The Java Card Protection Profile version 3.0.5 has been certified and published. Unlike the previous versions of the Protection Profile, which were certified and published under the French Scheme by Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), this version of the Protection Profile has been certified and published under the German Scheme by Bundesamt für Sicherheit in der Informationstechnik (BSI).
The Java Card Protection Profile can be used to certify Java Card platforms to Common Criteria EAL4+ level. It relies on CC version 3.1 revision 5.
The Java Card Protection Profile version 3.0.5 is aligned with the latest Java Card specifications version 3.0.5, but can also be used to certify products based on versions 2.2, 2.2.1, 2.2.2, 3.0.1 and 3.0.4 of the Java Card specifications. It supersedes the previously released versions of the Protection Profile.
The Java Card Protection Profile provides a modular set of security requirements designed specifically for the characteristics of the Java Card platform. It offers a precise description of the Java Card System, background and possible environments for risk analysis, and describes the division of duties and assignment of responsibilities among the involved actors (physical and IT components) required for the definition of security policies. Furthermore, it defines the risks and assets to enable creation of Security Targets. Its goal is to reduce the time and cost for developers of Java Card-based products to complete security evaluations under the Common Criteria for IT Security Evaluation. This work is part of Oracle's Global Initiative on Common Criteria (CC).
The Java Card Protection Profile defines a set of security requirements for the Java Card Runtime Environment, the Java Card Virtual Machine, the Java Card API Framework, and the on-card Installer components. It provides guidelines to develop a secure Java Card platform and obtain high-level security certifications.
The design strategy behind Java Card Protection Profiles represents a breakthrough in the world of security evaluations, as it specifically accommodates the flexible, modular, and open characteristics of Java Card technology. In particular, it is intended to complement existing protection profiles available for Java Card technology-based smart cards and secure elements.
The Java Card Protection Profile comes in two configurations: