Se ha denunciado esta presentación.
Se está descargando tu SlideShare. ×

Eric java card-basics-140314

Ad

JAVA CARD BASICS
CONCEPTS
Eric Vétillard / Oracle
Hong Kong/18.03.2014

Ad

WHY JAVA CARD ?

Ad

3
Java on a Smart Card
Smart cards are about tamper resistance (resisting to attacks)
■ Not just attacks coming from the W...

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Próximo SlideShare
Java Card, 15 years later
Java Card, 15 years later
Cargando en…3
×

Eche un vistazo a continuación

1 de 18 Anuncio
1 de 18 Anuncio

Eric java card-basics-140314

Descargar para leer sin conexión

A presentation made at a Java Card Forum Open Day in Hong Kong in 2014, explaining basic concepts about Java Card technology.

A presentation made at a Java Card Forum Open Day in Hong Kong in 2014, explaining basic concepts about Java Card technology.

Más Contenido Relacionado

Similares a Eric java card-basics-140314 (20)

Eric java card-basics-140314

  1. 1. JAVA CARD BASICS CONCEPTS Eric Vétillard / Oracle Hong Kong/18.03.2014
  2. 2. WHY JAVA CARD ?
  3. 3. 3 Java on a Smart Card Smart cards are about tamper resistance (resisting to attacks) ■ Not just attacks coming from the Web ■ Also all kinds of physical attacks ■ Observation attacks, where attackers listen to your devices ■ Fault attacks, where attackers use lasers to derail the silicon Using a smart card with a Java Card application gives you ■ A physical isolation from the client system and the Web ■ Assets remain secure even if a computer contains malware ■ Assets on the card cannot be accessed directly from internet ■ A physical protection against most direct attackers ■ Useful for end users when their card is stolen ■ Useful for application providers when the user is the attacker
  4. 4. 4 Java Card can Protect your Credentials Your application will most likely manage some credentials ■ PIN codes or passwords ■ Cryptographic keys ■ Certificates Java Card products will protect these credentials ■ With standard procedures on all sensitive classes ■ Assets remain secure even if a computer contains malware ■ Assets on the card cannot be accessed directly from internet ■ With standard procedures such as GlobalPlatform You are only responsible for your application logic
  5. 5. 5 How Much do you Need to Know about Security? Java Card doesn’t require any specific security skill ■ It simply defines a dialect of the Java language targeting smart cards Smart card application design requires security skills ■ What if your application returns a password as clear text? ■ Some security experience is required ■ Especially if you design your application from scratch Smart card application implementation requires security skills ■ Mostly for highly sensitive applications ■ Countermeasures for sophisticated attacks are not obvious ■ Java can even simplify some tasks, like error management with exceptions
  6. 6. 6 What about Security Certifications? Some industries/countries require security certifications ■ In most cases, Common Criteria, FIPS 140, or proprietary schemes ■ For instance, payment, identity, government apps, etc. Security certification requires specific skills ■ Not necessarily yours, many consultants are available Java Card provides you significant help ■ Most of the difficult work is done by platform providers ■ Application developers only need to “prove” that their application is secure ■ While relying on the Java Card security mechanisms
  7. 7. JAVA CARD KEY FACTS
  8. 8. A Full Ecosystem 8 Standards Alignment • ETSI / 3GPP / GlobalPlatform… • Critical success factor for global roll-out • Globally deployed Service delivery platform • Storage and execution of several independent applications • Matured and full controlled • Applications are independent from platforms High Security Certifications • Strong community for certification • Help is easy to find if required Post-Issuance • OTA application management • Flexible application download, personalization and lifecycle management Interoperability • Easy migration from one device to another • Independence from device provider • Target platform to be selected on specific qualities (memory, security) Openness • Development open to 3rd parties • Community support (Java Card Forum) • Extendable with new technologies (NFC)
  9. 9. 9 Target Platform The target platform is an integrated microcontroller ■ CPU + RAM + NVM + peripherals all in a single chip ■ CPU ranging from 8-bit to low-end 32-bit cores ■ Between 2KB and 32KB of RAM ■ Between 128KB and 1.5MB of Flash or EEPROM+ROM Security certification requires specific skills ■ Not necessarily yours, many consultants are available Java Card provides you significant help ■ Most of the difficult work is done by platform providers ■ Application developers only need to “prove” that their application is secure ■ While relying on the Java Card security mechanisms
  10. 10. A Java Card Product Java Card Core Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API Three specifications: • Java Card Runtime Environment specification • Java Card Virtual Machine specification • Java Card API specification Latest release is Java Card Classic, version 3.0.4
  11. 11. A Java Card Platform Operating System Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  12. 12. A Java Card Platform Card Management Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  13. 13. A Java Card Platform Vertical Libraries Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  14. 14. A Java Card Platform Applications Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  15. 15. 15 Application model A smart card is an “on-demand” server ■ The server is available when the card is powered and connected ■ Multiple applications are available, selection is required ■ Request protocols are standard by ISO (ISO7816, ISO14443) Java Card simply provides a framework around this ■ Each application includes an Applet class, which defines ■ A procedure to manage its instantiation install() ■ A behavior when an application instance is selected select() ■ A behavior when an application processes a request process() ■ And a few more things, like deselection This framework is sometimes complemented by vertical frameworks ■ For instance, the SIM Application Toolkit framework for SIM cards ■ Also defines a behavior for processing specific events processToolkit()
  16. 16. 16 Persistence Model In Java Card Classic, all data is stored in objects ■ Objects are persistent by default ■ Atomicity is guaranteed for all updates ■ Objects are kept across sessions (persistent VM) Transient objects (in RAM) are also available ■ Mostly for performance and security reasons The persistence model greatly influences programming style ■ Most objects are allocated statically during installation ■ Dynamic allocation during processing is strongly discouraged ■ There is no specific code for loading and saving data ■ All data from the application is available at all times
  17. 17. Application Firewall com.bank.cardapps EMVApplet OTPApplet com.localta.tkt TransportApplet
  18. 18. THANK YOU! Eric Vétillard Oracle eric.vetillard@oracle.com JCF contact: karen.brindley@javacardforum.org

×