Common Access Card


Common Access Card
An example DoD Common Access Card

The Common Access Card (CAC) is a United States Department of Defense (DoD) smart card issued as standard identification for active-duty military personnel, reserve personnel, civilian employees, other non-DoD government employees, state employees of the National Guard, and eligible contractor personnel.

The CAC is used as a general identification card as well as for authentication to enable access to DoD computers, networks, and certain DoD facilities. It also serves as an identification card under the Geneva Conventions (esp. the Third Geneva Convention). The CAC enables encrypting and cryptographically signing email, facilitating the use of PKI authentication tools, and establishes an authoritative process for the use of identity credentials.

Contents

Objectives

The CAC has many objectives, including controlling access to computer networks, enabling users to sign documents electronically, encrypt email messages, and enter controlled facilities. The CAC is issued to all active duty military, Reserves, National Guard, DoD civilians; non-DoD/other government employees and State Employees of the National Guard and eligible DoD contractors who need access to DoD facilities or DoD computer network systems:

  • Active-duty armed forces
  • Reservists
  • National Guard members
  • National Oceanic and Atmospheric Administration
  • United States Public Health Service
  • Emergency-Essential Employees
  • Contingency Contractor Employees
  • Deployed Overseas Civilians
  • Non-Combatant Personnel
  • DoD/Uniformed Service Civilians residing on military installation in CONUS, Hawaii, Alaska, Puerto Rico, or Guam
  • DoD/Uniformed Service Civilians or Contracted Civilian residing in a foreign country for at least 365 days
  • Presidential Appointees approved by the United States Senate
  • DoD Civilian employees, and United States Military veterans with a Veterans Affairs Disability rating of 100% P&T
  • Eligible Contractor Employees
  • Non-DoD/other government and state employees of the National Guard

Future plans include the ability to store additional information through the incorporation of RFID chips or other contactless technology to allow seamless access to DoD facilities.

Technologies

On the front of the CAC, below the picture, is an integrated microchip with 32K (new versions have 64k and 144k) of storage and a PDF417 stacked two-dimensional barcode. On the back there is a magnetic stripe and a Code 39 linear barcode. Upon issue the magnetic stripe is not encoded, but reserved for localized physical security systems.[1][2] The front of the CAC is fully laminated, while the back is only laminated in the lower half (to avoid interference with the magnetic stripe).[3]

Implementation

The CAC is designed to provide two-factor authentication: what you have (the physical card) and what you know (the PIN). The CAC is the size of a standard credit card and stores 64 or 128 kB of data storage and memory on a single integrated circuit. This CAC technology allows for rapid authentication and enhanced physical and logical security. The new CAC cards are said[who?] to be resistant to identity fraud, tampering, counterfeiting, and exploitation and provides an electronic means of rapid authentication.

There are currently four kinds of CAC cards.[4] The Geneva Conventions Identification Card is the most common CAC and is given to active duty/reserve armed forces and uniformed service members. The Geneva Convention Accompany Forces Card is issued to emergency-essential civilian personnel. The ID and Privilege Common Access Card is for civilians residing on military installations. The ID card is for DOD/Government Agency identification for civilian employees.

The Common Access Card is a controlled item. As of 2008, DoD has issued over 17 million smart cards. This number includes reissues to accommodate changes in name, rank, or status and to replace lost or stolen cards. As of the same date, approximately 3.5 million unterminated or active CACs are in circulation. DoD has deployed an issuance infrastructure at over 1000 sites in more than 25 countries around the world and is rolling out more than 1 million card readers and associated middleware.

Currently, it can be used for access into DoD computers and networks equipped with an ExpressCard or USB based smartcard reader. The only approved Windows middleware for CAC is ActivClient - available only to authorized DoD personnel. Other non-Windows alternatives include LPS-Public - a non-hard drive based solution. Also, most intranet web sites require a user to log-in using a CAC to perform certain functions that require stronger credential authentication than a traditional HTTP Basic access authentication.

