An Efficient and Simple Way to Test the Security of Java CardsTM

Serge Chaumette, Damien Sauveron

Abstract

Till recently it was impossible to have more than one single application running on a smart card. Multiapplication cards, and especially Java Cards, now make it possible to have several applications sharing the same physical piece of plastic. Today, these cards accept to load code only after an authentication. But in the future, the cards will be open an everybody should be authorized to upload an application. This raises new security problems by creating additional ways to attack Java Cards. These problems and the method to test them are the topic of this paper. The attacks will be illustrated with code samples. The method presented here can be applied right now by authorised people (e.g. Information Technology Evaluation Facility – ITSEF) to test the security of Java Cards since they have the authentication keys and tomorrow a hacker may also be able to use this method to attack cards without needing the keys.

References

  1. Chen, Z.: Java Card Technology for Smart Cards: Architecture and Programmer's Guide. Addison-Wesley (2000)
  2. Sun microsystems: Java CardTM 2.2.1 Specifications. Sun microsystems (2003)
  3. International Organization for Standardization: Information technology - Identification cards - Integrated circuit(s) cards with contacts - Part 3: Electronic signals and transmission protocols. (ISO)
  4. International Organization for Standardization: Information technology - Identification cards - Integrated circuit(s) cards with contacts - Part 4: Interindustry comands for interchange. (ISO)
  5. Muir, J.A.: Techniques of Side Channel Cryptanalysis. Master's thesis, University of Waterloo, Ontario, Canada (2001) Master of Mathematics in Combinatorics and Optimization.
  6. Kocher, P.: Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems. In: Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, Springer-Verlag (1996) 104-113
  7. Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, Springer-Verlag (1999) 388-397
  8. Coron, J.S., Kocher, P., Naccache, D.: Statistics and Secret Leakage. In: Proceedings of Financial Cryptography (FC2000). Volume 1962 of Lecture Notes in Computer Science., Springer-Verlag (2001) 157-173
  9. Quisquater, J.J., Samyde, D.: ElectroMagnetic Analysis (EMA): Measures and Countermeasures for Smart Cards. In: Proceedings of E-smart 2001. Volume 2140 of Lecture Notes in Computer Science., Springer-Verlag (2001) 200-210
  10. Gandol, K., Mourtel, C., Olivier, F.: ElectroMagnetic Analysis: Concrete Results. In: Proceedings of CHES'2001. Volume 2162 of Lecture Notes in Computer Science., SpringerVerlag (2001) 251-261
  11. Kömmerling, O., Kuhn, M.G.: Design Principles for Tamper-Resistant Smartcard Processors. In: Proceedings of the USENIX Workshop on Smartcard Technology (Smartcard 7899), Chicago, Illinois, USA (1999) 9-20
  12. Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer's Apprentice Guide to Fault Attacks. In: Proceedings of Workshop on Fault Detection and Tolerance in Cryptography, Italy (2004)
  13. Giraud, C., Thiebeauld, H.: A survey on fault attacks. In: Proceedings of CARDIS'04, Smart Card Research and Advanced Applications VI, Toulouse, France, Kluwer academic publisher (2004) 159-176
  14. Skorobogatov, S., Anderson, R.: Optical Fault Induction Attacks. In: Proceedings of Workshop on Cryptographic Hardware and Embedded Systmes (CHES 2002), San Francisco Bay (Redwood City), USA (2002)
  15. GlobalPlatform: GlobalPlatform. (http://www.globalplatform.org/)
  16. Rose, E., Rose, K.: Lightweight bytecode verification. In: In Workshop on Fundamental Underpinnings of Java, OOPSLA 7898 Workshop., Vancouver, Canada (1998)
  17. Casset, L., Burdy, L., Requet, A.: Formal Development of an embedded verifier for Java Card Byte Code. In: Proceedings of the IEEE International Conference on Dependable Systems & Networks, Washington, D.C., USA (2002)
  18. Leroy, X.: On-Card Bytecode Verification for Java Card. In: Proceedings of the International Conference on Research in Smart Cards, E-Smart 2001, Springer-Verlag (2001) 150-164
  19. Leroy, X.: Bytecode verification on Java smart cards. Software-Practice & Experience 32 (2002) 319-340
  20. Cohen, R.M.: Defensive Java Virtual Machine Version 0.5 alpha. (1997)
  21. Barthe, G., Dufay, G., Jakubiec, L., Melo de Sousa, S.: A Formal Correspondence between Offensive and Defensive JavaCard Virtual Machines. In: Proceedings of VMCAI'02. Volume 2294 of Lecture Notes in Computer Science., Venice, Italy, Springer-Verlag (2002) 32-45
  22. Deville, D., Grimaud, G.: Building an “impossible” verifier on a Java Card. In: 2nd USENIX Workshop on Industrial Experiences with Systems Software, Boston, USA (2002)
  23. Montgomery, M., Krishna, K.: Secure Object Sharing in Java Card. In: Proceedings of the USENIX Workshop on Smartcard Technology (Smartcard 7899), Chicago, Illinois, USA (1999)
  24. Witteman, M.: Java card security. Information Security Bulletin 8 (2003) 291-298
  25. Betarte, G., Giménez, E., Chetali, B., Loiseaux, C.: FORMAVIE: Formal Modelling and Verification of Java Card 2.1.1 Security Architecture. In: Proceedings of E-Smart 2002, Nice, France (2002) 215-229
  26. Chaumette, S., Hatchondo, I., Sauveron, D.: JCAT: An environment for attack and test on Java Card. In: Proceedings of CCCT'03 and 9th ISAS'03. Volume 1., Orlando, FL, USA (2003) 270-275
  27. Hatchondo, I., Sauveron, D.: The JCatools website. (http://sourceforge.net/projects/jcatools/)
  28. CCIMB: International Common Criteria home page. (http://www.commoncriteriaportal.org/)
Download


Paper Citation


in Harvard Style

Chaumette S. and Sauveron D. (2005). An Efficient and Simple Way to Test the Security of Java CardsTM . In Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005) ISBN 972-8865-25-2, pages 331-342. DOI: 10.5220/0002574803310342


in Bibtex Style

@conference{wosis05,
author={Serge Chaumette and Damien Sauveron},
title={An Efficient and Simple Way to Test the Security of Java CardsTM},
booktitle={Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)},
year={2005},
pages={331-342},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002574803310342},
isbn={972-8865-25-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)
TI - An Efficient and Simple Way to Test the Security of Java CardsTM
SN - 972-8865-25-2
AU - Chaumette S.
AU - Sauveron D.
PY - 2005
SP - 331
EP - 342
DO - 10.5220/0002574803310342