To help creators of products based on Java Card technology meet the demand by banks, governments, and other card issuers for security evaluations that comply with a rigorous, widely accepted standard, the Java Card Protection Profile provides a modular set of security requirements designed specifically for the characteristics of the Java Card platform. It reduces the time and cost for developers of Java Card-based products to complete security evaluations under the Common Criteria for IT Security Evaluation. This work is part of Oracle's global initiative on Common Criteria.
A profile defines a set of security requirements for the Java Card Runtime Environment, the Java Card Virtual Machine, the Java Card API Framework, and the on-card Installer components. It provides guidelines to develop a secure Java Card platform and obtain high-level security certifications.
The design strategy behind protection profiles represents a breakthrough in the world of security evaluations, as it specifically accommodates the flexible, modular, and open characteristics of Java Card technology. In particular, it is intended to complement existing protection profiles available for Java Card technology-based smart cards.
The Java Card Protection Profile version 3.0.5, is aligned with the Java Card Specifications version 2.2.x, 3.0.1, 3.0.4 and 3.0.5.
This version of the Protection Profile has been certified by BSI (Bundesamt für Sicherheit in der Informationstechnik) to a certification level of CC EAL4+, ALC_DVS.2, AVA_VAN.5 and can be used to reach certification levels of EAL4+ and above for Java Card products. It relies on CC version 3.1 revision 5.
Java Card Protection Profile v3.0.5 Open Configuration is registered under the reference BSI-CC-PP-0099-2017, and applies to evaluations of Java Card - based smart cards or similar devices that support post-issuance downloading of applications. It replaces the Java Card Protection Profile v 3.0 Open Configuration.
Java Card Protection Profile v3.0.5 Closed Configuration is registered under the reference BSI-CC-PP-0101-2018, and applies to evaluations of Java Card products without support for post-issuance downloading of applications. It replaces the Java Card Protection Profile v 3.0 Closed Configuration.