Security in each byte of Java card's EEPROM

Similar Messages

• Java Card Security domain

  Hi ,
  According to the visa Open platform architecture, each Java card applet is associated with a Security domain.
  I am using GemXpressoRAD211 toolkit for developing Java Card applets.
  In the Gemxpresso211IS card, the default security domain is the Card Manager, whose AID is A0 00 00 00 03 00 00 . It is basically the card issuer security domain.
  When I install an applet to the card , the Card Manager is assumed to be the associated security domain .
  My questions are....
  1.
  How can I associate my applet to application provider security domain rather than the card issuer security domain? Form where Do I get this security domain ? Do I need to write my own security domain, or some body else provide it ?

  there's a card issuer, with its ISD
  then there's another company who wants to have ability to install/remove some applets on this card
  we create another SD for this company and "delegate" some limited capabilities to manage the contents of the card
  read about the delegated managament in GP
  regards
  Kuba

• Secure object sharing in java card

  Who has the complete code in secure object sharing in java card which is written by Michael Montgomery. I want to look at the code in this article. I wish somebody can help me!!!

  Who has the complete code in secure object sharing in java card which is written by Michael Montgomery. I want to look at the code in this article. I wish somebody can help me!!!

• Seeking Help for Guidance in developing a product using JAVA CARD

  Hi All,
  I am using windows environment with netbeans 6.8 as developer tool and MySql Server connectivity for back end process.My requirement is to develop applets and installing them to my Smart card and reader.my question is
  1. how i am supposed to create applets to get the student id of particular student whose id is already registered in the database?
  2. how to install them into the smart card?
  3.what are the commands i am supposed to follow if other than APDU commands?
  4.i found there is APDU commands but what do that each CLA,INS,p1,p2,Lc,le..commands used for?how can i use them in my creation of applets.i found the command varies for certain requirements.
  5.if possible please help me with a small example so that i will start developing it.
  can anyone help me in developing this application.i will be so helpful if anyone helps me in guiding me to develop the java card product.
  Edited by: Sijukj on Mar 4, 2010 7:04 AM

  Hi,
  Welcome to the wonderful world of embedded Java development!
  Sijukj wrote:
  1. how i am supposed to create applets to get the student id of particular student whose id is already registered in the database?The first step is to download the Java Card Development Kit (JCDK) from the Sun website (along with the related documentation/specifications). If you plan on using your code on a real card, I would recommend JC version 2.2.1 or 2.2.2. If it is sufficient to run your applet on a simulator (as a proof of concept or for assignments) with no intention on running on real hardware you could go for JC 3.0.2 and use the supplied simulator. This version of JC does not have commercially available cards as of yet.
  Once you have the applet coded and installed on your card, you would personalise the card for the card holder. This means loading card holder specific data into your application. This may also involve registering the smart card ID with the student in your database.
  2. how to install them into the smart card?The procedure for loading and installing applets is outlined in the Java Card documentation (available with the JC development kits from Sun) and the GlobalPlatform card specifications (available from [http://www.globalplatform.org]). You can look into some open source tools for doing this (GPShell and the Java Card Development Kit).
  3.what are the commands i am supposed to follow if other than APDU commands?This depends on what you are trying to achieve with your applet. If you want interoperability you could implement a standard like ISO7816 or IOS24727. This is a lot of work so you may just want to implement the proprietary you require for each operation you need (e.g. set student ID, get student ID etc).
  4.i found there is APDU commands but what do that each CLA,INS,p1,p2,Lc,le..commands used for?how can i use them in my creation of applets.i found the command varies for certain requirements.These are defined in ISO7816 part 4.
  The CLA byte gives information on the command you are sending such as secure messaging, command chaining, ISO or proprietary command
  The INS is the instruction or command you are trying to perform
  P1 and P2 are parameters to the command. These may not be required for each command but are able to be used to convey further information to the applet.
  Lc is the length of the data field you are sending (e.g. for a PUT DATA command this would be the amount of data you are sending)
  Le is the length of the data you expect to receive back from the card. If this is absent you do not expect the card to return any data, 0x00 means send all the data you have left (up to the limit of the response APDU)
  5.if possible please help me with a small example so that i will start developing it.You can find example code in the Java Card Development Kit. There are a wide range of examples there that can help you get started.
  Cheers,
  Shane

