Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd
Upload
422 views

Java Card 3

The document provides an overview of Java Card 3 programming. It introduces key concepts such as Java Card applets, the Java Card runtime environment, and applet lifecycles. It also describes programming aspects like protecting access with PINs and the libraries available to Java Card developers.

Uploaded by

En Maina
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
422 views

Java Card 3

The document provides an overview of Java Card 3 programming. It introduces key concepts such as Java Card applets, the Java Card runtime environment, and applet lifecycles. It also describes programming aspects like protecting access with PINs and the libraries available to Java Card developers.

Uploaded by

En Maina
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 183

Java Card 3 Programming

Michel Koenig

Java Card 3.0 Programming

Presentation objectives
Introducing the concepts and the technology of the smart cards Describing the protocols between cards and terminals Describing how to program the Java Cards Exploring the tools and the environments provided by the manufacturers to develop solutions with smart cards

Michel Koenig

Java Card 3.0 Programming

Presentation content
Introduction ISO7816 Protocol Java Card The basic rules for Java Card programming Cyphering SIM Card Smart Card Web Server Java Card 3.0 Connected Edition Conclusion

Michel Koenig

Java Card 3.0 Programming

Introduction
History, technology, standards

Michel Koenig

Java Card 3.0 Programming

Introduction

In this chapter, we'll see


A brief history of the smart cards The applications supported by the smart cards The standards supported

Michel Koenig

Java Card 3.0 Programming

Brief history
Early seventies, first patents
Dr Arimura, R Moreno, M Ugon

Early eighties, first field testing for a memory card


Phone card in France

Mid eighties, large scale introduction of smart cards in banking system Mid nineties, SIM card introduced in mobile telephony

Michel Koenig

Java Card 3.0 Programming

What is a smart card


A plastic card like a credit card with an embedded micro chip
With or without visible contacts
Maybe contactless

Standardized
ISO 7816
Mecanical properties Electrical behavior Communication protocol

Contains a software which


Protects internal data Give access to these data in a secure way

Michel Koenig

Java Card 3.0 Programming

For what applications


Payment Loyalty systems Access systems Telephony
Mobile (GSM )

e-Government ID card, passport File system


Health Education
Michel Koenig Java Card 3.0 Programming 8

Standards
ISO 7816 GSM 11.11 V6.1.0 GSM 11.14 V7.1.0
SIM Toolkit specs

GSM 03.19 V1.0.0


SIM API for Javacard

ETSI TS 31 130 TS 102 241 TS 102 588 Java Card


Java Card Forum

EMV
Europay, Mastercard, Visa

Global Platform

Michel Koenig

Java Card 3.0 Programming

Standards

Michel Koenig

Java Card 3.0 Programming

10

Conclusion

In this chapter, we have seen


A brief history of the smart cards The applications supported by the smart cards The standards supported

Michel Koenig

Java Card 3.0 Programming

11

ISO7816 Protocol
Physical description, communication layer, file system

Michel Koenig

Java Card 3.0 Programming

12

Introduction

In this chapter, we'll see


An introduction to the ISO7816 standard What is an APDU How to exchange data between the CAD and the smart card

Michel Koenig

Java Card 3.0 Programming

13

Mechanical and Electrical Aspects


ISO 7816 standard describes
The physical organisation of the plastic card Indicates the various zones

It specifies also the purpose and the organisation of the contacts


For a smart contacted card

Possible power voltage


Clock

3V or 5V Lower maybe in the future

Michel Koenig

Java Card 3.0 Programming

14

USB and NFC port

Recent additions to the SIM card had standardized

A USB port in place of the two optionnal contacts on the bottom of the circuit A NFC (Single Wire Protocol) port for the last optionnal contact
15

USB Port

NFC SWP

Michel Koenig

Java Card 3.0 Programming

Half-duplex serial protocol


02 10 00

Due to the unique pin dedicated to input/output, the first protocol used by the smart cards were
Serial Half-duplex

C0

00

00

Communication characteristics:
Data: 8 bits Parity: even Stop: 1 bit

Speed starting at 9600 Bps

Michel Koenig

Java Card 3.0 Programming

16

USB IC
ETSI TS 102.600

Max speed 12 Mb/s Three flavours:

Integrated Circuit Card Devices

Compatible with the previous serial protocol Disk emulation To support TCP/IP protocol
17

Mass Storage

Ethernet Emulation Mode

Michel Koenig

Java Card 3.0 Programming

NFC SWP
ETSI TS 1002.613 & 622

Single Wire Protocol Full duplex

Current and voltage modulation

Max speed 1.6 Mb/s The smart card can act as


A RFID tag A RFID tag reader

Michel Koenig

Java Card 3.0 Programming

18

Terminology
The smart card reader powered by
a PC A cash register a mobile phone

is called a terminal In the standard ISO 7816 it is called :


The Card Acceptance Device Or CAD

Michel Koenig

Java Card 3.0 Programming

19

Answer to Reset
When a card is inserted into the reader, a micro-switch signals this event to the terminal. The terminal powers up the card
Using a particular protocol

When it is properly powered, the card sends back to the terminal a message called "Answer to Reset"

Michel Koenig

Java Card 3.0 Programming

20

General protocol
After sending Answer to Reset, the card waits until the terminal starts a communication The card never starts a communication The card answers to a demand coming from the terminal and waits for the next demand

Michel Koenig

Java Card 3.0 Programming

21

Application Protocol Data Unit


CLA INS P1 P2 LC The APDUs are the commands sent by the terminal to the smart card The APDU can
Carry parameters to the card Expect results from the card

Card and terminal must synchronize to


The number of bytes to exchange The direction of the exchange
This is done by the software embedded in each device

