Java Card Forum

The Java Card Forum is an industry association of companies from the smart card, secure operating system and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.

Why IDEMIA are using Java Card technology for their Digital Car Key solution

Smartphones have become the central object of people’s daily lives. Rare are those who forget them, even for short errands. Therefore, it makes sense for smartphone manufacturers and carmakers to work together to gradually replace car keys.

Smartphones will be at the center of the progress towards hands-free car access and ignition. Thanks to their communication abilities, Bluetooth, NFC, integration of UWB (Ultra Wide Band for precise location) technology, and their capability to secure exchanges, smartphones appear to be the easiest and safest solution.

These Digital Car Keys are highly secure. They cannot be duplicated since they are unique to each user and connect wirelessly to the car through integrated sensors. They can also be secured by exchanging authentication certificates over the network. In case of theft or loss, the key function or the smartphone itself can be remotely deactivated.

The application part of the Digital Car Key solution running on the Smart Card (UICC) in the mobile phone has been implemented in Java Card technology, as Java Card is providing the interoperability to easily load this applet onto UICCs from different manufacturers. The UICCs in mobile phones will come from different UICC suppliers and thus Java Card was the platform of choice to avoid the need for developing device specific applets. This way, the car manufacturer can rely on the fact that his applet will run on any mobile device.

Find out more:

Background to Digital Car Keys:

Digital Car Key solutions:


JCF addresses future security challenges at its virtual Plenary meeting

The JCF held its first 2021 Plenary Meeting from March 16th to 18th, 2021. The focus of this plenary meeting was mostly around discussing potential new features for the future releases of Java Card, to meet the security demands of emerging technologies and markets. 

Java Card has been deployed for over twenty years on billions of secure devices in its traditional segments; telecommunication, payment, identity and access control. The unique security features of Java Card make it a platform of choice for new use cases, such as Internet of Things devices and gateways, machine-to-machine communication and wearable devices. At the same time, Java Card is also facing technological platform changes, such as the evolution of the form factor from smart cards to embedded secure elements, and now to complete integration in the System-on-Chip, or the support of cryptographic agility to adapt to security threats such as quantum computing.

The research and standardization on post-quantum cryptography are quickly progressing, and a variety of quantum-safe algorithms are being assessed worldwide. Although it is probably too early to guess which will be the selected quantum-safe algorithms, Java Card will surely have to support a variety of new algorithms, as well as support cryptographic agility to adapt dynamically to security threats or new algorithms.

Massive IoT, with billions of connected IoT devices, is a major use case of 5G, which is starting to be deployed globally. Security is key to massive IoT, to ensure only authorized devices are connected to the network, but also to ensure the privacy and integrity of the data transmitted by those IoT devices. The support of efficient low-power consumption algorithms and protocols are an important feature that Java Card will have to provide for IoT devices, as well as the support of energy saving features such as suspend and resume. Some of these devices will indeed have to operate on battery power for very long periods of time.

Wearable devices, such as smart watches, is a growing segment where Java Card can provide secure features such as payment, connectivity or access control, and here again efficient power consumption is required.

Memory optimization of the Java Card platform was heavily discussed, in particular to better address a wide spectrum of configurations. In low memory configurations, memory optimization can decrease the RAM consumption and hence decrease the bill of material. In large memory configurations, the Java Card platform is integrated in the System-on-Chip and using the memory of the application processor of the SoC.

Finally the Plenary was the occasion to reflect on current technological evolutions, with an extensive review of the current standardization efforts in the security, payment, telecommunications, and identity area. With its unique openness, security, and interoperable features, Java Card is at the heart of major standard initiatives and will be ready to meet their future challenges.

Yours truly,

Jean-Daniel Aussel

President of the Java Card Forum

Why G+D uses Java Card technology in their StarSign Key Fob; a unique biometric access device

Enterprises and employees alike find passwords and PINs to access corporate facilities or assets cumbersome, whilst being increasingly worried about its security. Authentication with passwords are a big problem, as many people use less than 5 passwords for all accounts, or use simple passwords because they are easier to remember, or write their passwords down on paper.

FIDO Alliance defined ways for overcome these problems of password authentication and other restrictions. The free and open standard, addresses many authentication use cases e.g. using security keys, multi factors, fingerprints, facial recognition, etc. and allows a simpler and stronger authentication with public key cryptography. No information fishing, no stored secrets on the server-side, no third party protocols are necessary, and the key material and biometrics are stored on the device only. The presented StarSign KeyFob Token by Giesecke+Devrient (one of the JCF Members) combines FIDO’s authentication with a personal fingerprint identification in a single device, as a convenient and secure two-factor authenticator. 

The heart of the battery powered key fob is the Java Card Sm@rt Café Expert, as Java Card technology is predestined to support all the different applications and enables the required features, e.g. the personal identification of the holder. 

The Java Card securely stores numerous independent applications relying on the integrated access control. All these applications can be loaded on the platform by using secure GlobalPlatform means, even in the field with DSEM/SCP11c. The Java Card API and its services are used by new and existing applications and specific Java Card mechanisms e.g. “shared interfaces” allows the applet services. Java Card also supports different transmission interfaces and for example the biometric services are helpful for such a personal device.

The StarSign KeyFob implements, besides others, the FIDO application and includes a state-of-the art alternative for a convenient and secure two-factor authentication, by using a single device and fingerprint identification – all in the coin-like dimensions of a key fob.

