I just made my second presentation at Cardis2010, about combined attacks on Java Card (joint work with Anthony Ferrari, now in charge of these things at Trusetd Labs). Sorry, no “public” slides this time, this is related to security evaluation. Interestingly, the current presenter is Guillaume Barbu, from Oberthur, who is presenting an interesting attack […]
Category Archives: Java Card 2.x
Most of us spent some time in school studying program proofs in a way or another. Many techniques exist, but in most cases, their most important use it to make students understand that, sometimes, a computation does not end. Proving programs is hard, but the hardness of the proof greatly depends on what you want […]
That talk, from Guillaume Barbu, an Oberthur and Telecom ParisTech Ph.D. student, really talks to me, by bringing together two of my favorite discussion topics. The main task is about combined attacks, which sounds really good. A Java Card 3.0 card has plenty of countemreasures against logical attacks Context isolation. Objects from an application can’t […]
Bruce Schneier has written a blog about the fact that passwords should not be hidden, which has stirred quite an intense controversy (over 100 comments in a few hours). Some of the issues and solutions pointed in the comments are in fact quite interesting. Let’s make a little synthesis here.
Reports about cloning debit cards have been all around, for instance here. The combination of cloning cards and making millions with a fraud scheme instantly makes smart card people happy: we told you that your magstripe cards would lead to big problems! OK. But let’s try to analyze this a bit deeper.
Starting a session Protocol For our session start, we will here use a classical architecture, but with slightly different commands. First, here is a definition of the exchanges between two actors (say, Alice and Bob) to start a secure session: Alice sends a 16-byte random number to a1 … a16 to Bob. Bob replies with […]
In the few coming posts, we will define a secure channel protocol from scratch as an example, and provide an implementation for it. This example will also be used as a way to introduce the cryptographic mechanisms that exist in Java Card. Be careful, this is not a tutorial on cryptography. I am not a […]
Wojciech Mostowski is a researcher from the Radboud University Nijmegen, and he is a frequent speaker at e-Smart. He even wa a finalist for the Java Card Forum a while ago. He has been spending years looking very closely at the Java Card specifications, trying to find issues in cards. Today, he is getting at […]
Over the past year, I have received a number of comments and messages about development environments. Readers ask me which environment I use, and which one they can use. Sadly, I don’t have a good answer for now. Actually, I hope that this post will be a bit interactive, and that some comments will bring […]
UPDATED (05/06/08): Fixed problem with loops that zapped examples. UPDATED (06/06/08): Fixed some bugs. In the previous entry, we have looked at a few common attacks on smart cards. In this one, we will look at possible defenses against such attacks. Instead of applying them to our example, we will look at one simple example, […]