Reports about cloning debit cards have been all around, for instance here. The combination of cloning cards and making millions with a fraud scheme instantly makes smart card people happy: we told you that your magstripe cards would lead to big problems!
OK. But let’s try to analyze this a bit deeper.
The certification of smart cards is a recurrent issue. Most issuers have their own requirements, which can vary greatly, even in the same industry. In addition, regulators can also get involved and make additional requirements.
Let’s start with one example, the banking industry. Most issuers don’t define specifications, nor do they perform security certifications. Instead, they [...]
I strongly believe that keeping things secret is not a good idea, and that security cannot be achieved through obscurity. There are many convincing examples of this, even in the smart card industry. The infamous GSM algorithms are a perfect example: cryptography using secret algorithms is a bad idea, because the algorithms get broken.
Following this [...]
One of Bandol’s major innovations is the adoption of the servlet programming model. This can be considered as an acknowledgement by the smart card industry of the role of secure personal server for smart cards. Now, we just have to make sure that issuers share that vision.
On technical matters, we are faced with the classical [...]
In the current smart card application models, the card always acts as a server, and it responds to solicitations from the card terminal. This has many advantages: for instance, the terminal can put the card in “sleep” mode when it does not need it.
Some may say that the SIM Toolkit framework is an exception to [...]
When I am at the office, DRM is of course the way to go: whether we talk about large SIM cards, trusted mobile phones, or any other kind of secure mobile device, DRM is the killer application. It will allow content to be distributed safely, and everybody will be happy.
When I am at home, DRM [...]
Posted 26 November 2006
News
The discussions in the Java Card Forum, and between Sun and its licensees, are of course private and confidential, but there have been several presentations (including the presentation by Thierry Violleau at e-Smart [VR06]) about this topic. Everybody can therefore derive that the next release of Java Card will define a smart card as some [...]
There have been several posts on Bruce Schneier’s blog about e-passports, including a recent one. Bruce’s views are interesting, and he raises interesting issues about RFID on passports. On the other hand, the comments posted on this post and related ones show that there are lots of misunderstandings about the technology.
Of course, this is smart [...]
The JCRE specification does not describe how the exceptions thrown from the install command should be handled. The reason for this is that these exceptions are supposed to be handled by an installer application, and the JCRE specification (¶11.1.5) explicitly states:
Java Card RE implementers shall also define other behaviors of their Installer, including (…) what happens [...]