A significant part of my job is to evaluate the security of smart cards, in particular in the banking sector. The level of security achieved in today’s cards is definitely quite good, and getting a PIN out of a banking smart card remains a very difficult task. Nevertheless, the latest paper of Cambridge’s research lab …
The Java Card Forum was officially founded 10 years ago (in February 1997), and its initial members were Schlumberger, Gemplus, and Bull CP8. This creation was a formal move, since the first meeting only happened 2 months later. Nevertheless, this first move started the work on Java Card in all three companies, and also showed …
Every time a Java Card specification comes out, I like to think that it is a good specification, and in particular that it provides complete information for developers. We have tried hard, but completeness remains hard to reach. Not that the spec is bad; that is not the case. The Java Card Forum has …
When we first presented GemXpresso in 1997, it was made by a bunch of (Gemplus) researchers. We were all very happy, because it was a very nice card, and because it was very simple to program, thanks to Remote Method Invocation (RMI), which freed us from those damn APDUs. It was possible to generate automatically …
The notion of a defensive virtual machine is a bit awkward. The official presentation of the Java (Card) Virtual Machine describes it as inherently secure, so the notion of defensive somewhat contradicts this message. In fact, the notion of a defensive virtual machine is the result of a long process: Virtual machines usually present …
Bruce Schneier has pointed to another article on the security of e-passports. This one focuses on cloning, but contrary to a previous article, which simply mentioned that cloning was possible (which is natural, since nothing is done to avoid it), the authors now look for ways to actually exploit the cloned passports. The ideas are …
Google has introduced a tool to search code, which has already been exploited for a variety of good and bad things. This tool can be very useful to small communities like the Java Card community, because it can allow us to find code based on our technology on the Web. The problem is to find the …
Status words are very important in the ISO7816 specification, since they are used to indicate specific conditions. The ISO7816-3 specification states the following: 60 is the NULL byte, used to get additional time. Status words starting with 6X (except 60) have a “meaning [that is] independent of the application”. Status words starting with 9X (except …
e-Smart, day 3. Benoît Gonzalvo is from Gemalto’s security group, and he also participates in the Java Card Forum’s security work. The issue is to protect against attacks (side-channel observation or fault induction) [Gon06]. The two current approaches are: Protecting the whole VM, which is secure but potentially very slow. Protecting the application code, which …
e-Smart, day 2. Serge Chaumette, Damien Sauveron, and the rest of the team directed by Serge at LaBRI are the developers of the Java Card Grid. They have put together a bunch of smart card readers with cards in them, and then used that as a server for security-sensitive operations. The basic idea was very …