Java Card Protection Profile 3.0.5 available

Announcing Java Card Protection Profile 3.0.5  
(Updated 09/05/18 - Closed Configuration Available)

The Java Card Protection Profile version 3.0.5 has been certified and published. As opposed to the previous versions of the Protection Profile which were certified and published under the French Scheme by Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), this version of the Protection Profile has been certified and published under the German Scheme by Bundesamt für Sicherheit in der Informationstechnik (BSI).

The Java Card  Protection Profile can be used to certify Java Card platforms to Common Criteria EAL4+ level. It relies on CC version 3.1 revision 5.

The Java Card Protection Profile version 3.0.5, is aligned with the latest Java Card specifications version 3.0.5, but can also be used to certify products based on versions 2.2, 2.2.1, 2.2.2, 3.0.1 and 3.0.4 of the Java Card specifications. It supersedes the previously released versions of the Protection Profile. 

What is the Java Card Protection Profile ?

The Java Card Protection Profile provides a modular set of security requirements designed specifically for the characteristics of the Java Card platform. It offers a precise description of the Java Card System, background and possible environments for risk analysis, and describes the division of duties and assignment of responsibilities among the involved actors (physical and IT components) required for definition of security policies. Furthermore it defines the risks and assets to enable creation of Security Targets.  Its goal is to reduce the time and cost for developers of Java Card-based products to complete security evaluations under the Common Criteria for IT Security Evaluation. This work is part of Oracle's Global Initiative on Common Criteria (CC). 

The Java Card Protection Profile defines a set of security requirements for the Java Card Runtime Environment, the Java Card Virtual Machine, the Java Card API Framework, and the on-card Installer components. It provides guidelines to develop a secure Java Card platform and obtain high-level security certifications.

The design strategy behind Java Card Protection Profiles represents a breakthrough in the world of security evaluations, as it specifically accommodates the flexible, modular, and open characteristics of Java Card technology. In particular, it is intended to complement existing protection profiles available for Java Card technology-based smart cards and secure elements.

Protection Profile Configurations 

The Java Card Protection Profile comes in two configurations: 

• The Open Configuration Protection Profile can be used to certify Java Card platforms that allow post-issuance downloading of applications. It has been certified by BSI under reference BSI-CC-PP-0099-2017. Access the Java Card Open Configuration Protection Profile Certification report from the BSI web site.
• The Closed Configuration Protection Profile can be used to certify products that do not support post-issuance downloading of applications. It has been certified by BSI under reference BSI-CC-PP-0101-2018.  Access the Java Card Closed Configuration Protection Profile Certification report from the BSI web site.

More Information

• Download Java Card Protection Profile v3.0.5 Open Configuration from OTN
• Learn about the Common Criteria for Information Technology Security Evaluation