
Java Card, MULTOS, .NET...? Smart card operating systems explained

Just like computers, smart cards come in all shapes and sizes (although not literally, since their physical properties are actually highly standardised!!)

Smart cards are, in fact, more similar to computers than you might at first think. Underneath that gold contact plate, or, indeed, embedded within the latest contactless-only smart card, there typically lies a powerful single-chip microcontroller that includes all of the components of a traditional computer:

  • A powerful processor (typically 32 bit, sometimes with a crypto co-processor)
  • Some permanent storage, for both programs and data (FLASH or EEPROM)
  • Some operating memory (i.e. RAM)
  • A communications interface with the outside world (serial comms, to ISO 7816)
  • An operating system (can either be fixed function, or programmable)

Smart card operating systems of the past

Twenty years ago, all smart card operating systems tended to be fixed function. Under this approach, someone decides exactly what the card should do, designs the method of organising the stored data and creates a fixed set of commands for telling the card what to do from the outside world. This is then baked into a card operating system (COS) that is permanently programmed into the card during manufacture as its operating firmware.

This works really well in many use cases, especially where the functions needed are well understood. The smart card operating system can be very compact and relatively simple, as it doesn’t need to handle concepts such as multiple applications or field updates, although clearly if some new requirement comes along then it needs to be addressed right back at the embedded firmware/manufacturer level, which can be slow and costly.

Fixed function smart cards – the ACOS range

There are several great fixed function smart cards around that are still used for all kinds of applications. Possibly the best example that we know of is the ACOS3 card from ACS. This is a general purpose smart card, which can be bought in a range of different memory sizes and interface options (contact, contactless or dual-interface) and which offers flexible features for securing and encrypting data for many different applications where hardware security is needed.

The ACOS3 card provides a basic level of encryption using, say, triple DES. The more powerful ACOS5 card is also fixed function, but adds a crypto co-processor that supports 3DES, AES and RSA, as well as SHA-256. This makes it suitable for PKI digital certificate smart card applications such as two-factor Windows logon and secure email signing, where the private key is generated on, and never leaves, the card. This card also meets stringent security standards including EAL5+ and FIPS 140-2.

The evolution of programmable smart cards

As processor chips have become more powerful, and the cost of on-board storage has fallen, the concept of the programmable smart card has grown in popularity. Here, the card is still supplied with an operating system, but the actual application(s) are loaded separately, often at a much later stage, and by different people in the chain of supply. Much like a desktop or laptop computer, this kind of card operating system looks after all of the low level functions, and provides developers with an environment where applications (known as applets) can be developed using specific programming languages and standardised APIs.

This approach has many benefits, including the ability to install multiple applets on one card, to update them in the field, and to manage the issuance of cards differently – for instance, ‘blank’ smart cards can now be manufactured in bulk, and personalised later, only when required.
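To make the contrast between the two models concrete, here is an added example (not from the original article or from any vendor's code): a toy Python model of a fixed-function card and a programmable card, both driven by short ISO 7816-4 command APDUs. The class names, the AID `F000000001` and the echo applet are assumptions made for illustration.

```python
# Added illustration; class names, the AID and the echo applet are constructed.
SW_OK, SW_NOT_FOUND, SW_INS_UNSUPPORTED = 0x9000, 0x6A82, 0x6D00

def parse_apdu(raw: bytes):
    """Split a short ISO 7816-4 command APDU into (ins, p1, p2, data, le)."""
    if len(raw) < 4:
        raise ValueError("header needs CLA INS P1 P2")
    ins, p1, p2, body = raw[1], raw[2], raw[3], raw[4:]
    if len(body) <= 1:      # case 1 (header only) or case 2 (Le only, 0 means 256)
        return ins, p1, p2, b"", (body[0] or 256) if body else None
    lc = body[0]
    if lc and len(body) in (1 + lc, 2 + lc):   # case 3, or case 4 with trailing Le
        le = (body[-1] or 256) if len(body) == 2 + lc else None
        return ins, p1, p2, body[1:1 + lc], le
    raise ValueError("unsupported or inconsistent Lc")

class FixedFunctionCard:
    """Command table is frozen in firmware; nothing can be added in the field."""
    def __init__(self):
        self._data = bytearray(8)
        self._commands = {0xB0: self._read, 0xD6: self._update}  # READ/UPDATE BINARY
    def _read(self, data, le):
        return bytes(self._data[:le or 0]), SW_OK
    def _update(self, data, le):
        self._data[:len(data)] = data[:8]      # storage never grows past 8 bytes
        return b"", SW_OK
    def transmit(self, raw):
        ins, _, _, data, le = parse_apdu(raw)
        handler = self._commands.get(ins)
        return handler(data, le) if handler else (b"", SW_INS_UNSUPPORTED)

class ProgrammableCard:
    """The OS only routes APDUs; behaviour comes from applets installed later."""
    def __init__(self):
        self._applets, self._selected = {}, None
    def install(self, aid, applet):  # real cards authenticate the loader first
        self._applets[bytes(aid)] = applet
    def transmit(self, raw):
        ins, p1, _, data, le = parse_apdu(raw)
        if ins == 0xA4 and p1 == 0x04:         # SELECT by AID
            self._selected = self._applets.get(data)
            return b"", (SW_OK if self._selected else SW_NOT_FOUND)
        if self._selected is None:
            return b"", SW_INS_UNSUPPORTED
        return self._selected(ins, data)

def echo_applet(ins, data):
    """Constructed applet: INS 0x10 returns its input reversed."""
    return (data[::-1], SW_OK) if ins == 0x10 else (b"", SW_INS_UNSUPPORTED)
```

The fixed-function card answers an unknown instruction with `6D00` forever, while the programmable card starts returning `9000` for the same AID once the applet has been installed.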

Various different programmable smart card operating systems have emerged over the years, just like they have with PCs. By far the most popular is Java Card, originally conceived by Sun Microsystems and now managed by Oracle as a common standard that many different card manufacturers work to. Others include .NET (now end of life), BasicCard (possibly the easiest to get started with) and MULTOS (probably the most secure).

Each smart card operating system has its pros and cons, and, within each one, there are often multiple versions that provide different features and levels of functionality. As encryption technology progresses, for example with the introduction of elliptic curve (ECC) algorithms, and new national standards emerge, such as FIPS 140 and FIPS 201, so the chips and operating systems are developed to support them.

There is also an important framework known as GlobalPlatform, which is independent of any particular operating system, but which provides a common approach for managing multiple applications on a card, and the security involved in loading, configuring, updating and communicating with these applications.

Together, mature and widespread smart card operating systems, such as Java Card and MULTOS, along with GlobalPlatform, have been used to power and secure most of the mass market roll-outs of EMV payment and GSM SIM cards as well as many secure government identity and authentication smart cards such as CAC, PIV, digital tachograph and national ID cards around the world.

Sourcing smart cards – your one stop shop

It has always been difficult for developers to obtain small numbers of smart cards running different operating systems, along with all of the information and help needed to use and program them for various applications. Smartcard Focus was launched over 15 years ago to address this market, and has grown to become the trusted source for many different types of card, most of which are held in stock for immediate shipment around the globe, along with associated developer kits, finished solutions and smart card reader/writers. Smartcard Focus also offers in-depth technical support, thanks to its highly experienced in-house R&D team, and also specialises in sourcing and/or manufacturing custom smart cards, including hybrid cards where a contact smart card chip is embedded into a card body containing one or more RFID chips, in order to produce a solution that works with multiple systems.
