Interview: Smart card guru answers questions

JavaWorld talks with Patrice Peyret, founding president and CEO of Integrity Arts

Few people know as much about smart cards as Patrice Peyret, founding president and CEO of Integrity Arts, a start-up company focused on smart cards, which was acquired by Sun Microsystems in September.

Peyret, a renowned smart card expert, has been working with smart cards since 1987, when he worked for Thomson Consumer Electronics on the world’s first set-top box equipped with a smart card. More than 3 million of these BSkyB set-top boxes are in use in the UK. More recently (1989 to 1995), Peyret was head of research and development for Gemplus, the world’s largest smart card company.

As a result of Sun’s acquisition of Integrity Arts, Peyret is now Director of JavaSoft’s Consumer Transactions group, which focuses on both JavaCards and Java Commerce Clients — electronic commerce software running on PCs, network computers (NCs), and possibly set-top boxes.

In late October, JavaWorld columnist Rinaldo Di Giorgio talked at length with Peyret about the state of smart cards, the Java cards, and his latest projects. Read on to learn Peyret’s answers to the following questions:

  1. What are smart cards?
  2. How do they work?
  3. Are there any significant applications of smart cards?
  4. Can you explain why smart cards are not common in the U.S.?
  5. So smart cards have been around for quite a long time?
  6. What is JavaCard?
  7. So JavaCard has had an effect on the smart card industry?
  8. So developing applications for smart cards was difficult?
  9. How is JavaCard going to improve this?
  10. Is there any danger that JavaCard is a passing fad?
  11. How do you identify an application that would benefit from using a smart card?
  12. Why are smart cards always associated with security?
  13. You mentioned the carrying of personal data…
  14. Is there room for small developers in the smart card world?
  15. Does JavaCard have any competition?
  16. Should Microsoft consider licensing JavaCard?
  17. What is JavaSoft doing to ensure access to smart cards on many platforms?
  18. How will multiple applications co-exist on JavaCard?
  19. What is the difference between OpenCard and PC/SC?
  20. What are some of these guidelines?
  21. What is your group working on at JavaSoft?
  22. What are some of the tools and when will they be available?
  23. Why are you so sure JavaCard is going to be the largest deployed computing platform in the world?

JavaWorld: What are smart cards?

Peyret: A smart card is typically a “credit card” sized form factor with a small embedded computer chip. This card-computer can be programmed to perform tasks and store information. There are different types of smart cards: memory cards, processor cards, electronic purse cards, security cards, and JavaCards.

JW: How do they work?

Peyret: Very simply, a smart card that has a processor is inserted into a smart card reader (commonly called a card terminal) and is available for use. The software wishing to communicate with the reader needs to send some commands to manage the reader, things like power up and transfer command to card. The commands sent to cards can be custom, but we prefer to use the standard ISO 7816 specifications, which define command formats in great detail. Many different types of readers exist and soon we hope to see them shipped as standard equipment on PCs. They are not as uncommon as you think: There are several million readers deployed in homes in the United States in the Digital Satellite Systems (DSS) units.

JW: Are there any significant applications of smart cards?

Peyret: There are many significant smart card applications.

  • Banks: Small trials in the U.S.; entire countries using the card in Europe and places like South Africa.
  • Medical applications: In Germany 80 million people can use smart cards when they go to the doctor.
  • Voting: In Sweden you can vote with your smart card, which serves as a non-repudiation device.
  • Entertainment: Most DSS dishes in the U.S. have smart cards.
  • Telecommunications: Many cellular phones come with smart cards in Europe and will soon be shipping in the United States.
  • Mass Transit: British Air relies on rail and air connections more than most airports. There were many delays because customers could not be tracked while they were in transit, so no one knew where the customers were, which caused aircraft to be held for phantom customers. To solve this problem, British Air gives passengers contactless smart cards, and radio receivers track them throughout the facility. Now flights only wait when necessary, controllers can be given estimated ready times, and new departure slots can be calculated.

