JavaCard 3 in real world?

Asked 3/3, 2012 at 14:22 Answered 18/9, 2018 at 17:18

Solved android mobile sim-card javacard apdu

I'm currently working on my diploma work. Part of the work includes development of JavaCard applet for regular SIM cards. First option is to use JavaCard2.X API and use APDU commands to communicate with the applet. This might be very tricky as I need to develop client-app for android (which will be communicate with this applet) and that is so far possible only trough special - not so user friendly - API called Seek-for-android. (if I'm wrong, please correct me)

However, I also came across JavaCard3 Connected Edition, which provides much more options - for example web applets. Using webapps, deployed on SIM card and accessing them through browser in mobile device would be very convenient (of course developing such applet would be much easier as well). Problem is, that I can't find any mentions of Javacard3 being used in real life, or even on real SIM cards. I can't even find any mentions of possible date of release of such cards. Actually, there is almost no information on this topic.

So, my question is - do you know anything useful about this platform? Anything about real-life usage? Which card supports Javacard3? Are there any developers smart-cards, which are "JC3 enabled"? Will there be SIM cards with this platform in the future?

Thanks a lot for answers!!!

Swound answered 3/3, 2012 at 14:22 Comment(7)

I do know that JavaCard 3 uptake is very modest, and that implementations are pretty sparse since they do require a lot of resources (RAM, EEPROM and CPU, probably in that order) of the chip. Personally I'm not in their market as all the projects I perform have an API on the APDU level. – Asshur 4/3, 2012 at 17:14

So I am about to take painful journey with Seek for Android + JavaCard2.x. Thanks for info!! – Swound 7/3, 2012 at 14:13

Small update: the specs require something like > 24KB RAM (currently most high end chips are at about 8KB for contactless to 16KB for contact), and a 32 bit CPU (e.g. ARM core). – Asshur 20/3, 2012 at 0:57

@MaartenBodewes Any update two years later? – Terris 24/2, 2015 at 12:56

@Terris The CPU's that I am using still have about half of the amount of RAM available or less. I don't see much movement for now. And most of the protocols I see are still APDU oriented. If there is any change it will probably happen in the mobile sector (SIM). – Asshur 24/2, 2015 at 13:13

@MaartenBodewes Any update two years later? I have seen Java Card 3 Classic edition cards, but no Connected cards. Have you met any in real world usage? – Terris 9/1, 2017 at 18:57

I'm somewhat out of it ("thanks" to my company) but no. Definitely not on the wireless front. Nowadays IoT is the buzz not so much web technologies. – Asshur 9/1, 2017 at 19:1

At JavaOne 2012 Moscow representatives of the JavaCard Oracle team demonstrated a prototype device with support for Java 3 Connected Edition based on Portable Security Token ES.

Lightsome answered 16/5, 2012 at 10:5 Comment(3)

I also spoke with representatives from Oracle, in my opinion, these tokens are ideal for building secure java applications. For example C3 Licensing System uses a JavaCard for storage and verification of licenses. – Farland 16/5, 2012 at 10:22

Thats valuable info, thanks. However, it seems to me, that JC3 won't be used in mobile phones SIM cards in next few years. – Swound 7/7, 2012 at 13:40

Although uptake will be relatively low initialy, the SIM market is what Java Card 3 connected is all about. The question is if the market will move to these high end chips. It remains to be seen if the required hardware will be cheap enough, but Moore's "law" will take care of that eventually. – Asshur 23/7, 2012 at 18:13

It's 2018 when I am writing this and I think this question needs a new answer.

Java Card 3 Connected Edition is dead in the water. It requires a large amount of RAM, which is still expensive even in the latest editions of the chips. SRAM takes large amounts of memory, and high end chips often still contain 8-10KiB of RAM max.

Furthermore, it was generated with the idea that web-developers would easily connect with it. This doesn't seem to have happened and it is questionable if a security device should be programmed by web-devs at all.

The additional overhead of the TLS protocol adds a heavy overhead without apparent benefit. The TLS protocol also requires a weird connection with the browser / end user. The idea that you can enter a PIN or password on a chip generated web page certainly has failed.

The idea of adding hardware support for browsers in general has failed. Before there were Java applets running in the browser, and the browser largely depended on add-ons. This has all gone away and it is very unlikely to return.

So even if RAM (or FRAM, MRAM, XCross or whatever hybrid memory solution will exist) ever comes cheap on a secure smart card processor, it is unlikely that JC 3 Connected will again see the light of day. Meanwhile Java Card Classic is still going strong although it is far from sexy at the moment - the OTN forum on Java Card is as good as dead (although OTN and sexy themselves are so far apart that they might as well exist on different poles, I certainly prefer SO).

Asshur answered 18/9, 2018 at 17:18 Comment(1)

Off topic: if you ask me JC classic should receive a rewrite where all the lessons learned are included in a new JRE and API. 32 bit processors have happened, and it is probably best to bring JC Classic closer to Java devs than continuing on the split path. – Asshur 18/9, 2018 at 17:21

There is no card in the field with JavaCard 3 right now. Everything under development. But I recommend you to have a look to JSR 177. If Android supports it you can communicate with your applet by normal APDU commands.

Weever answered 10/5, 2012 at 15:55 Comment(0)

Recommended topics

Hot tags