The Java Card platform provides programmers with API classes that act as containers for cryptographic keys and PIN codes. This paper presents a first systematic evaluation of the security that these containers provide against logical attacks, for a number of cards from different manufacturers. Most cards we investigated do not appear to implement any integrity and confidentiality protection for these containers. For the cards that do, this paper presents new logical attacks that bypass these security measures. In particular, we show that the encryption of keys and PINs by the platform can be defeated using decryption functionality that the platform itself offers, so that logical attacks can still retrieve plaintext keys and PINs. We also investigate the possibilities for type confusion to access the global APDU buffer and the presence of undocumented bytecode instructions.
Citation
Volokitin, S., & Poll, E. (2017). Logical attacks on secured containers of the Java Card platform. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10146 LNCS, pp. 122–136). Springer Verlag. https://doi.org/10.1007/978-3-319-54669-8_8