SMART CARD APPLICATION FOR CAMPUS E-SERVICES MALAR A/P SIVALINGAM FACULTY OF COMPUTER SCIENCE AND INFORMATION TECHNOLOGY

SMART CARD APPLICATION FOR

CAMPUS E-SERVICES

MALAR A/P SIVALINGAM

FACULTY OF

COMPUTER SCIENCE AND

INFORMATION TECHNOLOGY

UNIVERSITY OF MALAYA

KUALA LUMPUR

ABSTRACT

Smart card is a plastic card embedded with a microprocessor chip, which stores users information and transact the information to a computing system via a card reader. Smart card has been widely used throughout many industries including banking, healthcare, entertainment and manufacturing. The higher learning industry is one of the growing industries that have embraced the smart card technology in their campus automation and resource management. Among the universities that have implemented smart card as a part of their business operation includes University Utara Malaysia, University Multimedia, Malaysia, University of Ottawa, University of Nottingham and Florida State University.

Goon Institute, Kuala Lumpur is one of the renowned institute, which was established in 1936 and was recognized as on of the first institute that offered Accounting, LCCI, Shorthand and Law. Currently, Goon Institute, Kuala Lumpur has a total number of 300 students, which 95% of their students are foreigners, who has obtained valid student visa from the immigration department to study in Goon Institute, Kuala Lumpur. With many years of operation, the institute still maintain a manual system in student’s attendance tracking and lab and library usage. The manual system has created many challenges and issues to the institute, resulting the CEO of Goon Institute, Kuala Lumpur has requested this research to develop a smart card framework and a prototype system on how the system can resolve their current problems.

Realising the benefits of smart card usage at the higher learning industries, this research was confident to recommend a good smart card system to Goon Institute, Kuala Lumpur. This research conducted an in-depth study on the smart card study and has developed a conceptual framework and a smart card prototype system based on the recommended conceptual model. The prototype system was named as Electronic Student Tracking System, which a user evaluation was conducted and the users was satisfied with the system and agrees that the system will resolve all their current problems in student attendance, lab and library usage.

ACKNOWLEDGEMENT

Writing this research was not an effort of one. It took a great deal of input and support of many other people to complete this research.

During the process of writing this research, many people have given their invaluable support, help and encouragement. In this acknowledgments section, firstly, I would like to thank GOD for his consent and giving me the courage and strength to complete my thesis.

Secondly, I would like to thank my supervisor, Associate Professor Salimah Mokthar, for her invaluable guidance, supervision and advice in the preparation and completion of this research. I am grateful for her continued support throughout the completion of the research.

I would like to thank the interviewer, Mr. Thomas Mathew, the Chief Executive Officer of Goon Institute, Kuala Lumpur for allocating their time and imparting their experience in the interview session.

I would like to express my gratitude towards the students and staff of Goon Institute, Kuala Lumpur who have filled out my questionnaires and users evaluation of my system.

Finally, I would like to thank my parents, sister and my dearest boyfriend, for all their never ending support, finance and for the time they have invested in this thesis.

TABLE OF CONTENTS

List of Tables xiv

Chapter 1: Introduction 1

1.0 Background Study – Smart Card and Education Industry 1

1.1 Problem Statement 4

1.2 Research Objective 6

1.3 Scope of Research 7

1.4 Significance of the Research 8

1.5 Research Methodology 8

Chapter 2: Literature Review 11

2.0 Introduction 11

2.1 Fundamentals of Smart Card Technology 11 2.1.1 Smart Card Definitions 11

2.1.2 Smart Card Life Cycle 13

2.1.3 Smart Card Technologies 14

2.1.4 Microprocessor Chip Card 15

2.1.5 How Smart Card Works 17

2.1.6 Smart Card Communication Method with Readers 18

2.2 Common Industrial Practice on Smart Card Application 20 2.3 Common Smart Card Application at Institutions of Higher Learning 28 2.3.1 University Utara Malaysia (UUM) 28

2.3.2 Multimedia University (MMU) 31

2.3.3 Florida State University 33

2.3.4 University of Nottingham 35

2.3.5 Summary of Integrated Smart Card across Campus 37

2.4 Conclusion 38

Chapter 3: Methodology 39

3.0 Introduction 39

3.1 Smart Card Solution Framework for Goon Institute, Kuala Lumpur 40

3.2 Methodology to Implement Smart Card at Goon Institute,

Kuala Lumpur 43

3.2.1 Chosen Methodology - The Spiral Model 45

3.2.1.1 Customer Communication 46

3.2.1.2 Planning 50

3.2.1.4 Engineering 52

3.2.1.5 Construction & Release 53

3.2.1.6 Customer Evaluation 55

3.3 Conclusion 55

Chapter 4: Analysis, Design & Implementation 56

4.0 Introduction 56

4.1 Analysis of Current Processes for Attendance, Lab and Library

Usage 57

4.1.1 Current Registration Process 58

4.1.2 Current Attendance Process 59

4.1.3 Current Library Usage Process 60

4.2 Design of Smart Card Processes for Attendance, Lab and Library

Usage 62

4.2.1 Student Registration Process 62

4.2.2 Student Attendance Process 63

4.2.3 Lab Usage Process 64

4.2.4 Library Usage Process 67

4.3 Implementation of Smart Card Prototype at Goon Institute,

Kuala Lumpur 69

4.3.1 Electronic Student Tracking System – Student Registration 70

4.3.2 Electronic Student Tracking System – Student Attendance 72

4.3.3 Electronic Student Tracking System – Student Library

Usage 73

4.3.4 Electronic Student Tracking System – Student Lab Usage 76

4.3.5 Electronic Student Tracking System – Administration

4.4 Conclusion 81

Chapter 5: User Evaluation 82

5.0 Introduction 82

5.1 Evaluation Methodology 83

5.2 Prototype Testing Evaluation Results 85

5.2.1 General Evaluation Results 85

5.2.2 System Functional Evaluation Results 88

5.3 User Perspective Evaluation 90

Chapter 6: Conclusion 92

6.0 Introduction 92

6.1 Research Accomplishment Reviews and Findings 92

6.2 Contribution and Achievement 93

6.3 Dissertation Constraints 94

6.4 Suggestion for Future Work 95

6.5 Conclusion 95

Appendix A – Interview Questions 96

Appendix B – User Evaluation Form 98

Appendix C – User Manual 105

Appendix D – Data Flow Diagram 116

LIST OF TABLES

Table Page(s)

