OSGi World Congress 2003

1. Gemplus and OSGI
Benjamin Maury
10.23.03

2. Gemplus Introduction
World Leader for Smart Card Solutions
Smart Solutions in Telecommunications
Beyond the SIM with applications and Over the Air Platform
Trusted Solutions for finance and security
Banking: differentiated services
Retail: customer loyalty
ID and Security: Government and Enterprise
Security expertise delivered by Business Development Group
Digital Security
Operating Systems
Technology-driven business

3. What is the Gemplus Automotive Approach?
Leverage our telecom and security expertise in automotive
market :
Provide more flexibility to the SIM Card
Ensuring end to end security in Electronic Control Unit Software
Download
Enabling Multi services Token for services personalization
Requirements for services life cycle flexibility and security

4. OSGI Lite Implementation

5. Java Card J2SE J2EE
VM
Language
API
JCVM JVMKVM
J2ME
CLDC CDC
Java subset Java
JC API CLDC API CDC API
API
API
MIDP
P2
P4
P3
...
...
OSGI

6. Gemplus and Java
More than 50% of our products are Java compliant
Migration from proprietary platform towards open platform
As a smart card leader we have to be the first at the
standardization level
JSR 177 – Secure the Java Mobile Environment with security
services coming from SIM Card

7. Why OSGI for the next Java Card Platform?
Next Generation smart cards will require dynamic service
management
Need for OSGI lite in order to have a flexible way to manage
application
Need for adapting Performance and Hardware constraints due
to the small smart card environment
Gemplus is proposing an OSGI framework for the next Java
Card platform

8. Our light OSGI Implementation
Implements only the Core OSGI Features (possibly a subset)
KVM-like java platform Development for smart card
Communication is provided by an embedded TCP/IP stack
For smart card first but possible extension to small foot print
environment

9. OSGI Security Approach

10. Our OSGi Security approach
Open environment means more risk exposure and more security
requirements
Objective is to have an end to end security chain from
development to application use
The security level is always given by the weakest element
So far, usage of Global Platform to manage our open platform
Our products are based on Global Platform and have a security validated by
EAL5+ (Evaluation Assurance Level) Certification
OSGi Security scheme remains open and has to be defined by
OSGi solution integrators

11. Java is Open but Possibly Secured
Java and security
Code download post-issuance
Multi-application
Applet / platform separation
Risks
Non Verified Application (Trojan horses)
Problems of trust and rights delegation
Enforcement of chain trust
Risk assessment to evaluate the vulnerability
Identity of each involved party can be checked (authentication)
Answer to Integrity and Confidentiality of data Needs
Secure the Java Virtual Machine

12. End to end Security Services
GSM/GPRS,
UMTS
Multi-application
Post-issuance
capabilities
Signature and
encryption of
application
Internet
Shops
Application
Server
Complete security chain to reach high security level

13. Parallel can be made with the Automotive World
The same requirements exist for the automotive market
Internet
WLAN
Dealers
Application
Server
GSM/GPRS,
UMTS
Multi-application
Post-issuance
capabilities
Signature and
encryption of
application

14. Conclusion
OSGi is a candidate for New Generation Java Card
management framework
OSGI brings flexibility but great care has to be taken concerning
the complete security chain
Gemplus has an end to end security expertise and has
experimented an OSGI lite implementation

15. Questions? benjamin.maury@gemplus.com