Java Card, a farewell

My Oracle story has ended, and with it my Java Card story, at least for now. I started working on the technology in February 1997, and I have never been very far from the technology for almost 20 years. However, Java Card is not in the scope of my next job, as I will focus on embedded and IoT security. I can’t say that I will never work again on Java Card, but at least I will take a break.

These 20 years have been quite an interesting ride. Java Card is an amazing technology, just as successful as it is understated. Java Card has been deployed on over 15 billion devices since the first deployments in 2000, its deployment numbers have been growing steadily for 15 years. With the current movements in the SIM industry, it is hard to guarantee that this growth will be sustained over the next years, but Java Card is at least guaranteed to have a very fat and very long tail before it disappears.

I will publish a few entries on Java Card, starting here with a few comments on how improbable this success has been over the years.

An immature technology for an immature industry

Initial work on Java Card started in 1996 at Schlumberger’s research team (now part of Gemalto), as all card vendors were looking for solutions to run scripts on smart cards, mostly for supporting the SIM Toolkit framework. At the time, every major vendor had developed a proprietary solution, usually based on an existing programming framework.

In 1997, smart card issuers were starting to ask for interoperability between vendors. The Java Card Forum was founded in the spring as an answer, although few of its members were convinced that it was the way to go forward. Sun Microsystems was invited as owner of the Java technology, smart card vendors became Java Card licensees, and Sun Microsystems took the responsibility of managing the specification and related technologies (reference implementation and compliance kit). Sun didn’t have any experience about smart cards, and in the first meetings, their representatives clearly showed it. Sun then hired Integrity Arts (a Gemplus spin-off) as consultant, and rapidly acquired them, getting expertise in-house.

Java was not well suited to the smart cards available then. The language was easy to learn, but the virtual machine brought an overhead in both size and performance. At the time, it would have been possible to design a more suitable standard for programming smart cards, but the industry has not been able to organize in order to define such a standard.

Java Card became an API specification rapidly with version 2.0, but this version was short-lived, and quickly replaced by version 2.1, which also included a virtual machine specification, and allowed binary Interoperability between products. At about that time, the mobile operators became really interested, a SIM toolkit API was defined, and the deployment began around 2000.

15 years later, this adoption of a poorly adapted technology by an immature industry has become an asset. Because Java Card was a bit too ambitious at the time, and thanks to the continuing success of the Java language, Java Card has now become a mainstream technology, which in 2015, fits the needs of the smart card market, and is present on most open smart cards, and roughly half of the microprocessor cards sold worldwide. In the end, it pays to be inadapted.

Mostly an ecosystem

In the late 1990’s, the first marketing sentences for Java Card were directly taken from Java, like “Millions of developers”, or “Write once, run anywhere”. The one specific marketing argument was about “Running multiple applications on your card”. Fifteen years later, here is a factual status:

  • Hundreds of developers (tens of expert developers), mostly working for smart card vendors or for a few specialized consulting firms.
  • Most applications written for a single card, or at least for a single issuer.
  • Most applications written by a card vendor, and running only on a single vendor’s cards.
  • Most cards running a single application.

The next question is: why is Java Card still around if it is not used? Well, in fact, it is being used, just not in the ways that people initially planned. In fact, an essential factor in the success of Java Card has been the certification of cards. In many cases, once a card is deployed, there is no (efficient) procedure to update the card to fix a bug or a vulnerability. Therefore, cards are heavily tested before to be deployed, and most vendors require several levels of certification, including a functional certification and a security certification.

These certification processes are costly, both in developer resources and in laboratory fees. Over the years, efficient certification has become an essential aspect of card development, and Java Card facilitated this in several ways:

  • A reference for core functionality. The Java Card specification defines a set of core functions which can then be used to develop applications (cryptography, I/O, storage, appication isolation and sharing). It then becomes possible to test separately these core functions (by evaluating a Java Card platform) and the application using them (by evaluating a Java Card applet). This can lead to economies of scale.
  • Reference applications. Some issuers and actors, notably Visa, have written reference versions of their applications, which have been thoroughly tested on compliant Java Card implementations. Vendors who use these reference implementations can simplify the certification process.
  • Building experience beyond developers. Laboratories, certification authorities, security consultants all have worked with many Java Card platforms and applications over the years, and now feel confident about their ability to use, test and certify such cards in different configurations. This is the ecosystem part.

In the past few years, the strength of this ecosystem has been a key asset for Java Card, together with the fact that it remains today the dominant platform for defining APIs for smart cards, regardless of the target vertical (once again an ecosystem aspect).

Not dead, not frozen, just slow and conservative

Another striking feature of Java Card is its lack of evolution. The core features of the platform have remained vastly unchanged since release 2.1. Several attempts to make the platform evolve have failed over the years:

  • Java Card RMI was introduced with Java Card 2.2, with the objective of making it easier to design new smart card applications, but it was never adopted by the community. Support of Java Card RMI has been optional in the latest releases, and it was close from being deprecated a few times.
  • Java Card 3.0 Connected was a bolder attempt at reaching new markets, this time arounod Smart Card Web Servers. This specification is very nice, and it defines a Web application model that can be implemented in half a megabyte, all included (OS, VM, Web container, content management, and a few apps). Yet, smart card web servers never caught, and this specification has never been implemented in a real product since its 2009 release.
  • An annotation framework for security interoperability was added recently, but the industry hasn’t been able to agree on a semantics for these annotations, and it has not been adopted.

In the latest 3.0.5 release, we have attempted to add a few simple things, hoping that they will be adopted, but this will only happen in a while, because of another interesting specificity of Java Card. It takes around a year to develop a new platform after the release of a specification, at least another year to get a full certification (functional and security), and another year to sell, produce and deploy it. That’s about 3 years between the specification and the actual availability of products.

This development rate partly explains the slow evolution of Java Card. The smart card ecosystem globally evolves very slowly, and to observers who are used to Web-like evolution, it may look life completely frozen. However, it keeps evolving at its specific and very slow rate. Since 2009, Java Card has become much better adapted to contactless cards, it has adopted a number of cryptographic technologies, and a few other features have evolved to follow the evolution of smart card hardware. Such changes are invisible to the non-specialist, but they keep the Java Card framework in synch with smart card technology, and this is what really counts.

2 Comments

  • MartinP wrote:

    Thanks for the wrap up!

    To be honest, that’s precisely what has troubled me as an “insider” most, for the past few years: how does one built true agility and multi-app, post-personalization delivery. The technology seems to be there, but business and politics don’t seem to follow yet. Why this matters? Because indeed, (expecting) web-like evolution can make the smart cards (and universal secure elements) as we know it obsolete before the technology reaches full potential…

  • It all depends about what we mean by “reaching full potential”. A few billions of devices every year clearly represents a significant part of the potential. And the other question that I would ask is as follows: Would “true agility, multi-app and post-personalization delivery” really improve the deployment and use of smart cards?

Leave a Reply

Your email is never shared.Required fields are marked *