building a trusted gateway with java me and a secure...
TRANSCRIPT
![Page 1: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/1.jpg)
Building a Trusted Gateway with Java ME and a Secure Element
Pierre Girard, Security Solution ExpertSan-Francisco, October 27, 2015
CON9758
![Page 2: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/2.jpg)
Agenda
Gemalto introduction
Bringing Trust to M2M with Secure Elements
The Trusted gateway use case
Developing the building block with Java ME and Java Card
Building a Trusted Gateway2
![Page 3: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/3.jpg)
Our purpose
Building a Trusted Gateway3
We enable our clients to bringtrusted and convenient digital services
to billions of people
![Page 4: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/4.jpg)
We are the world leader in digital security
Building a Trusted Gateway4
WE’RE UNIQUE. WE’RE GLOBAL. WE’RE INNOVATIVE
2,900R&D ENGINEERS
114NEW PATENTSFILED IN 2014
180+COUNTRIES WHEREOUR CLIENTS ARE
BASED
14,000+EMPLOYEES
116NATIONALITIES OFOUR EMPLOYEES
€2.5bn2014 REVENUE
+2bnEND USERS
BENEFIT FROMOUR SOLUTIONS
![Page 5: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/5.jpg)
Digital security enables trusted interactions
Building a Trusted Gateway5
PEOPLEwho want to access
any service, withany device – and need
to use a digital ID.
SERVICE PROVIDERSwho need to check the IDis valid – and to manage and protect the datain their care.
![Page 6: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/6.jpg)
Ensuring strong identities andsecuring datafrom the edgeto the core
We secure and manage the entire trust chain
Building a Trusted Gateway6
![Page 7: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/7.jpg)
Our seamless chain of software, products, platformsand services
Building a Trusted Gateway7
![Page 8: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/8.jpg)
SoftwareVendors
Government
Enterprise
Internet ofThings
Financial Services& Retail
Our securesolutions
We enable our clients to deliver secure digital services in mobile
identity, payment, online banking, cloud access, transport ticketing,eGovernment, vehicle telematics,
software monetizationand so on.
Mobile
We enable our clients to deliver a vast range of services
Building a Trusted Gateway8
Transport
![Page 9: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/9.jpg)
Building a Trusted Gateway9
30,000+ENTERPRISES
450MOBILE
OPERATORS
3000+FINANCIAL
INSTITUTIONS
80+eGOVERNMENT
PROGRAMS
Our clients are some of the world’s big brands
![Page 10: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/10.jpg)
Agenda
Gemalto introduction
Bringing Trust to M2M with Secure Elements
The Trusted gateway use case
Developing the building block with Java ME and Java Card
Building a Trusted Gateway10
![Page 11: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/11.jpg)
Typical M2M domains with high security requirements
Building a Trusted Gateway11
M2M : the raise of the connected machinesSubject to traditional Internet security concerns+ massive deployments+ run unmanned, in the field, 24x7 ...+ long lifecycle
Most sensitive domains
Connected cars Smart energy e-health Smart home
![Page 12: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/12.jpg)
Why do we need trust ?
12
Management of sensitive devicesCar engine, PV arrays, heat pump, home door, …
Management of sensitive transactionsEnergy: (not) producing, (not) consuming, storing …X as a Service: mobility, temperature …Peer-to-peer transactions
Management of sensitive dataLocation / presence, behavior / consumption patterns, live video / sound streaming, …
Building a Trusted Gateway
![Page 13: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/13.jpg)
Trust relationships
13
Consumer
Service provider
Platform provider
The consumer is not cheating on
his service usage
The service provider is protecting my
data
The service is not hurting my platform
My service assets are protected by
the platform
Building a Trusted Gateway
![Page 14: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/14.jpg)
A gateway template
14
Servicesmanagement
API
Ser
vice
Ser
vice
Ser
vice
Platform
Service framework
OS / hardware layer
Frameworkcommon services
WAN
LANServicesmanagement
API
Serv
ice
Serv
ice
Serv
ice
Secure element
Service framework
OS / hardware layer
Frameworkcommon services
Services isolation
Services communicationPolicies, permissions,
users, authentication, crypto…
Code integrity, secure boot
Secure com.
Secure com.
