Bytecode verification has been an interesting debate since the very beginning of Java Card. Back then, in 1997, Java was very much about Java applets, and the bytecode verifier was the essential piece of software that allowed untrusted code to run in a browser efficiently (i.e., without doing expensive runtime checks, and without having to …
This summer was very interesting for new attacks. There are two that I really liked, for very different reasons. They are also both attacks on PIN codes, yet they are quite different. The first one is an attack on ATMs, with a thermal camera, hoping that your fingers stay on the keys long enough to …
The French government has recently published a law, and some details of the application degree have led to strong reactions from the industry, including a suit by the French association of social online services. The suit is about a recent law that forces sites to retain a lot of information about their users, and to …
I was not at e-Smart this year, but here are some early reports from colleagues who attended the sessions. Over the coming days, I will comment on a few selected presentations. First, one of my favorite topics, which was covered Friday morning: attacks on the Java Card platform. There were two presentations this morning on …
At midday, it is time for a little break in my smart card day, and go listen to an Oracle OpenWorld session. I might as well leverage today’s professional look to blend better into OOW’s suit-dominated crowds. The funny thing is that every OOW session I have seen ended up turning into a blatent advertising …
The next talk was about Identity for Services in the Cloud, by Jiandong Guo and Symon Chang. Their focus was to promote their favorite solution, which has been around for a while, and whose objective is to clearly separate authentication from authorization using standards. Their scheme is quite classical: The client gets a SAML token …
This session is about selling security internally. This was my first session from Oracle OpenWorld, by Oracle people, and I expected it to be from the database’s point of view. It was true, but the part I liked most was in fact from a business guy, with no relationship to databases. The database view was …
UPDATED ON 04/06/10: Additional comments about security requirements Securing Web servers is hard work, as OWASP periodically reminds us. Of course, this applies to smart card web servers, regardless of the underlying technology. I received a comment from someone who noticed that some of the Java Card 3.0 Connected sample applications have really bad security. …
Smart card security doesn’t often get on traditional media, so we can all (at least, the French-spaking ones) be happy that France Culture will spend an hour discussing the security of payment cards, trying to provide an answer to the question “Comment améliorer la sécurité des cartes bancaires?“. Among the speakers, we will have Jean-Louis …
I just made my second presentation at Cardis2010, about combined attacks on Java Card (joint work with Anthony Ferrari, now in charge of these things at Trusetd Labs). Sorry, no “public” slides this time, this is related to security evaluation. Interestingly, the current presenter is Guillaume Barbu, from Oberthur, who is presenting an interesting attack …