The program that is currently used to issue CAC IDs is called the Real-Time Automated Personnel Identification System (RAPIDS). The system is secure and monitored by the DoD at all times. Users have to go through a special course and be certified to issue CACs. Different RAPIDS sites have been set up throughout military installations in and out of combat theater to issue new cards.

Objections

There are several objections to the use of this card, including mission capability, and scalability.

Mission capability

While most CAC users remain at the same workstation, an ever-increasing number of government websites are requiring the use of the CAC for authentication. The problem with this approach is that many people who have a legitimate requirement to access these websites, are, by the very nature of their duties, required to access those sites from non-CAC enabled workstations, often while on temporary assignments or deployed, and at workstations over which they have no administrative control, and on which they may be prohibited from installing a CAC reader. Thus, the username/password approach must be kept as a backup to CAC employment for these personnel.

Scalability

The US Army has enjoyed password scalability (also known as Single Sign On [SSO]), or single point access to many SSL-secured websites through its Army Knowledge Online program for several years. However, some authorities believe that password-based logins are obsolete: “Passwords are a flawed technology,” according to Tom Gilbert, CTO of Blue Ridge Networks, "They aggravate the users who have to remember them and the administrators who rely on them to secure their systems." Similarly, “Passwords don’t scale,” said Mary Dixon, director of the Common Access Card Office in the Defense Manpower Data Center.[5] The US Air Force Portal has required a CAC or PKI to enter, disabling user/password access since January 15, 2010. The Air Force Portal also allows some single sign-on capabilities to many other Air Force and DOD sites.

Non-Windows support

The Common Access Card is based on X.509 certificates with software middleware enabling an operating system to interface with the card via a hardware card reader. Although card manufacturers such as Schlumberger provided a suite of smartcard, hardware card reader and middleware for both Linux and Windows, not all other CAC systems integrators did likewise. In an attempt to correct this situation, Apple Federal Systems has done work for adding some support for Common Access Cards to their later Snow Leopard operating system updates out of the box using the MUSCLE (Movement for the Use of Smartcards in a Linux Environment) project. The procedure for this was documented historically by the Naval Postgraduate School in the publication "CAC on a Mac"[1] although today the school uses commercial software. According to the independent military testers and help desks, not all cards are supported by the open source code associated with Apple's work, particularly the recent CACNG or CAC-NG PIV II CAC cards [2]. Third party support for CAC Cards on the Mac are available from vendors such as Centrify and Thursby Software. Apple's Federal Engineering Management suggest not using the out-of-the-box support in Mac OS X 10.6 Snow Leopard [3] but instead supported third party solutions. Mac OS X 10.7 Lion has no native smart card support. Thursby's PKard for iOS software extends CAC support to Apple iPads and iPhones. Some work has also been done in the Linux realm. Some users are using the MUSCLE project combined with Apple's Apple Public Source Licensed Common Access Card software. Another approach to solve this problem, which is now well documented, involves the use of a new project, CoolKey, to gain Common Access Card functionality. This document is available publicly from the Naval Research Laboratory's Ocean Dynamics and Predictions Branch [4]. The Software Protection Initiative offers a LiveCD with CAC middleware and DoD certificate within a browser-focused, minimized Linux OS, called LPS-Public that works on x86 Windows, Mac, and Linux computers.

Common problems

The microchip is fragile and regular wear can make the card unusable. Older cards tended to de-laminate with repeated insertion/removal from readers, but this problem appears to be less significant with the newer (PIV-compliant) cards. Also, the gold contacts on the top of the card can become dirty and require cleaning with either solvents or a rubber pencil eraser.

Frequently, there are issues with using the cards to provide client-side authentication to an SSL/TLS website. Both the client computer and the web server currently need to have a complete set of DoD Certificate Authority certificates in their trusted certificate store, or login will fail. Troubleshooting this can be difficult, since at first glance it appears to users that their computers are set up correctly. In addition, different CAC vendors have posed issues with different card reader systems.

