TIAN Yu-hong,WANG Ze-bing,FENG Yan

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.24.029

2006-01-01

Abstract:The Java virtual machine(JVM)is used more frequently as the basic engine behind dynamic web services.With the proliferation of network attacks on these network resources,much work are done to provide security for the network environment.Little effort has been placed on securing a Java web server where the attacker has a valid login to the host machine.After describing the vulnerabilities in Java's security mechanisms,an extended security system based on Java 2 security architecture is introduced.It also explains the runtime status of system.The increased assurance of correct system operation and the integrity of Java application server are provided.

Huafeng CHEN,Haibin SHEN,Xiaolang YAN

2008-01-01

Abstract:The design-for-testability structure based on scan-chain often compromises the security of crypto chips.A method to attack certain hardware implementation of elliptic curve cryptography was presented.And an easy but effective secure scan method against the attack was proposed,which would not compromise the security of the chip,while maintaining high fault coverage.By controlling operational mode of the chip,the disability mechanism of scan enable signal was applied.The scan function was disabled when there existed security information in the chip.It solved the problem of secure information disclosure caused by scan chain design.

Liu Songyan,Mao Zhigang,Ye Yizheng

DOI: https://doi.org/10.1007/bf02948841

2000-01-01

Abstract:Java card is a new system for programming smart cards, which is based on the Java language and Virtual Machine. Java card programs (applets)run in Java Card Runtime Environment (JCRE) including the Java Card Virtual Machine (JCVM), the framework, the associated native methods and the API (Application Programming Interface). JCVM is implemented as two separate pieces:off-card VM (Virtual Machine) and on-card VM. The stack model and heap memory structure used by on-card VM and exception handling are introduced. Because there are limited resources within smart card environment, and garbage collection is not supported in JCVM, the preferred way to exception handling does not directly involve the use of throw, although the throw keyword is supported. Security is the most important feature of smart card. The Java card applet security feature is also discussed.

Zhicong Li,Li Ling

DOI: https://doi.org/10.3969/j.issn.1007-757X.2018.04.019

2018-01-01

Abstract:Compared with the traditional Native card,the Java smart card is more open and versatile,and has been widely used abroad.In the field of domestic mobile payment,if Java Card technology is applied,mobile payment can take advantage of its rich functionality and high security to deal with the new requirements emerging from the development of mobile payment industry.The first part of this paper briefly introduces the Java Card platform.The second part discusses the technical architecture of Java Card.Then the third part analyzes the advanced features of the Java Card platform.And the fourth part is about the security of the Java Card platform.The application of Java Card technology in mobile payment field is discussed in the fifth part.

Yanmiao Zhang,Xiaoyu Ji,Yushi Cheng,Wenyuan Xu

DOI: https://doi.org/10.23919/ChiCC.2019.8866144

2019-01-01

Abstract:As a modern power transmission network, smart grid connects abundant terminal devices and plays an important role in our daily life. However, along with its growth are the security threats. Different from the separated environment previously, an adversary nowadays can destroy the power system by attacking its terminal devices. As a result, it's critical to ensure the security and safety of terminal devices. To achieve it, detecting the pre-existing vulnerabilities in the terminal program and enhancing its security, are of great importance and necessity. In this paper. we introduce Cker, a novel vulnerability detection tool for smart grid devices, which generates an program model based on device sources and sets rules to perform model checking. We utilize the static analysis to extract necessary information and build corresponding program models. By further checking the model with pre-defined vulnerability patterns, we achieve security detection and error reporting. The evaluation results demonstrate that our method can effectively detect vulnerabilities in smart devices with an acceptable accuracy and false positive rate. In addition, as Cker is realized by pure python. it can be easily scaled to other platforms.

Kai Sun

2002-01-01

Abstract:In current mobile agent systems, the research of protecting a host from possibly malicious mobile agents has made great progress, but reverse problem, namely protecting the agent from malicious hosts has not. This paper puts forward a scheme that uses JavaCard to provide a secure execution environment. First, attack of agent is analyzed. Then the detailed solution based on JavaCard is given.

Guillaume Bouffard,Jean-Louis Lanet

DOI: https://doi.org/10.1007/s11416-014-0218-7

2014-07-05

Journal of Computer Virology and Hacking Techniques

Abstract:Attacks on smart cards can only be based on a black box approach where the code of cryptographic primitives and operating system are not accessible. To perform hardware or software attacks, a white box approach providing access to the binary code is more efficient. In this paper, we propose a methodology to discover the romized code whose access is protected by the virtual machine. It uses a hooked code in an indirection table. We gained access to the real processor, thus allowing us to run a shell code written in 8051 assembly language. As a result, this code has been able to dump completely the ROM of a Java Card operating system. One of the issues is the possibility to reverse the cryptographic algorithm and all the embedded countermeasures. Finally, our attack is evaluated on different cards from distinct manufacturers.

