There are a number of reasons to want to add commands and applications to cards after they have been issued. For example:

In a sense, programmable smart cards are a return to the early days of smart cards when the entire card was application specific. The difference is that now, the application runs out of electrically erasable and programmable read-only memory (EEPROM), and the application can be deleted and replaced with another application anytime the card is used. The strategy of building an application's needs into the smart card's ROM-based operating system worked well when the number of cards needed for a particular application was large, when the application didn't do much, and was very stable over time—Carte Bancaire's Carte Blue, for example. As cards started to be used for smaller and more quickly evolving applications, however, the economic advantage of building the application's needs into ROM diminished. The turnaround time for a new version of the card was too long, the cost of development was too high, and the lifetime of the card was too short.

Another development that energized the quest for programmable cards was the empirically and painfully derived realization that smart card programs—whose business models had to stand on their own two feet and not be propped up by governmental mandates—had to offer more than one function. Because it was clearly impossible for all practicable functions to be ground into the card and activated on an as-needed basis, and because it was clear that the suite of functions of interest to one cardholder would differ from that of another, the notion of a multiapplication card—where applications could be loaded, used, and then deleted at the whim of the cardholder, the issuer, the application provider or, in all likelihood, all three—was quickly reached.

Finally, of course, application programmers and system architects, both those inside the established development organizations and those espousing new ideas and methods, needed smart cards for experimentation, testing and debugging, pilot projects, and special event business opportunities. Neither the skills demands, nor the tools requirements, nor the security protocols, nor the development cycle of assembly-language, ROM-based, single-application smart cards could begin to meet the new, emerging demands of the smart card marketplace. The stage was set for a new approach to on-card programming.

Adding executable code to cards after their manufacture was in and of itself not new. Card manufacturers used it from the day the first bug in ROM code was discovered to patch bugs or meet late-breaking customer requirements. The technique, familiar to all programmers as illustrated in Figure 5.1, was to plant some jump table–driven hooks at strategic places in the ROM code and to transfer out as needed to executable code in EEPROM to fix up a broken computation or to put an extra wrinkle on a stock ROM-based command. In fact, each of the card manufacturers semicommercialized this feature of their cards and would offer it to large, trusted customers as a way to differentiate their cards from their competitors.

Figure 5.1. Jump tables used to patch ROM code.

While very useful in special situations, linking executable native code into the operating system clearly wouldn't work as a general on-card programming paradigm. It didn't solve the skill set problem—you still had to program in 8051 assembler—and because code linked in like this could theoretically read ROM and write EEPROM freely and undetected by the access protections of the operating system, there were a number of less than totally compelling security implications of this technique. What was needed was a way of running a program on the card in way that guaranteed that it didn't misbehave.

The use of source code interpreters as a way to execute programs on constrained computing resources achieved widespread popularity with the version of Beginner's All-purpose Symbolic Instruction Code (BASIC) created by Bill Gates and Paul Allen for the MITS Altair in 1975. The use of interpreters to ensure safe and controlled execution of programs can be traced to IBM's Series/1 data communications computer introduced in 1977. The issues addressed by the Series/1, whose entire operating system was interpreted, was making sure that one malfunctioning application program couldn't bring down an ultra-reliable computing platform used for 24×7 online transaction processing.

Thus, when the need to run application programs on a smart card under tight control began to arise, one approach, at least, had some historical standing. The available resources were, however, yet another order of magnitude more meager than those enjoyed by Messrs. Gates and Allen.

As often happens when an idea is in the air, work on smart card interpreters sprang up independently in more than one location. In 1990, at the RD2P (Research & Development on Portable Files) research laboratory in France (run jointly by Gemplus, Lille University, Pierre Paradinas, and others), the Card Virtual Machine (CAVIMA) was developed, which focused on the use of an on-card interpreter for data retrieval as part of a medical smart card application. This work led to Gemplus's CQL card and, subsequently, the ISO 7816-7 standard. Concurrently, Jelte van der Hoek and Jurjen Bos working at DigiCash in the Netherlands built the J-Code engine for use on the electronic purse smart card that was part of a toll-road project. The J-Code engine went on to become part of the famous DigiCash “Blue” mask, which can still be licensed today from DigiCash's phoenix, eCash Technologies.

The (apparently) first patent for an interpreter on a smart card was French patent FR 2 667 171 B1 issued to Edouard Gordons, Georges Grimonprez, and Pierre Paradinas on March 27, 1992. The title of the patent is “Support Portable A Microcircuit Facilement Programmable et Procede de Programmation de ce Microcircuit.”

The mid-1990s saw the creation of a number of smart card interpreters and on-card virtual machines. The SCIL interpreter by Eduard de Jong went on to become Integrity Art's Clasp interpreter for the TOSCA language. Tony Guilfoyle, one of the programmers of the GeldKarte, created ZeitControl's Basic interpreter. Keycorp introduced the OSSCA operating system that sported a Forth interpreter and Europay also flirted with a Forth card called the Open Card Architecture (OCA) built by Forth, Inc. Oberthur announced the HOST smart card operating system that included an on-card interpreter.

Portability of applications among cards with different chips was the primary driving force during this era. Ease of programming, including the use of standard high-level languages, was less of an issue. It was generally thought that there would be few applications, that they would be small, that they would have to be carefully written, and that as the cost of creating the application was such a small part of creating a new smart card, that efficiencies provided by software tools such as the use of high-level languages simply weren't worth the effort.

