SlideShare uma empresa Scribd logo
1 de 45
Baixar para ler offline
The key to an open world
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3
Security applications
with Java Card
SAR 2003, Nancy
Julien SIMON
j.simon@oberthurcs.com
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Outline
1. Introduction
2. Java Card overview
3. WAP security
4. IP security
5. 802.11 security
6. Q&A
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Introduction
Oberthur Card Systems
§  No. 1 supplier of MasterCard
and Visa payment cards
worldwide.
§  No. 3 supplier of 2G/3G cards
worldwide.
§  First to apply Java technology
to the SIM card (1998).
§  Please refer to
www.oberthurcs.com for more
information.
Speaker
§  3 years at OCS R&D.
§  Mobile Communications
Development Manager.
§  In a previous life, lots of time
spent in TCP/IP and kernel
code (Mach / Chorus / *nix) :
hence, a strong interest in
computer (in)security…
The key to an open world
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3
Java Card overview
Architecture
Language, VM, API
Security applications with Java Card
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Java Card
§  Software standard initiated by Sun Microsystems in October 1996.
§  JC is now maintained by the Java Card Forum.
§  JC defines an environment allowing Java applications to to run on a
microprocessor smartcard : Java Card Runtime Environment (JCRE) :
§  Java Card is nice because :
s It allows faster and easier development than native code.
s It has all the benefits of OOD / OOP.
s It is portable at source and binary level.
s It allows applications to be loaded after the smartcard has been issued.
§  A well-designed Java Card is a very safe foundation :
s  Common Criteria EAL 4+ evaluation obtained by OCS in 2002.
s  State-of-the art cryptography, protected against SPA/DPA/DFA attacks.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Java Card Runtime Environment
§ The JCRE includes :
s The Java Card Virtual Machine,
s The Java Card API,
s A basic application installer.
§ It’s implemented in ROM by the smartcard issuer.
§ Its behavior is defined by the Java Card Runtime
Environment Specification.
§ Versions :
s 2.1 (May 2000).
s 2.2 (May 2002).
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Java Card architecture
Hardware Abstraction Layer
Java Card
Virtual Machine
Java Card
API
Other API
(GSM, etc)
JCRE
Applet 1 Applet 2 Applet 3
Microcontroller
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Language
§ JC supports most features of the Java language :
s Packages,
s Dynamic object creation (new),
s Virtual methods, Inheritance, Interfaces,
s Exceptions,
s Etc.
§ The following types are not supported
s char,
s long, float and double,
s Multi-dimensional arrays.
§ The int type is optional.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Java Card Virtual Machine
§ The JCVM has a classic architecture :
s It runs bytecode on an operand stack.
s JC bytecode is a subset of Java bytecode
s E.g. no int related bytecode : iload, istore, etc.
§ Compared to the JVM, the JCVM is very simplified :
s No on-demand class loading : all required classes must present on the card.
s No threads, etc.
§ The JVCM also has specific features (transactions,
inter-applet communication).
§ The behavior of the JCVM is defined by the
Java Card Virtual Machine Specification.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Java Card 2.1 API
§  The JC 2.1 API includes four packages, defined by the
Java Card 2.1 Application Programming Interfaces
Specification.
§  java.lang : minimal Java classes.
§  javacard.framework : smartcard-related classes
s  Communication with the terminal, PIN handling, etc.
§  javacard.security & javacardx.crypto : security classes.
s  Keys : DES, 3DES, RSA et DSA.
s  Crypto objects : KeyPair, MessageDigest, Cipher and Signature.
§  Java Card 2.2 adds Java Card RMI, AES, ECC, garbage
collection, etc.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Java Card references
§ Java Card
s Specs & JCDK : http://java.sun.com/javacard/
s Java Card Forum : http://www.javacardforum.org/
s « Java Card Technology For Smart Cards » , Addison-Wesley,
2000.
§ Cryptography
s RSA Labs : http://www.rsalabs.com/
s « Cryptographie appliquée » (2ème édition), Bruce Schneier.
s « Handbook of Applied Cryptography »
http://www.cacr.math.uwaterloo.ca/hac/
The key to an open world
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3
WAP security
WAP overview
Wireless Identity Module (WIM)
Smartcard WAP browsers
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Wireless Application Protocol
§  WAP 1.0 was released in 1998 and evolved into 1.3.
§  WAP 1.x doesn’t support standard Internet protocols
and languages : a WAP gateway is required.
WAE: Application Environment
WSP: Session Protocol
WTP: Transaction Protocol
WTLS: Transaction Layer Security
WDP: Datagram Protocol
HTTP: Hyper Text Transfer Protocol
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
IP: Internet Protocol
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
WAP architecture
WAP Gateway
Page encoder
Page
converter
Protocol Adapters
HTTP
Web Server
Content
CGI
Scripts
etc.
HTMLpages
WMLpages
WML = Wireless Markup Language
HTML = Hyper Text Markup Language
CGI = Common Gateway Interface
ME = Mobile Equipment
HTTP = Hyper Text Transfer Protocol
WSP = Wireless Session Protocol
WTP = Wireless Transaction Protocol
ME
WAP
browser
WSP/WTPConfig.
files
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Wireless Identity Module
§  WAP communication is secured by the Wireless
Transaction Layer Protocol (WTLS), which is “equivalent”
to SSL.
§  WTLS relies on the Wireless Identity Module (WIM) to
perform secure operations, such as :
s  Verification primitives (PIN operations).
s  Data Access primitives (Key/certificate storage in PKCS #15 files)
s  Cryptography primitives : Compute Digital Signature, Verify Signature, Hash,
Decipher and various key primitives used to setup a WTLS session (Diffie-
Hellman, etc).
§  The WAP browser also needs the WIM to perform the
signText operation (application-level signature).
§  The WIM can be implemented as a Java Card applet.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
WAP (in)security
WML/HTML
Web server
WML/HTML Bytecode
SSL
TCP WDP
GSM networkInternet
WTLS
There is no end-to-end security, because of the WTLS/SSL gateway.
This is the infamous “WAP gap” problem.
WAP 2.0 solves this by using standard Internet protocols (TLS).
N
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
End-to-end security
WML/HTML
Web server
WML/HTML Bytecode
TCP/IP 03.48
GSM networkInternet
Data is protected by the application,
i.e. the bytecode is encrypted/decrypted by the WAP browser
running on the (U)SIM card.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
WAP with a smartcard browser
SMS-C
MESIM
WAP
Browser
Config.
files
OTA
server
WAP
gatewayProactive
commands
03.40 / 03.48 transport
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Plug-in architecture
§ The core browser can be extended using plug-ins.
§ A plug-in is a normal SIM Toolkit applet.
s It extends the WIB by adding new features :
l  Data storage,
l  Cryptography : the WAP gap must be closed !
s It may be installed at personalization time.
s Plug-ins are usually small enough to be installed OTA.
§ Applet communication is possible with Java Card :
s A plug-in registers to the WIB using a Shareable interface.
s When the WIB receives the Plug-In command, it invokes the plug-in using
another Shareable interface.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
PKI plug-ins
§ A smartcard browser usually supports several Public
Key Infrastructure (PKI) plug-ins.
§ Decryption : Asymmetric Decryption (AD)
§ Digital signature (text) : PKCS#1 (P1)
§ Digital signature with time stamp (text) : PKCS#7 (P7)
§ Digital signature and non-repudiation (data) :
Fingerprint (FP)
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
A Band Of Browsers
§  SmartTrust Wireless Internet Browser (WIB)
§  SIM Alliance S@T browser.
§  3GPP USAT Interpreter :
s 21.112 & 31.11{2,3,4} Release 5 & 6 : architecture, protocol, core browser.
s 31.113 Release 6 : plug-ins.
§  These browsers all support the WML standard (or at least a
large subset of it) as well as proprietary extensions (S@TML,
SmartTrust WML, etc). This is similar to the Netscape/IE
situation.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
WAP references
§ USAT Interpreter – http://www.3GPP.org/
§ SIM Alliance – http://www.SIMAlliance.org
§ SmartTrust – http://www.SmartTrust.com
§ PKCS – http://www.RSALabs.com
§ WAP – http://www.OpenMobileAlliance.com/
§ World Wide Web Consortium – http://www.w3.org/
The key to an open world
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3
IP Security
IP in mobile networks
Internet Key Exchange
Diffie-Hellman with Java Card
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
IP in mobile networks
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
IPsec and smartcards
IPsec tunnel
TCP = Transmission Control Protocol
HTTP = Hyper Text Transfer Protocol
Internet
apps TCP / HTTP
Private network
IPsec
IKE setup
IPsec
processing
Untrusted network
Host
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Internet Key Exchange
IKE defines two phases :
1.  Creation of a secure channel between the IKE peers.
a. Negotiation of the IKE Security Association : encryption algorithm, hash function,
authentication method (pre-shared keys, RSA), Diffie-Hellman group.
b. Generation of shared secrets with a Diffie-Hellman exchange.
c. Mutual authentication and establishment of the secure IKE channel.
2.  Creation of the IPsec security association.
a. Using the secure IKE channel, negotiation of the IPsec Security Association : SPI,