• Urgent ! writing a java card applet -APDU problem

  hi
  i'm fairly new to the java programming language. i'm trying to write an RSA java card applet to run on a java card simulator.
  I am not sure at all what code i need to write for the CLA byte in the command APDU and what code i need to write for the INS byte in the command APDU, and where exactly to put it in my program.
  if anybody knows please could you help me out.
  So far i have written the code below.
  thanx
  louise
  import javacard.framework.*;
  import java.math.*;
  import java.util.*;
  /*the public key is the public part of the key. Anyone
  can have it. It can only encrypt data, not decrypt.*/
  public class publickey extends Applet{
  //code of the CLA byte in the command APDU header
  final static byte publickey_CLA = (byte)0x00;
  //max number of characters for text message is 60
  final static char MAX_TXT_MSG = 0x3c;
  //MAX number of tries (3) before PIN is blocked
  final static byte PIN_TRY_LIMIT = (byte)0x03;
  //size of PIN must be 4 digits long
  final static byte PIN_SIZE = (byte)0x04;
  //below status word(SW) values are returned by applet
  //in certain circumstances:
  //signal that the PIN verification failed
  final static short SW_PIN_VERIFICATION_FAIL = 0x6300;
  //signal that PIN validation required for txt msging
  final static short SW_PIN_VERIFICATION_REQUIRED = 0x630;
  //instance variables declaration
  OwnerPIN pin; //variable for holding owners pin
  BigInteger n,e;
  String owner;//variable for holding owners name
  /*make a public key. Do not do it yourself, but
  make a public key from a private key.*/
  publickey(String iowner,BigInteger in,BigInteger ie){
  owner=iowner;
  n=in;
  e=ie;
  public void process (APDU apdu) {
  byte[] buffer = apdu.getBuffer();
  //check Select APDU command
  if((buffer[ISO7816.OFFSET_CLA] ==0) &&
  (buffer[ISO7816.OFFSET_INS] ==(byte) (0xA4)) )
  return;
  if(buffer[ISO7816.OFFSET_CLA] !=publickey_CLA)
  ISOException.throwIt
  (ISO7816.SW_CLA_NOT_SUPPORTED);
  /*read the key back from a string.*/
  publickey(String from){
  StringTokenizer st=new StringTokenizer(from," ");
  owner=st.nextToken();
  n=readBI(st.nextToken());
  e=readBI(st.nextToken());
  /*use the key to encrypt a 'message' m. m should be a
  number from 1 to n (n not included).
  use makemessage to convert your message to a BigInteger.
  BigInteger encrypt(BigInteger m){
  return m.modPow(e,n);
  /*make a string from this key.*/
  public String toString(){
  return owner+" "+printBI(n)+" "+printBI(e);
  /*help methods for reading and writing:*/
  final static int radix=36;
  static String printBI(BigInteger b){
  return b.toString(radix);
  static BigInteger readBI(String s){
  return new BigInteger(s,radix);
  /* these methods convert an arbitrary message,
  in the form of an array of bytes, to a message
  suitable for encryption. To do this random bits
  are added (this is needed to make cracking of the
  system harder), and it is converted to a BigInteger.*/
  BigInteger makemessage(byte[] input){
  /*to understand this part of the program,
  read the description of the BigInteger constructor
  (in the standard java help). */
  if(input.length>128 ||
  input.length*8+24>=n.bitLength())
  return new BigInteger("0"); //error! message to long.
  byte[] paddedinput=new byte[n.bitLength()/8-1];
  for(int i=0;i<input.length;i++)
  paddedinput[i+1]=input;
  paddedinput[0]=(byte)input.length;
  for(int i=input.length+1;i<paddedinput.length;i++)
  paddedinput[i]=(byte)(Math.random()*256);
  return new BigInteger(paddedinput);
  /*the inverse of makemessage.*/
  static byte[] getmessage(BigInteger b){
  byte[] paddedoutput=b.toByteArray();
  byte[] output=new byte[paddedoutput[0]];
  for(int i=0;i<output.length;i++)
  output[i]=paddedoutput[i+1];
  return output;
  class privatekey{
  /*the data of a key*/
  BigInteger n,e,d;
  String owner;
  int bits;
  Random ran;
  /*unimportant things, needed for calculations:*/
  static int certainty=32;
  static BigInteger one=new BigInteger("1"),
  three=new BigInteger("3"),
  seventeen=new BigInteger("17"),
  k65=new BigInteger("65537");
  /*make a new key. supply the name of the owner of the
  key, and the number of bits.
  owner: all spaces will be replaced with underscores.
  bits: the more bits the better the security. Every
  value above 500 is 'safe'. If you are a really paranoid
  person, you should use 2000.*/
  privatekey(String iowner,int ibits){
  BigInteger p,q;
  bits=ibits;
  owner=iowner.replace(' ','_');//remove spaces from owner name.
  ran=new Random();
  p=new BigInteger(bits/2,certainty,ran);
  q=new BigInteger((bits+1)/2,certainty,ran);
  n=p.multiply(q);
  BigInteger fi_n=fi(p,q);
  e=chooseprimeto(fi_n);
  d=e.modInverse(fi_n);
  /*read the key back from a string*/
  privatekey(String from){
  StringTokenizer st=new StringTokenizer(from," ");
  st.nextToken();
  n=readBI(st.nextToken());
  e=readBI(st.nextToken());
  d=readBI(st.nextToken());
  /*some help methods:*/
  static BigInteger fi(BigInteger prime1,BigInteger prime2){
  return prime1.subtract(one).multiply(prime2.subtract(one));
  static BigInteger BI(String s)
  {return new BigInteger(s);}
  BigInteger chooseprimeto(BigInteger f){
  /*returns a number relatively prime to f.
  this number is not chosen at random, it first
  tries a few primes with few 1's in it. This
  doesn't matter for security, but speeds up computations.*/
  if(f.gcd(three).equals(one))
  return three;
  if(f.gcd(seventeen).equals(one))
  return seventeen;
  if(f.gcd(k65).equals(one))
  return k65;
  BigInteger num;
  do{
  num=new BigInteger(16,ran);
  }while(!f.gcd(num).equals(one));
  return num;
  final static int radix=36;
  static String printBI(BigInteger b){
  return b.toString(radix);
  static BigInteger readBI(String s){
  return new BigInteger(s,radix);
  /*returns the public key of this private key.*/
  publickey getpublickey(){
  return new publickey(owner,n,e);
  /*the same encryption that the public key does.*/
  BigInteger encrypt(BigInteger m){
  return m.modPow(e,n);
  /*decryption is the opposite of encryption: it
  brings the original message back.*/
  BigInteger decrypt(BigInteger m){
  return m.modPow(d,n);
  public String toString(){
  return owner+" "+printBI(n)+" "+printBI(e)+" "+printBI(d);
  /*this main demonstrates the use of this program.*/
  public static void main(String[] ps){
  say("************ make key:");
  privatekey priv=new privatekey("sieuwert",92);
  publickey pub=priv.getpublickey();
  say("the public key:"+priv);
  say("************ encrypt message:");
  byte[] P="RUOK?".getBytes();
  BigInteger Pc=pub.makemessage(P);
  say("converted:\t"+printBI(Pc));
  BigInteger C=pub.encrypt(Pc);
  say("coded message: "+printBI(C));
  say("************ decrypt message:");
  BigInteger Pc2=priv.decrypt(C);
  say("decoded:\t"+printBI(Pc2));
  byte[] P2=publickey.getmessage(Pc2);
  say("deconverted: "+new String(P2));
  static void say(String s){
  System.out.println(s);

