Hardware and Operating Systems Security

Hardware and Operating Systems Security, autumn 2011

Below some information and pointers about the smartcards we will use. This should help you get started writing your first smartcard applets and host applications.

Smart cards

Smart cards communicate with the outside world by receiving commands and answering them. The protocol is described in the ISO7816-4 standard.

Java Card is a "dialect" of Java for programming such smart cards. A brief introduction to Java Card is available at JavaWorld. Lots more information is available from Sun's Java Card site. In particular, you can download the Java Card Development Kit there. The kit includes the Java Card API which contains classes you can use in your applet. Applets are compiled using a normal Java compiler and transformed to CAP files using a converter included in the kit. The protocol to download CAP files onto a smartcard is described in the Global Platform standard.

We will be using JCOP smartcards, the Java Card platform developed by IBM for which support has since moved to NXP. The JCOP4.1 cards we use support Java Card 2.2.1 and Global Platform 2.1.1. (To get an idea of the specs, these cards contain a SmartMX P5CT072 chip or something very similar to this. I couldn't find precise specs of the JCOP4.1, but they can do a bit more than the older JCOP31bio and other cards from JCOP family.)

JCOP toolset

Applets can be loaded onto the card using the JCOP toolset software that comes with the cards as an Eclipse plugin. A virtual machine for VirtualBox will be provided with Eclipse and the JCOP toolset pre-installed. On request we will email you a link with a copy of the toolset. You should save this zip file to your disk, and then open it in Eclipse as a "New Archived Site", by selecting

  Help -> Software Updates -> Find and Install -> Search for new features -> New Archived Site

in Eclipse.

Terminal

The terminal (or host application) can also written in Java. Obviously, you will need to install a recent version of the Java 2 SDK.

For easy communication with the Java Card applets on the card you should use the Smart Card I/O API.

Since the host application will need to do some cryptographic computations, you also need to install a cryptographic provider compatible with Sun's JCE. (The standard Java library does provide an API for cryptography, but the underlying engine lacks some of the important cryptographic primitives due to export restrictions.) The Bouncy Castle provider is recommended.

We have several types of smartcard readers available for use in this course:

the Towitoko ChipDrive micro
the OmniKey 3121

We also have an older Towitoko that connects to a serial port instead of USB, and an ACR30U smart card reader from SMC. The virtual machine will automatically connect to the Towitoko and the OmniKey 3121 readers. For more information and driver links check the bottom of this page.

API Documentation and Jars

Jar files should be copied to the jre\lib\ext folder of the Java 2 SDK in use. The dll files should be copied to \Windows or \Windows\System32.

API	Web site	Side	Docs
Java Card	http://java.sun.com/products/javacard/	card	API
Java	http://java.sun.com/	terminal	API
Bouncy Castle	http://www.bouncycastle.org/	terminal	API
Smart Card IO		terminal	Smart Card IO API

Installing applets on a smart card

To install an applet on the smart card you first have to create a run configuration in Eclipse:

Right click on the project
Select 'Run As' -> 'Run Configurations...'
Select 'Java Card Application'
Create a new configuration by pressing the 'New' button
On the 'Target' tab, select 'Card reader'
Click on 'Run' to install the applet on the card

Tips

Sometimes the JCOP tools have hard time compiling/producing your applets (everything works fine, but the CAP file is not produced and cannot be uploaded to the card). The Java language compatibility needs to be set up properly for the Java Card project. In project properties in Eclipse chose "Java compiler" and set "Compiler compliance level" to 1.3 (this should be the safest).
The cards we use have support for the Java Card API version 2.2.1. Make sure you include the correct library in your classpath. When using a higher version of the API, the CAP file will be created but installing the applet on the card will fail.

Example applications

Some example smartcard applications (applets and terminals) are available below.

Chipknip terminal

A simple terminal to get the current balance of your Chipknip card. (Chipknip is the Dutch national E-Purse.) Have a look at the Java file: ChipknipTerminal.java. This example demonstrates that your setup (reader and middleware APIs) is ok. It's safe to use your real chipknip with this application.

Calculator applet and terminal

This simple applet implements a calculator which operates on signed shorts. Overflow is silent. The terminal sends a command for every key on the keypad a user presses, the applet responds by sending the number to put on the display (i.e. the terminal has no state at all). Have a look at the source files in CalcApplet.zip and CalcTerminalSmartCardIO.zip. This example demonstrates Java Card and Smart Card I/O programming.

RSA crypto example

This simple example shows how to do RSA keypair generation, encryption and decryption in Java. Have a look at the source files in: RSAKeyGen.java, RSAEncrypt.java and RSADecrypt.java.

RSA crypto applet and terminal

The applet encrypts or decrypts blocks of data (length at most 128 bytes) using RSA keys which are generated off-card and uploaded to the card. RSA keys have to be sent to the card first and then the card needs to be "issued" before any encryption and decryption is done. The files with private and public keys that the host application requires/asks for can be generated with RSAKeyGen.java above. Have a look at the source files in CryptoApplet.java and CryptoTerminalSmartCardIO.java.

More Java Card code samples are at the end of this document.

Some additional (but mostly outdated) info is collected on the old version of this webpage.