SlideShare a Scribd company logo

Eric java card-basics-140314

Eric Vétillard, profile picture
Eric Vétillard

The document discusses the fundamentals of Java Card technology, emphasizing its role in providing secure applications on smart cards resistant to various types of attacks. It highlights the need for security awareness in application design while noting that Java Card simplifies certain aspects of security management. Additionally, it outlines the ecosystem, specifications, application models, and certification needs associated with Java Card platforms.

Technology
1 of 18
Downloaded 25 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
JAVA CARD BASICS CONCEPTS Eric Vétillard / Oracle Hong Kong/18.03.2014
WHY JAVA CARD ?
3 Java on a Smart Card Smart cards are about tamper resistance (resisting to attacks) ■ Not just attacks coming from the Web ■ Also all kinds of physical attacks ■ Observation attacks, where attackers listen to your devices ■ Fault attacks, where attackers use lasers to derail the silicon Using a smart card with a Java Card application gives you ■ A physical isolation from the client system and the Web ■ Assets remain secure even if a computer contains malware ■ Assets on the card cannot be accessed directly from internet ■ A physical protection against most direct attackers ■ Useful for end users when their card is stolen ■ Useful for application providers when the user is the attacker
4 Java Card can Protect your Credentials Your application will most likely manage some credentials ■ PIN codes or passwords ■ Cryptographic keys ■ Certificates Java Card products will protect these credentials ■ With standard procedures on all sensitive classes ■ Assets remain secure even if a computer contains malware ■ Assets on the card cannot be accessed directly from internet ■ With standard procedures such as GlobalPlatform You are only responsible for your application logic
5 How Much do you Need to Know about Security? Java Card doesn’t require any specific security skill ■ It simply defines a dialect of the Java language targeting smart cards Smart card application design requires security skills ■ What if your application returns a password as clear text? ■ Some security experience is required ■ Especially if you design your application from scratch Smart card application implementation requires security skills ■ Mostly for highly sensitive applications ■ Countermeasures for sophisticated attacks are not obvious ■ Java can even simplify some tasks, like error management with exceptions
6 What about Security Certifications? Some industries/countries require security certifications ■ In most cases, Common Criteria, FIPS 140, or proprietary schemes ■ For instance, payment, identity, government apps, etc. Security certification requires specific skills ■ Not necessarily yours, many consultants are available Java Card provides you significant help ■ Most of the difficult work is done by platform providers ■ Application developers only need to “prove” that their application is secure ■ While relying on the Java Card security mechanisms
JAVA CARD KEY FACTS
A Full Ecosystem 8 Standards Alignment • ETSI / 3GPP / GlobalPlatform… • Critical success factor for global roll-out • Globally deployed Service delivery platform • Storage and execution of several independent applications • Matured and full controlled • Applications are independent from platforms High Security Certifications • Strong community for certification • Help is easy to find if required Post-Issuance • OTA application management • Flexible application download, personalization and lifecycle management Interoperability • Easy migration from one device to another • Independence from device provider • Target platform to be selected on specific qualities (memory, security) Openness • Development open to 3rd parties • Community support (Java Card Forum) • Extendable with new technologies (NFC)
9 Target Platform The target platform is an integrated microcontroller ■ CPU + RAM + NVM + peripherals all in a single chip ■ CPU ranging from 8-bit to low-end 32-bit cores ■ Between 2KB and 32KB of RAM ■ Between 128KB and 1.5MB of Flash or EEPROM+ROM Security certification requires specific skills ■ Not necessarily yours, many consultants are available Java Card provides you significant help ■ Most of the difficult work is done by platform providers ■ Application developers only need to “prove” that their application is secure ■ While relying on the Java Card security mechanisms
A Java Card Product Java Card Core Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API Three specifications: • Java Card Runtime Environment specification • Java Card Virtual Machine specification • Java Card API specification Latest release is Java Card Classic, version 3.0.4
A Java Card Platform Operating System Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
A Java Card Platform Card Management Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
A Java Card Platform Vertical Libraries Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
A Java Card Platform Applications Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
15 Application model A smart card is an “on-demand” server ■ The server is available when the card is powered and connected ■ Multiple applications are available, selection is required ■ Request protocols are standard by ISO (ISO7816, ISO14443) Java Card simply provides a framework around this ■ Each application includes an Applet class, which defines ■ A procedure to manage its instantiation install() ■ A behavior when an application instance is selected select() ■ A behavior when an application processes a request process() ■ And a few more things, like deselection This framework is sometimes complemented by vertical frameworks ■ For instance, the SIM Application Toolkit framework for SIM cards ■ Also defines a behavior for processing specific events processToolkit()
16 Persistence Model In Java Card Classic, all data is stored in objects ■ Objects are persistent by default ■ Atomicity is guaranteed for all updates ■ Objects are kept across sessions (persistent VM) Transient objects (in RAM) are also available ■ Mostly for performance and security reasons The persistence model greatly influences programming style ■ Most objects are allocated statically during installation ■ Dynamic allocation during processing is strongly discouraged ■ There is no specific code for loading and saving data ■ All data from the application is available at all times
Application Firewall com.bank.cardapps EMVApplet OTPApplet com.localta.tkt TransportApplet
THANK YOU! Eric Vétillard Oracle eric.vetillard@oracle.com JCF contact: karen.brindley@javacardforum.org

