OnCard or OffCard encryption?

Question

Because of security reason I should store encrypted data on Java card, so the question is should I encrypt data with Offcard application and send it to Java card or send pure data to Java card and let Java card encrypt it by itself?

Anyway, I want to know the best way o store data on Java card and what is the best sequence diagram in order to consider security on data?

Thanks in advance

Answer 1

Basically it depends what you call the off-card application, and whether you consider it trusted (or to which extent you consider it trusted).

In a system involving a card application, a mobile phone application, and a back-end server, usually the server and the card application are trusted, anything inbetween isn't (which means communication has to be done ciphered). The card will want to authenticate any incoming data before processing it. In that case the mobile application is not very much trusted, for various reasons, including the shortcomings of mobile OS's security. You need to elaborate a bit more on your use case. What are the attacks you wish to prevent against, and what part of your system do you trust ?

Anyway to answer your question, the private data managed by the card application does not need to be encrypted before being stored, because the storage can be considered safe.