IPsec transform.
b. Generation of the required keys either by deriving the Phase 1 secret, or by
performing another Diffie-Hellman exchange.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Diffie-Hellman for mathematicians
§  Diffie-Hellman (1976) is a widespread protocol for shared secret establishment.
§  P and α are two public numbers : α<P, P prime.
Send αa mod P
Send αb mod P
Compute
(αa mod P)b mod P.
Pick b random.
Compute αb mod P.
Compute
(αb mod P)a mod P.
Pick a random.
Compute αa mod P.
Alice Bob
Receive αb mod P.
Receive αa mod P.
Shared secrets are derived from (αab mod P) mod P
(αb mod P)a mod P
= (αa mod P)b mod P
= (αab mod P) mod P
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Diffie-Hellman for the layman
§  DH may be implemented primitives from public key systems based on
exponentiation (RSA, DSA) or elliptic curves (ECDSA).
§  DH is vulnerable to the man-in-the-middle attack, so each peer should use
a certificate to authenticate the other peer.
Ca = ENCRYPT(α, Ka)
Cb = ENCRYPT(α, Kb)Cipher Cb with Ka.
Pick a random.
Build key Ka:
exp = a,mod = P.
Cipher α with Ka.
Alice Bob
Pick b random.
Build key Kb:
exp = b,mod = P.
Cipher α with Kb
Cipher Ca with Kb.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Diffie-Hellman with Java Card
§ JC 2.1 supports RSA, so DH can be implemented.
§ JC 2.2 introduces javacard.security.KeyAgreement,
which is the base class for key agreement algorithms
like DH.
s At this point, the KeyAgreement API only supports ECC keys.
s Main operation : generation of a shared secret using the caller’s Private
Key and public data received from the peer.
s public abstract short generateSecret(
byte[] publicData, short publicOffset,short publicLength,
byte[] secret, byte[] secretOffset)
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
IPsec references
§  RFC 2401 – Security Architecture For The Internet Protocol.
§  RFC 2402 – IP Authentication Header.
§  RFC 2406 – IP Encapsulating Security Payload.
§  RFC 2407 – The Internet IP Security Domain of Interpretation for
ISAKMP.
§  RFC 2408 – Internet Security Association and Key Management
Protocol.
§  RFC 2409 – The Internet Key Exchange.
§  RFC 2631 – Diffie-Hellman Key Agreement Method.
The key to an open world
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3
Wi-Fi
802.11 weaknesses
Improvements to 802.11 security
Implementing 802.11 security on a (U)SIM smartcard
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
802.11 (in)security
§ 802.11 security has been cracked.
§ A new protocol is introduced to support client
authentication and distribution of session keys :
the Extensible Authentication Protocol (EAP).
§ EAP is a generic transport protocol for a large
number of authentication and key distribution
methods.
§ EAP can be integrated into PPP [RFC2284] or 802.2
[802.1X].
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Improving 802.11 security
§  Wi-Fi Protected Access (WPA) is a short-term solution
(available now).
s  Authentication : 802.1X provides transport for EAP over LANs (EAPoL).
s  Encryption : the Temporal Key Integrity Protocol (TKIP) is based on RC-4 and
uses 128-bit keys which are recycled every 10,000 packets.
§  802.11i will be the long-term standard.
s  Authentication : 802.11i will maintain compatibility with WPA and building on
802.1x.
s  Encryption : 802.11i will introduce new authentication and confidentiality
protocols based on the Advanced Encryption Standard (AES) :
l  Counter CBC Mode Protocol (CCMP).
l  Wireless Robust Authenticated Protocol (WRAP).
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
802.11i security
Wireless client
EAPoL
Wired networkWireless network
Authentication
methods
Applications
TCP-IP
802.11
802.1x
CCMP
How safe are the keys ? How good is the crypto ?
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Better 802.11 security
Wired network
JCRE
EAP
applet
EAP on
ISO7816
Wireless client
EAPoL
A smartcard and an authentication server.
We’ve seen this before, haven’t we ?
Applications
TCP-IP
802.11
802.1x
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
EAP methods
§  EAP is a generic protocol : it relies on a variety of methods for
authentication and key generation.
§  The following methods could be implemented on a smartcard
to provide mutual authentication and key generation :
1.  EAP-TLS [RFC2716] : Transaction Layer Security [RFC2246].
2.  EAP-SIM (IETF draft) : 2G authentication algorithms.
3.  EAP-AKA (IETF draft) : 3G authentication algorithms.
s  EAP-SIM and EAP-AKA will be part of 3GPP {2,3}3.234
Release 6.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
EAP commands
§  Four packet types : Request, Response, Success, Failure.
§  Request (authenticator èpeer)
a.  Identity : query the identity of the peer.
b. Notification : send a displayable message to the peer (password expiration, etc).
c.  TLS / SIM / AKA : set the authentication method and data.
§  Response (peer è authenticator)
a.  Identity : send a peer identity to the authenticator.
b. Notification: acknowledge message.
c.  TLS / SIM / AKA : send authentication value.
d. NAK: decline authentication method and propose another one.
§  Success (authenticator èpeer) : authentication has succeeded.
§  Failure (authenticator èpeer) : authentication has failed.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
EAP & 3GPP
3GPP Network
UE
WLAN Access Network
(with or without an
intermediate network)
3GPP AAA
Server
Packet
Data GW
In tran et / In tern et
3GPP PS
services
AAA = Authentication, Authorization and Accounting
GW = Gateway
PS = Packet-Switched
UE = User Equipment
WLAN = Wireless Local Access Network
A wireless client may also use a
3GPP authentication server to
connect to Internet services [23.234].
EAPoL
EAPoL
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
EAP Java Card API
§  This API is being designed by the Java Card Forum and the WLAN Smart
Card Consortium.
§  It allows Java Card developers to build applications that allow smart cards
to be used as EAP authentication tokens.
§  It has been built in the context of WLAN end-user authentication, which
relies on the EAP protocol.
§  In particular, this API has been built in the context of the APDU protocol
defined in draft-urien-eap-smartcard-01.txt, titled EAP Support in Smart
Cards.
§  It is an extension of the Java Card 2.2 API and relies on Java Card RMI.
§  All necessary cryptographic algorithms are supported by Java Card 2.2.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
EAP Java Card API (1)
EAPApplet
EAPService
EAPBasicService
JCRE
Authenticators
JCRMI
EAP on ISO7816
The Authenticator object performs the authentication
itself : it is tied to an identity, a credential and an
authentication method.
The EAPBasicService object implements the EAP
protocol and is registers to JCRMI through the
EAPService interface.
The EAPApplet object is a basic applet that handles
EAP requests through a JCRMI service.
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
EAP Java Card API (2)
EAPApplet
EAPGlobalService
JCRE
JCRMI
EAP on ISO7816
Applet
Authenticator
Applet
Authenticator
EAPBasicGlobalService
An EAPApplet may be
used to provide EAP
services to normal applets.
Inter-applet communication
is performed through the
Shareable interface.
Java Card Firewall
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Wi-Fi references (1)
§  Wi-Fi Alliance – http://www.weca.net
§  IEEE 802.x – http://www.ieee802.org
§  IEEE 802.11 – ISO/IEC 8802-11: (1999) IEEE Standards for Information
Technology - Telecommunications and Information Exchange between Systems -
Local and Metropolitan Area Network - Specific Requirements - Part 11: Wireless
LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.
§  IEEE 802.1x – IEEE Standards for Local and Metropolitan Area Networks: Port-
Based Network Access Control.
§  IEEE 802.11i – Draft Supplement to Standard for Telecommunications and
Information Exchange Between Systems - LAN/MAN Specific Requirements -
Part 11: Wireless Medium Access Control (MAC) and physical layer (PHY)
specifications - Specification for Enhanced Security (Draft 3.0, November 2002).
§  3GPP – http://www.3gpp.org
§  3GPP TS 23.234 v1.8.0 - 3GPP system to WLAN Interworking; System
Description (Release 6)
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Wi-Fi references (2)
§  IETF – http://www.ietf.org
§  RFC 1661 – The Point-to-Point Protocol.
§  RFC 1994 – PPP Challenge Handshake Authentication Protocol (CHAP)
§  RFC 2138 – Remote Authentication Dial In User Service (RADIUS)
§  RFC 2246 – The TLS protocol, version 1.0
§  RFC 2284 – PPP Extensible Authentication Protocol.
§  RFC 2716 – PPP EAP TLS Authentication Protocol.
§  draft-ietf-eap-rfc2284bis-03.txt – Extensible Authentication Protocol (EAP)
§  draft-aboba-pppext-key-problem-06.txt – EAP Keying Framework
§  draft-urien-eap-smartcard-01.txt – EAP support in smartcards
§  draft-haverinen-pppext-eap-sim-10.txt – EAP SIM Authentication
§  draft-arkko-pppext-eap-aka-09.txt – EAP AKA Authentication
§  draft-ietf-aaa-diameter-17.txt – DIAMETER Base Protocol
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Conclusion
§  Java Card is a safe foundation for many network security applications.
§  And don’t forget E-commerce / identification applications…
§  As Java Card moves closer to the Java mainstream, new opportunities will
arise (DRM, etc).
WAP browser + PKI plug-ins
(W)TLS (OMA & IETF)
IPsec (IETF)
03.48 (3GPP)
EAP (IETF)
‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved.
The key to an open world
30/06/2003
Q&A
§ Thank you very much for inviting me and for
attending this presentation.
§ If you have any questions, I’ll do my best to
answer them.
§ Feel free to get in touch !