More Related Content

PDF
Java Card, 15 years later
Eric Vétillard
 
PPT
Technical Overview of Java Card
Anshuman Sinha
 
PDF
Step-by-step Development of an Application for the Java Card Connected Platform
Eric Vétillard
 
PDF
First Steps with Java Card
Eric Vétillard
 
PDF
Java Card 2.x FAQ (2001)
Julien SIMON
 
PPT
Javacardtech
Vivek Bajpai
 
PPTX
jCardSim - development platform for Java Card Applications
Mikhail Dudarev
 
PDF
JavaCard development Quickstart
Martin Paljak
 
Java Card, 15 years later
Eric Vétillard
 
Technical Overview of Java Card
Anshuman Sinha
 
Step-by-step Development of an Application for the Java Card Connected Platform
Eric Vétillard
 
First Steps with Java Card
Eric Vétillard
 
Java Card 2.x FAQ (2001)
Julien SIMON
 
Javacardtech
Vivek Bajpai
 
jCardSim - development platform for Java Card Applications
Mikhail Dudarev
 
JavaCard development Quickstart
Martin Paljak
 

What's hot (14)

PDF
Security applications with Java Card
Julien SIMON
 
PPTX
Javacard
Samiksha90
 
PDF
jCardSim – Java Card is simple!
Mikhail Dudarev
 
PPTX
Java card
Ravi Jakashania
 
DOC
Java card
rcrahul01
 
PPT
FIPS 201 / PIV
Anshuman Sinha
 
PDF
Java Card Platform Security and Performance
Eric Vétillard
 
PPTX
Java card
Naga Dinesh
 
PDF
Java Card Technology: The Foundations of NFC
Eric Vétillard
 
PPT
Java card technology
Keerthi Thomas
 
PDF
Study of Java Card and its Application
editor1knowledgecuddle
 
PDF
Government Citizen ID using Java Card Platform
Ramesh Nagappan
 
PDF
From Bitcoin Hardware Wallets to Personal Privacy Devices
MecklerMedia
 
PDF
eSmartlock - an antipiracy dongle with integrated DRM functionalities
Yiannis Hatzopoulos
 
Security applications with Java Card
Julien SIMON
 
Javacard
Samiksha90
 
jCardSim – Java Card is simple!
Mikhail Dudarev
 
Java card
Ravi Jakashania
 
Java card
rcrahul01
 
FIPS 201 / PIV
Anshuman Sinha
 
Java Card Platform Security and Performance
Eric Vétillard
 
Java card
Naga Dinesh
 
Java Card Technology: The Foundations of NFC
Eric Vétillard
 
Java card technology
Keerthi Thomas
 
Study of Java Card and its Application
editor1knowledgecuddle
 
Government Citizen ID using Java Card Platform
Ramesh Nagappan
 
From Bitcoin Hardware Wallets to Personal Privacy Devices
MecklerMedia
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
Yiannis Hatzopoulos
 
Ad

Viewers also liked (6)

