Thomas Schäck

Securing e-business applications using smart cards

As the Internet is used increasingly as a platform for business transactions, security becomes a primary issue for Internet applications. Some applications are too sensitive for software-only security mechanisms. Higher levels of protection can be achieved with smart-card-based authentication schemes and transaction protocols. In this paper, we provide examples of typical banking applications implemented with smart cards using symmetrical (DES) and asymmetrical (RSA) cryptography. We present a pure JavaTM architecture for such applications, which is intended for use on standard Web application servers and client devices enabled for Web browsing and the Java language. It employs applets on the client side to access smart cards via the OpenCard Framework. The applets communicate with authentication servlets or application servlets on the server side and act as a mediator between the smart card and the application logic on the server.

The Service Layer

The OpenCard Framework service layer shields the application programmer from smart card details. This layer abstracts the smart card and on-card applications. Figure 10.1 shows the general structure of this layer.

Smart Card Readers and Terminals

To write and read data to a smart card or to execute a command on a smart card, it is necessary to have a physical connection with the card. To make the connection with a contact card, it has to be inserted in a smart card acceptance device. In this chapter we give an overview of the different types of card acceptance devices.

OCF and e-business

Today, a lot of companies and businesses are transforming into e-businesses to improve their internal efficiency, to improve the link to their suppliers, and to reach new markets via the Internet. The rising number of e-business transactions and increasing transaction values make security a top priority. As a result, integration of secure tokens like smart cards into e-business applications becomes more and more important (see Chapter 3).

Introduction to OpenCard

The history of the OpenCard Framework begins in 1997 with the introduction of the Network Computer. Companies like Sun, Oracle, and IBM worked on Network Computers to combine the advantages of a desktop computer with the low administration and maintenance cost of a terminal. The first Network Computers already contained smart card readers, and since Java is the language of choice on Network Computers, the idea of a Java framework for smart card access was born.

Smart Card Standards and Industry Initiatives

Standards like ISO 7816 and industry initiatives like EMV or Open-Card are necessary to ensure that smart card aware applications, cards, and card readers are built to uniform specifications. Without standards, interoperability is not possible. A smart card application or a card itself would be usable only in a very limited environment. But smart cards, readers, and applications developed and manufactured according to standards also work with devices developed by another company in a different part of the world.

Java Card and OCF

In this chapter, we present a sample Java Card applet together with the basic concepts of on-card programming for Java Cards. We explain the associated off-card programming and show how OCF brings off-card and on-card parts together. You can find a brief introduction to the Java Card platform in Section 2.3.2 “Java Card”.

Card and Application Management

In this chapter, we give an overview on card management and application management systems. We also describe how OCF can be used to support these systems on client devices. In Section 15.1, we give an overview on card, application and key management systems and the life cycles of cards and applications. Card management systems, as well as application management systems need to perform card-related actions on various client platforms. In Section 15.2, we show how the OpenCard Framework can be used to support application download to smart cards via the Internet and for application personalization via the Internet.

What Makes the Smart Card “Smart”?

In this chapter, we describe the different types of smart cards, explain their features and benefits, and give some recommendations on when to use which type. We also introduce the smart card hardware in this chapter. Since the focus of this book is on the software side, we will provide only a basic introduction to hardware terminology and concepts. If you have worked with smart cards before, you will probably want to skip this chapter.

Smart Cards and e-business

In recent time, e-business and m-business (mobile e-business) have become buzzwords that are often encountered in the media. Right now, a lot of companies and businesses are transforming into e-businesses and expanding to m-businesses to improve their internal efficiency, to improve the link to their suppliers and to reach new markets via the Internet.