Smart Cards a(s) Safety Critical Systems



Similar documents
Smart Card Technology Capabilities

Java Card. Smartcards. Demos. . p.1/30

JavaCard. Java Card - old vs new

Measurement and Analysis Introduction of ISO7816 (Smart Card)

Java Card TM Open Platform for Smart Cards

Smart Card. Smart Card applications

Chytré karty opět o rok dál...

Lesson-3 CASE STUDY OF AN EMBEDDED SYSTEM FOR SMART CARD

RVS Seminar Deployment and Performance Analysis of JavaCards in a Heterogenous Environment. Carolin Latze University of Berne

Study of Java Card and its Application 1 Nainesh Rawani, 2 Akhil Patel

Smart Card Application Development Using the Java Card Technology

Java and Real Time Storage Applications

CHAPTER 5 SMART CARD TECHNOLOGY

JCAT. Java Card TM. An environment for attack and test on. Serge Chaumette, Iban Hatchondo, Damien Sauveron CCCT 03 & ISAS 03

Smart Card Evolution

Gemalto Mifare 1K Datasheet

An evaluation of the Java Card environment

Chapter 3: Operating-System Structures. Common System Components

picojava TM : A Hardware Implementation of the Java Virtual Machine

Smart Card Security Access Modules in VeriFone Omni 3350 Countertop and Omni 3600 Portable Terminals

Smart Tiger STARCHIP SMART TIGER PAYMENT PRODUCT LINE. Payment. STiger SDA. STiger DDA. STiger DUAL

8051 MICROCONTROLLER COURSE

Smart Card Based User Authentication

Chapter 3: Operating-System Structures. System Components Operating System Services System Calls System Programs System Structure Virtual Machines

Developing a new Protection Profile for (U)SIM UICC platforms. ICCC 2008, Korea, Jiju Septembre 2008 JP.Wary/M.Eznack/C.Loiseaux/R.

Fastboot Techniques for x86 Architectures. Marcus Bortel Field Application Engineer QNX Software Systems

Mobile Application Languages XML, Java, J2ME and JavaCard Lesson 04 Java

Embedded Software development Process and Tools: Lesson-4 Linking and Locating Software

Chapter 3 Operating-System Structures

jcardsim Java Card is simple!

CS 3530 Operating Systems. L02 OS Intro Part 1 Dr. Ken Hoganson

Java Card Protection Profile Open Configuration

Dolphin In-Circuit programming Updating Firmware in the field

Smart Cards and their Operating Systems

Computers. Hardware. The Central Processing Unit (CPU) CMPT 125: Lecture 1: Understanding the Computer

Fachbereich Informatik und Elektrotechnik SunSPOT. Ubiquitous Computing. Ubiquitous Computing, Helmut Dispert

CGI-based applications for distributed embedded systems for monitoring temperature and humidity

From Control Loops to Software

System Structures. Services Interface Structure

M2M For industrial and automotive

An Oracle White Paper July Oracle Primavera Contract Management, Business Intelligence Publisher Edition-Sizing Guide

Security & Chip Card ICs SLE 44R35S / Mifare

The Java Virtual Machine and Mobile Devices. John Buford, Ph.D. Oct 2003 Presented to Gordon College CS 311

Lesson 10:DESIGN PROCESS EXAMPLES Automatic Chocolate vending machine, smart card and digital camera

Hardware/Software Co-Design of a Java Virtual Machine

Introducing etoken. What is etoken?

MDG. MULTOS Developer's Guide. MAO-DOC-TEC-005 v MAOSCO Limited. MULTOS is a registered trademark of MULTOS Limited.

3GPP TSG SA WG3 Security S3#30 S October 2003 Povoa de Varzim, Portugal. Abstract

Module 2. Embedded Processors and Memory. Version 2 EE IIT, Kharagpur 1

The OpenEapSmartcard platform. Pr Pascal Urien ENST Paris

STM32JAVA. Embedded Java Solutions for STM32

Effective Java Programming. efficient software development

Chapter 12. Development Tools for Microcontroller Applications

2.0 Command and Data Handling Subsystem

The Technology Is Ready. Philip Andreae Philip Andreae & Associates

Enterprise Manager Performance Tips

Code Generation for High-Assurance Java Card Applets

ASSEMBLY PROGRAMMING ON A VIRTUAL COMPUTER

S and STEP 7 Basic V10.5

2 Introduction to Java. Introduction to Programming 1 1

Mobile Cloud Computing

CICS Transactions Measurement with no Pain

Procedure: You can find the problem sheet on Drive D: of the lab PCs. Part 1: Router & Switch

ADVANCED PROCESSOR ARCHITECTURES AND MEMORY ORGANISATION Lesson-17: Memory organisation, and types of memory

Classification of Smart Card Operating Systems

Antonio Kung, Trialog. HIJA technical coordinator. Scott Hansen, The Open Group. HIJA coordinator

A Survey on ARM Cortex A Processors. Wei Wang Tanima Dey

PUF Physical Unclonable Functions

Freescale Semiconductor, I

Resource Utilization of Middleware Components in Embedded Systems

Mobile Operating Systems. Week I

Maintain Fleet Management Solutions Using Wide Area Wireless Technology

DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING Question Bank Subject Name: EC Microprocessor & Microcontroller Year/Sem : II/IV

JPURE - A PURIFIED JAVA EXECUTION ENVIRONMENT FOR CONTROLLER NETWORKS 1

What is a Smart Card?

