PKI secures council transactions

Southampton folk trial a smartcard that provides secure access to council services, writes Karl Cushing

A smartcard project in Southampton is using public key infrastructure (PKI) to support cashless transactions and enable local citizens to access council services more securely.

The Smartpath scheme, which has been awarded Pathfinder status, is an extension of the Smartcities smartcard project being run by Southampton Council. Digital certificates stored on the cards allow users to access a personalised Web portal from public access points such as Internet kiosks and PCs in libraries.

The system is being tested by 6,000 local people in a pilot scheme using a housing repairs application from software firm SX3. Smartpath project manager Sean Dawtry says housing repairs was chosen for the trial because it is "an ideal online application" and is relatively low-risk.

The plan is to extend the scheme to incorporate services that require greater authentication, such as benefit requests and online payments. Dawtry acknowledges that some users will not want to use the card for such purposes but he stresses that this is not the point of the scheme. "It is about adding more choice and convenience," he explains.

The PKI system has been provided by security software firm Entrust. Dawtry says that although PKI is not foolproof it is the best option available at the moment. Using PKI will also enable the council to keep track of who is logging on to the network and what they are doing, adding to information captured by its CRM system.

Dawtry says that a key aim was to make using the cards intuitive. The system also had to be e-GIF compliant, so the council made it Java-based and incorporated XML.

Certificate management was another major consideration, and its development took a lot of time and effort. In order to comply with the Data Protection Act, the amount of personal information held on the card has been kept to a minimum.

When a user first registers, an account is created within the CMS (card management system) and a request for a certificate is created and stored in the FTP (File Transfer Protocol) directory. The authentication system checks the validity of the user - for the housing repairs function they will need to be a housing tenant, for example. The account is then authorised, an X.509 certificate is generated and the CMS is authorised to encode the card. The card user never actually penetrates the council's firewall and the card is protected by a Pin code.

If a card is lost or stolen the user goes through a procedure similar to that with bank cards. After contacting the Smartcities Bureau, the user is checked to make sure their claim is valid and a new card and Pin are sent out separately. However, if they are deemed to have used the card fraudulently they will be blacklisted and barred from receiving a new one.