Mais conteúdo relacionado

Mais procurados

Smart Card Presentation
Smart Card Presentation Smart Card Presentation
Smart Card Presentation ppriteshs
 
money pad the future wallet
money pad the future walletmoney pad the future wallet
money pad the future walletSabin Tripathi
 
Smart Card EMV for Dummies
Smart Card EMV for DummiesSmart Card EMV for Dummies
Smart Card EMV for DummiesSilly Beez
 
Efficient authentication for mobile and pervasive computing
Efficient authentication for mobile and pervasive computingEfficient authentication for mobile and pervasive computing
Efficient authentication for mobile and pervasive computingIGEEKS TECHNOLOGIES
 
3 layered advanced atm security
3 layered advanced atm security3 layered advanced atm security
3 layered advanced atm securityeSAT Journals
 
CSE digital Watermarking report
CSE digital Watermarking reportCSE digital Watermarking report
CSE digital Watermarking reportdivya sri
 
EMV Card Migration: How the EMV Transaction Flow Works
EMV Card Migration: How the EMV Transaction Flow WorksEMV Card Migration: How the EMV Transaction Flow Works
EMV Card Migration: How the EMV Transaction Flow WorksAnnMargaret Tutu (AMT)
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Smart card technology
Smart card technologySmart card technology
Smart card technologyLav Pratap
 
Bank locker system
Bank locker systemBank locker system
Bank locker systemRahul Wagh
 
Abdullin modern payments security. emv, nfc, etc
Abdullin   modern payments security. emv, nfc, etcAbdullin   modern payments security. emv, nfc, etc
Abdullin modern payments security. emv, nfc, etcDefconRussia
 
Quantum Cryptography presentation
Quantum Cryptography presentationQuantum Cryptography presentation
Quantum Cryptography presentationKalluri Madhuri
 
Best Cyber Security Projects | The Knowledge Academy
Best Cyber Security Projects | The Knowledge Academy Best Cyber Security Projects | The Knowledge Academy
Best Cyber Security Projects | The Knowledge Academy The Knowledge Academy
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & ComplianceAmazon Web Services
 

Mais procurados (20)

Smart Card Presentation
Smart Card Presentation Smart Card Presentation
Smart Card Presentation
 
money pad the future wallet
money pad the future walletmoney pad the future wallet
money pad the future wallet
 
Smart Card EMV for Dummies
Smart Card EMV for DummiesSmart Card EMV for Dummies
Smart Card EMV for Dummies
 
Efficient authentication for mobile and pervasive computing
Efficient authentication for mobile and pervasive computingEfficient authentication for mobile and pervasive computing
Efficient authentication for mobile and pervasive computing
 