PPTX
Secure Element Solutions
Ugo Chirico
 
PPTX
IoT Security: Cases and Methods [CON5446]
Leonardo De Moura Rocha Lima
 
PDF
Secure Elements in Web Applications
Olivier Potonniée
 
PDF
IoT summit - Building flexible & secure IoT solutions
Eric Larcheveque
 
PPT
NFC Basic Concepts
Ade Okuboyejo
 
PPT
Mobile Payment fraud & risk assessment
Stefano Maria De' Rossi
 
Secure Element Solutions
Ugo Chirico
 
IoT Security: Cases and Methods [CON5446]
Leonardo De Moura Rocha Lima
 
Secure Elements in Web Applications
Olivier Potonniée
 
IoT summit - Building flexible & secure IoT solutions
Eric Larcheveque
 
NFC Basic Concepts
Ade Okuboyejo
 
Mobile Payment fraud & risk assessment
Stefano Maria De' Rossi
 
Ad

Similar to Eric java card-basics-140314 (20)

PPTX
JAVA CARD BY SAIKIRAN PANJALA
Saikiran Panjala
 
PPT
Java card technology
Keerthi Thomas
 
PPT
java-card20232024999999999999999999999999999999999999999999999999999999999999...
ouahibakellou
 
PPT
Java card technology
Amol Kamble
 
PDF
Tu dresden 290404_jcop
pri18saini
 
PDF
Java Card Security
Riscure
 
PPT
581
Akhil Kumar
 
PDF
SECURE FILE MANAGEMENT SYSTEM FOR JAVA CARDS
ijfcstjournal
 
PPTX
Smart Cards, ePassports, and open source
Martijn Oostdijk
 
PDF
Eric Vétillard's Cardis2010 Slides
evetillard
 
PDF
Java Platform Security Architecture
Ramesh Nagappan
 
PDF
JavaAndNetBeans.pdf
ArturoRosas45
 
PDF
Security in Java
Siddharth Coontoor
 
PPTX
1. Java Project Guidance for engineering
vyshukodumuri
 
PDF
verification_slides
Alessio Parzian
 
PPTX
Introduction to Java Programming- Java Programming Tutorials for beginners
BINJAD1
 
ODP
Open Source and java
Dwarakanath Jagadeesan
 
ODP
S L S
Dwarakanath Jagadeesan
 
PPTX
best java training institute in Chandigarh ppt
vanshikashr2324
 
PPT
J2ee strutswithhibernate-140121221332-phpapp01
Jay Palit
 
JAVA CARD BY SAIKIRAN PANJALA
Saikiran Panjala
 
Java card technology
Keerthi Thomas
 
java-card20232024999999999999999999999999999999999999999999999999999999999999...
ouahibakellou
 
Java card technology
Amol Kamble
 
Tu dresden 290404_jcop
pri18saini
 
Java Card Security
Riscure
 
581
Akhil Kumar
 
SECURE FILE MANAGEMENT SYSTEM FOR JAVA CARDS
ijfcstjournal
 
Smart Cards, ePassports, and open source
Martijn Oostdijk
 
Eric Vétillard's Cardis2010 Slides
evetillard
 
Java Platform Security Architecture
Ramesh Nagappan
 
JavaAndNetBeans.pdf
ArturoRosas45
 
Security in Java
Siddharth Coontoor
 
1. Java Project Guidance for engineering
vyshukodumuri
 
verification_slides
Alessio Parzian
 
Introduction to Java Programming- Java Programming Tutorials for beginners
BINJAD1
 
Open Source and java
Dwarakanath Jagadeesan
 
S L S
Dwarakanath Jagadeesan
 
best java training institute in Chandigarh ppt
vanshikashr2324
 
J2ee strutswithhibernate-140121221332-phpapp01
Jay Palit
 

Recently uploaded (20)

PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Cloud computing and distributed systems.
kkkkkhan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Approach and Philosophy of On baking technology
30anthuong17
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 

