IBM Smart Card OS On A 1MB Smart Card

michaelpapet.com writes "IBM has ported/developed their Javacard smart card operating system for Sharp's 1MB smart card. Read Sharp's announcement here. Interesting features include: AES encryption; elliptical curve encryption; and 1MB of storage. Sharp's smart card package claims to be almost as small as a normal smart card package. In an industry that considers 64K of memory a luxury, 1MB is staggering. Read Sharp's original 1MB smart card announcement here. Is this a 'Build it and they will come...' kind of solution? How small is an 'almost as small' smart card IC package?"

  • Storage space (Score:2, Insightful)

    by Anonymous Coward
    Interesting features include: AES encryption; elliptical curve encryption; and 1MB of storage.

    Wow, 1MB of storage available on 1MB media, so that's like 0MB for the OS?

    Also, why not start with a larger media? Most digital cameras start at at least 16 MB. Something more than 1MB doesn't seem too unreasonable.
    • Re:Storage space (Score:3, Informative)

      by AndroidCat ( 229562 )
      Think of it as a 1M hard drive. The card also has a dinky 8K RAM and 8K ROM. (Note that the press release for the card is a year old.)
    • Re:Storage space (Score:1, Informative)

      by Anonymous Coward
      For those not sure what a smart card is, it's sometimes used on credit cards, the tiny chip next to the last 4 digit number. Now you know why 1MB and the tiny OS is a big deal!
    • Re:Storage space (Score:5, Informative)

      by John Harrison ( 223649 ) <(moc.liamg) (ta) (nosirrahnhoj)> on Tuesday November 02, 2004 @08:14PM (#10706412) Homepage Journal
      I work for IBM with smart cards. My team directed Sharp to the JCOP (Java Card Open Platform) operating system over a year ago. The 1MB is rewritable storage. The OS is stored in ROM. It is a simplified version of Java (the JavaCard standard) that requires very little in the way of resources.

      Functionality is added to the card by securely loading JavaCard applets to the 1MB of storage. More info on JCOP can be found here. [ibm.com]

      • OK I need to ask you then.

        WHY are there no apps for smartcards out there then?
        I want to store basic important information on one. is there an app I can use? no.

        Is there anything short of the overpriced enterprise 60,000 user license stuff available? no.

        smartcards are 100% useless to 90% of the planet.

        so WHY is there no consumer apps available for these things??

        I want to protect my passwords and other information.

        it seems that you guys do not want me to do this.

        at least in windows..... the funny
        • Re:Storage space (Score:3, Informative)

          Lumpy, For one thing, the smart card itself has no concept of Windows or Linux. All it knows about are the APDUs that are coming and going. I don't know why there are no consumer apps. There certainly are in Europe. You can store your browser bookmarks on your bankcard and things like that. I am not sure what sort of "basic information" you want to store. Most vendors concentrate on healthcare, banking, and finance rather than the hobbyist market. If you want a password manager ActivCard makes a very
          • So make an ASIC that calculates MD5, burn an EPROM with the MD5 of the binaries, and use the ASIC to verify the integrity.
            • Um, you don't know the first thing about how applets are loaded to smart cards, do you?

              Having written an applet loader I can tell you that it has nothing to do with what you are describing.

              • Ok, no, I don't know how applets are loaded. What I meant was to have an instruction built into the chip which verifies the integrity of the flash memory based on a hash on write-once media.
                • For large volume applications the applications are already coded into ROM. You can go read the Open Platform/Global Platform spec at GlobalPlatform.org and see how applets are loaded and verified. You have to be able to derive the correct 3DES key to even talk to the card manager and then you need another key to sign all the APDUs. Finally there is optional integrity checking.
                  • But I was posting about cards that could also be used for hobbyist applications.
                    • Regardless of the application, you need to have the keys. If you buy cards with the Visa test keys (usually only used for development and demos) then it would be pretty easy. I am not aware of any vendors that will arrange for secure unique key generation in small volumes, but I am sure that if you offered them enough money you could get some. If it is just for hobby applications then the keys might not matter and you could use the test keys. Still you need the tools to write, test, and load applets. Y
                    • So then find a way to namespace the keyspace, for example domain names, like what is used for the java class names, and incorporate that into the key.

                      That would stop accidental key conflicts. Not a very good solution, but better than nothing.
                • The lead for JCOP has told me that for flash based systems the OS is loaded into flash rather than rom since there is so much storage space. On EEPROM systems it is written in the ROM.
          • "Because of security functionality you can't just sit down, write a Java applet to store your passwords, and load it to your Visa card. "

            Why not? If Global Platform worked as advertised, and if the JVM really is as secure as Multos, then what would the bank care if you had some game high score, web passwords or personal data applet on your Visa card? Surely it would be a good way to cut churn: you wouldn't want to switch Visa cards if you had to re-enter all of your web passwords.

            • If the bank loaded the applet (it could be a general purpose filesystem with little or no security) then they wouldn't care. What they don't want at this point is a hobbyist writing their own applet and loading it themselves. If you don't have the card manager keys you can't load/delete/lock/instantiate applets.
        • Have a look at the muscle project - although originally aimed towards linux there is also stuff for windows. They provide an opensource card applet that can be used e.g. to hold certificates that can be used with Netscape.

          http://www.linuxnet.com/smartcard/index.html

          cheers
      • Can you get DirectTV with one?
    • Slashdot's a year late? Come on now...

      Heck, a lot of the stuff that gets posted here I've already heard of... but a year late? We can all do better...
  • by xsupergr0verx ( 758121 ) on Tuesday November 02, 2004 @08:05PM (#10706362)
    One "640k should be enough for anybody" joke in the title should be enough for everybody.
  • Titanium Card (Score:3, Interesting)

    by Anonymous Coward on Tuesday November 02, 2004 @08:08PM (#10706386)
    Check out the titanium card, I believe it has more than 1 meg of memory, and while we are on the topic of smart cards flip over to www.cardcoders.org
  • by AndroidCat ( 229562 ) on Tuesday November 02, 2004 @08:12PM (#10706404) Homepage
    Looks .. card-sized! [sharp-world.com]
  • Security anybody? (Score:3, Interesting)

    by SpeedyGonz ( 771424 ) on Tuesday November 02, 2004 @08:22PM (#10706450)
    Sorry for this, I couldn't help it: *** TIN FOIL HAT MODE ON An IC card, capable of running a tiny java - based OS, used for, say, storing my Credit card details . . . sounds like clock frequencies on the high kHz to low MHz order, am I right? What about somebody detecting its electromagnetic activity (when used) using a device like that "Tempest project" one that detects the EM fields produced by CRTs. Does this thing use too small a voltage to be picked up by an antenna at short range? *** TIN FOIL HAT MODE OFF
    • Would encryption be of any use? I'm not familiar with the "Tempest project" thing mentioned above.

      And besides, if you're close enough to use a short range antenna (very short range, I'm guessing), you're close enough to mug 'em. Perhaps not as clean, and much more noticeable, but a heck of a lot easier.
    • Tempest shmempest. A much more serious side-channel attack (i.e. an attack that allows one to break encrypted data or protocols through means other than the information transmitted intentionally by the card) is power analysis. This attack is exceedingly effective against many smart cards... is this one protected?
      • Tempest shmempest. A much more serious side-channel attack (i.e. an attack that allows one to break encrypted data or protocols through means other than the information transmitted intentionally by the card) is power analysis. This attack is exceedingly effective against many smart cards... is this one protected?

        Just run seti@home^H^H^H^Hcard on it during idle times and you'll mask the power consumption!

    • As the normal user would write his/her password on the card, why bother with high tech? The biggest security problem is always the people...
  • Virtual Machine? (Score:3, Insightful)

    by Jimmy The Leper ( 734441 ) on Tuesday November 02, 2004 @08:24PM (#10706463)

    Do I have to plug it in and then wait 45 seconds for the java virtual machine to load before it lets me do anything?

    Also, now that it has java, does that mean I can run Project Looking Glass?

  • by bentfork ( 92199 ) on Tuesday November 02, 2004 @08:27PM (#10706469)
    Smart cards are a great way to keep your private encryption key(s) and passwords safe, OFF your computer harddrive, and out of your computer memory.

    Why? Because you the user can not know if the computer you are typing on is safe ( think spyware, malware etc... ) .

    Current smartcard technology has been problematic because you can only store tiny amounts of data on them. By tiny I mean really small, shorter than a few SMS (text based cellphone) message amount of data. ( don't forget the file allocation table takes up space...)

    You also don't really store data on them, they store data for you. Smart cards are basically little computers, that will only respond with the correct password to give you your data. Pretty clever really.

    Now it looks like they will be able to store much more data, like a couple 1024 bit keys, your encrypted passwords and lots of other great stuff like that.

    That is what it could be used for... but I am sure everyone is going to buy them because they can save their IE Favorites, and their Email Address book on it.

    • The nice part is that you can check biometric data without exposing the actual data outside the card. For example, you plug the card into a fingerprint reader and the reader gives the print data to the card. The card compares it to the stored data, and if it's a close-enough match, says OK and unlocks access to other data.

      If it wasn't "smart", an outside system would have to have access to the real data to compare against the finger or password attempt.
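
Added example, not part of any comment in this thread: the point above that a card "will only respond with the correct password", and the reply about matching biometric data on the card, both rest on the card doing the comparison itself and never exporting the reference value. The Python model below shows that check at the APDU level and goes slightly beyond the comments by including the retry counter that makes a short PIN workable; the INS codes and status words are from ISO/IEC 7816-4, while `ToyCard`, `verify_apdu`, the PIN and the record are hypothetical names and constructed values.

```python
import hmac

# ISO/IEC 7816-4 instruction bytes and status words
INS_VERIFY, INS_READ_BINARY = 0x20, 0xB0
SW_OK, SW_NOT_VERIFIED, SW_BLOCKED = 0x9000, 0x6982, 0x6983
SW_WRONG_LENGTH, SW_BAD_INS = 0x6700, 0x6D00

class ToyCard:
    """Hypothetical card model: PIN and record are reachable only via process()."""

    def __init__(self, pin, record, max_tries=3):
        self._pin, self._record = pin, record
        self._max_tries = self._tries_left = max_tries
        self._unlocked = False

    def process(self, apdu):
        """Handle one command APDU (CLA INS P1 P2 ...); return (data, SW)."""
        if len(apdu) < 4:
            return b"", SW_WRONG_LENGTH
        ins = apdu[1]
        if ins == INS_VERIFY:
            return b"", self._verify(apdu)
        if ins == INS_READ_BINARY:
            if not self._unlocked:
                return b"", SW_NOT_VERIFIED      # data stays on the card
            offset = ((apdu[2] & 0x7F) << 8) | apdu[3]
            le = apdu[4] if len(apdu) > 4 else 0
            return self._record[offset:offset + (le or 256)], SW_OK
        return b"", SW_BAD_INS

    def _verify(self, apdu):
        if self._tries_left == 0:
            return SW_BLOCKED                    # no further guesses accepted
        if len(apdu) < 5 or len(apdu) != 5 + apdu[4]:
            return SW_WRONG_LENGTH
        # Spend the try before comparing, so interrupting the card
        # mid-comparison cannot yield a free guess.
        self._tries_left -= 1
        self._unlocked = hmac.compare_digest(apdu[5:], self._pin)
        if self._unlocked:
            self._tries_left = self._max_tries
            return SW_OK
        return 0x63C0 | self._tries_left         # 63Cx: x tries remain

def verify_apdu(pin):
    """Build a VERIFY command carrying the candidate PIN."""
    return bytes([0x00, INS_VERIFY, 0x00, 0x80, len(pin)]) + pin

READ_ALL = bytes([0x00, INS_READ_BINARY, 0x00, 0x00, 0x00])  # Le=0: up to 256

def demo():
    card = ToyCard(pin=b"4821", record=b"constructed-secret")  # sample values
    return [card.process(a) for a in
            (READ_ALL, verify_apdu(b"0000"), verify_apdu(b"4821"), READ_ALL)]
```
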

  • The 20 Year Cycle (Score:5, Informative)

    by Etcetera ( 14711 ) * on Tuesday November 02, 2004 @08:32PM (#10706502) Homepage

    20 years ago, Apple was figuring out how to squeeze a graphical operating system into 128K of RAM. Permanent storage that didn't cost 5 figures was in the 400K range.

    In this day of multi-gigabyte OS installs, it's refreshing to see people return to the "lean and mean" OS mentality, even if it's out of necessity. Hell, even 10 years ago, you could still install an entire installation of Mac OS 7.6 on a set of 10-12 floppies.

    Those were the days. Nice to see such "hack"ish talent used again.

  • by nervesystem ( 547835 ) on Tuesday November 02, 2004 @08:38PM (#10706527)
    This is really just about adding high density flash to an existing smart card platform. Other than having a lot of flash, this (16 bit CPU, 4-8K RAM) card is just like most other JavaCards out there (such as in your cell phone or AMEX Blue card). The innovative smart cards these days have 32 bit CPUs such as the P9SC648 [philips.com] from Philips and ST22N256 [st.com] from ST Micro. The Philips card is a lot more powerful than IBM/Sharp's card and still has 512 KB Flash. The ST card has 256 KB Flash and 368 ROM and is shipping now for $4 to $5 in quantity.
  • by GoClick ( 775762 ) on Tuesday November 02, 2004 @08:39PM (#10706531)
    The confusion here is that the average /.er doesn't know that a SmartCard is not a SmartMedia Card.

    A SmartCard is NOT for holding pictures of your cat. It's primarily for identity verification. See
    SmartCard [wikipedia.org]

    A SmartMedia Card IS for storing pictures of your cat or whatever else you might have. This is the large card that goes in SOME digital cameras. SmartMedia is a trademark of Toshiba. It is a flash memory format. Please see
    SmartMedia [wikipedia.org]
    • A SmartCard is NOT for holding pictures of your cat. It's primarily for identity verification.

      But what if I use it for identity verification of my CAT? What do you think about that, Mr. Smart Guy?!

      Wait, I don't own a cat.
    • Most people here are more intimately familiar with smart cards as satellite access cards (AKA CAM cards). Of course, a lot of lazy slashdotters have never bothered to take the card in their receiver out to check what it was until I just typed this. :-D
    • A "trimmed" version of SmartCards called SIMs are used in GSM phones. They are literally trimmed down from a standard sized smartcard.

      They are most often packaged in the original card form with cuts so you can break out the smaller form factor. Placing them back into the larger card allows them to be used with ISO compliant card readers, which software is available for to allow you to update your phone book, etc.

      Java applications are the big new thing with GSM phones (more so the dedicated phones rath

  • Give it a few years, and everyone will be wanting 40 gig versions to store their mp3 collection on.
  • by Anonymous Coward
    They are not really secure, the java card runs the applet in what is called "the sand box" basically protected memory that is held apart from the os, so the applet can run without accessing the os, or being able to attack the os..

    Funny thing is if you blast the card with uv radiation (read a black light) you can force the switches in the card (by overloading with excess energy) to flip back and forth and cause the card to allow you to pop out of the sandbox.. =)

    Suddenly you have access to the protected ar
    • When you speak like that, it sounds like it's a piece-of-cake to do this. Also this is not java-related at all, this applies to all chipcards in general. All very nice in theory, but in reality - what you describe there requires a lot of multi-million-$ equipment, which only very few ppl (read: no-one) have in their private laboratory at home. Also don't forget you'll need some man-years of work to accomplish exactly what you want :)
      Most chip-foundries have the equipment, some security-audit centers also of
  • Innovation is a great thing...but I wish companies would give up on all this small media and put all their resources into something larger.

    I'd pay a whole bunch for a small 200GB hard drive that I could hang on my keychain. Laptop drives are small, but not quite small enough. I'd put up with their extra size, but I haven't seen any break 80GB.

    I'd just like to be able to plug my own hard drive into someone else's computer and have my own OS and files all ready. No smart cards, just smart technology. We sho

  • I'm sure this card incorporates some form of elliptic curve cryptography [wikipedia.org], rather than "elliptical curve encryption", which doesn't mean anything AFAIK.

    I guess all of the other mathematicians are watching election coverage rather than pointing out slashdot editing errors...

  • "American Distress now provides the Credit Card X2! Uses WiFi technology to play your favorite movies and songs to you with wireless headphones! Plus, includes new neural-link Counter Strike!" Actually, that would be pretty cool. At least the Wifi part, though that could be threatening to security.
  • Why would any sane person waste crushingly scarce ROM and RAM space on a Java interpreter? Everybody involved knows exactly what the target hardware is, and can compile directly to it. This has failure written all over it.

    Just give me the raw hardware, I'll program that.

  • When will we see readers in common equipment?
    It would be nice to have PGP and SSH key stored on my ID card :-).
    • What would be even more interesting would be to have the card contain a cryptographic processor that handled all of your encryption needs built in. This would allow you to keep your private keys on the card, without having them accessible from the computer. The main advantage of this would be public terminals - you could plug in and use them without having to worry if the machine was secure (an attacker could still, in theory, read the data you retrieve but not your key, keeping the remote system secure).
  • 64K a luxury (Score:1, Redundant)

    by stretch0611 ( 603238 )
    In an industry that considers 64K of memory a luxury, 1MB is staggering.

    Surely I am not the only one old enough to remember The Vic-20 with its 5K RAM that greeted you with "3,583 bytes free." (which was left after necessary internal storage and buffers) And if you had an additional $150 you could buy the "luxury" of a 16K RAM Cartridge.

  • What's next, you're going to tell me they can fit an entire operating system on a 20Kb ROM [old-computers.com]? That's preposterous.
  • Did anyone notice that the date on the post was 11/13/2003?? Ya know..like a year agoish?
  • 1MB may be amazing by today's standards but it's quite likely with constantly falling flash prices that we may see smart cards sporting 512MB+ in the near future... Possibly changing the way people use systems in corporate and public environments...
  • all the sites they link you have to bulk purchase them!
    :mad:
  • As in, "how big a mallet do I need to pound it into a *standard* card receptacle?"
