Smart Card Security Training

3 days

Smart Card Security (3 days)

Riscure provides a three day training on Smart Card Security. The training will address both logical and side channel security issues and introduce the participants into secure programming patterns, providing an understanding of the security requirements which can be taken into account when developing smart card code or when testing or evaluating smart card security.

Integral part of this training is the Java Card Logical Security Training, which is also provided separately as a one-and-a-half day training.

This training provides a practical introduction into the world of side channel and perturbation analysis. It shows the basics and allows attendees to understand and experience what it means to break a system with these types of attacks. At the same time this course explores the countermeasures that are available to developers. Using these, the side channel and fault injection attack resistance of software on smart cards and embedded systems will significantly improve. We examine source code implementations on weaknesses and provide hands-on exercises to improve these implementations. This will allow the attendee to develop a feel for the possibilities and limitations for software-based countermeasures against such attacks.

Furthermore the trainees will be introduced to the logical security concepts and risks posed by the Java Card and GP platform in relation to security on all levels. Starting from basics, such as the architecture and assumptions of the card’s operating system, trainees move in to defense code development and applet development.

For the demonstrations and exercises during this training the following tools will be used:

  • Inspector, side channel and fault injection analysis tool developed by Riscure
  • JCworkBench, Java Card test tool developed by Riscure

Training objectives

At the end of the course, the aim is that each trainee:

  • Has gained an understanding of the threats and security concepts of smart cards.
  • Has built experience in attacking smart cards with side channel and fault injection attacks.
  • Has built experience in discovering security weaknesses in source code and in writing secure code for smart card technology.
  • Has built experience in developing and executing tests (attacks) to attack applets and the Java Card OS.
  • Has gained an understanding in secure programming guidelines that are specific for smart cards.
  • Has gained an understanding how countermeasures can be used to mitigate vulnerabilities.

Our training is cost effective as it would require considerably more effort and time to obtain this level of knowledge in-house.

Intended audience

The nature of the training is mainly technical. The primary audience for this training includes:

  • Application developers
  • Chip and hardware designers
  • Security architects
  • Security analysts
  • (Product managers)

The trainees typically come from Smart Card vendors, issuers like banks, governmental bodies, telecom and transportation industry and other test labs.

Prerequisites

The training program provides thorough coverage on the topics mentioned above and is focused on beginner and intermediate level. The participants are expected to:

  • Have a basic understanding of security and cryptography.
  • Have a basic understanding of smart card technology and smart card interfaces.
  • Have a basic understanding of Java Card Technology.
  • Have experience in programming in Java and C/Assembly (native) on smart cards.
  • Have a good understanding of English.

A basic conceptual understanding of side channel and fault injection testing is recommended, but not required to follow the training.

Practical information

Riscure provides lunch, coffee/tea and beverages and training material. Equipment for the hands-on sessions will be provided. Each participant will receive a certificate of completion.