Common Access Card
From Wikipedia, the free encyclopedia
 |
Please see the discussion on the talk page. |
The Common Access Card (CAC) is a United States Department of Defense (DoD) smartcard issued as standard identification for active duty military personnel, reserve personnel, civilian employees, and eligible contractor personnel.
The CAC is used as a general identification card as well as for authentication to enable access to DoD computers, networks, and certain DoD facilities. It also serves as an identification card under the Geneva Conventions.[1] The CAC enables encrypting and crytographically signing email, facilitating the use of PKI authentication tools, and establishes an authoritative process for the use of identity credentials.
Contents |
[edit] Objectives
The CAC has many objectives, including controlling access to computer networks, enabling users to sign documents electronically, encrypt email messages, and enter controlled facilities. This new DoD identification (ID) card, or CAC, is being issued to all active duty military, Reserves, National Guard, DoD civilians and eligible DoD contractors who need access to DoD facilities or DoD computer network systems:
- Active Duty Armed Forces
- Reservists
- National Guard members
- National Oceanic and Atmospheric Administration
- Public Health Service
- Emergency-Essential Employees
- Contingency Contractor Employees
- Deployed Overseas Civilian
- Non-Combatant Personnel
- DoD/Uniformed Service Civilians residing on military installation in CONUS, HI, AK, Puerto Rico, or Guam
- DoD/Uniformed Service Civilians or Contracted Civilian residing in a foreign country for at least 365 days
- Presidential Appointees approved by the Senate
- DoD Civilian Employees
- Eligible Contractor Employees
Future plans include the ability to store additional information the incorporation of RFID chips or other contactless technology to allow seamless access to DoD facilities.
[edit] Implementation
As of July 2004, DoD has issued over 5.4 million smart cards. (This number includes reissues to accommodate changes in name, rank, or status and to replace lost or stolen cards.) As of the same date, approximately 3 million unterminated or active CACs are in circulation. DoD has deployed an issuance infrastructure at over 930 sites in more than 25 countries around the world and is rolling out more than 1 million card readers and associated middleware.
Currently, it can be used for access into DoD computers and networks. It can be used in conjunction with a smartcard reader to gain access to a computer. Also, certain US military web sites, such as Army Knowledge Online (AKO), require a user to log-in using a CAC to perform certain functions that require stronger credential authentication than a traditional HTTP basic authentication.
The program that is currently used to issue CAC IDs is called RAPIDS. The system is secure and monitored by the DOD at all times. Users have to go through a special course and be certified to issue CAC Cards. Different RAPIDS sites have been setup throughout military installations in and out of combat theater to issue new ids.
[edit] Objections
There are several objections to the use of this card, including mission capability, and scalability.
[edit] Mission capability
While most CAC users remain at the same workstation, an ever-increasing number of government websites are requiring the use of the CAC for authentication. The problem with this approach is that many people who have a legitimate requirement to access these websites, are, by the very nature of their duties, required to access those sites from non-CAC enabled workstations, often while TDY or deployed, and at workstations over which they have no administrative control, and on which they may be prohibited from installing a CAC reader. Thus, the username/password approach must be kept as a backup to CAC employment for these personnel.
[edit] Scalability
The US Army has enjoyed password scalability, or single point access to many SSL-secured websites through its Army Knowledge Online program for several years. However, some authorities believe that password-based logins are obsolete: “Passwords are a flawed technology,” according to Tom Gilbert, CTO of Blue Ridge Networks, "They aggravate the users who have to remember them and the administrators who rely on them to secure their systems." Similarly, “Passwords don’t scale,” said Mary Dixon, director of the Common Access Card Office in the Defense Manpower Data Center [2].
[edit] Non-Windows Support
The Common Access Card, historically, has only been supported by Windows machines, however an increasing number of Department of Defense workstations are using operating systems such as Linux or Mac OS X. Fortunately, Apple has done work for adding support for Common Access Cards to their operating system right out of the box using the MUSCLE (Movement for the Use of Smartcards in a Linux Environment) project. The procedure for this has been well documented by the Naval Postgraduate School in the publication "CAC on a Mac" at http://cisr.nps.edu/pub_techrep.html . Some work has also been done in the Linux realm. Some users are using the MUSCLE project combined with Apple's Apple Public Source Licensed Common Access Card software. Another approach to solve this problem, which is now well documented, involves the use of a new project, CoolKey, to gain Common Access Card functionality. This document is available publically from the Naval Research Laboratory's Ocean Dynamics and Prediction's publications page by the author, Kenneth Van Alstyne, http://www7320.nrlssc.navy.mil/pubs.php .
[edit] Common Problems
The CAC card is far from perfect due to design flaws. The microchip can be damaged easily from foreign objects scratches such as sand. Looking at the card at a more technical level, the cards have certificate issues where users can't log on even through their computers are setup correctly. Also different brands of cards have posed an issue with different systems.
[edit] References
- ^ Department of Defense Instruction 1000.1 (English) (pdf). United States Department of Defense (1991-06-05). Retrieved on 2006-12-01. “. . . Each party to a conflict is required to furnish the persons under its jurisdiction who are liable to become prisoners of war, with an identity card showing the owner's surname, first names, rank, army, regimental, personal or serial number or equivalent information, and date of birth. The identity card may, furthermore, bear the signature or the fingerprints or both, of the owner, and may bear, as well, any other information the Party to the conflict may wish to add concerning persons belonging to its Armed Forces. As far as possible the card shall measure 6.5 x 10 cm. and shall be issued in duplicate.”
- ^
