1. Gemplus and OSGI Benjamin Maury 10.23.03

2. Gemplus Introduction  World Leader for Smart Card Solutions  Smart Solutions in Telecommunications  Beyond the SIM with applications and Over the Air Platform  Trusted Solutions for finance and security  Banking: differentiated services  Retail: customer loyalty  ID and Security: Government and Enterprise  Security expertise delivered by Business Development Group  Digital Security  Operating Systems  Technology-driven business

3. What is the Gemplus Automotive Approach?  Leverage our telecom and security expertise in automotive market :  Provide more flexibility to the SIM Card  Ensuring end to end security in Electronic Control Unit Software Download  Enabling Multi services Token for services personalization  Requirements for services life cycle flexibility and security

4. OSGI Lite Implementation

5. Java CardJ2SEJ2EE VM Language API JCVM JVM KVM J2ME CLDCCDC Java subset Java JC API CLDC API CDC API API MIDP P2 P4 P3... OSGI

6. Gemplus and Java  More than 50% of our products are Java compliant  Migration from proprietary platform towards open platform  As a smart card leader we have to be the first at the standardization level  JSR 177 – Secure the Java Mobile Environment with security services coming from SIM Card

7. Why OSGI for the next Java Card Platform?  Next Generation smart cards will require dynamic service management  Need for OSGI lite in order to have a flexible way to manage application  Need for adapting Performance and Hardware constraints due to the small smart card environment  Gemplus is proposing an OSGI framework for the next Java Card platform

8. Our light OSGI Implementation  Implements only the Core OSGI Features (possibly a subset)  KVM-like java platform Development for smart card  Communication is provided by an embedded TCP/IP stack  For smart card first but possible extension to small foot print environment

9. OSGI Security Approach

10. Our OSGi Security approach  Open environment means more risk exposure and more security requirements  Objective is to have an end to end security chain from development to application use  The security level is always given by the weakest element  So far, usage of Global Platform to manage our open platform  Our products are based on Global Platform and have a security validated by EAL5+ (Evaluation Assurance Level) Certification  OSGi Security scheme remains open and has to be defined by OSGi solution integrators

11. Java is Open but Possibly Secured  Java and security  Code download post-issuance  Multi-application  Applet / platform separation  Risks  Non Verified Application (Trojan horses)  Problems of trust and rights delegation  Enforcement of chain trust  Risk assessment to evaluate the vulnerability  Identity of each involved party can be checked (authentication)  Answer to Integrity and Confidentiality of data Needs  Secure the Java Virtual Machine

12. End to end Security Services GSM/GPRS, UMTS  Multi-application  Post-issuance capabilities  Signature and encryption of application Internet Shops Application Server Complete security chain to reach high security level

13. Parallel can be made with the Automotive World The same requirements exist for the automotive market Internet WLAN Dealers Application Server GSM/GPRS, UMTS  Multi-application  Post-issuance capabilities  Signature and encryption of application

14. Conclusion  OSGi is a candidate for New Generation Java Card management framework  OSGI brings flexibility but great care has to be taken concerning the complete security chain  Gemplus has an end to end security expertise and has experimented an OSGI lite implementation

15. Questions? benjamin.maury@gemplus.com