javacardemv

How to make an EMV card from a Javacard?


I'm going to write a Java Card applet to convert my card into an EMV compliant card.

1- The question is how can I do that?

As far as I know, there are four EMV specifications known as EMV Books which contain principles of EMV cards (Chip characteristics, file structure and also the list of APDU commands). Do I need any other specifications to implement my applet or these are all I need? If there are some other specifications which I need, are they freely available or they are proprietary?

2- Do EMV cards have an specific Applet AID?

EFT-Lab provided a good list of applet AIDs. As you see below, there are a lot of AIDs which belong to Visa International (as vendors) that all are "EMV" types. Why does Visa International have a lot of different AIDs for its EMV applets? What's the difference between these applets?

enter image description here

3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?

4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)


Solution

  • 1- The question is how can I do that?

    Yes. Implement the specifications. If there are any other requirements (and surely there will be) then they should be referenced in the specs.

    2- Do EMV cards have an specific Applet AID?

    Because they offer specific functionality? You may even have multiple applications on the same card. Note that it is possible to select applications using a partial AID (see how the Debit & Credit card partially match). The VISA specific cards are likely used internally only, e.g. when servicing cash machines.

    3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?

    Not likely. It would be rather unusable because it would require EMVCo security evaluation to be accepted. So you need some kind of payment structure to pay for certification and audits. No open source initiative is likely to pony up the cash up front.

    Often these kind of implementations require techniques to avoid vulnerabilities that need to remain secret; smart cards do not offer perfect security after all. That's perpendicular to open sourcing an implementation. So if there is anything out there it must be created out of academic interest (e.g. for testing the security of the protocol, proof of concept etc.).

    4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)

    Generally it is more about which parts of the applet are available or not. The fact that most applets can be used in dual mode probably speaks for itself otherwise.

    This paper seems to have a good introduction to the possible differences.