSSP platform is a solution to managedigital signatures for a MNO. Two processes: Registration: to obtain a certificate and a privatekey Signature: to sign data (with private key)Mobile Signature Service ProviderMSSPMSSPOperatorServiceProviderCertificationauthority
  113. 113. Ex: eBanking authentication1. Customer accesses his bank website thanks to hislogin/password.2. Bank sends a request for authentication to Operator (WPKI). Thisrequest includes the mobile number (IMSI: International MobileSubscriber Identity)3. Customer enters PIN code4. eBanking service is authorizedBackBackOkOkEnter PIN codeSecureApplicationOkOkYou are nowauthenticatedBackBackOkOkTheapplicationneeds toverify youridentity
  114. 114. DEMO
  115. 115. HelloKiosk
  116. 116. Conclusion NFC in handsets without knowing itreally soon Industry is now convinced SDK standardization Easy to use ! Remember iPhone
  117. 117. Conclusion Use J2ME 3.0 Use JSR 257 or SCWS Optimize your code Store your data online Never trust a MIDlet Sign your application Use J2ME Polish or LWUIT to adapt your application to your targetplatforms (screen size) Use web app for cross-platform development Use AFSCM specifications for OTA NFC is not an exchange protocol but identificationFo r de ve lo pe rs
  118. 118. Resources Writing a Java Card Applet
  119. 119. Resources Contactless Smart Cards and NFCPeter Harrop, Ning Xiao & Raghu Das, thanks for pictures http://www.rfidjournal.comRFID Information http://mobilepayment.typepad.comMobile payment blog http://0x9000.blogspot.comGreat blog on Java Card developmentSpe cialthanks to Nicolas Pastorellywho he lpe d m e o n so m e slide s
  120. 120. Contact meMaster M.E., Panjab