3 layered advanced atm security
3 layered advanced atm security3 layered advanced atm security
3 layered advanced atm security
 
CSE digital Watermarking report
CSE digital Watermarking reportCSE digital Watermarking report
CSE digital Watermarking report
 
EMV Card Migration: How the EMV Transaction Flow Works
EMV Card Migration: How the EMV Transaction Flow WorksEMV Card Migration: How the EMV Transaction Flow Works
EMV Card Migration: How the EMV Transaction Flow Works
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)
 
Smart card technology
Smart card technologySmart card technology
Smart card technology
 
Bank locker system
Bank locker systemBank locker system
Bank locker system
 
iOS jailbreaking
iOS jailbreakingiOS jailbreaking
iOS jailbreaking
 
Smart Card
Smart CardSmart Card
Smart Card
 
Abdullin modern payments security. emv, nfc, etc
Abdullin   modern payments security. emv, nfc, etcAbdullin   modern payments security. emv, nfc, etc
Abdullin modern payments security. emv, nfc, etc
 
Quantum Cryptography presentation
Quantum Cryptography presentationQuantum Cryptography presentation
Quantum Cryptography presentation
 
Best Cyber Security Projects | The Knowledge Academy
Best Cyber Security Projects | The Knowledge Academy Best Cyber Security Projects | The Knowledge Academy
Best Cyber Security Projects | The Knowledge Academy
 
Emv Explained in few words
Emv Explained in few words Emv Explained in few words
Emv Explained in few words
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
 
Smart card
Smart cardSmart card
Smart card
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Smart card system ppt
Smart card system ppt Smart card system ppt
Smart card system ppt
 

Destaque

Veebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardigaVeebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardigaMartin Paljak
 
OpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source softwareOpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source softwareMartin Paljak
 
Diffie-Hellman key exchange
Diffie-Hellman key exchangeDiffie-Hellman key exchange
Diffie-Hellman key exchangehughpearse
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitiesYiannis Hatzopoulos
 
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM serviceseSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM servicesYiannis Hatzopoulos
 

Destaque (13)

Java card technology
Java card technologyJava card technology
Java card technology
 
Javacardtech
JavacardtechJavacardtech
Javacardtech
 
Java card
Java cardJava card
Java card
 
OpenDNIe Hackfest
OpenDNIe HackfestOpenDNIe Hackfest
OpenDNIe Hackfest
 
Codebits 2011
Codebits 2011Codebits 2011
Codebits 2011
 
Veebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardigaVeebis allkirjastamine ID-kaardiga
Veebis allkirjastamine ID-kaardiga
 
OpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source softwareOpenSC: eID interoperability through open source software
OpenSC: eID interoperability through open source software
 
ID-kaardist 100%
ID-kaardist 100%ID-kaardist 100%
ID-kaardist 100%
 
Java card
Java cardJava card
Java card
 
Smart Cards Evolution
Smart Cards EvolutionSmart Cards Evolution
Smart Cards Evolution
 
Diffie-Hellman key exchange
Diffie-Hellman key exchangeDiffie-Hellman key exchange
Diffie-Hellman key exchange
 
eSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalitieseSmartlock - an antipiracy dongle with integrated DRM functionalities
eSmartlock - an antipiracy dongle with integrated DRM functionalities
 
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM serviceseSmartlock a USB Javacard dongle with anti-piracy and DRM services
eSmartlock a USB Javacard dongle with anti-piracy and DRM services
 

Semelhante a Security applications with Java Card

Security's Once and Future King
Security's Once and Future KingSecurity's Once and Future King
Security's Once and Future KingKapil Sachdeva
 
PlaySIM Project Java One 2009
PlaySIM Project Java One 2009PlaySIM Project Java One 2009
PlaySIM Project Java One 2009Sebastian Hans
 
Study of Java Card and its Application
Study of Java Card and its ApplicationStudy of Java Card and its Application
Study of Java Card and its Applicationeditor1knowledgecuddle
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Ramesh Nagappan
 
Making networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionMaking networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionADVA
 
Wrapped rsa cryptography check on window
Wrapped rsa cryptography check on windowWrapped rsa cryptography check on window
Wrapped rsa cryptography check on windowiaemedu
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
jCardSim – Java Card is simple!
jCardSim – Java Card is simple!jCardSim – Java Card is simple!
jCardSim – Java Card is simple!Mikhail Dudarev
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...CAS
 
Smart Card Based Protocol For Secure And Controlled Access Of Mobile Host In ...
Smart Card Based Protocol For Secure And Controlled Access Of Mobile Host In ...Smart Card Based Protocol For Secure And Controlled Access Of Mobile Host In ...
Smart Card Based Protocol For Secure And Controlled Access Of Mobile Host In ...flyingsheep
 
The Impact Of Cryptanalysis Using Advanced 3D Playfair...
The Impact Of Cryptanalysis Using Advanced 3D Playfair...The Impact Of Cryptanalysis Using Advanced 3D Playfair...
The Impact Of Cryptanalysis Using Advanced 3D Playfair...Robynn Dixon
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
What is smart card on tam
What is smart card on tamWhat is smart card on tam
What is smart card on tam崇倍 洪
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Julien Vermillard
 
Атаки на мобильные сети
Атаки на мобильные сетиАтаки на мобильные сети
Атаки на мобильные сетиEkaterina Melnik
 

Semelhante a Security applications with Java Card (20)

Security's Once and Future King
Security's Once and Future KingSecurity's Once and Future King
Security's Once and Future King
 
PlaySIM Project Java One 2009
PlaySIM Project Java One 2009PlaySIM Project Java One 2009
PlaySIM Project Java One 2009
 
Study of Java Card and its Application
Study of Java Card and its ApplicationStudy of Java Card and its Application
Study of Java Card and its Application
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
 
Making networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionMaking networks secure with multi-layer encryption
Making networks secure with multi-layer encryption
 
Wrapped rsa cryptography check on window
Wrapped rsa cryptography check on windowWrapped rsa cryptography check on window
Wrapped rsa cryptography check on window
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
jCardSim – Java Card is simple!
jCardSim – Java Card is simple!jCardSim – Java Card is simple!
jCardSim – Java Card is simple!
 
Iot Security
Iot SecurityIot Security
Iot Security
 
SlingSecure USB Eng
SlingSecure USB EngSlingSecure USB Eng
SlingSecure USB Eng
 
Unit 5 m commerce
Unit 5 m commerceUnit 5 m commerce
Unit 5 m commerce
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...
 
Smart Card Based Protocol For Secure And Controlled Access Of Mobile Host In ...
Smart Card Based Protocol For Secure And Controlled Access Of Mobile Host In ...Smart Card Based Protocol For Secure And Controlled Access Of Mobile Host In ...
Smart Card Based Protocol For Secure And Controlled Access Of Mobile Host In ...
 
