Chapter 1. From the Beginning

The explosion of the Internet and of wireless digital communication has rapidly changed the way we connect with other people. As the world has become more connected, the business model has evolved from the traditional face-to-face in-store transaction to the on-line transaction conducted with a few mouse clicks in our home or office. The rapid emergence of electronic business opens not only new avenues for commerce but also vast opportunities for an industry to reach out to its customers and to introduce value-added services.

The success of the electronic business market relies on the same level of trust that companies have built up over years of doing business face to face and relies on technology to help handle business easily. The security and portability of smart cards provide a safe, reliable, convenient, and effective way to ensure secure e-business and to enable a broad range of new applications.

Smart Cards

The same size as a credit card, a smart card (Figure 1.1) stores and processes information through the electronic circuits embedded in silicon in the plastic substrate of its body. A smart card is a portable and tamper-resistant computer. Unlike magnetic stripe cards, smart cards carry both processing power and information. Therefore, they do not require access to remote databases at the time of a transaction.

Figure 1.1. Smart card

Brief History

The idea of incorporating an integrated circuit into a plastic card was first introduced by two German inventors, Jürgen Dethloff and Helmut Gröttrup, in 1968. Later they filed a German patent on their invention. Independently, Kunitaka Arimura of the Arimura Technology Institute in Japan filed a patent on the smart card in 1970. However, real progress came with Roland Moreno's 47 smart card–related patents filed in 11 countries between 1974 and 1979[1]. In the late 1970s, CII-Honeywell-Bull (now Groupe Bull) first commercialized smart card technology and introduced microprocessor cards.

The initial smart card trials took place in France and Germany in the early 1980s using smart cards as prepaid phone cards and secure debit/credit bank cards. These successful trials demonstrated the tamper resistance and flexibility of smart cards.

Recently, with advances in chip technology and modern cryptography, smart cards have become more powerful. They are now used to store electronic cash, replacing paper money, to store and secure personal medical records, to prevent unauthorized access to cable and satellite broadcasts, and to improve wireless telephone security.

Already very common in Europe and Asia because of the widespread use of applications such as GSM and banking cards, smart cards began to make significant entries into the U.S. market in the late 1990s with the growing demand for security technologies in the e-business arena.

Benefits

The interest in smart cards is a result of the benefits they provide. One benefit, of course, is their built-in computational power. Security, portability, and ease of use are the other key advantages of smart cards.

The processor, memory, and I/O support of a smart card are packaged in a single integrated circuit embedded in a plastic card. A smart card is resistant to attack because it does not need to depend on potentially vulnerable external resources. Probing information in a smart card requires the physical possession of the card, intimate knowledge of the smart card hardware and software, and additional equipment. The security features in smart cards are further strengthened by cryptographic functions. Data stored in the card can be encrypted to safeguard its privacy in the physical memory, and data exchanged between the card and the outside world can be signed and encrypted. In addition, accessing a smart card usually requires the card holder to enter a PIN (personal identification number), which prevents the card from being used by an unauthorized person. Overall, it would be much more difficult to crack into a smart card than into a traditional desktop computer.

Another benefit of smart cards is their inherent portability. You can carry a smart card in your wallet in the same way you carry credit cards. Because of this characteristic, smart cards keep data available wherever needed, as the card holder moves from one location to another.

Smart cards are also very convenient to use. To begin a transaction, you insert the card into a card acceptance device, and you remove the card from the device when the job is done.

Applications

Smart cards are often used for secure data storage and to authenticate and ensure security of transactions. This section provides examples of applications for using smart cards.

In the telecommunication industry, prepaid phone cards offer a cash-free, low-maintenance, and antifraud mechanism for accessing public phones. Today, the wireless telecommunication industry is the largest market using smart cards for security. The most notable example is GSM (global system for mobile communication). A GSM wireless phone has a subscriber identity module (SIM) card, which is a smart card with a much smaller plastic substrate, that fits into a slot inside the phone. The SIM card identifies the user and provides encryption keys for digital voice transmission. It is very difficult to intercept telephone numbers and illegally program them into wireless phones. The key generated by the SIM card for encryption is temporary and is changed with each use. Therefore, even if a GSM transmission could be decrypted, it would be useless for the next transmission. Because the user's identity is programmed into the SIM card, the user can use not just one phone but any GSM-compatible phones that accept the SIM card. A subscriber gets a SIM card from the service provider and inserts it into a phone that can be purchased or leased separately.

As wireless communication gains wide acceptance, the role of wireless phones is going much further than voice transmission. To retain a competitive edge, telecom operators are competing to provide value-added services, such as mobile banking, mobile commerce, Web access, and so on, which all rely on smart cards to verify the subscriber's identity and ensure security in data transmissions.

In the payment and banking industries, smart cards are used as secure credit or debit bank cards. Their functions are similar to magnetic stripe cards. But because of the on-board computing power of smart cards, they can handle off-line transactions and verifications. Unlike magnetic stripe cards, data in a smart card cannot be easily copied and then misused. Smart card–based credit cards help to prevent credit card fraud that costs banks around the world billions of dollars a year.

Recently, the newer trends in the payment and banking area include the e-purse (or e-wallet) applications. The card stores electronic money, and the balance can be increased or decreased. Smart card–based electronic purses can reduce the cost of handling paper money; in particular, they provide an ideal payment mechanism for on-line microtransactions, where the overhead in using regular credit cards is too high for low-value transactions.

In a retail loyalty scheme, the card can help to promote cobranded retailer partnership and increase sales and customer satisfaction. The card stores loyalty points that are accumulated when the card holder purchases items from sponsoring retailers. The card holder can use the points for point-of-sale discounts, air miles, or other gifts. The data captured when the card is used can also help retailers to understand the customer's purchase preferences and behavior.

In a mass-transit system, smart cards can replace tokens and tickets. In the field of automotive transportation, smart cards can replace coins for parking and toll, in a way that is similar to the function of prepaid phone cards. The smart card solution provides many benefits in collecting fares, managing huge numbers of small transactions, and attracting customers with user-friendly and faster transactions.

In the health care sector, smart cards can help to reduce the complexity of managing information concerning patients' insurance coverage and medical histories. The card can store administration data to manage a patient's eligibility for benefits and to process claims. The card can also store a patient's medical records, providing up-to-date and reliable medical information and enabling the sharing of information among physicians, hospitals, and pharmacies.

On the Internet, user authentication and access control are important motivations for choosing smart cards. There is increasing use of smart cards in the public key infrastructure. A smart card carries the card holder's private key and digital certificate—two components that verify the card holder's identity to the electronic world. In the public key encryption scheme, the private key, known only to you, is paired with a public key that is made widely available. The private key is used in conjunction with the public key to support digital signature signing and verification. The digital certificate is issued by a certificate authority that testifies to the authenticity of a public key. Applications using smart cards for authentication include Web site access control, digital signing of e-mail messages, and secure on-line transactions. Many other Internet applications can be envisioned.
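The signing and verification flow described above can be sketched as a host-side simulation in standard Java; this is an added example, not code from the book and not a Java Card applet. The names CardSim, verifyPin and signChallenge, the three-try PIN limit, and the sample PIN are assumptions made for the illustration, and checking the certificate that vouches for the public key is taken as already done.

```java
import java.security.*;

// Added illustration: a simulated card that keeps its private key internal and
// signs a verifier's challenge only after PIN entry. All names are hypothetical.
public class CardAuthDemo {
    static final class CardSim {
        private final KeyPair keys;          // the private half never leaves this object
        private final byte[] pin;
        private int triesLeft = 3;           // assumed retry limit; card blocks at zero
        private boolean unlocked = false;

        CardSim(byte[] pin) throws GeneralSecurityException {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(256);
            keys = kpg.generateKeyPair();
            this.pin = pin.clone();
        }

        // The public key is what the certificate authority would certify.
        PublicKey publicKey() { return keys.getPublic(); }

        boolean verifyPin(byte[] candidate) {
            if (triesLeft == 0) return false;                  // blocked card
            unlocked = MessageDigest.isEqual(pin, candidate);  // constant-time compare
            triesLeft = unlocked ? 3 : triesLeft - 1;
            return unlocked;
        }

        byte[] signChallenge(byte[] challenge) throws GeneralSecurityException {
            if (!unlocked) throw new SecurityException("PIN not verified");
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initSign(keys.getPrivate());
            s.update(challenge);
            return s.sign();
        }
    }

    // Verifier side: needs only the public key, the challenge it issued, and the signature.
    static boolean verify(PublicKey pub, byte[] challenge, byte[] sig)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(pub);
        v.update(challenge);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        CardSim card = new CardSim(new byte[]{1, 2, 3, 4});    // constructed sample PIN
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge);               // fresh value per login
        System.out.println("wrong PIN accepted: " + card.verifyPin(new byte[]{9, 9, 9, 9}));
        System.out.println("right PIN accepted: " + card.verifyPin(new byte[]{1, 2, 3, 4}));
        byte[] sig = card.signChallenge(challenge);
        System.out.println("signature valid: " + verify(card.publicKey(), challenge, sig));
        challenge[0] ^= 1;                                     // a different challenge
        System.out.println("old signature on new challenge: "
                + verify(card.publicKey(), challenge, sig));
    }
}
```

Because the verifier issues a fresh random challenge for each login, a signature captured from one session does not validate against the next.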

In a closed environment, such as a corporation or a university, multiapplication smart cards can provide physical entrance to buildings and computer facilities, grant levels of network access to internal Web sites and servers, store and process administration data, and enable various financial transactions (paying for meals, purchasing snacks at vending machines, ATM withdrawals and deposits, and so on).

As smart card technology gains wider acceptance, smart cards are finding their way into everyone's wallet.

Challenges in the Development of Smart Card Applications

Developing a smart card application traditionally has been a lengthy and difficult process. Although the cards are standardized in size, shape, and communication protocol, the inner workings differ widely from one manufacturer to another. Most smart card development tools are built by the smart card manufacturers using generic assembly language tools and dedicated hardware emulators obtained from silicon chip vendors. It has been virtually impossible for third parties to develop applications independently and sell them to issuers. Therefore, developing smart card applications has been limited to a group of highly skilled and specialized programmers who have intimate knowledge of the specific smart card hardware and software.

Because there are no standardized high-level application interfaces available in smart cards, application developers need to deal with very low-level communication protocols, memory management, and other minute details dictated by the specific hardware of the smart card. Most smart card applications in use today have been custom developed from the ground up, which is a time-consuming process; it usually takes a year or two for a product to go to the market. Upgrading software or moving applications to a different platform is particularly difficult or impossible.

Further, because smart card applications were developed to run on proprietary platforms, applications from different service providers cannot coexist and run on a single card. Lack of interoperability and limited card functions prevent a broader deployment of smart card applications.

Applying Java to Smart Cards

Java Card™ technology offers a way to overcome obstacles hindering smart card acceptance. It allows smart cards and other memory-constrained devices to run applications (called applets) written in the Java programming language. Essentially, Java Card technology defines a secure, portable, and multiapplication smart card platform that incorporates many main advantages of the Java language.

Benefits of Java Card Technology

Smart card application developers can benefit from Java Card technology as follows.

Ease of application development. The Java language brings smart card programming into the mainstream of software development, relieving developers from going through the swamps of microcontroller programming, such as programming in 6805 and 8051 assembly languages. Smart card developers can also benefit from many off-the-shelf and integrated Java development environments from vendors such as Borland, IBM, Microsoft, Sun, and Symantec. Furthermore, Java Card technology offers an open platform that defines the standard application programming interfaces and runtime environment. The platform encapsulates the underlying complexity and details of the smart card system. Applet developers work with the high-level programming interfaces. They can concentrate most of their effort on the details of the application and leverage extensions and libraries that others have created.

Security. Security is always of paramount concern when working with smart cards. Java's built-in security features fit in well with the smart card environment. For example, the level of access to all methods and variables is strictly controlled, and there is no way to forge pointers to enable malicious programs to snoop around inside memory. In addition, applets on the Java Card platform are separated by the applet firewall. This way the system can safeguard against a hostile application's attempts to damage other parts of the system.

Hardware independence. Java Card technology is independent of the type of hardware used. It can run on any smart card processors (8 bit, 16 bit, or 32 bit). Java Card applets are written on top of the Java Card platform and thus are smart card hardware independent. Ready-to-use applets can be loaded into any Java smart card without recompilation.

Ability to store and manage multiple applications. A Java smart card can host multiple applets, such as an electronic purse, authentication, loyalty, and health care program, from different service providers. Because of the Java Card firewall mechanism, applets are not able to access each other unless explicitly permitted to do so. Once the card is issued, its value is not fixed. More applets can be downloaded to the card. A Java smart card's functionality can be continually upgraded with new or updated applets, without the need for issuing a new or a different card.

Compatibility with existing smart card standards. Java Card technology is based on the smart card international standard ISO 7816, so it can easily support smart card systems and applications that are generally compatible with ISO 7816. Applets can interoperate not only on all Java smart cards but also with existing card acceptance devices.

Brief History of Java Card Technology

The Java Card APIs were first introduced in November 1996 by a group of engineers in Schlumberger's product center in Austin, Texas, working to bring smart card development into the mainstream while preserving smart card security. They soon recognized that the Java programming language was the solution. Schlumberger proposed the initial draft for the Java Card APIs and became the first licensed smart card company. A few months later, Bull and Gemplus joined Schlumberger to cofound the Java Card Forum, an industry consortium created for identifying and resolving issues of Java Card technology and promoting its adoption by the smart card industry.

Java Card 1.0 consisted of only specifications for APIs and was not an extensible platform that could easily be built upon. With wide industry support, Sun Microsystems, Inc. set out to develop Java Card technology as a Java technology platform for smart cards and other memory-constrained devices. Its first move was to acquire Integrity Arts, a spinoff of Gemplus that specialized in the development of virtual machine and operating system technologies for smart cards.

In November 1997, Sun Microsystems announced the Java Card 2.0 specification, which evolved from the work of Integrity Arts and was developed in collaboration with the industry and the members of the Java Card Forum, including smart card manufacturers, card issuers, and smart card associations. The Java Card 2.0 APIs differed significantly from the initial 1.0 version in providing an object-oriented way to write applets. In addition, Java Card 2.0 spelled out more fully the application runtime environment. However, the downloadable applet format was not specified.

Java Card version 2.1 was unveiled in March 1999. It consisted of three specifications: the Java Card 2.1 API Specification, the Java Card 2.1 Runtime Environment Specification, and the Java Card 2.1 Virtual Machine Specification. In version 2.1, APIs were updated but largely based on the previous 2.0 version, and applet runtime environment was further standardized. The most significant contribution of Java Card 2.1 was that it explicitly defined the Java Card virtual machine architecture and applet-loading format that makes true applet interoperability possible.

Since its inception three years ago, Java Card technology has been widely embraced by the smart card industry. It is licensed by all major smart card manufacturers and many more industry players—in all, more than 30 licensees. The list of Java Card technology licensees and partners can be found at the URL http://java.sun.com/products/javacard/#partners.
