Common Access Card

From Wikipedia, the free encyclopedia

Jump to: navigation, search
An example DoD Common Access Card

The Common Access Card (CAC) is a United States Department of Defense (DoD) smart card issued as standard identification for active-duty military personnel, reserve personnel, civilian employees, non-DoD other government employees and State Employees of the National Guard and eligible contractor personnel.

The CAC is used as a general identification card as well as for authentication to enable access to DoD computers, networks, and certain DoD facilities. It also serves as an identification card under the Geneva Conventions.[1] The CAC enables encrypting and cryptographically signing email, facilitating the use of PKI authentication tools, and establishes an authoritative process for the use of identity credentials.

Contents

[edit] Objectives

The CAC has many objectives, including controlling access to computer networks, enabling users to sign documents electronically, encrypt email messages, and enter controlled facilities. This new DoD identification (ID) card, or CAC, is being issued to all active duty military, Reserves, National Guard, DoD civilians; non-DoD/other government employees and State Employees of the National Guard and eligible DoD contractors who need access to DoD facilities or DoD computer network systems:

  • Active-duty armed forces
  • Reservists
  • National Guard members
  • ROTC Cadets (but not NROTC midshipmen or AFROTC cadets)
  • National Oceanic and Atmospheric Administration
  • Public Health Service
  • Emergency-Essential Employees
  • Contingency Contractor Employees
  • Deployed Overseas Civilian
  • Non-Combatant Personnel
  • DoD/Uniformed Service Civilians residing on military installation in CONUS, HI, AK, Puerto Rico, or Guam
  • DoD/Uniformed Service Civilians or Contracted Civilian residing in a foreign country for at least 365 days
  • Presidential Appointees approved by the Senate
  • DoD Civilian Employees
  • Eligible Contractor Employees
  • Non-DoD/other government employees and State Employees of the National Guard

Future plans include the ability to store additional information the incorporation of RFID chips or other contactless technology to allow seamless access to DoD facilities.

[edit] Implementation

The Common Access Card is a controlled item. As of 2008, DoD has issued over 17 million smart cards. (This number includes reissues to accommodate changes in name, rank, or status and to replace lost or stolen cards.) As of the same date, approximately 3.5 million unterminated or active CACs are in circulation. DoD has deployed an issuance infrastructure at over 1000 sites in more than 25 countries around the world and is rolling out more than 1 million card readers and associated middleware.

Currently, it can be used for access into DoD computers and networks. It can be used in conjunction with a smartcard reader to gain access to a computer. Also, certain US military web sites, such as Army Knowledge Online (AKO) and the Air Force Portal, require a user to log-in using a CAC to perform certain functions that require stronger credential authentication than a traditional HTTP Basic access authentication.

The program that is currently used to issue CAC IDs is called the Real-Time Automated Personnel Identification System (RAPIDS). The system is secure and monitored by the DoD at all times. Users have to go through a special course and be certified to issue CACs. Different RAPIDS sites have been setup throughout military installations in and out of combat theater to issue new ids.

[edit] Objections

There are several objections to the use of this card, including mission capability, and scalability.

[edit] Mission capability

While most CAC users remain at the same workstation, an ever-increasing number of government websites are requiring the use of the CAC for authentication. The problem with this approach is that many people who have a legitimate requirement to access these websites, are, by the very nature of their duties, required to access those sites from non-CAC enabled workstations, often while TDY or deployed, and at workstations over which they have no administrative control, and on which they may be prohibited from installing a CAC reader. Thus, the username/password approach must be kept as a backup to CAC employment for these personnel.

[edit] Scalability

The US Army has enjoyed password scalability, or single point access to many SSL-secured websites through its Army Knowledge Online program for several years. However, some authorities believe that password-based logins are obsolete: “Passwords are a flawed technology,” according to Tom Gilbert, CTO of Blue Ridge Networks, "They aggravate the users who have to remember them and the administrators who rely on them to secure their systems." Similarly, “Passwords don’t scale,” said Mary Dixon, director of the Common Access Card Office in the Defense Manpower Data Center [2]. The US Air Force Portal on 15 Jan 10 will require a CAC or PKI to enter, disabling user/password access.