The Nat West (National Westminster) Development Team led by David Peacham and David Everett created the first e-purse, Mondex. In May 1995, NWDT set out to design a multiapplication smart card that was to contain a virtual machine with exactly these criteria in mind. Strict separation of applications and ITSEC Level 6 certification were the two design goals. NWDT started with the public domain Pascal virtual machine and byte codes in the book Programming Language Processors by David A. Watt. These byte codes were modified primarily by making them variable length to achieve higher density code at a slight expense of runtime efficiency. This card, completed in the summer of 1996, met both of its design desiderata and is now the Multos card.

Still in the mid-1990s, none of these interpreters or multiapplication cards garnered much more than tire-kicking attention from heavyweight issuers and scheme sponsors that were looking for a multiapplication, programmable smart card platform. It may have been the language, the organization behind the product, the experimental patina of the offerings, or simply that the time was not quite right.

This situation changed abruptly in late 1996 when Schlumberger announced the creation of the first Java Card smart card. Supporting a subset of the Java language subsequently labeled as Java Card and a subset of the Java byte codes executed by a 4-Kb on-card virtual machine built at Schlumberger's Austin product development center, Schlumberger's Java Card smart card was quickly embraced by the other major smart card manufacturers, Visa International and, eventually, the GSM mobile telephone community. While probably Java buzz, as much as technical prowess, fueled the success of Java Card, it did have the effect of changing the perception of programmable cards with on-card virtual machines from technical curiosity to commercial opportunity.

Java Card smart cards can, practically speaking, only be programmed in Java. In 1998, Microsoft introduced a smart card with a virtual machine called the Runtime Environment (RTE) that was programming language–independent. It was a Harvard architecture virtual machine that (for those with long memories) could easily have been mistaken for software Intel 8048. Microsoft initially provided a compiler for a subset of the Visual Basic (VB) language for the RTE.

In early 2000, Rowley and Associates broke—for once and for all—the connection between the on-card virtual machine and the source language used to create on-card applications by introducing a suite of software tools that enabled programs written in C, Java, Basic, or Modula-2 to be compiled for and run on both the Multos and Microsoft virtual machines. These tools have since been acquired by Aspects Software.

As is often the case with travels to unknown places, you don't know what's wrong with them until you get there. There are moats around the El Dorado that on-card interpreters sought: Actually installing and deleting lots of programs on the smart card generated large administration requirements and the running programs were pigs. As it usually the case, bridges can be built over moats; both of these shortcomings of installed interpreted applications are being addressed.

In 1998, engineers in a Swedish company, then called Across Wireless, came up with an elegant solution to the administrative costs problem: Don't install the programs on the card. Download the byte-coded program when you need to run it, run the program, and then throw the byte codes away. Because this is just exactly what your World Wide Web browser does when it downloads a page from the Internet, the interpreter that ran these Just-In-Time (JIT) byte codes came to be known as a “mini-browser.” However, you aren't in fact browsing in the Web sense at all. Not only is the cost of managing fire-and-forget byte codes much less than managing byte codes that are installed on the card, but issuers can also offer a much broader universe of on-card applications because they don't have to just go with the most generic—and thus least personal—applications. Of course, just as with real Web browsers, the security infrastructure involved in identifying loadable code that is “safe” is highly problematic.

Interpreted programs on an 8-bit smart card run at about 2 Dhrystones per second. The 8-bit processor itself runs at about 80 Dhrystones per second. Now the integer Dhrystone benchmark is arguably not representative of the compute profile of a typical interpreted program, but there can be no question that a stiff performance penalty is being paid every time an interpreted program is run. Originally, this was the price of the runtime checks that ensured the program didn't misbehave. As performance became an issue, however, these checks were moved from runtime to preloading program verification so that very few runtime checks were left in the on-card interpreter. All that's left (if this is done) is pure interpretation overhead. Because it is (to the first order of approximation) as easy to verify microprocessor assembly language as it is to verify arbitrary byte codes, more and more attention is being paid to downloading native code applications. Of course, as we pointed out above, this still doesn't address the “skill set” problem; curiouser and curiouser.

But today, the on-card interpreter—whether for functional languages like Basic, Java, or JIT languages like XML—is the mainstream for building on-card applications. This chapter is about building applications for these multiapplication cards.

On-card application programming for a specific application is essentially nothing more than a matter of defining custom APDUs and implementing them on the card. The off-card application is aware of these custom APDUs and uses them to access the on-card functionality of the application. The off-card application sends an APDU (Table 5.1) to the on-card application:

and the on-card application returns a response (Table 5.2) to the off-card application:

just like all the other APDUs we've discussed in previous chapters.

The on-card and off-card application programs can imbue the custom APDUs with whatever semantics they wish, but the basic APDU message format of ISO 7816-4 and master-slave between the host and the card must be maintained because these characteristics of the communication channel are ground into the physical and data-link layers of the T=0 and T=1 smart card protocol stacks.

The problem presented to off-card smart card programs by on-card programming is determining if the card that it has just shocked to life with a reset signal contains an application it can talk to and, if so, how it is to be activated so that the preceding APDU conversation can begin. This is called the application selection problem and it has been around for a surprisingly long time in smart cards.

