Java Card Security: How Smart Cards and Java Mix

Section 5 -- How Secure Are Smart Cards?
Before we dig into the security implications raised by putting a Java VM on a smart card, we need to address the issue of basic smart card platform security. Smart cards are funny things. Depending on how they're used, smart cards can sometimes be meant to keep secrets from the very people who carry them around and use them. Consider, for example, a smart card that stores monetary value in an internal register. If the card user can figure out a way to change the value of the register outside of traditional means, he or she might be able to mint money! Smart cards like this make tempting targets for bad guys. Because smart cards are often used in security-critical situations, they have undergone a fair amount of scrutiny from security researchers. Two main results are worth considering before we get into security issues specific to Java: 1) the terminal problem, and 2) physical attacks on the card.
The Terminal Problem
Smart cards need a way to interact with their users. Since there is no built-in display capability in most cards, the CAD (card acceptance device) must take on this responsibility. Any display used during critical transactions, such as transferring money, needs to have two properties: the display must be trustworthy, and it must be unspoofable. Making sure a terminal presents proper and trustworthy information to a user is known as the terminal problem. The terminal problem is really a trust issue. How is a card user to be sure that the card is doing what it is supposed to be doing during a transaction? How can a card user check to see whether account balances (for example) have been properly debited or credited? The problem is that cards are very much black boxes.
Many systems now on the drawing board include the use of personal computers as client-side CADs. Consumers will use a PC to interact with the smart card and to address the concerns raised by the terminal problem. The problem is that PCs are notoriously insecure, especially when they're used to exchange lots of documents and programs, as most consumers do. If you use your computer this way, you're taking on a great deal of risk. One direct consequence of PC untrustworthiness is a PC's impotence relative to the terminal problem. If your PC can't be trusted, how can you believe that what it is telling you on behalf of your smart card is correct? In fact, one excellent reason for using smart cards at all is that PCs can't be trusted. The reasoning goes that it is better to store secrets like PINs, sensitive personal data, and private keys on a smart card than on a PC. That way, if the PC is compromised, your secrets can't be so easily stolen. However, this leaves us with the terminal problem.
A scenario can make this more concrete. Imagine that someone has tampered with your Web browser either by hacking into your PC or by tampering with the Web browser executable before you downloaded it. Now clearly you can't trust the browser not to steal or rewrite data on the way from your smart card to you. Some things that might happen are:
1) The smart card requires a PIN before it can be used. Through a browser interface, you are queried for your PIN (which you faithfully enter). The corrupted browser sees the PIN go by and stores it for later illicit use.
2) The PC is used as a listening post in order to carry out capture/replay attacks against the smart card (these kinds of attack often work against cryptographic protocols unless the protocols are carefully designed to address this problem).
3) The PC steals the private key off the smart card and is able to "legally" represent you by digital signature.
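The capture/replay point above, as an added example that is not from the original text: a simulated card and back-end verifier with an untrusted PC relaying and recording the traffic, comparing a static authenticator with a nonce-bound response. The class names, the shared-key model and the HMAC-SHA256 construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    """Simulated card; the key never leaves it (hypothetical model)."""
    def __init__(self, key: bytes):
        self._key = key

    def static_auth(self) -> bytes:
        # Weak design: the same bytes every session, so a recording is reusable.
        return _mac(self._key, b"AUTH")

    def respond(self, challenge: bytes) -> bytes:
        # Replay-resistant design: response is bound to the verifier's nonce.
        return _mac(self._key, b"AUTH" + challenge)

class Verifier:
    """Back-end sharing the card's key (assumed symmetric scheme)."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def check_static(self, token: bytes) -> bool:
        return hmac.compare_digest(token, _mac(self._key, b"AUTH"))

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def check_response(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False                  # unknown or already-used challenge
        self._pending.discard(challenge)  # each challenge is single use
        return hmac.compare_digest(response, _mac(self._key, b"AUTH" + challenge))

def run_exchange() -> dict:
    key = secrets.token_bytes(32)         # constructed sample key
    card, verifier = Card(key), Verifier(key)
    taped = card.static_auth()            # what the relaying PC records
    c1 = verifier.new_challenge()
    r1 = card.respond(c1)                 # also recorded by the PC
    return {
        "static_replay_accepted": verifier.check_static(taped),
        "fresh_response_accepted": verifier.check_response(c1, r1),
        "same_challenge_replay_accepted": verifier.check_response(c1, r1),
        "old_response_new_challenge_accepted":
            verifier.check_response(verifier.new_challenge(), r1),
    }
```

A fresh challenge only stops a recorded response from being reused; it does nothing about a terminal that captures the PIN or misreports what the card is being asked to do.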
What is needed is a trusted display. Some researchers have suggested that PDAs such as 3Com PalmPilots might serve as trusted displays. The idea is that the PDA can interact directly with the user during security-critical operations like PIN input. In fact, the PDA can replace the smart card entirely since it can easily carry out all the required computations. (PDAs are probably too unwieldy for this idea. It's much easier to slide a smart card into your wallet than a PalmPilot.) Unfortunately, there is not much reason to trust a PalmPilot much more than a PC these days. The problem is that newer PalmPilots and other PDAs are designed to network with PCs directly (sometimes even using a TCP/IP stack). That's good news if you want to transfer data to and from your PDA, but it's risky. Just like a PC, a PalmPilot is probably insecure if you frequently download programs onto it. Crackers are currently devising hacks that work against PalmPilots.
In the end, we're stuck with the terminal problem. As smart cards move into more widespread use on PCs, PC-based interfaces will be especially susceptible to this problem. An insecure Windows 95 OS in concert with a Web browser should not be trusted to display critical information to a smart card user. A PDA might do the trick, but is likely to carry similar risks.