Analysis of JavaCard open-source ecosystem

Petr Svenda
Published in Cyber Shards
Jun 7, 2017

Programmable smartcards are not just a piece of plastic for your headshot or a dumb portable store for cryptographic keys. Instead, they can perform on-card key generation, digital signatures combined with one-time passwords, or even run relatively complex applications like web servers with clients connecting via HTTPS. These applications benefit from an environment with high physical security, which includes built-in cryptographic accelerators, true random number generators, and protected data storage.

Although the smartcard industry is more secretive than it should be, with proprietary APIs and non-disclosure agreements (NDAs) at almost every step, the open JavaCard platform, which has existed since about 1999, offers an opportunity to write your own portable and open-source applications.

You can buy JavaCard-enabled smartcards for as little as $3, even in small quantities. No special skills are required: programming is done in plain Java, and the development toolchain is available for free.

I have recently spent some time sifting through all GitHub repositories for Java smart card projects searching for “import javacard.framework” — a sign of JavaCard applets, or relevant applications.

I used all that information to create a curated list (https://github.com/EnigmaBridge/javacard-curated-list). At the moment (7th June, 2017), there are 130 projects listed in five categories: Applets, Library code, Developer tools, JavaCard simulators, and Learning.
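As an added illustration of the search described above (this is not the author's tooling, and the file-level categories are my own heuristic, not the criteria used for the curated list), here is a small Java program that walks a checked-out repository and sorts its .java files by the same "import javacard" marker. It makes the caveat explicit: the import string alone also matches library code that merely uses the API, and simulators that re-implement it, so only a class extending javacard.framework.Applet is counted as an actual applet.

```java
// Added example, not the post author's tooling: heuristic classification of
// .java files in a checked-out repository, by the markers explained in the lead-in.
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.EnumMap;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Stream;

public class JavaCardRepoScan {
    enum Kind { APPLET, LIBRARY, SIMULATOR, HOST_TOOL, NONE }

    // The marker from the post: code written against the JavaCard API imports
    // javacard.* (or javacardx.* for the optional cryptography packages).
    private static final Pattern JC_IMPORT =
        Pattern.compile("^\\s*import\\s+javacardx?\\.", Pattern.MULTILINE);
    // Only a class extending javacard.framework.Applet is something a card can load.
    private static final Pattern APPLET_CLASS =
        Pattern.compile("\\bextends\\s+(javacard\\.framework\\.)?Applet\\b");
    // Simulators re-implement the API, so they *declare* the javacard packages.
    private static final Pattern SIM_PACKAGE =
        Pattern.compile("^\\s*package\\s+javacardx?\\.", Pattern.MULTILINE);
    // Host-side tools talk to the card through javax.smartcardio and never import javacard.*.
    private static final Pattern HOST_IMPORT =
        Pattern.compile("^\\s*import\\s+javax\\.smartcardio\\.", Pattern.MULTILINE);

    // Classifies one source file; the order matters, since a simulator file
    // may both declare a javacard package and import other javacard packages.
    static Kind classify(String source) {
        if (SIM_PACKAGE.matcher(source).find()) return Kind.SIMULATOR;
        boolean usesJcApi = JC_IMPORT.matcher(source).find();
        if (usesJcApi && APPLET_CLASS.matcher(source).find()) return Kind.APPLET;
        if (usesJcApi) return Kind.LIBRARY;
        if (HOST_IMPORT.matcher(source).find()) return Kind.HOST_TOOL;
        return Kind.NONE;
    }

    // Walks the tree once and counts files per kind.
    static Map<Kind, Integer> scan(Path root) throws IOException {
        Map<Kind, Integer> counts = new EnumMap<>(Kind.class);
        for (Kind k : Kind.values()) counts.put(k, 0);
        try (Stream<Path> files = Files.walk(root)) {
            files.filter(p -> p.toString().endsWith(".java")).forEach(p -> {
                try {
                    // ISO-8859-1 never fails to decode, so odd encodings don't abort the scan.
                    String src = new String(Files.readAllBytes(p), StandardCharsets.ISO_8859_1);
                    counts.merge(classify(src), 1, Integer::sum);
                } catch (IOException e) {
                    throw new UncheckedIOException(e);
                }
            });
        }
        return counts;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        Map<Kind, Integer> counts = scan(root);
        counts.forEach((k, n) -> System.out.println(k + ": " + n));
        // A repository matched by the import search but with no APPLET files is
        // library, simulator or tooling code rather than an applet project.
        System.out.println(counts.get(Kind.APPLET) > 0
            ? "contains applet code" : "no applet class found");
    }
}
```

Run it as `java JavaCardRepoScan /path/to/checkout`; a project whose counts are all in LIBRARY or SIMULATOR matched the import search but would belong under "Library code" or "JavaCard simulators" rather than "Applets", which is exactly why the manual check behind the curated list is still needed.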

You are encouraged to contribute!

As most of the relevant repositories are on GitHub, I present here some statistics and also wider conclusions about the JavaCard community active on GitHub.

Popular JavaCard repositories

The most popular JavaCard-related repository is Yubico’s ykneo-openpgp applet (originally from Radboud University Nijmegen), which implements the card-side component of the OpenPGP standard and has 149 stars. It is followed by Licel’s JCardSim applet simulator (very helpful for automated testing), Martin Paljak’s AppletPlayground (a set of well-prepared applets for beginners to fiddle with) and LedgerHQ’s Bitcoin Hardware Wallet. The top five is completed by another Yubico project, ykneo-oath, an HOTP/TOTP applet generating one-time passwords. In total, there are 20 repos with at least 10 stars.

Popularity of GitHub repositories according to number of stars awarded.
How frequently are other developers forking the main repo?

JavaCard open-source developers don’t seem to bother with releases: only 19 projects made at least one release, and only 10 made more than two.

Number of releases of a project.

Activity of JavaCard projects

The activity of a project can be judged, to some extent, by the number of contributors, commits, forks, or issues (both open and closed).

Number of contributors working on a project.
Number of git commits.
Number of closed and open issues.

Again, for context: a major project like OpenSSL has 275 contributors, over 20,000 commits, 275 releases, 272 open and 862 closed issues.

The size of JavaCard (open-source) community

Eric Vétillard analyzed LinkedIn users in 2016 and found about 3,400 individuals claiming to have JavaCard skills. The current search returns about the same number, mostly at Gemalto (405), Oberthur (184), Morpho (120), G&D (87) and NXP (78). But the open-source community seems to be significantly smaller.

JavaCard skill of LinkedIn users. Source: LinkedIn (https://www.linkedin.com/topic/javacard)

The number of contributors to the GitHub projects in our list is 139. A manual check of contributors to repositories with at least 3 stars yields fewer than 50 developers who actually contributed JavaCard code. That seems to be the approximate size of the open-source JavaCard community showing some activity.

How to grow JavaCard community

I believe that the community will only grow if there is real demand from real users and customers for open-source software (applets) solving real problems. What I mean are ordinary users who have bought reasonably priced cards and are able to install useful applets from trusted sources. Suitable cards are available now. Our next step is to find high-quality applets that are already available. This post and the list of projects go in this direction.

In parallel, we need to increase the range of useful applets by making JavaCard attractive for new developers. Based on my own experience teaching JavaCard to university students, newcomers usually struggle with three main things: 1) not being aware of, or able to imagine, the possibilities, 2) uploading their first applet to a card, and 3) troubleshooting problems with a card.

Luckily, the situation has improved significantly in the last five years both with respect to the availability of smartcards as well as tools for beginners to get started.

If you are curious about smart cards, help us spread the word. Here is a list of highlights and capabilities of cryptographic smartcards:

  • A secure programmable execution environment, not just a keyring.
  • The programming language is a “core” Java with additional cryptographic packages.
  • Commonly supported algorithms include AES, RSA, and ECC in various variants.
  • A high-quality truly random number generator is available on chip.
  • Card applications (applets) can be securely updated even over-the-air using end-to-end (GlobalPlatform) secure channels.
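To make the first three points above concrete (and the on-card key generation and true random number generator mentioned at the start of the post), here is an added example of a minimal JavaCard applet. It is not code from the curated list or from any project named here; the package name, class byte and instruction bytes are constructed for this example, and it assumes a card with the usual 261-byte APDU buffer and short-length APDUs. It exposes three commands: return bytes from the card's random number generator, generate an AES-128 key on the card, and encrypt data under that key. The key is drawn from the on-chip generator straight into the card's protected key object and never leaves the card.

```java
// Added example applet (constructed for this post, not from any listed project).
package com.example.jcdemo;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;
import javacard.security.AESKey;
import javacard.security.KeyBuilder;
import javacard.security.RandomData;
import javacardx.crypto.Cipher;

public class DemoApplet extends Applet {
    private static final byte CLA_DEMO    = (byte) 0x80; // proprietary class byte (constructed)
    private static final byte INS_RANDOM  = (byte) 0x10; // P1 = number of random bytes wanted
    private static final byte INS_GENKEY  = (byte) 0x20; // generate a fresh AES-128 key on card
    private static final byte INS_ENCRYPT = (byte) 0x30; // data = plaintext, multiple of 16 bytes

    private static final short KEY_BYTES  = 16;
    private static final short IV_BYTES   = 16;
    private static final short MAX_RANDOM = 64;
    private static final short MAX_DATA   = 224; // keeps IV || ciphertext within a 256-byte response

    private final RandomData rng;  // on-chip random source
    private final AESKey key;      // lives in the card's protected key storage
    private final Cipher aes;
    private final byte[] scratch;  // RAM buffer, cleared when the applet is deselected
    private boolean keyReady;

    private DemoApplet() {
        rng = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
        key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
        aes = Cipher.getInstance(Cipher.ALG_AES_BLOCK_128_CBC_NOPAD, false);
        scratch = JCSystem.makeTransientByteArray((short) (IV_BYTES + MAX_DATA), JCSystem.CLEAR_ON_DESELECT);
        keyReady = false;
        register();
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new DemoApplet();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return; // SELECT by AID needs no response data here
        }
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_CLA] != CLA_DEMO) {
            ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
        }
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_RANDOM:  sendRandom(apdu, buf); break;
            case INS_GENKEY:  generateKey();         break;
            case INS_ENCRYPT: encrypt(apdu, buf);    break;
            default:          ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    // Returns P1 bytes straight from the card's random number generator.
    private void sendRandom(APDU apdu, byte[] buf) {
        short n = (short) (buf[ISO7816.OFFSET_P1] & 0xFF);
        if (n == 0 || n > MAX_RANDOM) {
            ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
        }
        rng.generateData(buf, (short) 0, n);
        apdu.setOutgoingAndSend((short) 0, n);
    }

    // Key material goes from the generator into RAM, into the key object, and the
    // RAM copy is wiped; the host only ever learns that a key now exists.
    private void generateKey() {
        rng.generateData(scratch, (short) 0, KEY_BYTES);
        key.setKey(scratch, (short) 0);
        Util.arrayFillNonAtomic(scratch, (short) 0, KEY_BYTES, (byte) 0);
        keyReady = true;
    }

    // Encrypts the command data under a fresh random IV; response is IV || ciphertext.
    private void encrypt(APDU apdu, byte[] buf) {
        if (!keyReady) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        short lc = (short) (buf[ISO7816.OFFSET_LC] & 0xFF);
        // Short APDU assumed: the whole body arrives with the first receive call.
        if (apdu.setIncomingAndReceive() != lc || lc == 0 || lc > MAX_DATA || (lc % 16) != 0) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        rng.generateData(scratch, (short) 0, IV_BYTES);
        aes.init(key, Cipher.MODE_ENCRYPT, scratch, (short) 0, IV_BYTES);
        aes.doFinal(buf, ISO7816.OFFSET_CDATA, lc, scratch, IV_BYTES);
        Util.arrayCopyNonAtomic(scratch, (short) 0, buf, (short) 0, (short) (IV_BYTES + lc));
        apdu.setOutgoingAndSend((short) 0, (short) (IV_BYTES + lc));
    }
}
```

Two design points worth noting: the key object and the cipher are allocated once in the constructor (at install time) because persistent allocation inside `process` is the classic JavaCard mistake that exhausts EEPROM, and every length taken from the APDU header is range-checked before it is used as a buffer offset, since the card, not the host, is the trusted side of the exchange.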

Resources to make it easy for newbies to start fiddling with JavaCards:

Promote the benefits:

  • Keep your PGP private key from ever leaving the card with an OpenPGP applet.
  • Secure your bitcoins with a hardware wallet.
  • Generate one-time passwords with an OATH applet.
  • Authenticate with a second factor using a U2F applet.
  • Protect your disk encryption keys with a Cryptsetup applet.
  • Make a card that interacts with a mobile phone over NFC with an NDEF applet.
  • Protect your SSH key with an SSH applet.
  • Turn your NFC-enabled phone into a one-time-password generator with an HOTP-via-NDEF applet — no additional software required.
  • Build complex applications that run completely inside a physically secure environment and communicate via TLS.
  • And many more with a single card!

Conclusions

Open and programmable smartcards are now easily available, as are most of the tools you need to work with them. We need to spread the word, help newbies get started, and make more mature applets available and ready for use in public repositories like GitHub.

Petr Svenda (@rngsec): security researcher at Masaryk University @CRoCS_MUNI, co-founder of http://EnigmaBridge.com, love crypto smartcards, astrophotography and running