SlideShare a Scribd company logo
JAVA CARD BASICS
CONCEPTS
Eric Vétillard / Oracle
Hong Kong/18.03.2014
WHY JAVA CARD ?
3
Java on a Smart Card
Smart cards are about tamper resistance (resisting to attacks)
■ Not just attacks coming from the Web
■ Also all kinds of physical attacks
■ Observation attacks, where attackers listen to your devices
■ Fault attacks, where attackers use lasers to derail the silicon
Using a smart card with a Java Card application gives you
■ A physical isolation from the client system and the Web
■ Assets remain secure even if a computer contains malware
■ Assets on the card cannot be accessed directly from internet
■ A physical protection against most direct attackers
■ Useful for end users when their card is stolen
■ Useful for application providers when the user is the attacker
4
Java Card can Protect
your Credentials
Your application will most likely manage some credentials
■ PIN codes or passwords
■ Cryptographic keys
■ Certificates
Java Card products will protect these credentials
■ With standard procedures on all sensitive classes
■ Assets remain secure even if a computer contains malware
■ Assets on the card cannot be accessed directly from internet
■ With standard procedures such as GlobalPlatform
You are only responsible for your application logic
5
How Much do you Need to
Know about Security?
Java Card doesn’t require any specific security skill
■ It simply defines a dialect of the Java language targeting smart cards
Smart card application design requires security skills
■ What if your application returns a password as clear text?
■ Some security experience is required
■ Especially if you design your application from scratch
Smart card application implementation requires security skills
■ Mostly for highly sensitive applications
■ Countermeasures for sophisticated attacks are not obvious
■ Java can even simplify some tasks, like error management with exceptions
6
What about
Security Certifications?
Some industries/countries require security certifications
■ In most cases, Common Criteria, FIPS 140, or proprietary schemes
■ For instance, payment, identity, government apps, etc.
Security certification requires specific skills
■ Not necessarily yours, many consultants are available
Java Card provides you significant help
■ Most of the difficult work is done by platform providers
■ Application developers only need to “prove” that their application is secure
■ While relying on the Java Card security mechanisms
JAVA CARD KEY FACTS
A Full Ecosystem
8
Standards Alignment
• ETSI / 3GPP / GlobalPlatform…
• Critical success factor for global roll-out
• Globally deployed
Service delivery platform
• Storage and execution of several
independent applications
• Matured and full controlled
• Applications are independent from
platforms
High Security
Certifications
• Strong community for certification
• Help is easy to find if required
Post-Issuance
• OTA application management
• Flexible application download,
personalization and lifecycle
management
Interoperability
• Easy migration from one device to
another
• Independence from device provider
• Target platform to be selected on
specific qualities (memory, security)
Openness
• Development open to 3rd parties
• Community support (Java Card Forum)
• Extendable with new technologies (NFC)
9
Target Platform
The target platform is an integrated microcontroller
■ CPU + RAM + NVM + peripherals all in a single chip
■ CPU ranging from 8-bit to low-end 32-bit cores
■ Between 2KB and 32KB of RAM
■ Between 128KB and 1.5MB of Flash or EEPROM+ROM
Security certification requires specific skills
■ Not necessarily yours, many consultants are available
Java Card provides you significant help
■ Most of the difficult work is done by platform providers
■ Application developers only need to “prove” that their application is secure
■ While relying on the Java Card security mechanisms
A Java Card Product
Java Card Core
Native Platform
JCRE
VM
Applet
Applet Applet Applet
Library
Applet
Library
Card
Management
(GlobalPlatform)
API
Three specifications:
• Java Card Runtime Environment specification
• Java Card Virtual Machine specification
• Java Card API specification
Latest release is Java Card Classic, version 3.0.4
A Java Card Platform
Operating System
Native Platform
JCRE
VM
Applet
Applet Applet Applet
Library
Applet
Library
Card
Management
(GlobalPlatform)
API
A Java Card Platform
Card Management
Native Platform
JCRE
VM
Applet
Applet Applet Applet
Library
Applet
Library
Card
Management
(GlobalPlatform)
API
A Java Card Platform
Vertical Libraries
Native Platform
JCRE
VM
Applet
Applet Applet Applet
Library
Applet
Library
Card
Management
(GlobalPlatform)
API
A Java Card Platform
Applications
Native Platform
JCRE
VM
Applet
Applet Applet Applet
Library
Applet
Library
Card
Management
(GlobalPlatform)
API
15
Application model
A smart card is an “on-demand” server
■ The server is available when the card is powered and connected
■ Multiple applications are available, selection is required
■ Request protocols are standard by ISO (ISO7816, ISO14443)
Java Card simply provides a framework around this
■ Each application includes an Applet class, which defines
■ A procedure to manage its instantiation install()
■ A behavior when an application instance is selected select()
■ A behavior when an application processes a request process()
■ And a few more things, like deselection
This framework is sometimes complemented by vertical frameworks
■ For instance, the SIM Application Toolkit framework for SIM cards
■ Also defines a behavior for processing specific events processToolkit()
16
Persistence Model
In Java Card Classic, all data is stored in objects
■ Objects are persistent by default
■ Atomicity is guaranteed for all updates
■ Objects are kept across sessions (persistent VM)
Transient objects (in RAM) are also available
■ Mostly for performance and security reasons
The persistence model greatly influences programming style
■ Most objects are allocated statically during installation
■ Dynamic allocation during processing is strongly discouraged
■ There is no specific code for loading and saving data
■ All data from the application is available at all times
Application Firewall
com.bank.cardapps
EMVApplet OTPApplet
com.localta.tkt
TransportApplet
THANK YOU!
Eric Vétillard
Oracle
eric.vetillard@oracle.com
JCF contact: karen.brindley@javacardforum.org

