Java Card in Banking and NFC

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Eric VETILLARD, Principal Product Manager, Java Card

Transcript of Java Card in Banking and NFC

Page 1: Java Card in Banking and NFC

Java Card in Banking and NFC

Eric VETILLARD

Principal Product Manager, Java Card

Page 2: Java Card in Banking and NFC

Some Mobile Payment Initiatives

SIM Toolkit

NFC Web-based

2nd Chip

Page 3: Java Card in Banking and NFC

Program Agenda

• Opportunities in banking and payment

• Opportunities in NFC

• Java Card in banking market

• Java Card in NFC

• The Reference Platform

• Helping you address your market

Page 4: Java Card in Banking and NFC

Chip Card Migration

Page 5: Java Card in Banking and NFC

Chip Card Migrations

• Several countries with billions of cards

– USA, China, India

• Many more countries with very large numbers

• Migration processes are getting organized

– Contact and/or contactless?

– User authentication: PIN, signature, …

– Mix of national programs and brand-oriented programs

Huge card volumes

Page 6: Java Card in Banking and NFC

Program Agenda

• Opportunities in banking and payment

• Opportunities in NFC

• Java Card in banking market

• Java Card in NFC

• The Reference Platform

• Helping you address your market

Page 7: Java Card in Banking and NFC

NFC Deployments are Happening

• The infrastructure is getting ready

– Phones are slowly appearing

– Contactless readers are getting deployed

– TSM infrastructure is ready

• Business models are somewhat slower

– Diverging interests between stakeholders

– Some impact on the technical infrastructure

– For instance, the type of Secure Element

Page 8: Java Card in Banking and NFC

NFC Secure Elements

• SIM cards with SWP

– Network operators’ preferred solution

– Everybody else is wary of it

• Embedded SE’s

– Domination of the “mobile wallet” actors

– Not well accepted by mobile operators

• SD Cards

– Used by banks in many pilots

– Can only work if it supports multiple application providers

Page 9: Java Card in Banking and NFC

Payment a Key NFC Application

• Largest NFC actions focused on payment

– Isis and Google in the US

– China Union Pay in China

– Citizy and mobile operators in France

• NFC payments endorsed by all payment actors

– Visa, Union Pay, MasterCard, American Express, Discover, …

Page 10: Java Card in Banking and NFC

Program Agenda

• Opportunities in banking and payment

• Opportunities in NFC

• Java Card in banking market

• Java Card in NFC

• The Reference Platform

• Helping you address your market

Page 11: Java Card in Banking and NFC

The Java Card Promise

[Diagram: a Java Card Platform hosting Pay, OTP and Loy apps. Label: Multiple Applications]

Page 12: Java Card in Banking and NFC

The Java Card Promise

[Diagram: Java Card Platform #1 and Java Card Platform #2, each hosting Pay, OTP and Loy apps. Labels: Multiple Applications, Platform Interoperability]

Page 13: Java Card in Banking and NFC

The Java Card Promise

[Diagram: Java Card Platform #1 and Java Card Platform #2, each hosting Pay, OTP and Loy apps; Java Card Platform #3 (Certified) shown with a Pay app, plus OTP and Loy apps. Labels: Multiple Applications, Platform Interoperability, Application Isolation]

Page 14: Java Card in Banking and NFC

Multi-application cards

• Several applications on a card

– Leveraging the value of the card

– Offering more services to the users

• More flexibility in the lifecycle

– Managing application(s) independently of the card

– Modifying the card after its issuance

• Separating applications from platform

– Improving card management

Page 15: Java Card in Banking and NFC

Step 1: Basic Interoperability

• Use several vendors

– Applications are portable

– Reduced deployment cost

– Reduced time-to-market

[Diagram: Java Card Platform (Vendor #1) and Java Card Platform (Vendor #2), each hosting Pay, OTP and Loy apps]

Page 16: Java Card in Banking and NFC

Step 2: Defining a Product Line

• Java Card Platform (Closed): Pay app. Low-cost card for mass deployment

• Java Card Platform (Open): Pay, OTP and Loy apps. Premium card for key customers

• Java Card Platform (Third-Party): Pay, STK and SIM apps. Partner’s card for mobile payment

One application

Page 17: Java Card in Banking and NFC

Certifying a Payment Card

• Attacks are becoming more sophisticated

– Power analysis attacks

– Fault induction attacks

• Countermeasures are required at application level

– Protecting key assets from attacks

• Developing an application is hard

– Better to rely on an up-to-date reference implementation

Developing the application

Page 18: Java Card in Banking and NFC

New Certification Approach

• A reference implementation is provided

– Implemented all required features (properly)

