java card platform
TRANSCRIPT
-
8/3/2019 Java Card Platform
1/35
Sebastian Hans
Senior Staff Engineer
Sun Microsystems Inc.
Java Card PLATFORMOverview
-
8/3/2019 Java Card Platform
2/35
Sun Proprietary/Confidential:
Agenda
Java Card 2 Platform
Java Card 3 Platform
-
8/3/2019 Java Card Platform
3/35
Sun Proprietary/Confidential:
Smartcard basics
Small temper resistant device> 8-32 bit CPU> 1-32KB RAM> ROM and EEPROM up to 128KB> FLASH memory can also be used
High secure memory and CPU
Clock and power from the terminal
One synchronous I/O line Master-slave protocol based, card is the slave
-
8/3/2019 Java Card Platform
4/35Sun Proprietary/Confidential:
Smartcard Standards
The Baseline for all standards and specifications are> ISO 7816 series
> defines electrical and physical characteristics,
>Handshake between card and terminal
> transport protocols,
> applications protocol,
>File structures, Data structures (TLVs)
> Everything in ISO is optional
For Telecommunications (GSM, 3GPP, 3GPP2, OMA,TETRA) ETSI is standardizing a very strict platform theSIM and UICC
For the financial market EMV is the main specification
ICAO defines data structures for e-passports
-
8/3/2019 Java Card Platform
5/35Sun Proprietary/Confidential:
What does a card do ?
A card is an ultimately thin Server> It gets requests and processes them> It never takes the initiative
The programming model follows it> It is centered around the processing
of incoming requests
-
8/3/2019 Java Card Platform
6/35Sun Proprietary/Confidential:
The APDU command
ISO7816.OFFSET_CDATA
CLA INS P1 P2 LC Data
ISO7816.OFFSET_LC
ISO7816.OFFSET_P2
ISO7816.OFFSET_P1
ISO7816.OFFSET_INS
ISO7816.OFFSET_CLA
ISO7816.OFFSET_CDATA
CLA INS P1 P2 LC Data
ISO7816.OFFSET_LC
ISO7816.OFFSET_P2
ISO7816.OFFSET_P1
ISO7816.OFFSET_INS
ISO7816.OFFSET_CLA
CLA INS P1 P2 LC DataCLA INS P1 P2 LC Data
ISO7816.OFFSET_LC
ISO7816.OFFSET_P2
ISO7816.OFFSET_P1
ISO7816.OFFSET_INS
ISO7816.OFFSET_CLA
-
8/3/2019 Java Card Platform
7/35Sun Proprietary/Confidential:
APDU exchange
BO 40 xx xx 05 61 62 63 00
90 00
BO 20 xx xx 01 01 00
90 00
BO 30 xx xx 00 0109 90 00
Processesthe request
Processesthe request
Processesthe request
ClientApplication
CardApplication
-
8/3/2019 Java Card Platform
8/35Sun Proprietary/Confidential:
Java Technology Momentum
3.5 Billion Java-Enabled Cards
1.8 Billion Java-Enabled Phones
7 Million Java Set-top Boxes
800 Million Java Desktops
180 Operators DeployingJava Content
6 Million Developers
Java Everywhere
-
8/3/2019 Java Card Platform
9/35 2008 Sun Microsystems, Inc.Slide 9
Introduction to Java Card
Over 3.5 Billion cards deployed to date> 825M shipped in 2006> 1.2B shipped in 2007
Variety of form factors
All market segments> Telecom (SIM card)> Banking (Payment card)>
ID (citizen/corporate card)> PayTV (subscriber card)> Transport, Healthcare...