More Related Content

What's hot

Security applications with Java Card
Security applications with Java CardSecurity applications with Java Card
Security applications with Java Card
Julien SIMON
 
Javacard
Javacard Javacard
Javacard
Samiksha90
 
jCardSim – Java Card is simple!
jCardSim – Java Card is simple!jCardSim – Java Card is simple!
jCardSim – Java Card is simple!
Mikhail Dudarev
 
Java card
Java cardJava card
Java card
Ravi Jakashania
 
Java card
Java cardJava card
Java card
rcrahul01
 
FIPS 201 / PIV
FIPS 201 / PIVFIPS 201 / PIV
FIPS 201 / PIV
Anshuman Sinha
 
Java Card Platform Security and Performance
Java Card Platform Security and PerformanceJava Card Platform Security and Performance
Java Card Platform Security and Performance
Eric Vétillard
 
Java card
Java card Java card
Java card
Naga Dinesh
 
Java Card Technology: The Foundations of NFC
Java Card Technology: The Foundations of NFCJava Card Technology: The Foundations of NFC
Java Card Technology: The Foundations of NFC
Eric Vétillard
 
Java card technology
Java card technologyJava card technology
Java card technology
Keerthi Thomas
 
Study of Java Card and its Application
Study of Java Card and its ApplicationStudy of Java Card and its Application
Study of Java Card and its Application
editor1knowledgecuddle
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card Platform
Ramesh Nagappan
 
From Bitcoin Hardware Wallets to Personal Privacy Devices
From Bitcoin Hardware Wallets to Personal Privacy DevicesFrom Bitcoin Hardware Wallets to Personal Privacy Devices
From Bitcoin Hardware Wallets to Personal Privacy Devices
MecklerMedia
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalities
Yiannis Hatzopoulos
 

What's hot (14)

Security applications with Java Card
Security applications with Java CardSecurity applications with Java Card
Security applications with Java Card
 
Javacard
Javacard Javacard
Javacard
 
jCardSim – Java Card is simple!
jCardSim – Java Card is simple!jCardSim – Java Card is simple!
jCardSim – Java Card is simple!
 
Java card
Java cardJava card
Java card
 
Java card
Java cardJava card
Java card
 
FIPS 201 / PIV
FIPS 201 / PIVFIPS 201 / PIV
FIPS 201 / PIV
 
Java Card Platform Security and Performance
Java Card Platform Security and PerformanceJava Card Platform Security and Performance
Java Card Platform Security and Performance
 
Java card
Java card Java card
Java card
 
Java Card Technology: The Foundations of NFC
Java Card Technology: The Foundations of NFCJava Card Technology: The Foundations of NFC
Java Card Technology: The Foundations of NFC
 
Java card technology
Java card technologyJava card technology
Java card technology
 
