Java Card in Banking and NFC
- 1. 21 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Java Card in Banking and NFC
Eric VETILLARD
Principal Product Manager, Java Card
- 2.
Some Mobile Payment Initiatives
SIM Toolkit
NFC Web-based
2nd Chip
- 3.
Program Agenda
• Opportunities in banking and payment
• Opportunities in NFC
• Java Card in banking market
• Java Card in NFC
• The Reference Platform
• Helping you address your market
- 4.
Chip Card Migration
- 5.
Chip Card Migrations
• Several countries with billions of cards
– USA, China, India
• Many more countries with very large numbers
• Migration processes are getting organized
– Contact and/or contactless?
– User authentication: PIN, signature, …
– Mix of national programs and brand-oriented programs
Huge card volumes
- 6.
Program Agenda
• Opportunities in banking and payment
• Opportunities in NFC
• Java Card in banking market
• Java Card in NFC
• The Reference Platform
• Helping you address your market
- 7.
NFC Deployments are Happening
• The infrastructure is getting ready
– Phones are slowly appearing
– Contactless readers are getting deployed
– TSM infrastructure is ready
• Business models are somewhat slower
– Diverging interests between stakeholders
– Some impact on the technical infrastructure
– For instance, the type of Secure Element
- 8.
NFC Secure Elements
• SIM cards with SWP
– Network operators’ preferred solution
– Everybody else is wary of it
• Embedded SEs
– Domination of the “mobile wallet” actors
– Not well accepted by mobile operators
• SD Cards
– Used by banks in many pilots
– Can only work if it supports multiple application providers
- 9.
Payment a Key NFC Application
• Largest NFC actions focused on payment
– Isis and Google in the US
– China Union Pay in China
– Citizy and mobile operators in France
• NFC payments endorsed by all payment actors
– Visa, Union Pay, MasterCard, American Express, Discover, …
- 10.
Program Agenda
• Opportunities in banking and payment
• Opportunities in NFC
• Java Card in banking market
• Java Card in NFC
• The Reference Platform
• Helping you address your market
- 11.
The Java Card Promise
[Diagram: a Java Card Platform hosting Pay, OTP and Loy apps. Label: Multiple Applications]
- 12.
The Java Card Promise
[Diagram: Java Card Platform #1 and Java Card Platform #2, each hosting Pay, OTP and Loy apps. Labels: Multiple Applications, Platform Interoperability]
- 13.
The Java Card Promise
[Diagram: Java Card Platform #1 and Java Card Platform #2, each hosting Pay, OTP and Loy apps; Java Card Platform #3 (Certified) hosting a Pay app; a further OTP app and Loy app also appear. Labels: Multiple Applications, Platform Interoperability, Application Isolation]
- 14.
Multi-application cards
• Several applications on a card
– Leveraging the value of the card
– Offering more services to the users
• More flexibility in the lifecycle
– Managing application(s) independently of the card
– Modifying the card after its issuance
• Separating applications from platform
– Improving card management
- 15.
Step 1: Basic Interoperability
• Use several vendors
– Applications are portable
– Reduced deployment cost
– Reduced time-to-market
[Diagram: Java Card Platform (Vendor #1) and Java Card Platform (Vendor #2), each hosting Pay, OTP and Loy apps]
- 16.
Step 2: Defining a Product Line
[Diagram: three Java Card platforms]
• Java Card Platform (Closed): Pay app
– Low-cost card for mass deployment
• Java Card Platform (Open): Pay app, OTP app, Loy app
– Premium card for key customers
• Java Card Platform (Third-Party): Pay app, STK app, SIM app
– Partner’s card for mobile payment
One application
- 17.
Certifying a Payment Card
• Attacks are becoming more sophisticated
– Power analysis attacks
– Fault induction attacks
• Countermeasures are required at application level
– Protecting key assets from attacks
• Developing an application is hard
– Better to rely on an up-to-date reference implementation
Developing the application
- 18.