Systems Software. Introduction to Information System Components. Chapter 1 Part 2 of 4 CA M S Mehta, FCA

Agent Languages. Overview. Requirements. Java. Tcl/Tk. Telescript. Evaluation. Artificial Intelligence Intelligent Agents

Machine Architecture and Number Systems. Major Computer Components. Schematic Diagram of a Computer. The CPU. The Bus. Main Memory.

Develop a Dallas 1-Wire Master Using the Z8F1680 Series of MCUs

11.1 inspectit inspectit

Best Practises for LabVIEW FPGA Design Flow. uk.ni.com ireland.ni.com

Chapter 4 System Unit Components. Discovering Computers Your Interactive Guide to the Digital World

Chapter 2 System Structures

Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications

Smart Card APDU Analysis

Single channel data transceiver module WIZ2-434

Driving force. What future software needs. Potential research topics

Building Applications Using Micro Focus COBOL

Memory Systems. Static Random Access Memory (SRAM) Cell

Technical Article. NFiC: a new, economical way to make a device NFC-compliant. Prashant Dekate

Digitale Signalverarbeitung mit FPGA (DSF) Soft Core Prozessor NIOS II Stand Mai Jens Onno Krah

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

advant advanced contactless smart card system

How To Use A Smart Card For A Multi-User Communication

Embedded Java & Secure Element for high security in IoT systems

Transcription:

Smart Cards a(s) Safety Critical Systems Gemplus Labs Pierre.Paradinas Paradinas@gemplus.com

Agenda Smart Card Technologies Java Card TM Smart Card a specific domain Card Life cycle Our Technical and Business constraints FM and safety card development

Historical account 1967: First idea on the use of electronic component in credit card (Europe, US, Japan). 1974: Roland Morenos patents 1979: First Bull CP8 card prototype 1982-1984: 1984: First experimentation in France 1987-1989: 1989: ISO standard 1990-1999: 1999: Applications French Carte Bleue for banking European mobile phone with GSM/SIM cards Health insurance, e-purse, 1997: First Java based open card

Smart Cards Standards (1/2) ISO 7816-1 Physical characteristic, constraints, size ISO 7816-2 Dimension and location of the contacts ISO 7816-3 Electric signal and transmission protocols Card Answer to Reset: information about card characteristic T=0; T=1

Smart Cards Standards (2/2) ISO 7816-4 Structure of the exchanged messages of command - response APDU Application Protocol Data Unit. ISO 7816-5 Application identifiers ISO 7816-6 Data element of interchange ETSI GSM 11.1: Command messages for SIM cards EMV: Command messages for payment cards JC 2.1...

Different Kind of Cards Memory cards A simple memory without a processor Data card contains data burned in read only memory Token card: one bit in memory = one token (phone card) Memory cards with logic Token card with electronic control to enhance security Microprocessors cards (smart cards) Microprocessors cards (smart cards) A module includes a processor with RAM, ROM and EEPROM, the COS and the application.

Smart card modules Power and clock provided by the reader Chip hidden under the contacts into a glue Single chip (w/o a cryptographic-processor) processor) Security features address line scrambled physical sensors others... Vcc Reset Clk Gnd I/O Component Epoxy Antenna Plastic Contacts

Smart Card Microcontrollers Microcontrollers 8 bit for low cost application 16/32 bit will be used Limited resources ROM 8 to 64 kb; contain the burned OS RAM 256 to 2 kb; fast and volatile, used as working memory EEPROM 2 to 64 kb; used as memory storage, slow and subject to wear (anti stress mechanism). Only one communication line (half duplex)

Small Software Some thousand lines: tractable with the current tools, Only sequential code, Limited number of features, Public domain specification (Java Card), Reactive system with one I/O line, Assembly and C are used.

Motivations of Open Card Applications are developed by the card provider in a secure environment, Drawbacks: time consuming costly poor flexibility time to market Responses Operating System + Application Chip Commands

Open Cards... Applications developed by the customer or any application provider, Dynamically downloaded through a network Downloadable applications Data Responses Commands Instructions Secure Virtual Machine Operating System Chip

Introduction to the Java card The Java Card The JVM architecture The security procedures

What is a Java card? The Java Card a smart card dedicated to Java applications a platform with highly limited resources a dedicated Java language a multi-application device a specific Java Virtual Machine (JVM) architecture.

