There have been several mentions in articles and comments about .NET smart cards and about Multos. It seems that comparisons between these systems are often expected. The latest request is for a comparison between Java Card and .NET. I will start with the cruel part: As of today, no open smart card technology compares to […]
Category Archives: Discussions
Open Source or Security through Obscurity ?
I strongly believe that keeping things secret is not a good idea, and that security cannot be achieved through obscurity. There are many convincing examples of this, even in the smart card industry. The infamous GSM algorithms are a perfect example: cryptography using secret algorithms is a bad idea, because the algorithms get broken. Following […]
Access control for smart card Web server
One of Bandol’s major innovations is the adoption of the servlet programming model. This can be considered as an acknowledgement by the smart card industry of the role of secure personal server for smart cards. Now, we just have to make sure that issuers share that vision. On technical matters, we are faced with the […]
DRM and Java Card
The DRM world, at least its music part, is shaking on its foundations with today’s memo from Steve Jobs. In it, Jobs argues that music sold on the Internet should be DRM-free, and his main argument is interesting: record companies are selling 90% of their music on DRM-free CDs, so why bother protecting the rest? […]
Java Card RMI is useless
When we first presented GemXpresso in 1997, it was made by a bunch of (Gemplus) researchers. We were all very happy, because it was a very nice card, and because it was very simple to program, thanks to Remote Method Invocation (RMI), which freed us from these damn APDUs. It was possible to generate automatically […]
Should a card initiate transactions ?
In the current smart card application models, the card always acts as a server, and it responds to solicitations from the card terminal. This has many advantages: for instance, the terminal can put the card in “sleep” mode when it does not need it. Some may say that the SIM Toolkit framework is an exception […]
DRM: Good or Evil ?
When I am at the office, DRM is of course the way to go: whether we talk about large SIM cards, trusted mobile phones, or any other kind of secure mobile device, DRM is the killer application. It will allow content to be distributed safely, and everybody will be happy. When I am at home, […]
About security in evaluations
A few days ago, the final verdict was published in the trial following a plane crash that killed 87 people in 1992. Nobody was condemned in the end, as the judge estimated that they had not committed any legal fault. However, an article in today’s “Le Monde” (in French) debates the very usefulness of such trials. […]
There could be millions of Java Card applications
The Java Card platform is the most widely used application platform in the world, with around 2 billion cards deployed. However, it remains very different from the other platforms such as Windows or even MIDP. However, for interoperability reasons, most applications are heavily standardized (for instance in the banking and identity markets), which reduces even […]
Smart card security requirements are too high
As a security evaluator, I often hear vendors complaining that the security requirements are too high, and that they cost them a lot for nothing. These complaints are easy to dismiss on the grounds that they apply equally to all vendors, but there are other consequences, which are more difficult to dismiss: Issuers with higher […]