Java Card is a new, but fast growing technology that enhances the world of smart cards with a whole set of exciting new possibilities. Until a few years ago all smart card manufacturers had their own proprietary operating systems.
Application developers faced considerable difficulties and costs to get their application to run on multiple platforms. Due to the success of Java in the desktop world, as a language and as a platform, it seemed an attractive idea to design a small Java-based operating system that could become a common factor for all smart card platforms. Collaboration between SUN and a group of smart card manufacturers resulted in the birth of Java Card in 1997.
The most important innovations of Java Card are:
– Interoperable: verified applets run on any Java Card
– Multi-application: multiple applets can co-exist
– Dynamic: new applets can be added post-issuance
– Secure: Java’s inherent security is enhanced with dedicated concepts.
Today a large quantity of newly produced smart cards is equipped with a Java Card operating system, and card issuers start using the possibilities offered by this technology. The financial and telecom markets are the biggest application areas.
Banks use Java Card applets for financial services like e-purses, debit/credit schemes and loyalty applications. A consortium of banks even developed a complete framework called Global Platform for card and application management.
This industry standard is quickly becoming the de facto standard in the smart card payment world. Mobile telecom operators use SIMs running on Java Card for infotainment and network optimisation. Additional standards have been developed for remote management and event dispatching amongst concurrent applets.
This article studies security aspects of the Java Card technology and tries to identify its short-comings. Three case studies illustrate the impact of various threats. Finally some ideas are presented to counteract the threats and apply this technology in a secure way.
Source: Riscure
Author: Marc Witteman
Download Project – Implementation of SCOSTA-CL based Smart Card Operating System (SCSOS).pdf