  Command APDU is not written in your source code, rather it is sent from PC or programmed Card Acceptance Device/ Card Reader/ Terminal.
  The code installed in the Java Card should be able to handle the Command APDU received and process it accordingly, and finally your code should be able to send out response APDU.
  You may think your code as a decoder, to retrieve each byte (CLA, INS, P1, P2, DATA, LC) using the Java Card API, you should be able to do it.
  Also, I notice in your code that you want to work out with strings, but Java Card does not support strings, chars, long, float, double ...
  to send out reponse APDU, there are certain steps that you can use, not just simply print like ordinary J2SE may use.
  hope this will help u

• Please help error regarding GPShell 1.4.2 with Java Card 2.2.1

  Hi masters..
  please help me regarding GPShell + Smart Card Reader (namely Omnikey Cardman 5321)..
  currently i've a smart card reader (Omnikey) and a sample java card that support for Java Card 2.2.1..
  i've installed Smart card reader's driver, and it has already completely function..
  When i try to run this command in GPShell 1.4.2, i get this report :
  C:\GPShell-1.4.2>GPShell helloInstallgemXpressoProR3_2E64.txt
  mode_201
  gemXpressoPro
  enable_trace
  establish_context
  card_connect
  * reader name OMNIKEY CardMan 5x21 0
  card_connect() returns 0x80100069 (The smart card has been removed, so that furt
  her communication is not possible.
  select -AID A000000018434D00
  Command --> 00A4040008A000000018434D00
  Wrapped command --> 00A4040008A000000018434D00
  select_application() returns 0x00000006 (The handle is invalid.
  Yes, i know that in that script (helloInstallgemXpressoProR3_2E64.txt), there's a script for load helloworld.cap into Java card..
  i tried that because i just want to make sure whether my Java Card run well or not..
  Please help me regarding this..
  Thanks in advance..

  Hi safarmer, thanks for your reply :)..
  Sorry before, i still don't understand about your last reply.. :(
  especially for check the crytpogram.. :(
  could you describe what mean of each line of code from that snippet code?..
  Sequence   : 0002
  challenge  : 598dd3961bfd
  cryptogram : 24cccf18c18437bb
  host       : 5a7787ba91497948
  DEBUG [] - Input to session S-ENC derivation: 01820002000000000000000000000000
  DEBUG [] - S-ENC: adc1163ba2a146fbb94af44c8676fb7cadc1163ba2a146fb
  DEBUG [] - Input to session DEK derivation : 01810002000000000000000000000000
  DEBUG [] - S-DEK: fd01086b6db03bdfe0d5cb61d03ed3abfd01086b6db03bdf
  DEBUG [] - Input to session CMAC derivation: 01010002000000000000000000000000
  DEBUG [] - S-MAC: 3e07b0c8fdfd798a573b9b9889d0cb513e07b0c8fdfd798a
  Input to card cryptogram verification: 5a7787ba914979480002598dd3961bfd8000000000000000
  DEBUG [] - Signature : 24cccf18c18437bb
  DEBUG [] - Cryptogram: 24cccf18c18437bb
  Card cryptogram authenticated=======================================================================================
  =======================================================================================
  i've added script "mode_211" to my script, as follow :
  mode_211
  enable_trace
  establish_context
  card_connect -readerNumber 2
  select -AID a0000000030000
  open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
  delete -AID a00000006203010c0101
  delete -AID a00000006203010c01
  delete -AID a00000006203010c0101
  install -file HelloWorld.cap -nvDataLimit 500 -instParam 00 -priv 2
  card_disconnect
  release_contextbut when i executed that script in the console, i got this :
  C:\GPShell-1.4.2>GPShell helloInstallChan.txt
  mode_211
  enable_trace
  establish_context
  card_connect -readerNumber 2
  * reader name OMNIKEY CardMan 5x21-CL 0
  select -AID a0000000030000
  Command --> 00A4040007A0000000030000
  Wrapped command --> 00A4040007A0000000030000
  Response <-- 6F108408A000000003000000A5049F6501FF9000
  open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4
  f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
  Command --> 80CA006600
  Wrapped command --> 80CA006600
  Response <-- 664C734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864
  886FC6B03640B06092A864886FC6B040215650B06092B8510864864020102660C060A2B060104012
  A026E01029000
  Command --> 80500000083C4E03633407EC1800
  Wrapped command --> 80500000083C4E03633407EC1800
  Response <-- 0000715457173C2B8FC1FF020002598DD3961BFD8B6F2963C070FF949000
  Command --> 8482010010E17B69E2A3DFEA320B0B457657362614
  Wrapped command --> 8482010010E17B69E2A3DFEA320B0B457657362614
  Response <-- 9000
  delete -AID a00000006203010c0101
  Command --> 80E400800C4F0AA00000006203010C010100
  Wrapped command --> 84E40080144F0AA00000006203010C0101D259A163E654B99900
  Response <-- 6A88
  delete_applet() returns 0x80206A88 (6A88: Referenced data not found.)
  delete -AID a00000006203010c01
  Command --> 80E400800B4F09A00000006203010C0100
  Wrapped command --> 84E40080134F09A00000006203010C01094A9BF13AD2CC3E00
  Response <-- 6A88
  delete_applet() returns 0x80206A88 (6A88: Referenced data not found.)
  delete -AID a00000006203010c0101
  Command --> 80E400800C4F0AA00000006203010C010100
  Wrapped command --> 84E40080144F0AA00000006203010C010156679B9711B83FAB00
  Response <-- 6A88
  delete_applet() returns 0x80206A88 (6A88: Referenced data not found.)
  install -file HelloWorld.cap -nvDataLimit 500 -instParam 00 -priv 2
  file name HelloWorld.cap
  Command --> 80E602001F09A00000006203010C0107A0000000030000000AEF08C60201A8C80201
  F40000
  Wrapped command --> 84E602002709A00000006203010C0107A0000000030000000AEF08C60201
  A8C80201F400D35F07F1D11A31E500
  Response <-- 6985
  install_for_load() returns 0x80206985 (6985: Command not allowed - Conditions of use not satisfied.)What it does mean?..
  so, can i reset THE RETRY COUNTER of my Java Card?..
  could you give me an example script that reset the Retry Counter?..
  Thanks in advance..
  Sorry i really confuse.. :(

