Monday, March 17, 2014

HCE: Host-based Card Emulation 1/2

It's been quite a while since my last post...
I have been quite busy exploring the possibilities of various new technologies :) It's about time the learnings were shared.

In this post I will try to share some simple and basic details about the much-talked-about HCE.

Q> What is HCE?
A> Host-Based Card Emulation

Er... what's that??
Before we talk about HCE (Host-Based Card Emulation) we must understand what CE (Card Emulation) is.

Card Emulation is, as it says, the emulation of a card (credit card / ID card / loyalty card / any card) over the NFC interface of a mobile phone.

In this mode the phone's NFC can exchange APDUs (data) with a POS (payment terminal) or any other terminal (e.g. a security machine on doors or a time-punching machine for your office).

Alright!! I understand NFC, but what's Card Emulation?
A card here refers to an environment which is created with the help of a secure element and applets.

Woaahhh 2 NEW TERMS!!!
Secure Element: In the simplest words, it's memory + processor + mini OS which sits outside the phone OS, is highly restricted for access and is believed to be non-hackable!
Applets: Nothing more than small Java programs which run on this mini OS of the Secure Element and communicate using hexadecimal commands, also known as APDUs.

So when you use your credit card or even a SIM card, remember "YOU GOT THE POWER" of a secure element in your hands. Yeah, that's a freaking complete operating system, which is super secure, in your hand.

Ok.. so??
So Card Emulation basically says that, in order to communicate with this Card (Secure Element + Applets), the phone's NFC will accept the commands, send them to the Card residing somewhere in the phone, and then forward the responses generated by the Card over the NFC interface back to the terminal.



Now, to ease things up, the Card can be present in any of these 3 locations:
1. Embedded Secure Element
2. SD card-based Secure Element
3. UICC (SIM Card)

Kool!! Then why do we need HCE?
The biggest advantage of the Secure Element is also its biggest disadvantage: being highly restricted, any addition or deletion of data needs a heck of a lot of approvals from its provider.
For example: in the case of a UICC-based Secure Element, only the MNO (Mobile Network Operator) who owns the SIM card is authorised to put your credit card data inside the secure element, BUT the credit card belongs to an Issuer (Bank). Therefore, in order to put one simple credit card inside a secure element, you need the Bank and the MNO to come together and work together. No wonder you don't see many applications which use any of these technologies.

Now with HCE, there is no need for a Secure Element; I mean, you can work even without one.
Now the data can be sent and received directly by an application, your own phone application.
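
The exchange described above, as an added example that is not from the original post: a small Python model of a phone application answering a terminal's APDUs itself, with no secure element behind it. The AID, the stored record and the names `HostCard` and `terminal_session` are hypothetical; the command bytes follow the ISO 7816-4 SELECT and READ BINARY layouts.

```python
# Added example: a phone application acting as the "card", with no secure element.
# DEMO_AID and DEMO_RECORD are constructed values, not real card data.
DEMO_AID = bytes.fromhex("F0010203040506")
DEMO_RECORD = b"LOYALTY-0001"

SW_OK = b"\x90\x00"                # success
SW_WRONG_LENGTH = b"\x67\x00"      # malformed length fields
SW_NOT_ALLOWED = b"\x69\x85"       # command sent before SELECT
SW_NOT_FOUND = b"\x6A\x82"         # unknown AID
SW_WRONG_OFFSET = b"\x6B\x00"      # P1/P2 point outside the record
SW_INS_UNSUPPORTED = b"\x6D\x00"   # anything else is rejected


class HostCard:
    """Handles command APDUs from a terminal and returns response APDUs."""

    def __init__(self):
        self.selected = False

    def process(self, apdu: bytes) -> bytes:
        if len(apdu) < 5:                          # CLA INS P1 P2 + Lc or Le
            return SW_WRONG_LENGTH
        cla, ins, p1, p2, p3 = apdu[:5]
        if (cla, ins, p1) == (0x00, 0xA4, 0x04):   # SELECT by AID, p3 is Lc
            aid, rest = apdu[5:5 + p3], apdu[5 + p3:]
            if len(aid) != p3 or len(rest) > 1:    # Lc must match; Le is optional
                return SW_WRONG_LENGTH
            self.selected = aid == DEMO_AID
            return SW_OK if self.selected else SW_NOT_FOUND
        if (cla, ins) == (0x00, 0xB0):             # READ BINARY, p3 is Le
            if len(apdu) != 5:
                return SW_WRONG_LENGTH
            if not self.selected:
                return SW_NOT_ALLOWED
            offset = (p1 << 8) | p2
            if p1 & 0x80 or offset >= len(DEMO_RECORD):
                return SW_WRONG_OFFSET
            length = p3 or 256                     # Le = 00 means "up to 256"
            return DEMO_RECORD[offset:offset + length] + SW_OK
        return SW_INS_UNSUPPORTED


def terminal_session(card: HostCard) -> list:
    """The terminal side: SELECT the application, then read its data."""
    select = bytes([0x00, 0xA4, 0x04, 0x00, len(DEMO_AID)]) + DEMO_AID
    read = bytes([0x00, 0xB0, 0x00, 0x00, 0x00])
    return [card.process(select), card.process(read)]
```

Note that the record here lives in ordinary application memory, which is exactly the trade-off against the restricted Secure Element described earlier.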


Next we will get into more details of the implementation... To be continued...