Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Java Card in Banking and NFC
Eric VETILLARD
Principal Product Manager, Java Card
Some Mobile Payment Initiatives
SIM Toolkit
NFC Web-based
2nd Chip
Program Agenda
• Opportunities in banking and payment
• Opportunities in NFC
• Java Card in banking market
• Java Card in NFC
• The Reference Platform
• Helping you address your market
Chip Card Migration
Chip Card Migrations
• Several countries with billions of cards
– USA, China, India
• Many more countries with very large numbers
• Migration processes are getting organized
– Contact and/or contactless?
– User authentication: PIN, signature, …
– Mix of national programs and brand-oriented programs
Huge card volumes
NFC Deployments are Happening
• The infrastructure is getting ready
– Phones are slowly appearing
– Contactless readers are getting deployed
– TSM infrastructure is ready
• Business models are somewhat slower
– Diverging interests between stakeholders
– Some impact on the technical infrastructure
– For instance, the type of Secure Element
NFC Secure Elements
• SIM cards with SWP
– Network operators’ preferred solution
– Everybody else is wary of it
• Embedded SE’s
– Domination of the “mobile wallet” actors
– Not well accepted by mobile operators
• SD Cards
– Used by banks in many pilots
– Can only work if it supports multiple application providers
Payment a Key NFC Application
• Largest NFC actions focused on payment
– Isis and Google in the US
– China Union Pay in China
– Citizy and mobile operators in France
• NFC payments endorsed by all payment actors
– Visa, Union Pay, MasterCard, American Express, Discover, …
The Java Card Promise
[Diagram: Java Card Platform hosting Pay app, OTP app, Loy app]
Multiple Applications
The Java Card Promise
[Diagram: Java Card Platform #1 and Java Card Platform #2, each hosting Pay app, OTP app, Loy app]
Multiple Applications
Platform Interoperability
The Java Card Promise
[Diagram: Java Card Platform #1, Java Card Platform #2 and Java Card Platform #3 (Certified), with Pay app, OTP app and Loy app boxes]
Multiple Applications
Platform Interoperability
Application Isolation
Multi-application cards
• Several applications on a card
– Leveraging the value of the card
– Offering more services to the users
• More flexibility in the lifecycle
– Managing application(s) independently of the card
– Modifying the card after its issuance
• Separating applications from platform
– Improving card management
Step 1: Basic Interoperability
• Use several vendors
– Applications are portable
– Reduced deployment cost
– Reduced time-to-market
[Diagram: Java Card Platform (Vendor #1) and Java Card Platform (Vendor #2), each hosting Pay app, OTP app, Loy app]
Step 2: Defining a Product Line
[Diagram: three cards]
– Java Card Platform (Closed): Pay app. Low-cost card for mass deployment
– Java Card Platform (Open): Pay app, OTP app, Loy app. Premium card for key customers
– Java Card Platform (Third-Party): Pay app, STK app, SIM app. Partner’s card for mobile payment
One application
Certifying a Payment Card
• Attacks are becoming more sophisticated
– Power analysis attacks
– Fault induction attacks
• Countermeasures are required at application level
– Protecting key assets from attacks
• Developing an application is hard
– Better to rely on an up-to-date reference implementation
Developing the application
New Certification Approach
• A reference implementation is provided
– Implementing all required features (properly)
– Including all required countermeasures
• Functional certification
– Platform first certified as Java Card compliant
• Security certification
– Platform countermeasures evaluated separately
• Final certification can be minimized
Splitting responsibilities
Three-step Certification
[Diagram: Java Card Platform and Pay app boxes; labels: Functional testing, Security analysis, TCK compliance, Security evaluation, Performance tests, Security checks]
Java Card is at the Heart of NFC
• NFC Secure Elements share some characteristics
– They host multiple applications
– Applications come from multiple providers
– The applications are known late in the process
• Java Card is a core enabler for these characteristics
– Clear isolation of applications from untrusted sources
– Possibility to load applications dynamically
Java Card and NFC Certification
• Reference applications are becoming common
– Several key actors in the payment market
– Easiest way to deal with certification
• Also offers possibilities for non-sensitive applications
– Guidelines can be defined for these applications
– Automated tools can be used to analyze these applications
– See ongoing work in GlobalPlatform’s Card Security Workgroup
NFC is Part of the Global Offer
• Sharing some components with other offers
– Payment applications are similar to those used on cards
• Including specific components
– Availability of User Interface can support additional applications
The Reference Open Platform
• The most open platform
– Readily accessible to all developers
– Including JDK, Protection Profile, and more
– Freedom to extend and choose card management options
• Many vertical API’s
– ETSI and 3GPP APIs for STK, SCWS, and much more
– GlobalPlatform API’s for management, NFC, and more
The Reference for Certification
• Common Criteria ready
– Java Card Protection Profile is freely available
– Many certifications around Java Card
• Since 2011, 6 platforms and 11 applications in France alone
• The basis for private certification frameworks
– Platform security requirements from EMVCo
– NFC application security guidelines from AFSCM
Oracle Tools
• Oracle provides tools to Java Card licensees
– Testing and Compatibility Kit (TCK)
– Trimming Tool
• Oracle provides tools to Java Card developers
– Java Card Development Kit (JCDK)
– Netbeans IDE integration
• Oracle provides tools to Java Card issuers
– Java Card Binary Verification Tool
Licensee Tools
• Compliance testing
– Technology Compliance Kit (TCK)
– Thousands of test cases
– Must be run successfully to be allowed to distribute product
• Platform optimization
– Trimming tool
– Determines minimum subset to run an application
– Used to build optimized (closed) implementations
Tools to build platforms
Developer Tools
• Building and deploying applications
– Specific converter to produce CAP files
– Bytecode verifier used in deployment
– Integration in Java code production chain
• Developing applications
– Integration into Netbeans IDE
– Integrated debugging using simulator
Tools to build Java Card applications
Issuer Tools
• Checking the full compliance of platforms
– Java Card Binary Verification Tool
– Runs the TCK on a card
– Simply answers through a “yes/no” flag
– Objective is to check the full compliance of platforms
• Checking the validity of CAP files for a platform
– Java Card Bytecode Verifier
– Delivered with the development toolkit
Tools to check Java Card platforms and applications
Many Actors Ready to Help
• Product development
– Card vendors
– Application developers and consultants
– Security evaluation laboratories
• Product deployment
– Personalization bureaus
– Trusted Service Managers (TSM’s)
• All of this made possible by standardization
Java Card has created a full ecosystem
Q&A