Table 3.1 Smart Card Framework Roles & Responsiblities 41

Table 5.1 General User Evaluation 83

Table 5.2 General User Evaluation Scoring 84

Table 5.3 User Feedback on General Evaluation 85

Table 5.4 User Feedback on System functionalities 88

LIST OF FIGURES

Figure Page(s)

Figure 1.1 Smart Card from University of Cambridge 2

Figure 2.1 Smart Card Life Cycle: An Overview 13

Figure 2.2 A smart card system 17

Figure 2.3 Summary of Integrated Smart Card Across Campus 37

Figure 3.1 Smart Card Solution Framework – Conceptual Overview 40

Figure 3.2 Smart Card Solution Framework – Technical Overview 42

Figure 3.3 Spiral Model 44

Figure 4.1 Current Goon Institute, Kuala Lumpur activities 57

Figure 4.2 Current Goon Institute, Kuala Lumpur Registration Process 58

Figure 4.4 Current Goon Institute, Kuala Lumpur Library Usage Process 60

Figure 4.5 Current Goon Institute, Kuala Lumpur Lab Usage Process 61

Figure 4.6 Student Registration Process 62

Figure 4.7 Student Attendance Process 63

Figure 4.8 Student Printing Process 65

Figure 4.9 Student Lab Usage Process 66

Figure 4.10 Student Borrowing Books Process 67

Figure 4.11 Student Returning Books Process 68

Figure 4.12 Admin Login Screen 70

Figure 4.13 Smart Card Registration 71

Figure 4.14 Load Prepaid Screen 71

Figure 4.15 Load Monitory Value in Smart Card 72

Figure 4.17 Registration of New Book for Library 74

Figure 4.18 Student Login Screen 74

Figure 4.19 Search for Books Availably in Library 75

Figure 4.20 Return Of Library Books 76

Figure 4.21 Booking of Lab 76

Figure 4.22 Amount Deducted to Pay for Lab Usage 77

Figure 4.23 Pin Number Generated for Lab Usage 78

Figure 4.24 Courses Offered 78

Figure 4.25 Subjects Offered Based on Course 79

Figure 4.26 Name of PCs in Lab 79

Figure 4.27 Attendance Details 80

CHAPTER 1: INTRODUCTION

1.0) Background Study – Smart Card and Education Industry

Smart card technology has been around for more than 30 years. Since its first introduction into the market, smart card was used for the payphone system. As card manufacturing cost decreases, smart card usage has expanded to other industries including manufacturing, telecommunications, retail and banking (Casset and Lanet, 2002)

In 1968, German inventor Judge Dethloff along with Helmet Grotrupp filed a patent for using plastic card as a carrier for microchips. Smart cards are the youngest members of the plastic card family. A smart card is a plastic card usually similar in size and shape to a credit card, containing a microprocessor and memory that allow storage and process of data (Merckling and Anderson, 1994).

Fundamentally, a smart card is a plastic card with a microprocessor chip embedded into it. The card looks like a normal credit card except for its metal contact (in contact card only), but applications performed could be totally different. Smart Cards are different from an ordinary magnetic strip cards in their ability to process as well as to store data. Currently, smart cards are being widely used for higher security in terms of building access control, logical access to computer system or applications and two-factor authentication for online transactions. The term “smart card” has different meanings in different books because smart cards have been used in different applications (Whinston and Choi 2004).

Education industry is one of the growing industries that has adopted smart card. Among the most reputable universities that use smart card include University of Cambridge, University of Ottawa, University of Nottingham and Florida State University.

In University of Cambridge, the smart card or better known as the university card looks like a credit card containing the cardholder's name and photo, college scarf (students, Fellows and College members only), date of birth (undergraduates only) plus a barcode that is primarily used for university library borrowing. Since June 2003, the Card Office has issued two types of University cards. They look identical but one contains a TDSi strip and the other contains both the TDSi strip and smart chip. These technologies can be used for a number of purposes including access to buildings, use of catering services, PC and web access or use of photocopying facilities (Cambridge University, 2003).

Figure 1.1: Smart Card from University of Cambridge

(Adopted from: Cambridge University, 2003)

However, University of Ottawa (U of O) campus has become a smart campus in more ways than one. The programme, specialized to U of O’s Reprography Service, utilizes a common electronic purse. This technology includes the implementation of Unattended Point of Sale (UPOS) terminals for printer and copier applications that accept the smart cards. In the back office, the transaction processing and settlement software should provide instant reporting and settlement details (Ottawa University, 2002).

In University of Nottingham, smart cards are required for staff, students and associates. Their smart cards are used for identification purpose, library usage and to access the building via a pin number. However, for students, their smart cards also provide proof of identification for the Nottingham University students’ union and membership, voting in the Students' Union elections and obtaining student discounts on and off campus (Nottingham University, 2006).

The development of an innovative identification card, debit card and bank card has earned national recognition for Florida State University. That card has been renamed the FSUCard and now serves as the identification card for faculty, staff, students, and guests of the University. This smart card allows students’ to access their fees, schedules and to enter residence halls. The smart card has assisted the staff to bring up the student’s record when paying fees, to gather information or certify eligibility and to take attendance in large lecture halls (Norwood, 1994).

In conjunction with the benefits of using smart cards, Goon Institute, a growing education institute in Kuala Lumpur would like to implement the usage of smart cards. Hence, this research would develop a smart card application for the institute based on their requirements.

1.1) Problem Statement

Goon Institute, Kuala Lumpur was established in 1936 and was known as one of the pioneer institutes that offers London Chamber of Commerce and Industry (LCCI) and commercial subjects. Currently, Goon Institute, Kuala Lumpur was established with a total number of 300 students and offers various subjects including Information Technology, Accounting, Business and A Level.

