Java Card 3.1 Bakes In IoT Device Security

Oracle's new release of Java Card 3.1 boosts Internet of Things (IoT) functionality with features that address use cases in markets including telecom , payments, cars, wearables and more.

Oracle said Java Card boosts the development of IoT security applications at the edge of the network' edge in an effort to address the increasing security needs surrounding connected devices.

Java Card is essentially a compact version of the Java Platform with security enhancement designed for secure, typically tamper-resistant, chips or hardware systems, and with specialized APIs to facilitate the development of security applications.

Close to 6 billion Java Card-based devices are deployed each year, Oracle says, making it the leading software platform for running security services on smart cards and "secure elements," which are chips used to protect smartphones, banking cards and government services.

"Java Card is already widely used in automotive, wearables, or smart metering, where it provides security services and connectivity services," explained Florian Tournier, senior director of Oracle's IoT and Security group, in an e-mail. "It is worth noting that Java Card is quite unique in its ability to combine security applications, such as device integrity and authentication, with a SIM application for connectivity. As such, and leveraging its footprint in the SIM business with billions of units deployed each year, Java Card is in a strong position to power embedded device security services."

The 3.1 release comes with a number of upgrades, but it's the dedicated IoT features that represent a kind of evolution of the technology. This release introduces new APIs and updated cryptography functions to address the security needs of IoT and facilitate the design of such security applications as device "attestation." Java Card in IoT devices enables deployment of security and connectivity services on the same chip. Multiple applications can be deployed on a single card and new ones can be added to it even after it has been deployed.

Oracle typically releases major updates or additions to the Java Card Platform specification every two or three years, with more frequent releases of the SDK and testing tools in-between. The last specification (version 3.0.5) was released in late 2015. But the scope of new 3.1 features is more significant than any release in the recent past, Tournier said.

"A reason for this ambitious release is the opportunity in the IoT market, where tens of billions of devices are about to be deployed with very acute security needs," he said. "The 3.1 release facilitates the development and delivery of security services to these devices and helps solution providers cope with a changing IoT landscape by virtue of being updatable. Also, there are evolutions in security hardware being introduced, with new choices, such as integrated secure elements (a secure environment within a general-purpose CPU or MCU). The latest version of Java Card helps abstract hardware specificities from the application developer, increasing application portability and reducing development costs."

This release supports deployments of Edge Computing security services "at IoT speed," the company says. It's designed to allow the development of security services that are portable across a wide range of IoT security hardware, helping reduce the risk and complexity of evolving IoT hardware and standards." Also, a new extensible I/O model enables applications to exchange sensitive data directly with connected peripherals over a variety of physical layers and application protocols.

Java Card 3.1 also comes with a set of tools for developing new services and applications. An extended file format simplifies application deployment, code upgrade, and maintenance. API enhancements boost developer productivity and the memory efficiency of applications in secure devices.

"Connected devices' volumes are expected to increase in the upcoming years, posing an increasingly complex challenge as growth adds system complexity to the infrastructure handling device data," said Volker Gerstenberger, president and chair of the Java Card Forum, in a statement. "Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."

More information on Java Card is available on the Oracle's Java and IoT page and Datasheet and this Java Card Forum IoT White Paper and Infographic.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.  He can be reached at