There are some primitive but effective application selection methods built into ISO 7816-4 that go back to 1994 that we discuss later in this chapter. A patent for application selection was issued to Georges Grimonprez and Pierre Paradinas of Gemplus on October 11, 1995. The title of the patent is “Secured Method for Loading a Plurality of Applications into Microprocessor Memory Card.”

In early 1997, the United States made a proposal to the International Standards Organization (ISO) to expand the methods in ISO 7816-4. The proposal was titled “Card Structure and Enhanced Functions for Multi-application Use.” It would have become ISO 7816-11 had it been pursued, but it wasn't. The proposal (in a slightly modified form) did go on to become U.S. patent 5802519 issued on September 1, 1998, to Eduard De Jong and titled “Coherent Data Structure with Multiple Interaction Contexts for a Smart Card.”

With the commercial acceptance of multiapplication smart cards in the late 1990s and the perception that money (perhaps the “real money”) was to be made in managing the applications on card populations and not just in writing and licensing them, a number of start-ups and old-line transaction processing companies proposed proprietary application management schemes, and a number of patents for application management were applied for and issued. Principal among the latter was U.S. patent 6005942 titled “System and Method for a Multi-application Smart Card Which Can Facilitate a Post-Issuance Download of an Application onto the Smart Card” issued on December 21, 1999, to Alfred Chan, Marc Kekicheff, Joel Weise, and David Wentker, and assigned to Visa International Service Association.

The smart card application selection problem has three subproblems: naming card applications (knowing what you are looking for), finding applications on the card (knowing where to look), and activating on-card applications (knowing what to do when you find it).

Note in passing that the “microbrowser” approach to applications finesses all of these problems, if one assumes that there is to be no inter-leaving of applications on the card (a good assumption with current systems, but not necessarily for the future). The terminal doesn't have to wonder if the card can perform its application because it gives the card the application it wants performed at the time it needs it to be performed.

The application naming subproblem has a widely agreed upon solution. ISO 7816-5 establishes a standard—a universal name space for smart card applications creatively called Application Identifiers (AIDs). An AID has two parts. The first is a Registered Application Provider Identifier (RID) of 5 bytes that is unique to the application provider. Acme Smart Card Software, for example, might have an AID of 0xA0 0x00 0x00 0x00 0x88.

The second part of an AID is a variable-length field of up to 11 bytes called the Proprietary Application Identifier Extension (PIX) that an application developer uses to identify specific applications. It is up to the individual application developer to manage the PIX name space and, thus, to make sure that the RID plus the PIX uniquely identifies one and only one application. Acme could decide to use a 3-byte PIX where the first byte was the product identifier, the second byte was the major version, and the third byte was the minor version number. 0xA0 0x00 0x00 0x00 0x88 0x05 0x01 0x02 would be Version 1.2 of Acme's application number 5.

Every smart card application developer should get an RID to identify his or her applications. RIDs are assigned by the Copenhagen Telephone Company, KTAS, which is also the ISO 7816-5 Registration Authority. KTAS's address is Teglholmsgade 1, DK-1790, Copenhagen, V, Denmark, but the application has to be approved by your national ISO body. RIDs cost about 500 Euros. For those in the U.S., the American National Standards Institute, or ANSI (www.ansi.org/), will handle requests for both national and international numbers. Forms for applying for an RID can be found in ISO 7816-5 and at www.scdk.com. If you want to issue a single-application smart card, then you need an Issuer Identification Number (IIN) that is specified in ISO 7812. For U.S. residents, forms for an IIN are also available through ANSI. The cost of an IIN is $600.

ISO 7816-4 and -5 define three methods of application identification and selection-based AIDs called implicit, direct, and DIR file.

Implicit application means that the card runs an application automatically when it is reset and includes the AID of the application in the historical bytes of the ATR or in the ATR file, 0x2F01. Initially, this was used for single-application cards where the AID in the ATR identified the application hard-wired to the card. More recently, on multiapplication cards, implicit application selection is used to launch an on-card shell program that can, in turn, run other applications. The Multos card discussed later in this chapter includes such a shell program capability.

Direct application selection uses the SELECT FILE command wherein the data field contains an AID rather than a dedicated file name. Application selection in this case is not so much a matter of launching an application program on the card as it is setting the current directory using an AID rather than a path name. After direct application selection, normal 7816-like APDU commands would be used to perform application operations on the files in the selected directory and its subdirectories. Direct application selection is typical for applications on multiapplication cards that store data but not executable code on the card.

The most elaborate application selection mechanism defined by ISO-7816 is selection by means of the DIR file. The DIR file is the file with identifier 0x2F00 in the root directory. Each constructed TLV object in the DIR file describes one application on the card. The application description must include the AID of the application and, optionally, may include the path to the directory containing the files relevant to the application and a sequence of commands that are to be executed to initiate the application. This is essentially a general-purpose shell file or BAT file capability for smart cards but the authors have never seen it used as such.

In addition to the three alternatives offered by ISO-7816, a number of smart card consortia and major issuers have come up with their own methods for doing application selection. EMV2000, for example, defines a very elaborate scheme. Visa Open Platform, the Open Card Framework, the European Telecommunications Standards Institute and the Java Card Forum, Europay and the Small Terminal Interoperability Platform consortium among others have also weighed in with their own homegrown approaches. There are also patents held by Fujitsu, Microsoft, Gemplus, Visa, Citibank, and American Express covering application selection on a smart card. Finally, each of the multiapplication cards comes with its own application selection and activation method that we will cover when we discuss the cards themselves. Most of these application selection methods are based on AIDs and all are—in the finest tradition of the smart card industry—wholly incompatible with each other.

