Java Applet and Terminal

Application for Financial

transactions
Security for Java and E-commerce Environment

Behrooz Aghakhanian
baf@kth.se

Jalil Shokouh
shokouh@kth.se

May 2011

Introduction
In this assignment we developed a financial applet for Java smart card version 2.2.1 and a
terminal java application that interact with the given applet using APDU.
First we describe the written code of the applet, and then explain the simulation and
loading the applet to the card. Finally, demonstrate some command and response in order
to perform different financial interaction with loaded applet.

Developing Applet
We set up eclipse IDE and platform and then installed Javacard development kit 2.2.1 to
develop the applet. We got a sample code from Oracle Java card tutorial website and did
some changes some method especially the authentication process. It is a bank applet that
store information about customer account balance and ability to debit from and credit to
given account as provided service. To protect the applet customer need to insert the right
PIN to be verified to use for each service.
In first part we instantiated the applet CLA, INS of methods, maximum value allowed for
account, maximum transaction amount, maximum number that customer can try different
PINs and maximum size of the PIN allowed to be set:
final
final
final
final

static
static
static
static

byte
byte
byte
byte

VERIFY = (byte) 0x20;

CREDIT = (byte) 0x30;
DEBIT = (byte) 0x40;
GET_BALANCE = (byte) 0x50;

// maximum wallet balance

final static short MAX_BALANCE = 10000;
// maximum transaction amount
final static byte MAX_TRANSACTION_AMOUNT = 100;
// maximum number of incorrect tries before the
// PIN is blocked
final static byte PIN_TRY_LIMIT =(byte)0x03;
// maximum size PIN
final static byte MAX_PIN_SIZE =(byte)0x18;

Then we added the necessary exceptions to be handled during runtime and instantiate
them with arbitrary values that will be thrown in SW field of response APDUs:
final
final
final
final
final

static
static
static
static
static

short
short
short
short
short

SW_VERIFICATION_FAILED = 0x6300;
SW_PIN_VERIFICATION_REQUIRED = 0x6301;
SW_INVALID_TRANSACTION_AMOUNT = 0x6A83;
SW_EXCEED_MAXIMUM_BALANCE = 0x6A84;
SW_NEGATIVE_BALANCE = 0x6A85;

After that we instantiated the PIN with null value and then update it with a 2 byte value.
Also gave the card 0 as default balance.
OwnerPIN pin=null;
short balance=0;
byte[] PIN={(byte)0x31,(byte)0x31};
pin.update(PIN, (short)0, (byte)2);

After writing mandatory methods (install, select, deselect), we defined the process
method in such a way that switches to different service methods (get balance, credit, debit
and verify) based on INS is command APDU.
switch (buffer[ISO7816.OFFSET_INS]) {
case GET_BALANCE: getBalance(apdu); return;
case DEBIT:
debit(apdu); return;
case CREDIT:
credit(apdu); return;
case VERIFY:
verify(apdu); return;
default:
ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
}

Finally we wrote each service method. Here is the code for credit method:
private void credit(APDU apdu) {
if (!pin.isValidated())
ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);
byte[] buffer = apdu.getBuffer();
byte numBytes = buffer[ISO7816.OFFSET_LC];
byte byteRead = (byte)(apdu.setIncomingAndReceive());
if (( numBytes != 1 ) || (byteRead != 1))
ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
byte creditAmount = buffer[ISO7816.OFFSET_CDATA];
if (( creditAmount > MAX_TRANSACTION_AMOUNT)
|| ( creditAmount < 0 ))
ISOException.throwIt(SW_INVALID_TRANSACTION_AMOUNT);
if ((short)( balance + creditAmount) > MAX_BALANCE)
ISOException.throwIt(SW_EXCEED_MAXIMUM_BALANCE);
balance = (short)(balance + creditAmount);
return;
}

Debugging and loading process:

After writing the code, we used JCOP 41 v.2.2 plug-in for debugging the code and test it
on a simulator (JCCP Shell).

After testing the applet on simulator we again used JCOP to produce CAP file and load it
to the card. Here smart card channel is not secured. So developer does not need to enter
any PIN to load the CAP file. On the card, card manager is responsible to provide
services to install, delete, reset and protect the applet in the card. According to Java card
architecture JCOP play the role of off card JVM while card manager is on card part.

Terminal Application
We also developed an application to use the applet functions in the card using NetBeans
developing environment. This application detects all the available card readers in the
system.

User selects the proper card reader, and then enters the PIN to connect to the card. PIN is
already set to 1234 in the java card applet. This application connects to card, selects the
applet and then verifies the PIN. After these steps, user can use available function on the
card for getting balance, crediting money into card and also debiting money from the
card.

As its shown in the picture in time card insertion, the balance is 140 SEK. Then 40 SEK
is debited from the card and balance becomes 100 SEK. Then card is credited 20 SEK
and the balance become 120 SEK.