• Is it possible to simulate whole java card application on simulator?

  Hello all,
  currently i dont have any real java card yet,not either reader . I already made a simple applet and check its working by CJCRE (net beans simulator), it is working fine,
  now i want to move to host application which will communicate with java card via card reader. Is this possible to simulate complete application ( host application + java card applets)?
  I want to check it out that:- which line of java program would be helpful to know that:-
  1-"how real host application will talk to reader"
  2- how it connect and disconnect the reader
  3- how it send apdu to java card by reader
  and much more.
  I am using netbeans 7.1 and it is using CJCRE as a simulator....

  you mean to say this
  http://askra.de/software/jcdocs/app-notes-2.2.2/apduio.html
  I am quite confused now, i read this but still can not imagine the concept ,
  an applet code is :-
  public class GetName extends Applet
       final static byte CLASS     = (byte) 0x80;  // Class of the APDU commands
       final static byte INS_READ  = (byte) 0x02;  // instruction for the READ APDU command
       final static byte INS_WRITE = (byte) 0x03;  // instruction for the READ APDU command
       final static byte INS_DY_CO = (byte) 0x04;  // instruction for the READ APDU command
       final static byte[] text    = {(byte) 'A', (byte) 'M', (byte) 'I', (byte) 'T'};
       public static byte[] holder;
       public static void install(byte[] bArray, short bOffset, byte bLength)
          new GetName();
      protected GetName()
          holder = new byte[5];// allocation of memory in runtime
          register();
      public void process(APDU apdu)
            if(selectingApplet())
                 return;
          byte[] cmd_apdu = apdu.getBuffer();         
           if (cmd_apdu[ISO7816.OFFSET_CLA] == CLASS)
                 switch(cmd_apdu[ISO7816.OFFSET_INS])
                      case INS_READ:  
                      if ((cmd_apdu[ISO7816.OFFSET_P1] != 0) || (cmd_apdu[ISO7816.OFFSET_P2] != 0))
                      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
                      short le = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF); 
                      short len_text = (short)text.length;                      
                      if (le != len_text)
                      ISOException.throwIt((short)(ISO7816.SW_CORRECT_LENGTH_00 + len_text)); 
                      apdu.setOutgoing();                      
                      apdu.setOutgoingLength((short)len_text);
                      apdu.sendBytesLong(text, (short)0, (short)len_text);
                      break;
                  // here we save data from apdu and will keep inside the data byte                   
                      case INS_WRITE:
                  short lc = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF); 
                  Util.arrayCopy(cmd_apdu, (short) ((ISO7816.OFFSET_CDATA) & 0xff), holder, (short) 0, lc);
                      short len_holder_inside_write= (short) holder.length;
                     apdu.setOutgoing();
                  apdu.setOutgoingLength((short)len_holder_inside_write);
                  apdu.sendBytesLong(holder, (short) 0, (short) len_holder_inside_write);
                  break;
                  case INS_DY_CO:
                      short len_holder= (short) holder.length;
                  apdu.setOutgoing();
                  apdu.setOutgoingLength((short)len_holder);
                  apdu.sendBytesLong(holder, (short) 0, (short) len_holder);
                  break;
                      default : 
                      ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
           else
                  ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
  }now i think i need to make a another java file which would contain a main class, Is this both file would be inside a single java card project. and how these both would be connect to each other.
  for manually run a applet- there were two steps 1-
  C:\java_card_kit-2_2\samples\src\demo>jcwde jcwde-getname.app
  Java Card 2.2 Workstation Development Environment (version 0.18).
  Copyright 2002 Sun Microsystems, Inc. All rights reserved.
  jcwde is listening for T=0 Apdu's on TCP/IP port 9,025.
  and in second terminal we wrote-
  C:\java_card_kit-2_2\samples\src\demo>apdutool -nobanner -noatr getname.scr > ge
  tname.scr.jcwde.out
  Here it is clear that, if i will use javacardio then no need to pass the apdu from a file .....but i am confuse about how it possible, ie. is both file lie in same project , because i m using simulator so i need to run these both file simoltaneously........give me some roughly steps to implement this.