JW: Can you explain why smart cards are not common in the U.S.?

Peyret: Smart cards have been very popular in Europe and Asia. There have been huge smart card deployments in Japan, South Africa and Germany. Recently in the U.S. these cards have started to appear in pilots as a debit card. There are currently 650 million smart cards deployed in the world. In a few years I anticipate that there will be one billion cards deployed in the world. Smart card technology matured outside of the U.S. due to U.S. infrastructure and cultural reasons. The U.S. infrastructure is very different than Europe, or Japan or China for example. In the U.S. there are 14,000 banks and several hundred telecommunication service companies, and U.S. users culturally have preferred a pay-later approach, which required a good communication infrastructure. In other countries, merchants are not always online so the smart card also solved a communication infrastructure problem. In the U.S. it is harder to get the banks to cooperate on one standard. The same goes for the telecommunication companies. Many countries in Eastern Europe are going directly to chip cards; this approach also is taken by China.

JW: So smart cards have been around for quite a long time?

Peyret: Smart cards are a relatively mature solution in the process of manufacturing cards, but relatively new to the field of integrating into information systems. JavaCard provides a win/win situation by reducing the time to market and offering modern APIs that can be used to interface to corporate and consumer systems while at the same time Java gets a platform that has billions of deployed units.

JW: What is JavaCard?

Peyret: JavaCard is a smart card that is capable of running Java byte codes. Consider what this means: as the cards become more powerful, that little card will be able to run some of the applications you run on your personal computer. We have no reason to believe that this will not be the case. We may face limits on the credit card form factor since this means more powerful chips can’t be used due to the packaging constraints such as flexibility, but JavaCard should not be viewed as a credit-card-only standard. As new devices emerge, JavaCard should be considered as a design option.

JW: So JavaCard has had an effect on the smart card industry?

Peyret: So far Java has been relatively isolated without much relation to previous standards, bridging between the two worlds: The card world and the Java world. Prior to Java the smart card industry suffered from two bottlenecks:

  1. Small group of knowledgeable people to program the cards, which exacerbated the time-to-market problem.
  2. Lack of ubiquity at the application level.

JW: So developing applications for smart cards was difficult?

Peyret: Yes. It was relegated to a small group of individuals practicing an arcane art. Development tools that you could buy in a store did not exist. With JavaCard I expect that you will be able to buy development tools in a store. We are developing a JavaCard applet/application developers guide so that applications can be developed for a JavaCard.

JW: How is JavaCard going to improve this?

Peyret: Programming smart card applications is very different than programming regular applications on a PC. The two most difficult aspects of this man-machine interface are the lack of large memory spaces typically found on workstations and PCs and the difficulty of debugging on the smart card, which can just go quiet for bugs quite often.

Smart card applications need to be designed to account for a small amount of memory and limited processing power of chips.

JW: Is there any danger that this is a passing fad?

Peyret: Unlikely. Perhaps the form factor may change, but as time goes on I think you will carry many computers at all times, perhaps in your watch or pen as well as your wallet. I really view JavaCard as a concept … that I think will become more popular as smart cards are understood: The concept of wearable computers. We see this already in things like the [“iButton” smart ring] from Dallas Semiconductor, which will eventually support Java and can be worn as a piece of jewelry, or the contactless smart cards that you can stick in your wallet.

JW: How do you identify an application that would benefit from using a smart card?

Peyret: Typically […] any application requiring authentication or some portable memory can benefit from a smart card. Smart cards can be used for authentication and as a secure, convenient, portable storage mechanism. Developers no longer are bound by the lack of development environments.

JW: Why are smart cards always associated with security?

Peyret: One of the fundamental problems in securing computer systems is the need for tamper-resistant storage of keys. Smart cards provide this functionality as well as the ability to upgrade and/or replace a security solution when it becomes compromised. For example, there are millions of digital satellite systems that are smart card-enabled, and if some enterprising hacker cracks the security, the millions of DSS units need not be replaced; we can just mail out new cards. With JavaCard it gets even better in that we just send new cardlets [JavaCard applications] to everyone.