New Certification Approach
• A reference implementation is provided
– Implemented all required features (properly)
– Including all required countermeasures
• Functional certification
– Platform first certified as Java Card compliant
• Security certification
– Platform countermeasures evaluated separately
• Final certification can be minimized
Splitting responsibilities
- 19.
Three-step Certification
[Diagram labels: Java Card Platform, Pay app; Functional testing, Security analysis; TCK compliance, Security evaluation; Performance tests, Security checks]
- 20.
Program Agenda
• Opportunities in banking and payment
• Opportunities in NFC
• Java Card in banking market
• Java Card in NFC
• The Reference Platform
• Helping you address your market
- 21.
Java Card is at the Heart of NFC
• NFC Secure Elements share some characteristics
– They host multiple applications
– Applications come from multiple providers
– The applications are known late in the process
• Java Card is a core enabler for these characteristics
– Clear isolation of applications from untrusted sources
– Possibility to load applications dynamically
- 22.
Java Card and NFC Certification
• Reference applications are becoming common
– Several key actors in the payment market
– Easiest way to deal with certification
• Also offers possibilities for non-sensitive applications
– Guidelines can be defined for these applications
– Automated tools can be used to analyze these applications
– See ongoing work in GlobalPlatform’s Card Security Workgroup
- 23.
NFC is Part of the Global Offer
• Sharing some components with other offers
– Payment applications are similar to those used on cards
• Including specific components
– Availability of User Interface can support additional applications
- 24.
Program Agenda
• Opportunities in banking and payment
• Opportunities in NFC
• Java Card in banking market
• Java Card in NFC
• The Reference Platform
• Helping you address your market
- 25.
The Reference Open Platform
• The most open platform
– Readily accessible to all developers
– Including JDK, Protection Profile, and more
– Freedom to extend and choose card management options
• Many vertical APIs
– ETSI and 3GPP APIs for STK, SCWS, and much more
– GlobalPlatform APIs for management, NFC, and more
- 26.
The Reference for Certification
• Common Criteria ready
– Java Card Protection Profile is freely available
– Many certifications around Java Card
• Since 2011, 6 platforms and 11 applications in France only
• The basis for private certification frameworks
– Platform security requirements from EMVCo
– NFC application security guidelines from AFSCM
- 27.
Program Agenda
• Opportunities in banking and payment
• Opportunities in NFC
• Java Card in banking market
• Java Card in NFC
• The Reference Platform
• Helping you address your market
- 28.
Oracle Tools
• Oracle provides tools to Java Card licensees
– Testing and Compatibility Kit (TCK)
– Trimming Tool
• Oracle provides tools to Java Card developers
– Java Card Development Kit (JCDK)
– Netbeans IDE integration
• Oracle provides tools to Java Card issuers
– Java Card Binary Verification Tool
- 29.
Licensee Tools
• Compliance testing
– Technology Compliance Kit (TCK)
– Thousands of test cases
– Must be run successfully to be allowed to distribute product
• Platform optimization
– Trimming tool
– Determines minimum subset to run an application
– Used to build optimized (closed) implementations
Tools to build platforms
- 30.
Developer Tools
• Building and deploying applications
– Specific converter to produce CAP files
– Bytecode verifier used in deployment
– Integration in Java code production chain
• Developing applications
– Integration into Netbeans IDE
– Integrated debugging using simulator
Tools to build Java Card applications
- 31.
Issuer Tools
• Checking the full compliance of platforms
– Java Card Binary Verification Tool
– Runs the TCK on a card
– Simply answers through a “yes/no” flag
– Objective is to check the full compliance of platforms
• Checking the validity of CAP files for a platform
– Java Card Bytecode Verifier
– Delivered with the development toolkit
Tools to check Java Card platforms and applications
- 32.
Many Actors Ready to Help
• Product development
– Card vendors
– Application developers and consultants
– Security evaluation laboratories
• Product deployment
– Personalization bureaus
– Trusted Service Managers (TSMs)
• All of this made possible by standardization
Java Card has created a full ecosystem
- 33.
Q&A