Eric java card-basics-140314

  • 1. JAVA CARD BASICS CONCEPTS Eric Vétillard / Oracle Hong Kong/18.03.2014
  • 3. 3 Java on a Smart Card Smart cards are about tamper resistance (resisting to attacks) ■ Not just attacks coming from the Web ■ Also all kinds of physical attacks ■ Observation attacks, where attackers listen to your devices ■ Fault attacks, where attackers use lasers to derail the silicon Using a smart card with a Java Card application gives you ■ A physical isolation from the client system and the Web ■ Assets remain secure even if a computer contains malware ■ Assets on the card cannot be accessed directly from internet ■ A physical protection against most direct attackers ■ Useful for end users when their card is stolen ■ Useful for application providers when the user is the attacker
  • 4. 4 Java Card can Protect your Credentials Your application will most likely manage some credentials ■ PIN codes or passwords ■ Cryptographic keys ■ Certificates Java Card products will protect these credentials ■ With standard procedures on all sensitive classes ■ Assets remain secure even if a computer contains malware ■ Assets on the card cannot be accessed directly from internet ■ With standard procedures such as GlobalPlatform You are only responsible for your application logic
  • 5. 5 How Much do you Need to Know about Security? Java Card doesn’t require any specific security skill ■ It simply defines a dialect of the Java language targeting smart cards Smart card application design requires security skills ■ What if your application returns a password as clear text? ■ Some security experience is required ■ Especially if you design your application from scratch Smart card application implementation requires security skills ■ Mostly for highly sensitive applications ■ Countermeasures for sophisticated attacks are not obvious ■ Java can even simplify some tasks, like error management with exceptions
  • 6. 6 What about Security Certifications? Some industries/countries require security certifications ■ In most cases, Common Criteria, FIPS 140, or proprietary schemes ■ For instance, payment, identity, government apps, etc. Security certification requires specific skills ■ Not necessarily yours, many consultants are available Java Card provides you significant help ■ Most of the difficult work is done by platform providers ■ Application developers only need to “prove” that their application is secure ■ While relying on the Java Card security mechanisms
  • 8. A Full Ecosystem 8 Standards Alignment • ETSI / 3GPP / GlobalPlatform… • Critical success factor for global roll-out • Globally deployed Service delivery platform • Storage and execution of several independent applications • Matured and full controlled • Applications are independent from platforms High Security Certifications • Strong community for certification • Help is easy to find if required Post-Issuance • OTA application management • Flexible application download, personalization and lifecycle management Interoperability • Easy migration from one device to another • Independence from device provider • Target platform to be selected on specific qualities (memory, security) Openness • Development open to 3rd parties • Community support (Java Card Forum) • Extendable with new technologies (NFC)
  • 9. 9 Target Platform The target platform is an integrated microcontroller ■ CPU + RAM + NVM + peripherals all in a single chip ■ CPU ranging from 8-bit to low-end 32-bit cores ■ Between 2KB and 32KB of RAM ■ Between 128KB and 1.5MB of Flash or EEPROM+ROM Security certification requires specific skills ■ Not necessarily yours, many consultants are available Java Card provides you significant help ■ Most of the difficult work is done by platform providers ■ Application developers only need to “prove” that their application is secure ■ While relying on the Java Card security mechanisms
  • 10. A Java Card Product Java Card Core Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API Three specifications: • Java Card Runtime Environment specification • Java Card Virtual Machine specification • Java Card API specification Latest release is Java Card Classic, version 3.0.4
  • 11. A Java Card Platform Operating System Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  • 12. A Java Card Platform Card Management Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  • 13. A Java Card Platform Vertical Libraries Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  • 14. A Java Card Platform Applications Native Platform JCRE VM Applet Applet Applet Applet Library Applet Library Card Management (GlobalPlatform) API
  • 15. 15 Application model A smart card is an “on-demand” server ■ The server is available when the card is powered and connected ■ Multiple applications are available, selection is required ■ Request protocols are standard by ISO (ISO7816, ISO14443) Java Card simply provides a framework around this ■ Each application includes an Applet class, which defines ■ A procedure to manage its instantiation install() ■ A behavior when an application instance is selected select() ■ A behavior when an application processes a request process() ■ And a few more things, like deselection This framework is sometimes complemented by vertical frameworks ■ For instance, the SIM Application Toolkit framework for SIM cards ■ Also defines a behavior for processing specific events processToolkit()
  • 16. 16 Persistence Model In Java Card Classic, all data is stored in objects ■ Objects are persistent by default ■ Atomicity is guaranteed for all updates ■ Objects are kept across sessions (persistent VM) Transient objects (in RAM) are also available ■ Mostly for performance and security reasons The persistence model greatly influences programming style ■ Most objects are allocated statically during installation ■ Dynamic allocation during processing is strongly discouraged ■ There is no specific code for loading and saving data ■ All data from the application is available at all times
  • 18. THANK YOU! Eric Vétillard Oracle eric.vetillard@oracle.com JCF contact: karen.brindley@javacardforum.org