Gemplus and OSGIBenjamin Maury

10.23.03

Gemplus Introduction

World Leader for Smart Card SolutionsSmart Solutions in Telecommunications

Beyond the SIM with applications and Over the Air Platform

Trusted Solutions for finance and securityBanking: differentiated servicesRetail: customer loyaltyID and Security: Government and Enterprise

Security expertise delivered by Business Development GroupDigital SecurityOperating SystemsTechnology-driven business

What is the Gemplus Automotive Approach?

Leverage our telecom and security expertise in automotive market :

Provide more flexibility to the SIM Card

Ensuring end to end security in Electronic Control Unit SoftwareDownload

Enabling Multi services Token for services personalization

Requirements for services life cycle flexibility and security

OSGI Lite Implementation

Java Card J2SE J2EE

VM

Language

API

JCVM JVMKVM

J2MECLDC CDC

Java subset Java

JC API CLDC API CDC APIAPI

APIMID

P

P2

P4P3 . . .

. . .

OSGI

Gemplus and Java

More than 50% of our products are Java compliant

Migration from proprietary platform towards open platform

As a smart card leader we have to be the first at the standardization level

JSR 177 – Secure the Java Mobile Environment with security services coming from SIM Card

Why OSGI for the next Java Card Platform?

Next Generation smart cards will require dynamic service management

Need for OSGI lite in order to have a flexible way to manage application

Need for adapting Performance and Hardware constraints due to the small smart card environment

Gemplus is proposing an OSGI framework for the next Java Card platform

Our light OSGI Implementation

Implements only the Core OSGI Features (possibly a subset)

KVM-like java platform Development for smart card

Communication is provided by an embedded TCP/IP stack

For smart card first but possible extension to small foot print environment

OSGI Security Approach

Our OSGi Security approach

Open environment means more risk exposure and more security requirements

Objective is to have an end to end security chain from development to application use

The security level is always given by the weakest element

So far, usage of Global Platform to manage our open platformOur products are based on Global Platform and have a security validated by EAL5+ (Evaluation Assurance Level) Certification

OSGi Security scheme remains open and has to be defined by OSGi solution integrators

Java is Open but Possibly Secured

Java and securityCode download post-issuanceMulti-applicationApplet / platform separation

RisksNon Verified Application (Trojan horses)Problems of trust and rights delegation

Enforcement of chain trustRisk assessment to evaluate the vulnerabilityIdentity of each involved party can be checked (authentication)Answer to Integrity and Confidentiality of data NeedsSecure the Java Virtual Machine

End to end Security Services

GSM/GPRS,UMTS

Multi-applicationPost-issuance

capabilitiesSignature and

encryption of application

Internet

Shops

Application Server

Complete security chain to reach high security level

Parallel can be made with the Automotive World

The same requirements exist for the automotive market

InternetWLAN

Dealers

Application Server

GSM/GPRS,UMTS

Multi-applicationPost-issuance

capabilitiesSignature and

encryption of application

Conclusion

OSGi is a candidate for New Generation Java Card management framework

OSGI brings flexibility but great care has to be taken concerning the complete security chain

Gemplus has an end to end security expertise and has experimented an OSGI lite implementation

Questions? benjamin.maury@gemplus.com