Michel Koenig

Java Card 3.0 Programming

22

Application Protocol Data Unit


Class of the APDU: one byte which is caracteristic of the APDU of the application

CLA INS P1 P2 LC
Instruction: this is the command

P1, P2: two parameters which can be combined to form a short integer LC: length of parameters which will be exchanged between the terminal and the card (from the terminal to the card, or from the card to the terminal)

Michel Koenig

Java Card 3.0 Programming

23

No parameters exchanged
CAD Card

CLA INS

P1

P2

LC

LC ==0 The card receives the APDU It processes it It returns a status word
Two bytes

process SW1 SW2

Michel Koenig

Java Card 3.0 Programming

24

Parameters sent by the terminal


CAD Card

CLA INS

P1

P2

LC INS

Data process SW1 SW2

LC 0 LC indicates the length of the data in bytes The software in the terminal and the software in the card must agree on the direction of the exchange The card acknowledges by sending back the INS byte
Simple case

Michel Koenig

Java Card 3.0 Programming

25

Data expected by the terminal


LE 0
CAD Card

The 5th byte is called LE in this case

CLA INS

P1

P2

LE INS process Data SW1 SW2

The card acknowledges the APDU by sending back the INS byte
Simple case

Data are returned by the card, followed by the status word

Michel Koenig

Java Card 3.0 Programming

26

Status word
Status report of the internal operation done by the card 0x9000 means success! When different, could indicate
0x9000 Denied access File not found No such CLA or INS expected

Michel Koenig

Java Card 3.0 Programming

27

Conclusion

In this chapter, we have seen


An introduction to the ISO7816 standard What is an APDU How to exchange data between the CAD and the smart card

Michel Koenig

Java Card 3.0 Programming

28

Java Card
Java Card Forum, history of the versions, programming aspects

Michel Koenig

Java Card 3.0 Programming

29

Introduction

In this chapter, we'll see


An introduction to the Java Card system What is a Java Card Applet What is the Java Card Runtime Environment The lifecycle of an Applet How to protect access with an OwnerPIN

Michel Koenig

Java Card 3.0 Programming

30

Operating systems
Beginning: proprietary systems
Only the applications were standardized
B0' for French banking system

Now: multi-application systems


MULTOS Windows for Smart Card
Dead but replaced by .NET for smart cards

Java Card

Michel Koenig

Java Card 3.0 Programming

31

Java Card History


Early 1996
First development
Schlumberger, Bull CP8, GemPlus, Sun

Schlumberger's Cyberflex Java Card Forum


Most of the smart cards manufacturers Sun
As a Java guru

Michel Koenig

Java Card 3.0 Programming

32

Why Java in a smart card


Java is an interpreted language
Need a Java Virtual Machine to run

Applications could be portable from one smart card to another Applications run securely in a "sand box" Small footprint for the applications

Michel Koenig

Java Card 3.0 Programming

33

Is Java for Java Card pure Java?


No until Java Card 3.0! Roughly:
Basic types restricted to
Boolean Small integers
Byte Short Int (optional)

No Strings

Arrays restricted to one-dimensional arrays Limited libraries


Including java.lang

No garbage collector

Less restrictions for Java Card 3.0


Michel Koenig Java Card 3.0 Programming 34

Which version in this course?


In this course we will introduce the Java Card 3
Classic Edition
Java Card 2.2.2

Connected Edition

Michel Koenig

Java Card 3.0 Programming

35

Available libraries
Basically, javacard and javacardx contain the smart card API
framework, security and crypto

java.lang is reduced mainly to the exception definitions java.io and java.rmi was introduced in the last 2.2 version
java.io to manage channels java.rmi to manage remote method invocation

Michel Koenig

Java Card 3.0 Programming

36

SIM Toolkit
For SIM Toolkit two more packages
access toolkit

Will be detailed later

Michel Koenig

Java Card 3.0 Programming

37

How Java works in a smart card


A Java Virtual Machine is embedded
Applet 1 Applet 2 Applet 3 Java Card Runtime Environment

4 K bytes Basic library

Java Card API Java Virtual Machine

Java Card Runtime Environment


In charge of
Activation of applications Low level communication protocol Application downloading

Michel Koenig

Java Card 3.0 Programming

38

Roles of the JCRE


Downloading a package Creating an instance of an applet Selecting an applet Transmitting an APDU to a selected applet Managing the communication protocol with the CAD

Michel Koenig

Java Card 3.0 Programming

39

Downloading a package
Applets must be encapsulated in a package External processes
Compile the applets Verify the bytecode Create a jar-like container
CAP file

Will be seen later

Package and applets are associated an identifier for future selection

Michel Koenig

Java Card 3.0 Programming

40

What is a Java Card Applet


A java object which is
package ePurse; import javacard.framework.*; class EPurse extends Applet { short balance; public EPurse(){} public static void install(){} public boolean select(){} public void process(APDU apdu) {} }

Running using the JVM Controlled by the JCRE

The class of this object must extend the class


javacard.framework.Applet

The class must overload several methods

Michel Koenig

Java Card 3.0 Programming

41

Class APDU
This class provides the basic features needed to handle the ISO7816 protocol from the applet point of view It gives access to the internal buffer dedicated to the communication This buffer can be
Retrieved by the applet Filled up by the applet and sent to the CAD

CLA

INS

P1

P2

LC

Michel Koenig

Java Card 3.0 Programming

42

Main methods of the APDU


byte buffer[] = apdu.getBuffer();

These methods help to


Get the internal buffer Start receiving data
Acknowledgement

apdu.setIncomingAndReceive();

short le = apdu.setOutgoing(); apdu.setOutgoingLength(le); apdu.sendBytes(ISO7816.OFFSET_CDATA, le);

