# How NHS Smart Cards Work - a Slightly More Technical Guide

**Category:** [NHoS/NHSbuntu](https://openhealthhub.org/c/nhos/35)
**Created:** 2017-06-26 14:33 UTC
**Views:** 3138
**Replies:** 0
**URL:** https://openhealthhub.org/t/how-nhs-smart-cards-work-a-slightly-more-technical-guide/1046

---

## Post #1 by @pacharanero

<div align=center><img src="/uploads/default/original/1X/dea847e098dc5bb64c1bd344d419d69a80359ecb.jpg" width="666" height="500"></div>

If you're thinking 'What is an NHS Smart Card and what are they for?' then you'd definitely want to read [this more general guide](https://www.openhealthhub.org/t/how-nhs-smart-cards-work-a-beginners-guide/1045) first. Otherwise, let's plough on!

## How NHS Smart Cards work

* At a low level in the operating system, USB smart card reader drivers allow the computer's kernel to communicate with the card. These drivers are readily available on most platforms. (To simplify installation, and to make it easier for us to include this work directly in the default NHSbuntu install, we have packaged up some common drivers for Ubuntu in an Packagecloud PPA here: https://packagecloud.io/nhsbuntu/nhs-smartcards)

* A smart card client (called the Identity Agent) is running on the machine we're going to use to connect to Spine services. Our **proof-of-concept** 'alpha' NHSbuntu Identity Agent (written from the ground up in Python in a week at the NHS Digital Hack Week June 2017) is here: https://github.com/NHSbuntu/NHSbuntu-identity-agent 

* When a card is inserted, the Identity Agent desktop client, prompts the user to enter their PIN.
<img src="/uploads/default/original/1X/d66a71c94448de33dd5542d393c10fa91e375d80.png" width="400">

* The PIN entered is sent to the smartcard, which is only unlocked by the correct PIN.

* If the smartcard responds 'OK' ie that the PIN is correct, the Identity Agent then requests a [cryptographic nonce string](https://en.wikipedia.org/wiki/Cryptographic_nonce) from the 

> `GET /login/authactivate`

sends a challenge to the smartcard, which it cryptographically signs, using its digital certificate.

* // Signed challenge & PKCS7 / Cryptographic Message Syntax foo

* // Middleware interacts with the certificates on the card 



returns a challenge

> `GET /login/authvalidate`

returns a simple XML list of roles that the user is authorised for

Security Broker - communicates with an LDAP server at the [Care Identity Service (CIS)](https://digital.nhs.uk/Registration-Authorities-and-Smartcards/care-identity-service-forms) on the NHS Spine to obtain an XML response with a list of clinical roles that the user is authorised for.


* Identity Agent - talks to security broker & middleware to produce a 'ticket'
* On windows, a [named pipe](https://msdn.microsoft.com/en-us/library/windows/desktop/aa365590(v=vs.85).aspx) is used to communicate between the Identity Agent and the browser, through a number of other intermediaries: TicketAPI (a DLL in C), GATicket.jar, and finally a Java applet in the browser.

<img src="/uploads/default/original/1X/0ddc0e6ef2e6dfbc4a226dddf08ff1d11de89256.jpg" width="666" height="500">

---
> This article was written during the NHS Digital Hack Week 26th - 30th June, which the NHSbuntu team attended in order to support NHS Digital team members who had chosen to work on a Linux version of the Identity Agent during Hack Week. Read our blog post about it here.

---


**Canonical:** https://openhealthhub.org/t/how-nhs-smart-cards-work-a-slightly-more-technical-guide/1046
**Original content:** https://openhealthhub.org/t/how-nhs-smart-cards-work-a-slightly-more-technical-guide/1046