[edit] Non-Windows support

The Common Access Card is based on X.509 certificates with software middleware enabling an operating system to interface with the card via a hardware card reader. Although card manufacturers such as Schlumberger provided a suite of smartcard, hardware card reader and middleware for both Linux and Windows, not all other CAC systems integrators did likewise. In an attempt to correct this situation, Apple has done work for adding support for Common Access Cards to their operating system right out of the box using the MUSCLE (Movement for the Use of Smartcards in a Linux Environment) project. The procedure for this has been well documented by the Naval Postgraduate School in the publication "CAC on a Mac"[1]. Some work has also been done in the Linux realm. Some users are using the MUSCLE project combined with Apple's Apple Public Source Licensed Common Access Card software. Another approach to solve this problem, which is now well documented, involves the use of a new project, CoolKey, to gain Common Access Card functionality. This document is available publicly from the Naval Research Laboratory's Ocean Dynamics and Predictions Branch[2]. The Software Protection Initiative offers a LiveCD with CAC middleware and DoD certificate within a browser-focused, minimized Linux OS, called LPS-Public that works on x86 Windows, Mac, and Linux computers.

[edit] Common problems

The microchip is fragile and regular wear can make the card unusable. Older cards tended to de-laminate with repeated insertion/removal from readers, but this problem appears to be less significant with the newer (PIV-compliant) cards. Also, the gold contacts on the top of the card can become dirty and require cleaning with either solvents or a rubber pencil eraser.

Frequently, there are issues with using the cards to provide client-side authentication to an SSL/TLS website. Both the client computer and the web server currently need to have a complete set of DoD Certificate Authority certificates in their trusted certificate store, or login will fail. Troubleshooting this can be difficult, since at first glance it appears to users that their computers are set up correctly. In addition, different CAC vendors have posed issues with different card reader systems.

Often blamed on CAC as of late 2008 but actually resulting from other changes is a failure during the SSL "handshake" that results in a failure to access a secured website. DoD websites now should require the use of TLS v1.0 (or SSL v3.1) and refuse connections using SSL 2.0/3.0, due to potential weaknesses in the older SSL standard and corresponding requirements in the Security Technical Implementation Guides. However, many common web browsers (including Internet Explorer v6.x) do not have TLS 1.0 enabled by default, which means the SSL "handshake" cannot complete. This is not a CAC-related problem, but happens at about the point in the login process where the CAC is required, leading to user confusion.

[edit] Technologies

On the front of the CAC, below the picture, is an integrated microchip with 32K of storage and a PDF417 stacked two-dimensional barcode. On the back there is a magnetic stripe and a Code 39 linear barcode. Upon issue the magnetic stripe is not encoded, but reserved for localized physical security systems.[3][4] The front of the CAC is fully laminated, while the back is only laminated in the lower half (to avoid interference with the magnetic stripe).[5]

[edit] See also

[edit] References

  1. ^ "Department of Defense Instruction 1000.1" (in English) (pdf). United States Department of Defense. 1991-06-05. http://www.js.mil/whs/directives/corres/pdf/i10001wch2_013074/i10001p.pdf. Retrieved 2006-12-01. ". . . Each party to a conflict is required to furnish the persons under its jurisdiction who are liable to become prisoners of war, with an identity card showing the owner's surname, first names, rank, army, regimental, personal or serial number or equivalent information, and date of birth. The identity card may, furthermore, bear the signature or the fingerprints or both, of the owner, and may bear, as well, any other information the Party to the conflict may wish to add concerning persons belonging to its Armed Forces." 
  2. ^ ">"Security in numbers" (in English) (html). Government Computer News. 2006-07-31. http://www.gcn.com/print/25_22/41468-1.html. Retrieved 2007-05-30. 
  3. ^ http://pmo.cac.navy.mil/docs/CAC_INFO_SHEET.pdf
  4. ^ http://www.amc.army.mil/amc/pe/pdf/CACFactSheet031301.pdf
  5. ^ https://www.fbo.gov/index?s=opportunity&mode=form&id=f3933c2b8c2aaf22acb80c119e2f3a1a&tab=core&_cview=1

[edit] External links

Retrieved from "http://en.wikipedia.org/wiki/Common_Access_Card"