Start transmitting data

Utilities help to
Transform 2 bytes in a short and vice versa Copy buffers Compare buffers

apdu.setOutgoingAndSend(...);

Michel Koenig

Java Card 3.0 Programming

43

Class ISO7816
This class encapsulates most of the ISO7816 constants needed to program the applets Constants are prefixed by
CLA for class related constants INS for instruction related constants OFFSET for offsets in the buffer SW for status word related constants

Michel Koenig

Java Card 3.0 Programming

44

Lifecycle of an applet
instance aid

JCRE

er gist e

instance

in s ta ll

The JCRE downloads the package containing the Applet It calls the static method install on the Applet This method creates an instance
Or more

ne

Applet

And register this instance using an AID

Michel Koenig

Java Card 3.0 Programming

45

Lifecycle of an Applet
instance aid

JCRE

ct sele ss e proc lect e des

instance

When the instance is created and registered it can be called The JCRE can
select deselect

Applet

the instance Can call the instance to process an APDU

Michel Koenig

Java Card 3.0 Programming

46

Example of an Applet

Michel Koenig

Java Card 3.0 Programming

47

Michel Koenig

Java Card 3.0 Programming

48

Michel Koenig

Java Card 3.0 Programming

49

Simulation script

Michel Koenig

Java Card 3.0 Programming

50

Result

Michel Koenig

Java Card 3.0 Programming

51

Netbeans 6.9

Michel Koenig

Java Card 3.0 Programming

52

Other Java Card features


Many features available
PIN code management Transaction handling using JCSystem
Possibility to group together a certain number of actions into a transaction Possibility to abort or commit the transaction

Shareable applets Possibility to have several applets selected at the same time

Michel Koenig

Java Card 3.0 Programming

53

OwnerPIN
This class helps the developer to protect the access to some features of the smart card using a PIN code
private OwnerPIN pinCode; /** Creates a new instance of EPurse */ public EPurse() { balance = (short)0; pinCode = new OwnerPIN(EPURSE_PIN_TRY_LIMIT, EPURSE_PIN_MAX_SIZE); }

Michel Koenig

Java Card 3.0 Programming

54

OwnerPIN
The CAD must validate the PIN code prior to access the other features
case EPURSE_ADD: apdu.setIncomingAndReceive(); if(!pinCode.isValidated()) ISOException. throwIt( ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED); break; case EPURSE_PIN: apdu.setIncomingAndReceive(); if(!pinCode.check(buffer, ISO7816.OFFSET_CDATA, EPURSE_PIN_MAX_SIZE)) ISOException.throwIt( ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED); break;

Michel Koenig

Java Card 3.0 Programming

55

OwnerPIN
The OwnerPIN proposes a method to unblock a blocked PIN code (after a TRY_LIMIT unsuccessful attempts)

case EPURSE_UNBLOCK: pinCode.resetAndUnblock();

Michel Koenig

Java Card 3.0 Programming

56

OwnerPIN
The OwnerPIN proposes a method to reset the validated flag
public boolean select(){ pinCode.reset(); }

Michel Koenig

Java Card 3.0 Programming

57

Conclusion

In this chapter, we have seen


An introduction to the Java Card system What is a Java Card Applet What is the Java Card Runtime Environment The lifecycle of an Applet How to protect access with an OwnerPIN

Michel Koenig

Java Card 3.0 Programming

58

TrUST Me The key rules for Javacard Programming

Michel Koenig

Java Card 3.0 Programming

59

Java Card Programming Issues

Programming a Java Card seems simple


Reduced language Reduced library Most exciting features of Java available in Java Card Most difficulties coming from the ISO7816 protocol hidden by the JCRE and the API

Michel Koenig

Java Card 3.0 Programming

60

Java Card Programming Issues

Powerful tools help developing applets

Basic toolkit available for free from Sun (Oracle)

Helps testing and debugging applets

Enhanced toolkits provided by most of the manufacturers to


Upload applets in target Java Cards Test, on board, the uploaded applets

Michel Koenig

Java Card 3.0 Programming

61

Java Card Programming Issues

Most of the trainees applets suffer from the following drawbacks:

No consistency in data when the card is teared suddenly from the reader Poor usability and security Time out and memory issues not taken in account

Michel Koenig

Java Card 3.0 Programming

62

Tr U S T Me

A Java Card applet must be


Transaction aware Usable Secure Time-out aware Memory aware

Michel Koenig

Java Card 3.0 Programming

63

Transaction aware

Context

Memorize the ten last operations for an epurse Operation is qualified by


The type The amount The date

Michel Koenig

Java Card 3.0 Programming

64

Transaction aware (code example)

case EPURSE_ADD: apdu.setIncomingAndReceive(); if(!pinCode.isValidated()) ISOException.throwIt( ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED); amount = Util.getShort(buffer, ISO7816.OFFSET_CDATA); balance = (short)(balance + amount); list.add(buffer, ISO7816.OFFSET_INS, ISO7816.OFFSET_CDATA, (short)2, (short)(ISO7816.OFFSET_CDATA + (short)2), (short)8); break;

Michel Koenig

Java Card 3.0 Programming

65

Transaction aware
(a better code)
try{ JCSystem.beginTransaction(); amount = Util.getShort(buffer, ISO7816.OFFSET_CDATA); balance = (short)(balance + amount); list.add(buffer, ISO7816.OFFSET_INS, ISO7816.OFFSET_CDATA, (short)2, (short)(ISO7816.OFFSET_CDATA + (short)2), (short)8); JCSystem.commitTransaction(); }catch(TransactionException ex){ } break;

Michel Koenig

Java Card 3.0 Programming

66

Usability

Context

On an e-purse, each operation must be accepted only if the users PIN code had been validated and if the operation is possible