• Java Card program execution on Eclipse

  Hi Dears,
  I am new to Java Card. I did setup to run Java Card programs on eclipse using http://eclipse-jcde.sourceforge.net/.
  This is my simple program below
  import javacard.security.RandomData;
  public class Main {
       public void main() {
            RandomData rd = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
            short outLen = 10;
            byte buffer[] = new byte[outLen];
            short outOffset = 0;
            rd.generateData(buffer, outOffset, outLen);
  Compilation is successful but when I run the program I get the following error.
  Error occurred during initialization of VM
  java/lang/NoClassDefFoundError: java/lang/String
  This is very annoying. I think my run time environment is not ok for running java card programs. I am able to run Java programs but not java card programs. Any one can help please?
  Thanks,
  Regards,
  Naveed

  please post code with &#123;code} tags
  Naveed86 wrote:
  Hi Dears,
  I am new to Java Card. I did setup to run Java Card programs on eclipse using http://eclipse-jcde.sourceforge.net/.
  This is my simple program below
  import javacard.security.RandomData;
  public class Main {
       public void main() {
            RandomData rd = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
            short outLen = 10;
            byte buffer[] = new byte[outLen];
            short outOffset = 0;
            rd.generateData(buffer, outOffset, outLen);
  }Compilation is successful but when I run the program I get the following error.
  Error occurred during initialization of VM
  java/lang/NoClassDefFoundError: java/lang/String
  This is very annoying. I think my run time environment is not ok for running java card programs. I am able to run Java programs but not java card programs. Any one can help please?
  Thanks,
  Regards,
  Naveed

• Default applets on brand new java card and spec support

  Hi,
  I have got brand new java card reader and real java card.
  I want to just access it using Java and see if I can access stuff on the java card before i go ahead with next things.
  I was thinking of just doing select on some applet which is present on brand new java card by default.
  1. Does anyone know if any default applet is present on java card?
  2. If yes, AID of that?
  3. Is there any APDU by which I can find out which java card spec that card supports?
  Btw, I am using Java Card 2.2.2 and the card i have should also have same support.
  Edited by: unic.man on Jul 12, 2008 2:11 AM

  >
  1. I know that any smart-card has a universally unique id which can be retrieved pro grammatically. Can you please tell me the APDU/API to retrieve it on Host app side? If not, card side at least?
  I don't know much about unique IDs but basically you've got the ATR which is given to you every time the card is powered on. The ATR identifies a particular family of cards. If you want to identify each card you need to have a look at the GET DATA command (in Global Platform) and especially the CPLC (Card Production Life Cycle). Apparently you can get a unique ID by combining the IC batch identifier and the IC serial number.
  2. I'm also struggling with deploying the app. It is not detecting the default installer applet via apdutool. I found some articles and netbeans plug-in talking about keys to download applet on card. Do you know standard keys/derivated keys to start secured channel?I don't think you can use the JCDK to install an applet on a real card. If you have a JCOP card I advise you to get the JCOP tools. And yes you will need the keys to establish a secure channel but I don't know what the default keys are on a JCOP card.

• NFC for Java Card

  Hi guys
  I'm a new one with NFC, especially for the field that I'm investigating right now, Java Cards. Hence, would you mind to help me with the initialization? I mean what am I supposed to begin with (name of documents, materials,...)?
  Any of your help would be appreciated.
  Thanks in advance
  Jason

