I'm new to smart-card development. Please help me understand how to get started.
What's the relationship between Javacard and JCOP?
How do I map a JCOP version to a GlobalPlatform Card Specification?
For example, what specification does JCOP 2.4.1 map to?
When do I need to code against one API versus the other?
Where can I find a good tutorial to get started?
JCOP is a software platform originally from IBM that implements Javacard API and GlobalPlatform (formerly Open Platform). Now owned and managed by NXP.
JCOP 2.4.1? Probably GP 2.1.1. Do a web search for specific product specifications.
javacard and GP:
Javacard is used to write applications - javacard applets - for smartcard platforms, using the Java Programming language and a limited version of the JVM and java libraries.
GlobalPlatform is a specification for managing applet-aware smartcards, defining operations for things like:
managing card lifecycle,
card/host authentication,
installing/deleting/instantiating/selecting applets, and
managing security policies on the card.
Using GlobalPlatform you'll exchange APDUs with the GP card for the aforementioned operations; using javacard you'll write applets that can accept and process APDUs that are specific to your application. GlobalPlatform isn't javacard specific, but javacard is the only relevant technology for smartcard applet development.
For javacard tutorials, start with the javacard site. Look through the documentation section for Getting Started stuff. Download the dev kit and you'll find some html howtos. For GlobalPlatform, you'll need to begin with the latest GP spec; it's certainly not a tutorial, but I don't think you'll find anything more useful. The spec will require strong smartcard fundamentals. Also see Required Things to start Smartcard Programming Using Javacard
I used this excellent tutorial when started with JavaCard: http://javacard.vetilles.com/tutorial/
This might be useful - I spent a while getting older tutorials working on real hardware (e.g. physical Java Cards with GP), including sending APDUs etc. I've collected some of my notes into a video format as it was too much work to write down every little thing.
The video is here: https://www.youtube.com/watch?v=oj2l0X8D4y0&hd=1 and includes basically a quick run-through of what to install, building a program, installing to a Java Card, and talking to said program via Python. It's very very basic but sometimes that's what you need...
jcManager
http://www.brokenmill.com/2010/03/java-secure-card-manager/
comes with source code, which is useful
The two best introductory tutorials I have found are:
"Lecture 14 - Javacard" https://edux.pjwstk.edu.pl/mat/268/lec/lect14/lecture14.html
and this one at JavaWorld,
How to write a Java Card applet: A developer's guide
For example code there is a section titled Learning in this Github repo,
javacard-curated-list of applets
To give an idea of the first topics that are typically covered, the headings from the second link mentioned are:
Architecting the applet
Specifying the functions of the applet
Specifying AIDs
Defining the class structure and method functions of the applet
Defining the interface between an applet and its terminal application
An APDU primer
Defining APDU commands
The Javacard APDU Class
The applet processes an APDU command by invoking methods on the APDU object. In general it performs these steps:
Step 1. Retrieve the APDU buffer
Step 2. Receive data
Step 3. Return data
Step 4. Return status word
Constructing the applet code
Implementing error checking
This article is by Zhiqun Chen who also wrote the book Java Card Technology for Smart Cards
Related
I'm going to write a Java Card applet to convert my card into an EMV compliant card.
1- The question is how can I do that?
As far as I know, there are four EMV specifications known as EMV Books which contain principles of EMV cards (Chip characteristics, file structure and also the list of APDU commands). Do I need any other specifications to implement my applet or these are all I need? If there are some other specifications which I need, are they freely available or they are proprietary?
2- Do EMV cards have an specific Applet AID?
EFT-Lab provided a good list of applet AIDs. As you see below, there are a lot of AIDs which belong to Visa International (as vendors) that all are "EMV" types. Why does Visa International have a lot of different AIDs for its EMV applets? What's the difference between these applets?
3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?
4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)
1- The question is how can I do that?
Yes. Implement the specifications. If there are any other requirements (and surely there will be) then they should be referenced in the specs.
2- Do EMV cards have an specific Applet AID?
Because they offer specific functionality? You may even have multiple applications on the same card. Note that it is possible to select applications using a partial AID (see how the Debit & Credit card partially match). The VISA specific cards are likely used internally only, e.g. when servicing cash machines.
3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?
Not likely. It would be rather unusable because it would require EMVCo security evaluation to be accepted. So you need some kind of payment structure to pay for certification and audits. No open source initiative is likely to pony up the cash up front.
Often these kind of implementations require techniques to avoid vulnerabilities that need to remain secret; smart cards do not offer perfect security after all. That's perpendicular to open sourcing an implementation. So if there is anything out there it must be created out of academic interest (e.g. for testing the security of the protocol, proof of concept etc.).
4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)
Generally it is more about which parts of the applet are available or not. The fact that most applets can be used in dual mode probably speaks for itself otherwise.
This paper seems to have a good introduction to the possible differences.
Is there any open source EMV applet? Is there any Java Card that has
an EMV applet/package by default?
Was working on a similar project and found this github repo. According to the owner:
This is a fully working EMV applet for javacard 2.2.1.
I've patched android with SEEK for Galaxy S3 and after some struggle I'm now able to send APDUs to SIM card and get proper responses.
I want to place my own applet inside SIM but since there is no way we can get the access to do so, I start to wonder if there is anyway we can issue a java card to work like a SIM card. All I need is a java card that the phone can't distinguish from a SIM, no network coverage is needed and I know it is almost impossible to create a SIM that works OK with operator and gives network coverage.
The reason for all this is I need to send APDUs and work with my applet, but if I insert a java card instead of a SIM card in GS3, it gives me no access at all.