Michel Koenig

Java Card 3.0 Programming

67

(code example)

Usability

case EPURSE_ADD: apdu.setIncomingAndReceive(); if(! pincode.check(buffer, ISO7816.OFFSET_CDATA, (byte)2)) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED); amount = Util.getShort(buffer, (short)(ISO7816.OFFSET_CDATA + (short)2)); balance = (short)(balance + amount); list.add(buffer, ISO7816.OFFSET_INS, (short)(ISO7816.OFFSET_CDATA + (short)2), (short)2, (short)(ISO7816.OFFSET_CDATA + (short)4), (short)8); break;

Michel Koenig

Java Card 3.0 Programming

68

Usability

PIN code must not be checked at each operation

But at each session starting

PIN code must be deselected after the applet had been also deselected

Michel Koenig

Java Card 3.0 Programming

69

Security

Context

Iris scan security system with the card holders iris characteristics in a smart card Problem:

Which part of the system must decide if the iris scanned corresponds to the data stored in the smart card: The card acceptance device? The Java Card?

Michel Koenig

Java Card 3.0 Programming

70

(proposed answers)

Security

Answer 1:

The scanned data are passed to the smart card which returns yes or no! The Card Acceptance Device get the stored data from the card to compare it with the scanned data
Java Card 3.0 Programming 71

Answer 2:

Michel Koenig

Security

Mutual authentication is needed prior any data exchange Card Acceptance Device

which is more difficult to replace by a forged one

must make the comparison between data stored in the card and the data scanned

Michel Koenig

Java Card 3.0 Programming

72

Time out

Context

A message is sent to the Java Card to be encrypted using a first command A second command must be issued to get back the encrypted message

Michel Koenig

Java Card 3.0 Programming

73

Time out
(time issues)

What if

The Java card is teared from the card reader after the first command arrives and before the second command is issued The second command arrives before the first one is issued

Or if

Michel Koenig

Java Card 3.0 Programming

74

Time out

Time out aware applet

Must blank the message to be encrypted if deselect and/or select is called before the second command is issued Must refuse the second command if the first was not sent before

Michel Koenig

Java Card 3.0 Programming

75

Memory aware

Context

Memorize the ten last operations for an e-purse Operation is qualified by


The type The amount The date

Michel Koenig

Java Card 3.0 Programming

76

Memory aware
(code example)

case EPURSE_ADD: apdu.setIncomingAndReceive(); amount = Util.getShort(buffer, ISO7816.OFFSET_CDATA); Operation op = new Operation(buffer, ISO7816.OFFSET_INS,ISO7816.OFFSET_CDATA, (short)2, (short)(ISO7816.OFFSET_CDATA + (short)2), (short)8); list.add(op); break;

Michel Koenig

Java Card 3.0 Programming

77

Memory aware

More Memory aware code


Avoid creating object on the fly Create all the objects needed during construction phase Recycle already created objects

Michel Koenig

Java Card 3.0 Programming

78

Conclusion

At the beginning, smart card programming was done:


In assembly language At a low level By engineers aware of the


Transactions Usability Security Time-out Memory usage

Michel Koenig

Java Card 3.0 Programming

79

Conclusion

Today, thanks to Java Card, applet programming can be done:


In Java At a high level By simple Java programmers

Michel Koenig

Java Card 3.0 Programming

80

Conclusion
The Java Card programmers must be aware of:

Transactions Usability Security Time out Memory usage

Michel Koenig

Java Card 3.0 Programming

81

Security
Hardware and software aspects

Michel Koenig

Smart cards tutorial

82

Objectives
In this chapter, we'll see
An introduction about the security aspects of the smart cards
From a hardware point of view From a software point of view

Michel Koenig

Smart cards tutorial

83

Hardware security
A smart card contains important data
It could contain money
Electronic purses

It must be tamper resistant "If you know the attack you can build the shield"

Michel Koenig

Smart cards tutorial

84

The attacks
X raying the micro-chip Measuring the power consumption variation during critical APDU
When the PIN code is transmitted for example

Measuring the answer delay


To try to predict what branches in the program are completed

Michel Koenig

Smart cards tutorial

85

The shields
The micro-chip uses an internal shield to protect itself against an X-Ray scanning It guarantees the same delay for both branches of an alternative statement It guarantees the same power consumption in all cases

Michel Koenig

Smart cards tutorial

86

Software attacks and shields


Data are protected using cryptography
Various techniques
DES, DES3, AES RSA SHA

Cryptography is based on
A public algorithm A key
Private (DES, DES3, AES) Public (RSA)

Michel Koenig

Smart cards tutorial

87

Symmetric Enciphering
Bob
SAME KEY

Alice

Michel Koenig

Smart cards tutorial

88

Asymmetric enciphering
Bobs private key Bobs Public Key

Bob

Alice

Michel Koenig

Smart cards tutorial

89

Signing using asymmetric keys


Bobs private key Bobs Public Key

Bob

Alice

Michel Koenig

Smart cards tutorial

90

Certify public key


X509 Certificate Subject (name, company, e-mail )

Issuers subject Public Key

Michel Koenig

Smart cards tutorial

91

Certification Authority
lf Se ed gn Si
Certificate Subject (name, company, e-mail ) Start Date End Date Issuers subject Public Key

Thawte, Verisign, ...

