Java Card in Banking and NFC

21 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Insert Information Protection Policy Classification from Slide 8
Java Card in Banking and NFC
Eric VETILLARD
Principal Product Manager, Java Card

reserved.
Some Mobile Payment Initiatives
SIM Toolkit
NFC Web-based
2nd Chip

reserved.
Program Agenda
• Opportunities in banking and payment
• Opportunities in NFC
• Java Card in banking market
• Java Card in NFC
• The Reference Platform
• Helping you address your market

reserved.
Chip Card Migration

reserved.
Chip Card Migrations
• Several countries with billions of cards
– USA, China, India
• Many more countries with very large numbers
• Migration processes are getting organized
– Contact and/or contactless?
– User authentication: PIN, signature, …
– Mix of national programs and brand-oriented programs
Huge card volumes

reserved.
Program Agenda

reserved.
NFC Deployments are Happening
• The infrastructure is getting ready
– Phones are slowly appearing
– Contactless readers are getting deployed
– TSM infrastructure is ready
• Business models are somewhat slower
– Diverging interests between stakeholders
– Some impact on the technical infrastructure
– For instance, the type of Secure Element

reserved.
NFC Secure Elements
• SIM cards with SWP
– Network operators’ preferred solution
– Everybody else is wary of it
• Embedded SE’s
– Domination of the “mobile wallet” actors
– Not well accepted by mobile operators
• SD Cards
– Used by banks in many pilots
– Can only work if it supports multiple application providers

reserved.
Payment a Key NFC Application
• Largest NFC actions focused on payment
– Isis and Google in the US
– China Union Pay in China
– Citizy and mobile operators in France
• NFC payments endorsed by all payment actors
– Visa, Union Pay, MasterCard, American Express, Discover, …

reserved.
Program Agenda

reserved.
The Java Card Promise
Java Card Platform
Pay
app
OTP
app
Loy
app
Multiple
Applications

reserved.
Java Card Platform
#1
Pay
app
OTP
app
Loy
app
Java Card Platform
#2
Pay
app
OTP
app
Loy
app
Multiple
Applications
Platform
Interoperability

reserved.
OTP
app
Loy
app
Java Card Platform
#1
Pay
app
OTP
app
Loy
app
Java Card Platform
#2
Pay
app
OTP
app
Loy
app
Java Card Platform
#3 (Certified)
Pay
app
Multiple
Applications
Platform
Interoperability
Application
Isolation

reserved.
Multi-application cards
• Several applications on a card
– Leveraging the value of the card
– Offering more services to the users
• More flexibility in the lifecycle
– Managing application(s) independently of the card
– Modifying the card after its issuance
• Separating applications from platform
– Improving card management

reserved.
Step 1: Basic Interoperability
• Use several vendors
– Applications are portable
– Reduced deployment cost
– Reduced time-to-market
Java Card Platform
(Vendor #1)
Pay
app
OTP
app
Loy
app
Java Card Platform
(Vendor #2)
Pay
app
OTP
app
Loy
app
 

reserved.
Step 2: Defining a Product Line
Java Card Platform
(Closed)
Pay app
Java Card Platform
(Open)
Pay
app
OTP
app
Loy
app
Java Card Platform
(Third-Party)
Pay
app
STK
app
SIM
app
Low-cost card
for
mass deployment
Premium card
for
key customers
Partner’s card
for
mobile payment
One application

reserved.
Certifying a Payment Card
• Attacks are becoming more sophisticated
– Power analysis attacks
– Fault induction attacks
• Countermeasures are required at application level
– Protecting key assets from attacks
• Developing an application is hard
– Better to rely on an up-to-date reference implementation
Developing the application

reserved.
New Certification Approach
• A reference implementation is provided
– Implemented all required features (properly)
– Including all required countermeasures
• Functional certification
– Platform first certified as Java Card compliant
• Security certification
– Platform countermeasures evaluated separately
• Final certification can be minimized
Splitting responsibilities

reserved.
Three-step Certification
Java Card Platform
Pay app
Java Card Platform
Pay app
Functional testing
Security analysis
TCK compliance
Security evaluation
Performance tests
Security checks

reserved.
Program Agenda

reserved.
Java Card is at the Heart of NFC
• NFC Secure Elements share some characteristics
– They host multiple applications
– Applications come from multiple providers
– The applications are known late in the process
• Java Card is a core enabler for these characteristics
– Clear isolation of applications from untrusted sources
– Possibility to load applications dynamically

reserved.
Java Card and NFC Certification
• Reference applications are becoming common
– Several key actors in the payment market
– Easiest way to deal with certification
• Also offers possibilities for non-sensitive applications
– Guidelines can be defined for these applications
– Automated tools can be used to analyze these applications
– See ongoing work in GlobalPlatform’s Card Security Workgroup

reserved.
NFC is Part of the Global Offer
• Sharing some components with other offers
– Payment applications are similar to those used on cards
• Including specific components
– Availability of User Interface can support additional applications

reserved.
Program Agenda

reserved.
The Reference Open Platform
• The most open platform
– Readily accessible to all developers
– Including JDK, Protection Profile, and more
– Freedom to extend and choose card management options
• Many vertical API’s
– ETSI and 3GPP APIs for STK, SCWS, and much more
– GlobalPlatform API’s for management, NFC, and more

reserved.
The Reference for Certification
• Common Criteria ready
– Java Card Protection Profile is freely available
– Many certifications around Java Card
• Since 2011, 6 platforms and 11 applications in France only
• The basis for private certification frameworks
– Platform security requirements from EMVCo
– NFC application security guidelines from AFSCM

reserved.
Program Agenda

reserved.
Oracle Tools
• Oracle provides tools to Java Card licensees
– Testing and Compatibility Kit (TCK)
– Trimming Tool
• Oracle provides tools to Java Card developers
– Java Card Development Kit (JCDK)
– Netbeans IDE integration
• Oracle provides tools to Java Card issuers
– Java Card Binary Verification Tool

reserved.
Licensee Tools
• Compliance testing
– Technology Compliance Kit (TCK)
– Thousands ot test cases
– Must be run successfully to be allowed to distribute product
• Platform optimization
– Trimming tool
– Determines minimum subset to run an application
– Used to build optimized (closed) implementations
Tools to build platforms

reserved.
Developer Tools
• Building and deploying applications
– Specific converter to produce CAP files
– Bytecode verifier used in deployment
– Integration in Java code production chain
• Developing applications
– Integration into Netbeans IDE
– Integrated debugging using simulator
Tools to build Java Card applications

reserved.
Issuer Tools
• Checking the full compliance of platforms
– Java Card Binary Verification Tool
– Runs the TCK on a card
– Simply answers through a “yes/no” flag
– Objective is to check the full compliance of platforms
• Checking the validity of CAP files for a platform
– Java Card Bytecode Verifier
– Delivered with the development toolkit
Tools to check Java Card platforms and applications

reserved.
Many Actors Ready to Help
• Product development
– Card vendors
– Application developers and consultants
– Security evaluation laboratories
• Product deployment
– Personalization bureaus
– Trusted Service Managers (TSM’s)
• All of this made possible by standardization
Java Card has created a full ecosystem

reserved.
Q&A

reserved.

Java Card in Banking and NFC

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (14)

Similar to Java Card in Banking and NFC

Similar to Java Card in Banking and NFC (20)

Recently uploaded

Recently uploaded (20)

Java Card in Banking and NFC