  Jason,
  I'm not sure what you mean by NFC integrated Java Card. Could you give me the name of the document you downloaded from Global Platform?
  Java Card knows about the transport type between itself and the reader: contact (T=0, T=1 : ISO/IEC 7816) or contactless (T=CL : ISO/IEC 14443). But that is all; a Java Card applet should not know or care about the lower transport layers.
  As for the relationship between GSM, UICC and NFC, have a look at the document "NFC Stepping Stones" from SIMAlliance: http://www.simalliance.org/en?t=/documentManager/sfdoc.file.supply&fileID=1308660607647
  EDIT:
  For more on STK applets (GSM), read the Gemalto introduction to the SIM Toolkit: http://developer.gemalto.com/home/technology/sim-toolkit.html
  The best standard for you to start with is probably 3GPP 43.019.
  As reference, here is a partial list of (I hope) relevant standards. If you find more, please post them here!
  ISO/IEC:
  ISO/IEC 7816-1
  ISO/IEC 7816-2
  ISO/IEC 7816-3 (T=0)
  ISO/IEC 7816-4 (Limited to command set required for GSM compliance.)
  Java Card:
  Runtime Environment Specification Java Card Platform, Version 2.2.1 V2.2.1
  Virtual Machine Specification Java Card Platform, Version 2.2.1 V2.2.1
  Application Programming Interface Java Card Platform, Version 2.2.1 V2.2.1
  Global Platform:
  Global Platform Card Specification 2.1.1 V2.1.1
  GSM:
  GSM 11.11 version 8.3.0
  GSM 11.12 version 4.3.1
  GSM 11.14 version 8.3.0
  GSM 11.17 version 7.0.2
  GSM 11.18 version 7.0.1
  GSM Comp128-1, 2, 3
  SIM:
  TS 23.040 V.6 Technical realization of the Short Message Service (SMS)
  TS 43.019 V.6 Subscriber Identity Module Application Programming Interface (SIM API) for Java Card; Stage 2
  TS 51.011 V.5 Specification of the Subscriber Identity Module - Mobile Equipment (SIM-ME) interface
  TS 51.014 V.4 Specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface
  USIM:
  TS 31.102 V.6 Characteristics of the Universal Subscriber Identity Module (USIM) application
  TS 31.111 V.6 Universal Subscriber Identity Module (USIM) Application Toolkit (USAT)
  TS 31.115 V.6 Secured packet structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications
  TS 31.116 V.6 Remote APDU Structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications
  TS 31.124 V.6 Mobile Equipment (ME) conformance test specification; Universal Subscriber Identity Module Application Toolkit (USAT) conformance test specification
  TS 31.900 V.6 SIM/USIM internal and external interworking aspects
  TR 31.919 V.6 2G/3G Java Card™ Application Programming Interface (API) based applet interworking
  ETSI TS 135.208 Technical Specification Universal Mobile Telecommunications System (UMTS); 3G Security; Specification of the MILENAGE algorithm set
  UICC:
  TS 31.101 V.6 UICC-terminal interface; Physical and logical characteristics
  TS 31.121 V.6 UICC-terminal interface; Universal Subscriber Identity Module (USIM) application test specification
  ETSI TS 102.220 ETSI numbering system for telecommunication application providers
  ETSI TS 102.221 Smart cards; UICC-Terminal interface; Physical and logical characteristics
  ETSI TS 102.222 IC Cards Admin Commands for Telecom
  ETSI TS 102.223 Card Application Toolkit
  ETSI TS 102 241 "Technical Specification Smart Cards; UICC Application Programming Interface (UICC API) for Java Card"
  OTA:
  ETSI TS 102.224 Security mechanisms for UICC based Applications -Functional requirements
  ETSI TS 102.225 Secured packet structure for UICC based applications
  ETSI TS 102.226 Remote APDU structure for UICC based applications
  TS 23.040 V.6 Technical realization of the Short Message Service (SMS) Point-to-Point (PP)
  TS 23.041 V.6 Technical realization of Cell Broadcast Service (CBS)
  (U)SAT:
  TS 23.048 V.5 Security Mechanisms for the (U)SIM application toolkit
  TS 31.111 V.6 Specification of the USIM Application Toolkit
  TS 31.112 V.6 Universal Subscriber Identity Module Application Toolkit (USAT) interpreter architecture description
  TS 31.113 V.6 Universal Subscriber Identity Module Application Toolkit (USAT) interpreter byte codes
  TS 31.114 V.6 Universal Subscriber Identity Module Application Toolkit (USAT) interpreter protocol and administration
  TS 51.014 V.4 Specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment (SIM-ME) interface
  ETSI TS 102 223 Card Application Toolkit (CAT)
  SIM Alliance:
  S@T 01.00 Specification 2009 SIMalliance S@T Byte Code
  S@T 01.10 Specification 2009 SIMalliance S@T Markup Language
  S@T 01.20 Specification 2009 SIMalliance S@T Session Protocol
  S@T 01.21 Specification 2009 SIMalliance S@T Administrative Commands
  S@T 01.22 Specification 2009 SIMalliance S@T Operational Commands
  S@T 01.23 Specification 2009 SIMalliance S@T Push Commands
  S@T 01.30 Specification 2007 SIMalliance S@T Validation Test Plan System Functional Tests
  S@T 01.50 Specification 2009 SIMalliance S@T Browser Behaviour Guidelines
  S@T 01.60 Gateway Implement 2009 SIMalliance S@T Gateway Implement
  Security & Algorithm
  TS 33.102 V.6 3G security; Security architecture
  TS 33.105 V.6 Cryptographic algorithm requirements
  TS 35.205 V.6 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: General
  TS 35.206 V.6 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm specification
  TS 55.205 V.6 Specification of the GSM-MILENAGE algorithms: An example algorithm set for the GSM Authentication and Key Generation Functions A3 and A8
  Test specification
  TS 31.048 V.5 Security mechanisms for the (U)SIM application toolkit; Test specification
  TS 31.120 V.6 UICC-terminal interface; Physical, electrical and logical test specification
  TS 31.121 V.6 UICC-terminal interface; Universal Subscriber Identity Module (USIM) application test specification
  TS 31.122 V.6 Universal Subscriber Identity Module (USIM) conformance test specification
  TS 31.130 V.6 (U)SIM Application Programming Interface (API); (U)SIM API for Java Card
  TS 31.213 V.6 Test specification for subscriber (U)SIM; Application Programming Interface (API) for Java Card™
  TS 35.203 V.6 Specification of the 3GPP confidentiality and integrity algorithms; Document 3: Implementors' test data
  TS 35.207 V.6 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Implementors’ test data
  TS 35.208 V.6 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 4: Design conformance test data
  TR 35.909 V.6 3G Security; Specification of the MILENAGE algorithm set: an example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 5: Summary and results of design and evaluation
  TS 51.013 V.5 Test specification for Subscriber Identity Module (SIM) Application Programming Interface (API) for Java Card
  TS 51.017 V.4 Subscriber Identity Module (SIM) test specification
  Adriaan
  Edited by: Adriaan on Feb 14, 2012 1:34 AM

• MIDP and Bluetooth as Java Card substitute

  Hi,
  I'm a Java developer, but not a Java Card developer, so I'm curious about the opinions of Java Card developers. It seems to me that IR and Bluetooth enabled J2ME/MIDP devices could be used in many situations where Java Cards are currently used. Depending on the adoption rates of
  a) Bluetooth enabled computers, devices, access points, etc... and
  b) cell phones with both Bluetooth and J2ME
  It may soon (a year or two) become cheaper and/or more convenient to issue users without a J2ME Bluetooth phone, such a device, than to issue all users Java Cards.
  So, entrenched coders
  1) Is this migration sane?
  2) Is anybody doing it, now?
  3) How hard/trivial is porting the applications?
  Thanks,
  Curt

  I'm aware of the JSR, but what is the security element ?On Sun Tech Days I was told it should be a Java Card. ;-))
  The main advantage of a smartcard is that it provides a trustworthy and tamper-resistant environment.
  Please have a look at
  http://www.simalliance.org/portal_upload/SIMalliance_comm.PDF
  I quote from the SIM Alliance site:
  "Thanks to a defined standard, easy downloading and powerful operating systems displaying high quality graphics, J2ME phones are making their mark. This leads to the question with such success and a memory capacity up to 1000 times the (U)SIM, will this relegate the Smart Card to a second class citizen?
  While Smart Card cannot compete with a Java handset for the sexy aspects of applications such as graphics, the core attributes of a Smart Card offer a number of significant benefits to application delivery, execution and management. All of these features require privacy management, security, portability and one-to-one personalization.
  Wireless applications must be secure and robust. However, it is feared that operators' revenue streams and secure pipeline will be threatened by the free delivery of applications mimicking the loss-making Internet portal model.
  This is where the Smart Card, (UICC, (U)SIM, and equivalent), will play an essential role in providing security, building trust and protecting revenues for mobile businesses.
  The card will become an integral part of the architecture for distributed applications running at the same time on Server, Handset and Smart Card to leverage the respective benefits of each part of the infrastructure.
  By looking at the strong points of each of the Java standards, Java Card and J2ME are not competing technologies but instead can be used in tandem to create an "open" and "secure" infrastructure that operators and content providers need in order to increase their ARPU and diminish costs. At present this infrastructure does not exist but leading operators, handset manufacturers, content providers and (U)SIM suppliers are working to make it a reality."

