Java Card™ Open Platform for Smart Cards


Wolfgang Effing
Giesecke & Devrient GmbH

Java Card Open Platform Combines tomorrow's technology and platforms C:\Presentations - JavaCard_OpenPlatform.ppt - ef - 29.04.04 - page 1

What happened in the past?

• Every company created its own proprietary standard
  – E.g. a GSM smart card was not able to run a banking application
• In the PC world it's the same with WinNT, Linux or Macintosh

[Diagram: platform-specific applications 1, 2, 3 on top of an operating system on top of a microprocessor (chip card platform)]

• But the internet era taught us
  – The customer wants to use the same applications independent of any platforms

What are the ideas for the future?

• Creating an operating system which allows the "Write once - Run anywhere" principle
  – The internet with its Java programming language showed us the right way

[Diagram: Java applications (applets) 1, 2, 3 on top of the Java interpreter / Java Virtual Machine, on top of an operating system, on top of a microprocessor]

• A powerful smart card which is able to run a GSM, banking or ID application
  – The user selects his requested application and starts

Java Card Basics (1)

• What is Java Card?
  – A programmable smart card
  – A multi-application smart card
  – An interoperable smart card
  – A smart card for secure application loading
• A programmable smart card
  – Easy to program using the power of Java
  – Object-oriented
  – Standard language
    • A lot of programmers
  – Very compact code

Java Card Basics (2)

• A multi-application smart card
  – Several applications can be loaded onto the same card
  – Firewall between applications
  – Sharing between applications
  – ISO-7816/4 compliant application selection
• An interoperable smart card
  – Interoperable at the source code level
    • Applications written for one card can run on any card
    • Write once - Run anywhere
  – Interoperable at the load file level
    • Since Java Card Runtime Environment JCRE 2.1
    • Converted Applet CAP file can be loaded onto any card
  – Interoperable at the loader level
    • Since Open Platform 2.0
    • The loading APDUs and sequences are defined

Java Card Basics (3)

• A smart card for secure application loading
  – High security features of Java Card
    • Allows application loading after issuance
  – VM concept
    • No direct hardware access
  – References instead of pointers
  – Bytecode verification
  – Firewall
    • Secured execution contexts

The Java Card Architecture - Overview

[Diagram: Java Card architecture overview]

The Java Card Architecture - Hardware

• Chip features (Infineon SLE66CX320P)
  – 64 kByte ROM
  – 32 kByte E²PROM
    • 28 kByte available for the customer
  – 2 kByte RAM
    • 255 Byte COD/COR per package
  – Crypto-Coprocessor
    • DES/3DES in hardware
    • Advanced Crypto Engine (ACE) for RSA calculations
  – UART
    • Support of transport protocols

The Java Card Architecture - Native Functions

• Native Functions
  – Access to the chip hardware
    • Communication protocols (T=0/T=1)
    • Memory access (E²PROM writing)
  – Special card functions
    • Atomic Transaction Facility
    • Transient Storage
  – Cryptographic services
    • Symmetric Cryptography (DES, 3DES)
    • Public Key Cryptography (RSA 1024 Bit key, DSA)
  – Hashing (SHA-1)
  – Padding (ISO 9797, PKCS#1, PKCS#5)
  – Signing
  – Encipher, Decipher
  – Firewall control

The Java Card Architecture - JCVM (1)

• The Java Card Virtual Machine (JCVM) is responsible for
  – Byte Code Interpretation
  – Exception Handling
  – Firewall Checks
  – Object Consistency Checks
• The JCVM does not support
  – Long, double and float variables
  – Multithreading
  – Garbage collection
  – Reloadable classes
  – Currently no 32 bit integer

The Java Card Architecture - JCVM (2)

• The JCVM is split into two parts

[Diagram: .class files → Converter (off-card) → .cap file → Interpreter (on-card)]

• The Converter (off-card VM)
  – Class loading, resolution and linking
  – Verification
  – Bytecode optimization and conversion to CAP file
• The Interpreter (on-card VM)
  – Bytecode execution
  – Java Card firewall enforcement

The Java Card Architecture - JCRE

• Java Card Runtime Environment (JCRE)
  – Card Reset Handling
  – Applet Selection and APDU Dispatching
  – Firewall Control and Context Switching
  – Access to Application Identifiers (AIDs)
  – Access to Shareable Interface Objects (SIOs)

The Java Card Architecture - API (1)

• Java Card API 2.1
  – java.lang
    • Language Elements
  – javacard.framework
    • Core Applet Functionality
  – javacard.security
    • Random, Keys, Message Digests, Signatures
  – javacardx.crypto
    • Cipher Services

The Java Card Architecture - API (2)

• java.lang
  – Object
  – Throwable
  – Exceptions
• javacard.framework
  – Applet (base class for all Applets)
  – AID
  – APDU (high level IO)
  – System (Transactions, Transient Data, JCRE requests)
  – PIN
  – Util (arrayCopy(NonAtomic), secure arrayCompare)
  – Exceptions, Shareable Interface, ISO7816 Interface

The Java Card Architecture - API (3)

• javacard.security
  – Key Interfaces
  – Key Builder
  – Message Digest
  – Signature
  – Random Data
• javacardx.crypto
  – Symmetric Cryptography
    • DES, 3DES
  – Public Key Cryptography
    • RSA, DSA

The Java Card Architecture - Card Management

• Card Manager Applet, API and Loader
  – Card Content Management
  – Card Life Cycle Management
  – Keyset Management
  – Secure Messaging
  – Applet Signature Verification
  – Applet Installation and Registration
  – Applet Life Cycle Management

Programming a Java Card - Overview

[Diagram: Java™ source code → Java compiler (Symantec Visual Café, Borland J-Builder, Microsoft J++, ...) → Java™ class file → G&D Professional (off-card VM converter module) → Card Application Package (CAP) → Java Card (on-card VM); the stages are marked "Functional test" and "Test with card characteristics"]

• The Java™ source code will be converted into the class files with standard tools
• Input of the G&D Java Card VM are class files, containing byte code
• Some work of the JVM is done outside the card
• A new simplified and smaller card class file (CAP format) is generated
• The CAP file with the applet is loaded onto the card
• The applet will be interpreted on the smart card
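
The slides list "ISO-7816/4 compliant application selection" and, for the JCRE, "Applet Selection and APDU Dispatching". The following host-side model is an added example, not code from the presentation or from G&D: it parses short command APDUs, handles SELECT by AID, and routes later commands to the selected applet only. The AIDs, the `0x10` instruction, the counter applets and the status words chosen for the error cases are assumptions of this model.

```python
SW_OK, SW_WRONG_LENGTH = 0x9000, 0x6700
SW_FILE_NOT_FOUND, SW_INS_NOT_SUPPORTED = 0x6A82, 0x6D00

def parse_apdu(raw: bytes):
    """Split a short command APDU into (cla, ins, p1, p2, data, le)."""
    if len(raw) < 4:
        raise ValueError("header needs CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                          # case 1: header only
        return cla, ins, p1, p2, b"", None
    if len(body) == 1:                    # case 2: Le only (0 means 256)
        return cla, ins, p1, p2, b"", body[0] or 256
    lc = body[0]
    if lc == 0 or len(body) not in (1 + lc, 2 + lc):
        raise ValueError("Lc does not match the data field")
    le = (body[1 + lc] or 256) if len(body) == 2 + lc else None
    return cla, ins, p1, p2, body[1:1 + lc], le

def select_apdu(aid: bytes) -> bytes:
    """SELECT by DF name: CLA=00 INS=A4 P1=04 P2=00 Lc AID."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid

def make_counter_applet():
    state = {"n": 0}                      # private to this applet instance
    def process(ins, data):
        if ins != 0x10:                   # 0x10 = hypothetical "increment"
            return b"", SW_INS_NOT_SUPPORTED
        state["n"] = (state["n"] + 1) & 0xFF
        return bytes([state["n"]]), SW_OK
    return process

class Card:
    """Toy runtime: routes each APDU to the currently selected applet."""
    def __init__(self, applets):
        self.applets, self.selected = dict(applets), None

    def transmit(self, raw: bytes):
        try:
            cla, ins, p1, _p2, data, _le = parse_apdu(raw)
        except ValueError:
            return b"", SW_WRONG_LENGTH   # malformed input never reaches an applet
        if (cla, ins, p1) == (0x00, 0xA4, 0x04):
            if not 5 <= len(data) <= 16:  # AID length per ISO 7816
                return b"", SW_WRONG_LENGTH
            if data not in self.applets:
                return b"", SW_FILE_NOT_FOUND   # selection unchanged
            self.selected = data
            return b"", SW_OK
        if self.selected is None:
            return b"", SW_INS_NOT_SUPPORTED
        return self.applets[self.selected](ins, data)

AID_BANK = bytes.fromhex("F00000000101")  # constructed AIDs
AID_GSM = bytes.fromhex("F00000000102")
```

Each applet keeps its own counter, so incrementing under one AID never changes the value seen under the other.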
