Technical Overview of Java Card


Published in: Technology, Education

  1. Technical Overview of Java for Smartcards (Anshuman Sinha)
  2. Presentation
     - Java Card
     - Global Platform
     - Java Card Applets
     - Client Software
  3. Why Java for Smartcards?
     - Popular high-level language, object-oriented, large programmer base …
     - Write once and run anywhere
       - Any vendor's smart card (interoperability)
       - Any vendor's secure controller (portability)
     - Open programmable platform for third-party application development
     - Java Card is the winner … SIM, PIV, TWIC etc.
  4. Java Platforms
     [Figure; labels: Java Platform Size, Machine Size]
  5. Java Card Tool Chain
     [Figure; labels: .java files, Compiler, .class files, Converter, .exp files (shown twice), .jca files, .cap files, Loader, Java Smartcard]
     - Use any Java compiler
     - Use favorite development environment
     - Loader is specific
  6. Java Card Block Diagram
     [Figure; labels: Applet 1, Applet 2, Applet 3, Currently Selected Applet, Vertical API(s), Java Card API, Java Card Runtime Environment (JCRE), Java Card VM, Card Manager, Card Operating System, Smartcard Controller + Cryptography Co-processor, APDU, Response]
  7. Hardware
     [Figure; labels: Smartcard Contacts, Clk, I/O, Reset, Vcc, GND, Memory Chip, Security & Address Logic, EEPROM, ROM, Controller, CPU, NPU, RAM, R/F Interface, Antenna Coil, Mod, Demod]
  8. Java Card Operating System
     - Process Loop
     - File System
     - File context
     - Crypto algorithms
     - Data Integrity
     - Memory Management
     - Hardware Interfaces
     - Memory write/erase
     - Anti-Tearing
     - Access Controller
     [Figure; labels: Terminal Command, Process Loop, ISO Commands, ISO File System, MF, DF1, DF2, EF 1, EF 2, Anti-Tearing, Begin Transaction, Tear, EEPROM/Flash Memory, Write Log]
     - If no tear, clear the transaction buffer
     - If tear, roll back the update as if no write occurred
  9. Java Card Runtime Environment
     - Java Applet Storage
     - Java Heap Storage
     - Java Native Interface
     - Applet Selection
     - Applet Instantiation
     - Applet Context
     - Exception Handling
     - Session Anti-tearing
     - Random security checks
     - Firewalling
     [Figure; labels: Applet Data and Code, Applet Firewall, Java Bytecode Storage, Java Object Store, Applet 1, Applet 2, Applet 3, Currently Selected Applet]
  10. Applet Firewalling
     - On Java Card the applets are firewalled, which means one applet can't access the objects of another at runtime.
     - Each applet has its own context. The applet firewall is the separation of one context from another.
     - The JCRE has a global context. It has access privileges to the objects and fields of any applet.
  11. Smartcard Protocols
     - 7816-4: Inter-industry commands for interchange
     - Contact stack
       - 7816-1: Physical characteristics
       - 7816-2: Dimensions and locations of the contacts
       - 7816-3: Electronic signals and transmission protocol
       - 7816-3: T=1/T=0 transmission protocol
     - Contactless stack
       - 14443-1: Physical characteristics
       - 14443-2: RF power and signal I/F
       - 14443-3: Initialization and anticollision
       - 14443-4: Transmission protocol
  12. Java Card 2.2.2 API
     [Label: Core Packages]
     - java.lang
     - java.rmi
       - service
     - javacard.framework
       - Applet
       - AID
       - APDU …
     - [package name missing from transcript]
       - DESKey
       - AESKey
       - Checksum …
     - javacard.framework.service
     - javacardx.crypto
       - DES algorithm
       - AES algorithm
       - RSA … and ECC
     - javacardx.apdu
     - javacardx.biometry
     - javacardx.external
     - javacardx.framework.math
     - javacardx.framework.util
     - javacardx.framework.util.intx
  13. Java Subsetting
     - Multi-threading
     - String handling
     - Dynamic class loading
     - Security Manager Card Manager
     - Garbage collection and finalization
     - Object cloning
     - Access control in Java packages
  14. Fully Supported Features
     - Packages
     - Dynamic object creation
     - Transient objects
     - Virtual methods / inheritance
     - Interfaces
     - Exceptions
     - Pseudo-garbage collection
  15. Partially Supported Features
     - The Object class is the root class of all objects, but not all of its methods are supported.
     - The Throwable class is not fully supported, but it is available as the root class of all exceptions thrown.
  16. Token-based Linking
     - Items are referenced as opaque tokens.
     - Linking can be either on-card or off-card.
     - No need to know internal implementation details of the on-card API to link off-card cardlets.
     - Works efficiently with limited resources (RAM) on card.
     - The converter refers to the export file of the package to link to external items.
     - It picks the external token from the export file and puts it in the CAP file of the package.
     - Since the name-to-token mapping is published in the export file, the tokens can be assigned in any order.
  17. Java Execution Engine
     [Figure; labels: Runtime, Applet Context, Applet (package), JCRE Context, Frame, Operands, Locals, 16-bit Word, Bytecode Handlers, Native Table, Function, Java Heap, step numbers 1. 2. 3., Fetch, Execute, Increment, Update]
  18. Security Exception
     - Instructions which throw SecurityException:
       - All invokes (static/special/interface)
       - getfields and putfields
       - checkcast
       - instanceof
       - athrow
       - arraylength
     - Security is built into the bytecodes
     - The Java Card virtual machine can throw a runtime exception on these bytecodes
  19. Exceptions
     - The exception object has a 2-byte reason code, instead of a message string, as a parameter to the exception class.
     - Exceptions are of two types: checked and unchecked.
     - Checked exceptions must be caught and declared by the keyword throws in the method body.
  20. Exceptions
     - Unchecked exceptions, or runtime exceptions, are runtime errors thrown by the JCVM or JCRE.
     - Known exception objects are pre-created; an application supplies the reason code and calls the throwIt method.
  21. Presentation
     - Java Card Design
     - Global / Open Platform
     - Applets
     - Client Software
  22. Global Platform
     - Global Platform specifies secure, dynamic card and application management using commands, policies, transaction sequences and interfaces that are hardware neutral
       - System, Terminal and Card Specifications
     - Card Specifications
       - Defines the loading of applets to the card both pre- and post-issuance
       - Registers applets to a Security Domain
       - Verifies the source of application code by validating its signature
       - Opening and closing of an (SSL-like) secure channel
       - Application management – install and delete
       - Card management and life cycle
  23. Card Manager Life Cycle
     [Figure: state diagram]
     - States: OP_Ready, Initialised, Secured, CM_Locked, Terminated
     - Annotations:
       - Card manager acts as default selected application
       - Initialisation key controls access
       - At least one key set loaded
       - Post-issuance mode (at least MACing required)
       - All applications locked
       - Only Card Manager is available
       - End of card life cycle (card is mute)
     - Transition labels: APDU Set Status, API lockCardManager, API terminateCardManager
  24. Applet Life Cycle
     [Figure: state diagram]
     - Installed: application is installed (instantiated) but not available yet
     - Selectable: application is available (activated)
     - Personalized: application has been personalized
     - Blocked: application is blocked, but behaviour is application-dependent
     - Locked: application is locked (not available); only Card Manager can unlock
     - Deleted
     - Transition labels: APDU Install, APDU Set Status, API setCardContentState, APDU Delete
  25. Applet Loading
     [Figure; labels: HOST, CARD, OPEN NETWORK, Card Issuer, Application Provider A, Application Provider B, Card Manager, Security Domain A, Security Domain B, Applet, Java Card Applet, Applet chunks, Secure Channel]
  26. Presentation
     - Java Card Design
     - Global / Open Platform
     - Applets
     - Client Software
  27. Java Card Applets [1/2]
     - Extension of javacard.framework.Applet
     - Applet has the following methods …
       - deselect(): Called by JCRE before selection of another applet.
       - getShareableInterfaceObject(..): Called by JCRE on behalf of client applet to get all methods which are shared …
       - install(..): Called by JCRE on behalf of client applet to get all methods which are shared …
  28. Java Card Applets [2/2]
       - process(APDU): Called by JCRE to process application specific commands
       - register(..): Called by JCRE to process application specific commands
       - select(): Called by JCRE when this applet is selected
       - selectingApplet(): Called by JCRE to return any data back to terminal while the applet is being selected
  29. Presentation
     - Java Card Design
     - Global / Open Platform
     - Applets
     - Client Software
  30. Client Software
     - Java client software
       - PCSC / JPCSC – reader connections
       - Card detection
       - Service registry
     - Applet loading
       - Splits applet into chunks
       - Loading and verification
     - Application-based commands
       - E.g. PIV – reading the image of the cardholder
     - Test suites
       - Visual Basic scripting
       - Java client
  31. PCSC/JPCSC Design
     [Figure; labels: ICC Aware Application, Service Providers, ICC Resource Manager, IFD Handler (three), IFD (three), ICC (three), RS232, PS/2]
  32. References
     - Java Card specifications
     - Global Platform specifications
     - ISO 7816 and 14443 standards
     - PC/SC specifications
     - NIST SP 800-73 specifications for PIV
     - … and others
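
An added example, not part of the original slides: a minimal Java Card applet that ties together the applet entry points (slides 27 and 28), reason-code exceptions raised through `throwIt` (slides 19 and 20) and transaction-based anti-tearing (slides 8 and 9). The package and class names, the CLA/INS bytes and the starting balance are hypothetical.

```java
package example.purse; // hypothetical package name
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;

public class PurseApplet extends Applet {
    private static final byte CLA_PURSE = (byte) 0x80; // constructed proprietary class byte
    private static final byte INS_DEBIT = (byte) 0x10; // constructed instruction codes
    private static final byte INS_READ  = (byte) 0x20;
    private short balance = 100; // persistent fields, stored in EEPROM/flash
    private short txCount;
    private PurseApplet() { register(); } // make this instance known to the JCRE
    // Called by the JCRE when the applet instance is created at install time.
    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PurseApplet();
    }

    // Called by the JCRE for every command APDU while this applet is selected.
    public void process(APDU apdu) {
        if (selectingApplet()) return; // the SELECT APDU itself: status 0x9000
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_CLA] != CLA_PURSE)
            ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_DEBIT:
            if (apdu.setIncomingAndReceive() != 1) // exactly one data byte expected
                ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            short amount = (short) (buf[ISO7816.OFFSET_CDATA] & 0x00FF);
            if (amount > balance) // 2-byte reason code, no message string
                ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
            JCSystem.beginTransaction();  // both fields change, or neither does
            balance = (short) (balance - amount);
            txCount++;
            JCSystem.commitTransaction(); // a tear before this point rolls both back
            return;
        case INS_READ:
            Util.setShort(buf, (short) 0, balance);
            Util.setShort(buf, (short) 2, txCount);
            apdu.setOutgoingAndSend((short) 0, (short) 4);
            return;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

The input checks run before `beginTransaction()`, so a rejected command never opens a transaction, and the reason code passed to `throwIt` is what the terminal receives as the status word.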