Tamper resistantexecution environment
Building a Trusted Gateway
![Page 15: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/15.jpg)
Software security Hardware security
Protected environmentTrusted usersDirect access to data
Unprotected environmentNon trusted usersNo direct access to data Tamper resistant devices
15 Building a Trusted Gateway
![Page 16: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/16.jpg)
CPU
EEPROM RO
M
RA
M
Tamper resistance at chip level
ShieldGlue logicNo Buses visibleMemories and buses encryptionSensors
Blocks can be easily identifiedNo shieldNo glue logicBuses clearly visible
16 Building a Trusted Gateway
![Page 17: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/17.jpg)
HW architecture of a Secure Element
Building a Trusted Gateway17
ROM
EEPROM
RAM
CPU
Crypto
UART
ISO7816SPI…
Host
SE
6 x 5 mm
![Page 18: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/18.jpg)
SW Architecture of a Secure Element
Building a Trusted Gateway18
Java Card VM
Operating System
Java Card API
Applet 1
Applet 2
Global P
latform
APDU
Secure Element
Host
CPU
![Page 19: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/19.jpg)
Example of a SE product
Building a Trusted Gateway19
Java Card VM
Operating System
Java Card API 3.0.1
PAC
E
IAS
4.2
Global P
latformSecure Element
Infineon SLE78
TLS 1.2 supportData signature / verificationData encryption / decryptionCertificates storage
RSA 4096AES 256SHA 512ECC 521
![Page 20: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/20.jpg)
ISO7816-4 communication
Building a Trusted Gateway20
Example: CLA INS P1 P2 LeA0 B0 xx yy Le
P1, P2 : specify the data to be retrievedLe : length of data to retrieve
READ BINARY (P1,P2,Le)
Data, SW1, SW2Host
![Page 21: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/21.jpg)
Integration in Java embedded
Building a Trusted Gateway21
Raspberry Pi
Java Card VM
Operating System
Java Card API 3.0.1
PAC
E
IAS
4.2
Global P
latform
Secure Element
Infineon SLE78
PC/SC lite
Raspbian
PKCS#11
APDU
PKCS#11 crypto provider
Java 8 embedded API
App
![Page 22: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/22.jpg)
Some actual crypto providers
Building a Trusted Gateway22
Java crypto frameworkAPI
SPI
TLSv1.2…
AESRSA…
SunJSSE SunJCE
ECDSA…
SunEC
App
ECDSARSAPKCS11…
JNIPKCS#11
SunPKCS11
JKS…
Sun
![Page 23: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/23.jpg)
Instantiating the Secure Element provider
Building a Trusted Gateway23
// PKCS#11 configuration file for the Secure Elementprivate static final String PKCS11_CONFIG = "/home/pi/NetBeansProjects/TestPKCS11onPi/dist/GemaltoPKCS11.cfg";
// Create a PKCS#11 cryptographic provider which uses the Secure ElementProvider myPKCS11Provider = new sun.security.pkcs11.SunPKCS11(PKCS11_CONFIG);
// The PIN code protecting the Security Elementchar [] myPIN = {'0','0','0','0'};
// Create a KeyStore corresponding to the Secure ElementKeyStore.PasswordProtection pinProtection = new KeyStore.PasswordProtection(myPIN);KeyStore.Builder ksb = KeyStore.Builder.newInstance("PKCS11", myPKCS11Provider, pinProtection);KeyStore ks = ksb.getKeyStore();
// Add the SE as a cryptographic provider (useful when it is not possible to pass a provider explicitly)Security.addProvider(myPKCS11Provider);…
![Page 24: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/24.jpg)
Switching to hardware security is easy: EC signature
Building a Trusted Gateway24
Signing with software provider
char [] myPassword = {'1','2','3','4'};
// Let's sign a messageString s1 = "Les hommes naissent et demeurent libres et égaux en droits.";
// We sign with ECDSASignature ecSign = Signature.getInstance("SHA256withECDSA");
// Retreive the signature key in keystore by it’s aliasPrivateKey privKey = (PrivateKey) ks.getKey("SignKey", myPassword);
// And we sign !ecSign.initSign(privKey);ecSign.update(s1.getBytes());byte[] signature = ecSignCard.sign();
![Page 25: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/25.jpg)
Switching to hardware security is easy: EC signature
Building a Trusted Gateway25
Signing with Secure Element provider
char [] myPIN = {'0','0','0','0'};
// Let's sign a messageString s1 = "Les hommes naissent et demeurent libres et égaux en droits.";
// We sign with ECDSASignature ecSign = Signature.getInstance("SHA256withECDSA", myPKCS11Provider);
// Retreive the signature key in keystore by it’s aliasPrivateKey privKey = (PrivateKey) ks.getKey("SignKey", myPIN);
// And we sign !ecSign.initSign(privKey);ecSign.update(s1.getBytes());byte[] signature = ecSignCard.sign();
![Page 26: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/26.jpg)
Building a Trusted Gateway26
How about Java ME ?
