The world of Java Card

moznion
September 07, 2018

slides for #builderscon tokyo 2018

Transcript

  1. The world of Java Card builderscon tokyo 2018 @moznion

  2. @moznion Software engineer Favorite Java's class: CompletableFuture

  3. GOAL: Everyone becomes able to write a Java Card Applet

  4. None
  5. None
  6. None
  7. Java Cards around us - Credit cards - SIM cards - and so on
  8. Java Cards around us - Credit cards - SIM cards - and so on

  9. The world of Java Card The world of SIM Card? builderscon tokyo 2018 @moznion
  10. Fun "Java (Card) or Not Java" quiz

  11. None
  12. C

  13. None
  14. Java Card

  15. Easy, right?

  16. None
  17. Not Java Card (C)

  18. Not Java Card (C) - Java Card cannot handle float

  19. None
  20. Not Java Card (C)

  21. Not Java Card (C) - Java Card cannot handle char

  22. None
  23. Java Card

  24. Java Card - Java Card can handle it if it is a byte

  25. None
  26. Got it?
  27. You got it

  28. Smart Card

  29. Smart Card - Defined in ISO 7816 - There are two types - Intelligent Smart Card - Memory Card - A Java Card is an Intelligent Smart Card
  30. Smart Card Memory - Three types of memory are on the card - Persistent Immutable Memory: ROM - Persistent Mutable Memory: EPROM - Non-Persistent Mutable Memory: RAM
  31. Smart Card Interface - Communication with the outside world goes through the Card Acceptance Device (CAD) and the Contact Points on the card - The card exchanges data with the outside world using its own protocol => APDU
  32. APDU

  33. APDU - APDU: Application Protocol Data Units - A Smart Card communicates by means of APDUs (figure: OFCOM: Reprogrammable SIMs: Technology, Evolution and Implications)
  34. APDU - APDUs basically come in pairs - Command (Request) APDU - Response APDU - The Command needs to know the details of the Response
  35. Command APDU - Mandatory header: CLA INS P1 P2 - Optional body: Lc, Data field, Le - CLA (1 byte): identifier of the class (application) - INS (1 byte): instruction code; this selects the operation - P1/P2 (1 byte/1 byte): instruction parameters - Lc (1 byte): byte length of the Data field - Data field (Lc bytes): arbitrary byte string - Le (1 byte): maximum byte length allowed for the Data field of the response
  36. Response APDU - Optional body: Data field - Mandatory trailer: SW1 SW2 - Data field (Le bytes): byte string of the response data - SW1/SW2 (1 byte/1 byte): status word
  37. UICC (Universal Integrated Circuit Card)

  38. UICC (Universal Integrated Circuit Card) - A kind of Intelligent Smart Card - Capable of a certain amount of computation - The execution platform for Java Card (3.0.1 and later)
  39. UICC (Universal Integrated Circuit Card) - CPU: 32 bit - Electrical characteristics: 1.8 / 3 / 5 V - Clock: 1 to 5 MHz - ROM: 16 KB and up - EEPROM: 8 KB and up - RAM: 256 B and up
  40. UICC Architecture OFCOM: Reprogrammable SIMs: Technology, Evolution and Implications

  41. UICC Architecture (diagram labels: Core O.S UICC Card Manager and Security domains Remote Applet Management Core Applications (USIM) File System servers Toolkit and Javacard runtime environment Javacard packages Javacard Applet UICC API and USIM API Javacard Toolkit Applet)
  42. Java Card

  43. Java Card ∈ Smart Card

  44. History of Java Card - https://en.wikipedia.org/wiki/Java_Card - Version 2.1 (07.06.1999) - Version 2.1.1 (18.05.2000) - Version 2.2 (11.2002) - Version 2.2.1 (10.2003) - Version 2.2.2 (03.2006) - Version 3.0.1 (15.06.2009) - Version 3.0.4 (06.08.2011) - Version 3.0.5 (03.06.2015) - RSA without padding - AES cryptography key encapsulation - CRC algorithms - ECC key encapsulation - Diffie-Hellman key exchange - Improved Logical Channels support (20) - SHA-256, SHA-384, SHA-512 - ISO9796-2 - HMAC - Korean SEED MAC NOPAD - Korean SEED NOPAD - Classic and Connected editions - SHA-224, SHA-2 for all signature algorithms - DES MAC8 ISO9797 - Diffie-Hellman modular exponentiation - Domain Data Conservation for Diffie-Hellman - Elliptic Curve and DSA keys - RSA-3072 - SHA3 - plain ECDSA - AES CMAC - AES CTR - Added the AppletEvent interface with the uninstall method - Added the isAppletActive method to the JCSystem class
  45. Java Card - The Java runtime that runs on the UICC: JCRE - The bytecode that runs on a Java Card is a subset of ordinary JVM bytecode - => In other words, functionality is restricted
  46. Java Card Restrictions - Examples of restricted features - Dynamic class loading - Security Manager - Thread - Object cloning - Finalization - Large primitive data types - Basically operates with 16 bits as the upper limit (with exceptions) - primitive type - native methods
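  47. Java Card Memory Lifecycle - Once a variable is no longer referenced, it is either lost or garbage-collected - Whether there is a GC depends on the card's implementation
  48. Java Card Security Functions - Sandboxing - The Java Card firewall isolates the environments of the applets running on a single card - An applet's objects can also be shared explicitly with other applets - Capability control - For secure operation on the smart card - e.g. memory, CPU
  49. Java Card Memory - As in the Smart Card specification, there are three types of memory - ROM - EEPROM - RAM
  50. Java Card Memory - Basically, all instance variables are written to EEPROM!!!!
  51. Java Card Memory - So? - Instance variable data remains even when the power is cut! - Strictly speaking, the JVM does not stop even when the power is cut - Writing to instance variables over and over breaks the card!!!!! - (You have to work around this with the techniques described later)
  52. Java Card Memory - What about RAM? - There is RAM, but it is very small - Contention occurs (exceptions are thrown) - Use it only for truly temporary data or truly sensitive data
  53. Java Card JVM Lifecycle - Once a Java Card JVM comes into existence, it keeps running for its whole life - There is no concept of shutdown - When no power is supplied, it is treated as an "infinite clock cycle"
  54. Java Card Lifecycle - Initialization phase - Writes to the immutable memory (ROM) area - e.g. issuer name, manufacturer name, etc. - Personalization phase - Writes to the immutable memory (ROM) area - e.g. user name, key, PIN, etc. - When you buy a blank card, it has usually been taken through the initialization phase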
  55. UICC Architecture (same diagram labels as slide 41)
  56. UICC Architecture (same diagram labels as slide 41)
  57. Applet!!!

  58. Applet...?

  59. Applet...? No!

  60. Applet - Not the so-called Java Applet - The unit of application run by the Java Card Runtime - Multiple applets can be stored on a Java Card - Multiple applets cannot be executed at the same time - select()/deselect() switches which applet runs
  61. Java Card Development

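  62. Extreme Environment - int can be used only in very limited situations - Java Card 3.0 or later (not available in Classic) - Use short unless there is a special reason - float and double cannot be used - String cannot be used either - (actually it can be used in a modern Java Card environment) - Use a byte array (byte[]) instead - Multidimensional arrays cannot be used either
  63. Extreme Environment - Instance variables are stored in EEPROM - EEPROM lifetime is roughly 100,000 writes - Writing over and over wrecks it - Local variables are stored in RAM - but only native types - What if you really want to store something in RAM? - Use a transient array - JCSystem.makeTransientByteArray((short)255, JCSystem.CLEAR_ON_RESET); - This cannot be moved back to EEPROM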
  64. Compilation and bytecode conversion (diagram: .java, COMPILE, class, .exp, CONVERT, .cap, .jca)
  65. Compilation and bytecode conversion (diagram: .java, COMPILE, class, .exp, CONVERT, .cap, .jca) - COMPILE: the ordinary JDK (1.6 is stable...)
  66. Compilation and bytecode conversion (diagram: .java, COMPILE, class, .exp, CONVERT, .cap, .jca) - CONVERT: Java Card Development Kit, converts the bytecode
  67. Tool chain - IDE: Eclipse - the only IDE with a javacard plugin? - JDK: JDK 1.6 (or later?) - JCDK: Java Card Development Kit (match the JCDK to the Java Card version)
  68. Tool chain - Loading onto card: Smart Card Reader Writer - Live testing: NomadLAB Contact Spy, etc...
  69. Basic behavior of an Applet
  70. Basic behavior of an Applet - Implement these - Defined in javacard.framework.Applet
  71. Source Code Sample: https://gist.github.com/moznion/3bfbc5121afceaebcc77964b4b94517a
  72. Summary
  73. Summary - We now understand Smart Card - We now understand APDU - We now understand Java Card - We can now write an Applet that runs on Java Card (JCRE)
  74. However...

  75. Applet Write

  76. Applet Write ❌

  77. Applet Write ❌ Why????

  78. Applet Write

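  79. Writing to the card requires a key - A key issued by a certification authority is required - At least at the hobby level, the key cannot be obtained... (I believe)
  80. Applet Write AID
  81. Running on the card also requires an AID - Registering an Applet requires an AID (Application Identifier) - The AID contains an RID managed by ISO - At the hobby level you cannot get an RID (I believe...)
  82. So we can't write it!!!!!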

  83. Q?

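  84. Referenced docs - ISO 7816-4: https://www.iso.org/standard/54550.html - Java Card Platform Specification: https://docs.oracle.com/javacard - How to write a Java Card applet: A developer's guide: https://www.javaworld.com/article/2076450/client-side-java/how-to-write-a-java-card-applet--a-developer-s-guide.html
  85. Fun appendix: Where can you buy a Java Card?
  86. Buying a Java Card - I went to look on Amazon and they were selling them...
  87. Buying a Java Card - I went to look on Aliexpress and they were selling them...
  88. Buying a Java Card - If you are buying for work, you will probably buy from a specialist vendor - Gemalto - IDEMIA - and so on
  89. Fun appendix: How do you test a Java Card?
  90. Testing Java Card - The part that compiles source code to bytecode is the ordinary JDK - So you can write ordinary Java and test it
  91. Testing Java Card - You can also test by actually feeding in APDUs - We call this offline testing (is that a common term?) - Connect to a card reader, write to the card, and feed in APDUs - Then test the response APDUs
  92. Testing Java Card - You can also debug by intercepting the APDUs of a production-ready card - Some tools can even transmit over radio - Use something like NomadLAB Contact Spy - It is extremely expensive
  93. Fun appendix: Java Card also has a directory structure
  94. Directory structure inside a Java Card - Readable and writable via APDU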
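
Added example (not part of the original slides or the author's gist): a Python parser for the short command and response APDU layouts described on slides 35 and 36, of the kind useful for checking APDU traces in the offline tests of slide 91. The CLA/INS values and sample bytes are constructed, and the rule that an Le byte of 0x00 means 256 comes from ISO 7816-4 rather than from the slides.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class CommandAPDU:
    cla: int                   # class (application) identifier
    ins: int                   # instruction code
    p1: int                    # instruction parameter 1
    p2: int                    # instruction parameter 2
    data: bytes = b""          # optional data field (Lc bytes)
    le: Optional[int] = None   # max response data length; None = no Le byte

def parse_command(raw: bytes) -> CommandAPDU:
    """Parse a short command APDU (1-byte Lc and Le, as on slide 35)."""
    if len(raw) < 4:
        raise ValueError("missing mandatory header CLA INS P1 P2")
    header, body = raw[:4], raw[4:]
    if len(body) == 0:                    # header only
        return CommandAPDU(*header)
    if len(body) == 1:                    # header + Le (0x00 means 256, ISO 7816-4)
        return CommandAPDU(*header, le=body[0] or 256)
    lc, rest = body[0], body[1:]
    if lc == 0:
        raise ValueError("Lc=0 followed by bytes: extended length is not handled here")
    if len(rest) == lc:                   # header + Lc + data
        return CommandAPDU(*header, data=rest)
    if len(rest) == lc + 1:               # header + Lc + data + Le
        return CommandAPDU(*header, data=rest[:lc], le=rest[lc] or 256)
    raise ValueError(f"Lc={lc} does not match {len(rest)} remaining byte(s)")

def parse_response(raw: bytes, le: Optional[int] = None) -> Tuple[bytes, int]:
    """Split a response APDU into (data field, SW1SW2 as a 16-bit status word)."""
    if len(raw) < 2:
        raise ValueError("missing mandatory trailer SW1 SW2")
    data, sw = raw[:-2], (raw[-2] << 8) | raw[-1]
    if le is not None and len(data) > le:
        raise ValueError(f"card returned {len(data)} bytes but Le allowed {le}")
    return data, sw

# Constructed sample exchange (not captured from a real card):
# CLA=80 INS=10 P1=01 P2=02, Lc=03, data=AA BB CC, Le=00
SAMPLE_COMMAND = bytes.fromhex("80100102" "03" "aabbcc" "00")
SAMPLE_RESPONSE = bytes.fromhex("cafe" "9000")   # data CA FE, SW1SW2 = 9000

if __name__ == "__main__":
    cmd = parse_command(SAMPLE_COMMAND)
    print(cmd)
    print(parse_response(SAMPLE_RESPONSE, cmd.le))
```

A length mismatch between Lc and the bytes that follow raises ValueError instead of being silently truncated, which is the check to keep when replaying traces against an applet under test.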