The Southampton Pathfinder for Smart Cards in public services

© Southampton City Council Sean Dawtry – Southampton City Council

The Southampton Pathfinder for Smart Cards in public services


SmartPath

• Sean Dawtry• Corporate IT Consultant• Southampton City Council• E-mail [email protected]• Tel 023 8083 2983


Agenda

• Overview of SmartPath• Principles • Project Scope• PKI• How Does it Work• Main Partners• Issues• The Future


Overview

• Develop Robust/Resilient Security Infrastructure for Electronic Service Delivery.

• Though Development of PKI

• Build Around Existing SmartCities Scheme

• Available from Kiosks, PCs in Libraries

• 6000 Citizens


Principles

• Bridge Digital Divide

• Through SmartCard

• Secure

• Needed Real World Application– Housing Repairs

• Portability and Interoperability


Scope

• Business Process Development– SmartCities– Housing– PKI/Certificate Management

• Infrastructure Development

• System Design

• Integration– With Back Office– SmartCities

• Secure Portal

• Intuitive User Interface


PKI

• PKI (Public Key Infrastructure)– Enables users of a unsecured public network such as

the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.

– The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.


Digital Certificate

• A digital certificate is an electronic “passport" that establishes your credentials when doing business or other transactions on the Web.

• It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key, and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.

• Some digital certificates conform to a standard, X.509.


Digital Certificate

• Can be held– Web Browser

– USB Token

– Smartcard


CA and RA

• Certificate Authority– Organisation responsible for issuing and

revoking certificates

• Registration Authority– Organisation responsible for performing

the registration process and verifies the identification of the individual


CA and RA

• Southampton City Council – currently performs the CA function.

• Smartcities– Currently performs the RA function

• Both are currently one in the same


CP and CPS

• Certificate Policy– Lays down the CA’s legal obligations – Liabilities– Holders obligations

• Certificate Practice Statement– Details the processes by which the PKI will be

managed i.e. Physical Controls, Personnel Controls, backup and recovery


CP and CPS

• How do they relate– The Certificate Policy generally states

WHAT is to be adhered to. The Certificate Practice Statement states HOW it will be adhered to


Verification

• Meets Office of the E-Envoy’s authentication framework

• Applicant must produce two forms of approved documents to verify identification


Benefits of PKI

• Entity Authentication– Verifies the Identity of a person or organisation

• Data Confidentiality– Ensures transmitted data is secure

• Data Integrity– Ensures that data is not tampered with in Transit


Benefits of PKI

• Non Repudiation– Neither party can deny transaction ever took place

• Privilege Management– Policies that govern access to sensitive data


Why PKI

• E-Government programme opens up more data to more people

• Could be sensitive

• Need to ensure interest of all parties are taken into consideration

• Important to know who is at the ‘other end’

• Prevention of fraud


Registration

Create X509 Certificate

Citizen Registers

CMS

Account created within the Card Management System

Certificate Request is granted and CMS authorised to encode card

Entrust Poller

Poller Checks for new requests frequently

CMS Informed if request is invalid

FTP

Certificate Request is created and stored in FTP Directory

Check CRM to Determine Valid user

Entrust ‘Get Access’ Account Created


Authentication

Cardholder inserts card and PIN

Certificate is copied to Cryptographic Store in Web Browser

Entrust ‘Get Access’

Server

CA

‘Get Access’ Server confirms that certificate is valid and performs authentication process

Web Client

‘Get Access’ acts as a proxy server for resources from SCC application server through firewall e.g. Housing Repairs

All communication between BEA Weblogic and the user occurs through the firewall and the ‘Get Access’ Server

BEA Weblogic

Server

SCC Back office

Systems


Entrust ‘Get Access’

Server

Data

SCC

Once completed Data Flush takes place to remove the certificate from the browser

Authentication


Lost/Stolen/Blacklisted Cards

• Card Loss Report– Smartcities Creates a ‘Hotlist’

– ‘Hotlist’ Sent to SmartPath

– Checked – Certificate and Account Revoked

– New Card Requested if Necessary

– Registration Process Begins


Issues

• Take Up– Hindsight is a good thing– Public Perception

• ‘Leading Edge’– Some Components ‘volatile’

• 2 pence pieces!– Jammed in Card Readers

• Certificate Practice/Policies– Lots of work


Main Partners

• ECSoft– Primary Integration Partner

• Entrust– PKI– Security and Authentication

• Smartcities/SchlumbergerSema– Smartcards and Smartcard Integration


The Future

• Develop Key Components as a Product that Could Implemented Elsewhere

• Share Documents – Certificate Practice Statement– Certificate Policy– Design Documents

• Add more Services– Requiring higher security levels

• Revenues and Benefits• Secure Payments (in and out)• Social Care


The Future

• Develop as a National model

• Integrate With UK-Online

• Obtain T-Scheme Approval

The Southampton Pathfinder for Smart Cards in public services

Documents

Transcript of The Southampton Pathfinder for Smart Cards in public services