Certificate Subject (name, company, e-mail ) Start Date End Date Issuers subject Public Key Certificate Subject (name, company, e-mail ) Start Date End Date Issuers subject Public Key

Certificate Subject (name, company, e-mail ) Start Date End Date Issuers subject Public Key

Michel Koenig

Smart cards tutorial

92

Authentication Authorization Privacy

Integrity

Non-repudiation

Michel Koenig

Smart cards tutorial

93

Protect private key With Smart cards


The Private key is born, lives and dies inside the card
Key pair generation Secure access Cryptographic algorithm process inside the card

Physically secure
No hard drive storage of the private key

Portable
No multi-key Multiple Device

Enciphering is done inside the card


Computer Independent

Michel Koenig

Smart cards tutorial

94

Document

Hashing (a.k.a FingerPrint)


Modifying one bit completely changes the Hash Hash result is completely unpredictable

Hash

Usual algorithms are MD5 (used for linux Password storage) or SHA-1
8365923334

Michel Koenig

Smart cards tutorial

95

Digital Signature (Email)


Senders private key & X509 certificate
X.509

Kps

Sender

Receiver

Sender's PK

Kss
Sender's SK

Letter

Letter

8365923334

Hash
8365923334

Hash Signing
X.509 X.509

=?
Identification/ Authentication of the content of the letter

Digital Signature 8A!G@3&04

Certificate Authority

CA Public key (certificate checked)

Michel Koenig

Smart cards tutorial

96

S/MIME Encryption
Sender
Message

Receiver

- generate "symmetric document key" (PC)

- unwrap document key with the receivers private key

- encrypt message with symmetric key (PC)

$@/!&@#

Encrypted message

- get certificate of receiver, verify certificate and extract public key


X.509

Kpr

- decrypt message with " sym document key"

Message

- encrypt "sym document key" with receivers public key

Trust Centre

Michel Koenig

Smart cards tutorial

97

Example

Michel Koenig

Smart cards tutorial

98

Example

Michel Koenig

Smart cards tutorial

99

Example

Michel Koenig

Smart cards tutorial

100

Example

Michel Koenig

Smart cards tutorial

101

Example

Michel Koenig

Smart cards tutorial

102

Example

Michel Koenig

Smart cards tutorial

103

Example

Michel Koenig

Smart cards tutorial

104

Example

Michel Koenig

Smart cards tutorial

105

Example

Michel Koenig

Smart cards tutorial

106

Encrypting w/public

Michel Koenig

Smart cards tutorial

107

Result

Received ATR = 0x3b 0xf0 0x11 0x00 0xff 0x00 CLA: 00, INS: a4, P1: 04, P2: 00, Lc: 06, b6, 84, 89, 33, 88, 8e, Le: 00, SW1: 90, SW2: 00 CLA: 80, INS: b2, P1: 00, P2: 00, Lc: 10, 00, 01, 02, 03, 04, 05, 06, 07, 08, 09, 0a, Le: 40, 66, ff, e8, 04, 8a, 41, 9e, c2, dd, e7, 44, 79, 3d, 65, 31, a5, c6, c8, 54, bd, 49, 52, da, 99, f0, e4, 89, b6, 08, a4, f6, 64, f9, f8, a4, 95, 3a, 13, 2d, 17, 73, 7b, 4c, 49, SW1: 90, SW2: 00 0b, 0c, 0d, 0e, 0f, 08, eb, 3d, 27, a5, d3, ba, 9f, 41, 65, bb, 1e, c2, 0e, 93, 8c, e5, b6, 61, 9c,

Michel Koenig

Smart cards tutorial

108

Conclusion
In this chapter, we have seen
An introduction about the security aspects of the smart cards
From a hardware point of view From a software point of view

Michel Koenig

Smart cards tutorial

109

SIM Cards
Proactive SIM cards

Michel Koenig

Smart cards tutorial

110

Introduction

In this chapter, we'll see

The standards driving the smart cards for mobile telephony What is the SIM Toolkit How Java Card handles the SIM toolkit A full example of a Java Card applet built using the SIM Toolkit library

Michel Koenig

Smart cards tutorial

111

SIM cards
Standardized by ETSI for GSM GSM 11.11 V6.1.0
SIM specs
Subscriber Identification Module

GSM 11.14 V7.1.0


SIM Toolkit specs

GSM 03.19 V1.0.0


Javacard SIM API

Michel Koenig

Smart cards tutorial

112

Proactives SIM
Using the SIM Toolkit, possibility to
Program the SIM Make the SIM card application driving the phone
Access to keyboard, display,

Michel Koenig

Smart cards tutorial

113

Internal organization
Root 0x3F00

The SIM contains a certain number of "files" grouped into "directories" Terminology:
Directory 0x2345

File 0x2222

Element File: file Dedicated File: directory

File 0x2A34

Michel Koenig

Smart cards tutorial

114

File hierarchy

Michel Koenig

Smart cards tutorial

115

File hierarchy

Michel Koenig

Smart cards tutorial

116

Proactive SIM
The ISO7816 standard does not permit that the card starts talking first
A card is waiting for an APDU and responds when it receives the APDU

Proactive SIM cards use a specific status word to indicate to the Mobile Equipment that they want to talk to it

Michel Koenig

Smart cards tutorial

117

Proactive protocol

Michel Koenig

Smart cards tutorial

118

Allowed commands for the SIM


The SIM card can
Display text on the phone display Input data from the keyboard Play tone Send a SMS Process an incoming SMS

Michel Koenig

Smart cards tutorial

119

SIM Toolkit applet


A SIM Toolkit applet must
Import sim.access and sim.toolkit packages Extend the javacard.framework.Applet Implement the interfaces
ToolkitInterface ToolkitConstants

Michel Koenig

Smart cards tutorial

120

SIM Toolkit applet


Example:
import sim.toolkit.*; import sim.access.*; import javacard.framework.*; public class MyApplet1 extends javacard.framework.Applet implements ToolkitInterface, ToolkitConstants { // Mandatory variables private SIMView gsmFile; private ToolkitRegistry reg;

