Java Card Forum

The Java Card Forum is an industry association of companies from the smart card, secure operating system and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.

FAQS

ABOUT THE JAVA CARD FORUM

ABOUT JAVA CARD TECHNOLOGY

ABOUT THE JAVA CARD FORUM

What is the Java Card Forum (JCF)?
The Java Card Form is a collaboration of companies from the smart card, secure operating system, and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.
Back to top

How is the Java Card Forum organized?
The Java Card Forum is comprised of a technical and business committee and meets as a whole group every 6 months in a different location, hosted on a rotational basis by a JCF member. On average 20 people attend over 2 days with specific work tasks. Much work is carried out between meetings (with face-to-face meetings and conference calls) to solve specific technical or business requirements and the half yearly Plenary meetings act to fine tune direction and ensure that the industry and Oracle are in alignment with customer and market requirements.
Back to top

Who are the members of the Java Card Forum?
The members of the Java Card Forum are:

Partner of the Java Card Forum:

Back to top

How do I join?
Participation in the Java Card Forum is open to companies and organizations with an interest in setting the future direction of Java Card technology. The JCF IS NOT a developer’s Forum and developers are encouraged to join Oracle’s online community where they can access documentation, share views and ask for assistance.

Membership of the Java Card Forum may be accorded by the Members to any company that:

  • Endorses Java Card,
  • Commits to using Java Card in its products,
  • Commits to promoting Java Card as its favoured solution for dynamic multiple application schemes,
  • Supplies products which embed (or will embed) Java Card API,
  • Has licensed Java Card technology from Oracle,
  • Applies for membership, and
  • Agrees to be bound by the by-laws of the group, including commitments to participate in/support the work of the Java Card Forum.

Companies interested in joining the Java Card Forum should contact us.
Back to top

Does the JCF interact with other industry associations?
A smartcard, a secure device or a secure execution environment is a complex framework involving different technologies besides the Java Card core. For this reason the Java Card Forum has to ensure coordination with organizations such as ETSI, GSMAGlobalPlatformISO/IEC,  or SIMalliance.

Back to top

ABOUT JAVA CARD TECHNOLOGY

What is Java Card technology and why should I use it?
Java Card technology preserves many of the benefits of the Java programming language – productivity, security, robustness, tools, and portability – while enabling Java technology for use on smart cards, secure devices and other secure execution environments. The Virtual Machine (VM), the language definition, and the core packages have been made more compact and succinct to bring Java technology to resource – constrained environments.

Java Card technology also includes specific security features, such as user authentication classes to manage PINs and passwords, as well as specific application isolation features, known as the firewall, that allow applications from several providers to cohabit securely on the same device.

To understand more about the uses of Java Card versus native platforms download our whitepaper. 
Back to top

What is a smart card?
A smart card is identical in size to a typical credit card and is tamper resistant. A smart card embeds a secure microcontroller that can store and process information. The most basic cards are memory cards, which store data locally, but do not contain a CPU for performing computations on that data. Higher-end microprocessor cards include a CPU for performing computations on locally stored data. A Java Card Runtime Environment can in particular run on a microprocessor card.

The secure microcontrollers used in microprocessor cards typically include CPU, a few kilobytes of RAM, as well as some persistent memory, EEPROM of Flash, which is used to store code and data. Most smart card microcontrollers also include cryptographic accelerators, as well as a number of security detectors and other countermeasures, in order to provide adequate tamper-resistance guarantees.
Back to top

What are other secure devices that Java Card runs on?
Since its inception more than 20 years ago, Java Card technology has witnessed various technology advancements. Mobile communications technology has brought always-on data and IP-based communication. Subsequently mobile devices became more powerful, requiring additional embedded Secure Elements (eSE) to protect e.g. payment applications on various smartphone OSs. Recently, eSIM management has been growing in importance, relying on eUICCs or converged integrated platforms in mobile and IoT devices.
Back to top

What is the Java Card API?
The Application Programming Interface (API) for the Java Card technology defines the calling conventions by which an applet accesses the Java Card Runtime Environment and native services. The Java Card API allows applications written for one Java Card-enabled platform to run on any other Java Card-enabled platform.