A subset of Java A single thread virtual machine Unsupported features Dynamic class loading String and Thread classes Double, float, char types multiple dimension arrays java.lang.system class Garbage collection Security manager The Applet Firewall Programming limitations

The JVM architecture Developer property Developer Java compiler property Applet provider Applet Bytecode provider verifier Bytecode converter Java card features Java Card card loader features Linker Runtime firewall Java Compiler Bytecode verifier Bytecode converter Loader Linker Firewall

Java Card Environment Code source Java Class File Java Java Compiler Bytecode verifier and Converter *.java On Card Dynamic Security *.class Firewall Java Card Files Off Card Linker Loader First static *.cap Other embedded security tests Static checks and resolutions

Java Card Security Chain Applet.java.class.cap Verifier Sign/Enc Loader Virtual Machine Java Card Applet Applet Applet OP CM JC API JVM OS Chip Loader Linker

Java Card Security Chain Applet Security Policy Java Card Applet Applet Applet OP CM JC API JVM OS Chip Verifier Sign/Enc Loader Loader Linker Virtual Machine Platform Security

...and the sharing mechanism The Java Card specification provides a mechanism to share data between several applets, For example: a purse and a loyalty applet can share methods and/or objects, Due to the limited resources of the smart cards new services or libraries will be offered. A share with B a method B share with C a method Purse Applet Log Log.getTransaction Applet Provider A Loyalty Applet Buffer Buffer.reSell resell Applet Provider B JCRE Hostile Applet Buffer Applet Provider C

Two security levels Applications are no more developed under card issuer control, Platform security Traditional means, Use of formal methods. => Models of the platform security modules Application security There is a need for a global security policy Flow control (data and/or code sharing) Resources consumption (memory, CPU, method calls...) => Static analysis of applet configurations (part of the CMS)

Smart card a specific domain? Short development cycle Short life time Mass product, million of smart cards A specific life cycle

Smart Card Lifetime (1/2) Manufacturing Application masked in the ROM OS libraries and command dispatcher, Application routines. Card serial number and issuer references Initialisation Writing in EEPROM application data Secret key and object attributes (r,w,rw,...) Personalisation Writing in EEPROM card holder data Graphical (picture, logo, hologram )

Usage End Smart Card Lifetime (2/2) Process APDU command from a reader Send back a response APDU or an error APDU For open card only: application downloading Deactivation (unauthorized action), memory overhead, loss, theft, Smart Card domain is different from the traditional formal methods application domain

External constraints Certification need National rules (e.g. German and Hungarian market) Required by customers Certification requirements Common Criteria EAL5, ITSEC E-4, Security policy modeling (SPM), proof of the coherence, Semi formal correspondence between SPM and HLD Higher level EAL 7 Proof of the high level and detailed design. Proof of the implementation of the security policy by the security functions Specific customer requests

Internal constraints Specifications become more complex Increasing number of functionality related with the memory size increasing, Complexity of the new OS based on virtual machine. Gemplus masters traditional OS development But... OS qualification is very costly, And FM can reduce development cycle by automatically generating the test suites.

The killer application for FM? It seems that smart card domain is the ideal field where FM can be applied (reasonable size), Potential benefit seems to be interesting.

Formal Methods and Smart Cards Java Card Verifier using a Model Checker [Posegga[ Posegga], They transform each method of an applet into a state transition system (SMV), They propose an abstraction (type), The state is given by the virtual machine state Security properties as temporal formulae are verified with the model checker

Formal Methods and Smart Cards And more recent works... : Proof of a verifier using Coq on the [F&M] subset of the byte code [Bertot], Kestrel Institute [Qian], Modelling of a large subset of the Java Card Byte Code in B [Gemplus], Isabelle [Nipkow] and Coq [Jakubietz], The Loop project at Niemegen University [Poll],...and others...

... BUT difficult to put in practice Economic constraint: the smart card is a mass product No development overhead is admissible (except the certification process) Development process constraints: The software must be provided to the chip manufacturer within a given deadline, Very small life time, Highly optimised software.

What is missing Lack of metrics with formal developments Imprecise industrial reports on formal developments, Difficulties to predict time development, Hard to estimate the cost. Methodology Modelling and proving are not common activities, Links between semi formal and formal specification. Tool improvements Tool improvements Code generator (C and BC Java)

Gemplus works in progress EC funded Projects Verificard: improve the safety of both the JavaCard platform and Java Card applications, using formal methods Matisse: methodology and metrics (MATISSE) to use FM in an industrial context French funded Project French funded Project BOM: provide tools (Code generator)