Michel Koenig

Smart cards tutorial

121

SIMView
The SIMView interface is the interface between the applet and the GSM filesystem It proposes
Constants to identify in a simple way the regular GSM files Methods to access these files

Michel Koenig

Smart cards tutorial

122

SIMView
Example:
/** DF under MF */ /** File identifier : DF TELECOM = 0x7F10 */ public static final short FID_DF_TELECOM /** File identifier : DF GSM = 0x7F20 */ public static final short FID_DF_GSM /** File identifier : DF DCS-1800 = 0x7F21 */ public static final short FID_DF_DCS_1800 /** File identifier : DF IS-41 = 0x7F22 */ public static final short FID_DF_IS_41 /** File identifier : DF FP-CTS = 0x7F23 */ = (short)0x7F22; = (short)0x7F21; = (short)0x7F20; = (short)0x7F10;

Michel Koenig

Smart cards tutorial

123

SIMView
Example:
public short select(short fid, byte fci[], short fciOffset, short fciLength) throws NullPointerException, ArrayIndexOutOfBoundsException, SIMViewException;

Michel Koenig

Smart cards tutorial

124

SIMSystem
The SIMSystem class provides one method which is
SIMView getTheSIMView()

Michel Koenig

Smart cards tutorial

125

ToolkitRegistry
The SIM Applet communicates with the mobile equipment through the ToolkitRegistry The SIM applet get an entry from the ToolkitRegistry in order
To receive and process the events sent by the mobile equipment To send command to the mobile equipment

Michel Koenig

Smart cards tutorial

126

SIM Toolkit applet


Example
// Main Menu private byte idMenu1; private byte[] Menu1; public MyApplet1() { // Get the GSM application reference gsmFile = SIMSystem.getTheSIMView(); // Get the reference of the applet ToolkitRegistry object reg = ToolkitRegistry.getEntry(); /**@todo: Customize your menu titles here*/ Menu1 = new byte[] { (byte) '1', (byte) ' ', (byte) 'M', (byte) 'e', (byte) 'n', (byte) 'u', (byte) '1' }; // Define the applet Menu Entry idMenu1 = reg.initMenuEntry(Menu1, (short) 0, (short) Menu1.length, PRO_CMD_SELECT_ITEM, false, (byte) 0, (short) 0); }

Michel Koenig

Smart cards tutorial

127

initMenuEntry
public byte initMenuEntry( byte[] menuEntry, /* the menu entry string short offset, /* its offset */ short length, /* its byte nextAction, /* boolean helpSupported, byte iconQualifier, short iconIdentifier /* ) throws */

length */ action associated */ /* true if help available */ 0 if no icon */

java.lang.NullPointerException, java.lang.ArrayIndexOutOfBoundsException, ToolkitException, TransactionException

Michel Koenig

Smart cards tutorial

128

SIM Toolkit applet


/** * Method called by the JCRE at the installation of the applet * @param bArray the byte array containing the AID bytes * @param bOffset the start of AID bytes in bArray * @param bLength the length of the AID bytes in bArray */ public static void install(byte[] bArray, short bOffset, byte bLength) { // Create the Java SIM toolkit applet MyApplet1 StkCommandsExampleApplet = new MyApplet1(); // Register this applet StkCommandsExampleApplet.register(bArray, (short) (bOffset + 1), (byte) bArray[bOffset]); }

Michel Koenig

Smart cards tutorial

129

SIM Toolkit applet


/** * Method called by the SIM Toolkit Framework * @param event the byte representation of the event triggered */ public void processToolkit(byte event) { // Manage the request following the MENU SELECTION event type if (event == EVENT_MENU_SELECTION) { // Get the selected item EnvelopeHandler envHdlr = EnvelopeHandler.getTheHandler(); byte selectedItemId = envHdlr.getItemIdentifier(); // Perform the required service following the Menu1 selected // item if (selectedItemId == idMenu1) { menu1Action(); }

Michel Koenig

Smart cards tutorial

130

SIM Toolkit applet


private byte [] helloWorld; private void menu1Action() { // Get the received envelope ProactiveHandler proHdlr = ProactiveHandler.getTheHandler(); helloWorld = new byte[]{(byte)'H',(byte)'e',(byte)'l',(byte)'l', (byte)'o',(byte)' ',(byte)'w',(byte)'o',(byte)'r',(byte)'l',(byte)'d'}; // Initialize the display text command proHdlr.initDisplayText((byte) 0x00, DCS_8_BIT_DATA, helloWorld, (short) 0, (short) (helloWorld.length)); proHdlr.send(); return; }

Michel Koenig

Smart cards tutorial

131

Running

Michel Koenig

Smart cards tutorial

132

Documentation
More documentation in
3gpp 43019-560

Michel Koenig

Smart cards tutorial

133

Conclusion

In this chapter, we have seen

The standards driving the smart cards for mobile telephony What is the SIM Toolkit How Java Card handles the SIM toolkit A full example of a Java Card applet built using the SIM Toolkit library

Michel Koenig

Smart cards tutorial

134

Smart Card Web Server


An other way for the SIM card to control the handset

Michel Koenig

Smart cards tutorial

135

Introduction

In this chapter, we'll see:

A new approach to interface the applications in the SIM card, using the handset The architecture of the SCWS A full application for a SIM card supporting SCWS

Michel Koenig

Smart cards tutorial

136

Introduction

SIM Toolkit was introduced at the time when handset had few capabilities for interfacing

Text oriented display No graphics Hierachical menus Full color graphic interface Point and pin menus
Smart cards tutorial 137

Modern handsets support


Michel Koenig

Introduction

Axalto developers proposed at Cartes 2000 a simplified web server inside the SIM card

