Java Card in Banking and NFC


  1. Java Card in Banking and NFC. Eric VETILLARD, Principal Product Manager, Java Card. Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  2. Some Mobile Payment Initiatives: SIM Toolkit, NFC, Web-based, 2nd Chip
  3. Program Agenda
     • Opportunities in banking and payment
     • Opportunities in NFC
     • Java Card in banking market
     • Java Card in NFC
     • The Reference Platform
     • Helping you address your market
  4. Chip Card Migration
  5. Chip Card Migrations: Huge card volumes
     • Several countries with billions of cards
       – USA, China, India
     • Many more countries with very large numbers
     • Migration processes are getting organized
       – Contact and/or contactless?
       – User authentication: PIN, signature, …
       – Mix of national programs and brand-oriented programs
  6. Program Agenda
     • Opportunities in banking and payment
     • Opportunities in NFC
     • Java Card in banking market
     • Java Card in NFC
     • The Reference Platform
     • Helping you address your market
  7. NFC Deployments are Happening
     • The infrastructure is getting ready
       – Phones are slowly appearing
       – Contactless readers are getting deployed
       – TSM infrastructure is ready
     • Business models are somewhat slower
       – Diverging interests between stakeholders
       – Some impact on the technical infrastructure
       – For instance, the type of Secure Element
  8. NFC Secure Elements
     • SIM cards with SWP
       – Network operators’ preferred solution
       – Everybody else is wary of it
     • Embedded SE’s
       – Domination of the “mobile wallet” actors
       – Not well accepted by mobile operators
     • SD Cards
       – Used by banks in many pilots
       – Can only work if it supports multiple application providers
  9. Payment a Key NFC Application
     • Largest NFC actions focused on payment
       – Isis and Google in the US
       – China Union Pay in China
       – Citizy and mobile operators in France
     • NFC payments endorsed by all payment actors
       – Visa, Union Pay, MasterCard, American Express, Discover, …
  10. Program Agenda
      • Opportunities in banking and payment
      • Opportunities in NFC
      • Java Card in banking market
      • Java Card in NFC
      • The Reference Platform
      • Helping you address your market
  11. The Java Card Promise: Multiple Applications
      [Diagram: one Java Card Platform hosting a Pay app, an OTP app and a Loy app]
  12. The Java Card Promise: Multiple Applications, Platform Interoperability
      [Diagram: Java Card Platform #1 and Java Card Platform #2, each hosting a Pay app, an OTP app and a Loy app]
  13. The Java Card Promise: Multiple Applications, Platform Interoperability, Application Isolation
      [Diagram: Java Card Platform #1, Java Card Platform #2 and Java Card Platform #3 (Certified), with Pay, OTP and Loy apps]
  14. Multi-application cards
      • Several applications on a card
        – Leveraging the value of the card
        – Offering more services to the users
      • More flexibility in the lifecycle
        – Managing application(s) independently of the card
        – Modifying the card after its issuance
      • Separating applications from platform
        – Improving card management
  15. Step 1: Basic Interoperability
      • Use several vendors
        – Applications are portable
        – Reduced deployment cost
        – Reduced time-to-market
      [Diagram: Java Card Platform (Vendor #1) and Java Card Platform (Vendor #2), each hosting a Pay app, an OTP app and a Loy app]
  16. Step 2: Defining a Product Line
      [Diagram: Java Card Platform (Closed) with a Pay app; Java Card Platform (Open) with Pay, OTP and Loy apps; Java Card Platform (Third-Party) with Pay, STK and SIM apps. Captions: Low-cost card for mass deployment; Premium card for key customers; Partner’s card for mobile payment; One application]
  17. Certifying a Payment Card: Developing the application
      • Attacks are becoming more sophisticated
        – Power analysis attacks
        – Fault induction attacks
      • Countermeasures are required at application level
        – Protecting key assets from attacks
      • Developing an application is hard
        – Better to rely on an up-to-date reference implementation
  18. New Certification Approach: Splitting responsibilities
      • A reference implementation is provided
        – Implemented all required features (properly)
        – Including all required countermeasures
      • Functional certification
        – Platform first certified as Java Card compliant
      • Security certification
        – Platform countermeasures evaluated separately
      • Final certification can be minimized
