Common Access Card
From Wikipedia, the free encyclopedia
The Common Access Card (CAC) is a United States Department of Defense (DoD) smartcard issued as standard identification for active duty military personnel, reserve personnel, civilian employees, and eligible contractor personnel.
The CAC is used as a general identification card as well as for authentication to enable access to DoD computers, networks, and certain DoD facilities. It also serves as an identification card under the Geneva Conventions.[1] The CAC enables encrypting and cryptographically signing email, facilitating the use of PKI authentication tools, and establishes an authoritative process for the use of identity credentials.
Contents |
[edit] Objectives
The CAC has many objectives, including controlling access to computer networks, enabling users to sign documents electronically, encrypt email messages, and enter controlled facilities. This new DoD identification (ID) card, or CAC, is being issued to all active duty military, Reserves, National Guard, DoD civilians and eligible DoD contractors who need access to DoD facilities or DoD computer network systems:
- Active Duty Armed Forces
- Reservists
- National Guard members
- National Oceanic and Atmospheric Administration
- Public Health Service
- Emergency-Essential Employees
- Contingency Contractor Employees
- Deployed Overseas Civilian
- Non-Combatant Personnel
- DoD/Uniformed Service Civilians residing on military installation in CONUS, HI, AK, Puerto Rico, or Guam
- DoD/Uniformed Service Civilians or Contracted Civilian residing in a foreign country for at least 365 days
- Presidential Appointees approved by the Senate
- DoD Civilian Employees
- Eligible Contractor Employees
Future plans include the ability to store additional information the incorporation of RFID chips or other contactless technology to allow seamless access to DoD facilities.
[edit] Implementation
The Common Access Card is a controlled item. As of 2007, DoD has issued over 13 million smart cards. (This number includes reissues to accommodate changes in name, rank, or status and to replace lost or stolen cards.) As of the same date, approximately 3 million unterminated or active CACs are in circulation. DoD has deployed an issuance infrastructure at over 930 sites in more than 25 countries around the world and is rolling out more than 1 million card readers and associated middleware.
Currently, it can be used for access into DoD computers and networks. It can be used in conjunction with a smartcard reader to gain access to a computer. Also, certain US military web sites, such as Army Knowledge Online (AKO) and the Air Force Portal, require a user to log-in using a CAC to perform certain functions that require stronger credential authentication than a traditional HTTP Basic access authentication.
The program that is currently used to issue CAC IDs is called the Real-Time Automated Personnel Identification System (RAPIDS). The system is secure and monitored by the DoD at all times. Users have to go through a special course and be certified to issue CAC Cards. Different RAPIDS sites have been setup throughout military installations in and out of combat theater to issue new ids.
[edit] Objections
There are several objections to the use of this card, including mission capability, and scalability.
[edit] Mission capability
While most CAC users remain at the same workstation, an ever-increasing number of government websites are requiring the use of the CAC for authentication. The problem with this approach is that many people who have a legitimate requirement to access these websites, are, by the very nature of their duties, required to access those sites from non-CAC enabled workstations, often while TDY or deployed, and at workstations over which they have no administrative control, and on which they may be prohibited from installing a CAC reader. Thus, the username/password approach must be kept as a backup to CAC employment for these personnel.
[edit] Scalability
The US Army has enjoyed password scalability, or single point access to many SSL-secured websites through its Army Knowledge Online program for several years. However, some authorities believe that password-based logins are obsolete: “Passwords are a flawed technology,” according to Tom Gilbert, CTO of Blue Ridge Networks, "They aggravate the users who have to remember them and the administrators who rely on them to secure their systems." Similarly, “Passwords don’t scale,” said Mary Dixon, director of the Common Access Card Office in the Defense Manpower Data Center [2].
[edit] Car Insurance
The CAC can be used as a port hole to show proof of insurance. If on military leave, with the given consent by the insured driver, the holder of the CAC will be able to drive the vehicle. Furthermore the CAC can be given as proof of insurance on base, if driven by ones POV[citation needed].
[edit] Non-Windows Support
The Common Access Card is based on X.509 certificates with software middleware enabling an operating system to interface with the card via a hardware card reader. Although card manufacturers such as Schlumberger provided a suite of smartcard, hardware card reader and middleware for both Linux and Windows, not all other CAC systems integrators did likewise. In an attempt to correct this situation, Apple has done work for adding support for Common Access Cards to their operating system right out of the box using the MUSCLE (Movement for the Use of Smartcards in a Linux Environment) project. The procedure for this has been well documented by the Naval Postgraduate School in the publication "CAC on a Mac" at http://cisr.nps.edu/pub_techrep.html . Some work has also been done in the Linux realm. Some users are using the MUSCLE project combined with Apple's Apple Public Source Licensed Common Access Card software. Another approach to solve this problem, which is now well documented, involves the use of a new project, CoolKey, to gain Common Access Card functionality. This document is available publicly from the Naval Research Laboratory's Ocean Dynamics and Prediction's publications page by the author, Kenneth Van Alstyne, http://www7320.nrlssc.navy.mil/pubs.php .
[edit] Common Problems
The microchip is fragile and regular wear can make the card unusable.
On a technical level, the cards have certificate issues where users can't log on even though their computers are set up correctly. In addition, different CAC vendors have posed issues with different card reader systems.
[edit] See also
- Access badge
- Credential
- ID Card
- Keycard
- Magnetic stripe card
- Physical Security
- Proximity card
- Smart card
- Swipe card
[edit] References
- ^ Department of Defense Instruction 1000.1 (pdf) (English). United States Department of Defense (1991-06-05). Retrieved on 2006-12-01. “. . . Each party to a conflict is required to furnish the persons under its jurisdiction who are liable to become prisoners of war, with an identity card showing the owner's surname, first names, rank, army, regimental, personal or serial number or equivalent information, and date of birth. The identity card may, furthermore, bear the signature or the fingerprints or both, of the owner, and may bear, as well, any other information the Party to the conflict may wish to add concerning persons belonging to its Armed Forces.”
- ^ ">Security in numbers (html) (English). Government Computer News (2006-07-31). Retrieved on 2007-05-30.
[edit] External links
- CAC Assistance for your home computer or personal laptop
- CAC: Common Access Card
- Defense Manpower Data Center
- RAPIDS Site Locator
- Smart Card Alliance: Department of Defense Common Access Card Profile
- GlobalPlatform : Department of Defense Common Access Card case study
- Peripheral threats -- Government Computer News, July 30, 2007
- Federation for Identity and Cross-Credentialing Systems (FiXs)
- ORC External Certificate Authority Medium Hardware Assurance
