Skip to main content

The Adoption Rate of JavaCard Features by Certified Products and Open-Source Projects

  • Conference paper
  • First Online:
Smart Card Research and Advanced Applications (CARDIS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14530))

Abstract

JavaCard is the most prevalent platform for cryptographic smartcards nowadays. Despite having more than 20 billion smartcards shipped with it and thirteen revisions since the JavaCard API specification was first published more than two decades ago, uptake of newly added features, cryptographic algorithms or their parameterizations, and systematic analysis of overall activity is missing. We fill this gap by mapping the activity of the JavaCard ecosystem from publicly available sources with a focus on 1) security certification documents available under Common Criteria and FIPS140 schemes and 2) activity and resources required by JavaCard applets released in an open-source domain (Paper supplementary materials, full results of analysis and open tools are available at https://crocs.fi.muni.cz/papers/cardis2023).

The analysis performed on all certificates issued between the years 1997–2023 and on more than 200 public JavaCard applets shows that new features from JavaCard specification are adopted slowly, typically taking six or more years. Open-source applets utilize new features even later, likely due to the unavailability of recent performant smartcards in smaller quantities. Additionally, almost 70% of constants defined in JavaCard API specification are completely unused in open-source applets. The applet portability improves with recent cards, and transient memory requirements (scarce resource on smartcards) are typically small.

While twenty or more products have been consistently certified every year since 2009, the open-source ecosystem became more active around 2013 but seemed to decline in the past two years. As a result, the whole smartcard ecosystem might be negatively impacted by limited exposure to new ideas and usage scenarios, serving only well-established domains and potentially harming its long-term competitiveness.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 49.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 64.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://survey.stackoverflow.co/2023/.

  2. 2.

    https://octoverse.github.com/.

  3. 3.

    https://seccerts.org/.

  4. 4.

    JavaCard API contains in total 151 constants with such name.

  5. 5.

    https://seccerts.org/fips/6d094db49a6e2242/.

  6. 6.

    https://seccerts.org/fips/6d094db49a6e2242/, /a5bef651c8e3fd6c/.

  7. 7.

    https://seccerts.org/cc/03aded94fb04c62e/, /45098872448f5816/, /03aded94f b04c62e/, /b0e6f667d52402df/.

  8. 8.

    https://github.com/crocs-muni/javacard-curated-list.

  9. 9.

    https://github.com/crocs-muni/jcalgtest.

  10. 10.

    https://seccerts.org/cc/2a45531c2dbd1ab8/.

  11. 11.

    https://crocs.fi.muni.cz/papers/cardis2023.

  12. 12.

    https://github.com/CRISES-URV/eVerification-2.

  13. 13.

    https://github.com/Celliwig/PinSentry-OTP.

  14. 14.

    https://github.com/gilb/smart_card_TLS.

  15. 15.

    https://github.com/dufkan/JCEd25519.

  16. 16.

    https://github.com/david-oswald/jc_curve25519.

  17. 17.

    https://github.com/crocs-muni/javacard-curated-list.

References

  1. Barbosa, O., Alves, C.: A systematic mapping study on software ecosystems. In: Proceedings of International Workshop on Software Ecosystems (2011)

    Google Scholar 

  2. Licel Corporation. jCardSim | Java Card Runtime Environment Simulator (2022). https://jcardsim.org/. Accessed 29 Sept 2023

  3. de Lima Fontao, A., dos Santos, R.P., Dias-Neto, A.C.: Mobile software ecosystem (mseco): a systematic mapping study. In: 2015 IEEE 39th Annual Computer Software and Applications Conference, vol. 2, pp. 653–658. IEEE (2015)

    Google Scholar 

  4. Dufka, A., Švenda, P.: Enabling efficient threshold signature computation via java card API. In: Proceedings of the 18th International Conference on Availability, Reliability and Security, ARES 2023, New York, NY, USA, 2023. Association for Computing Machinery (2023)

