Use of Smart Card and Patron API in CUHK Libraries
University Library System, The Chinese University of Hong Kong (香港中文大學圖書館系統)
Paul Lau, Ernest Yik, Kevin Leung
Dec 10, 2001
A story about how Grace uses our library services
Diagram: Grace's day at the University Library: Turnstile (CU Link Card), PC Logon (PC), Add-value Machine / AVM (Photocopy Card), Check Out, Library Proxy
How do we use the Smart Card?
Use of Smart Card:
  - Turnstile
  - PC Logon
  - Add-value Machine
  - Check-out
How do we use the Patron API?
Use of Patron API:
  - PC Logon
  - Add-value Machine
  - Library Proxy
Smart Card in CUHK Libraries
Family of Smart Cards in CUHK Libraries:
  - CU Link Card
  - Alumni Card
  - Faculty Copying Card
  - Copying/Printing Card
CU Link: CUHK and Hang Seng Bank jointly launched the CU Link as the university identity card, starting from the academic year 1999-2000.
CU Link: CU Link is designed to be an all-in-one card for:
  - identification
  - access control
  - Mondex stored value
  - ATM banking transactions
CU Link: The card contains two machine-readable elements: a microprocessor chip for storing personal information and supporting Mondex, and a magnetic stripe for ATM access.
Library Smart Card:
  - Microprocessor card with 2K memory
  - Multi-application card for payment and identification
  - Secure transaction management for the e-purse application
What is Patron API?
  - Offers patron information and PIN verification
  - Based on HTTP / HTML
  - Network access is limited by host / IP
PatronAPI request & reply (1)
Request patron information:
  http://opac.host:4500/PATRONAPI/991234/dump
Reply:
  <HTML><BODY>
  P TYPE[p47]=1<BR>
  CUR CHKOUT[p50]=2<BR>
  BORROW ID[pb]=991234<BR>
  </BODY></HTML>
or "Requested record not found"
PatronAPI request & reply (2)
PIN verification:
  http://host:4500/PATRONAPI/991234/MYPIN/pintest
Reply:
  <HTML><BODY>
  RETCOD=0<BR>
  </BODY></HTML>
or "Invalid patron PIN", "Requested record not found"
Library Proxy
  - For off-campus access to electronic resources
  - Squid web proxy cache
  - Authentication: Patron API + authentication program
PatronAPI and authentication
  - Gateway between application & Patron API
  - Retrieve patron record from Patron API
  - Check block status, expiry date, patron type and PIN (including records without PIN)
  - Reply to application
Authentication program
  - A small Perl script
  - Works with Squid & Apache Server
  - For Squid: read one line "USERNAME PASSWORD", output "OK" or "ERR"
  - For Apache: read two lines "USERNAME" and "PASSWORD", exit(0) or exit(1)
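As an added illustration of the authentication program described on the two slides above (written for this page in Python, not the library's own Perl script), the following Squid basic-auth helper implements the same gateway: it reads "USERNAME PASSWORD" lines, runs the pintest and dump requests against the Patron API, applies the block, expiry and patron-type checks, and answers OK or ERR. It assumes the placeholder Patron API host from the slides, that the expiry and block fields carry the tags p43 (EXP DATE, MM-DD-YY) and p56 (MBLOCK, "-" meaning no block), which are not on the page, and the plain space-separated helper input shown on the slide; the sample replies are constructed.

```python
import datetime as dt
import re
import sys
import urllib.request
from urllib.parse import quote

PATRON_API = "http://opac.host:4500/PATRONAPI"  # host name as printed on the slides (placeholder)
ALLOWED_PTYPES = {"1"}                          # assumption: P TYPE values allowed to use the proxy
FIELD_RE = re.compile(r"[^<\[]+\[(\w+)\]=([^<]*)<BR>")
# Constructed sample replies so the helper can be exercised offline (tags p43 and p56 are assumed).
SAMPLE = {
    f"{PATRON_API}/991234/MYPIN/pintest": "<HTML><BODY>\nRETCOD=0<BR>\n</BODY></HTML>",
    f"{PATRON_API}/991234/dump": "<HTML><BODY>\nP TYPE[p47]=1<BR>\nCUR CHKOUT[p50]=2<BR>\nEXP DATE"
                                 "[p43]=12-31-30<BR>\nMBLOCK[p56]=-<BR>\nBORROW ID[pb]=991234<BR>\n</BODY></HTML>",
}

def http_fetch(url):  # production transport; only the logon/proxy server is allowed to reach the API
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("latin-1", "replace")

def parse_reply(html):
    """'P TYPE[p47]=1<BR>' -> {'p47': '1'}: key by field tag, which is stable across label wording."""
    return {tag: val.strip() for tag, val in FIELD_RE.findall(html)}

def authenticate(user, pin, fetch=http_fetch, today=None):
    """True only if the PIN verifies and the record is unblocked, unexpired and of an allowed type."""
    if not re.fullmatch(r"\d{1,20}", user) or not pin:       # fail closed on odd ids or empty PINs
        return False
    u, p = quote(user, safe=""), quote(pin, safe="")          # the PIN travels in the URL path: encode it
    if not re.search(r"RETCOD=0\b", fetch(f"{PATRON_API}/{u}/{p}/pintest")):
        return False                                          # covers "Invalid patron PIN" and not found
    rec = parse_reply(fetch(f"{PATRON_API}/{u}/dump"))
    if (rec.get("pb") != user or rec.get("p47") not in ALLOWED_PTYPES
            or rec.get("p56", "x") != "-"):                   # assumed: MBLOCK tag p56, "-" means no block
        return False
    try:                                                      # assumed: EXP DATE tag p43 in MM-DD-YY form
        exp = dt.datetime.strptime(rec.get("p43", ""), "%m-%d-%y").date()
    except ValueError:
        return False
    return exp >= (today or dt.date.today())

def run_helper(lines, fetch=http_fetch):
    """Squid protocol: each input line is 'USERNAME PASSWORD'; yields 'OK' or 'ERR' per line."""
    for line in lines:
        parts = line.rstrip("\r\n").split(" ", 1)
        yield "OK" if len(parts) == 2 and authenticate(parts[0], parts[1], fetch) else "ERR"

if __name__ == "__main__":
    for answer in run_helper(sys.stdin):
        print(answer, flush=True)                             # Squid waits for each answer line
```

Every failure path returns ERR, so a Patron API outage, a record without a usable PIN or an unexpected reply never grants proxy access.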
Smart Card logon system in C.U.H.K.
There are four main elements:
  - Smart Card
  - Smart Card logon client
  - Smart Card logon server
  - Innopac Server with Patron API
Why Smart Card?
  - Hardware token to improve the security level
  - E-purse application for network printing
Why Patron API?
  - Single point of patron authorization
  - Reduces the cost of user account management
  - Single account & password
Why a smart card logon server?
Smart card logon system without logon server:
  1. The user inserts his library smart card into the public PC.
  2. The user types in his password.
  3. The user information "http://Innopac.cuhk.edu.hk/logon%myusername@mypassword" is sent to the Patron API server.
  4. The Patron API server replies to the public PC.
Problems:
  - Unencrypted user name & password are transmitted over the network.
  - Every smart card logon PC can access the 'dump' function of the Patron API.
How does CUHK solve the problems?
Smart card logon system with logon server:
  1. The user inserts his library smart card into the public PC.
  2. The user types in his password.
  3. The encrypted user information "http://logon.cuhk.edu.hk/logon%546864678$@56569009gh" is sent to the logon server.
  4. The logon server decrypts the user information and sends it to the Patron API server.
  5. The logon server redirects the Patron API reply to the public PC.
Problems solved:
  - The user name and password are encrypted before being transmitted over the network.
  - Only the logon server can access the Patron API functions.
More..
Business logic and rules
Example: supports different kinds of library smart card logon:
  - Normal user (CU Link card or library card holder): Smart Card + Password
  - Department user (Department Card holder): Smart Card only
  - Any user with Printing/Copying card: Smart Card + Borrower ID + Password
Audit Trail: Monthly Report
Others...
  - Server redundancy and load balancing
  - Replaceable authentication modules
  - More...
Summary - Patron API
  - Single point of patron authorization
  - Single account & password in the library
  - Simplifies the implementation and management of authentication for other library applications and workstations
  - Reduces the cost of managing those user accounts
Thank You