Java Card Security Architecture
The Java Card technology enables smart cards and other devices with limited memory to run Java-based applications. Java Card technology brings a whole set of advantages to smart cards by offering a secure execution environment, platform-independence, the ability to store and update multiple applications, and compatibility with existing smart-card standards. It is also important to note that the Java Card technology [JavaCard] was developed specifically to enhance the security of smart cards.
Understanding Smart Cards
A smart card looks like a typical credit card but is much more powerful than the traditional magnetic stripe card. Smart cards make use of an embedded microprocessor chip. One of the primary advantages of smart cards over magnetic stripe cards is their ability to run small applications that perform computations. They are, in a sense, small computers. Smart cards are also compatible with a variety of portable electronic devices, such as cellular phones, personal digital assistants (PDAs), and other consumer devices.
Figure 3-6 The Java Card (Source: Sun Microsystems)
Smart card technology is quickly becoming a replacement for several current technologies—from ID badges to credit cards. Financial companies are considering smart cards as a mechanism for delivering services at a lower cost to businesses and consumers. A common service would be an electronic purse service that allows bank customers to transfer money from their bank accounts to their smart cards in the form of secure electronic cash. The electronic cash can then be used to purchase products, pay bills, or pay bridge tolls. Smart cards can be used as a form of ID in a variety of industries. Smart cards can hold information commonly found on an ID card, driver's license, or in a patient's medical records. For example, a doctor can create a record of a patient's treatment history by writing information to his or her smart card. This allows the patient, or another doctor, to have medical information available at any time. A smart card can also act as an employee access badge (by containing encrypted security information such as user names and passwords) that allows an employee access into a company's building or computer network.
Smart Card Components
Each smart card solution requires a number of hardware and software components (operating systems, APIs, and applications) and protocols (for communication between tiers and between components on a tier). There can be four or more hardware components in an enterprise smart card solution. The hardware components are the smart card, the card reader or card acceptance device (CAD), the terminal, and the back-end business applications. All smart cards contain some amount of memory—ROM, RAM, and EEPROM (that is, electrically erasable programmable read-only memory). Both memory cards and processor cards can store much more information than traditional magnetic stripe cards. ROM is used to hold the operating system and other software that you cannot modify. RAM is a volatile memory and any information in RAM is lost when the card is disconnected from the reader. Like ROM, EEPROM is used to store information that persists after power is disconnected. The CAD is a card reader that enables access to and communication with a smart card. It can also enable developers to build applications that are smart card capable. The card reader provides a "path" for your application to send and receive commands from the card. The card reader is connected to a terminal that is usually an electronic device—from common computer workstations and desktop computers (PCs) to small embedded devices, such as screen phones, set-top boxes, and cellular phones. The back-end technologies provide the information, database, or processing system to facilitate any number of smart-card enterprise solutions. Smart cards solve many of the security problems that occur in a network environment. At the center of the solution is the promising fact that a smart card requires a user PIN (Personal Identification Number) to get access to a system.
Java Card Technology in Smart Cards
Java Card technology makes it possible to create and download new applications and services to smart-card consumers. In general, a Java Card is a smart card that is capable of running Java applets. From a security standpoint, the Java Card technology maintains the built-in security of the Java platform and makes the smart card a safe way to conduct consumer transactions over such insecure networks as the Internet and public telephone systems. Thus, Java Card technology preserves many of the existing benefits of the Java programming language, such as security, robustness, and portability.
Java Card technology was designed based on the smart-card specification standard, ISO7816. This standard specifies that communication between a host application and a smart card occur through Application Protocol Data Units (APDUs). An APDU is a packet of data that conforms to a specific format. There are two types of APDUs: command APDUs and response APDUs. In Java Card technology, the host application sends a command APDU, and a Java Card applet responds with a response APDU. The Java Card technology defines a Java Card runtime environment (JCRE) on top of the hardware and the smart-card native system.
The JCRE acts as an intermediary between the native smart card system and the Java Card applet. The command APDU is transmitted to the JCRE, which sends it to the appropriate Java Card applet for processing. After processing the APDU, the Java Card applet transmits a response APDU to the JCRE, which sends it to the host application.
Java Card Runtime Environment and APIs
The JCRE provides a high-level standard interface to smart-card applications. As a result, it is much easier to develop applications for a Java smart card. The JCRE provides a secure execution environment with a virtual firewall between different applications in the same card. This allows different applications on the same card to function separately and independently from each other, as if they were on separate cards.
The Java Card API is a subset of the Java platform that allows development using object-oriented programming to create secure smart applications. By contrast, traditional smart-card application programming uses assembly language or the C programming language, which forces security evaluation of the application and also requires looking at the entire application as a unit to verify the behavior.