    Google Scholar 

  5. Glossner, J., Murphy, S., Iancu, D.: An overview of the drone open-source ecosystem. arXiv preprint arXiv:2110.02260 (2021)

  6. Hajny, J., Malina, L., Martinasek, Z., Tethal, O.: Performance evaluation of primitives for privacy-enhancing cryptography on current smart-cards and smart-phones. In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald, W.M. (eds.) DPM/SETOP -2013. LNCS, vol. 8247, pp. 17–33. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54568-9_2

    Chapter  Google Scholar 

  7. Janovsky, A., Jancar, J., Svenda, P., Chmielewski, Ł., Michalik, J., Matyas, V.: sec-certs: examining the security certification practice for better vulnerability mitigation. arXiv:2311.17603 (2023)

  8. Konstantinos Manikas and Klaus Marius Hansen: Software ecosystems-a systematic literature review. J. Syst. Softw. 86(5), 1294–1306 (2013)

    Article  Google Scholar 

  9. Mavroudis, V., Svenda, P.: JCMathLib: wrapper cryptographic library for transparent and certifiable javacard applets. In: 2020 IEEE European Symposium on Security and Privacy Workshops, pp. 89–96, IEEE. Genoa, Italy (2020)

    Google Scholar 

  10. Oracle. Java card™ platform, application programming interface, classic edition version 3.2 (2023). https://docs.oracle.com/en/java/javacard/3.2/jcapi/api_classic/index.html. Accessed 29 Sept 2023

  11. Martin Paljak. GlobalPlatformPro (2023). https://github.com/martinpaljak/GlobalPlatformPro. Accessed29 Sept 2023

  12. Pawlak, R., Monperrus, M., Petitprez, N., Noguera, C., Seinturier, L.: Spoon: a library for implementing analyses and transformations of java source code. Softw. Pract. Experience 46, 1155–1179 (2015)

    Article  Google Scholar 

  13. Svenda, P., Kvasnovsky, R., Nagy, I., Dufka, A.: JCAlgTest: robust identification metadata for certified smartcards. In: 19th International Conference on Security and Cryptography, pp. 597–604. INSTICC. Lisabon (2022)

    Google Scholar 

Download references

Acknowledgments

We would like to thank reviewers for their valuable comments. The authors were supported by Ai-SecTools (VJ02010010) project and by the European Union under Grant Agreement No. 101087529 (CHESS).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Petr Svenda .

Editor information

Editors and Affiliations

Appendix

Appendix

1.1 JavaCard projects and certificates included in analysis

The following types of JavaCard open-source projects were included in the analysisFootnote 17: Electronic passports and citizen ID (\(8\)x), Authentication and access control (\(29\)x), Payments and loyalty (\(20\)x), Key and password managers (\(15\)x), Digital signing, OpenPGP and mail security (\(8\)x), e-Health (\(1\)x), NDEF tags (\(6\)x), Cryptocurrency wallets (\(7\)x), Emulation of proprietary cards (\(8\)x), Mobile telephony (SIM) (\(5\)x), Library JavaCard code (\(47\)x), Learning (school projects, etc.) (\(5\)x) and Other (\(24\)x).

Table 5. Common Criteria and FIPS140 certificates of smartcards with JavaCard platform used for algorithm analysis (mentioning at least one JavaCard constant).

The JavaCard version reference analysis included all certification documents from the dataset containing a match of the JavaCard API version using regular expressions (406 documents in total).

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Zaoral, L., Dufka, A., Svenda, P. (2024). The Adoption Rate of JavaCard Features by Certified Products and Open-Source Projects. In: Bhasin, S., Roche, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2023. Lecture Notes in Computer Science, vol 14530. Springer, Cham. https://doi.org/10.1007/978-3-031-54409-5_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-54409-5_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54408-8

  • Online ISBN: 978-3-031-54409-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics