Category Archives: Open issues

Unresolved issues about the Java Card specification, for which several interpretations exist.

No memory, no chocolate!

There has been some excitement lately about the fact that more and more phones are now getting embedded SEs (eSEs) associated with an NFC interface. Some of this excitement came from the ability to manage third-party applications on this embedded SE, as enabled by a whole range of GlobalPlatform specifications, and by the emergence of […]

Open Source, GlobalPlatform, and Java Card

The two concepts of open source and smart cards have not gone well together. There are some projects about specific applications and corresponding terminal-side software, such as the Muscle project for Linux, and the JMRTD library for e-passports (if you have one that you want me to mention, let me know). However, there are really […]

Cloned debit cards are good for secure EMV cards

Reports about cloning debit cards have been all around, for instance here. The combination of cloning cards and making millions with a fraud scheme instantly makes smart card people happy: we told you that your magstripe cards would lead to big problems! OK. But let’s try to analyze this a bit deeper.

Java Card security certification

The certification of smart cards is a recurrent issue. Most issuers have their own requirements, which can vary greatly, even in the same industry. In addition, regulators can also get involved and make additional requirements. Let’s start with one example, the banking industry. Most issuers don’t define specifications, nor do they perform security certifications. Instead, […]

Open Source or Security through Obscurity?

I strongly believe that keeping things secret is not a good idea, and that security cannot be achieved through obscurity. There are many convincing examples of this, even in the smart card industry. The infamous GSM algorithms are a perfect example: cryptography using secret algorithms is a bad idea, because the algorithms get broken. Following […]

Access control for smart card Web server

One of Bandol’s major innovations is the adoption of the servlet programming model. This can be considered as an acknowledgement by the smart card industry of the secure personal server role for smart cards. Now, we just have to make sure that issuers share that vision. On technical matters, we are faced with the […]

Should a card initiate transactions?

In the current smart card application models, the card always acts as a server, and it responds to solicitations from the card terminal. This has many advantages: for instance, the terminal can put the card in “sleep” mode when it does not need it. Some may say that the SIM Toolkit framework is an exception […]

DRM: Good or Evil?

When I am at the office, DRM is of course the way to go: whether we talk about large SIM cards, trusted mobile phones, or any other kind of secure mobile device, DRM is the killer application. It will allow content to be distributed safely, and everybody will be happy. When I am at home, […]

Defining a micro-server

The discussions in the Java Card Forum, and between Sun and its licensees, are of course private and confidential, but there have been several presentations (including the presentation by Thierry Violleau at e-Smart [VR06]) about this topic. Everybody can therefore infer that the next release of Java Card will define a smart card as some […]

e-passport security

There have been several posts on Bruce Schneier’s blog about e-passports, including a recent one. Bruce’s views are interesting, and he raises interesting issues about RFID on passports. On the other hand, the comments posted on this post and related ones show that there are lots of misunderstandings about the technology. Of course, this is […]