How Java Card Works

[chushpan]

What is Java Card?​

Java Card is a technology developed by Sun Microsystems (now Oracle) that enables Java-based applications to run on smart cards and other devices with limited resources (e.g. SIM cards, bank cards, electronic passports). Java Card provides a platform for creating secure applications such as payment systems, authentication systems, and digital key management.

How does Java Card work?​

Java Card works as a virtual machine (Java Card Virtual Machine, JCVM) that runs Java programs. However, unlike standard Java, Java Card is adapted to work on devices with limited resources (small memory, low processor performance).

The main components of Java Card:​

1. Security Framework:
   • Provides protection for data and applications.
   • Supports cryptographic algorithms (eg AES, RSA, ECC).
   • Shares data access between applications.
2. Virtual Machine (JCVM):
   • Executes Java bytecode adapted for running on smart cards.
   • Optimized to work with limited resources.
3. Applets:
   • Applications on Java Card are called applets .
   • Each applet performs a specific task, such as user authentication or payment processing.
4. File system:
   • Stores data in the form of files (e.g. transaction records, encryption keys).

How Java Card Works​

1. Initializing the map​

• When the card is inserted into the terminal, the terminal sends a RESET command.
• The card responds with ATR (Answer To Reset) , which contains information about supported protocols and communication parameters.

2. Selecting an applet​

• The terminal sends a SELECT command to select a specific applet on the map.
• Each applet has a unique identifier (AID - Application Identifier).

3. Executing commands​

• Once an applet is selected, the terminal can send commands to perform operations (e.g. read data, write data, perform cryptographic operations).
• The applet processes commands and returns a response.

4. Secure interaction​

• All data transmitted between the terminal and the card can be encrypted.
• Applets run in a sandbox, which prevents one applet from accessing another's data.

Example of using Java Card​

Scenario: Payment System​

1. The client inserts the card into the POS terminal.
2. The terminal sends a SELECT command to select a payment applet.
3. The applet generates an ARQC (authorization cryptogram) and sends it to the bank.
4. The bank checks the ARQC and sends an ARPC (response cryptogram).
5. The terminal completes the transaction.

Features of Java Card​

1. Limited resources:
   • Java Card runs on devices with small memory (usually a few kilobytes of RAM and tens of kilobytes of ROM/EEPROM).
   • Programs should be optimized as much as possible.
2. Multitasking support:
   • Several applets can run on one card simultaneously.
   • Each applet is isolated from the others.
3. Data protection:
   • Data is stored in secure memory.
   • Encryption and digital signature are supported.
4. Standardization:
   • Java Card complies with EMV, ISO/IEC 7816 and GlobalPlatform standards.

How to create Java Card Applet?​

Step 1: Writing the code​

• Use the Java Development Kit (JDK) and special libraries for Java Card.
• Example of a simple applet:

package com.example;

import javacard.framework.*;

public class HelloWorldApplet extends Applet {
private static final byte[] helloMessage = { (byte) 'H', (byte) 'e', (byte) 'l', (byte) 'l', (byte) 'o' };

public static void install(byte[] bArray, short bOffset, byte bLength) {
new HelloWorldApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
 }

public void process(APDU apdu) {
if (selectingApplet()) {
 return;
}
apdu.setOutgoingAndSend((short) 0, (short) helloMessage.length);
}
}

Step 2: Compilation​

• Compile the code using the Java Card compiler.

Step 3: Upload to the card​

• Use tools like GlobalPlatformPro to load the applet onto the map.

Step 4: Testing​

• Test the applet using a terminal or card testing software.

Advantages of Java Card​

1. Flexibility:
   • Ability to create different applications for one card.
2. Safety:
   • Built-in data protection and application isolation mechanisms.
3. Standardization:
   • Compatible with international standards.
4. Scalability:
   • Support for various types of devices (bank cards, SIM cards, electronic IDs).

Conclusion​

Java Card is a powerful technology that enables the creation of secure and flexible smart card applications. It is widely used in payment systems, authentication, and other areas. If you want to develop your own Java Card application, it is important to understand the peculiarities of working with limited resources and use the appropriate tools.