The Impact Of Cryptanalysis Using Advanced 3D Playfair...
The Impact Of Cryptanalysis Using Advanced 3D Playfair...The Impact Of Cryptanalysis Using Advanced 3D Playfair...
The Impact Of Cryptanalysis Using Advanced 3D Playfair...
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
What is smart card on tam
What is smart card on tamWhat is smart card on tam
What is smart card on tam
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
Атаки на мобильные сети
Атаки на мобильные сетиАтаки на мобильные сети
Атаки на мобильные сети
 

Mais de Julien SIMON

An introduction to computer vision with Hugging Face
An introduction to computer vision with Hugging FaceAn introduction to computer vision with Hugging Face
An introduction to computer vision with Hugging FaceJulien SIMON
 
Reinventing Deep Learning
 with Hugging Face Transformers
Reinventing Deep Learning
 with Hugging Face TransformersReinventing Deep Learning
 with Hugging Face Transformers
Reinventing Deep Learning
 with Hugging Face TransformersJulien SIMON
 
Building NLP applications with Transformers
Building NLP applications with TransformersBuilding NLP applications with Transformers
Building NLP applications with TransformersJulien SIMON
 
Building Machine Learning Models Automatically (June 2020)
Building Machine Learning Models Automatically (June 2020)Building Machine Learning Models Automatically (June 2020)
Building Machine Learning Models Automatically (June 2020)Julien SIMON
 
Starting your AI/ML project right (May 2020)
Starting your AI/ML project right (May 2020)Starting your AI/ML project right (May 2020)
Starting your AI/ML project right (May 2020)Julien SIMON
 
Scale Machine Learning from zero to millions of users (April 2020)
Scale Machine Learning from zero to millions of users (April 2020)Scale Machine Learning from zero to millions of users (April 2020)
Scale Machine Learning from zero to millions of users (April 2020)Julien SIMON
 
An Introduction to Generative Adversarial Networks (April 2020)
An Introduction to Generative Adversarial Networks (April 2020)An Introduction to Generative Adversarial Networks (April 2020)
An Introduction to Generative Adversarial Networks (April 2020)Julien SIMON
 
AIM410R1 Deep learning applications with TensorFlow, featuring Fannie Mae (De...
AIM410R1 Deep learning applications with TensorFlow, featuring Fannie Mae (De...AIM410R1 Deep learning applications with TensorFlow, featuring Fannie Mae (De...
AIM410R1 Deep learning applications with TensorFlow, featuring Fannie Mae (De...Julien SIMON
 
AIM361 Optimizing machine learning models with Amazon SageMaker (December 2019)
AIM361 Optimizing machine learning models with Amazon SageMaker (December 2019)AIM361 Optimizing machine learning models with Amazon SageMaker (December 2019)
AIM361 Optimizing machine learning models with Amazon SageMaker (December 2019)Julien SIMON
 
AIM410R Deep Learning Applications with TensorFlow, featuring Mobileye (Decem...
AIM410R Deep Learning Applications with TensorFlow, featuring Mobileye (Decem...AIM410R Deep Learning Applications with TensorFlow, featuring Mobileye (Decem...
AIM410R Deep Learning Applications with TensorFlow, featuring Mobileye (Decem...Julien SIMON
 
A pragmatic introduction to natural language processing models (October 2019)
A pragmatic introduction to natural language processing models (October 2019)A pragmatic introduction to natural language processing models (October 2019)
A pragmatic introduction to natural language processing models (October 2019)Julien SIMON
 
Building smart applications with AWS AI services (October 2019)
Building smart applications with AWS AI services (October 2019)Building smart applications with AWS AI services (October 2019)
Building smart applications with AWS AI services (October 2019)Julien SIMON
 
Build, train and deploy ML models with SageMaker (October 2019)
Build, train and deploy ML models with SageMaker (October 2019)Build, train and deploy ML models with SageMaker (October 2019)
Build, train and deploy ML models with SageMaker (October 2019)Julien SIMON
 
The Future of AI (September 2019)
The Future of AI (September 2019)The Future of AI (September 2019)
The Future of AI (September 2019)Julien SIMON
 
Building Machine Learning Inference Pipelines at Scale (July 2019)
Building Machine Learning Inference Pipelines at Scale (July 2019)Building Machine Learning Inference Pipelines at Scale (July 2019)
Building Machine Learning Inference Pipelines at Scale (July 2019)Julien SIMON
 
Train and Deploy Machine Learning Workloads with AWS Container Services (July...
Train and Deploy Machine Learning Workloads with AWS Container Services (July...Train and Deploy Machine Learning Workloads with AWS Container Services (July...
Train and Deploy Machine Learning Workloads with AWS Container Services (July...Julien SIMON
 
Optimize your Machine Learning Workloads on AWS (July 2019)
Optimize your Machine Learning Workloads on AWS (July 2019)Optimize your Machine Learning Workloads on AWS (July 2019)
Optimize your Machine Learning Workloads on AWS (July 2019)Julien SIMON
 
Deep Learning on Amazon Sagemaker (July 2019)
Deep Learning on Amazon Sagemaker (July 2019)Deep Learning on Amazon Sagemaker (July 2019)
Deep Learning on Amazon Sagemaker (July 2019)Julien SIMON
 
Automate your Amazon SageMaker Workflows (July 2019)
Automate your Amazon SageMaker Workflows (July 2019)Automate your Amazon SageMaker Workflows (July 2019)
Automate your Amazon SageMaker Workflows (July 2019)Julien SIMON
 
Build, train and deploy ML models with Amazon SageMaker (May 2019)
Build, train and deploy ML models with Amazon SageMaker (May 2019)Build, train and deploy ML models with Amazon SageMaker (May 2019)
Build, train and deploy ML models with Amazon SageMaker (May 2019)Julien SIMON
 

Mais de Julien SIMON (20)

An introduction to computer vision with Hugging Face
An introduction to computer vision with Hugging FaceAn introduction to computer vision with Hugging Face
An introduction to computer vision with Hugging Face
 
Reinventing Deep Learning
 with Hugging Face Transformers
Reinventing Deep Learning
 with Hugging Face TransformersReinventing Deep Learning
 with Hugging Face Transformers
Reinventing Deep Learning
 with Hugging Face Transformers
 
Building NLP applications with Transformers
Building NLP applications with TransformersBuilding NLP applications with Transformers
Building NLP applications with Transformers
 
Building Machine Learning Models Automatically (June 2020)
Building Machine Learning Models Automatically (June 2020)Building Machine Learning Models Automatically (June 2020)
Building Machine Learning Models Automatically (June 2020)
 
Starting your AI/ML project right (May 2020)
Starting your AI/ML project right (May 2020)Starting your AI/ML project right (May 2020)
Starting your AI/ML project right (May 2020)
 
Scale Machine Learning from zero to millions of users (April 2020)
Scale Machine Learning from zero to millions of users (April 2020)Scale Machine Learning from zero to millions of users (April 2020)
Scale Machine Learning from zero to millions of users (April 2020)
 
An Introduction to Generative Adversarial Networks (April 2020)
An Introduction to Generative Adversarial Networks (April 2020)An Introduction to Generative Adversarial Networks (April 2020)
An Introduction to Generative Adversarial Networks (April 2020)
 
AIM410R1 Deep learning applications with TensorFlow, featuring Fannie Mae (De...
AIM410R1 Deep learning applications with TensorFlow, featuring Fannie Mae (De...AIM410R1 Deep learning applications with TensorFlow, featuring Fannie Mae (De...
AIM410R1 Deep learning applications with TensorFlow, featuring Fannie Mae (De...
 
