This Blog covers the latest Java technology for small devices and security in the IoT, mobile, ID and Payment

What is Java Card?

Florian Tournier
Senior Director, IoT and Security
Here is an answer, which also includes the answer to a few ancillary questions...

Java Card was designed as a subset of Java targeting smart cards

Java Card technology is a specific Java platform that targets smart cards and related systems, which typically run on specific hardware known as Secure MCUs. The Java Card platform has a very small footprint, and it explicitly targets security applications, with dedicated APIs to manage authentication credentials (PIN) and cryptography.
When and why did this idea come?
The first version of Java Card was created in 1996, and it took a few iterations to design Java Card 2.1.1, in 1998. The most important design decisions taken then remain in use today. In 2015, we expect Java Card to be deployed on over 3 billion smart cards, and this number has been growing steadily since the first deployments around 2000.
At the end of the 1990s, smart cards, and in particular SIM cards, were a booming market. Some specifications had been defined that allowed mobile operators (who issue SIM cards) to load scripts/applications on their SIM cards. The industry was looking for a standard to support these applications. Every vendor was working on a proprietary solution, and Java Card rapidly emerged as a "neutral" solution that could satisfy all parties.
Why a specific platform?
In 1997, the specification for a smart card that would support Java Card was to have at least 64k of ROM, 16k of EEPROM, and 256 bytes of RAM. Even then, this was several orders of magnitude smaller than Java's requirements. Beyond memory, smart card hardware and basic software are quite specific, and this led to Java Card design decisions:
  • Power is external, but the persistent memory exhibits good atomicity properties.
  • Smart cards process commands and communicate through a single serial channel.
  • Smart cards are tamper-resistant and their security is often certified.
Smart cards have even more strange characteristics, but this is definitely enough to justify a specific platform.

Java Card does not run on PCs or servers

This is a consequence of the first answers: Java Card is made to run on cards, not "big" computers. The Java Card specification does not define how a computer can access a smart card, even from Java.
How can we access a Java Card card from a PC?
A card that includes Java Card is accessed like any other smart card, through a card reader, and using the ISO7816 standard (if a contact interface is used), or the ISO14443 standard (if a contactless interface is used). Most computers today support PC/SC, which is a standard interface that supports many kinds of smart card readers.
In Java, an API to access smart cards is defined in JSR-268, which is supported in all recent Java releases from Oracle.
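
The access path described above, as an added example that is not part of the original post: a host program uses the JSR-268 API (`javax.smartcardio`) over PC/SC to send an ISO 7816-4 SELECT command and interpret the status word the card returns. The AID is a constructed placeholder, and when no reader or card is present the program decodes two constructed responses instead.

```java
import javax.smartcardio.*;
import java.util.List;

public class SelectApplet {
    // Constructed AID for illustration only; use the AID your applet was installed under.
    static final byte[] AID = {(byte) 0xF0, 0x01, 0x02, 0x03, 0x04, 0x05};

    // ISO 7816-4 SELECT by name: CLA=00 INS=A4 P1=04 P2=00, data=AID, Le=00.
    static CommandAPDU select(byte[] aid) {
        return new CommandAPDU(0x00, 0xA4, 0x04, 0x00, aid, 256);
    }

    // Map the two-byte status word (SW1 SW2) to an outcome.
    static String describe(ResponseAPDU r) {
        int sw = r.getSW();
        if (sw == 0x9000) return "applet selected, " + r.getData().length + " data bytes";
        if (sw == 0x6A82) return "applet not found";
        if (r.getSW1() == 0x61) return r.getSW2() + " more bytes available";
        return String.format("refused, SW=%04X", sw);
    }

    static String hex(byte[] b) {
        StringBuilder s = new StringBuilder();
        for (byte x : b) s.append(String.format("%02X ", x));
        return s.toString().trim();
    }

    public static void main(String[] args) {
        CommandAPDU cmd = select(AID);
        System.out.println("C-APDU: " + hex(cmd.getBytes()));
        try {
            List<CardTerminal> readers = TerminalFactory.getDefault().terminals().list();
            for (CardTerminal t : readers) {
                if (!t.isCardPresent()) continue;
                Card card = t.connect("*");   // T=0 or T=1, whichever the card offers
                try {
                    System.out.println(t.getName() + " ATR: " + hex(card.getATR().getBytes()));
                    System.out.println(describe(card.getBasicChannel().transmit(cmd)));
                } finally {
                    card.disconnect(false);
                }
                return;
            }
        } catch (CardException e) {
            System.out.println("PC/SC unavailable: " + e.getMessage());
        }
        // No reader or card: decode two constructed responses instead.
        System.out.println(describe(new ResponseAPDU(new byte[] {(byte) 0x90, 0x00})));
        System.out.println(describe(new ResponseAPDU(new byte[] {0x6A, (byte) 0x82})));
    }
}
```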

Java Card is pervasive

Java Card is pervasive in the sense that it is everywhere although it is mostly invisible. Here are a few places where Java Card technology can be found:
  • On SIM cards, in particular if you live in Europe, America, Japan, or South Korea, or if you have a NFC-enabled SIM card. The main use cases are SIM Toolkit applications (the original use case), as well as NFC applications.
  • On payment smart cards, in particular if your card supports both a contact and a contactless interface. With smart card deployments in China and USA, the volumes are still growing fast in 2015.
  • On identity cards and electronic passports, depending on the country. National ID programs with several applications are typically good candidates for Java Card.
In 2015, roughly 1 smart card out of 3 deployed will include Java Card. These are mostly the high-end cards, in all vertical application domains.

Java Card developers are specialists

Java Card technology is mostly used by specialists from the smart card industry, because smart card development is a bit specific:
  • Smart cards are deployed in large numbers (millions for most deployments) with no possibility for update in most cases. In such a context, there is a great emphasis on quality, and strong compliance requirements.
  • Smart cards protect sensitive assets and are potential attack targets. They are often subject to strict security certifications, requiring specific development procedures and even secure development premises.

There are no statistics on the number of Java Card developers, but we can estimate them to be in the thousands, with only a few highly-skilled specialists in every company that develops Java Card applications.

Can I develop a Java Card application?
Yes. Anybody can download our development kit and start developing a Java Card application. Java Card is routinely used in classrooms, and a number of startups have developed their own Java Card application. Java Card is a rather simple subset of Java, and it is by far the easiest way to develop an application for smart cards.

Yet, before you start developing, there are at least two things to consider:

  • Smart cards are for security. The hard part of developing a Java Card application is the security part. The application must have a clear security purpose, and it must be developed following strict security standards. This is where expertise is required, even if Java Card makes the development of applications easier.
  • Smart card applications need to be deployed. Smart cards typically belong to their issuers (governments, banks, MNOs, etc.). Deploying an application typically requires getting in touch with issuers and convincing them to deploy, which is a hard task. Unless of course your plan is to design a device that includes a smart card core and deploy it yourself.
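
To show what the "security part" looks like in code, here is an added example (not from the original post or from Oracle's kit) of a small applet that uses the platform's PIN API, `javacard.framework.OwnerPIN`, to gate access to stored data. The package name, the `INS_READ` value, the initial PIN and the stored bytes are all constructed for illustration.

```java
package example.pinapplet;   // hypothetical package name

import javacard.framework.*;

public class PinApplet extends Applet {
    private static final byte INS_VERIFY = (byte) 0x20;   // ISO 7816-4 VERIFY
    private static final byte INS_READ   = (byte) 0xB0;   // chosen for this example
    private static final byte TRY_LIMIT = 3, MAX_PIN_LEN = 8;

    private final OwnerPIN pin;
    private final byte[] secret = {0x53, 0x45, 0x43, 0x52};   // constructed sample data

    private PinApplet() {
        pin = new OwnerPIN(TRY_LIMIT, MAX_PIN_LEN);
        // Demo only: a real deployment sets the PIN during personalization.
        byte[] initial = {0x31, 0x32, 0x33, 0x34};
        pin.update(initial, (short) 0, (byte) initial.length);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PinApplet().register();
    }

    // Drop the validated state when another applet is selected.
    public void deselect() { pin.reset(); }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_VERIFY:
            short len = apdu.setIncomingAndReceive();
            if (len < 1 || len > MAX_PIN_LEN) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            // OwnerPIN updates its try counter outside any transaction, so
            // aborting a transaction cannot give back a spent attempt.
            if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) len))
                ISOException.throwIt((short) (0x63C0 | pin.getTriesRemaining()));
            break;
        case INS_READ:
            if (!pin.isValidated())
                ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            Util.arrayCopyNonAtomic(secret, (short) 0, buf, (short) 0, (short) secret.length);
            apdu.setOutgoingAndSend((short) 0, (short) secret.length);
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

After three wrong attempts the PIN is blocked and `INS_READ` keeps failing with "security status not satisfied"; the applet deliberately offers no unblock command, which a real design would have to specify.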
