JCRE

Java Card™ Run Time Environment

Security
Introduced in Rel-6
The Java Card Run Time Environment (JCRE) is a secure, standardized software platform that enables Java-based applications (applets) to run on smart cards and embedded secure elements, such as UICCs used in mobile devices. It provides a protected execution environment with defined APIs for security services, memory management, and applet lifecycle control, crucial for hosting SIM/USIM applications.

Description

The Java Card Run Time Environment (JCRE) is a subset of the Java platform specifically designed for resource-constrained secure hardware like smart cards, UICCs (Universal Integrated Circuit Cards), and embedded Secure Elements (eSE). Defined in 3GPP specifications like TS 51.013 and referenced in vocabulary TS 21.905, the JCRE forms the core software layer that manages the execution of Java Card applets. It runs in a secure, isolated environment on the card's chip.

The JCRE consists of several key components: the Java Card Virtual Machine (JCVM), which interprets bytecode for the applets; the Java Card Framework, which provides a set of APIs (e.g., javacard.framework, javacard.security) for applets to access card services like cryptographic operations, APDU (Application Protocol Data Unit) communication, and persistent object storage; and the JCRE system classes, which handle fundamental services such as applet installation, registration, selection, and firewall-based isolation between applets.

How it works: When a mobile device or terminal sends a command APDU to the UICC, the JCRE's communication system receives it, identifies the targeted applet (via its Application Identifier, AID), and dispatches the command to that applet's process method within its protected context. The applet executes using the JCVM, can call JCRE API methods to perform crypto operations or manage data, and returns a response APDU. The JCRE enforces strict security boundaries through its applet firewall, preventing unauthorized inter-applet access unless explicitly allowed via shareable interfaces.

Its role in the network is foundational for mobile security, as it hosts the USIM application that performs subscriber authentication (using MILENAGE algorithms), stores cryptographic keys, and enables secure services like mobile banking, transport ticketing, and device identity management.
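The dispatch path and firewall exception described above, shown as an added example that is not taken from any 3GPP specification or vendor code base. The package, class and interface names, the CLA/INS values and the client AID are all hypothetical, constructed for illustration.

```java
// --- CounterService.java (hypothetical; public so other packages can use it) ---
package example.counter;
import javacard.framework.Shareable;
public interface CounterService extends Shareable { short getCount(); }

// --- CounterApplet.java (AID and CLA/INS values below are constructed) ---
package example.counter;
import javacard.framework.*;

public class CounterApplet extends Applet implements CounterService {
    private static final byte CLA_EXAMPLE = (byte) 0x80;
    private static final byte INS_INCREMENT = (byte) 0x10;
    // AID of the single client applet allowed through the firewall
    private static final byte[] CLIENT_AID =
        { (byte) 0xA0, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03 };
    private short count; // instance field, kept in persistent memory

    private CounterApplet() { register(); } // register with the JCRE under our AID

    // Invoked by the JCRE once, when the applet is installed
    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new CounterApplet();
    }

    // Invoked by the JCRE for each command APDU dispatched to this applet
    public void process(APDU apdu) {
        if (selectingApplet()) return; // the SELECT that chose us: reply 0x9000
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_CLA] != CLA_EXAMPLE)
            ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
        if (buf[ISO7816.OFFSET_INS] != INS_INCREMENT)
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        count++;
        Util.setShort(buf, (short) 0, count);
        apdu.setOutgoingAndSend((short) 0, (short) 2); // 2 data bytes + 0x9000
    }

    private static boolean isTrusted(AID aid) {
        return aid != null
            && aid.equals(CLIENT_AID, (short) 0, (byte) CLIENT_AID.length);
    }
    // Invoked by the JCRE when another applet asks for our shareable object
    public Shareable getShareableInterfaceObject(AID clientAID, byte parameter) {
        return isTrusted(clientAID) ? this : null; // null keeps the firewall closed
    }
    public short getCount() {
        // Re-check the caller: the object reference may have been passed on
        if (!isTrusted(JCSystem.getPreviousContextAID()))
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        return count;
    }
}
```

Checking the caller both when the shareable object is handed out and again inside each shared method keeps access limited to the intended client even if the object reference is later passed to another applet.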

Purpose & Motivation

JCRE was created to address the need for a standardized, multi-application platform on smart cards, overcoming the limitations of proprietary, monolithic card operating systems. Before Java Card, each card issuer or manufacturer developed custom software, making it difficult to deploy, update, or manage multiple applications from different vendors on a single card. The Java Card technology, with JCRE as its runtime, introduced write-once-run-anywhere portability for card applets, significantly reducing development time and cost. In the context of 3GPP, its adoption for UICCs was motivated by the desire for a flexible, future-proof platform for the USIM, enabling the SIM card to evolve beyond basic authentication to host value-added services (e.g., NFC payment, identity). It solved the problem of siloed, insecure application development by providing a well-defined, secure execution sandbox with standardized APIs, ensuring applets from different providers could coexist without compromising the card's security or stability. Historically, its introduction aligned with the industry move towards open standards and programmable hardware, allowing mobile network operators to personalize cards with services post-issuance and fostering an ecosystem of third-party secure applet developers.

Key Features

  • Secure, isolated execution environment with an applet firewall
  • Standardized Java Card APIs for cryptography, I/O, and persistent storage
  • Bytecode interpretation via the Java Card Virtual Machine (JCVM)
  • Applet lifecycle management (installation, instantiation, selection, deletion)
  • Support for GlobalPlatform-compliant secure card management
  • Inter-applet communication via shareable interface objects

Evolution Across Releases

Rel-6 Initial

JCRE was initially referenced in 3GPP Release 6, aligning with the adoption of Java Card technology for UICC platform standardization. The initial architecture involved specifying requirements for the JCRE to support USIM applications, including mandatory APIs for security and telecommunications functions, establishing the foundation for programmable, multi-application SIM cards in 3G networks.

Defining Specifications

Specification    Title
TS 21.905        3GPP TS 21.905
TS 51.013        3GPP TR 51.013