In Goon Institute, Kuala Lumpur, most of the students are foreigners. Below are the problems that the institute is facing, for both foreign and local students:

a) As for foreign students, Goon Institute, Kuala Lumpur has received numerous complaints that most students do not attend classes and are suspected to be working during class hours. This is against the Malaysian law, as foreign students have been approved to study in Malaysia under the student visa and they are not allowed to work either full time or part time. Currently, Goon Institute, Kuala Lumpur does not have a system that captures the students’ attendance. Hence, most students forge their attendance by signing on behalf of their friends, who do not attend their classes.

b) Goon Institute, Kuala Lumpur is also facing major problems by foreign and local students in using the library and labs. In the library, there have been numerous cases where books are being borrowed and have not been returned by the students. Besides, according to the library rules, each student can only borrow two books at a time and a fine would be imposed for books that are returned late. This is often overlooked as all these rules are applied manually. As for lab usage, there are cases where students misuse the lab by using the Internet for hours. Therefore, other students are unable to utilise the lab to complete their assignments. In addition, the students have been misusing the printing facilities in printing contents that are not related to their studies. This incurs higher expenses to Goon Institute, Kuala Lumpur in purchasing printing papers and replacing the printer cartridge.

Based on the above-mentioned problems, Goon Institute, Kuala Lumpur has decided to implement a smart card system that would help to reduce their problems and eventually eliminate them. The smart card system is crucial for the institute to closely monitor their students’ attendance to ensure that the students are attending all their classes. The institute would take relevant actions if the students are missing their classes prior being caught by the immigration for working illegally. The detail on how the smart card will resolve the issues on attendance, lab and library usage will be discussed in Chapter 3.

1.2) Research Objectives

Based on the problem statements, Goon Institute, Kuala Lumpur has requested for a smart card prototype system to be developed and shown to the institute to analyse if the prototype system can solve their existing problems prior to deploying the system in their institute. Hence, these research objectives are as follows:

1. Develop a conceptual framework specifically for smart card implementation for Goon Institute, Kuala Lumpur to eliminate the current problems in attendance, library and lab usage.

2. Develop a smart card system (prototype) for Goon Institute, Kuala Lumpur to validate the developed conceptual framework.

3. Conduct a user evaluation to validate if the proposed prototype is workable and can solve their current problems.

1.3) Scope of Research

In order to remain focus on the objectives, it is necessary to limit the scope in some areas.

i. This research is based upon a framework elaborated in Chapter 3 on using a smart card for Goon Institute, Kuala Lumpur.

ii. Currently the development of this prototype is concentrated on a small level tertiary education institute called Goon Institute, Kuala Lumpur. The reason for this choice is the CEO, Mr. Thomas Mathew would like to implement the system in this college to mainly monitor students’ attendance. This research will only develop a prototype that will serve as a benchmark for Goon Institute, Kuala Lumpur to develop the whole system for their institution.

iii. The prototype will only concentrate on the three main functions mentioned under the summary of integrated smart card across campus. Any other functions such as the intention of Goon Institute, Kuala Lumpur to develop a system that allows distance learning that would be considered for future enhancement.

iv. Even though there are other sophisticated security related technology, smart card is still the chosen one for the due facts of its cost effectiveness and it is a successful and widely used technology in Malaysia. Further more, the CEO prefers smart card, as it is less complicated and an effective cost solution.

1.4) Significance of the Research

Currently, the student’s attendance, lab and library usage are done manually. Although all students have their own student cards, the card is merely used as an identification when the students are in the institute but the card does not have any microprocessor chip that can be used in an automated system for attendance, lab and library usage. Therefore, the significant of this research is to develop a conceptual framework for Goon Institute to automate the student attendance, lab and library usage by using a smart card. This research will develop a working prototype to illustrate on how the conceptual framework would be able to solve the current problems in the student’s attendance, lab and library usage.

1.5) Research Methodology

This research uses various methods to develop the conceptual framework and prototype that solve the current problems. Among the methods used are:

i. Web Based Resources

There are various journals and conference papers available in the Internet on smart card technology. Hence, investigation on the current technology of smart card and the justification of recommendations are referred by the journals and conference papers from the Internet.

ii. Interview with CEO, lecturers and students of Goon Institute, Kuala Lumpur.

The objective of this interview is to understand the current problems and to investigate the requirements for the implementation of the smart card system.

iii. User Evaluation.

A User Evaluation will be conducted once the prototype has been developed for Goon Institute to evaluate if the prototype has met their expectation and can the prototype resolve their current issues.

1.6) Report Organisation

Fundamentally, this research is divided into six chapters, which are described as follows:

Chapter 1: Introduction

Chapter 1 covers the overview of dissertation including problem statement, research objective, research scope and development statement.

Chapter 2: Literature Review

Chapter 2 includes literature review on the fundamentals of smart card technology and definition of various smart card technologies. A part of that, the life cycle of a smart card and the common industrial practice on a smart card application in higher learning institutes.

Chapter 3: Methodology

Chapter 3 includes a detail explanation on the steps and method used to achieve the research objective. Included in this chapter is a framework that explains the implementation of smart card for Goon Institute, Kuala Lumpur.

Chapter 4: Implementation

This chapter conducted a detail analysis on the current processes and their problems. Once the problems have been identified, new processes have been designed and develop a working prototype for Goon Institute, Kuala Lumpur

Chapter 5: User Evaluation

Once the prototype was developed, it is vital for us to analyse that the recommended model has achieved users satisfaction and needs. Therefore, a user evaluation was conducted by allowing users to use the prototype and evaluate if the system has achieved the research objective.

Chapter 6: Conclusion

Finally, this research ends by discussing our research accomplishment; its strength, weaknesses and our suggestion for future work in Chapter 6.

CHAPTER 2: LITERATURE REVIEW

2.0) Introduction

As explained earlier in chapter 1, the objective of this research is to demonstrate and develop a smart card system (prototype) for Goon Institute, Kuala Lumpur based on a framework to be used in their library, lab, class attendance and student registration.

2.1) Fundamentals of Smart Card Technology

This section investigates the basic concept of smart cards and defines the related technologies for this research to have an in-depth knowledge of the smart card technology. In addition, this section will also conduct a case study on various higher education industries that has implemented smart card to understand the common areas that smart card is being used in the education industry.