The Java Card API is compatible with formal international standards, such as ISO7816, and industry-specific standards, such as EMVCo’s EMV standards for payment, and ETSI/3GPP standards for UICC/SIM cards.
Back to top

What are the application fields of Java Card Technology?

Telecom: Billions of SIM cards have been issued in the mobile telecommunications sector including Java Card technology, connecting and securing 2G, 3G, 4G and soon 5G and LPWAN networks with (U)SIM applications. The Java Card platform can also be widely found in the growing NFC sphere (such as transport, loyalty and payment). In addition, the Internet-of-Things provides a vast playing field for flexible and secure connectivity solutions.

Mobile phone and wearables: Mobile OEMs and Wearables device vendors use Java Card embedded and integrated secure element to offer contactless and online payment services, NFC services and to offer a root of trust for device software integrity.

Finance: Java Card technology is often at the base of payment transactions, using payment cards or using NFC transactions in cards or mobile phones. Leading payment institutions trust Java Card to host their payment applications and accelerate vendor certifications. Java Card also allows banks and other financial operators to differentiate by offering new modes of authentication such as biometry, or additional services such as loyalty.

Government and Identity: Many governments are including Java Card technology in their requirements for electronic identity documents such as ID cards and Passports. Java Card provides strong guarantees of interoperability and security, as required by these sensitive deployments. Applications include PKI, Digital Signature, Encryption and more.

Automotive: In addition to subscription management and connectivity services, Automotive OEMs offer secure remote services using the embedded secure elements for authentication.

IoT Security: Smart meter and Gateway OEMs leverage Java Card-based secure element to ensure device attestation and integrity, and device credential protection. IoT device makers can utilise security chips running Java Card technology to deliver secure authentication to IoT solutions. (See IoT Area,  Infographic and Whitepaper for more details).
Back to top

Can contactless cards support the Java Card platform?
The Java Card technology is independent of the type of supporting hardware. The Java Card platform can run on contact and contactless devices. The Java Card platform also runs on secure elements that power the Card Emulation mode in NFC, independently of the form factor (SIM, embedded secure element, or other).
Back to top

Who can contribute to the specifications? 
To date over the last 20 years, the Java Card Forum has worked on multiple iterations of the Java Card API enhancement specifications. The group is currently working on enhancements to Java Card 3.1 specification requirements.
Back to top

Where do I find specifications?
Details about the latest specifications can be found on the Oracle website.
Back to top

What is the role of the JC in the standardization of Smart Card Technology?

The Java Card specifications are constantly updated to align with specifications developed in other organizations for both horizontal and vertical specifications.
The horizontal or generic standards are the ISO/IEC set of standards for the secure element market in general.

The vertical standards for vertical market segments include but are not limited to:

  • ETSI and 3GPP for the mobile communication market and the deployment of NFC services to mobile phones
  • GlobalPlatform for the secure management of the Java Card Platform and Java Card Applets in the Financial, Government-ID and Telecommunication market
  • EMVco for the development of Payment applications.

Horizontal and vertical alignments are a two way process, either specifications from these organizations are updated to take advantage from latest development of the Java Card Platform, or the Java Card specifications are constantly updated to follow the latest (e.g. cryptographic) development taking into account specifications and recommendations (e.g. from NIST, BSI, RSA Labs, IETF).
Back to top

Are the Java Card platform and GlobalPlatform Card Specification related?
The GlobalPlatform consortium has issued a Card Specification that defines a card management framework. This specification compliments the Java Card specifications by defining a set of commands that can be used to manage applications on a Java Card product.

The GlobalPlatform Card Specification also defines a Java Card API that allows Java Card developers to further integrate GlobalPlatform support in their applications.