SESAME 2000 the introduction of the USB port the powerfulness of modern SIM card the size of SIM applications

With

this solution was rapidly adopted and standardized


Michel Koenig Smart cards tutorial 138

SCWS

The standard adopted is called: Smart Card Web Server This standard supposes

A TCP/IP link

On USB

A TCP/IP stack on board

Michel Koenig

Smart cards tutorial

139

SCWS

Applets SCWS API SCWS STK Api

Javacard APIs Java Virtual Machine Low Level Resources

Michel Koenig

Smart cards tutorial

140

Packages and classes


/* * Imported packages */ import javacard.framework.*; import uicc.scws.HttpRequest; import uicc.scws.HttpResponse; import uicc.scws.ScwsConstants; import uicc.scws.ScwsException; import uicc.scws.ScwsExtension; import uicc.scws.ScwsExtensionRegistry;

Universal Integrated Circuit Card

Michel Koenig

Smart cards tutorial

141

ScwsConstants
MIME types
CONTENT_TYPE_IMAGE_GIF CONTENT_TYPE_TEXT_HTML

Status code
SC_OK (200) SC_NOT_FOUND (404)

Parsing tags
URI_QUERY_TAG

Michel Koenig

Smart cards tutorial

142

ScwsExtension
The applet (servlet!) working in SCWS mode must implement ScwsExtension That means overiding the methods
doGet() doPost() doHead() ...

Michel Koenig

Smart cards tutorial

143

HttpRequest
Not really the J2EE HttpRequest but enough to extract data from a HTTP request Provides methods like
findAndCopyKeywordValue getContentLength getContentType

Michel Koenig

Smart cards tutorial

144

HttpResponse
As for HttpRequest, helps the user to provide an HTTP response to the request Provides methods like
setContentType() appendContent() writeStatusCode() flush()

Michel Koenig

Smart cards tutorial

145

Example
In the next servlet, the strings are encoded as arrays of bytes
Strings are not supported by Java Card 2

In the next two pages, the pseudo code written in comment show how the servlet would be written if String was supported by this release of Java Card

Michel Koenig

Smart cards tutorial

146

Example
/* public class HelloWorld extends javacard.framework.Applet AppletEvent, ScwsExtension { public final static String url = "/HelloWorld"; public final static String appId = "HelloWorld; implements

public byte[] temporaryBuffer; public final static short TEMPORARY_BUFFER_LENGTH = (short) 100; public final static String HTML_BEGIN = "<html>"+"<head>"+ "<title>"+"Hello"+"</title>"+"</head>"+ "<body BGCOLOR=\"#FFFFFF\">"+"<center>"; public final static String HELLO = "Hello "; public final static String HTML_END = "</center>"+"</body>"+ "</html>"

Michel Koenig

Smart cards tutorial

147

Example
Unfortunately String are not yet supported by Java Card
Strings are supported by Java Card 3

The arrays of bytes are not so easy to read, but the result is the same

Michel Koenig

Smart cards tutorial

148

Example
public class HelloWorld extends javacard.framework.Applet implements AppletEvent, ScwsExtension { /** the servlet url */ public final static byte[] url = { (byte)'/', (byte)'H', (byte)'e', (byte)'l', (byte)'l', (byte)'o', (byte)'W', (byte)'o', (byte)'r', (byte)'l', (byte)'d' }; public final static byte[] appId = { (byte)'H', (byte)'e', (byte)'l', (byte)'l', (byte)'o', (byte)'W', (byte)'o', (byte)'r', (byte)'l', (byte)'d' };

Michel Koenig

Smart cards tutorial

149

Example
// Temporary operation buffer public byte[] temporaryBuffer; public final static short TEMPORARY_BUFFER_LENGTH = (short) 100; public final static byte[] HTML_BEGIN = { (byte)'<',(byte)'h',(byte)'t',(byte)'m',(byte)'l',(byte)'>', (byte)'<',(byte)'h',(byte)'e',(byte)'a',(byte)'d',(byte)'>', (byte)'<',(byte)'t',(byte)'i',(byte)'t',(byte)'l',(byte)'e',(byte)'>', (byte)'H',(byte)'e',(byte)'l',(byte)'l',(byte)'o', (byte)'<',(byte)'/',(byte)'t',(byte)'i',(byte)'t',(byte)'l',(byte)'e', (byte)'>', (byte)'<',(byte)'/',(byte)'h',(byte)'e',(byte)'a',(byte)'d',(byte)'>',

Michel Koenig

Smart cards tutorial

150

Example
(byte)'<',(byte)'b',(byte)'o',(byte)'d',(byte)'y',(byte)' ', (byte)'B',(byte)'G',(byte)'C',(byte)'O',(byte)'L',(byte)'O',(byte)'R', (byte)'=',(byte)'"',(byte)'#',(byte)'F',(byte)'F',(byte)'F',(byte)'F', (byte)'F',(byte)'F',(byte)'"',(byte)'>', (byte)'<',(byte)'c',(byte)'e',(byte)'n',(byte)'t',(byte)'e',(byte)'r', (byte)'>'}; public final static byte[] HELLO ={(byte)'H',(byte)'e',(byte)'l', (byte)'l',(byte)'o',(byte)' '}; public final static byte[] HTML_END = { (byte)'<',(byte)'/',(byte)'c',(byte)'e',(byte)'n',(byte)'t',(byte)'e', (byte)'r',(byte)'>', (byte)'<',(byte)'/',(byte)'b',(byte)'o',(byte)'d',(byte)'y', (byte)'<',(byte)'/',(byte)'h',(byte)'t',(byte)'m',(byte)'l',(byte)'>'};