• Java card Applet RSA encryption Problems with Android

  hi all,I am new to java card development. I have used nxp jcop 31-36 java card and nexus s for testing the application.so i have faced lot of problems.first of all i want to encrypt data coming from the android app using RSA1024 and send back to the android application.there are the problems I faced
  1.RSA1024 and RSA2048 algorithms can't work with the nexus s Application.it means i can't receive any encrypt data from card.but when i test the application with eclipse jcop shell tool it is work properly.
  2.when i run the application in nexus s the application is crashed.it gives some wired sound when tap the java card to android phone.it may be java card application crashed or give some wired sound from android OS level.
  3.Then I Test the Application with Samsung S2. Sometimes it works but sometimes it crashed.in the S2 the encryption works fine(but we have to keep wile card 2 or 3 minutes).
  these are the steps i followed in established the connection i android phone.So fist i created the ISO dep connection and first select the Application(00A40400AID).Then using transive method i send data to java card.In the Java card in the installation i have created the RSA key pairs and get the RSA public key and private key.in some method i got the APDU buffer and read data and encrypt this data.Then those are send back to the card. First i want to know is there any problem in Android Os or JCOP 31/36 card.And other thing each time i requested to java crd is that need to reset the java card and how to reset the Java card.(some brief idea)

  Hi,
  1) Import android.smartcard libraries,
  2) Try to make a connection :
  ISmartcardConnectionListener connectionListener = new ISmartcardConnectionListener()3) create an instance of smartcardclient:
  smartcard = new SmartcardClient(this, connectionListener);4) get the list of readers :
  String[] readers = smartcard.getReaders();you can check if a specific reader is connected or nor with
  smartcard.isCardPresent(readers [0]);5) create a card channel and select your applet:
  cardChannel = smartcard.openLogicalChannel(cardReader, APPLET_AID);
  ICardChannel cardChannel = null;
  cardChannel = smartcard.openLogicalChannel(cardReader, APPLET_AID);6) you can send and receive APDUs with this line of code:
  byte[] response Apdu = cardChannel.transmit(commandApdu);Regards,
  Hana

• !!Help!![Java Card Platform]Off Card Installer[v3.0.2]Create failed: null

  I newbie used NetBeans to simulator Java Card Platform, and newbie for Java Card.
  I take VERY simple sample HelloWorld and add several lines:
  and launch build.xml with run task.
  all stages goes well, compiling, packaging, loading to simulator, but creation failed!!!!
  import javacard.security.RandomData;
  public class HelloWorld extends Applet {
       private RandomData Rnd ;
       protected HelloWorld() {
            Rnd = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
            register();
       public static void install(byte[] bArray, short bOffset, byte bLength) {
            new HelloWorld();
  build.xml(Create-Instance)
  OffCard Installer [v3.0.2]
      Copyright (c) 2009 Sun Microsystems, Inc.
      All rights reserved.
      Use is subject to license terms.
  [ INFO: ] [Creating an instance of HelloWorld with instance ID //aid/A000000062/03010C0101 on http://localhost:8019/cardmanager/]
  [ INFO: ] "Off Card Installer validating create information"
  [ INFO: ] "Off Card Installer preparing create information"
  [ INFO: ] "Off Card Installer sending create request"
  [ INFO: ] Create failed: null
  When I remove this line,
  //Rnd = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
  then OffCard Installer will operation completed successfully.
  [ INFO: ] Operation completed successfully.
  WHAT I'm doing wrong?
  Someone can help me!!

  I newbie used NetBeans to simulator Java Card Platform, and newbie for Java Card.
  I take VERY simple sample HelloWorld and add several lines:
  and launch build.xml with run task.
  all stages goes well, compiling, packaging, loading to simulator, but creation failed!!!!
  import javacard.security.RandomData;
  public class HelloWorld extends Applet {
       private RandomData Rnd ;
       protected HelloWorld() {
            Rnd = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
            register();
       public static void install(byte[] bArray, short bOffset, byte bLength) {
            new HelloWorld();
  build.xml(Create-Instance)
  OffCard Installer [v3.0.2]
      Copyright (c) 2009 Sun Microsystems, Inc.
      All rights reserved.
      Use is subject to license terms.
  [ INFO: ] [Creating an instance of HelloWorld with instance ID //aid/A000000062/03010C0101 on http://localhost:8019/cardmanager/]
  [ INFO: ] "Off Card Installer validating create information"
  [ INFO: ] "Off Card Installer preparing create information"
  [ INFO: ] "Off Card Installer sending create request"
  [ INFO: ] Create failed: null
  When I remove this line,
  //Rnd = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
  then OffCard Installer will operation completed successfully.
  [ INFO: ] Operation completed successfully.
  WHAT I'm doing wrong?
  Someone can help me!!

• What Java compiler for Java Card development ?

