The world of Java Card

moznion
September 07, 2018

slides for #builderscon tokyo 2018

Transcript

  1. The world of Java Card
    builderscon tokyo 2018
    @moznion

  2. @moznion
    Software engineer
    Favorite Java class: CompletableFuture

  3. GOAL: Everyone becomes able to write a Java Card Applet

  7. Java Cards around us
    - Credit cards
    - SIM cards
    - and so on

  8. Java Cards around us
    - Credit cards
    - SIM cards
    - and so on

  9. The world of Java Card
    The world of SIM Card?
    builderscon tokyo 2018
    @moznion

  10. Fun "Java (Card) or Not Java" quiz

  12. C

  14. Java Card

  15. Easy, right?

  17. Not Java Card (C)

  18. Not Java Card (C)
    Java Card cannot handle float

  20. Not Java Card (C)

  21. Not Java Card (C)
    Java Card cannot handle char

  23. Java Card

  24. Java Card
    Java Card can handle it if it is a byte

  26. Did you get it?

  27. You got it, right?

  28. Smart Card

  29. Smart Card
    - Defined in ISO 7816
    - There are two types
      - Intelligent Smart Card
      - Memory Card
    - Java Card is an Intelligent Smart Card

  30. Smart Card Memory
    - Three types of memory sit on the card
      - Persistent Immutable Memory: ROM
      - Persistent Mutable Memory: EPROM
      - Non-Persistent Mutable Memory: RAM

  31. Smart Card Interface
    - Communication with the outside world goes through the Card Acceptance Device (CAD) and the contact points on the card
    - The card exchanges data with the outside world using its own protocol => APDU

  32. APDU

  33. APDU
    - APDU: Application Protocol Data Units
    - A smart card communicates by means of APDUs
    OFCOM: Reprogrammable SIMs: Technology, Evolution and Implications

  34. APDU
    - APDUs basically come in pairs
      - Command (Request) APDU
      - Response APDU
    - The command side needs to know the details of the response

  35. Command APDU
    Mandatory header: CLA | INS | P1 | P2
    Optional body: Lc | Data field | Le
    - CLA (1 byte): identifier of the class (application)
    - INS (1 byte): instruction code; this selects the operation
    - P1/P2 (1 byte/1 byte): instruction parameters
    - Lc (1 byte): byte length of the data field
    - Data field (Lc bytes): arbitrary byte sequence
    - Le (1 byte): maximum byte length allowed for the data field of the response

  36. Response APDU
    Optional body: Data field
    Mandatory trailer: SW1 | SW2
    - Data field (Le bytes): byte sequence of the response data
    - SW1/SW2 (1 byte/1 byte): status word

  37. UICC
    (Universal Integrated Circuit Card)

  38. UICC (Universal Integrated Circuit Card)
    - A kind of Intelligent Smart Card
    - Capable of a certain amount of computation
    - The execution platform for Java Card (3.0.1 and later)

  39. UICC (Universal Integrated Circuit Card)
    - CPU: 32bit
    - Electrical characteristics: 1.8 / 3 / 5V
    - Clock: 1~5MHz
    - ROM: 16KB~
    - EEPROM: 8KB~
    - RAM: 256B~

  40. UICC Architecture
    OFCOM: Reprogrammable SIMs: Technology, Evolution and Implications

  41. UICC Architecture
    [Diagram; block labels: Core O.S; UICC; Card Manager and Security domains; Remote Applet Management; Core Applications (USIM); File System servers; Toolkit and Javacard runtime environment; Javacard packages; Javacard Applet; UICC API and USIM API; Javacard Toolkit Applet]

  42. Java Card

  43. Java Card ∈ Smart Card

  44. History of Java Card
    https://en.wikipedia.org/wiki/Java_Card
    [Timeline figure]
    Versions:
    - Version 2.1 (07.06.1999)
    - Version 2.1.1 (18.05.2000)
    - Version 2.2 (11.2002)
    - Version 2.2.1 (10.2003)
    - Version 2.2.2 (03.2006)
    - Version 3.0.1 (15.06.2009)
    - Version 3.0.4 (06.08.2011)
    - Version 3.0.5 (03.06.2015)
    Feature labels on the timeline:
    - RSA without padding
    - AES cryptography key encapsulation
    - CRC algorithms
    - ECC key encapsulation
    - Diffie-Hellman key exchange
    - Improved Logical Channels support (20)
    - SHA-256, SHA-384, SHA-512
    - ISO9796-2
    - HMAC
    - Korean SEED MAC NOPAD
    - Korean SEED NOPAD
    - Classic and Connected editions
    - SHA-224, SHA-2 for all signature algorithms
    - DES MAC8 ISO9797
    - Diffie-Hellman modular exponentiation
    - Domain Data Conservation for Diffie-Hellman
    - Elliptic Curve and DSA keys
    - RSA-3072
    - SHA3
    - plain ECDSA
    - AES CMAC
    - AES CTR
    - Added the AppletEvent interface with the uninstall method
    - Added the isAppletActive method to the JCSystem class

  45. Java Card
    - The Java runtime that runs on the UICC: JCRE
    - The bytecode that runs on a Java Card is a subset of ordinary JVM bytecode
    - => in other words, functionality is restricted

  46. Java Card Restrictions
    - Examples of restricted features
    - Dynamic class loading
    - Security Manager
    - Thread
    - Object cloning
    - Finalization
    - Large primitive data types
    - Basically operates with 16 bits as the upper limit (with exceptions)
    - primitive type
    - native methods

  47. Java Card Memory Lifecycle
    - Once a variable is no longer referenced, it is either lost or garbage-collected
    - Whether there is a GC at all depends on the card's implementation

  48. Java Card Security Functions
    - Sandbox feature
    - The Java Card firewall isolates the environments of the applets running on a single card
    - An applet can also explicitly share its objects with other applets
    - capability control
    - For secure operation on the smart card
    - e.g. memory, CPU

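  49. Java Card Memory
    - As in the Smart Card specification, there are three types of memory
      - ROM
      - EEPROM
      - RAM

  50. Java Card Memory
    Basically, all instance variables are written to EEPROM!!!!

  51. Java Card Memory
    - Meaning?
    - Instance variable data survives even when the power is cut!
    - Strictly speaking, the JVM does not stop even when the power is cut
    - Writing to instance variables over and over will break the card!!!!!
    - (You have to work around this with the technique described later)

  52. Java Card Memory
    - What about RAM?
    - RAM does exist, but it is very small
    - Contention for it occurs (an exception is thrown)
    - Use it only for truly temporary data or truly sensitive data

  53. Java Card JVM Lifecycle
    - Once a Java Card JVM comes into the world, it keeps running for life
    - There is no concept of shutdown
    - Time without a power supply is regarded as an "infinite clock cycle"

  54. Java Card Lifecycle
    - Initialization phase
      - Written to the immutable memory (ROM) area
      - e.g. issuer name, manufacturer name, etc.
    - Personalization phase
      - Written to the immutable memory (ROM) area
      - e.g. user name, keys, PIN, etc.
    - A blank card has usually already been through the initialization phase when you buy it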

  55. UICC Architecture
    [Diagram: same block labels as slide 41]

  56. UICC Architecture
    [Diagram: same block labels as slide 41]

  57. Applet!!!

  58. Applet...?

  59. Applet...?
    No!

  60. Applet
    - Not the so-called Java Applet
    - The unit of application run on the Java Card Runtime
    - Multiple applets can be stored on a Java Card
    - Multiple applets cannot run at the same time
    - select()/deselect() switch which applet is running

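  61. Java Card Development

  62. Extreme Environment
    - int is usable only in very limited situations
      - Java Card 3.0 and later (not usable in Classic)
      - Use short unless there is a special reason not to
    - float and double cannot be used
    - String cannot be used either
      - (Actually, it can be used in modern Java Card environments)
      - Use a byte array (byte[]) instead
    - Multidimensional arrays cannot be used either

  63. Extreme Environment
    - Instance variables are stored in EEPROM
      - EEPROM lifetime is roughly 100,000 writes
      - Write to it too much and it breaks
    - Local variables are stored in RAM
      - But only native types
    - What if you really want to keep something in RAM?
      - Use a transient array
      - JCSystem.makeTransientByteArray((short)255,JCSystem.CLEAR_ON_RESET);
      - It cannot be moved back to EEPROM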

  64. Compilation and bytecode conversion
    [Diagram labels: .java, COMPILE, class, .exp, CONVERT, .cap, .jca]

  65. Compilation and bytecode conversion
    [Same diagram labels as slide 64, with the annotation:]
    The ordinary JDK
    (1.6 is stable...)

  66. Compilation and bytecode conversion
    [Same diagram labels as slide 64, with the annotation:]
    Java Card Development Kit
    Converts the bytecode

  67. Tool chain
    - IDE: Eclipse
      - The only IDE with a javacard plugin?
    - JDK: JDK 1.6 (or later?)
    - JCDK: Java Card Development Kit (match the JCDK to the Java Card version)

  68. Tool chain
    - Loading onto card: Smart Card Reader Writer
    - Live testing: NomadLAB Contact Spy, etc...

  69. Basic operation of an applet

  70. Basic operation of an applet
    Implement this
    Defined in javacard.framework.Applet

  71. Source Code Sample:
    https://gist.github.com/moznion/3bfbc5121afceaebcc77964b4b94517a

  72. Summary

  73. Summary
    - You now understand smart cards
    - You now understand APDU
    - You now understand Java Card
    - You are now able to write an applet that runs on Java Card (JCRE)

  74. However...

  75. Applet Write

  76. Applet Write

  77. Applet Write
    Why????

  78. Applet Write

  79. Writing to the card requires a key
    - You need a key issued by a certification authority
    - At least at the hobby level, such a key cannot be obtained... (it seems)

  80. Applet Write
    AID

  81. Running on the card also requires an AID
    - Registering an applet requires an AID (Application Identifier)
    - The AID contains an RID, which is managed by ISO
    - At the hobby level you cannot get an RID (it seems...)

  82. So we can't write to it at all!!!!!

  83. Q?

  84. Referenced docs
    - ISO 7816-4
      - https://www.iso.org/standard/54550.html
    - Java Card Platform Specification
      - https://docs.oracle.com/javacard
    - How to write a Java Card applet: A developer's guide
      - https://www.javaworld.com/article/2076450/client-side-java/how-to-write-a-java-card-applet--a-developer-s-guide.html

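  85. Fun appendix
    Where can you buy a Java Card?

  86. Buying a Java Card
    - I went and looked on Amazon, and they were on sale...

  87. Buying a Java Card
    - I went and looked on Aliexpress, and they were on sale...

  88. Buying a Java Card
    - If you are buying for work, you will probably buy from a specialist vendor
      - Gemalto
      - IDEMIA
      - and so on

  89. Fun appendix
    How do you test a Java Card?

  90. Testing Java Card
    - The part that compiles source code to bytecode is the ordinary JDK
    - So you can just write Java and test it as usual

  91. Testing Java Card
    - You can also test by actually feeding in APDUs
    - We call this offline testing (is that a common term?)
    - Connect to a card reader, flash the card, and feed in APDUs
    - Then test the response APDUs

  92. Testing Java Card
    - You can also debug by intercepting the APDUs of a production-ready card
    - Some tools can even transmit over radio
    - Use something like NomadLAB Contact Spy
    - It is extremely expensive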

  93. Fun appendix
    Java Card also has a directory structure

  94. Directory structure inside a Java Card
    - Readable and writable via APDU