Trusted Labs, a leader in security services ranging from risk analysis to evaluation, announces that it has developed a Common Criteria Protection Profile for open (U)SIM Java(tm) cards designed to host third-party security-sensitive applications, in a joint effort with other companies including French mobile operators Bouygues Telecom, Orange and SFR. The Protection Profile will soon be available for application providers and platform developers.
Common Criteria Protection Profiles specify the security requirements that need to be addressed by a given product, expressing the needs of a community of users. This Protection Profile defines the security requirements of the whole (U)SIM card platform and marks the first milestone in the scalable composition scheme initiated last year by Trusted Labs and SFR with the help of DCSSI, the French certification body.
The Protection Profile addresses the issues involved in downloading security-sensitive applications on a card platform in a secure environment. Prior to any card loading, non-sensitive applications will be validated by independent third parties, whereas sensitive applciations will be evaluated by an ITSEF in composition with the card platform. Both types of applications will require signature verification by a trusted third party prior to any loading on the card.
This Protection Profile facilitates the security certification of (U)SIM cards – the target being high assurance of EAL4+ type. As a result, application providers can access a dedicated and secure area on the cards. The Protection PRofile thus contributes to the launch of multi-application (U)SIM cards, by increasing confidence in the security model.
“With this Protection Profile, the card platform can be certified separately from the applications it is to host. Expected to become a de facto industry standard, the Protection Profile should spur the deployment of security-sensitive applications – such as banking, pay TV, e-signature and transport applications – on (U)SIM cards, bringing about true multi-application,” said Claire Loiseaux, CEO of Trusted Labs.
About Trusted Labs
Trusted Labs specializes in security consulting and evaluation of embedded systems such as smart cards, terminals and mobile phones. Its consulting activity covers security architecture, formal methods and certification methodology such as FIPS140-2 or Common Criteria. Its evaluation activity includes security evaluations of smart cards and terminals, testing services and tools, and automated validation of applet security and interoperability. Trusted Labs consults and evaluates the products and services of large telecom operators, financial institutions and card and terminal manufacturers. Trusted Labs has already obtained international recognition of its expertise thanks to its participation in various evaluation schemes (Common Criteria, MasterCard CAST) and its contribution to several Protection Profiles for DCSSI, the French certification body, and for Sun Microsystems (Java Card(tm) Protection Profile).