Often blamed on CAC as of late 2008 but actually resulting from other changes is a failure during the SSL "handshake" that results in a failure to access a secured website. DoD websites now should require the use of TLS v1.0 (or SSL v3.1) and refuse connections using SSL 2.0/3.0, due to potential weaknesses in the older SSL standard and corresponding requirements in the Security Technical Implementation Guides. However, many common web browsers (including Internet Explorer v6.x) do not have TLS 1.0 enabled by default, which means the SSL "handshake" cannot complete. This is not a CAC-related problem, but happens at about the point in the login process where the CAC is required, leading to user confusion.

Fixing or replacing a CAC typically requires access to a RAPIDS facility, causing some practical problems. In remote locations around the world without direct Internet access or physical access to a RAPIDS facility, a CAC is rendered useless if the card expires, or if the maximum number of re-tries of the PIN is reached. Based on the regulations for CAC use, a user on TDY must visit a RAPIDS facility to replace or unlock a CAC, usually requiring him to travel to another geographical location or even returning to his home location. The CAC PMO has also created a CAC PIN Reset workstation capable of resetting a locked CAC PIN.

On the device level, contact with Active Directory is required when attempting to access a personal computer with a CAC for the first time. Use of, for example a field replaced laptop computer that was not prepared with the user's CAC before shipment would be impossible to use without some form of direct access to Active Directory beforehand. Other remedies include establishing contact with the intranet via broadband Internet, or even satellite Internet access via a VSAT system when in locations where telecommunications is not available, such as in a natural disaster location. In some cases, the user or technical support is forced to break DoD and other regulations, such as mailing the CAC back to technical support along with the user's PIN, or giving the user the computer's local administrator username and password.

See also

References

External links


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Access control — is the ability to permit or deny the use of a particular resource by a particular entity. Access control mechanisms can be used in managing physical resources (such as a movie theater, to which only ticketholders should be admitted), logical… …   Wikipedia

  • Access badge — An access badge is a credential used to gain entry to an area having automated access control entry points. Entry points may be doors, turnstiles, parking gates or other barriers.Access badges use various technologies to identify the holder of… …   Wikipedia

  • Card — The term card (from Greek χάρτης chartēs , paper, papyrus ), primarily refers to cardboard or a piece of this.More generally, the term can refer to any of various small flat objects, typically made from heavy paper or plastic. In particular: *… …   Wikipedia

  • Card advantage — (often abbreviated CA) is a term used in collectible card game strategy to indicate one player having access to more cards than another player.cite web | last = Knutson | first = Ted | title = Introduction to Card Advantage | publisher = Wizards… …   Wikipedia

  • Common core services — are services that the operating system has to take care of, these are usually administrated by the Kernel of an operating system. These may include:*Memory management *Internet functionality *Network Security features *Library manager *loader… …   Wikipedia

  • Common Interface — Various components of Conditional Access Common Interfa …   Wikipedia

  • Card reader — A card reader is a data input device that reads data from a card shaped storage medium. Historically, paper or cardboard punched cards were used throughout the first several decades of the computer industry to store information and write programs …   Wikipedia

  • Common Scrambling Algorithm — The Common Scrambling Algorithm (or CSA) is the encryption algorithm used in the DVB digital television broadcasting for encrypting video streams. CSA was specified by ETSI and adopted by the DVB consortium in May 1994. Contents 1 History 2… …   Wikipedia

  • Common elements of Final Fantasy — Articleissues cleanup = May 2008 importance = April 2008 refimprove = April 2007Though each Final Fantasy story is independent, many themes and elements of gameplay recur throughout the series. Some spin off titles have cameo appearances of… …   Wikipedia

  • Common-law marriage — Family law Entering into marria …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.