王海军,李明禄,李钢江

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.z1.246

2004-01-01

Abstract:This paper describes the implementation process of Java Card which SUN presented in the development application of smart card. Architecture of Java card are put forward. Communication protocols of Java card and some Java card API to the lower level design and security of Java card are presented. Some implementations of Elliptic Curve Cryptography (ECC) algorithm with constrained computational power consumption and memory resources,compared to RSA algorithm, are given.

Guillaume Bouffard,Vincent Giraud,Léo Gaspard

DOI: https://doi.org/10.48550/arXiv.2110.10037

2021-10-19

Cryptography and Security

Abstract:The Java Card Virtual Machine (JCVM) platform is widely deployed on security-oriented components. JCVM implementations are mainly evaluated under security schemes. However, existing implementation are close-source without detail. We believe studying how to design JCVM will improve them and it can be reused by the community to improve Java Card security. In 2018, Bouffard et al. [6] introduced an Operating System (OS) which aims at running JCVM compatible implementation. This OS is compatible with several Commercially available Off-The-Shelf (COTS) components. This is a first step to design a secure JCVM platform. However, some important details are missing to design a secure-oriented Java Card platform. In this article, we focus on the JCVM memory. This memory contains everything required to run JCVM and applets. Currently, JCVM memory is out of the Java Card specification and each JCVM developer use his own approach. Based on the existing tools and documentation, we explain how to extract from the Java Card toolchain every data required by applets and JCVM. When data to store in memory are identified, this article introduces how to organize required data onto JCVM memory.

李莹,殷中科,曹晓,邓水光

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.03.002

2012-01-01

Abstract:The security performance of the Schnorr signature protocol for JavaCard was analyzed in order to enhance security and improve the efficiency. A linear cryptanalysis scheme based on key-recovery attack against the signature protocol was presented, and the feasibility of the attacking method was proved by a case of successful attack. On this basis, a notion of security preprocessing was proposed, which is a linear detection based scheme. The linear detection random numbers and corresponding variables were stored in the special areas of JavaCard. This approach can avoid generation of random number and the complexity modular exponentiation when the digital signature is created in card. Security performance analysis result shows that the proposed scheme not only can promote the operation speed effectively with the same hardware platform and cryptography intensity, but also avoids a type of linear cryptanalysis.

Kun Gu,Liji Wu,Xiangyu Li,Xiangxin Zhang

DOI: https://doi.org/10.1109/cis.2011.149

2011-01-01

Abstract:Information security is very important for the smart cards. Electromagnetic analysis (EMA) attack is a common method of side channel attacks which is a serious threat for the security of smart cards. So it is necessary to build a system to estimate the ability of the smart card to resist EMA attack. In this paper, an automatic EMA system for smart cards is designed and implemented. This system can measuring the electromagnetic field of smart card and can also carry out EMA attack. To verify the effectiveness of this system, an EMA attack was successfully carried out by it on a FPGA which 3DES cryptographic algorithm was loaded and implemented. 3DES is widely used in bank IC card and USB key. It is important to make sure of the safety of these financial IC cards. The experimental results showed that the applicable electromagnetic field signal can be traced to estimate the ability of the security device to resist EMA attack.

李增智,李钢,韩冬,王志文

DOI: https://doi.org/10.3969/j.issn.1002-137X.2001.07.004

2001-01-01

Computer Science

Abstract:Smart card is currently a popular embedded device,but it has some drawbacks. On the other hand, Java's reliability,cross platform support,and many other advantages make it fit into embedded systems. The paper discusses every aspect of JavaCard,the combination of smart card and Java technology,form which,we can conclude Java has great applied potential in embedded devices.

Wang Feiyu,Li Xiangyu,Wu Liji,Zhang Xiangmin

DOI: https://doi.org/10.16526/j.cnki.11-4762/tp.2012.09.032

2012-01-01

Abstract:In order to enhance the security of contact smartcards,an embedded system for practical security analysis which is an opening programming platform for generating trigger signals of the chip is designed.Detail design of the embedded system is presented,and the design of contact smartcards interface circuit,card reader interface circuit and the control module are described particularly.This design can be used to communicate with smartcards or card reader,at the same time implementing Man-in-the-MiddleAttack,generating trigger signals for Side-Channel attack or disturbing power supply or clock of the smartcards.Furthermore,it can test and verify the chip design of contact smartcards by FPGA.The result shows us it is not only flexibility,low cost and high efficiency,but also utilized in many fields such as Side-Channel attack,fault attack and security testing in cryptographic chip.