The StarSign Key Fob is the industry’s unique biometric token that supports both logical and physical access control securely and seamlessly, by supporting a wide range of communication channels including NFC, USB and Bluetooth Low Energy. It not only authenticates users while accessing desktop PCs, notebooks, workstations, tablet PCs, smartphones or IoT devices, but also authorizes physical access to buildings, departments or offices. With this, the StarSign KeyFob covers many essential use cases in enterprise environments.

Find out more:

Product website:

Product Info Sheet:

Product Video:


JCF addresses key security challenges at its virtual Plenary meeting

The JCF held its 2nd Annual Plenary Meeting from October 13th to 15th, 2020. This was the opportunity to reflect on the Java Card 3.1 specification released a little less than two years ago and prepare for the new challenges ahead.

As Java Card is more and more deployed for the security of IoT devices, key features have been discussed for this market, such as the improved control of sensors or actuators, more efficient protocols and transports, as well as improved power management features for the power constrained IoT devices. The requirements imposed by the trend for some markets of moving the platform from a dedicated secure element to the system-on-chip, also known as the integrated secure element, were discussed.

The impact of post-quantum cryptography was addressed, in anticipation of the upcoming standards and regulations around the world. Several regional initiatives are progressing fast, such as the NIST PQC standard contest entering the third selection round with a handful of candidates, or the German BSI recently issued recommendations. As Java Card is deployed on billions of secure devices and this trend is most likely to continue, the support of post-quantum cryptography is a key requirement.

Finally, the support of TLS 1.3 was debated, as this new release is gaining fast adoption and the TLS protocol is at the center of end-to-end security in numerous use cases, especially IoT.

The virtual meeting was also the opportunity to reflect on past achievements and recognising outstanding contributors. This year, this is with great pleasure that I have seen the Bertrand Award awarded to Volker Gerstenberger, our past President who contributed to a large extent to so many aspects of the Java Card Forum for the past 20 years.

Once again, the Java Card Forum has proven to be an amazing place to drive the evolution of the Java Card technology: to meet future challenges to remain this open, trusted and interoperable security platform that is Java Card.

Yours truly,
Jean-Daniel Aussel
President of the Java Card Forum

How Thales uses Java Card technology to secure IoT end-to-end communication

While device growth brings transformative effects to several industries and to people’s daily lives, it also induces an additional level of system complexity to the infrastructure that will handle device data.

In parallel, there is a strong imperative to be able to trust the data that gets acquired and acted on by IoT solutions. The effects of corrupted devices or data on systems that make instant, analytics-based decisions can have a severe cost. As a result, there is an increasing need for solutions that secure the source of data at the edge, creating end-to-end security up to the cloud and beyond to connected devices.

Recognising this need for scalable security, the GSMA (Global System for Mobile Communications) has recently published a specification to establish end-to-end, chip-to-cloud security for IoT products and services called IoT Safe (IoT SIM Applet For Secure End-End Communication), that establishes the SIM or eSIM as the hardware root of trust.

A secure element running Java Card can play a critical role to ensure trust between the cloud and connected device. It can be leveraged by the device to delegate the provisioning of device identity and to manage the initial on-boarding process. It can further secure the cloud authentication and authorisation process and store the related credentials securely.

Thales (one of the Java Card Forum Members) has implemented the GSMA IoT SAFE specifications, leveraging on field proven and standardized SIM and eSIM security solutions to deliver scalable IoT Security. Find out how they use:
Secure Elements to deliver scalable trust for IoT applications (Infographic)
Secure Elements to address the three key IoT security requirements
Secure Elements to enable mutual authentication between IoT devices and the cloud

What’s Hot?

The work of the Java Card Forum is never complete – even before the latest Version of the Java Card platform has been published, JCF Members are already compiling recommendations for the next Release.

Below are some of the areas that the JCF is currently working on:

  • Keeping Java Card Specifications up-to-date to reflect technology evolution by staying in synch with relevant standardization organisations, e.g. GSMA, ETSI, 3GPP, GlobalPlatform, etc.
  • Considering industry requirements based on feedback from the field/product deployments
  • Optimizing footprint and execution speed of the Java Card Runtime for traditional markets (Payment, ID, Telco , etc.)
  • Designing new APIs for emerging markets in need of security, e.g. IoT, enabling up-to-date security functionality in Tools and Runtime
  • Studies/analysis and white papers with regard to emerging technologies

If you feel that your company could contribute to the work of the JCF, contact us to find out how to join the Forum (please note: membership is ONLY open to companies/organisations and not individuals – check out our joining criteria).


JCF continues to drive IoT Security at its Plenary meeting in Bucharest

The JCF held its 2nd Annual Plenary Meeting in Bucharest from October 15th -17th hosted by Oracle. As already established with the latest JC 3.1 specification released in January, IoT security was still very much center stage, with connected device volumes projected to increase exponentially. And all of these new to-be-connected device classes are expected to have new requirements on the security platform, depending on their use cases and area of deployment. Sensors, actuators and controllers will be deployed in so many heterogeneous usage fields, with completely different resource, connectivity and risk contexts: V2X and autonomous driving, smart grid and power management or complete campus networks for the factory of the future – just to name a few. All of those require different communication interfaces, different form factors, different power management and different security capabilities.

It is really exciting to drive the evolution of Java Card technology to become the open, trusted and interoperable state-of-the-art security platform for the IoT.

Yours truly,
Volker Gerstenberger
President of the Java Card Forum

Volker_G h&s