AIM361 Optimizing machine learning models with Amazon SageMaker (December 2019)
AIM361 Optimizing machine learning models with Amazon SageMaker (December 2019)AIM361 Optimizing machine learning models with Amazon SageMaker (December 2019)
AIM361 Optimizing machine learning models with Amazon SageMaker (December 2019)
 
AIM410R Deep Learning Applications with TensorFlow, featuring Mobileye (Decem...
AIM410R Deep Learning Applications with TensorFlow, featuring Mobileye (Decem...AIM410R Deep Learning Applications with TensorFlow, featuring Mobileye (Decem...
AIM410R Deep Learning Applications with TensorFlow, featuring Mobileye (Decem...
 
A pragmatic introduction to natural language processing models (October 2019)
A pragmatic introduction to natural language processing models (October 2019)A pragmatic introduction to natural language processing models (October 2019)
A pragmatic introduction to natural language processing models (October 2019)
 
Building smart applications with AWS AI services (October 2019)
Building smart applications with AWS AI services (October 2019)Building smart applications with AWS AI services (October 2019)
Building smart applications with AWS AI services (October 2019)
 
Build, train and deploy ML models with SageMaker (October 2019)
Build, train and deploy ML models with SageMaker (October 2019)Build, train and deploy ML models with SageMaker (October 2019)
Build, train and deploy ML models with SageMaker (October 2019)
 
The Future of AI (September 2019)
The Future of AI (September 2019)The Future of AI (September 2019)
The Future of AI (September 2019)
 
Building Machine Learning Inference Pipelines at Scale (July 2019)
Building Machine Learning Inference Pipelines at Scale (July 2019)Building Machine Learning Inference Pipelines at Scale (July 2019)
Building Machine Learning Inference Pipelines at Scale (July 2019)
 
Train and Deploy Machine Learning Workloads with AWS Container Services (July...
Train and Deploy Machine Learning Workloads with AWS Container Services (July...Train and Deploy Machine Learning Workloads with AWS Container Services (July...
Train and Deploy Machine Learning Workloads with AWS Container Services (July...
 
Optimize your Machine Learning Workloads on AWS (July 2019)
Optimize your Machine Learning Workloads on AWS (July 2019)Optimize your Machine Learning Workloads on AWS (July 2019)
Optimize your Machine Learning Workloads on AWS (July 2019)
 
Deep Learning on Amazon Sagemaker (July 2019)
Deep Learning on Amazon Sagemaker (July 2019)Deep Learning on Amazon Sagemaker (July 2019)
Deep Learning on Amazon Sagemaker (July 2019)
 
Automate your Amazon SageMaker Workflows (July 2019)
Automate your Amazon SageMaker Workflows (July 2019)Automate your Amazon SageMaker Workflows (July 2019)
Automate your Amazon SageMaker Workflows (July 2019)
 
Build, train and deploy ML models with Amazon SageMaker (May 2019)
Build, train and deploy ML models with Amazon SageMaker (May 2019)Build, train and deploy ML models with Amazon SageMaker (May 2019)
Build, train and deploy ML models with Amazon SageMaker (May 2019)
 

