How NHS Smart Cards Work - a Slightly More Technical Guide

If you’re thinking ‘What is an NHS Smart Card and what are they for?’ then you’d definitely want to read this more general guide first. Otherwise, let’s plough on!

How NHS Smart Cards work

  • At a low level in the operating system, USB smart card reader drivers allow the computer’s kernel to communicate with the card. These drivers are readily available on most platforms. (To simplify installation, and to make it easier for us to include this work directly in the default NHSbuntu install, we have packaged up some common drivers for Ubuntu in an Packagecloud PPA here: nhsbuntu/nhs-smartcards - Packages · packagecloud)

  • A smart card client (called the Identity Agent) is running on the machine we’re going to use to connect to Spine services. Our proof-of-concept ‘alpha’ NHSbuntu Identity Agent (written from the ground up in Python in a week at the NHS Digital Hack Week June 2017) is here:

  • When a card is inserted, the Identity Agent desktop client, prompts the user to enter their PIN.

  • The PIN entered is sent to the smartcard, which is only unlocked by the correct PIN.

  • If the smartcard responds ‘OK’ ie that the PIN is correct, the Identity Agent then requests a cryptographic nonce string from the

GET /login/authactivate

sends a challenge to the smartcard, which it cryptographically signs, using its digital certificate.

  • // Signed challenge & PKCS7 / Cryptographic Message Syntax foo

  • // Middleware interacts with the certificates on the card

returns a challenge

GET /login/authvalidate

returns a simple XML list of roles that the user is authorised for

Security Broker - communicates with an LDAP server at the Care Identity Service (CIS) on the NHS Spine to obtain an XML response with a list of clinical roles that the user is authorised for.

  • Identity Agent - talks to security broker & middleware to produce a ‘ticket’
  • On windows, a named pipe is used to communicate between the Identity Agent and the browser, through a number of other intermediaries: TicketAPI (a DLL in C), GATicket.jar, and finally a Java applet in the browser.

This article was written during the NHS Digital Hack Week 26th - 30th June, which the NHSbuntu team attended in order to support NHS Digital team members who had chosen to work on a Linux version of the Identity Agent during Hack Week. Read our blog post about it here.