沈炜,陈纯

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.01.019

2002-01-01

Abstract:As a kind of low cost device of tamper resistance, the smart card has been used for many purposes. But, a number of techniques for attacking smart cards are also known and they show that building secure and effective issuing architecture is much harder than it looks. In this paper, we analyze trust relationship among entities in issuing architecture and classify possible attacks. Furthermore a set of protocols have been presented and on the basis of them, a secure scheme is given.

Jinghao Zhao,Boxiao Ding,Yunqi Guo,Zhaowei Tan,Songwu Lu

DOI: https://doi.org/10.1145/3447993.3483254

2021-01-01

Abstract:The SIM/eSIM card stores critical information for a mobile user to access the 4G/5G network. In this work, we uncover three vulnerabilities of the current SIM practice. We show that the PIN-based access control may expose the in-SIM data to an adversary through both hardware and software. Once exposed, such in-SIM information can be used to reconstruct various keys used for device authentication, data encryption, etc. They thus enable a number of attacks, including traffic eavesdropping, man-in-the-middle attack, impersonation, etc. The fundamental problem is that, the current SIM design does not offer proper authentication and fine-grained access control to hundreds of in-SIM files for various in-card applets and off-card units. We next propose a new solution that offers both authentication and fine-grained access control. Our implementation and evaluation have confirmed the viability of our proposal.

Mei Hong,Hui Guo,Bin Luo

DOI: https://doi.org/10.1109/FGCN.2008.25

2008-01-01

Abstract:A multi-service smart card system enables users to access different services over an open network with a single smart card. Due to its highly economic and social benefits, the multi-service smart card system has drawn much attention in industrial and academic areas. However, the big hindrance to its wide employment is the risk of breaching user service confidentiality and privacy across different service systems. This paper proposes a secure multi-service system model to overcome such a problem. The model allows users to access different services with a single password. The privacy and service confidentiality are achieved through a set of protections-password protection, user identity protection, and service transaction protection-to guarantee the user¿s anonymity to all service systems and ensure high unlinkability between different services.

Jun Guo,Liji Wu,Xiangmin Zhang,Xiangyu Li

DOI: https://doi.org/10.1109/cis.2012.150

2012-01-01

Abstract:Fault attack is a kind of attack that the attacker injects faults into the hardware and the secret key is likely to be revealed. The paper will describe a fault attack platform for smart card. This platform includes PC terminal serial console software, smart card interface circuits, and smart card reader fault attack circuits. Then the fault platform could communicate with the contact smart card or the smart card reader by complying with the protocol of ISO/IEC 7816. Using this fault platform, we can inject any glitches on power and clock when the smart card is running the encryption command. And then the fault attack platform can send wrong ciphertext to the PC terminal console software through by serial port. We can analyze the fault data by MATLAB or software programming to crack the key of the smart card. So, the security of smart card could be verified. The glitch of voltage range could be from 0v to 5v. And the scope of clock frequency can be from 1HZ to 50 MHZ.

冯志兴,李建华,王轶俊

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.03.024

2009-01-01

Abstract:The inherent security of IC card is one of the main driving forces of the EMV migration abroad and the PBOC2.0 financial IC card migration at home.The paper discusses the four major parts of the security certification system IC card data authentication,cardholder identification,message security and transaction authentication,and ana-lyzes the security of this certification system.

Ming-Yang Chih,Jie-Ren Shih,Bo-Yin Yang,Jin-Tai Ding,Chen-Mou Cheng

2010-01-01

Abstract:MIFARE Classic is a proprietary contactless smart card technology widely used in public transportation ticketing systems of cities across the world. MIFARE Classic's cryptographic protection to the stored data has been reverse-engineered and broken in a recent series of papers. In this paper, we report our experience attacking a real MIFARE Classic system. Specifically, we have implemented a brute-force search using NVIDIA graphics cards to verify the claims in the literature. Moreover, we have achieved a tremendous improvement over an existing sniffer-based attack that takes advantage of other design and implementation flaws of CRYPTO-1, MIFARE Classic's proprietary cipher. To our best knowledge, this is the first report in the literature of a practical long-range attack. These attacks disarm all cryptographic protection of MIFARE Classic, making it extremely difficult to secure transactions. Lastly, we take up the challenge and present our ideas how to defend against most attacks using practical mechanisms that do not require any hardware changes. Our proposed mechanisms can be easily implemented on a variety of MIFARE Classic readers on the market and only require commodity PCs be used in the backend system with intermittent network connectivity.