![Page 27: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/27.jpg)
Agenda
Building a Trusted Gateway27
Gemalto introduction
Bringing trust to M2M with Secure Elements
The trusted gateway use case
Developing the building block with Java ME and Java Card
![Page 28: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/28.jpg)
Use case: connected home / alarm gateway
Building a Trusted Gateway28
Multiple industries are fighting to become the connected hub in the home: example in US
Alarm System
MNO Broadband
Home Automation
Increased volumes and
adoptionwill increase
attractiveness of hacking
![Page 29: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/29.jpg)
Risks in today’s devices
Building a Trusted Gateway29
Lack of strong authentication of the device
Fake devices can be introduced in the system and interact with Service provider backend
Basic ID Diversity scheme can be uncovered through brute force or social engineering
Data is typically not strongly encrypted / authenticated
Lack of Hardware tamper resistance will allow motivated hackers to enter the system either locally or remote
![Page 30: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/30.jpg)
Secure Element added value in the gateway
Building a Trusted Gateway30
Tamper resistancePersonalization unique to each device: strong authentication of the field devices to the serverClient authentication of the WAN client to the backendStrong applicative encryption portable on various short range technologies
![Page 31: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/31.jpg)
Demo viewHome GatewayAlarm Panel
SensorlogicPlatform
Lamp via smart plug
Power measure
Xbeetemp
and light Sensor
Smart plugOn/offpower
measure
Zigbee
1 AlarmSensors
2 Short range home automation devices3 Activity reported on Sensorlogic platformAlarm Sensor StatusHome automation Status
CleodZigbeeremote
Cellular TLS link
Zigbee Secured Link
Building a Trusted Gateway31
![Page 32: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/32.jpg)
Hardware set-up for fast prototyping
Building a Trusted Gateway32
Gemalto concept board • 2G/3G wireless module, Java ME• Arduino compatible extension
Arduino XBee• ZigBee
SE shield• DIL prototypes• SPI communication
![Page 33: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/33.jpg)
Using SE for TLS client authentication
Building a Trusted Gateway33
Java Card VMOperating System
Java Card API 3.0
applet
Global
Platform
Secure Element
CPUAPDU over SPI
Bouncy castle TLS stack
JSR#177 APDU API
SL agentTLS
![Page 34: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/34.jpg)
34
TLS handshake
RSA key pair for client authentication
Building a Trusted Gateway
![Page 35: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/35.jpg)
Agenda
Building a Trusted Gateway35
Gemalto introduction
Bringing trust to M2M with Secure Elements
The trusted gateway use case
Developing the building block with Java ME and Java Card
![Page 36: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/36.jpg)
Developing the missing parts
Building a Trusted Gateway36
Generate the signature on the SEStandard applets are available, but let’s build a demo one
Communication with the Secure ElementProvide JSR#177 standard library for APDU communication
Extension of Bouncy Castle to support an SENative Java ME TLS stack cannot use the SE
![Page 37: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/37.jpg)
A simple Java Card applet for signing demo
Building a Trusted Gateway37
![Page 38: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/38.jpg)
A simple Java Card applet for signing demo
Building a Trusted Gateway38
public void process(APDU apdu) {
// get the APDU bufferbyte[] apduBuffer = apdu.getBuffer();
switch (apduBuffer[ISO7816.OFFSET_INS]) {
// Sign raw RSAcase 0x03:
// P1, P2 and Lc checks here
// Receive the dataapdu.setIncomingAndReceive();
try {rsa.init(privKey, Cipher.MODE_DECRYPT);rsa.doFinal(apduBuffer, ISO7816.OFFSET_CDATA, (short) 128, result, (short) 0);Util.arrayCopy(result, (short) 0, apduBuffer, (short) 0, (short) result.length);apdu.setOutgoingAndSend((short)0 , (short) 128);