The Java Card API is a standard set of APIs and software classes that will run on any existing smart card. It is ISO7816-4 compliant, and compatible with formal international standards such as ISO7816 and industry-specific standards such as Europay/MasterCard/Visa (EMV). It also provides Java Card issuers with interoperable services through logical channel support defined by standards organizations, such as the European Telecommunications Standards Institute (ETSI), Third Generation Partner Project (3GPP), and Wireless Access Protocol (WAP). The Java Card provides the issuers with security options by supporting cryptographic algorithms, including Advanced Encryption Standard (AES) and Elliptic Curve Cryptography (ECC).
Let's look at the Java Card platform security features in greater detail.
Java Card Platform Security Model
The Java Card platform provides a number of security features that can be enforced at every level at the inception of application development. They are characterized as follows:
- The Java Card technology supports a subset of the Java programming language and JVM specifications, inheriting the security features built into the supported subset.
- The Java Card platform stores the objects and data in memory. During a power loss or unexpected failure, the platform makes sure that the objects and data are stored to its previous state before such failures.
- The Java Card applets are verified to ensure their integrity, because they can be downloaded over an unsecured network. A trusted third party can also cryptographically sign Java Card applets. The digital signature of an applet can be verified during on-card installation to further ensure the safety of the code.
- In the Java Card runtime, the notion of a sandbox is implemented via the applet firewall mechanism. The firewall essentially assigns an object space, called a context, to each applet on the card. Data access within a context is allowed, but the access to an applet in a different context is prohibited by the firewall. Applets residing in different contexts can share objects using secure object-sharing mechanisms by implementing a shareable interface.
- The Java Card applets are not allowed to execute native methods except for the card's vendor-issued applets. This means that applets installed after issuance of the card are restricted from running native methods.
- The Java Card technology embraces techniques using compressed archive files with cryptographic signatures to provide tamperproof distribution and installation procedures for Java class files and Java Card applets.
Java Card Applets
A Java Card applet is a smart card application written using the Java Card APIs and is able to run within a JCRE. It is important to note that Java Card applets are not intended to run in a Web browser environment. Multiple applets can be loaded and coexist on a Java Card and can have multiple instances. Each applet instance is uniquely identified by an application identifier (AID). Similar to any persistent objects, applets installed on a Java Card live throughout the entire lifetime of the Java Card as long as the card is usable. The applets will terminate only if they are uninstalled. The process of applet installation to a card (also referred to as masking) is done through the proprietary tools provided by the Java Card manufacturer.
Java Card Applet Development and Installation
To study Java Card security, it is very important to understand the process of developing and installing Java Card applets. Figure 3-7 illustrates the steps involved in developing and installing a Java Card applet.
Figure 3-7 Java Card applet development and installation
The development of a Java Card applet typically starts like developing any other Java program and compiling the source file to produce Java class files. The resulting class files are tested and debugged using a Java Card simulator environment that simulates the applet using the Java Card runtime environment running on a development workstation. The simulator helps the developer to study the behavior and results prior to deploying on a Java Card. Then the class files that make up the applet are converted to a Converted Applet (CAP) file using a Java Card CAP converter tool. As a package, the resulting CAP files represent a Java Card applet. These CAP files are further tested using a Java Card emulator tool in the development environment to identify the expected behavior of the applet in a real Java Card. Finally, the tested applet comprised of all the CAP files is downloaded into the Java Card using a proprietary tool provided by the Java Card vendor. To secure the applets (using vendor-provided tools), it is possible to sign the applet code and allow the Java Card to verify the signatures.
Java Card Applet Security
The Java Card provides a multi-application smart card environment that allows multiple applets to coexist on a Java Card and also provides the flexibility to download applets after manufacture or issuance. The Java Card provides a virtual applet firewall protection mechanism that isolates an applet package to its designated firewall partition (referred to as context). The context mechanism disallows object access from another applet located in a different context. To support cooperative applications running on a single card, it provides a secure object sharing mechanism. The sharing mechanism under specific conditions enables one context to access objects belonging to another context by performing a context switch. When an object is accessed, the JCRE enforces access control, and if the contexts do not match, the access is denied and results in a SecurityException.
Java Card Development Kit
Sun Microsystems provides a Java Card development kit that contains components and tools that you need to develop Java Card applets. The development kit provides a set of tools that support Java Card applet development and deployment onto a smart card. It provides a Java Card Workstation Development Environment (JCWDE) that simulates a Java Card runtime environment using a JVM. It provides a Converter utility, which does off-card verification processes, including class loading, linking, name resolution, bytecode verification, optimization, and conversion of an applet to a smart-card installation format. For more information about the Java Card Development Kit, refer to the Web site at http://java.sun.com/products/javacard.
In summary, a Java Card is a portable computing device about the size of a credit card that is often used as a secure storage device; beyond that, it can be used for a variety of security and identity-management solutions. Some common examples are as follows:
- Secure storage for personal and confidential information
- Prepaid GSM phone SIM cards offering a cash-free and anti-fraud mechanism
- Secure identity cards for personal identification, physical access, user authentication, and access control
- Bank credit cards that cannot be copied and misused like magnetic stripe cards
We will take a look at Java Card strategies for secure personal identification in Chapter 15, "Secure Personal Identification Using Smart Cards and Biometrics."