JW: You mentioned the carrying of personal data…

Peyret: Smart cards are really excellent at carrying your personal data. Think of it as a digital wallet that can store all this personal data under electronic lock and key.

JW: Is there room for small developers in the smart card world?

Peyret: Consider the need for applications as smart cards begin to participate in each of our daily lives as we interact with our latest PDA, phone, set-top box, NC, smart card enabled ATM and, of course, buy coffee at Starbucks. I can see a market where there are thousands of small cardlets for all the different functions you need, for example. Consider the number of cardlets required for smart card-enabled doors, cars, and entire buildings.

JW: Does JavaCard have any competition?

Peyret: As of this time the companies responsible for producing 80 percent of the cards have licensed JavaCard.

JW: Should Microsoft consider licensing JavaCard?

Peyret: Not really. JavaCard is usually licensed by card manufacturers. Microsoft does not currently produce cards.

JW: What is JavaSoft doing to ensure access to smart cards on many platforms?

Peyret: My group is working with the licensees to make sure all the licensees are compatible on the 2.0 specification. We do this by providing support and providing test cases as well as reference implementations.

JW: How will multiple applications co-exist on JavaCard?

Peyret: Often security solutions are very good but very useless. [Systems become] so secure that no one uses them. We are taking a more practical approach with JavaCard and using the GateWay Security Model described to allow multiple applications to exchange data. It would be pretty foolish to present several smart cards to perform a transaction, although in all fairness we already provide several credit cards to perform many common transactions and maybe this model will stay; car companies and airline companies will issue different cards.

JW: What is the difference between OpenCard and PC/SC?

Peyret: OpenCard is a collection of companies endorsing a Java interface to smart cards. OpenCard is written in Java and has the potential to be 100% pure. JavaSoft will soon be releasing an API that supports serial and parallel devices. Once this is available, OpenCard can be 100% pure. But we are diverging. OpenCard is a fairly lightweight interface to smart cards that provides a framework for developing smart card applications in Java. PC/SC is an interface to smart cards for Windows platforms. OpenCard, in the spirit of cooperation, has provided an interface layer so that OpenCard can use PC/SC to basically manage smart card readers or terminals and send APDUs [application protocol data units] to these readers. So if you write your application to the OpenCard specification, you will get portability; if you write it to PC/SC, you will only work on Windows platforms, which may not be the predominant personal platform.

JW: What are some of these guidelines?

Peyret: Developers should be able to buy the tools in a store, buy a few cards in the store, and read the latest column in JavaWorld and then build an applet for the card. In the past this was not possible; programs were burned into the chip and the special chips had to be produced. Smart cards can become a 6 billion market.

JW: What is your group working on at JavaSoft?

Peyret: My group is concentrating on getting the 2.0 specification completed and accepted as well as developing reference implementations and tools and of course providing support to licensees.

JW: What are some of the tools and when will they be available?

Peyret: We are working on some specific tools to assist developers in developing smart card applications. A smart card has a pretty restrictive interface with a difficult user machine interface. We are working on:

  • card simulators,
  • debuggers, [and]
  • terminal simulators

for host systems. We do not expect these tools to be available until Q1/98. Debugging smart card applications can be more difficult than debugging, say, an embedded controller, because with a controller you could always get an in-circuit emulator or ICE. Due to the security constraints of a smart card, you can’t replace the CPU easily.

JW: Why are you so sure JavaCard is going to be the largest deployed computing platform in the world?

Peyret: There is this interesting phenomenon, call it exponential growth or powers of 10 or even geometric growth. It goes something like this: In the beginning there were one or two electronic computers, then there were 10 times as many IBM 7xxx, followed by 10 times as many mainframes, followed by 10 times as many minicomputers, followed by 10 times as many PCs, followed by 10 times as many Java Cards. Given these many platforms there is a need for developers. When cards reach a billion units, that is a rather large audience with quite a bit of ubiquity.

Source: www.infoworld.com