2.1.1) Smart Card Definitions

Fundamentally, this research identifies that there are various definitions given for a smart card. Among the definitions given are as below:

a) “A smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use.” (Merckling and Anderson, 1994)

b) “Smart card is a digitally encoded card, similar to a credit card, usually containing a variety of information about the individual(s) authorized to use it. The information can be accessed by a card reader into where the card is inserted. The information may include access codes for authentication, account numbers including merchant and banking account numbers, and electronic cash.” (Farrow, 2002).

c) “Any plastic card (like a credit card) with an embedded integrated circuit for storing information. Smart cards are being incorporated into soldier's dog-tags and used to store hospital patients' medical records. By this way they are always instantly accessible. Other uses are as a form of token in banking systems. You could store electronic money on the card or less valuable tokens such as those given away by petrol companies which you collect to exchange for free gifts at a later date. The idea being that one smart card is easier to carry around than a multitude of paper tokens. (Whinston and Choi, 2004)

Based on the various definitions, this research summarizes that smart card is basically any plastic card with the size of credit card or ATM card that has a microchip (often referred as integrated circuit card). The microchip will act as a computer, which contain application software and able to record, store and update data. The microchip also contains encryption algorithms, which provide enhanced security in terms of securing the data in the smart card and data transmission from the smart card to other applications. According to Yazid (2003), the microprocessor in a smart card can use the Public Key Infrastructure (PKI) technology to ensure the data confidentiality and date integrity of the data that is transmitted via the Internet. Besides, according to

Bennet (2000), the microchip in a smart card can be used for two-factor authentication for any transaction over the Internet, as it is more reliable and secure compared to username and password. Hence, this research concludes that the smart card is a card that acts as a smart computer, as it has a microchip, which is used to store information and ensure that the information in the card is secured when it is transmitted.

2.1.2) Smart Card Life Cycle

Figure 2.1: Smart Card Life Cycle: An Overview

(Adopted from: Rastogi and Das, 2002)

Figure 2.1 shows the life cycle on how a smart card being developed to be used in a campus. Typically, the smart card manufacturer will only manufacture the plastic card and the chip that embedded into the plastic card. The smart card manufacturer will ensure that the embedded chip has the memory to store data into the chip. Once the smart card is manufactured with an embedded chip, the card will be provided to the card application provider to develop software or better known as Application Protocol

Interface (API) to allow the read and write functions of the smart card. Once the software is written, the card will be given to an authorised card issuer to sell the card and the API. The campus will buy the card and the API from the authorised card issuer for their campus students’ usage. The campus also will monitor the expiry and the renewal of the smart card (Rastogi and Das, 2002).

2.1.3) Smart Card Technologies

In general, there are 3 types of embedded chip in a smart card, which are as follows (Whinston and Choi, 2004):

a) Java cards

Java cards specification enables Java technology to run on smart cards and other devices with limited memory. Most of telecommunication providers use this type of card for their cellular phone system.

b) Memory Cards

The chip acts as a memory storage device. Most usage of this card type is for phone cards and tickets. The cards are stored with rechargeable values and can be used many times.

c) Microprocessor cards

Smart cards with a microprocessor chip can function as a processor or operating device that offer multiple functions including execute data processing, compute complex calculation, perform encryption for data security and stores data in accordance with its operating system, acting like a PC with a hard drive.

Although all three types of smart card is available in the market, this research will recommend Goon Institute, Kuala Lumpur to use microprocessor card due to the fact that Goon Institute, Kuala Lumpur requires a multi-application smart card with higher storage capacity that interacts with the lab, library and attendance systems. In addition, since Goon Institute, Kuala Lumpur may venture into distance learning programs in future, it is important for Goon Institute, Kuala Lumpur to use microprocessor cards as it provides a higher security in terms of student’s authentication and data confidentiality. Hence, this research will only address the technology involves in the microprocessor chip and how is the smart card works in general.

2.1.4) Microprocessor Chip Card

In a microprocessor chip card, there are three main elements (Dhar, 2000):

a) A Central Processing Unit (CPU), Read Only Memory (ROM)

The CPU and ROM contain operating system or command set controls all communication between the chip and the outside world. The ROM is masked or written during production by the semiconductor manufacturer and once written, cannot be altered.

b) Random Access Memory (RAM)

RAM is used as a temporary storage register by the chip’s microprocessor. For example, when a PIN is being verified, the PIN sent by the terminal/PIN pad is temporarily stored in RAM.

c) Electrically Erasable Programmable Read Only Memory (EEPROM) that is used for the storage of user data.

EEPROM is the read/write memory for the storage of data. Access to the EEPROM memory is controlled by the chip’s operating system, and may contain data such as a PIN that can only be accessed by the operating system. Other data, for example, a card’s serial number, can be written to EEPROM during card manufacture. Most of the EEPROM memory is used to store user data such as the users identity card number, demographic information and transaction record that can be rewritten many times.

A commonly used microprocessor chip card would have its operating system stored in ROM. The operating system or command set would respond to commands, such as “read a record,” “write a record,” and “verify PIN,” sent to the card by a terminal. Information such as fund balances, card serial number, and demographic information are stored in EEPROM (Dhar, 2000). According to Itoi (2000),the CPU performs all processing functions, such as encryption, while RAM serves as a temporary register for information. During PIN verification, the PIN is temporarily stored in RAM. Since RAM memory is volatile, as soon as a card is powered off, all information stored in RAM is lost.

When evaluating card types for a particular application, the amount of memory in various components is important. The EEPROM capacity of a card is critical because a larger capacity EEPROM can store a greater number of application records and transaction files. The amount of ROM is also important because a larger capacity ROM contains a more sophisticated operating system, which facilitates complex card

and system operations. There is also a relationship between ROM and EEPROM in some cards because several vendors allow custom code extending the ROM’s operating system to be written in EEPROM. While this technique increases the card's functionality, it decreases the amount of EEPROM available for application and transaction storage (GSA, 2000).

2.1.5) How Smart Card Works?

Figure 2.2: A smart card system

(Farrow, 2002)

Figure 2.2 shows that all smart cards communicate with a host (e.g.: personal computers) by interfacing with the host through a reader / encoder terminal, which is a read/write device for the host to read information from the smart card and also write new information into the smart card (Farrow, 2002). Similar to an ATM machine, to use a smart card, users simply insert the smart card in a reader and provide a PIN or password as an additional protection to authenticate if the legitimate user is using the smart card. Once the PIN number is validated, the smart card allows a terminal to access the information in the smart card (Merckling and Anderson, 1994). However, the smart card will not allow the terminal to read or write all the information in the smart card. The security software in the smart card will confine certain operations, which involve users’ confidential information such as user’s private key and digital certificate. In other words, all computation involving user’s private key or digital

Reader / encoder Terminal Smart Card Host Data transmission Data transmission Reader / encoder Terminal Reader / encoder Terminal Smart Card Host Host Data transmission Data transmission

certificate will be processed internally within the smart card. Hence, the confidential information is secured as the information never leaves the smart card and only the legitimate user has the access to the information. This provides a strong authentication method especially when a user is communicating in an open network such as the Internet. Finally, once a user has completed the transaction, the user will remove the smart card from the reader and keep it in a safe place (Farrow, 2002).

2.1.6) Smart Card Communication Method with Readers

As mentioned earlier, all smart cards will interface or communicate with a host through a read/write device, called as a reader. There are four essential methods of communicating between the smart card and the reader:

a) Contact Cards

A contact card requires the smart card to be inserted into a reader, which is physically connected to a host. When a contact card is inserted into a reader, the reader will establish a direct electronic contact with the chip in the smart card (Dhar, 2000). Contact cards are generally used for applications that require higher security such as banking and logical access to personal computers. Hence, contact card uses Public Key Infrastructure (PKI) to ensure that confident information of the users are encrypted and securely stored in the smart card (Toji and Wada 2003).

b) Contactless Cards

Contactless smart cards interact with a reader through remote data transfer using radio frequency. The contactless cards contain a chip and the reader will read the information and the card is placed within 10cm or about four inches from the smart card reader. Contactless cards are usually used for functions that require higher speed and ease of throughput such as office building access and scanning machines collecting payment for motorway tolls or parking (Dhar, 2000).

c) Hybrid Cards

Hybrid card generally refers to cards that have both contact and contactless interface. The contact interface is used by the microprocessor chip module and the contactless interface is used by the memory chip module. The hybrid cards are designed to support multi-technology, combining various technologies that are used for different purpose. Generally, the microprocessor chip in a hybrid card will be used for data storage and magnetic strip is used for office building access control (GSA, 2000)

d) Combi-Cards

A combi-card (sometimes known as a dual-interface card), on the other hand, incorporates contact and contactless capability into a single chip. Contact and contactless communications can interface with the same memory within the card. Therefore a single processor supports multiple interfaces such as for data storage and building access control (Rastogi and Das 2002).

2.2) Common Industrial Practice on Smart Card Application

Section 2.1 investigates the smart card technology in general. In this section, this research will study the common functionalities that are involved in a smart card. This section will provide an in-depth knowledge on the smart card functionalities and will help this research to identify the functionalities that can be used for smart card implementation at Goon Institute, Kuala Lumpur.

According to Cobb (2004), smart card application has been used in many industries including health, banking, entertainment and transportation. According to a report produced by National ICT Security and Emergency Response Centre (NISER) in 2002, the worldwide smart card market is expected to grow to $7 billion by 2006 due to the expanding capabilities of the smart card functions. Based on this research investigation, below are the examples of smart card functions commonly used an industry.

a) Identification

Basically, a smart card can be used as an identity card to authenticate the identification of a person. Employee badge is one that is commonly used by most organization for personal identification, as the smart card will have the basic information of a user in the smart card chip including name, age, date of birth, height and blood group. The smart card also will have a digitised photo attached on the smart card to verify that the legitimate user is using the smart card. Smart cards, that has basic information of the user is normally used in manufacturing

industries to authenticate physical entry of the user into a building (Casset and Lanet, 2002).

Besides embedding basic user’s information, smart card also can be used in applications that require higher identification security. This is done by embedding the cardholder’s digital certificate and private key into the smart card chip. The chip can provide higher secure identification, as the digital certificate acts as online passport that verifies the identity of the cardholder and authenticate if the user is authorized to use an application. Moreover, the smart card also holds the cardholder’s private key, which is used to digitally sign electronic documents or transactions. This allows an application to ensure that a document has been validated and approved by an authorized user (Pleunis and Stala, 2004).

b) Physical Access Control

The smart card can be used as a part of an automated system that controls the individual's ability to access a physical location such as a building, parking lot, office, or other designated physical space. By implementing a physical access control through a smart card, an organization can achieve the followings (Josang, 1995):

Control and assign access Privileges

An organization can control the access privileges of a person through a single smart card. For example, a finance industry can control the physical access of a person through his or her smart card. Typically, the managers of the finance industry will be authorized to use the car park and physical

access to all the departments including marketing, human resource, sales and store. On the other hand, the executives’ physical access may be restricted by only those authorised to enter the building and certain departments according to their jobs and roles in the firm. The different level physical access can be controlled by writing the access privileges of their staff into their smart card. Hence, the organization will be able to control the staff access privileges based on their authorization.

Track/audit accesses

As smart card physical access can be monitored as each transaction from a smart card will be updated in a log of a system. This will ease an organization to audit or track the log file to identify the list of the individual who has steps in and out of a building when a fraud has taken place in the organization.

Generate access reports

Based on the log file that tracks the accessibility of a person, an organization can generate reports for their tracking or documentation purpose. In most cases, the organization will use the smart card to monitor whether their staff clock in and clock out of the office.

c) Logical Access Control

The smart card can be used as part of an automated system that controls an individual's ability to access one or more computer system resources such as a

workstation, network, application or database. Computer system security generally encompasses three functions (Whinston and Choi 2004):

Data Security

Data security schemes utilize mechanisms, such as data encryption to protect information

Authentication

Authentication techniques are used to prove the identity of an individual and provide access

Access Control

Access control techniques are used to manage and control an individual’s privileges to access workstations, databases, host systems, and other networks.