So my question is this:
Is it possible to issue a java card so that it looks like a SIM by the phone (and not the operator)?
or Is it possible to change android so that it gives needed access when there is a java card in it, i.e. RIL works as usual?
EDIT
Okay, I think I'll try to issue a Java Card with following properties:
First, it will have an auto selected applet (default applet) that from now on will be call fake-UICC.
Second, in fake-UICC we'll emulate the file system of UICC (according to http://www.in2eps.com/fo-uicc/tk-fo-uicc-mf.html).
Third, since different class is used for SIM APDUs (0xA0) so All APDUs sent from RIL will be directed to fake-UICC by JCRE, since class+instruction is not recognized by normal Java Card. e.g. 0xA0A4 is select for SIM but 0x00A4 is select command for Java Card.
In last step, we will try to send exact same responses a real SIM would send to each APDU.
Maybe it won't work but I think it's worth a try.
SIM Card (UICC) accessed through SEEK is not the only secure element you can use in your cellphone.
On the market there are other Java Card solutions: mostly based on microSD slot (provided e. g. by GoTrust or Feitian Technologies), which you should be able to access through SEEK.
Some cellphones (Galaxy S3 is not this case, unfortunately) are equipped with a special secure element slot, which you can insert common smart card (mostly by Oberthur) into and access through SEEK (see http://www.nfcworld.com/technology/embedded-secure-element-ese/ for some devices with this feature).
There is an interesting article about SE options: http://nelenkov.blogspot.cz/2012/08/accessing-embedded-secure-element-in.html
If you know some other vendors offering microSD Java Card products, please write them down in comments and I will add them to my post. This answer is not supposed to be any advertisement for the companies mentioned above.
Well, Actually I'm not sure if this solution works or not, and as dear #Vojta mentioned in the comments under his answer I would like to discourage people from the following attempts. It will be difficult, time-consuming and probably with no useful results. He knows a lot more than me in this field.
Anyway, as you wanted I posted my suggestion:
Each file in the system file of the SIM/USIM card is linked to a hexadecimal number as its addresses (AID). These AIDs are defined in GSM and ETSI standards (GSM 11.11 for example). You can write some Javacard applets to simulate that system file.
As SIM/USIM card's AIDs are shorten than JavaCard AIDs, you might need to choose a Java Card that support partial AID selection and use this capability to refer incoming command to its associated applet.
I think you can simulate all the system file inside a single applet also and then make that applet default selected applet.
If you had any success with this solution, please inform us. :)
I noticed that JavaCard 3.0 may have the ability to use HTTPS from the Oracle website (oracle.com/technetwork/articles/javase/javacard3-142122.html).
Are there any ways to create HTTPS connections to a normal Internet website ?
Basically with Java Card Classic you are limited to the APDU interface. This interface has been specified in the Java Card API and the ISO/IEC 7816-4 standard.
It is of course possible to channel any kind of protocol through an APDU interface, but you would have to program it yourself. Furthermore, you would have to do so on the terminal side as well, because Java doesn't know anything about TCP/IP, name resolution etc. As Java Card environments are very limited, it would be tricky to create something that resembles an HTTP client.
There have been demonstrations that implemented a tiny web server on a Java Card. Those obviously also require some kind of proxy on the terminal side.
The Connected Edition - if you can find it anywhere - uses the same idea; it implements a web-server for e.g. authentication. It doesn't provide a client to my knowledge.
A1: There are no JavaCard Connected (which describes such option) devices publicly available.
A2: Classic JavaCard does not specify/allow any kind of connections.
J2ME provides JSR 177 which has APIs to access the SIM as a smart card. I want to explore this more and see what all I can do with this, but, I cant find any documentation with respect to that. All documentation that I have found so far is very generic and only mentions how to access a smart card with the APDU APIs and not how I can use this to do anything on the SIM.
Any ideas on where to get started?
Mostly, JSR 177 is supposed to be used to extract the certificate that is on the SIM so you can encrypt/decrypt/sign data in a way that your MNO likes.
The difficulty in finding documentation comes from so few handset manufacturers having included a full JSR177 implementation in their phone.
That, in turn, presumably comes from the huge amount of external, security-related specs to read and understand before the JSR177 spec itself makes sense if you're not a cryptography protocols expert.
The TCK sources and supplemental Symbian/Nokia test code would be a good place to look but, unfortunately, none of that has been open-sourced yet.
Common commands like changing the SIM PIN code basically require an understanding of the binary protocol itself. Simply appending the correct sequence of bytes to an APDU GCF url will get it executed if the JSR177 implementation itself is correct.
If you have only looked at the Sun JavaME SDK, you should probably have a look at the APDU MIDlet example in the latest Series60 SDK and added documentation in Nokia's Java Developer's Library.
I am trying to sign an XML document with the Micrisift API for the smart cards...
So far I can list the card readers, connect to the right card and establish the context but after that I am not sure what is next......
What PC/SC Functions Do I need to call to sign a document with a private smartcard key?
thanks in advance
Javier
If you have a middleware installed you can use the Windows CAPI for cryptographic functions. Some middlewares also ship a PKCS#11 library you can use.
If you don't have any middleware you have to do it yourself using the PC/SC interface, I suggest you look into ISO/IEC 7816-4 and ISO/IEC 7816-8 if the card is using Secure Messaging (or Sado Machism if you ask me). Unfortunately those ISO specs are quite expensive, however you can find some excerpts from ISO/IEC 7816-4 right here.
The ISO/IEC 7816-4 describe the APDU commands for information exchange with the card. The PKCS#15 standard can also be of great help regarding how files are stored on the card.
Also, you might need the full specification from the card manufacturer. If you are lucky you can find a plugin for your card in the MuscleCard project or the OpenSC project (they both work in Windows too).