Application selection is intimately connected on one hand to the way applications are loaded, unloaded, and generally managed on card populations and, on the other hand, to the way applications on a particular card share data and activate one another. Indeed, some of the application selection methods referred to previously are created in the midst of proposing solutions to one or the other or both of these allied problems. As a result, application selection will probably nnot stabilize on its own but will have to wait for consensus resolution of these other problems.

In this section, we will describe the on-card components of a hypothetical smart card application. After describing the application in generic terms, we will implement the application on each of four programmable, multiapplication smart cards. By considering the same application across all cards, the reader will more easily be able to compare the cards and decide which one is best for his or her own application.

There are two on-card application programs in our example: One is used when the card is in action and the other is used for card administration. The application itself is not one of the long-in-the-tooth smart card applications such as electronic cash, loyalty, stored value, or workstation logon. Rather, it is the application of a smart card to industrial control, also known by the acronym SCADA (System Control And Data Acquisition).

Imagine a smart card that is inserted into an electromechanical system of some sort. The system could, for example, be an automobile, a food processing plant, or a utility meter. While the card is inserted, it gathers performance data from the system and provides control commands back to the system. From time to time, the card is collected and brought back to an administration station where the data it has collected is retrieved and the algorithms it uses to provide control commands to the system are updated.

Imagine also that the control algorithms are like secret formulae. This is why we want to store them and the data we are gathering in a tamper-resistant capsule when they are out on the factory floor or in the field doing their work. For the automobile manufacturer, they control fuel consumption and emissions; for the food manufacturer, they control the taste and consistency of the product; and for the utility meter, they balance power consumption among the devices governed by the meter. For all three, the control algorithms are part of the card issuer's competitive edge. The process control card is a good example of a smart card that is a candidate for on-card programming.

Our hypothetical process control smart card has two applications: the online application and the administrative application. The online application is what is running while the card is inserted into the electromechanical system. The administrative application is what is used back at the office to collect the data and to update the algorithms.

struct {
   WORD  n;  /* number of readings accumulated */
   DWORD v;  /* sum of all accumulated readings */
   DWORD v2; /* sum of squares of all accumulated readings */
} record;

struct {
   WORD lb;   /* lower bound of reading */
   WORD ub;   /* upper bound of reading */
   BYTE c[8]; /* control command for readings in interval */
} row;

main()
{
   BYTE recs, rows;
   BYTE record[10], row[12];
   short d, n, lb, ub;
   int i, v, v2;

   if(CLA != 0xC0)
          return CLA_ERROR;

   d = MAKEWORD(APDUdata[0], APDUdata[1]);

   switch(INS) {

   /* Accumulate Data */
   case 0x10:
          SelectFile((WORD)(1000 + P1));
          ReadBinary(0, &recs, 0, 1);
          if((recs == 0) || (P2 && NEW_RECORD)) {
                  recs++;
                  WriteBinary(0, &recs, 0, 1);
          }
          recs--;
          ReadBinary((BYTE)(recs*8+1), record, 0, 10);
          n  = MAKEWORD(record[0], record[1]);
          v  = MAKEDWORD(MAKEWORD(record[2], record[3]),
                MAKEWORD(record[4], record[5]));
          v2 = MAKEDWORD(MAKEWORD(record[6], record[7]),
                MAKEWORD(record[8], record[9]));
           n++;
           v += d;
           v2 += d*d;
           memset(record, 0, sizeof(record));
           memcpy(&record[0], &n, 2);
           memcpy(&record[2], &v, 4);
           memcpy(&record[6], &v2, 4);
           WriteBinary((BYTE)(recs*8+1), record, 0, (BYTE)10);
           break;

    /* Provide Control Command */
    case 0x20:
           SelectFile((WORD)(2000 + P1));
           ReadBinary(0, &rows, 0, 1);
           for(i = 0; i < rows; i++) {
                    ReadBinary((BYTE)(i*12+1), row, 0, 12);
                    lb = MAKEWORD(row[0], row[1]);
               ub = MAKEWORD(row[2], row[3]);
               if(d> lb && d <= ub) {
                      SetResponse(row, 4, 8);
                      return SUCCESS;
               }
           }
           return TAB_ERROR;

    default:
           return INS_ERROR;
    }

    return SUCCESS;
}

main()
{
   BYTE recs, rows;
   BYTE record[10];

   if(CLA != 0xC0)
          return CLA_ERROR;

   switch(INS) {

   /* Return Card Identifier */
   case 0x10:
          SelectFile((WORD)0x0002);
          ReadBinary(0, record, 0, 10);
          SetResponse(record, 0, 10);
           break;

    /* Return Stored Data Record */
    case 0x20:
           SelectFile((WORD)(1000 + P1));
           ReadBinary(0, &recs, 0, 1);
           if(recs < P2)
                   return REC_ERROR;
           ReadBinary((BYTE)((P2-1)*8+1), record, 0, 10);
           SetResponse(record, 0, 10);
           break;