Michel Koenig

Smart cards tutorial

151

Example
public HelloWorld(byte[] buffer, short offset, byte length) { // First LV is instance AID short aid = offset; offset += buffer[offset] + (byte) 1; // Second LV is Privilege offset += buffer[offset] + (byte) 1; // Third LV is specific install parameter (extract from TAG C9) offset++; // skip C9 Length // Register the new applet instance to the JCRE register(buffer, (short) (aid + (short) 1), buffer[aid]); //Register application id,there is corresponding appId in the // Run/Debug configuration for URL Mapping ScwsExtensionRegistry.register(this, appId, (short) 0, (short) appId.length);

Michel Koenig

Smart cards tutorial

152

Example
try { // Create a temporary buffer for read/write temporaryBuffer = JCSystem.makeTransientByteArray( TEMPORARY_BUFFER_LENGTH, JCSystem.CLEAR_ON_RESET); } catch (SystemException se) { // create buffer in persistent memory as not enough transient // is available temporaryBuffer = new byte[TEMPORARY_BUFFER_LENGTH]; }

Michel Koenig

Smart cards tutorial

153

Example
public void doGet(HttpRequest req, HttpResponse resp) throws ScwsException { try { resp.writeStatusCode(ScwsConstants.SC_OK); resp.setContentType(ScwsConstants.CONTENT_TYPE_TEXT_HTML); resp.enableChunkMode(); short queryLength = req.findAndCopyKeywordValue( ScwsConstants.URI_QUERY_TAG, temporaryBuffer,(short)0, (short)temporaryBuffer.length); resp.appendContent(HTML_BEGIN,(short)0,(short)HTML_BEGIN.length); resp.appendContent(HELLO, (short)0, (short)HELLO.length); resp.appendContent(temporaryBuffer, (short)0, queryLength); resp.appendContent(HTML_END,(short)0, (short)HTML_END.length); }catch(Exception e) {resp.writeStatusCode(ScwsConstants.SC_BAD_REQUEST);} resp.flush();

Michel Koenig

Smart cards tutorial

154

Static HTML
Static HTML file : helloworld.html
<html> <body> <p>Simagine HelloWorld</p> <br> <form action="/HelloWorld" method="get"> <input name="name" type="text"> <br> <input value="Type in your name" type="submit"> </form> </body> </html>

URI of the SCWS servlet

Michel Koenig

Smart cards tutorial

155

Running

Michel Koenig

Smart cards tutorial

156

Conclusion

In this chapter, we have seen:

A new approach to interface the applications in the SIM card, using the handset The architecture of the SCWS A full application for a SIM card supporting SCWS

Michel Koenig

Smart cards tutorial

157

Java Card 3.0 Connected Edition


A new and rich flavour of Java Card

Michel Koenig

Smart cards tutorial

158

Introduction

In this chapter, we'll see


The main enhancements introduced by Java Card 3 The restrictions of Java Card 3 compared to Java SE A full example of a servlet

Michel Koenig

Smart cards tutorial

159

Features

Java Card 3.0 has two editions:

The Classic Edition


Compatible with Java Card 2 Applications are built with applets With a WEB server embedded HTTP, TCP/IP over USB

The Connected Edition


Michel Koenig

Smart cards tutorial

160

Features

Java Card 3.0 classic edition remains applet oriented Java Card 3.0 connected edition is servlet oriented

Specifications of the supported servlets are extracted from the Servlet API Specifications 2.4

Everything which deals with floating point numbers, J2EE, etc. are not taken in account.

Michel Koenig

Smart cards tutorial

161

Features

But, like traditionnal servlets, the Java Card 3 servlets support the methods:

doGet doPost doHead doPut doDelete doOptions doTrace


Smart cards tutorial 162

Michel Koenig

Features

Better support of the Java language


All data types except float and double Multiple threads Extensive API support (java.lang, java.util, GCF, and so on) Direct handling of class files, with all loading and linking on card All new Java language syntax constructs, like enums, generics, enhanced for loops, auto boxing/unboxing, and so on Automatic garbage collection
Smart cards tutorial 163

Michel Koenig

Architecture

Michel Koenig

Smart cards tutorial

164

Architecture

Michel Koenig

Smart cards tutorial

165

Example

The following example is created with NetBeans 6.9 with the Java Card wizard It is the web instance of the very well known Hello world program

Most code is automatically generated by the Java Card wizard

Michel Koenig

Smart cards tutorial

166

Example

Michel Koenig

Smart cards tutorial

167

Example

Michel Koenig

Smart cards tutorial

168

Example

Michel Koenig

Smart cards tutorial

169

Example

Michel Koenig

Smart cards tutorial

170

Example

Michel Koenig

Smart cards tutorial

171

Example

Michel Koenig

Smart cards tutorial

172

Example

Michel Koenig

Smart cards tutorial

173

Example

Michel Koenig

Smart cards tutorial

174

Example

Michel Koenig

Smart cards tutorial

175

Example

Michel Koenig

Smart cards tutorial

176

Example

Michel Koenig

Smart cards tutorial

177

Example

Michel Koenig

Smart cards tutorial

178

Example

Michel Koenig

Smart cards tutorial

179

Example

Michel Koenig

Smart cards tutorial

180

Conclusion

In this chapter, we have seen


The main enhancements introduced by Java Card 3 The restrictions of Java Card 3 compared to Java SE A full example of a servlet

Michel Koenig

Smart cards tutorial

181

Conclusion

Michel Koenig

Smart cards tutorial

182

Conclusion

In 1996, the Java Card system changed dramatically the way to program secure applications for smart cards Despite many concurents on the field, this system remains today the first language for smart cards in the world Combined with Java for Mobile Equipment it represents the solution to develop secure applications for the future powerful smartphones
Smart cards tutorial 183

Michel Koenig

You might also like