The tremendous expansion of interest in Internet access has generated increased concern over the security of data transmission and user authentication. This has introduced two-factor authentication, which uses the username and password and the smart card access with PIN number has been a wide focus remote access applications, such as home banking, wireless systems and satellite-based systems. Hence, currently smart cards have been widely used in many industries to provide a secure and portable authentication token for secure logical access (Yazid, 2003).

d) Biometrics

According to RSA Security Inc report, Three-Factor Authentication, which is by using biometrics, is the strongest form of authentication practiced in the market (Willough, 2001). Biometrics involves the measurement of a unique biological feature used to verify the claimed identity based on a physiological or behavioural characteristic. The physiological characteristics measure a physical feature such as a fingerprint or face. The behavioural characteristics measure a reaction or response such as a signature or voice pattern. The biometrics available under the Smart Cards includes (Burr, 2004):

Fingerprint Scan.

The fingerprint is one of the most widely used biometrics in most countries government. For example, the US Departmental of Defense is currently using the fingerprint biometrics to authorize for an individual to access the confidential information. Besides, the Employment Provision Fund (EPF) in Malaysia is using the fingerprint that is embedded in the identity card of a person to request for their EPF statement.

Fundamentally, the use of a fingerprint requires that the user place one or more fingers on a platen on the fingerprint scanner. The scanner will capture the fingerprints and convert them to templates that will be used for verification against the fingerprint that is stored in a chip of a smart card.

Hand Geometry

Hand geometry is not a common biometrics used by an organization. Currently, this biometrics is being used by the Departmental of Energy of United State (US). Hand geometry system uses the optical systems to map key geometrical features of the topography of a hand to verify an individual’s identity. Hand geometry technology uses a number of different measurements to create the template and the readings may include measuring finger length, skin translucency, hand thickness, and palm shape.

Facial Recognition

Facial recognition is commonly used by several motor vehicle departments in US to provide identity authentication in the issuing of drivers’ licenses. Facial recognition is based upon comparison of the characteristics of a life scan of a face against a stored template of facial characteristics in the smart card.

Biometrics is typically used in two approaches (Basu and Muylle 2003):

i) A one-to-many identification search

A one-to-many identification is performed by searching a database against a fingerprint, iris scan, etc. The search may include the entire biometric database, or it may be set to designated parameters, such as, “search all female fingerprints.”

ii) A one-to-one verification match

A one-to-one verification is performed by matching the biometric against a specified biometric template. The template can be stored in a database and/or on a

smart card. If stored on a smart card, it becomes a form of portable identity verification.

A one-to-many search against the database ensures that one and only one card is issued to an individual. When an iris or facial pattern stored on the card is matched using a one-to-one verification against the unique biometric identifiers held by the person, the system is assured that the correct person has correct access.

Generally, the Smart Card will use the one-to-one verification. To use the smart card in this way, there must be secure means to bind the biometric to the smart card and to ensure that the biometric is properly attributed to the correct individual. One approach advocates placement of authentication information, including the biometric template, in an attribute certificate that is placed on the smart card when the user is enrolled in the system and issued the card. The attribute certificate functions similarly to a digital certificate (and, in fact, can be a component of the digital certificate). In this approach, the identity of the cardholder is verified by an independent entity (typically a Registration Authority) that performs identity proofing and takes a life scan of the person’s biometric. The live scan is translated into a biometric template, which is placed in an attribute certificate, when an Attribute Authority issues it.

The Attribute Authority performs the same certificate issuance and verification functions for an attribute certificate that a Certification Authority performs for a digital certificate (and, in fact, a single Certification Authority could perform the same functions for both an attribute and a digital Certificate).

The attribute certificate can be retrieved from the smart card by any system component or application to authenticate the user’s identity. The system component or application verifies first the signature of the certificate, and then the authentication information via the means specified in the certificate (depending on the type of biometric template contained in the certificate). While this approach to binding the biometric to the smart card is highly secure, it is also costly to put in place the infrastructure needed to verify the authenticity of the attribute certificate. Therefore, agencies with lower levels of risk may choose to implement biometrics without the use of an attribute certificate.

The issues concerning the security of physical locations, computer access, and access to large dollar funds have great complexity. Smart card technology, in combination with biometrics, offers some of the greatest levels of security available. Those agencies with higher-level security needs should consider the use of biometrics.

Based on the above smart card functionalities, identification, physical access control and logical access control will be the three functionalities that will be most suitable to be implemented at Goon Institute, Kuala Lumpur. Identification and physical access control can be used for student’s attendance and library usage, as the functions are able to store the attendance and library usage (borrowing and returning books) data into a database and able to generate report for monitoring purposes. On the other hand, the logical access control is useful for lab usage as the lab administrator is able to control the usage of Internet and printing facility. This research will not recommend biometrics at this stage, as it may be too expensive for Goon Institute to

implement and maintain a biometrics technology at their institute. Besides, the CEO of Goon Institute, Kuala Lumpur, Mr Thomas Mathew has mentioned that he prefers to deploy smart card application compared to biometrics due to the medium set-up of the Institution and the high cost involved in biometrics implementation. Hence, identification, physical access control and logical access control are the most suitable functionalities to be implemented in Goon Institute, Kuala Lumpur.

2.3) Common Smart Card Application at Institutions of Higher Learning

Section 2.2 investigates the common functionalities in a smart card that basically can be used in all industries. This section will study the common smart card applications that are being used in the Institutions of Higher Learning. The knowledge gained from this section will help to identify the applications that can be implemented in Goon Institute and to assist this research to develop the smart card conceptual framework for Goon Institute, Kuala Lumpur. Among the research done for smart card implementation includes some renowned universities including University Utara Malaysia, Multimedia University, Florida State University and University of Nottingham.

2.3.1) University Utara Malaysia (UUM)

University Utara Malaysia (UUM) smart card application is better known as the University Multipurpose Card (UMPC), is a multi-purpose card catered to be used by the entire community of UUM including the students, lecturers and the staff of UUM. The smart card at UUM has two vital roles:

Basically, the multipurpose card is used by the students and UUM staff as a form of identifications and used for UUM applications. The functions of the multipurpose card used at the university are listed below:

i) Identification Card

The smart card acts as a matrix card for students and ID card for staffs, which store the owner’s personal, academic and medical information. The identification card will also be used for door access to enter the campus, library and lab rooms.

ii) Library System

The smart card will interact with the library system for borrowing books, payment of fines and keep an audit log on books that have been borrowed

iii) Staff attendance System

The staff is required to insert their smart card when they come to work and when they attend classes. The system will capture the time their smart card is being inserted and generates report for tracking and monitoring of staff attendance.

iv) Medical System

The smart card acts as an interface with the medical system. The students and staffs need to swipe their smart card when they visit the campus clinic.

b) Multipurpose Card to be used for Banking

The multipurpose smart card can also be used for conducting banking transactions. Among the functions used for the banking purposes are as below:

i) ATM

The multipurpose card is catered to conduct transactions at bank ATM machines including cash withdrawal, fund transfer, internet bank registration, SMS banking registration and utility bill payment

ii) e-Debit

The UUM staff and students are able to conduct electronic funds transfer at point of sale, whereby they can pay their purchase by using their UMPC and Personal Identification Number (PIN). This is done by deducting directly from their saving account when the staff or students purchase from their smart card using the e-debit service.

iii) MEPS Cash

MEPS cash is an e-Purse application in the UMPC. Basically, the UMPC can load some monetary amount into the smart card from the ATM machine and can use the amount for small amount purchase.

2.3.2) Multimedia University, Malaysia (MMU)

The Multimedia University (MMU), Malaysia smart card holds different types of information in electronic form with sophisticated security mechanism. The smart card has all three technologies embedded into a single smart card, which are the contact chip, contactless chip and the magnetic ship. The smart card has two main functions:

a) Financial Applications

Among the financial applications in the smart card includes the following: i) Electronic Purse

The smart card is able to store certain amount of monetary value, which the staff and students are able to purchase goods and services by using the smart card

ii) ATM Card

The smart card will also act as ATM card, whereby the owner is able to conduct banking activities on the services available in an ATM bank. This includes withdrawal of money, fund transfer, bill payment and so forth.

iii) Touch N Go

The MMU smart card can also be used at Touch N Go. Similar to MYKAD, the MMU smart card is able to store some monetary values in the smart card and the contactless chip enables the smart card to be used at any Touch N Go services including the highways, LRT stations and bus terminals.

iv) Debit Card

MMU smart card also will interface with the saving account of the MMU staffs and students. This enables the staff and students to use their smart card to purchase small amount of purchases and the money will be deducted directly from the savings account.

b) Non – Financial Applications

As for non financial applications, the MMU smart card has the following functions:

i) Access Control System

The access control system is authorization system which integrates with MMU door access existing system to allow authorized person to enter certain premises. MMU staff and students will need to use their smart card to enter the any of the premises (i.e.: classroom, lab, library, etc) within the MMU campus and this allows the campus to control and monitor the access of the staffs and students to the MMU premises.

ii) Time Attendance System

Time attendance system is a attendance system used by the MMU staff and students. The staff and students will need to swipe in and out their smart card when they enter or leave a class or lab. This enables the MMU management to keep track of the staff and students attendance to their classes.

iii) Parking Management System

The parking management system controls the cars entering a parking lot. Basically, MMU staff and students will need to use their smart card to swipe for them to enter the car park. The parking management system will authenticate the staff and students validity of entering the car park when they swipe the smart card and will not allow invalid users to enter.

iv) Booking Facilities

The smart card is also used for the staff or students to book a meeting room and books at the library. A staff or student must insert their card in the library or meeting room and the booking system will automatically book the requested book or room by extracting the usernames from the smart card and register the time and date of booking.

In addition to the above non financial system, MMU smart card also has similar functions as UUM, which the smart card can be used as an identification system to be used in at the library for borrowing and returning books and finally for medical system.

2.3.3) Florida State University, USA

The Florida State University smart card is called FSUCard. Fundamentally, the smart card system functions the same as UUM and MMU for financial and non-financial system. This includes that the FSUCard will be used as a form of identifications, used at the library for borrowing books, keep track of the attendance of the lecturers and

students, withdrawal from ATM, e-Debit and e-Purse. However, in addition to the standard smart card applications, the FSUCard has the following functions:

a) Transfer Financial Aid

The FSUCard enable financial aid easily to students by allowing their scholarships, grants, and student loans, electronically transferred to their FSUCard Account. This can be done when students’ apply for the FSUCard Account services and when they first enroll into the university and holder the scholarships provider the account number for them to directly bank in FSUCard account. The account will have a Disbursement Authorization Statement for the students to keep track of the money in the account.

b) Automatic Payment of Course Fees

Once the FSUCard account has been opened, the students can choose to pay their course fees electronically. Basically, the fund must be available at the FSUCard account for the student to swipe their card at the University Bursary to pay their course fees. This provides convenience for both the university and the students and the process of course fees payment is fast and easy.

c) Payroll Deduction

The FSUCard also allows the university staff to authorize a specific amount to be directly deposited from their paycheck into their FSUCard account. This is a convenient way for them to purchase any item in the campus such as books and lunch and also to local merchants for including paying their bills and buying groceries for their houses by simply using the smart card or FSUCard.

2.3.4) University of Nottingham, UK

The smart card system was implemented at the University of Nottingham in the late 2006. The smart card applications has the basic functions, which is divided based on staffs card, students card and associate cards.

a) Staffs Card

Staff card only has the functions of door access information. Basically, when the staff card is produced at Door Access rights, the access rights will automatically be added into the staff card. This process will permit the staff with the access rights appropriate to their School, Department and Faculty. If the card does not provide building access, it is likely that the staff is not given the authorised rights to enter that location.

b) Students Card

The student smart card has two main functions, which are library card and building access card. The library cards allow students to enter to the library system and use the smart card to borrow books. As for the building access card, certain buildings on campus require a University smart card to gain entry. Many computer rooms, for example, can be accessed 24 hours a day by using your University smart card.

c) Associate Card

The Associate Card may be issued at the discretion of the Director of Estate Management to individuals who have a formal association with the University of Nottingham (i.e. Emeritus Professor, Special Professor, Chaplin, Members of Council etc) but who do not have a staff contract of employment with the University of Nottingham.

The Associate Card will provide them with access to the buildings or specialist facilities controlled by the electronic access control system and also allow them to make use of the Library's services.