100's of products worldwide
Passports
Contactless
USB Tokens
Smart Cards
SIM Cards
Secure FlashMemory
-
8/3/2019 Java Card Platform
10/35Sun Proprietary/Confidential:
The JavaTM
Platform
OptionalPackages
Java
EnterpriseEdition(JEE)
Java
StandardEdition(JSE)
JVM Card VM
OptionalPackages
PersonalProfile
Foundation Profile
CDC
MIDP
CLDC
KVM
Java Platform Micro Edition(JMETM)
JavaCard
PersonalBasis Profile
-
8/3/2019 Java Card Platform
11/35
Sun Proprietary/Confidential:
What is a Java Card
Java Card technology defines:> A subset of the Java programming language and virtual
machine definition suitable for smart card applications> Core and extension Java Card API
> A secure multi application card runtime environment> Enables post-issuance secure card application download
Adaptable to different market needs> (GSM, 3G, ID-card, Ticketing, Transport, Finance)
All services have to be implemented as a Java CardApplet
-
8/3/2019 Java Card Platform
12/35
2008 Sun Microsystems, Inc.Slide 12
Java Card Historical Roadmap
1996 Introduction of Java Card technology
1997 Java Card 2.0 Technology Foundations
1999 Java Card 2.1 Interoperable File Format
2000 Java Card 2.1.1 Additional Crypto APIs
2002 Java Card 2.2 Next gen crypto, memory management
2003 Java Card 2.2.1 Enhancements for USIM
2004 Java Card S Entry level Fixed Function cards2006 Java Card 2.2.2 ETSI and Contactless
2008 Java Card 3.0 Classic and Connected
-
8/3/2019 Java Card Platform
13/35
Sun Proprietary/Confidential:
Java Card Benefits
Object Oriented Programming
Secure Programming Platform
Hardware Independent
Operating System Independent Multi-Application Support
Secure Applet Loading
Open Standard
-
8/3/2019 Java Card Platform
14/35
-
8/3/2019 Java Card Platform
15/35
Sun Proprietary/Confidential:
Java Card Architecture
Vendor-specific Operating System (Mem, I/O, Crypto)
Java Card Virtual Machine
Open PlatformSystem Applet
Applet 1
Open PlatformAPI Java Card API
Applet 2 Applet n
Java Card Runtime Environment
Issuer Defined API
JCRE
Vendor-specific Operating System (Mem, I/O, Crypto)
Java Card Virtual Machine
Open PlatformSystem Applet
Applet 1
Open PlatformAPI Java Card API
Applet 2 Applet n
Java Card Runtime Environment
Issuer Defined API
JCRE
-
8/3/2019 Java Card Platform
16/35
Sun Proprietary/Confidential:
Split VM Architecture
Off-card
Class loading, linking and name resolution
Bytecode verification, optimization and conversion
On-card
Bytecode execution and security enforcement
-
8/3/2019 Java Card Platform
17/35
Sun Proprietary/Confidential:
Java Subsetfor the Java Card Platform
Small primitive data types:boolean, byte, short
One-dimensional arrays Packages, classes, interfaces, exceptions Inheritance, virtual methods, overloading, dynamic object
creation, access scope, binding rules
Optional: 32-bit integer int data type Optional GC
-
8/3/2019 Java Card Platform
18/35
Sun Proprietary/Confidential:
Java Card Runtime Environment
JCRE Card resource management
Communications (APDU exchange, inter-application
communication) Applet execution (selecting and Applet, invoking process
method)
Applet security (firewall)
Performs the tasks ofan operating system
-
8/3/2019 Java Card Platform
19/35
Sun Proprietary/Confidential:
Java Card Runtime Features
Persistent and transient objects
Atomic operations and transactions
Applet firewall and sharing mechanisms
Java Card VM and Java Card RErun for the whole card lifetime!
-
8/3/2019 Java Card Platform
20/35
Sun Proprietary/Confidential:
JC application Sequence Diagram
Off-card On-card
Client App Card AppJCRE
Command APDU
Prepares thecommand
Response APDUDecodes theresponse
process( apdu )
-
8/3/2019 Java Card Platform
21/35
Sun Proprietary/Confidential:
JC application modell
A JC applications is always a subclass of the Applet classfrom javacard.framework
Applets class provides entry points to select and deselectthe application, install it and receive APDUs from the
terminal Reacts to APDU's send from the JCRE to the process
method
Only one active applications at a time Several applet can be selected at the same time but cannot work in parallel
-
8/3/2019 Java Card Platform
22/35
Sun Proprietary/Confidential:
Why a Firewall ?
