MULTOS
SoftwareMulti-application Operating System for smart cards, providing high-security multi-application support with EAL7 certification.
MULTOS
MULTOS (Multi-application Operating System) is a high-security smart card operating system designed for multi-application deployment, notable for being the only smart card platform to achieve Common Criteria EAL 7 certification — the highest level of the evaluation scale. Developed and managed by the MULTOS Consortium (now under the MAOSCO brand), MULTOS provides an alternative to JavaCard with a different security philosophy and application model.
Architecture
MULTOS uses a three-layer architecture:
| Layer | Description |
|---|---|
| Application layer | MEL (MULTOS Executable Language) bytecode applications |
| Virtual machine | MULTOS interpreter executing MEL instructions |
| Hardware abstraction | OS primitives for crypto, I/O, memory management |
Unlike JavaCard, which uses a subset of Java bytecode, MULTOS defines its own instruction set (MEL) optimized for the constrained smart card environment. MEL bytecodes are more compact than Java bytecodes, reducing the storage footprint on EEPROM.
Security Model
MULTOS's security model differs from JavaCard / GlobalPlatform in a fundamental way: application loading is controlled by a global certification authority (the MULTOS CA) rather than by the card issuer alone. Every application must be signed by the MULTOS CA before it can be loaded onto any MULTOS card. This centralized trust model provides strong guarantees against unauthorized code execution but reduces the flexibility of issuer-managed application deployment.
Key security features:
- Application isolation: Hardware-enforced memory partitioning between applications — no application can access another's data
- Certified loading: Every application binary is signed by the MULTOS CA using RSA or ECC signatures
- Delegated management: Card issuers receive Application Load Certificates (ALCs) that authorize loading specific applications
- EAL7 certification: Formally verified design with mathematical proofs of security properties
MULTOS vs JavaCard
| Feature | MULTOS | JavaCard |
|---|---|---|
| Certification | EAL 7 | EAL4+ to EAL6+ |
| Market share | ~5% | ~90% |
| Instruction set | MEL (proprietary) | Java bytecode subset |
| Application signing | Central CA required | Issuer-managed (GP) |
| Development tools | MULTOS SmartDeck | Eclipse + GP tools |
| Chip vendors | Limited | NXP, Infineon, Samsung, Thales |
Deployment
MULTOS is deployed primarily in high-security payment cards (particularly in the UK and Asia-Pacific), government identity cards, and military applications where the EAL7 certification provides regulatory advantages. The platform supports EMV payment, PKI authentication, and electronic purse applications.
Related Content
Smart Card Fundamentals
Getting Started…None RSA, ECC, AES on-chip Applets N/A JavaCard , MULTOS Reprogrammable Limited Yes (post-issuance via OTA ) Cost…
Post-Quantum Cryptography for Smart Cards
Security…— external implementation via javacardx.security extension MULTOS ML-KEM experimental support (2024 MULTOS SDK) Infineon…
MULTOS Application Development
ProgrammingMULTOS Application Development MULTOS (Multi-application…
Common Criteria Evaluation Process
Compliance…chips routinely target EAL5+ (augmented). JavaCard and MULTOS operating systems typically achieve EAL4+ to EAL5+. The…
Smart Card Development Environment Setup
Developer Tools…stack depends on whether you are targeting JavaCard , MULTOS , or a proprietary card OS, but the underlying reader and…
Pertanyaan yang Sering Diajukan
The smart card glossary is a comprehensive reference of technical terms, acronyms, and concepts used in smart card technology. It covers protocols (APDU, T=0, T=1), security (Common Criteria, EAL, HSM), hardware (SE, EEPROM, contact pad), and applications (EMV, ePassport, eSIM). It serves developers, product managers, and engineers.
Yes. SmartCardFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai.