Card computing devices may provide identification, authentication, data storage and application processing in a variety of systems from mobile phones to automated teller machines and drivers licenses. Java has become a common development platform for creating applications for card computing devices. For instance, Java Card™ is a small Java implementation for embedded devices including card computing devices. Additionally, cyber intrusions and attacks have been increasing, often exposing sensitive information.
Traditionally, cryptographic keys derivation by an application (or applet) on a card computing device generally involves copying various data used as part of key derivation and/or other cryptographic material within memory (e.g., random access memory or RAM) of the card computing device and that is accessible to the application. For example, random data and additional derivation data are generally copied into byte arrays and passed as parameters to a key derivation process. Additionally, these data are copied between byte arrays and internal buffers as part of the key derivation process. Also, the result of the key derivation process is generally passed back to the application, such as in a byte array.
Generally, the normal RAM accessible to applications executing on a card computing device is less secure (e.g., from a cryptographic point of view) than protected non-volatile memory. Traditionally, the sensitive data (e.g., data used as part of the key derivation process) passed through the RAM of the chip may be vulnerable to a cryptographic attack and an attacker can frequently analyze the chip behavior and gain additional information about the derived key and other cryptographic data (e.g., since the data passes through the normal, less secure, RAM of the chip).