-
-
Notifications
You must be signed in to change notification settings - Fork 216
JavaCard Buyer's Guide
Tip
TL;DR: head straight to the Shopping List!
JavaCard is an almost-a-commodity software platform for creating small applications that run inside a smart card chip. Such applications usually deal with handling of cryptographic keys or otherwise processing cryptographic secrets. While somewhat an open platform with public documentation, a lot is still proprietary and/or covered with broad NDA-s.
Note
This is a cheat sheet for buying blank, developer-friendly JavaCard-s from the Internet. It comes AS-IS, with no endorsements nor warranty!
- JavaCard version: 3.0.4 should be the minimum these days, as this is what is supported by newer SDK-s. Cards with 3.1 are also slowly becoming available and 3.2 specification is published but probably not available in real life production chips before a year or so. Bigger is better, but for actual rollout check the necessary features, algorithms and maybe try to aim for 2.2.2-compatible code. Keep in mind that API compatibility does not relate to algorithm availability!
- GlobalPlatform version: 2.2(.1) and 2.3(.1) are common. This relates to loading your application to the card (for which also 2.1.1 is sufficient) but 2.2 adds SCP03 support, which uses AES keys instead of 3DES. In addition to version and SCP algorithm, make sure that the card supports (and is pre-configured to use!) necessary features like RMAC or security domains or delegated management.
- EEPROM size: 64K, 72K, 128K, 144K and bigger sizes are common. Bigger is better, but when actually rolling out your card, choose a size that is with optimal price/size depending on actual requirements.
- Supported algorithms: JavaCard version number does not mean that all algorithms documented in the relevant API are available. Consult vendor documentation or JCAlgTest by @petrs to select a good candidate based on project needs.
-
GlobalPlatform default keys (or test keys, with the value
404142434445464748494A4B4C4D4E4F
or40..4F
for short): only if you get default test keys (or otherwise known keys) shall you be able to load applications to the card. You shall not be able to load your application to the card without the keys. Always be sure to ask for test keys for sample cards! If a key diversification scheme is used, get a reference to the method (EMV and VISA2 are known) and source for the derivation data! - Contact/Contactless interface: for creating NFC applications you want to get a card with dual interface or even contactless-only. Pay attention to ISO 14443 A vs B! Pick 14443-A if not sure.
- Proximity cards: for opening doors, usually a different chip with a separate antenna is present on the card for this single purpose (especially for 125kHz). But a vendor can usually combine necessary physical access cards with a suitable JavaCard chip module. For Mifare Classic and DESFire emulation option is available with some chips.
- Common Criteria / FIPS / EMVCo validation: most serious smart cards have some form of certification. CC EAL5+ and FIPS 140 level 3 being common for the JavaCard part. Bigger is better but keep in mind, that "the use of a validated cryptographic module in a computer or telecommunications system does not guarantee the security of the overall system." (excerpt from FIPS 140-2)
- GlobalPlatform lifecycle: should be OP_READY, but keep in mind that certain pre-personalization steps (like changin physical characteristics of the chip) may only be done before this state and are usually proprietary. Keep this in mind when actually rolling out.
- SIM cards: many if not all SIM (UICC) cards are JavaCard. Mapping guidelines exist, but SIM related functionality is usually independent of the programmable JavaCard part. SIM toolkit and similar packages must be available on the SIM.
- Guidance documentation: this is the part that usually requires a) a NDA and probably b) a business contract.
Important
See the Keys page for more information on Global Platform Secure Channel keys.
See also: Java Card Forum
Known manufacturers of JavaCard compatible smart cards, in alphabetical order:
- Excelsecu
- Feitian
- Giesecke & Devrient
- IDEMIA (ex Oberthur, Morpho)
- Infineon
- NXP (JCOP) (ex Athena)
- STMicroelectronics
- Thales (ex Gemalto, Axalto, Schlumberger)
Availability of various JavaCard-s for mere mortals is MUCH better than it was when this guide was first created. GlobalPlatformPro works with virtually any JavaCard available on the free market today (or will work as soon as I get my hands on a new item), as long as you know the keys and other parameters.
- link
- description
- link
- description
Note
There's a considerable number of different sellers on aliexpress, ebay and the likes, with various cards and different levels of services and technical support. Be sure to do your due diligence before!
Also in small quantities. In alphabetical order:
- CardLogix (US)
- CryptoShop (AT)
- MoTechno (DE)
- SmartcardFocus (UK, US)
- OpenDNSSEC 2012 HSM Buyers' Guide
- Similar overview from 2010 (PDF)
Contact Martin @ javacard.pro
javacard.pro - custom JavaCard applet development services · Editing locked due to malicious SPAM, sorry :(
Basic usage
- Getting Started
- Support GlobalPlatformPro development
- Glossary
- Environment variables
- Keys
- Secure Channel Establishment
- Application management
- Frequently Asked Questions
- Support & Questions
Advanced topics
- Lifecycle management
- Supplementary security domains
- DAP Verification
- Delegated management & receipts
- PACE
Development
JavaCard ecosystem