Open platform security

Abstract

The Java Card™2.1.1 Runtime Environment (JCRE) Specification [1] describes a secure virtualmachine environment for smart cards that facilitates the post-issuance loading and installation of applets, via an optional “Installer”. The Open Platform (OP) Card Specification [2] provides a robust specification for that installer. It identifies the oncard security features necessary to safeguard the various actors that are involved in a smart card system, including card issuers, application providers as well as cardholders. Such is the nature of information security these days it is necessary to demonstrate the trustworthiness of the OP approach. The Common Criteria (ISO 15408:1999) [3] presents an obvious course of action. A “Protection Profile”, termed OP3 [4] has therefore been produced in order to ensure the benefit of Common Criteria evaluation of the OP installer, and by virtue of specifying the security requirements of the underlying operating system and integrated circuitry, of Java CardTMand the chipcard platform itself. Evaluation will demonstrate that the OP security requirements are correctly implemented and cannot be bypassed, deactivated, corrupted or otherwise circumvented – at least to a given level of confidence (an EAL in Common Criteria terms). This is an amazingly useful first step. However, there are important off-card assets that the smart card does not protect. Common Criteria evaluation does nothing to mitigate the risks to those assets. A Common Criteria evaluation will make assumptions about the environment of the target of evaluation. Evaluation does nothing to validate those assumptions. The assumptions usually concern the compromise of security data held off-card. It therefore makes little sense to rely just on the CC evaluation of just the smart card in order to establish and maintain the security of the overall system. Other steps are necessary. The paper describes what is being done to progress the Common Criteria evaluation of OP and what else is necessary to ensure confidence in the security of the overall system. Researches indicate that Common Criteria evaluation at a modest level of evaluation (e.g. EAL 4) together with an “Information Security Management System” (ISMS), as specified in BS 7799:1999 Part 2 [5] –particularly to address the off-card security issues–reduces the need for smart card evaluation at higher EALs.