    /* Update Control Table */
    case 0x30:
           SelectFile((WORD)(2000 + P1));
           ReadBinary(0, &rows, 0, 1);
           if(P2 && TAB_RESET) {
                   rows = 0;
                   WriteBinary(0, &rows, 0, 1);
           }
           WriteBinary((BYTE)(rows*12+1), APDUdata, 0, 12);
           rows++;
           WriteBinary(0, &rows, 0, 2);
           break;

    default:
           return INS_ERROR;
    }

    return SUCCESS;
}

The Multos card is the most mature and arguably the most secure, programmable multiapplication card on the market today. Multos card applications were originally conceived of as being written in byte code assembly language. This language, called the Multos Executable Language (MEL), is based on Pascal P-codes and the virtual machine described in David A. Watt's book Programming Language Processors. These byte codes underwent some modification to increase their density and the result was the MEL assembly language. While it was not a design constraint at the time, these modifications did not destroy the possibility of compiling high-level languages to the byte codes and today, MEL byte code compilers exist for both C and Java.

#define COPYN(N, DEST, SRC)
do {
   __ push(__typechk(unsigned char *, DEST)); 
   __ push(__typechk(unsigned char *, SRC)); 
   __code(PRIM, 0x0e, N);
} while(0);

#include <string.h>
#include <multoscomms.h>

#define BYTE unsigned char

#define CONTROL_POINTS 10
#define DATA_RECORDS 10

#define SUCCESS 0x9000
#define CLA_ERROR 0x6999
#define CSE_ERROR 0x6999
#define TAB_ERROR 0x6999
#define INS_ERROR 0x6999

#define NEW_RECORD 0x01

#define CONTROL_INTERVALS 10

#pragma melpublic

union
{
  BYTE as_bytes[8];
  int as_int[4];
} apdu_data;

#pragma melstatic

typedef struct
{
  short m_n;
  long m_v;
  long m_v2;
} record_t;

typedef struct
{
  short m_lb;
  short m_ub;
  BYTE m_data[8];
} row_t;

static BYTE records[CONTROL_POINTS];
static record_t record[CONTROL_POINTS][DATA_RECORDS];
static BYTE rows[CONTROL_POINTS];
static row_t row[CONTROL_POINTS][CONTROL_INTERVALS];

void main(int argc, char *argv[], char *envp[])
{
 BYTE r, i;
 short d;
 row_t *rowp;
 record_t *recp;

 if(CLA != 0xC0)
  ExitSW(CSE_ERROR);

 switch(INS) {

 /* Accumulate Data */
 case 0x10:

  if(!CheckCase(2))
   ExitSW(CLA_ERROR);

  d = apdu_data.as_int[0];
  r = records[P1];
  if ((r == 0) || (P2 && NEW_RECORD))
    records[P1] = ++r;
  r--;

  recp = record[P1] + r;
  recp->m_n++;
  recp->m_v += d;
  recp->m_v2 += d*d;
  break;

 /* Provide Control Command */
 case 0x20:
  r = rows[P1];
  for (rowp = row[P1]; rowp < row[P1]+r; ++rowp)
    if (d > rowp->m_lb && d <= rowp->m_ub) {
      memcpy(apdu_data.as_bytes, rowp->m_data, 8);
      ExitLa(8);
  }
  ExitSW(TAB_ERROR);

 default:
  ExitSW(INS_ERROR);
 }

 ExitSW(SUCCESS);
}

The first Java Card virtual machine was created in the spring of 1996 at Schlumberger's Austin product development center. The Schlumberger Java Card team worked top down, first prioritizing Java features versus their utility in the current smart card arena, and then discarding less useful features of Java until the Java Card virtual machine fit in 4 Kb of 6805 code.

The first implementation of the Java Card virtual machine implemented 74 Java byte codes (www.slb.com/et/). It ran on the SC49 chip, which has 11.2 Kb of ROM, 4 Kb of EEPROM, and 512 bytes of RAM (www.mot.com). The interpreter and its runtime support took all of the ROM and 1 Kb of the EEPROM, leaving 3 Kb for user programs and data. The runtime library for the card supported on-card file system operations, identity and security features such as PIN handling and file access control, and T=0 host communication functions.

This work received a U.S. patent, “US6308317: Using a High Level Programming Language with a Microcontroller” on October 23, 2001.

Following its initial development, Schlumberger transferred the specification of Java Card 1.0 to Sun Microsystems and, in the same time frame, established with Gemplus and other members of the “smart card community” the Java Card Forum. The Java Card Forum offers a venue for Java Card licensees to review, discuss, and offer suggestions to Sun Microsystems for the evolution of the Java Card specifications. As of this writing, the latest released version is Java Card 2.2 with Java Card 3.0 requirements assessment well underway.

Almost all of the Java Card smart cards on the market consist of an interpreter for the Java Card subset of Java byte codes running on top of a single-application smart card operating system. Some of the cards hide this fact and present a pure Java programming model exactly as described in the Java Card specification. Other cards, principally the Schlumberger Cyberflex Access™ series of cards, let the capabilities of the underlying operating system come through to the programming interface presented to the application.

Because the unadulterated Java Card API provides only a modest set of services outside cryptography, this latter approach holds some benefits for the application developer who is concerned with getting the application built. There is an ongoing tension between programming (application) efficiency and maintaining the integrity (purity) of the Java language, although this is not too unlike similar tensions that we've always seen between language and operating system implementations.