Provides isolation between applications> In addition to the Java programming language rules
Required because of persistence
Operates dynamically at run-time> Objects are owned by applications
-
8/3/2019 Java Card Platform
23/35
Sun Proprietary/Confidential:
The Firewall Is Flexible
System objects are handled specifically> Some access constraints are relaxed
JCRE entry point objects
Isolation is at the package level
> Several applets can be in the same context
Applets can explicitly share objects> javacard.framework.Shareable
-
8/3/2019 Java Card Platform
24/35
Sun Proprietary/Confidential:
Firewall Granularity
Code
Package B
AppB
Package B
AppB
Package A
AppA1 AppA2
Package A
AppA1 AppA2
Applet
Instance
and Data
AppA1AppA1 AppA2AppA2 AppBAppB
-
8/3/2019 Java Card Platform
25/35
Sun Proprietary/Confidential:
Java Card API packages
Java API Packages>packagejava.lang
Java Card specific packages>packagejavacard.framework>packagejavacard.security>packagejavacardx.crypto
-
8/3/2019 Java Card Platform
26/35
Sun Proprietary/Confidential:
Applet Development Path
Source
(*.java)
Standard
Java
Compiler
Java Byte
codes
(*.class)
Java CardConverter
Java CardConverter
C-JCRE
Simulator
JavaCard
JavaCard
JavaCard
Standard
Java VM
JCWDE
1
2
3
4
CAP file
Verifier
CAP file
Verifier
5
-
8/3/2019 Java Card Platform
27/35
Sun Proprietary/Confidential:
Latest Java Card Specification 2.2.2
2.2.1 maintenance> RMI-related bug in VM spec
> Correct CRC32 bug in Checksum class
> Utility APIs for TLV, short, int
Contactless Enhancements> Extended length APDU support> Memory access API
> Contactless crypto performanceenhancement
> Multiple Interfaces management
> BCD Utility API
Crypto and Security> Additional Crypto algorithms
> HMAC-MD5, HMAC-SHA1, SHA-256, Korean Seed
> Signature w/msg recovery
> Partial message digest> Incorporation of Biometrics API
Standards alignment> 20 Logical Channels support
Focus on Contactless and ID
-
8/3/2019 Java Card Platform
28/35
Sun Proprietary/Confidential:
Agenda
Java Card 2 Platform
Java Card 3 Platform
-
8/3/2019 Java Card Platform
29/35
2008 Sun Microsystems, Inc.Slide 29
Java Card 3.0 Specifications
Launched March 31 2008 Two stand-alone Editions for Java Card 3.0
specifications
Connected Edition> Includes all new network-oriented features
Classic Edition> Leverages the existing Java Card 2.x platform architecture> For the more resource-constrained devices
Both Editions are backward compatible with previous versions andshare key security features
-
8/3/2019 Java Card Platform
30/35
2008 Sun Microsystems, Inc.Slide 30
Classic Edition Features
Traditional split VM> resource efficient, 16-bit on-card VM> off-card conversion for applet size
optimization : CAP files
> on-card or off-card byte code verification> on-demand Garbage Collection
Classic Java Card APIs> Incremental extension of Java Card 2.2.2 platform framework
APDU-based communication> Contact or contactless
-
8/3/2019 Java Card Platform
31/35
2008 Sun Microsystems, Inc.Slide 31
Connected Edition features
Embedded web server withJava Servlet API support> Service static and dynamic content
via HTTP(s)
Multi threaded environment Concurrent communication over
USB, ISO, contactless
Client & Server communication
Full backward compatibility
-
8/3/2019 Java Card Platform
32/35
Sun Proprietary/Confidential:
> Java CardSecurity Features
> Cryptography
> Backwardcompatibility
Java Card 3.0 Features Specifications
Connected Products
> Network-oriented
> High-speed interface
> Larger memory
Classic Products
> Traditional cardarchitecture
> APDU based
> Constrained memory
> HTTP Webserver> Generic Comm. Framework
> Client mode
> String, char, long
> Multi-dim. arrays, collections
> Event Framework
> 32 bit, KVM-level VM> Concurrent app execution
> .class loading, automatic GC
> APDU-based communication
> Incremental evolutionof the Java Card FW
> 16 bit, JC 2.x-level VM
> Off-card conversion
> Single threaded
Java Card 3.0 Specifications
-
8/3/2019 Java Card Platform
33/35
2008 Sun Microsystems, Inc.Slide 33
Java Card 3.0Connectivity Layers and Protocol Stack
New In Java Card 3.0Connected Edition
-
8/3/2019 Java Card Platform
34/35
2008 Sun Microsystems, Inc.Slide 34
Java Card 3.0High Level Architecture
-
8/3/2019 Java Card Platform
35/35
Sebastian [email protected]
Thank You