} catch (CryptoException e) {Util.setShort(apduBuffer, (short) 0, e.getReason());apdu.setOutgoingAndSend((short)0 , (short) 2);
}
ISOException.throwIt(ISO7816.SW_NO_ERROR);break;
We are using raw RSA for demo purpose, real applet process padding internally
![Page 39: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/39.jpg)
JSR#177 SATSA: Security And Trust Services API
Building a Trusted Gateway39
Provides 4 independent and optional packages for Java ME
SATSA – APDU: API for APDU communicationNo security as such, pure communication layer
SATSA –JCRMI: API for RMI on Java Card objectsObsolete (JCRMI didn’t take off)
SATSA – PKI: API for data signature
SATSA – CRYTOProvides crypto algorithms for encryption, hash, signature verification
![Page 40: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/40.jpg)
JSR#177 on concept board
Building a Trusted Gateway40
Only SATSA-CRYTO is natively presentSoftware implementation onlyNo signature in the API
We decided to implement a SATSA-APDU in Java Based on GPIO APIProvides javax.microedition.apdu.APDUConnection interface
![Page 41: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/41.jpg)
41
Using Bouncy Castle TLS stack
SocketConnection sc = (SocketConnection) Connector.open("socket://myserver.com:443");DataOutputStream os = sc.openDataOutputStream();DataInputStream is = sc.openDataInputStream();SecureRandom mySecureRandom = new SecureRandom();
TlsClientProtocol tlscp = new TlsClientProtocol(is, os, mySecureRandom);
TlsClient tlsc = new DefaultTlsClient(){public TlsAuthentication getAuthentication() throws IOException {
return new TlsAuthentication() {
// Callback when receiving server certificatepublic void notifyServerCertificate(Certificate serverCertificate) throws IOException {
// Check the certificate chain wrt to the Root CA certificate.…
}
// Callback when client CertificateVerify shall be sent public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException{
// Factory class can decide which credential to use based on TLS context (e.g. the server address)// Can instatiate DefaultTlsSignerCredential or our SETlsSignerCredentialreturn TlsSignerCredentialsFactory.getInstance(context);
}
};}
};
tlscp.connect(tlsc);
Building a Trusted Gateway
![Page 42: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/42.jpg)
Bouncy Castle extension
Building a Trusted Gateway42
Seven classes added to Bouncy CastleNew SE RSA key parameters and the associated signature classes
![Page 43: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/43.jpg)
Core RSA signature engine (simplified)
Building a Trusted Gateway43
Remove all actual RSA computations and delegate to SEpublic BigInteger processBlock(BigInteger input)
{ byte[] signature = new byte[128]; byte[] toBeSigned = input.toByteArray();
// We check make sure that the input length is 128 bytes padded with leading 0 bytesbyte[] data = new byte[128];System.arraycopy(toBeSigned, 0, data, 128 - toBeSigned.length, toBeSigned.length);
final String AID ="A0.0.0.0.18.50.0.0.0.0.0.0.52.41.44.41";try {
APDU apdu = new APDU(AID);
// Sending the APDU to the SE: CLA=0x00, INS=0x03, P1=P2=0x00byte[] response = apdu.sendAPDU((byte)0x00, (byte) 0x03, (byte) 0x00, (byte) 0x00, new byte[] {(byte)128}, new byte[] {(byte)128}, data);
// Copy resultSystem.arraycopy(response, 0, signature, 0, 128);
} catch (Exception e) {System.out.println("Cannot connect to the SE");e.printStackTrace();
}
return new BigInteger(signature);
}
![Page 44: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/44.jpg)
Take away
Gemalto has the techno bricks to
prototype quickly a secure home
gateway
Secure Element can be used to
secure heterogeneous
networks
SensorLogic Cloud Platform allows you
to quickly and securely deploy your prototypes
Building a Trusted Gateway44
![Page 45: Building a Trusted Gateway with Java ME and a Secure …docs.huihoo.com/javaone/2015/CON9758-Building-a... · Building a Trusted Gateway with Java ME and a Secure Element Pierre Girard,](https://reader030.vdocuments.us/reader030/viewer/2022021512/5afe2ab47f8b9a994d8e94b3/html5/thumbnails/45.jpg)
Building a Trusted Gateway45
Thank you