Java Card, 15 years later


A presentation made at Chip-to-Cloud 2012, about the first 15 years of Java Card history. It takes a look back at the major events for the technology, explains why they matter, and why Java Card still matters today and will still matter tomorrow.


  1. Java Card, 15 Years Later
     Eric Vétillard, Oracle
     Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
  2. 10,000,000,000
  3. 10,000,000,000 + 2,000,000,000 per year
  5. Program Agenda
     - 1996-1998: The early years
     - 1999-2002: The SIM Toolkit explosion
     - 2003-2009: Java Card 3 Connected
     - 2000-2012: Security certification
     - 2007-2012: The NFC promise
     - 2012-2027: The next 15 years
  6. 1996: Java on a Smart Card
     - At that time, there were many battles around card VMs
       - SIM Toolkit applications were starting to appear
       - Every vendor was proposing its own architecture
     - Schlumberger proposed to use Java
       - Crazy idea coming from their advanced R&D lab
       - Cyberflex demonstrated that Java could run on a smart card
     Cyberflex
  8. 1997: From scripts to objects
     - The Java Card Forum forms in April, 1997
       - Work starts immediately with aggressive schedule
       - The Java Card 2.0 specification is issued in October, 1997
       - Data is stored in objects, not in a traditional file system
     - Two products (research prototypes?) are shown at Cartes'1997
       - Cyberflex, now with some experience
       - A brand new GemXpresso, with Java Card 2.0
       - Cyberflex rightfully gets the Sesames award
  10. 1998: OpenPlatform is created
      - Java Card specification addresses programming
        - Building a portable Java Card application
        - Running the application on several platforms
      - OpenPlatform focuses on deployment
        - Loading and installing applications
        - Defining actors, roles, and tasks
      - Became the very strong GlobalPlatform organization
  12. 1999: Java Card 2.1 and interoperability
      - Binary-level interoperability
        - Java Card 2.1 will have a binary format for cards
        - Endless discussions on the card format
          - Settled on the CAP file and export file
      - Complex features now stabilized
        - Memory management, including transient objects
        - Inter-applet communication, with sharing
  14. 1999: The SIM Toolkit API is released
      - ETSI defines a specification "for Java Card"
        - Access to the GSM file system
        - Definition of SIM Toolkit applications
        - Mostly an API
      - Unleashed Java Card in the mobile market
        - APIs still exist, being revised regularly
  16. 2001: SIMAlliance Interop Stepping Stones
      - SIM Alliance is formed by a group of SIM vendors
        - Focus on easing the use of SIM cards
      - Interoperability stepping stones are a complement of ETSI specifications
        - Provides detailed tips about difficult-to-use features
        - Refines specifications where they are unclear
        - Provides examples and good usage guidelines
  18. 2002: Java Card 2.2 and RMI
      - RMI was a symbol of Java Card 2.2
        - Introduced by Gemplus in 1997, following Corba work
        - Adopted by Schlumberger and part of Java Card in 2002
      - The vision of RMI
        - APDUs are an anachronistic feature of the past
        - Cards need to be easier to use
        - RMI is an up-to-date technology for using cards
  20. 2009: Java Card 3.0, Connected Edition
      - The future of Java Card, as seen in 2002
        - Much bigger chips
        - Better connectivity
      - Major improvement of the technology
        - Virtual machine inspired by mobile technology
        - Embedded Web server
  22. 2001: First CC certificate
      - The Vocable project
        - EAL1+
        - Gemplus, Oberthur, Trusted Logic and Serma for Carte Bleue
      - One of the first Common Criteria certifications
        - Mostly an experiment
  24. 2003: The Java Card Protection Profile
      - A common base for the certification of Java Card products
        - Defining a security model for Java Card
        - Defining the main security functions of Java Card
      - PP has been certified, and revised several times
        - Used in many certifications every year
        - Complemented by work performed in JHAS on logical attacks
  26. 2010: First Platform certified by EMVCo
      - EMVCo security certifications have existed for a long time
        - Managed individually by Visa, MasterCard, …
        - Targeting a single payment application, regardless of platform
      - With NFC, EMVCo has started evaluating platforms
        - Based on a set of security guidelines issued by EMVCo
        - Without direct references to payment applications
  28. 2009: Java Card Supports NFC Wallets
      - Java Card at the heart of NFC secure elements
        - Mandated by both Google and Isis for their wallets
        - Only technology recognized in France by AFSCM
        - Similar decisions in many countries
      - Application providers are also using Java Card
        - Visa is providing a Java reference implementation for payment
  30. 2012: Embedding the card?
      - In NFC, SWP SIM vs. eSE
        - Power struggle of operators vs. wallet providers
      - In M2M, embedded formats are becoming common
        - Addresses issues with vibrations and more
      - Strong debate around embedded UICC
  32. 2015: Securing the Internet of Things
      - A piece in the end-to-end security story
        - Most devices are a front-end to the cloud
        - Device security is becoming important
          - Think of PCI, HIPAA, etc.
      - Java Card has a lot of potential
        - Most recognized security platform
        - A cousin of Java SE Embedded
        - Not linked to a single technology
  34. 2020 and beyond: The Security Subsystem
      - Form factor undecided
        - Separate hardware? In the chipset? Software?
        - Most likely, all of the above
      - Key features are not there
        - Assurance level is the key
        - Provability likely to become more and more important
        - Main reason to keep a smaller and simpler security subsystem
  36. So, what is happening?
      - Some interesting R&D work about Java Card security
        - Recently, Ph.D. thesis from Guillaume Barbu
        - More research work at Limoges, Nijmegen, Royal Holloway, …
      - Lots of work on security evaluation of applets
        - Talks from Jean-Baptiste Machemie and Emilie Faugeron
      - Java Card very present around NFC
        - Enabling many models throughout yesterday's NFC talks
      Making it happen really