/*
** online.java - On-Line Application for the SCADA Card
*/
import java.lang.reflect.Array;
import javacard.framework.*;
import javacardx.framework.*;
import javacardx.crypto.*;

public class online extends javacard.framework.Applet {

    /*  SCADA card on-Line application parameters and sizing values */
    final static byte SCADA_CLA = (byte)0xC0;

    final static byte DATA_ACQUISITION_INS = (byte)0x10;
    final static byte SYSTEM_CONTROL_INS   = (byte)0x20;

    final static byte NEW_RECORD = (byte)0x01;

    final static byte POINTS  = 4;
    final static byte RECORDS = 8;
    final static byte ROWS    = 8;

    /* The input/output buffer */
    byte apdu_data[];

    /* The data acquisition records and system control tables */
    static byte records[];
    static byte record[];
    static byte rows[];
    static byte row[];

    private online() {

           records = new byte[POINTS];
           record  = new byte[POINTS*RECORDS*10];
           rows    = new byte[POINTS];
           row     = new byte[POINTS*ROWS*12];

           register();
}

/* Called when the applet is instantiated. */
public static void install(APDU apdu) {
        new online();
}

/*  Called when the applet is selected. */
public boolean select() {
        return true;
}

/* Called when an APDU is received. */
public void process(APDU apdu) throws ISOException {
       short d;
       byte p;

       apdu.setIncomingAndReceive();

       apdu_data = apdu.getBuffer();

       if ((apdu_data[ISO.OFFSET_CLA] == ISO.CLA_ISO) &&
                (apdu_data[ISO.OFFSET_INS] == ISO.INS_SELECT)){
                ISOException.throwIt(ISO.SW_NO_ERROR);
       }

       if (apdu_data[ISO.OFFSET_CLA] != SCADA_CLA)
                       ISOException.throwIt(ISO.SW_CLA_NOT_SUPPORTED);

       p = apdu_data[ISO.OFFSET_P1];

       d = Array.getShort(apdu_data, 0);

       switch (apdu_data[ISO.OFFSET_INS]) {

       case DATA_ACQUISITION_INS:
                AccumulateData(p, d, apdu_data[ISO.OFFSET_P2]);
                break;
       case SYSTEM_CONTROL_INS:
                ProvideControl(p, d);
                apdu.setOutgoingAndSend((short)0, (short)8);
                break;
       default:
                ISOException.throwIt(ISO.SW_INS_NOT_SUPPORTED);
       }

       ISOException.throwIt(ISO.SW_NO_ERROR);
}

/*
** Accumulate a Data Value from a Control Point
*/
private void AccumulateData(byte p, short d, byte flags) {
       short r, n, v, v2;

       r = records[p];

       if((r == 0) || ((flags & NEW_RECORD) != 0)) {
               r++;
               records[p] = (byte)r;
       }
       r--;

       n  = Array.getShort(record, p*r*10+0);
       v  = Array.getShort(record, p*r*10+2);
       v2 = Array.getShort(record, p*r*10+6);

       n  += 1;
       v  += d;
       v2 += d*d;

       Array.setShort(record, p*r*10+0, n);
       Array.setShort(record, p*r*10+2, v);
            Array.setShort(record, p*r*10+6, v2);
    }

    /*
    ** Provide a Control Command to a Control Point
    */
    private void ProvideControl(byte p, short d) {
           short r, i, lb, ub;

           r = rows[p];

           for(i = 0; i < r; i++) {

                   lb = Array.getShort(row, p*r*12+0);
                   ub = Array.getShort(row, p*r*12+2);

                   if(d > lb && d <= ub) {
                          Util.arrayCopy(row, (short)(p*r*12+4),
                                             apdu_data, (short)0, (short)8);
                          return;
                   }
            }
            ISOException.throwIt(ISO.SW_RECORD_NOT_FOUND);
    }
}

Microsoft's Windows for Smart Cards (WfSC) operating system was developed in the summer of 1998 and made its debut at Cartes'98 in November of that year. Rather than designing de novo for the smart card, the Microsoft development team, like Multos's Nat West Development Team before it, started with battle-hardened designs from “big iron” and adapted them to the resources available on the smart card. The philosophy was to embed smart card computing in the skill sets and programming models of existing application programmers rather than require that these application programmers learn new skills and programming models in order to use smart cards. Of course, handling the limited resources environment of the smart card will probably always constitute a re-learning process for typical PC-level application programmers.

The file system design of the Windows card is the tried and true File Access Table (FAT) file system of DOS and Windows. Because smart cards are used internationally, file names are represented in Unicode rather than ASCII. To support the fine-grain, multipersonality requirements for access control and data security, the team adopted the access control list (ACL) design created by Bob Daley and Peter Neumann in 1964 for the Multics operating system and found in many Multics descendants such as George, Unix, VMS, and Windows NT. The virtual machine is a compact version of the Intel 8048 and the on-card application programming interface is a greatly scaled-down version of the Windows API.