Último

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 

Último (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 

Security applications with Java Card

  • 1. The key to an open world ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3 Security applications with Java Card SAR 2003, Nancy Julien SIMON j.simon@oberthurcs.com
  • 2. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Outline 1. Introduction 2. Java Card overview 3. WAP security 4. IP security 5. 802.11 security 6. Q&A
  • 3. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Introduction Oberthur Card Systems §  No. 1 supplier of MasterCard and Visa payment cards worldwide. §  No. 3 supplier of 2G/3G cards worldwide. §  First to apply Java technology to the SIM card (1998). §  Please refer to www.oberthurcs.com for more information. Speaker §  3 years at OCS R&D. §  Mobile Communications Development Manager. §  In a previous life, lots of time spent in TCP/IP and kernel code (Mach / Chorus / *nix) : hence, a strong interest in computer (in)security…
  • 4. The key to an open world ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3 Java Card overview Architecture Language, VM, API Security applications with Java Card
  • 5. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Java Card §  Software standard initiated by Sun Microsystems in October 1996. §  JC is now maintained by the Java Card Forum. §  JC defines an environment allowing Java applications to to run on a microprocessor smartcard : Java Card Runtime Environment (JCRE) : §  Java Card is nice because : s It allows faster and easier development than native code. s It has all the benefits of OOD / OOP. s It is portable at source and binary level. s It allows applications to be loaded after the smartcard has been issued. §  A well-designed Java Card is a very safe foundation : s  Common Criteria EAL 4+ evaluation obtained by OCS in 2002. s  State-of-the art cryptography, protected against SPA/DPA/DFA attacks.
  • 6. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Java Card Runtime Environment § The JCRE includes : s The Java Card Virtual Machine, s The Java Card API, s A basic application installer. § It’s implemented in ROM by the smartcard issuer. § Its behavior is defined by the Java Card Runtime Environment Specification. § Versions : s 2.1 (May 2000). s 2.2 (May 2002).
  • 7. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Java Card architecture Hardware Abstraction Layer Java Card Virtual Machine Java Card API Other API (GSM, etc) JCRE Applet 1 Applet 2 Applet 3 Microcontroller
  • 8. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Language § JC supports most features of the Java language : s Packages, s Dynamic object creation (new), s Virtual methods, Inheritance, Interfaces, s Exceptions, s Etc. § The following types are not supported s char, s long, float and double, s Multi-dimensional arrays. § The int type is optional.
  • 9. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Java Card Virtual Machine § The JCVM has a classic architecture : s It runs bytecode on an operand stack. s JC bytecode is a subset of Java bytecode s E.g. no int related bytecode : iload, istore, etc. § Compared to the JVM, the JCVM is very simplified : s No on-demand class loading : all required classes must present on the card. s No threads, etc. § The JVCM also has specific features (transactions, inter-applet communication). § The behavior of the JCVM is defined by the Java Card Virtual Machine Specification.
  • 10. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Java Card 2.1 API §  The JC 2.1 API includes four packages, defined by the Java Card 2.1 Application Programming Interfaces Specification. §  java.lang : minimal Java classes. §  javacard.framework : smartcard-related classes s  Communication with the terminal, PIN handling, etc. §  javacard.security & javacardx.crypto : security classes. s  Keys : DES, 3DES, RSA et DSA. s  Crypto objects : KeyPair, MessageDigest, Cipher and Signature. §  Java Card 2.2 adds Java Card RMI, AES, ECC, garbage collection, etc.
  • 11. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Java Card references § Java Card s Specs & JCDK : http://java.sun.com/javacard/ s Java Card Forum : http://www.javacardforum.org/ s « Java Card Technology For Smart Cards » , Addison-Wesley, 2000. § Cryptography s RSA Labs : http://www.rsalabs.com/ s « Cryptographie appliquée » (2ème édition), Bruce Schneier. s « Handbook of Applied Cryptography » http://www.cacr.math.uwaterloo.ca/hac/
  • 12. The key to an open world ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3 WAP security WAP overview Wireless Identity Module (WIM) Smartcard WAP browsers
  • 13. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Wireless Application Protocol §  WAP 1.0 was released in 1998 and evolved into 1.3. §  WAP 1.x doesn’t support standard Internet protocols and languages : a WAP gateway is required. WAE: Application Environment WSP: Session Protocol WTP: Transaction Protocol WTLS: Transaction Layer Security WDP: Datagram Protocol HTTP: Hyper Text Transfer Protocol SSL: Secure Sockets Layer TCP: Transmission Control Protocol IP: Internet Protocol
  • 14. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 WAP architecture WAP Gateway Page encoder Page converter Protocol Adapters HTTP Web Server Content CGI Scripts etc. HTMLpages WMLpages WML = Wireless Markup Language HTML = Hyper Text Markup Language CGI = Common Gateway Interface ME = Mobile Equipment HTTP = Hyper Text Transfer Protocol WSP = Wireless Session Protocol WTP = Wireless Transaction Protocol ME WAP browser WSP/WTPConfig. files
  • 15. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Wireless Identity Module §  WAP communication is secured by the Wireless Transaction Layer Protocol (WTLS), which is “equivalent” to SSL. §  WTLS relies on the Wireless Identity Module (WIM) to perform secure operations, such as : s  Verification primitives (PIN operations). s  Data Access primitives (Key/certificate storage in PKCS #15 files) s  Cryptography primitives : Compute Digital Signature, Verify Signature, Hash, Decipher and various key primitives used to setup a WTLS session (Diffie- Hellman, etc). §  The WAP browser also needs the WIM to perform the signText operation (application-level signature). §  The WIM can be implemented as a Java Card applet.
  • 16. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 WAP (in)security WML/HTML Web server WML/HTML Bytecode SSL TCP WDP GSM networkInternet WTLS There is no end-to-end security, because of the WTLS/SSL gateway. This is the infamous “WAP gap” problem. WAP 2.0 solves this by using standard Internet protocols (TLS). N
  • 17. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 End-to-end security WML/HTML Web server WML/HTML Bytecode TCP/IP 03.48 GSM networkInternet Data is protected by the application, i.e. the bytecode is encrypted/decrypted by the WAP browser running on the (U)SIM card.
  • 18. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 WAP with a smartcard browser SMS-C MESIM WAP Browser Config. files OTA server WAP gatewayProactive commands 03.40 / 03.48 transport
  • 19. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Plug-in architecture § The core browser can be extended using plug-ins. § A plug-in is a normal SIM Toolkit applet. s It extends the WIB by adding new features : l  Data storage, l  Cryptography : the WAP gap must be closed ! s It may be installed at personalization time. s Plug-ins are usually small enough to be installed OTA. § Applet communication is possible with Java Card : s A plug-in registers to the WIB using a Shareable interface. s When the WIB receives the Plug-In command, it invokes the plug-in using another Shareable interface.
  • 20. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 PKI plug-ins § A smartcard browser usually supports several Public Key Infrastructure (PKI) plug-ins. § Decryption : Asymmetric Decryption (AD) § Digital signature (text) : PKCS#1 (P1) § Digital signature with time stamp (text) : PKCS#7 (P7) § Digital signature and non-repudiation (data) : Fingerprint (FP)
  • 21. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 A Band Of Browsers §  SmartTrust Wireless Internet Browser (WIB) §  SIM Alliance S@T browser. §  3GPP USAT Interpreter : s 21.112 & 31.11{2,3,4} Release 5 & 6 : architecture, protocol, core browser. s 31.113 Release 6 : plug-ins. §  These browsers all support the WML standard (or at least a large subset of it) as well as proprietary extensions (S@TML, SmartTrust WML, etc). This is similar to the Netscape/IE situation.
  • 22. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 WAP references § USAT Interpreter – http://www.3GPP.org/ § SIM Alliance – http://www.SIMAlliance.org § SmartTrust – http://www.SmartTrust.com § PKCS – http://www.RSALabs.com § WAP – http://www.OpenMobileAlliance.com/ § World Wide Web Consortium – http://www.w3.org/
  • 23. The key to an open world ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3 IP Security IP in mobile networks Internet Key Exchange Diffie-Hellman with Java Card
  • 24. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 IP in mobile networks
  • 25. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 IPsec and smartcards IPsec tunnel TCP = Transmission Control Protocol HTTP = Hyper Text Transfer Protocol Internet apps TCP / HTTP Private network IPsec IKE setup IPsec processing Untrusted network Host
  • 26. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Internet Key Exchange IKE defines two phases : 1.  Creation of a secure channel between the IKE peers. a. Negotiation of the IKE Security Association : encryption algorithm, hash function, authentication method (pre-shared keys, RSA), Diffie-Hellman group. b. Generation of shared secrets with a Diffie-Hellman exchange. c. Mutual authentication and establishment of the secure IKE channel. 2.  Creation of the IPsec security association. a. Using the secure IKE channel, negotiation of the IPsec Security Association : SPI, IPsec transform. b. Generation of the required keys either by deriving the Phase 1 secret, or by performing another Diffie-Hellman exchange.
