Java Card Forum

The Java Card Forum is an industry association of companies from the smart card, secure operating system and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.


Advancing eSIM Applet Security 

By Guido Abate, Chair of the Trusted Connectivity Alliance Board

Over recent years, exclusive market data from Trusted Connectivity Alliance (TCA) has highlighted how eSIM technology is being harnessed across the global digital economy to offer flexible connectivity, advanced security and enhanced experiences.

As eSIM adoption continues to build, so too does industry demand to use the technology’s proven security capabilities to host the applets behind value-added mobile services. These span highly sensitive use-cases such as payments, identity management and IoT services, where security is paramount.

The Critical Importance of Applet Security

Yet to maintain the highest level of security, applets must be developed correctly. This has become even more critical with the evolution to eSIM.

A single eSIM can host several profiles, each containing third-party applets that must securely share the resources of the eSIM and the mobile device. If one of these applets is malicious, or contains a flaw that an attacker can use as a backdoor, other applets on the same eSIM could be compromised and the security and privacy of that device’s communications put at risk. 

The good news for Java Card developers is that clear, industry-recognised guidance already exists to support the development of secure, high-quality applets that enable the delivery of powerful eSIM-based value-added services. 

Stepping Stones for Java Card Applet Developers  

In 2024, Trusted Connectivity Alliance (TCA) published Stepping Stones for Java Card Applet Developers. It marked the latest release in its acclaimed ‘Stepping Stones’ series, which provides recommendations and guidelines to support the development and deployment of SIM-based technologies.

The latest edition addresses the unique considerations presented by Java Card technology, offering harmonised best practices and security recommendations to maximise interoperability and ensure eSIM applet assets are sufficiently protected. 

The guidance includes security measures applicable to all applets, such as ensuring Java Card applets pass bytecode verification (which confirms that the converted CAP file is well-formed and type-safe before it is loaded, so the applet cannot escape the language’s memory-safety guarantees) and using only standard APIs. Additional recommendations for protecting sensitive applets are also provided. 
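The measures named above are easier to see in code. The applet below is an added example written for this page; it is not taken from Stepping Stones for Java Card Applet Developers, and its package name, class byte, instruction codes and install-parameter layout are assumptions. It shows the defensive habits such guidance calls for: every command is checked for class, instruction and exact length before any state is touched; the PIN try counter is an OwnerPIN, whose decrement the runtime performs atomically; the reference token is compared with the platform’s Util.arrayCompare rather than a hand-written early-exit loop (a “standard API” point: hardening that primitive is the platform vendor’s job, not the applet’s); and a two-field update is wrapped in a transaction so a card tear cannot leave it half-written. Bytecode verification itself is not something the applet does: it is run on the CAP file by the off-card verifier in the toolchain (and by an on-card verifier where the platform has one) before loading.

```java
package com.example.steppingstones; // hypothetical package name

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.framework.Util;

// Illustrative applet, not code from the TCA guide: every command is validated before any
// state is touched, the PIN try counter is an OwnerPIN managed by the runtime, the reference
// token is compared with a platform primitive, and a two-field update runs in a transaction.
public class SecureDemoApplet extends Applet {
    private static final byte  CLA_DEMO        = (byte) 0x80; // assumed proprietary class byte
    private static final byte  INS_VERIFY_PIN  = (byte) 0x20;
    private static final byte  INS_CHECK_TOKEN = (byte) 0x30;
    private static final byte  INS_SET_TOKEN   = (byte) 0x40;
    private static final byte  PIN_TRY_LIMIT   = (byte) 3;
    private static final byte  PIN_MIN_SIZE    = (byte) 4;
    private static final byte  PIN_MAX_SIZE    = (byte) 8;
    private static final short TOKEN_LEN       = (short) 16;
    // ISO 7816-4 status words that javacard.framework.ISO7816 does not name
    private static final short SW_VERIFICATION_FAILED = (short) 0x6300;
    private static final short SW_PIN_BLOCKED         = (short) 0x6983;

    private final OwnerPIN pin;   // persistent; try counter decremented atomically by the JCRE
    private final byte[] token;   // persistent reference value
    private short tokenVersion;

    // Applet-specific install parameters (layout assumed here): [pinLen][pin][TOKEN_LEN bytes]
    private SecureDemoApplet(byte[] p, short off, byte len) {
        pin = new OwnerPIN(PIN_TRY_LIMIT, PIN_MAX_SIZE);
        token = new byte[TOKEN_LEN];
        byte pinLen = p[off];
        if (pinLen < PIN_MIN_SIZE || pinLen > PIN_MAX_SIZE || len != (byte) (1 + pinLen + TOKEN_LEN)) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH); // install fails; nothing is registered
        }
        pin.update(p, (short) (off + 1), pinLen);
        Util.arrayCopy(p, (short) (off + 1 + pinLen), token, (short) 0, TOKEN_LEN);
    }

    // GlobalPlatform layout: [AIDlen][AID][privLen][privileges][paramLen][applet params]
    public static void install(byte[] bArray, short bOffset, byte bLength) {
        byte aidLen = bArray[bOffset];
        short aidOff = (short) (bOffset + 1);
        short privOff = (short) (aidOff + aidLen);
        short paramOff = (short) (privOff + 1 + bArray[privOff]);
        new SecureDemoApplet(bArray, (short) (paramOff + 1), bArray[paramOff]).register(bArray, aidOff, aidLen);
    }

    public void deselect() {
        pin.reset(); // authenticated state never outlives the selection
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_CLA] != CLA_DEMO) ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VERIFY_PIN:  verifyPin(apdu, buf);  break;
            case INS_CHECK_TOKEN: checkToken(apdu, buf); break;
            case INS_SET_TOKEN:   setToken(apdu, buf);   break;
            default:              ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    // Reads the command body and rejects a short read or a length outside [min, max].
    private short receiveExactly(APDU apdu, byte[] buf, short min, short max) {
        short lc = apdu.setIncomingAndReceive();
        if (lc != (short) (buf[ISO7816.OFFSET_LC] & 0xFF) || lc < min || lc > max) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        return lc;
    }

    private void verifyPin(APDU apdu, byte[] buf) {
        short lc = receiveExactly(apdu, buf, PIN_MIN_SIZE, PIN_MAX_SIZE);
        if (pin.getTriesRemaining() == 0) ISOException.throwIt(SW_PIN_BLOCKED);
        if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) lc)) {
            // 63Cx: wrong PIN, x attempts left (check() has already decremented the counter)
            ISOException.throwIt((short) (0x63C0 | pin.getTriesRemaining()));
        }
    }

    private void checkToken(APDU apdu, byte[] buf) {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        receiveExactly(apdu, buf, TOKEN_LEN, TOKEN_LEN);
        // Fixed-length comparison through the platform API instead of an early-exit loop.
        if (Util.arrayCompare(buf, ISO7816.OFFSET_CDATA, token, (short) 0, TOKEN_LEN) != 0) {
            ISOException.throwIt(SW_VERIFICATION_FAILED);
        }
    }

    private void setToken(APDU apdu, byte[] buf) {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        receiveExactly(apdu, buf, TOKEN_LEN, TOKEN_LEN);
        JCSystem.beginTransaction(); // token and version change together or not at all
        Util.arrayCopy(buf, ISO7816.OFFSET_CDATA, token, (short) 0, TOKEN_LEN);
        tokenVersion++;
        JCSystem.commitTransaction();
    }
}
```

Two details are worth checking against any applet reviewed with the Stepping Stones checklist: the length check compares the bytes actually received with the declared Lc, so a truncated or padded command is rejected before it reaches the PIN or token logic; and deselect() resets the PIN, so an authenticated state cannot be inherited by whatever is selected next on the same channel.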

Importantly, the recommendations are widely recognised as industry best practice. For instance, in response to a recent vulnerability disclosure in which researchers described how Test Profiles could be misused to install malicious Java Card applications within eSIM profiles, GSMA released guidance stating: “Java Card Application developers should comply with “TCA Stepping Stones for Java Card Applet Developers” recommendations.”

A Checklist for Secure Applet Development

To provide developers with practical guidance and to promote compliance, Stepping Stones for Java Card Applet Developers consolidates all security recommendations into a comprehensive, accessible checklist. This enables developers – particularly those who are newer to the eSIM market – to more effectively address common challenges. 

The checklist can also be used by quality and test engineers, as well as end customers, to verify proper implementations. This can help identify issues prior to deployment and promote increased trust across the ecosystem. 

Maximising eSIM Security and Interoperability

As the eSIM ecosystem continues to expand to encompass new use-cases and participants, TCA is committed to engaging with stakeholders across the industry on initiatives to maximise eSIM security and interoperability.  

For example, TCA recently participated in a joint session with the Java Card Forum to provide a technical deep-dive into how developers can utilise the recommendations and best-practices within ‘Stepping Stones for Java Card Applet Developers’ to advance the security of eSIM deployments. The session also explained how security can be bolstered by the TCALoader tool, which enables mobile operators and application developers to download, install and manage applications on the UICC / eUICC to test interoperability across different deployments.

Looking ahead – and as eSIM technology emerges as a key enabler of the global digital economy – TCA is exploring opportunities to bridge gaps across current standards and testing infrastructure to promote safe, reliable and consistent IoT deployments. 

‘Stepping Stones for Java Card Applet Developers’ is available to download here. To learn more about how TCA is advancing eSIM security, watch TCA’s webinar with the Java Card Forum here.


jNet Secure Joins Java Card Forum, Expands Role in Driving Secure Java Card Solutions for Fintech, IoT, and Biometrics

November 13th, 2024—jNet Secure, a leader in Java Card OS and security solutions, is pleased to announce its new membership in the Java Card Forum (JCF), a premier industry association dedicated to advancing Java as the leading technology for smart cards and secure devices. Through this membership, jNet joins global technology leaders in shaping the future of Java Card standards for high-security environments.

In addition to its foundational Java Card OS licensing expertise, jNet Secure has pioneered advanced Fintech, IoT, and Biometric solutions on Java Card technology, now deployed across multiple markets. These innovations empower clients to secure digital transactions, authenticate identities biometrically, and enable safe IoT integrations, all while leveraging Java Card’s secure and scalable framework.

“We are thrilled to join the Java Card Forum and contribute to the evolution of secure, interoperable solutions that protect digital identities and transactions worldwide,” said Mikhail Friedland, CEO at jNet Secure. “Our commitment to innovation in Fintech, IoT, and Biometrics aligns perfectly with JCF’s mission, and we look forward to working together to set new standards in secure digital services.”

“The Java Card Forum is delighted to welcome jNet as a new member,” declared Jean-Daniel Aussel, President of the Java Card Forum. “jNet has strong Java Card expertise both in legacy segments, such as payment or identity, and in more innovative applications such as crypto wallets. jNet is joining forces with the other leading member organizations collaborating in the Java Card Forum to foster the adoption and to advance the evolution of Java Card-based technology as the base for strong and interoperable digital security.”

As part of the Java Card Forum, jNet Secure will collaborate with other industry leaders to drive advancements in next-generation Java Cards, promoting a more secure and connected digital ecosystem.

For more information about jNet Secure and its solutions, please visit jnet-secure.com.

About jNet Secure
jNet Secure specializes in Java Card OS licensing and advanced security solutions for diverse finance, IoT, and biometrics applications, empowering secure digital experiences across industries.

About Java Card Forum
The Java Card Forum e.V. is an industry association of companies from the smart card, secure operating system and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.


Smart Payment Association highlights the importance of Java Card technology for enabling secure payments

As part of the Java Card Forum’s 25 year celebrations in 2022, we asked the Smart Payment Association why the work of the Java Card Forum, and in particular the release of the Java Card 3.1 specification, is key to the evolution of payment security.

By Lorenzo Gaston, Technical Director, Smart Payment Association

The IoT use case for card payments and Java Card v3.1 Specifications

IoT has been a debated technology in the card payments industry since 2017. Different pilots are ongoing for a series of identified scenarios: smart home, wearables and intelligent cars, as well as the next generation of petrol stations. Yet they still remain inconclusive. Use cases in these scenarios assume that an IoT device may initiate a purchase and/or a payment on behalf of the end-user. Such use cases are not easy to categorize from a legal perspective, and IoT card payments raise further compliance challenges around authentication, end-user consent and payment repudiation.

Moreover, IoT systems are exposed to cyber attack and will be subject to specific security certification procedures under the EU Cybersecurity Act and the recent EU Cyber Resilience Act (“the CRA”). It is still unclear how these EU Acts will affect card payment products implemented in different form factors. The reality is that (1) an early compromise of IoT payments would kill the aforementioned use cases and (2) security vulnerabilities exist in IoT because of the broad range of heterogeneous devices in the field, many with limited memory and processing capabilities.

The deployment of IoT systems suffers from a lack of technical standards as well, especially if the payment processing back-office is hosted in the cloud. These legal and technical unknowns make the broad adoption of IoT by banks difficult. As a result, the payment card industry is in a “wait and see” position until IoT devices reach the level of security maturity required to support card-based payment applications.

In this context, SPA can only welcome the effort made by the Java Card Forum to release the Java Card 3.1 specifications, intended also to enable the development of an open and interoperable application platform for the security of IoT devices. Java Card 3.1 introduces new APIs and updated cryptography functions to address IoT security needs, and allows the development of security services that are portable across a wide range of IoT security hardware. Remote device attestation services as specified by JC 3.1 will contribute to the early identification of IoT components that have been tampered with. IoT systems will feature a diversity of technical architectures and communication pathways between individual IoT devices, intermediate gateways and back-office payment authorization servers. The new extensible I/O model enables central applications to exchange sensitive data directly with connected IoT devices, over different physical layers and application protocols. In this context, the ability to address and fix individual IoT devices is a core security requirement. If IoT devices support JC 3.1 implementations, the monitoring capability of central banking facilities will be substantially improved.

SPA believes that the publication of JC 3.1 represents a key step forward in increasing the financial community’s trust in IoT technology. With that in mind, SPA draws your attention to the fact that PCI-SSC has just released its first bulletin covering security considerations when deploying IoT in card payments. It includes a definition of IoT devices that is not specific to payments and, more interestingly, a list of 10 “high level” security controls that “secure” IoT devices should meet. These 10 controls are mapped onto detailed requirements in the US standard ANSI/CTA 2088-A, “Baseline Cybersecurity Standard for Devices and Systems”. Things are starting to move in the payments industry with respect to IoT technology, and JC 3.1 appears as a timely enabler for this positive market evolution.

Is there a case for the implementation of Post-Quantum payment cards using JC v3.1 specifications?

Cryptographic extensions proposed by Java Card 3.1 significantly increase the potential for the card to provide security services to payment systems. Card payment systems are evaluating migration paths towards stronger cryptography, and a new generation of chips supporting more efficient Java virtual machines will allow the use of more complex cryptographic algorithms. The challenges of the migration differ between the symmetric and asymmetric cases:

  • Migration to 256-bit AES will protect symmetric cryptography for card payment systems against quantum cryptanalysis: Grover’s algorithm at best halves the effective key length, so AES-256 retains roughly 128-bit security. Symmetric post-quantum protection is therefore already defined and standardized and can be adopted now. Domestic and international card schemes are already in the process of migrating from TDES to AES. JC v3.1 supports new cipher modes for AES and updated cryptographic packages to handle symmetric keys as trusted objects.
  • The pathway for stronger asymmetric cryptography is more complex and different, as no post-quantum asymmetric algorithm has yet been standardized and made available. Furthermore, some of the proposed algorithms pose challenges for current secure elements that implement Java Card technology, in terms of performance and available memory. Within the payment industry, migration strategies are under discussion. SPA defends the use case of offline payment authentication using ECC according to:
      • the recently released EMVCo specifications, EMV Specification Bulletin 243 for contact cards and the ECC C-8 Contactless Kernel specification for contactless payments, and
      • backwards compatibility with existing RSA-based products.

Therefore, in the short term, SPA outlines the need to specify methods for the ECC algorithms for both the EMV contact and EMV C-8 contactless specifications.

In the medium term, hybrid cryptographic payment cards and terminals will support classical and post-quantum public-key mechanisms in addition to AES. Because of the traditionally long migration periods for devices in card payment systems, it matters that future versions of the Java Card API include methods giving payment applets access to post-quantum cryptographic algorithms, such as those selected by US NIST for standardization at the conclusion of the third round of its post-quantum competition.

What new regulated payment instruments could benefit from JC v3.1 extended functionalities?

The current payment landscape is dominated by cash and card payments for retail and person-to-person transactions. For online payments, additional methods are established, mostly based on direct credit transfer. New methods, such as instant payment or central bank digital currencies, are on the horizon. Regulations such as the EU’s PSD2, and the planned PSD3, enforce higher security for all of these payment methods by mandating strong customer authentication (SCA). They also open account access to independent players, the so-called Payment Initiation Service Providers (PISPs), which initiate payments from accounts held at the banks acting as Account Servicing Payment Service Providers (ASPSPs).

Java Card technology is well suited to supporting these new payment instruments and complying with SCA by implementing the legally defined authentication factor “something you have” (possession). This can typically be a smart card, a mobile phone with an embedded Secure Element or (embedded) UICC, or another form factor. When these secure elements are based on JC 3.1 technology, they offer a simple way to add multiple payment applications for different payment systems to one platform, which can, for instance, share essential confidential personal authentication data such as the PIN code. As a further extension, the platform can also provide biometrics as an on-device cardholder verification method supporting the authentication factor “something you are” (inherence). Finally, because Java Card is highly standardized, these applications can be used on different product platforms without changing the Java Card applet itself.
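The “share the PIN code” point above has a concrete mechanism behind it: the Java Card applet firewall isolates applets from each other, and the only sanctioned way across it is a Shareable interface object. The three source files below are an added example for this page, not SPA’s or the JCF’s code; the package names, AIDs and the parameter byte are assumptions, and the files are shown together here although each lives in its own file in a real project. The applet that owns the OwnerPIN exposes exactly two methods and checks the requesting AID both when the shareable object is handed out and on every call; a payment applet uses them as its cardholder verification without ever holding the PIN itself. The client passes the APDU buffer, which is a global array both contexts may read; passing a client-owned array would make the holder’s access throw a SecurityException.

```java
// --- PinService.java ---
package com.example.sharedpin; // hypothetical package name

import javacard.framework.Shareable;

// The only methods the firewall lets another applet context invoke on the PIN holder.
public interface PinService extends Shareable {
    boolean verify(byte[] buf, short off, byte len); // buf must be the APDU buffer (global array)
    boolean isValidated();
}

// --- PinHolderApplet.java ---
package com.example.sharedpin;

import javacard.framework.AID;
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.framework.Shareable;

public class PinHolderApplet extends Applet implements PinService {
    private static final byte PARAM_PIN_SERVICE = (byte) 0x01;
    // AID of the one client allowed to use the service (value assumed for this example)
    private static final byte[] CLIENT_AID = {(byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x02};
    private final OwnerPIN pin = new OwnerPIN((byte) 3, (byte) 8); // 3 tries, up to 8 digits

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PinHolderApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    // Called by the JCRE, in this applet's context, when a client requests the SIO.
    public Shareable getShareableInterfaceObject(AID clientAID, byte parameter) {
        if (parameter != PARAM_PIN_SERVICE) return null;
        if (!clientAID.equals(CLIENT_AID, (short) 0, (byte) CLIENT_AID.length)) return null;
        return this; // only the PinService methods are reachable through this reference
    }

    private boolean callerIsClient() { // re-checked per call in case the SIO reference leaks
        AID caller = JCSystem.getPreviousContextAID();
        return caller != null && caller.equals(CLIENT_AID, (short) 0, (byte) CLIENT_AID.length);
    }

    public boolean verify(byte[] buf, short off, byte len) {
        if (!callerIsClient() || len < 4 || len > 8 || pin.getTriesRemaining() == 0) return false;
        return pin.check(buf, off, len); // try counter handled atomically by the runtime
    }

    public boolean isValidated() {
        return callerIsClient() && pin.isValidated();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        // The holder's own commands (PIN personalisation, change, unblock) would go here.
        ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
    }
}

// --- PaymentClientApplet.java ---
package com.example.payclient; // hypothetical package name

import javacard.framework.AID;
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import com.example.sharedpin.PinService;

public class PaymentClientApplet extends Applet {
    private static final byte INS_VERIFY = (byte) 0x20;
    private static final byte INS_PAY = (byte) 0x50;
    private static final byte PARAM_PIN_SERVICE = (byte) 0x01; // must match the holder
    private static final byte[] HOLDER_AID = {(byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x01};
    private PinService pinService;

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PaymentClientApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    private PinService service() {
        if (pinService == null) {
            AID holder = JCSystem.lookupAID(HOLDER_AID, (short) 0, (byte) HOLDER_AID.length);
            if (holder != null) {
                pinService = (PinService) JCSystem.getAppletShareableInterfaceObject(holder, PARAM_PIN_SERVICE);
            }
            if (pinService == null) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        return pinService;
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VERIFY:
                short lc = apdu.setIncomingAndReceive();
                if (lc > 8) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
                // The APDU buffer is global, so the holder may read it across the firewall.
                if (!service().verify(buf, ISO7816.OFFSET_CDATA, (byte) lc)) {
                    ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                }
                break;
            case INS_PAY:
                if (!service().isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                // ... build and return the transaction cryptogram here
                break;
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

The design keeps the PIN value, its try counter and its validated state inside one applet’s context; a second payment applet from another scheme would be added by extending the AID check, not by copying the PIN. Casting the object returned by JCSystem.getAppletShareableInterfaceObject to PinService is permitted by the firewall precisely because PinService extends Shareable; a cast to PinHolderApplet itself would be rejected at runtime.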

State of the global market for payment cards and how SPA is advocating the use of card technology as the preferred retail payment instrument 

The Smart Payment Association (SPA) includes the leading payment card vendors (AUSTRIACARD, IDEMIA, G+D, Thales DIS) and silicon manufacturers (Infineon, ST). SPA is organized in eight different WGs addressing key domains of the payment card industry. Four of these WGs are of a technical nature and support SPA’s activity in standards bodies (EMVCo, PCI-SSC, European Cards Stakeholders Group (ECSG), European Payments Council (EPC)) and in payments industry groups led by European payment regulators (e.g. the Payment Systems Market Expert Group, PSMEG), as well as the close monitoring of the evolving regulatory context for payments and the corresponding security certification framework (e.g., ENISA). SPA is recognized by its partners for its high level of commitment and contribution.

The smart payment cards market continues growing:

  • 2.63 billion smart payment cards and modules were delivered worldwide in 2021 by SPA Members and Advisory Council participants
  • Contactless cards accounted for 76% of all shipments, hitting the 2 billion threshold for the first time.
  • Circa 100 million next-generation eco-friendly smart payment cards delivered globally

** The views expressed in this article are solely those of the author listed and do not necessarily reflect the views of the Java Card Forum, its Members or Oracle. **


Java Card – A Foundation for the Future

As part of the 25 Year Anniversary celebrations, the JCF has produced an Infographic to demonstrate the unique benefits of the Java Card platform in providing secure solutions across converging industry segments.

To view the Infographic as a PDF, please click here.


Trusted Connectivity Alliance celebrates collaboration with Java Card Forum

As part of the Java Card Forum’s 25 year Anniversary celebrations, we have been talking to leading standards organisations to highlight the importance of industry collaboration over the years.
In this interview, the third in the 25th Anniversary series, Claus Dietze, Chair of the Board, Trusted Connectivity Alliance (TCA) explains the importance of Java Card technology in the Telecoms industry, how the 2 organisations have successfully collaborated over the years and why Java Card should be the platform of choice for IoT solutions.

What is the role of Java Card in Telecoms and how has it evolved over the last 25 years?

Java Card is a key pillar of the Telecoms industry; it’s a key technology for our Secure Element ecosystem. And why is it like this? Because it’s providing the capabilities our ecosystem actually needs.

First of all, it’s providing flexibility, but of course it also provides one of the main features and capabilities, which is interoperability. And due to this, many of the demands that the ecosystem has, can be answered.

The other aspect of evolution, is of course in regards to its market share – you may know that the TCA, formerly the SIMalliance, is tracking its Members’ market data and we started doing this almost 20 years ago (not quite 25 years!). We already started tracking the market share of Java Card in 2004 and back then, I think it’s not a secret if I disclose that we had a market share which was significant, but not yet reaching the level of native operating systems – we had something like 40%. Since then, the market share of Java Card and its adoption in the field steadily grew year on year and we see that this is going to grow even further in the future. So, with new exciting technologies, such as the eSIM, we see that, as far as I am aware, all the eSIMs that are commercially deployed out there in the field are all based on Java Card technology.

It has evolved significantly, because it’s adapting its requirements and capabilities to the needs of our ecosystems very well.

How have the TCA and JCF collaborated?

This started many years ago. The way that the TCA organises its work is by establishing Working Groups. And one of the first working groups that the TCA established was dealing with interoperability – a Working Group that is still alive today. Java Card was a brand new technology in the early days and even though it was claiming to be interoperable from the beginning, different vendors actually interpreted the specification slightly differently and also some of the capabilities and features requested by the customers of those same vendors, were not yet available in the Java Card specification, so proprietary extensions were implemented and that’s what was always causing problems when it comes to the interoperability. As we have key members of the TCA who are also key members of the JCF, we established some sort of “exchange”, so that findings of the TCA were then reported back into the JCF and could be brought into the specifications of Java Card, thus enhancing interoperability and also enhancing the feature set.

What benefits did this collaboration bring?

It improved interoperability – it brought benefits in particular to the whole SIM ecosystem I would say.
Maybe for the network operators it brought the benefit that they had one type of application, so it brought interoperability on the applet level in particular. The idea was to develop an applet once and to run it on all the different platforms of the various SIM vendors and that improved the network operators’ time to market, introducing new services on different SIM vendors’ platforms, because they just had to take the existing applet and put it onto the new SIM and deploy.

For the SIM vendors themselves, it also reduced their efforts, because they just had to develop their application once, and to run it, or even licence it to other SIM vendors, thus also creating additional revenue potential. So, it brought many benefits, in particular, increasing the interoperability of technical implementations.

How does the TCA see Java Card changing in line with the evolving IoT landscape?

The Internet of Things is actually very fragmented, so everyone understands something different by this term. You have a wide range of use cases and a wide range of different types of devices. But what they have in common is that most of those devices need to be connected – so they have a need for connectivity again. And we think that this connectivity should be trusted. In the IoT you don’t currently have security experts, certainly not in the early days at least; they think – let’s connect a device and talk about security later. We think we have to make sure this is done at the very beginning. The technology that we are offering, with SIM technology, eSIM technology and also integrated SIM technology, provides a foundation for first of all enabling trusted connectivity, and of course also for putting additional applications on top of those platforms, that are increasing the security level of the IoT in general. So we think that with Java Card, we can inherit the benefits we have from the traditional SIM and take it and transfer it over into the IoT. And just to add on top of that, of course we also think that eSIM technology, which is based on Java Card these days, is also enabling the IoT to be trusted and more secure. There is also a lot that Java Card can bring with regards to low power, to memory sizes and so on…there are many features that Java Card is implementing already that we can leverage very well, so I think the future is bright for Java Card in IoT and I am very much looking forward to the continued collaboration between the 2 associations on this topic as well.

You can see this interview in video format here.

