A smart card is identical in size to a typical credit card and is tamper resistant. A smart card embeds a secure microcontroller that can store and process information. The most basic cards are memory cards, which store data locally, but do not contain a CPU for performing computations on that data. Higher-end microprocessor cards include a CPU for performing computations on locally stored data. A Java Card Runtime Environment can in particular run on a microprocessor card.
The secure microcontrollers used in microprocessor cards typically include a CPU, a few kilobytes of RAM, and some persistent memory (EEPROM or Flash) that is used to store code and data. Most smart card microcontrollers also include cryptographic accelerators, as well as a number of security detectors and other countermeasures, in order to provide adequate tamper-resistance guarantees.
The Application Programming Interface (API) for the Java Card technology defines the calling conventions by which an applet accesses the Java Card Runtime Environment and native services. The Java Card API allows applications written for one Java Card-enabled platform to run on any other Java Card-enabled platform.
The Java Card API is compatible with formal international standards, such as ISO7816, and industry-specific standards, such as EMVCo’s EMV standards for payment, and ETSI/3GPP standards for UICC/SIM cards.
Java Card technology preserves many of the benefits of the Java programming language - productivity, security, robustness, tools, and portability - while enabling Java technology for use on secure elements such as smart cards. The Virtual Machine (VM), the language definition, and the core packages have been made more compact and succinct to bring Java technology to the resource-constrained environment of secure elements.
Java Card technology also includes specific smart card features, such as user authentication classes to manage PINs and passwords, as well as specific application isolation features, known as the firewall, that allow applications from several providers to cohabit securely on the device.
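The PIN management class mentioned above is `javacard.framework.OwnerPIN` in the Classic Edition API. The applet below is an added example, not code from the original page or from Oracle; the class name, instruction bytes, initial PIN and protected data are constructed for illustration.

```java
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.OwnerPIN;
import javacard.framework.Util;

public class PinGuardApplet extends Applet { // hypothetical applet name
    // Constructed instruction bytes and limits, for this example only.
    private static final byte INS_VERIFY = (byte) 0x20;
    private static final byte INS_READ   = (byte) 0x30;
    private static final byte TRY_LIMIT  = (byte) 3;
    private static final byte MAX_PIN    = (byte) 8;
    private static final short SW_PIN_FAILED = (short) 0x63C0; // low nibble carries tries left

    private final OwnerPIN pin;
    private final byte[] secret = { 0x01, 0x02, 0x03, 0x04 }; // constructed protected data

    private PinGuardApplet() {
        pin = new OwnerPIN(TRY_LIMIT, MAX_PIN);
        byte[] initial = { 0x31, 0x32, 0x33, 0x34 }; // constructed PIN; set at personalisation on a real card
        pin.update(initial, (short) 0, (byte) initial.length);
        register();
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PinGuardApplet();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_VERIFY:
            short len = apdu.setIncomingAndReceive();
            if (len < 1 || len > MAX_PIN) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            // check() maintains the try counter; once TRY_LIMIT consecutive
            // attempts fail, the PIN is blocked and check() keeps returning false.
            if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) len))
                ISOException.throwIt((short) (SW_PIN_FAILED | pin.getTriesRemaining()));
            break;
        case INS_READ:
            // Data is released only while the PIN is validated in this session.
            if (!pin.isValidated())
                ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            Util.arrayCopyNonAtomic(secret, (short) 0, buf, (short) 0, (short) secret.length);
            apdu.setOutgoingAndSend((short) 0, (short) secret.length);
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

Because the try counter lives in persistent memory inside `OwnerPIN`, removing power from the card between attempts does not reset it.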
Since Java Card 3.0, there are two distinct editions of the Java Card specifications: Classic and Connected.
The Classic Edition of the Java Card specification is a direct successor to the Java Card 2.2.2 specification. It targets smart cards as deployed today on all vertical markets, based on ISO7816 and ISO14443 communication.
The Connected Edition of the Java Card specification is a technological breakthrough, in which Java Card has been extended to support a Web application model, with servlets running on the card, and TCP/IP as basic protocol. In order to support this new application model, the Virtual Machine and Runtime Environment have been upgraded as well, now supporting advanced features like multithreading, hierarchical class loaders, or permissions that are not supported in the simpler Java Card Classic framework. The Connected Edition runs on high-end secure microcontrollers, typically based on a 32-bit processor and supporting a high-speed communication interface like USB.
Any off-the-shelf development tools for the Java programming language can be used to develop applets for the Java Card platform. Oracle is also providing a developer toolkit for Java Card, which includes Java Card specific tools such as the CAP file converter and verifier. In addition, Oracle provides an integration of this developer toolkit in popular IDEs: the Java Card Classic Development Kit, versio, includes a plug-in for the Eclipse IDE, and the Netbeans environment includes a Java Card-specific option that can be used to develop Java Card Connected applications.
Many of the Java Card platform licensees have created development tools for the Java Card Application Environment. For example, some have simulations of the smart card environment to test and debug the applet written for the Java Card platform.
The Java Card technology is independent of the type of supporting hardware. The Java Card platform can run on contact and contactless devices. The Java Card platform also runs on secure elements that power the Card Emulation mode in NFC, independently of the form factor (SIM, embedded secure element, or other).
The GlobalPlatform consortium has issued a Card Specification that defines a card management framework. This specification complements the Java Card specifications by defining a set of commands that can be used to manage applications on a Java Card product.
The GlobalPlatform Card Specification also defines a Java Card API that allows Java Card developers to further integrate GlobalPlatform support in their applications.
Most Java Card products include at least some support for the GlobalPlatform Card specification. Please refer to GlobalPlatform for more information.
Java Card technology is used in all smart card markets, including the most demanding in terms of security. Oracle has published a Java Card Protection Profile, which has been used by smart card vendors to certify the security of their Java Card products, up to the highest available levels (EAL5+ in many instances, and even EAL7 for one product). To get these certifications, the Java Card products have undergone extensive security testing by government-approved laboratories, which have not been able to identify vulnerabilities in the products they tested.
Compared to native products, Java Card products embed similar core technologies, like cryptography and security countermeasures. Naturally, because Java Card allows the downloading of application code, it faces new threats that do not affect native cards. Of course, these new threats are considered in the Java Card security model, and they are addressed in the Java Card specification, for instance through the definition of the Java Card firewall, and also in the implementation of the Java Card products sold by our licensees.
In addition, because the Java Card specification is openly available, it has fostered an active research community, which has been studying the technology for years, and has contributed to the improvement of the security of Java Card products.
For all these reasons, the Java Card platform is today the most secure smart card platform available, with more security-certified card products than any other smart card framework.