Category Archives: Java Card 2.x

Information about the current generation of Java Card. The posts could be tricks, tips, blogs, or just about anything useful about the existing Java Card specs.

Live from Cardis2010: Combined attacks on Java Card

I just made my second presentation at Cardis2010, about combined attacks on Java Card (joint work with Anthony Ferrari, now in charge of these things at Trusetd Labs). Sorry, no “public” slides this time, this is related to security evaluation. Interestingly, the current presenter is Guillaume Barbu, from Oberthur, who is presenting an interesting attack […]

Proving code correct

Most of us spent some time in school studying program proofs in a way or another. Many techniques exist, but in most cases, their most important use it to make students understand that, sometimes, a computation does not end. Proving programs is hard, but the hardness of the proof greatly depends on what you want […]

Live from #esmart: Fault attacks on Java Card 3.0

That talk, from Guillaume Barbu, an Oberthur and Telecom ParisTech Ph.D. student, really talks to me, by bringing together two of my favorite discussion topics. The main task is about combined attacks, which sounds really good. A Java Card 3.0 card has plenty of countemreasures against logical attacks Context isolation. Objects from an application can’t […]

Show or hide passwords

Bruce Schneier has written a blog about the fact that passwords should not be hidden, which has stirred quite an intense controversy (over 100 comments in a few hours). Some of the issues and solutions pointed in the comments are in fact quite interesting. Let’s make a little synthesis here.

Cloned debit cards are good for secure EMV cards

Reports about cloning debit cards have been all around, for instance here. The combination of cloning cards and making millions with a fraud scheme instantly makes smart card people happy: we told you that your magstripe cards would lead to big problems! OK. But let’s try to analyze this a bit deeper.

JC101-19C: Secure channel protocol

Starting a session Protocol For our session start, we will here use a classical architecture, but with slightly different commands. First, here is a definition of the exchanges between two actors (say, Alice and Bob) to start a secure session: Alice sends a 16-byte random number to a1 … a16 to Bob. Bob replies with […]

JC101-18C: Defining a secure channel from scratch

In the few coming posts, we will define a secure channel protocol from scratch as an example, and provide an implementation for it. This example will also be used as a way to introduce the cryptographic mechanisms that exist in Java Card. Be careful, this is not a tutorial on cryptography. I am not a […]

Live from e-Smart: Nijmegen strikes again

Wojciech Mostowski is a researcher from the Radboud University Nijmegen, and he is a frequent speaker at e-Smart. He even wa a finalist for the Java Card Forum a while ago. He has been spending years looking very closely at the Java Card specifications, trying to find issues in cards. Today, he is getting at […]

Java Card development environments

Over the past year, I have received a number of comments and messages about development environments. Readers ask me which environment I use, and which one they can use. Sadly, I don’t have a good answer for now. Actually, I hope that this post will be a bit interactive, and that some comments will bring […]

JC101-12C: Defending against attacks

UPDATED (05/06/08): Fixed problem with loops that zapped examples. UPDATED (06/06/08): Fixed some bugs. In the previous entry, we have looked at a few common attacks on smart cards. In this one, we will look at possible defenses against such attacks. Instead of applying them to our example, we will look at one simple example, […]