Study of Java Card and its Application
Study of Java Card and its ApplicationStudy of Java Card and its Application
Study of Java Card and its Application
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card Platform
 
From Bitcoin Hardware Wallets to Personal Privacy Devices
From Bitcoin Hardware Wallets to Personal Privacy DevicesFrom Bitcoin Hardware Wallets to Personal Privacy Devices
From Bitcoin Hardware Wallets to Personal Privacy Devices
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalities
 

Viewers also liked

Secure Element Solutions
Secure Element SolutionsSecure Element Solutions
Secure Element Solutions
Ugo Chirico
 
IoT Security: Cases and Methods [CON5446]
IoT Security: Cases and Methods [CON5446]IoT Security: Cases and Methods [CON5446]
IoT Security: Cases and Methods [CON5446]
Leonardo De Moura Rocha Lima
 
Secure Elements in Web Applications
Secure Elements in Web ApplicationsSecure Elements in Web Applications
Secure Elements in Web Applications
Olivier Potonniée
 
IoT summit - Building flexible & secure IoT solutions
IoT summit - Building flexible & secure IoT solutionsIoT summit - Building flexible & secure IoT solutions
IoT summit - Building flexible & secure IoT solutions
Eric Larcheveque
 
NFC Basic Concepts
NFC Basic ConceptsNFC Basic Concepts
NFC Basic Concepts
Ade Okuboyejo
 
Mobile Payment fraud & risk assessment
Mobile Payment fraud & risk assessmentMobile Payment fraud & risk assessment
Mobile Payment fraud & risk assessment
Stefano Maria De' Rossi
 

Viewers also liked (6)

Secure Element Solutions
Secure Element SolutionsSecure Element Solutions
Secure Element Solutions
 
IoT Security: Cases and Methods [CON5446]
IoT Security: Cases and Methods [CON5446]IoT Security: Cases and Methods [CON5446]
IoT Security: Cases and Methods [CON5446]
 
Secure Elements in Web Applications
Secure Elements in Web ApplicationsSecure Elements in Web Applications
Secure Elements in Web Applications
 
IoT summit - Building flexible & secure IoT solutions
IoT summit - Building flexible & secure IoT solutionsIoT summit - Building flexible & secure IoT solutions
IoT summit - Building flexible & secure IoT solutions
 
NFC Basic Concepts
NFC Basic ConceptsNFC Basic Concepts
NFC Basic Concepts
 
Mobile Payment fraud & risk assessment
Mobile Payment fraud & risk assessmentMobile Payment fraud & risk assessment
Mobile Payment fraud & risk assessment
 

Similar to Eric java card-basics-140314

Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
Precisely
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
Java card technology
Java card technologyJava card technology
Java card technology
Amol Kamble
 
Spo2 w25
Spo2 w25Spo2 w25
Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891
Risk Crew
 
Java Card Security
Java Card SecurityJava Card Security
Java Card Security
Riscure
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
G Prachi
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
Sophos Benelux
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmware
Nitesh Malviya
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
Sam Bowne
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
Pragati Rai
 
Implementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile WorldImplementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile World
LINE Corporation
 
Java card technology
Java card technologyJava card technology
Java card technology
Keerthi Thomas
 

Similar to Eric java card-basics-140314 (20)

Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
Android Security
Android SecurityAndroid Security
Android Security
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
Java card technology
Java card technologyJava card technology
Java card technology
 
Spo2 w25
Spo2 w25Spo2 w25
Spo2 w25
 
Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891
 
Java Card Security
Java Card SecurityJava Card Security
Java Card Security
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application Security
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmware
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Implementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile WorldImplementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile World
 
Java card technology
Java card technologyJava card technology
Java card technology
 

Recently uploaded

Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 

Recently uploaded (20)

Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 

Eric java card-basics-140314

  • 1. JAVA CARD BASICS CONCEPTS Eric Vétillard / Oracle Hong Kong/18.03.2014
  • 3. 3 Java on a Smart Card Smart cards are about tamper resistance (resisting to attacks) ■ Not just attacks coming from the Web ■ Also all kinds of physical attacks ■ Observation attacks, where attackers listen to your devices ■ Fault attacks, where attackers use lasers to derail the silicon Using a smart card with a Java Card application gives you ■ A physical isolation from the client system and the Web ■ Assets remain secure even if a computer contains malware ■ Assets on the card cannot be accessed directly from internet ■ A physical protection against most direct attackers ■ Useful for end users when their card is stolen ■ Useful for application providers when the user is the attacker
  • 4. 4 Java Card can Protect your Credentials Your application will most likely manage some credentials ■ PIN codes or passwords ■ Cryptographic keys ■ Certificates Java Card products will protect these credentials ■ With standard procedures on all sensitive classes ■ Assets remain secure even if a computer contains malware ■ Assets on the card cannot be accessed directly from internet ■ With standard procedures such as GlobalPlatform You are only responsible for your application logic
  • 5. 5 How Much do you Need to Know about Security? Java Card doesn’t require any specific security skill ■ It simply defines a dialect of the Java language targeting smart cards Smart card application design requires security skills ■ What if your application returns a password as clear text? ■ Some security experience is required ■ Especially if you design your application from scratch Smart card application implementation requires security skills ■ Mostly for highly sensitive applications ■ Countermeasures for sophisticated attacks are not obvious ■ Java can even simplify some tasks, like error management with exceptions
  • 6. 6 What about Security Certifications? Some industries/countries require security certifications ■ In most cases, Common Criteria, FIPS 140, or proprietary schemes ■ For instance, payment, identity, government apps, etc. Security certification requires specific skills ■ Not necessarily yours, many consultants are available Java Card provides you significant help ■ Most of the difficult work is done by platform providers ■ Application developers only need to “prove” that their application is secure ■ While relying on the Java Card security mechanisms
  • 8. A Full Ecosystem 8 Standards Alignment • ETSI / 3GPP / GlobalPlatform… • Critical success factor for global roll-out • Globally deployed Service delivery platform • Storage and execution of several independent applications • Matured and full controlled • Applications are independent from platforms High Security Certifications • Strong community for certification • Help is easy to find if required Post-Issuance • OTA application management • Flexible application download, personalization and lifecycle management Interoperability • Easy migration from one device to another • Independence from device provider • Target platform to be selected on specific qualities (memory, security) Openness • Development open to 3rd parties • Community support (Java Card Forum) • Extendable with new technologies (NFC)
  • 9. 9 Target Platform The target platform is an integrated microcontroller ■ CPU + RAM + NVM + peripherals all in a single chip ■ CPU ranging from 8-bit to low-end 32-bit cores ■ Between 2KB and 32KB of RAM ■ Between 128KB and 1.5MB of Flash or EEPROM+ROM Security certification requires specific skills ■ Not necessarily yours, many consultants are available Java Card provides you significant help ■ Most of the difficult work is done by platform providers ■ Application developers only need to “prove” that their application is secure ■ While relying on the Java Card security mechanisms
  • 10. A Java Card Product Java Card Core Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API Three specifications: • Java Card Runtime Environment specification • Java Card Virtual Machine specification • Java Card API specification Latest release is Java Card Classic, version 3.0.4
  • 11. A Java Card Platform Operating System Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  • 12. A Java Card Platform Card Management Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  • 13. A Java Card Platform Vertical Libraries Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  • 14. A Java Card Platform Applications Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  • 15. 15 Application model A smart card is an “on-demand” server ■ The server is available when the card is powered and connected ■ Multiple applications are available, selection is required ■ Request protocols are standard by ISO (ISO7816, ISO14443) Java Card simply provides a framework around this ■ Each application includes an Applet class, which defines ■ A procedure to manage its instantiation install() ■ A behavior when an application instance is selected select() ■ A behavior when an application processes a request process() ■ And a few more things, like deselection This framework is sometimes complemented by vertical frameworks ■ For instance, the SIM Application Toolkit framework for SIM cards ■ Also defines a behavior for processing specific events processToolkit()
  • 16. 16 Persistence Model In Java Card Classic, all data is stored in objects ■ Objects are persistent by default ■ Atomicity is guaranteed for all updates ■ Objects are kept across sessions (persistent VM) Transient objects (in RAM) are also available ■ Mostly for performance and security reasons The persistence model greatly influences programming style ■ Most objects are allocated statically during installation ■ Dynamic allocation during processing is strongly discouraged ■ There is no specific code for loading and saving data ■ All data from the application is available at all times
  • 18. THANK YOU! Eric Vétillard Oracle eric.vetillard@oracle.com JCF contact: karen.brindley@javacardforum.org