Nick,

On Wed, 2011-05-25 at 03:49 -0700, Nick Wiedenbrueck wrote:
> On 25 Mai, 11:49, Russel Winder <[email protected]> wrote:
> > I assume that EMV and other smartcards are still being programmed in
> > either C, EC++ or Java Card. Given the increasing importance of smart
> > cards in the world, having people who can work with ISO 7816 and ISO
> > 14443 is somewhat crucial. On the other hand trying to work with those
> > protocols is a definite quick route to the asylum.
>
> All right, yesterday I still thought it would be fun to mess around with
> Java Card, but this sounds kinda scary.

JavaCard itself is actually very simple, very straightforward, and a not bad technology to work with -- assuming you can afford the licence fees if you ever release product. Actually C and C++ are probably better for this sort of work due to the less constrained semantics of the byte, short and int data types, and the presence of unsigned versions! As you probably guessed, it is all about bit-mangling and Java isn't good at that. JavaCard is, though, its own operating system, whereas using C and C++ you need an operating system underneath to create security silos for the applications. But most chip companies provide a lot of hardware support for this, so the OSs tend to be small, simple and pre-loaded in ROM.

The problem that prompted me to say asylum is the underlying ISO 7816 and 14443 protocols. They are extraordinarily fiddly bit-twiddling based since they were designed for the days when you were lucky if you had 256 bytes of RAM. The protocol remains the same even now you have 16kB or more. Also the protocol nigh on assumed an 8051, where now ARM is very popular.

The real question is whether anyone actually wants to run applications on smartcards or whether they are just used as security tokens -- i.e. the one and only application on the smartcard is the one that receives the PIN from the reader and returns true/false. Network operators used to want to have applications on SIM cards as it was the only computing resource they had control over. With modern smart phones this makes little sense; it is much better to control the phone in some way. Hence all the lock downs, and phone branding.

Local authorities (at least in the UK) were looking into putting applications onto cards to allow people to carry their data with them, especially across authority boundaries. However all the projects went to the wall in favour of using communications at the database level with the card just a security token.

UK id cards went to the wall, which killed off a lot of interest in smartcards that the use of them in passports hasn't offset since it is a closed cartel. Though reading the data on the passport is fairly straightforward. You just need to spend some time deducing the cryptography keys.

Of course my day-to-day connection with all this is now 6 years out of date, which is both a very short and very long time. It is short as projects and processes take eons, it is long as the technology has probably changed 4 times in that period.

--
Russel.
=============================================================================
Dr Russel Winder      t: +44 20 7585 2200   voip: sip:[email protected]
41 Buckmaster Road    m: +44 7770 465 077   xmpp: [email protected]
London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder
