Smart cards evolving into data servers
- By Joab Jackson
- May 10, 2007
SAN FRANCISCO'Although they are as thin as credit cards and hold only minute amounts of data, smart cards are rapidly starting to operate like tiny Web servers, according to Eric V'tillard, chief technology officer for Trusted Labs, a security consulting firm based in Sophia Antipolis, France.
To this end, Sun Microsystems is shaping its next-generation JavaCard specification to a server-programmer model, said Saqid Ahmad, Sun's engineering lead for the JavaCard platform.
Both technologists spoke at the JavaOne conference this week about the direction of smart-card development. Both technologists see smart cards becoming more like personal data servers, the units interacting with their host mobile phone or personal computer in much the same way a Web server would.
Although the first cards had only a few kilobytes of memory'enough to hold only scant amounts of information'today's cards can offer a physical platform with which a variety of fairly sophisticated transactions can be staged. The new cards have up to a megabyte or more for read-only memory, with which to store an operating system, as well as a few hundred kilobytes of some sort of flash memory for programs and even random access memory for scratch space. And unlike memory cards, smart cards have simple processors.
As a result of this shift, your next-generation smart cards could run servlets instead of applets. And they will communicate by TCP/IP instead of the simpler Application Protocol Data Unit, standard for simple card-based communications. And they will hold both data, small applications and authentication tokens.
'It's a more complex type of environment we're talking about here,' Ahmad said.
The current JavaCard specification version 2.2 is a subset of the Java standard edition, he added. This version features a split Java Virtual machine, where half the duties of running a program fall on the card and the other half fall on the supporting device. Each application is protected from other applications by a firewall, though they can share data.
The new specification now being developed will be in effect an embedded web server with Java application programming interface support, according to Ahmad. The software will actually be a subset of the Java Enterprise Edition platform, and will be able to run servlets, or programs able to dynamically assemble content on the fly.
The new architecture is moving toward a model of supporting multiple applications, where applications can share Java objects in addition to data. It will also support for multi-threading.
One of the chief uses for smart cards continues to be as authentication servers, V'tillard said. In this scenario, a mobile phone or computer consults the card to get proof of the identity of person using the device, perhaps in conjunction with a password stored on the card.
It makes more sense to use the card rather than the phone itself as the authentication device, as commercial mobile phone software tends to be a collection of best-of-breed applications that are often written without security in mind, V'tillard said. The developer can keep tighter control of a smart card environment.
Since contactless cards interact wirelessly, security advocates have voiced concerns about the cards being read without the user's knowledge. But the card developer could design the software so that the card will not relay any information wirelessly before getting the owner's approval, say by having the user click on an agreement button.
'Smart cards are good roots of trust. They provide a reasonably high level of security. They are easy to isolate, and they can minimize the trusted subsystems' required to complete a task, V'tillard said.
Joab Jackson is the senior technology editor for Government Computer News.