– Including all required countermeasures

• Functional certification

– Platform first certified as Java Card compliant

• Security certification

– Platform countermeasures evaluated separately

• Final certification can be minimized

Splitting responsibilities

Page 19: Java Card in Banking and NFC

Three-step Certification

[Diagram: Java Card Platform and Pay app. Labels: Functional testing, Security analysis, TCK compliance, Security evaluation, Performance tests, Security checks]

Page 20: Java Card in Banking and NFC

Program Agenda

• Opportunities in banking and payment

• Opportunities in NFC

• Java Card in banking market

• Java Card in NFC

• The Reference Platform

• Helping you address your market

Page 21: Java Card in Banking and NFC

Java Card is at the Heart of NFC

• NFC Secure Elements share some characteristics

– They host multiple applications

– Applications come from multiple providers

– The applications are known late in the process

• Java Card is a core enabler for these characteristics

– Clear isolation of applications from untrusted sources

– Possibility to load applications dynamically

Page 22: Java Card in Banking and NFC

Java Card and NFC Certification

• Reference applications are becoming common

– Several key actors in the payment market

– Easiest way to deal with certification

• Also offers possibilities for non-sensitive applications

– Guidelines can be defined for these applications

– Automated tools can be used to analyze these applications

– See ongoing work in GlobalPlatform’s Card Security Workgroup

Page 23: Java Card in Banking and NFC

NFC is Part of the Global Offer

• Sharing some components with other offers

– Payment applications are similar to those used on cards

• Including specific components

– Availability of User Interface can support additional applications

Page 24: Java Card in Banking and NFC

Program Agenda

• Opportunities in banking and payment

• Opportunities in NFC

• Java Card in banking market

• Java Card in NFC

• The Reference Platform

• Helping you address your market

Page 25: Java Card in Banking and NFC

The Reference Open Platform

• The most open platform

– Readily accessible to all developers

– Including JDK, Protection Profile, and more

– Freedom to extend and choose card management options

• Many vertical API’s

– ETSI and 3GPP APIs for STK, SCWS, and much more

– GlobalPlatform API’s for management, NFC, and more

Page 26: Java Card in Banking and NFC

The Reference for Certification

• Common Criteria ready

– Java Card Protection Profile is freely available

– Many certifications around Java Card

• Since 2011, 6 platforms and 11 applications in France only

• The basis for private certification frameworks

– Platform security requirements from EMVCo

– NFC application security guidelines from AFSCM

Page 27: Java Card in Banking and NFC

Program Agenda

• Opportunities in banking and payment

• Opportunities in NFC

• Java Card in banking market

• Java Card in NFC

• The Reference Platform

• Helping you address your market

Page 28: Java Card in Banking and NFC

Oracle Tools

• Oracle provides tools to Java Card licensees

– Testing and Compatibility Kit (TCK)

– Trimming Tool

• Oracle provides tools to Java Card developers

– Java Card Development Kit (JCDK)

– NetBeans IDE integration

• Oracle provides tools to Java Card issuers

– Java Card Binary Verification Tool

Page 29: Java Card in Banking and NFC

Licensee Tools

• Compliance testing

– Technology Compliance Kit (TCK)

– Thousands of test cases

– Must be run successfully to be allowed to distribute product

• Platform optimization

– Trimming tool

– Determines minimum subset to run an application

– Used to build optimized (closed) implementations

Tools to build platforms

Page 30: Java Card in Banking and NFC

Developer Tools

• Building and deploying applications

– Specific converter to produce CAP files

– Bytecode verifier used in deployment

– Integration in Java code production chain

• Developing applications

– Integration into NetBeans IDE

– Integrated debugging using simulator

Tools to build Java Card applications

Page 31: Java Card in Banking and NFC

Issuer Tools

• Checking the full compliance of platforms

– Java Card Binary Verification Tool

– Runs the TCK on a card

– Simply answers through a “yes/no” flag

– Objective is to check the full compliance of platforms

• Checking the validity of CAP files for a platform

– Java Card Bytecode Verifier

– Delivered with the development toolkit

Tools to check Java Card platforms and applications

Page 32: Java Card in Banking and NFC

Many Actors Ready to Help

• Product development

– Card vendors

– Application developers and consultants

– Security evaluation laboratories

• Product deployment

– Personalization bureaus

– Trusted Service Managers (TSM’s)

• All of this made possible by standardization

Java Card has created a full ecosystem

Page 33: Java Card in Banking and NFC

Q&A

Page 34: Java Card in Banking and NFC
