The Java Card Forum was officially founded 10 years ago (in February 1997), and its initial members were Schlumberger, Gemplus, and Bull CP8. This creation was a formal move, since the first meeting only happened 2 months later. Nevertheless, this first move started the work on Java Card in all three companies, and also showed […]
Category Archives: Java Card 2.x
Small details
Every time that a Java Card specification comes out, I like to think that it is a good specification, and in particular that it provides complete information for developers. We have tried hard, but the completeness remains hard to reach. Not that the spec is bad, which is not true. The Java Card Forum has […]
Java Card RMI is useless
When we first presented GemXpresso in 1997, it was made by a bunch of (Gemplus) researchers. We were all very happy, because it was a very nice card, and because it was very simple to program, thanks to Remote Method Invocation (RMI), which freed us from these damn APDUs. It was possible to generate automatically […]
Defensive virtual machines
The notion of a defensive virtual machine is a bit awkward. The official presentation of the Java (Card) Virtual Machine describes it as inherently secure, so the notion of defensive is a bit contradictory with this message. In fact, the notion of a defensive virtual machine is the result of a long process: Virtual machines usually present […]
Cloning e-passports
Bruce Schneier has pointed to another article on the security of e-passports. This one focuses on cloning, but contrary to a previous article, which simply mentioned that cloning was possible (which is natural, since nothing is done to avoid it), the authors now look for ways to actually exploit the cloned passports. The ideas are […]
Looking for Java Card sample applications
Google has introduced a tool to search code, which has already been exploited for a variety of good and bad things. This thing can be very useful to small communities like the Java Card community, because it can allow us to find code based on our technology on the Web. The problem is to find the […]
Status words in ISO7816
Status words are very important in the ISO7816 specification, since they are used to indicate specific conditions. The ISO7816-3 specification states the following: 60 is the NULL byte, used to get additional time. Status words starting with 6X (except 60) have a “meaning [that is] independent of the application”. Status words starting with 9X (except […]
An efficient sensitive section API
e-Smart, day 3. Benoît Gonzalvo is from Gemalto’s security group, and he also participates in the Java Card Forum’s security work. The issue is to protect against attacks (side-channel observation or fault induction) [Gon06]. The two current approaches are: Protecting the whole VM, which is secure but potentially very slow. Protecting the application code, which […]
Java Card mobile grid
e-Smart, day 2. Serge Chaumette, Damien Sauveron, and the rest of the team directed by Serge at LaBRI are the developers of the Java Card Grid. They have put together a bunch of smart card readers with cards in them, and then used that as a server for security-sensitive operations. The basic idea was very […]
Java Card in transport applications
e-Smart, day 2. François Guillaume, from RATP, presented the status of RATP’s use of Java Card for Navigo [Gui06]. Navigo is RATP’s transport smart card program. RATP has issued millions of these contactless cards. Today, Navigo is mostly used for contracts, i.e., monthly transport cards, but their objective is to use it also for individual […]