Category Archives: Tutorial

Another tutorial on Java Card, hopefully with a personal touch about security and a few practical things.

JC101-17C: Communication Security Rationale

Foreword: If you have been following the tutorial, you may have noticed that the last post was numbered 13. There are therefore 3 missing posts. Like post 13, they should be dedicated to testing techniques (building a test plan, writing tests, etc.). However, writing tests without using proprietary tools is not as easy as I […]

JC101-13C: Testing Java Card applications

My first intention was to continue on my security tutorial, by showing how we can include countermeasures in the password manager. However, since then, my colleagues tried to use this application in a training session, and I had to face a hard truth: my programs are buggy. Some of their bugs are not even subtle; […]

JC101-12C: Defending against attacks

UPDATED (05/06/08): Fixed problem with loops that zapped examples. UPDATED (06/06/08): Fixed some bugs. In the previous entry, we looked at a few common attacks on smart cards. In this one, we will look at possible defenses against such attacks. Instead of applying them to our example, we will look at one simple example, […]

JC101-11C: Attacks on smart cards

Even without Java Card 3, there are many similarities between smart cards and web servers: They both receive requests of unknown origin and process them. They both manage potentially sensitive data that they need to protect. Of course, the exact attacks are different. Cross-site scripting is not really a smart card threat, but the countermeasure […]

JC101-10C: Adding a password and state management

In the last tutorial entry, we saw in theory how it is possible to add a password and to manage an application’s state. In the present entry, we will actually add support for a password in the application. This support will be provided using the OwnerPIN class, which goes beyond simple PIN codes, and […]

JC101-9C: Authentication and lifecycle

We have now reached the point where we have a fully functional password manager, which is able to store login information. However, this application is not complete, since it does not include any protection of these sensitive assets. Anybody who is able to select the application and who knows the application’s protocol will be able […]

JC101-8C: Processing APDU’s (2/2)

In the previous tutorial entry, we looked at APDU processing, with an initial focus on processing a first command with incoming data. Here we will look at the next commands, focusing on the ones that return data.

JC101-7C: Processing APDU’s (1/2)

In the last post, we defined a specification for an APDU-based application. It is now time to implement this application, i.e., to start processing a few APDU’s. We’ll do that in the style that characterizes this tutorial, which is a mix of simple code with a few basic optimizations.

JC101-6C: Specifying the APDU’s

In our previous posts, we wrote a class that is able to manage login information as password entries. This time, we will look at our application’s user interface. Well, "user interface" may be a bit of an overstatement, since we will simply be defining a way to exchange information between the card and a terminal to […]

JC101-5C: Data management and transactions

The Java Card framework is very limited, and it does not include any container classes. A simple way to organize data is to use linked lists. This is a classic structure, so we will use this opportunity to discuss the way in which Java Card manages the atomicity of updates.