Management Information Services Division
Smart Chip
By 2006, only two institutions still use the smart chip card and both have plans to replace it by the standard University (Contactless) Card. The Management Committee have therefore proposed to discontinue issuing the contact chip card with effect from the end of December 2006. |
| By January 2007, there was no Organisation using the smart Chip card and it has therefore been discontinued. |
- Smart chip
- Guidelines for development
- Draft guidance for smart card developers
- Hardware for accessing the card
- Software for accessing the card
- Storing data on the card
- Smart chip links
The smart chip
The smart chip is a microprocessor embedded in the card. The chip is able to store a small amount of information and control the conditions under which the information can be accessed or modified. The chip is also able to perform some cryptographic functions such as creating or checking a digital signature.
The primary purpose of the chip is to authenticate the identity of the cardholder. For this purpose, the chip holds a public/private key pair together with a digital certificate. The certificate asserts that the public key on the card belongs to the person associated with a particular identifier; this assertion is supported by a Certificate Authority run by the University Card Services. The corresponding private key remains on the card: it cannot normally be extracted, but is used by the card's own cryptographic functions.
The private key on the card is protected by a PIN (personal identification number). PINs are assigned at random when cards are issued. Cardholders must never reveal their PIN to anyone else, even to members of staff at the card office.
Guidelines for Development
For most applications this card has been superseded by the contactless chip card.
The University Card offers a platform for Colleges and Departments to develop applications which fit their own requirements. The University Card Service is able to provide information regarding other uses of the card within the University and on companies outside the University who can develop systems for the Card. Please contact them directly for more information regarding this.
Please report all uses of the Card to the University Card Service at univcard@admin.cam.ac.uk to check that:
- The University Card is fit for the purpose
- The use does not conflict with any other use of the card
- The Department or College are aware of the implications of using the card
- University Institutions are not multiplying their cost by duplicating the development, research or investment already undertaken by another.
Draft guidance for smart card developers
Note: all information in this document is liable to change. Please obtain the latest information from the Card Office before undertaking a smart card project.
The chip on the card is an IBM MFC 4.22. This is an ISO 7816 filing system card with some cryptographic capablility. The card is supplied by ComCard. The chip is personalized by the Card Office before being issued. During personalization, the card is loaded with the following items:
- A short file containing the cardholder's identifier, card serial number and expiry date only. This is intended for fast access, and can be read from the card by anyone at any time.
- A 1024 bit RSA private key. The access conditions for this object are intended to prevent its being read from the card at any time and to allow its use only after successful presentation of the cardholder's PIN.
- A 1024 bit RSA public key. This can be read from the card when the cardholder's PIN has been correctly provided.
- An X509v3 digital certificate. This contains the cardholder's identifier and the public key, and an expiry date. This can be read from the card by anyone at any time.
- Some other files containing such things as the cardholder's PIN, card office keys and directories.
Hardware for accessing the card
To communicate with the smartcard, you will need a 'card reader'. All card readers are able to write as well as read, although the card imposes restrictions on what may be read and written and by whom.
The smartcard uses a standard serial communications protocol (T=1, ISO 7816-3). It can therefore be used by any equipment which implements that protocol, including PCs, Macs, Unix machines, point of sale terminals, photocopiers etc. Although it is not tied to any host hardware or operating system, there are more facilities available for PCs and Windows than for other environments.
For a Windows PC, there is a standard called PC/SC (personal computer/smart card). In theory, any PC/SC compatible card reader is interchangeable with any other. Most PC/SC readers are plug-and-play, and should be easy to install under Windows 95/98/Me and Windows 2000. Under NT4 an installation procedure will be needed. Drivers and installation programs are supplied by the reader manufacturer.
The University card office does not recommend any particular make or model. We have generally used readers from GemPlus since these are widely available. The PC-410 (previously called GCR-410P) is a common stand-alone reader, and there is a built-in version that fits a 3.5 inch floppy disk bay.
Software for accessing the card
Under Windows, there are currently two possible ways of communicating with the card: the PC/SC interface or the pkcs#11 interface. A programmer should choose the PC/SC interface since it is quicker and simpler. (The pkcs#11 library is intended only for those applications that already use that interface, such as Netscape Communicator).
Under PC/SC, data on the card is stored in files, and files are referenced by file IDs which are 16-bit numbers. Although the card operating system allows for a hierarchical directory structure, the Cambridge Card currently uses a flat structure. The file structure is explained in a separate document. Under PC/SC, any file on the card can be selected, although most files have access conditions that prevent reading or writing unless the correct keys or passwords have been supplied.
A quick and simple method for checking the card holder's ID is to read the contents of file FD03. This is a transparent file of 20 bytes, comprising "yyyymmddaa9999azczzz". where:
yyyymmdd = expiry date (ascii)
aa9999a = userID (ascii)
c = person's card number (binary; first card is #1)
z = zero byte (RFU)
This file can be read by sending an APDU in the form "a4 b0 83 00". The access conditions for reading this file are ALW (i.e. no restriction; no PIN or key required).
Storing data on the card
If you want to store data on the card, you must apply to the Card Office for a file ID; you will also need a key to enable you to create files on the cards.