If you have additional questions about Java Card or its use cases, please ask!

 

[Man]

Java Card is a technology that allows running Java applications (applets) on smart cards, SIM cards and other devices with limited resources (low memory, weak processor). It is widely used in:

• Bank EMV chips,
• Mobile SIM/eSIM,
• Access control systems,
• Secure identification cards.

1. Java Card Architecture​

1.1. Main components​

Component	Description
Java Card VM	A stripped-down JVM for running on chips (no threads, no garbage collector, no floats).
API Framework	Standard classes for cryptography, working with APDU, file system.
Applets	Java programs running on the card (e.g. Visa payment application).
Security system	Sandbox for applet isolation, access control.

1.2. Differences from regular Java​

• No String, int (short only), multithreading.
• Minimum memory: ~2–16 KB RAM, ~32–384 KB ROM.
• All data is saved when power is turned off (NVMM).

2. How does Java Card communicate with the outside world?​

Via APDU commands (Application Protocol Data Unit) - binary messages according to the ISO 7816 standard .

2.1. APDU format​

• Command (from terminal to card):
  

  CLA INS P1 P2 Lc Data Le

  • CLA – command class (e.g. 0x80 for payments).
  • INS – instruction code (for example, 0xA4 – select application).
  • P1, P2 – parameters.
  • Lc – data length.
  • Data – payload (e.g. transaction number).
  • Le – expected length of the response.
• Answer (from card to terminal):
  

  Data SW1 SW2

  • Data – the data to be returned.
  • SW1 SW2 – status (for example, 0x90 0x00 – success).

Example: Selecting a payment application:

00 A4 04 00 07 A0 00 00 00 03 00 00 00

(Selecting an application with AID A0 00 00 00 03 00 00).

3. Development for Java Card​

3.1. What do you need?​

• Java Card Development Kit (от Oracle).
• An emulator (e.g. JCardSim) or a real card with applet support.
• Development environments: Eclipse + JCIDE, VS Code with plugins.

3.2. Example of a simple applet​

package com.example;  

import javacard.framework.*;  

public class HelloWorld extends Applet {  
public static void install(byte[] bArray, short bOffset, byte bLength) {  
new HelloWorld().register();  
}  

public void process(APDU apdu) {  
byte[] buffer = apdu.getBuffer();  
// Read the command
if (buffer[ISO7816.OFFSET_CLA] == 0x80 && buffer[ISO7816.OFFSET_INS] == 0x01) {  
// Send "Hello World!"
byte[] response = {'H', 'e', 'l', 'l', 'o', ' ', 'W', 'o', 'r', 'l', 'd', '!'};  
apdu.setOutgoing();  
apdu.setOutgoingLength((short)response.length);  
apdu.sendBytesLong(response, (short)0, (short)response.length);  
}  
}  
}

3.3. How to load an applet onto a map?​

1. Compile to CAP file (Converted Applet).
2. Download via smart card reader and utilities such as gpj (GlobalPlatform).
3. Activate via APDU commands.

4. Java Card Security​

• Sandboxing: Applets are isolated from each other.
• Cryptography: Support AES, RSA, ECC, SHA.
• Secure Element: Protection against physical hacking (power attacks, fault injections).

Vulnerabilities (rare, but exist):

• Logical Attacks – Incorrect APDU validation.
• Side-Channel Attacks – energy consumption analysis.

5. Where is it used?​

• Bank cards (EMV).
• SIM cards (downloading operator applets).
• Electronic passports (ePassport).
• Secure tokens (Google Titan, YubiKey).

Conclusion​

Java Card is a secure environment for running code on chips. Key features:
✔ Works with APDUs,
✔ Supports cryptography,
✔ Runs sandboxed applets.

Hacking/analysis requires deep knowledge (reverse engineering, cryptography). If you want to learn more, start with the JCardSim emulator and Oracle documentation.

Need EMV APDU examples or cryptography details? Ask!