Most Java Card products include at least some support for the GlobalPlatform Card specification. Please refer to GlobalPlatform for more information.
Back to top

What is the difference between the Java Card Classic Edition and the Java Card Connected Edition?
Since Java Card 3.0, there are two distinct editions of the Java Card specifications: Classic and Connected.

The Classic targets smart cards and secure devices on all vertical markets. It is the basis for billions of cards currently deployed, and can run security services on a wide range of hardware configurations, from chips based on ISO7816 and ISO14443 communication to IoT secure elements.

The Connected Edition of the Java Card specification is a technological breakthrough, in which Java Card has been extended to support a Web application model, with servlets running on the card, and TCP/IP as basic protocol. The Connected Edition runs on high-end secure microcontrollers, typically based on a 32-bit processor and supporting a high-speed communication interface.
Back to top

What can I use to develop an applet for the Java Card platform?
Any off-the-shelf development tools for the Java programming language can be used to develop applets for the Java Card platform. Oracle is also providing a developer toolkit for Java Card, including integration with the Eclipse IDE.

Details about Oracle support can be found here.
Back to top

What other tools are available for development? Who is producing such tools?
Many of the Java Card platform licensees have created development tools for the Java Card Application Environment. For example, some have simulations of the smart card environment to test and debug the applet written for the Java Card platform.
Back to top

What Java Card technology products are available now?
Many Java Card platform licensees have announced product availability. Each vendor website may include information on the characteristics of those products and their Java Card functionality.
Back to top

Is Java Card technology as secure as native smart card technology?
Java Card technology is used in all smart card and secure device markets, including the most demanding in terms of security. Oracle publishes a Java Card Protection Profile, which has been used by smart card vendors to certify the security of their Java Card products, up to the highest available levels (EAL5+ in many instances, and even EAL7 in some cases). To get these certifications, the Java Card products have undergone extensive security testing by government-approved laboratories, which have not been able to identify vulnerabilities in the products they tested.

Compared to native secure OS and products, Java Card products embed similar core technologies, like cryptography and security countermeasures. Naturally, because Java Card allows the downloading of application code, it faces new threats that do not affect native or closed secure devices. Of course, these new threats are considered in the Java Card security model, and they are addressed in the Java Card specification, for instance through the definition of the Java Card firewall, and also in the implementation of the Java Card products sold by licensees.

In addition, because the Java Card specification is openly available, it has fostered an active research community, which has been studying the technology for years, and has contributed to the improvement of the security of Java Card products.
For all these reasons, the Java Card platform is today the most secure application platform available, with more security-certified products than any other smart card or secure device framework.

To understand more about the uses of Java Card versus native platforms download our whitepaper.
Back to top

How does the Java Card Platform contribute to the mobile payment ecosystem?
The Java Card Platform is a solution employing client security, based on a collection of time-tested industry standards – i.e. the well orchestrated combination of Java Card, GlobalPlatform and ISO specifications. This combination has a successful track record of 20+ years experience in the mobile, as well as payment field. Its capability to be certified from a functional and security perspective, makes it the natural, reliable choice for current and future successful mobile payment deployments.
Back to top

How does the Java Card address the security requirements of IoT devices?
To support the growing security needs of connected devices, Java Card includes dedicated features to support the development of Internet of Things (IoT) Security applications at the edge of the network:

  • A flexible I/O model can be extended to support a variety of physical layers and application protocols, allowing the logical access to device peripherals by secure element applications.
  • Certificate APIs, Extended Cryptography support and anti-replay mechanisms facilitate the implementation of Cloud Authentication protocols using secure hardware
  • Continuous improvement in compatibility testing and standardization of Java APIs ensure that Java Card applications can be quickly ported and work across an evolving IoT Silicon landscape.

For more information on the applications and use cases unlocked by Java Card in the Internet of Things, please refer to IoT Area,  Infographic and Whitepaper.
Back to top