2.3.5) Summary of Integrated Smart Card across Campus

Integrated Smart Card Across Campus

UniversityUtara Malaysia

• _{Identification Card} • _{Library System}

• _{Staff attendance System} • _{Medical System}

• _{Multipurpose Card to be used for} Banking

• _ATM • _e-Debit • _{MEPS Cash}

Multimedia University, Malaysia

• _{Electronic Purse} • _{ATM Card} • _{Touch N Go} • _{Debit Card}

• _{Access Control System} • _{Time Attendance System} • _{Parking Management System} • _{Booking Facilities}

University of Nottingham, UK

• _{Staffs Card - door access} information.

• _{Students Card - library card and} building access card.

• _{Associate Card - access to the} buildings or specialist facilities and Library's services.

Florida State University, USA

• _{identifications, used at the}

library for borrowing books

• _{keep track f the attendance of}

the lecturers and students

• _{withdrawal from ATM} • _e-Debit

• _e-Purse

• _{Transfer Financial Aid}

• _{Automatic Payment of Course} Fees

• _{Payroll Deduction}

Figure 2.3: Summary of Integrated Smart Card Across Campus Goon Institute, Kuala Lumpur

• _{To take attendance}

• _{Lab Usage (use of PC and web access)} • _{Library usage}

Based on the above research, it is observed that these institutions have adopted multipurpose smart card that can be used for both campus applications (e.g.: attendance system, library system, door access, etc) and non-campus usage (e.g.: ATM usage, MEPS, e-Debit, Touch N Go, etc). However, none of the above institutions have the functionality to use their multipurpose smart card for their lab usage, which will be one of the main functions for Goon Institute, Kuala Lumpur smart card application.

Although figure 2.3 shows that the smart card can be used for campus applications and non-campus usage, this research will still remain its scope on attendance, lab and library usage for smart card implementation for Goon Institute, Kuala Lumpur. This is due to the requirements from the CEO and lecturers of Goon Institute, Kuala Lumpur to only implement the three main functions (attendance, lab and library usage) and the rest of the functionalities will be considered as future enhancement.

2.4) Conclusion

This chapter has investigated the smart card technology and the common industrial practice in using the smart card. With the in-depth understanding on the technology, this research will next investigate on Goon Institute, Kuala Lumpur requirements and the design to develop the smart card application.

CHAPTER 3: METHODOLOGY

3.0) Introduction

In chapter 2, this research discusses the smart card technology and the common areas of implementation in most industries in general and specifically the Higher Learning Institutions. In this chapter this research is divided in two phases:

a) Development of smart card solution framework for Goon Institute, Kuala Lumpur.

This phase will develop a conceptual and technical smart card framework for Goon Institute, Kuala Lumpur and will discuss the roles and responsibilities of the functions in the framework.

b) Methodology to implement the smart card for Goon Institute, Kuala Lumpur. Based on the conceptual smart card framework, this phase will adopt a methodology to develop and implement the smart card application for Goon Institute, Kuala Lumpur.

3.1) Smart Card Solution Framework for Goon Institute, Kuala Lumpur

As mentioned in the research objective at Chapter 1, this research will develop a conceptual framework to be implemented for Goon Institute, Kuala Lumpur. Hence, figure 3.1 shows that the conceptual smart card framework will be used for smart card implementation at Goon Institute, Kuala Lumpur.

Figure 3.1: Smart Card Solution Framework – Conceptual Overview

Based on the smart card solution framework, the roles and responsibilities of each function are stated in the table below

Central Issuing Authority

Central Repository Registration of Schools

Smart Card Users (Students)

Attendance Library Printing / Photostatting

Smart Card Functions

Central Issuing Authority

Central Repository Registration of Schools

Smart Card Users (Students)

Attendance Library Printing / Photostatting

Table 3.1: Smart Card Framework Roles & Responsibilities Function Roles & Responsibilities

Central Issuing Authority (Admission / Registration division)

The Central Issuing Authority basically issues digital certificates to students’ smart cards and ensures that all certificates are proven secured by issuing digital certificate that uses 128-bit key length of encryption. The 128-bit key length encryption is vital if Goon Institute, Kuala Lumpur would like to venture into e-learning and online payment services in the near future

The division that acts as a central issuing authority can either be the admission or the registration division of the institute, as these two divisions are responsible for registering new and existing students.

Registration Authorities (Individual Faculties)

Registration Authority is the department that is responsible to register new and returning students who are using the students smart card for faculties at the institute (e.g.: faculty of computer science, faculty of law, faculty of accounting, etc). As for new students, each faculty will have to register the students details into a smart card and apply for the student’s digital certificate from the central issuing authority. For returning students, the faculty will need to renew the digital certificate and update the student registration status including registered semester and total subjects that are approved, to register for the semester.

Central Repository (Database)

Repository is a collection of databases containing certificates of the students. Each time a student uses his or her smart card, the system will validate if the student is eligible to use the Goon Institute, Kuala Lumpur facilities by mapping the certificate in the smart card and the certificate in the database. This will allow the institute to restrict unauthorised students to use the facilities. The repository is open and accessible to all students and staff to review the validity of the students certificates in terms of date of renewal and expiry date of the certificate.

Smart Card Users (Students)

Smart card users are basically students who use the institute’s facilities with their smart card. The digital certificate in the student’s smart card will authenticate the students to prove that they are legitimate students, which is confirmed by checking the central repository.

Smart Card Functions

Smart card functions are the activities that are required by Goon Institute, Kuala Lumpur. This includes monitoring the student’s attendance, lab and library usage. The functions can be expanded if the institute wants to implement more functions such as to access buildings, update student’s payment and so forth in the near future.

As Figure 3.1 presents the conceptual overview of the smart card framework, Figure 3.2 shows the technical overview within the smart card framework.

Figure 3.2: Smart Card Solution Framework – Technical Overview

As a single smart card will be used to integrate various processes, Figure 3.2 shows the technical overview of the smart card solution framework. Typically, a smart card will have its own operating system (OS) or data structure. The OS will act as the security system to confine the users’ confidential information including the users private key and digital certificate. In other words, the OS will protect all the confidential information to be processed within the smart card without allowing the

Printing / Photocopying API

Smart Card OS / Data Structure Smart Card API

Smart Card Reader APIs

Existing Legacy System Attendance