Const CLA = &HC0
Const INS = &H20
Const P1 = &H0
Const P2 = &H0

Const NEW_RECORD = &H1

Const SUCCESS = &H9000
Const CLA_ERROR = &H6D00
Const INS_ERROR = &H6E00
Const TAB_ERROR = &H6F00

Const SHIFT8 As Integer = &H100
Const SHIFT16 As Long = &H10000
Const SHIFT24 As Long = &H1000000

Function MAKEWORD(ByVal a As Byte, ByVal b As Byte) As Long
    MAKEWORD = a * SHIFT8 + b
End Function

Function MAKEDWORD(ByVal a As Long, ByVal b As Long) As Long
    MAKEDWORD = a * SHIFT16 + b
End Function

Sub Main(ByVal CLA As Byte, _
         ByVal INS As Byte, _
         ByVal P1 As Byte, _
         ByVal P2 As Byte, _
         ByVal lc As Byte)

    Dim APDUdata(0 To 10)
    Dim recs, rows As Byte
    Dim record(0 To 9) As Byte, row(0 To 11) As Byte
    Dim d, n, lb, ub As Integer
    Dim v, v2 As Long
    Dim hFile As Byte
    Dim i, Status, ActualBytes As Byte
    Dim fileName(0 To 3) As Byte

    If (CLA <> &HC0) Then
        ScwSendCommInteger CLA_ERROR
        Exit Sub
    End If

    d = MAKEWORD(APDUdata(0), APDUdata(1))

    Select Case INS

    ' Accumulate Data
    Case &H10:
        fileName(0) = &H10
        fileName(1) = P1
        fileName(2) = 0
        fileName(3) = 0
        Status = ScwCreateFile(fileName, "", hFile)
        Status = ScwReadFile(hFile, recs, 1, ActualBytes)
        If recs = 0 Or P2 = NEW_RECORD Then
            recs = recs + 1
            Status = ScwSetFilePointer(hFile, 0, FILE_BEGIN)
            Status = ScwWriteFile(hFile, recs, 1, ActualBytes)
        End If
        recs = recs - 1
        Status = ScwSetFilePointer(hFile, recs * 8 + 1, FILE_BEGIN)
        Status = ScwReadFile(hFile, record, 10, ActualBytes)
        n = MAKEWORD(record(0), record(1))
        v = MAKEDWORD(MAKEWORD(record(2), record(3)), MAKEWORD(record(4), record(5)))
        v2 = MAKEDWORD(MAKEWORD(record(6), record(7)), MAKEWORD(record(8), record(9)))

        n = n + 1
        v = v + d
        v2 = v2 + d * d

        record(0) = n  SHIFT8
        record(1) = n - record(0) * SHIFT8

        record(2) = v  SHIFT24
        record(3) = v  SHIFT16 - record(2) * SHIFT8
        record(4) = v  SHIFT8 - (record(2) * SHIFT16 + record(3) * SHIFT8)
        record(5) = v - (record(2) * SHIFT24 + record(3) * SHIFT16 + record(4) * SHIFT8)

        record(6) = v2  SHIFT24
        record(7) = v2  SHIFT16 - record(6) * SHIFT8
        record(8) = v2  SHIFT8 - (record(6) * SHIFT16 + record(7) * SHIFT8)
        record(9) = v2 - (record(6) * SHIFT24 + record(7) * SHIFT16 + record(8) * SHIFT8)

        Status = ScwSetFilePointer(hFile, recs * 10 + 1, FILE_BEGIN)
        Status = ScwWriteFile(hFile, record, 10, ActualBytes)

    ' Provide Control Command
    Case &H20:
        fileName(0) = &H20
        fileName(1) = P1
        fileName(2) = 0
        fileName(3) = 0
        Status = ScwCreateFile(fileName, "", hFile)
        Status = ScwReadFile(hFile, rows, 1, ActualBytes)
        For i = 0 To rows
            Status = ScwSetFilePointer(hFile, i * 12 + 1, FILE_BEGIN)
            Status = ScwReadFile(hFile, row, 12, ActualBytes)
            lb = MAKEWORD(row(0), row(1))
            ub = MAKEWORD(row(2), row(3))
            If d > lb And d <= ub Then
                ScwSendCommBytes row, 4, 8
                ScwSendCommInteger SUCCESS
                Exit Sub
            End If
        Next
        ScwSendCommInteger SUCCESS
        Exit Sub
    End Select

End Sub

The ZeitControl Basic card was and still is the first programmable smart card to offer an integrated application development environment that spans both the off-card and the on-card application simultaneously. You bring up the off-card application in one window, the on-card in an adjacent window, and single-step through the off-card, over to the on-card, and then back to the off-card. At the time they were introduced in 1996, the card and its IDE were light-years ahead of the competition. In a number of ways, they still are. The IDE is free and can be downloaded from www.zeitcontrol.de.

ZeitControl Basic (ZC-Basic) contains most of the usual Basic language constructs including strings and string functions, arrays, and user-defined data types. Like the Microsoft card, the Basic card sports a DOS-like FAT file system with the familiar Basic programming interface.

Command &HC0 &H10 MyAPDU(in As Long, out As String)

     if in <> 0 then
          out = "Not Zero"
     else
          out = "Zero"
End Command

Declare Command &HC0 &H10 MyAPDU(in As Long, out As String)
Dim S As String
...
Call MyApdu(0, S)
...