  19. Three-step Certification
      [Diagram: two Java Card Platforms, each with a Pay app. Labels: Functional testing; Security analysis; TCK compliance; Security evaluation; Performance tests; Security checks]
  20. Program Agenda
      • Opportunities in banking and payment
      • Opportunities in NFC
      • Java Card in banking market
      • Java Card in NFC
      • The Reference Platform
      • Helping you address your market
  21. Java Card is at the Heart of NFC
      • NFC Secure Elements share some characteristics
        – They host multiple applications
        – Applications come from multiple providers
        – The applications are known late in the process
      • Java Card is a core enabler for these characteristics
        – Clear isolation of applications from untrusted sources
        – Possibility to load applications dynamically
  22. Java Card and NFC Certification
      • Reference applications are becoming common
        – Several key actors in the payment market
        – Easiest way to deal with certification
      • Also offers possibilities for non-sensitive applications
        – Guidelines can be defined for these applications
        – Automated tools can be used to analyze these applications
        – See ongoing work in GlobalPlatform’s Card Security Workgroup
  23. NFC is Part of the Global Offer
      • Sharing some components with other offers
        – Payment applications are similar to those used on cards
      • Including specific components
        – Availability of User Interface can support additional applications
  24. Program Agenda
      • Opportunities in banking and payment
      • Opportunities in NFC
      • Java Card in banking market
      • Java Card in NFC
      • The Reference Platform
      • Helping you address your market
  25. The Reference Open Platform
      • The most open platform
        – Readily accessible to all developers
        – Including JDK, Protection Profile, and more
        – Freedom to extend and choose card management options
      • Many vertical API’s
        – ETSI and 3GPP APIs for STK, SCWS, and much more
        – GlobalPlatform API’s for management, NFC, and more
  26. The Reference for Certification
      • Common Criteria ready
        – Java Card Protection Profile is freely available
        – Many certifications around Java Card
          • Since 2011, 6 platforms and 11 applications in France only
      • The basis for private certification frameworks
        – Platform security requirements from EMVCo
        – NFC application security guidelines from AFSCM
  27. Program Agenda
      • Opportunities in banking and payment
      • Opportunities in NFC
      • Java Card in banking market
      • Java Card in NFC
      • The Reference Platform
      • Helping you address your market
  28. Oracle Tools
      • Oracle provides tools to Java Card licensees
        – Testing and Compatibility Kit (TCK)
        – Trimming Tool
      • Oracle provides tools to Java Card developers
        – Java Card Development Kit (JCDK)
        – Netbeans IDE integration
      • Oracle provides tools to Java Card issuers
        – Java Card Binary Verification Tool
  29. Licensee Tools: Tools to build platforms
      • Compliance testing
        – Technology Compliance Kit (TCK)
        – Thousands of test cases
        – Must be run successfully to be allowed to distribute product
      • Platform optimization
        – Trimming tool
        – Determines minimum subset to run an application
        – Used to build optimized (closed) implementations
  30. Developer Tools: Tools to build Java Card applications
      • Building and deploying applications
        – Specific converter to produce CAP files
        – Bytecode verifier used in deployment
        – Integration in Java code production chain
      • Developing applications
        – Integration into Netbeans IDE
        – Integrated debugging using simulator
  31. Issuer Tools: Tools to check Java Card platforms and applications
      • Checking the full compliance of platforms
        – Java Card Binary Verification Tool
        – Runs the TCK on a card
        – Simply answers through a “yes/no” flag
        – Objective is to check the full compliance of platforms
      • Checking the validity of CAP files for a platform
        – Java Card Bytecode Verifier
        – Delivered with the development toolkit
  32. Many Actors Ready to Help: Java Card has created a full ecosystem
      • Product development
        – Card vendors
        – Application developers and consultants
        – Security evaluation laboratories
      • Product deployment
        – Personalization bureaus
        – Trusted Service Managers (TSM’s)
      • All of this made possible by standardization
  33. Q&A
