[Corrected April 9, 2009: more mentions of Classic, added a conclusion]
You have been warned in the previous posts. The Connected Edition of Java Card 3.0 is very different from Java Card 2.x. But, how exactly are these two versions different? Well, there are differences at all levels, from the virtual machine to the application model [...]
Continuing our secure channel example, we will next define a secure channel API, and provide a small example based on this API.
Beware! As mentioned before, this is only an example, not intended for real use. In addition, the code has not been actually tested so far …
Posted 23 March 2009
Tagged: Tutorial
After a month of silence, just a quick post to restart the tutorial thing, about the two editions of Java Card 3.0.
Two editions
As mentioned earlier, Java Card 2.x represents 5 billion cards today, and over a billion are issued each year. This represents a very significant part of the smart card business in volume, and [...]
Starting a session
Protocol
For our session start, we will here use a classical architecture, but with slightly different commands. First, here is a definition of the exchanges between two actors (say, Alice and Bob) to start a secure session:
Alice sends a 16-byte random number a1 … a16 to Bob.
Bob replies with his own 16-byte random [...]
In the few coming posts, we will define a secure channel protocol from scratch as an example, and provide an implementation for it. This example will also be used as a way to introduce the cryptographic mechanisms that exist in Java Card.
Be careful, this is not a tutorial on cryptography. I am not a cryptography [...]
I have recently commented on the fact that parts of the Multos specification have not evolved since August 1997. Java Card was then at its 1.0 version, and in 10 years, has known 3 major releases: 2.0 introduced the new framework, 2.1 made it mature by defining binary-level interoperability, and 2.2 added a few missing [...]
Foreword: The JC101 tutorial about Java Card 2 is getting closer to the end, now dealing with the subtleties of cryptography, testing, and other difficult tasks. As progress may slow to a crawl, it is time to start discussing the technology that actually started this blog, Java Card 3.
– o –
Your first program
If you are [...]
Foreword: If you have been following the tutorial, you may have noticed that the last post was numbered 13. There are therefore 3 missing posts. Like post 13, they should be dedicated to testing techniques (building a test plan, writing tests, etc.). However, writing tests without using proprietary tools is not as easy as I [...]
My first intention was to continue on my security tutorial, by showing how we can include countermeasures in the password manager. However, since then, my colleagues tried to use this application in a training session, and I had to face a hard truth: my programs are buggy. Some of their bugs are not even subtle; [...]
Posted 30 June 2008
UPDATED (05/06/08): Fixed problem with loops that zapped examples.
UPDATED (06/06/08): Fixed some bugs.
In the previous entry, we have looked at a few common attacks on smart cards. In this one, we will look at possible defenses against such attacks. Instead of applying them to our example, we will look at one simple example, of which [...]