Const NEWRECORD = &H1

Const TABERROR = &H6F00

Eeprom recs, rows As Byte

Command &HC0 &H10 AccumulateData(d as Long)

    Dim n As Integer
    Dim v, v2 As Long

    If recs = 0 Or P2 = NEWRECORD Then
        recs = recs + 1
    End If

    Open "data" For Binary Access Read Write As #1

    Seek #1, (recs-1)*10

    Get #1, , n
    Get #1, , v
    Get #1, , v2

    n = n + 1
    v = v + d
    v2 = v2 + d * d

    Seek #1, (recs-1)*10

    Put #1, , n
    Put #1, , v
    Put #1, , v2

    Close #1

End Command

Command &HC0 &H20 ProvideCommand(d as Long, c1 as Long, c2 as Long)
    Dim i as Byte
    Dim lb, ub as Integer
    Dim row(0 to 11) as Byte

    Open Chr$(P1) For Binary Access Read As #1

    For i = 0 To rows
           Get #1, , lb
           Get #1, , ub
           Get #1, , c1
           Get #1, , c2

        If d > lb And d <= ub Then
            Exit Command
        End If
    Next

    SW1SW2 = TABERROR

End Command

The Basic card has by far and away the most tightly integrated, most efficient, and easiest to use application development cycle. The ZeitControl “Double Debugger” is identical to the Microsoft Visual Basic environment but the integration of the card and the off-card application is much tighter and more seamless than in the Visual Basic IDE.

Within single running instance of the Double Debugger, you create and edit both sides of the application. Each side can be compiled by itself or the two sides can be compiled simultaneously. After successful compilation, the source code for each side can be loaded into side-by-side windows and you can single-step through the off-card application, follow an APDU to the on-card application, single-step through the on-card code, follow a response back to the off-card application, and continue single-stepping through the host code. All communication between the off-card and the on-card application is visible as are current variable values on both sides. The usual debugging features, such as breakpoints and watch points in each window, are available.

Next, the on-card application can be downloaded to a Basic card. Single-stepping through the off-card application proceeds as previously. Communication between the host and the card is visible but response from the card is immediate.

You may have six applications on your smart card but you only have one home address. Clearly, you want the six applications and any new ones that might be loaded onto your card to share this information but you may want only one, the personal information management application, for example, to be able to change it. The video store application and the pizza parlor application on your card may want to share a loyalty points purse but they don't want the ice cream store to figure out how much time you're spending at the other end of Main Street by reading the number of video-pizza loyalty points you have accumulated.

There can be 5, 10, or even 20 different entities that have one or more rights to access various pieces of data on a multiapplication smart card. The cardholder is an obvious example of one of these entities. The issuer of the electronic purse on the card is another example. The capacity to enforce data access control policies—ensuring that each entity can do what it is allowed to do and not do what it is not allowed to do—is in fact the defining characteristic of a smart card.

Data access control is more comprehensive than data security. Data security typically means making sure that unauthorized entities can't access a piece of data. It is focused primarily on locking people out, not on selectively letting some people do some things and other people do other things. Data access control certainly includes data security in this sense but goes on to ensure that, for example, entities that are only allowed to read the data can't change it or entities that are only allowed to add data to a file can't delete data from it.

The four programmable cards as described previously are functionally identical—write an application in a high-level language, compile it to byte codes, load the byte codes onto the card, place them in execution, and talk to the running application with APDUs. The approach taken by one is preferred by some and the approach taken by another preferred by others. But they are basically the same with respect to the broad outlines of creating, loading, and running an on-card application.

Given then that data access control is the defining property of smart cards, it is perhaps surprising where these four cards differ as much as they do in this aspect of their operation. You might have thought that the users and the makers of smart cards would long ago have come to a consensus on the right way to do data access control and that all the cards would simply implement this given wisdom. Actually, it can be argued that they did; however, the resulting mechanisms don't fit well into a multiapplication environment where applications want to share data.

The problem of on-card data sharing and access control in its full generality is actually relatively new to smart cards. In the pre-multiapplication card era, there were only a few entities on a card (the cardholder, the issuer, the generic point of use), the number of data items was static, and the access rights of each entity were frozen when the card was created. It didn't take much in the way of on-card software to meet these modest data access control requirements. It wasn't until the advent of serious commercial interest in the multiapplication card in the late 1990s that the realization dawned that existing smart card data access control machinery was not up to the challenges of these new kinds of cards. The number of entities a card had to keep track of multiplied many times over. The entities could come and go with the applications. The complexity of the trust relationships between the entities and the data on the card multiplied.

In this chapter, we have discussed on-card programming and compared and contrasted the four major multiapplication, programmable smart cards on the market. Each card, together with its application development environment, has its strengths and weaknesses. They are certainly all different and there are undoubtedly practical smart card applications where any one of them would outshine all of the others.

The Multos card and the Windows card are minimalist RISC type cards that provide maximum freedom to the application programmer. Java card and Basic card are CISC type cards with richer programming models but more application programmer creature comforts once you learn how to navigate them.

Our discussions of the four cards can be summarized in the following five property tables (Tables 5.8 through 5.12):

Finally, Table 5.13 gives some descriptive information about each card as of the writing of this book.

While it may be hard to conclude from the preceding discussion, things are actually getting better for the smart card application developer. Most, if not all of the Java cards are being brought into cross-compatibility. The ETSI SCP series of smart card standards yield interoperable cards—not just standards-compliance marketing claims. And smart cards with multitasking operating systems on 32-bit chips have been announced. Whether or not card issuers turn to the third-party application development community for applications is solely a function of how compelling and innovative the applications created by that community are. This is progress.