  What Java compiler and options should be used for Java Card development with the goal of generating correct, and (secondarily) small or/and fast code after conversion to Java Card bytecode using converter ?
  In particular
  - Is use of JDK 7 approved by Oracle for Java Card development? That would solve security problems associated with (the web components of the JRE of) some earlier JDK, including the latest JDK6. The JCDK 3.0.4 release notes states "+the commercial version of Java Development Kit (JDK software) version 6 Update 10 (JDK 6 Update 10) or later is required+, but that does not answer that question.
  - Anyone had _bad_ experience (like incorrect or disastrous code) with the Java compiler bundled with Eclipse ? I have seen at least one case where org.eclipse.jdt.core_3.7.3.v20120119-1537.jar produced slightly more compact code than javac.
  - Anyone had _bad_ experience with javac in jdk1.3 ? In an applet involving a "finally" clause, I've seen it generating more compact code than later javac (which in my test triplicated the code for the finally clause).

  What Java compiler and options should be used for Java Card development with the goal of generating correct, and (secondarily) small or/and fast code after conversion to Java Card bytecode using converter ?-target -source may be required to generate compatible byte code. Depending on the CAP file converter being used debug information may also help. Remember that Java Card is a subset of the Java language (also there are short opcodes that Java doesn't have etc) so a lot of the work for optimisation is done by the converter or the JCRE. You can look at the JCA code generated to determine what works best for your applets. There are also some ways of stripping out dead code etc from JCA files (return statements after a throw etc) to reduce your code size. Most of the speed optimisations come from your code (avoiding context switches and unnecessary security/access checks).
  The compactness of your Java Card binary may not be directly related to the size of your compiled Java code. It can depend on the converter you use and any optimisaitons the JCRE might try to do when the code is loaded.
  - Is use of JDK 7 approved by Oracle for Java Card development? That would solve security problems associated with (the web components of the JRE of) some earlier JDK, including the latest JDK6. Java Card does not use any of the libraries from the JDK/JRE. All of the libraries are provided by the JCRE on the smartcard.
  The JCDK 3.0.4 release notes states "+the commercial version of Java Development Kit (JDK software) version 6 Update 10 (JDK 6 Update 10) or later is required+, but that does not answer that question.Anything above JDK6u10 is supported. If you use Java 7 you may need to add a -source and -target flag when compiling.
  - Anyone had _bad_ experience (like incorrect or disastrous code) with the Java compiler bundled with Eclipse ? I have seen at least one case where org.eclipse.jdt.core_3.7.3.v20120119-1537.jar produced slightly more compact code than javac.We generally use the Eclipse compiler as we find that we get more deterministic builds. When CAP files are sent for security review it is helpful to have the reviewer able to generate a CAP file that matches the one you sent to confirm the binary is what you say it is.
  - Anyone had _bad_ experience with javac in jdk1.3 ? In an applet involving a "finally" clause, I've seen it generating more compact code than later javac (which in my test triplicated the code for the finally clause).We do not use anything less than Java 6 for compilation.
  - Shane

• Generate DES key with java card with JCRE 2.1.2

  Hi everyone,
  I want to generate DES key in my applet . my card supports GP 2.0.1 and JCRE 2.1.2 .
  I have tested my applet with JCRE 2.2.1 and used this JCSystem class functions to generate DES key and it compiles and works correctlly .
  but when I want to compile my applet with JCRE 2.1.2 I recieve an error which says that API 2.1.2 doesn't support JCSystem class .
  so I'll really appreciate it if anyone could tell me how can I generate DES key with JCRE 2.1.2
  and also I use JCSystem class functions to get my card's persistent and transistent memory , so with this class not working on JCRE 2.1.2 I have problem to read my free memories too .
  So I'll appreciate your help on this matter too.
  Best Regards,
  Vivian

  Hi Vivian,
  I don't seem to have any problem with the code you posted. What is the error you are getting? Is it with the compiler or with the CAP file converter? If it is a compiler error, you will need to ensure that the Java Card API jar is in your build path.
  Here is a simple class that works with JC 2.1.1 (which will work with JC 2.1.2 as well). I have confirmed that this applet compiles and will return encrypted data to the caller.
  package test;
  import javacard.framework.APDU;
  import javacard.framework.Applet;
  import javacard.framework.ISO7816;
  import javacard.framework.ISOException;
  import javacard.framework.JCSystem;
  import javacard.security.DESKey;
  import javacard.security.KeyBuilder;
  import javacard.security.RandomData;
  import javacardx.crypto.Cipher;
  * Test JC2.1.1 applet for random DES key.
  * @author safarmer - 1.0
  * @created 24/11/2009
  * @version 1.0 %PRT%
  public class TestApplet extends Applet {
      private DESKey key;
      private Cipher cipher;
       * Default constructor that sets up key and cipher.
      public TestApplet() {
          RandomData rand = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
          short lenBytes = (short) (KeyBuilder.LENGTH_DES / 8);
          byte[] buffer = JCSystem.makeTransientByteArray(lenBytes, JCSystem.CLEAR_ON_DESELECT);
          key = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES, KeyBuilder.LENGTH_DES, false);
          rand.generateData(buffer, (short) 0, lenBytes);
          key.setKey(buffer, (short) 0);
          cipher = Cipher.getInstance(Cipher.ALG_DES_CBC_ISO9797_M1, false);
      public static void install(byte[] bArray, short bOffset, byte bLength) {
          // GP-compliant JavaCard applet registration
          new TestApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
      public void process(APDU apdu) {
          // Good practice: Return 9000 on SELECT
          if (selectingApplet()) {
              return;
          byte[] buf = apdu.getBuffer();
          switch (buf[ISO7816.OFFSET_INS]) {
              case (byte) 0x00:
                  cipher.init(key, Cipher.MODE_ENCRYPT);
                  short len = cipher.doFinal(buf, ISO7816.OFFSET_CDATA, buf[ISO7816.OFFSET_LC], buf, (short) 0);
                  apdu.setOutgoingAndSend((short) 0, len);
                  break;
              default:
                  // good practice: If you don't know the INStruction, say so:
                  ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
  }Cheers,
  Shane