The IsoApplet is an open-source applet for Java Card smartcards. Its purpose is to perform public-key-cryptography on modern smartcards together with OpenSC.

The security and reliability of asymmetric cryptography depends crucially on the confidentiality of the private key. While the public key can be sent to anyone, it is absolutely important that the private key is not compromised. Smartcards have its own processor, RAM and even operating system. They are hermetically sealed from the rest of the system (i.e. the host computer that might be compromised). Also, the developers and manufacturers of smartcards take a huge effort to ensure that no confidential data can be extracted from the card when it is not intended, even by using costly and time-consuming methods such as electron microscopy.

The Heartbleed Bug showed how dangerous saving the private key on conventional computers is. Many servers were affected (and probably, some are even still!). This bug made it possible for attackers to read private keys, user account names and passwords, encrypted communication data etc. without even being noticed. This is a horror scenario for any administrator (and of course, user). Using smartcards for authentication (e.g. with SSH) or signing and decrypting (e.g. with GnuPG) is a great way to minimize those security risks.

OpenSC is a set of libraries and tools for smartcards with cryptographic functions. It supports a good amount of smartcards. Its main purpose is to use it as an interface between the smartcard and host-side applications. OpenSC implements PKCS#11 for those applications. PKCS#11 basically presents a generic token with some cryptographic functions. This is necessary because of different capabilities, interfaces, internal realizations and so forth of different smartcards.

The IsoApplet can be used with OpenSC. The driver for the IsoApplet has been included in OpenSC in March 2015. Please see further instructions in this Wiki.

Many modern smartcards are Java Cards. Java Card is a technology that allows for the creation of "applets" that can be uploaded to the smartcard later. That way, one can easily and quickly destine the functionality of the smartcard. The problem that is often encountered: Pre-installed applets are proprietary software. Some of them are supported by OpenSC, some are not. Proprietary applets also have additional disadvantages like obscurity and the impossibility to make additions and enhancements. Or licence restrictions and large amounts as "minimal ordering quantity".

How do you use your Java Card smartcard with OpenSC? One approach would be to reverse engineer the pre-installed applet and write a driver for it. Another possibility would be to try to use the M.U.S.C.L.E. applet, but, as far as I can tell, it is quite old and out-dated.

The IsoApplet tries to be compatible with as many smartcards as possible. However, it is targeting modern smartcards. I used the Java Card version 2.2.2 because I think that it is a good compromise between portability and up-to-dateness. There are really very few smartcards that support the never 3.x.x versions. A seperate version targeting 3.0.4 cards with extended functionality might be possible in the future. The applet supports RSA 2048 bit with on-card key generation. This ensures that the private key is not compromised prior to its use. ECDSA is supported as well, but the functionality is limited due to restriction of the Java Card API 2.2.2. The driver and applet support different FP EC curves. It depends on your smartcard whether it supports the different curves. EC Keys are also generated on the card.

Private key import is also supported, however not allowed at the default configuration. I do not recommend using it. However, in some cases, there is no other option (for example if you have to have your private key on a piece of paper in a safe). Data sent to the smartcard is not encrypted and that also counts for the private key when imported. I suspect that you know what you are doing and why if you use this functionality.

Getting excited? Visit the GitHub sites, play around and stay tuned for more blog posts on this website!

IsoApplet:
https://github.com/philipWendland/IsoApplet

OpenSC: https://github.com/OpenSC/OpenSC