  • 27. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Diffie-Hellman for mathematicians §  Diffie-Hellman (1976) is a widespread protocol for shared secret establishment. §  P and α are two public numbers : α<P, P prime. Send αa mod P Send αb mod P Compute (αa mod P)b mod P. Pick b random. Compute αb mod P. Compute (αb mod P)a mod P. Pick a random. Compute αa mod P. Alice Bob Receive αb mod P. Receive αa mod P. Shared secrets are derived from (αab mod P) mod P (αb mod P)a mod P = (αa mod P)b mod P = (αab mod P) mod P
  • 28. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Diffie-Hellman for the layman §  DH may be implemented primitives from public key systems based on exponentiation (RSA, DSA) or elliptic curves (ECDSA). §  DH is vulnerable to the man-in-the-middle attack, so each peer should use a certificate to authenticate the other peer. Ca = ENCRYPT(α, Ka) Cb = ENCRYPT(α, Kb)Cipher Cb with Ka. Pick a random. Build key Ka: exp = a,mod = P. Cipher α with Ka. Alice Bob Pick b random. Build key Kb: exp = b,mod = P. Cipher α with Kb Cipher Ca with Kb.
  • 29. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Diffie-Hellman with Java Card § JC 2.1 supports RSA, so DH can be implemented. § JC 2.2 introduces javacard.security.KeyAgreement, which is the base class for key agreement algorithms like DH. s At this point, the KeyAgreement API only supports ECC keys. s Main operation : generation of a shared secret using the caller’s Private Key and public data received from the peer. s public abstract short generateSecret( byte[] publicData, short publicOffset,short publicLength, byte[] secret, byte[] secretOffset)
  • 30. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 IPsec references §  RFC 2401 – Security Architecture For The Internet Protocol. §  RFC 2402 – IP Authentication Header. §  RFC 2406 – IP Encapsulating Security Payload. §  RFC 2407 – The Internet IP Security Domain of Interpretation for ISAKMP. §  RFC 2408 – Internet Security Association and Key Management Protocol. §  RFC 2409 – The Internet Key Exchange. §  RFC 2631 – Diffie-Hellman Key Agreement Method.
  • 31. The key to an open world ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. 30/06/3 Wi-Fi 802.11 weaknesses Improvements to 802.11 security Implementing 802.11 security on a (U)SIM smartcard
  • 32. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 802.11 (in)security § 802.11 security has been cracked. § A new protocol is introduced to support client authentication and distribution of session keys : the Extensible Authentication Protocol (EAP). § EAP is a generic transport protocol for a large number of authentication and key distribution methods. § EAP can be integrated into PPP [RFC2284] or 802.2 [802.1X].
  • 33. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Improving 802.11 security §  Wi-Fi Protected Access (WPA) is a short-term solution (available now). s  Authentication : 802.1X provides transport for EAP over LANs (EAPoL). s  Encryption : the Temporal Key Integrity Protocol (TKIP) is based on RC-4 and uses 128-bit keys which are recycled every 10,000 packets. §  802.11i will be the long-term standard. s  Authentication : 802.11i will maintain compatibility with WPA and building on 802.1x. s  Encryption : 802.11i will introduce new authentication and confidentiality protocols based on the Advanced Encryption Standard (AES) : l  Counter CBC Mode Protocol (CCMP). l  Wireless Robust Authenticated Protocol (WRAP).
  • 34. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 802.11i security Wireless client EAPoL Wired networkWireless network Authentication methods Applications TCP-IP 802.11 802.1x CCMP How safe are the keys ? How good is the crypto ?
  • 35. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Better 802.11 security Wired network JCRE EAP applet EAP on ISO7816 Wireless client EAPoL A smartcard and an authentication server. We’ve seen this before, haven’t we ? Applications TCP-IP 802.11 802.1x
  • 36. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 EAP methods §  EAP is a generic protocol : it relies on a variety of methods for authentication and key generation. §  The following methods could be implemented on a smartcard to provide mutual authentication and key generation : 1.  EAP-TLS [RFC2716] : Transaction Layer Security [RFC2246]. 2.  EAP-SIM (IETF draft) : 2G authentication algorithms. 3.  EAP-AKA (IETF draft) : 3G authentication algorithms. s  EAP-SIM and EAP-AKA will be part of 3GPP {2,3}3.234 Release 6.
  • 37. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 EAP commands §  Four packet types : Request, Response, Success, Failure. §  Request (authenticator èpeer) a.  Identity : query the identity of the peer. b. Notification : send a displayable message to the peer (password expiration, etc). c.  TLS / SIM / AKA : set the authentication method and data. §  Response (peer è authenticator) a.  Identity : send a peer identity to the authenticator. b. Notification: acknowledge message. c.  TLS / SIM / AKA : send authentication value. d. NAK: decline authentication method and propose another one. §  Success (authenticator èpeer) : authentication has succeeded. §  Failure (authenticator èpeer) : authentication has failed.
  • 38. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 EAP & 3GPP 3GPP Network UE WLAN Access Network (with or without an intermediate network) 3GPP AAA Server Packet Data GW In tran et / In tern et 3GPP PS services AAA = Authentication, Authorization and Accounting GW = Gateway PS = Packet-Switched UE = User Equipment WLAN = Wireless Local Access Network A wireless client may also use a 3GPP authentication server to connect to Internet services [23.234]. EAPoL EAPoL
  • 39. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 EAP Java Card API §  This API is being designed by the Java Card Forum and the WLAN Smart Card Consortium. §  It allows Java Card developers to build applications that allow smart cards to be used as EAP authentication tokens. §  It has been built in the context of WLAN end-user authentication, which relies on the EAP protocol. §  In particular, this API has been built in the context of the APDU protocol defined in draft-urien-eap-smartcard-01.txt, titled EAP Support in Smart Cards. §  It is an extension of the Java Card 2.2 API and relies on Java Card RMI. §  All necessary cryptographic algorithms are supported by Java Card 2.2.
  • 40. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 EAP Java Card API (1) EAPApplet EAPService EAPBasicService JCRE Authenticators JCRMI EAP on ISO7816 The Authenticator object performs the authentication itself : it is tied to an identity, a credential and an authentication method. The EAPBasicService object implements the EAP protocol and is registers to JCRMI through the EAPService interface. The EAPApplet object is a basic applet that handles EAP requests through a JCRMI service.
  • 41. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 EAP Java Card API (2) EAPApplet EAPGlobalService JCRE JCRMI EAP on ISO7816 Applet Authenticator Applet Authenticator EAPBasicGlobalService An EAPApplet may be used to provide EAP services to normal applets. Inter-applet communication is performed through the Shareable interface. Java Card Firewall
  • 42. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Wi-Fi references (1) §  Wi-Fi Alliance – http://www.weca.net §  IEEE 802.x – http://www.ieee802.org §  IEEE 802.11 – ISO/IEC 8802-11: (1999) IEEE Standards for Information Technology - Telecommunications and Information Exchange between Systems - Local and Metropolitan Area Network - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. §  IEEE 802.1x – IEEE Standards for Local and Metropolitan Area Networks: Port- Based Network Access Control. §  IEEE 802.11i – Draft Supplement to Standard for Telecommunications and Information Exchange Between Systems - LAN/MAN Specific Requirements - Part 11: Wireless Medium Access Control (MAC) and physical layer (PHY) specifications - Specification for Enhanced Security (Draft 3.0, November 2002). §  3GPP – http://www.3gpp.org §  3GPP TS 23.234 v1.8.0 - 3GPP system to WLAN Interworking; System Description (Release 6)
  • 43. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Wi-Fi references (2) §  IETF – http://www.ietf.org §  RFC 1661 – The Point-to-Point Protocol. §  RFC 1994 – PPP Challenge Handshake Authentication Protocol (CHAP) §  RFC 2138 – Remote Authentication Dial In User Service (RADIUS) §  RFC 2246 – The TLS protocol, version 1.0 §  RFC 2284 – PPP Extensible Authentication Protocol. §  RFC 2716 – PPP EAP TLS Authentication Protocol. §  draft-ietf-eap-rfc2284bis-03.txt – Extensible Authentication Protocol (EAP) §  draft-aboba-pppext-key-problem-06.txt – EAP Keying Framework §  draft-urien-eap-smartcard-01.txt – EAP support in smartcards §  draft-haverinen-pppext-eap-sim-10.txt – EAP SIM Authentication §  draft-arkko-pppext-eap-aka-09.txt – EAP AKA Authentication §  draft-ietf-aaa-diameter-17.txt – DIAMETER Base Protocol
  • 44. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Conclusion §  Java Card is a safe foundation for many network security applications. §  And don’t forget E-commerce / identification applications… §  As Java Card moves closer to the Java mainstream, new opportunities will arise (DRM, etc). WAP browser + PKI plug-ins (W)TLS (OMA & IETF) IPsec (IETF) 03.48 (3GPP) EAP (IETF)
  • 45. ‹#›(SAR 2003)Copyright © 2003 Oberthur Card Systems. All rights reserved. The key to an open world 30/06/2003 Q&A § Thank you very much for inviting me and for attending this presentation. § If you have any questions, I’ll do my best to answer them. § Feel free to get in touch !