Common Access Card

A Common Access Card (CAC).

The Common Access Card, commonly referred to as the CAC, is the standard identification for active duty United States defense personnel. The card itself is a smart card about the size of a credit card. [1] Defense personnel who use the CAC include the Selected Reserve and National Guard, United States Department of Defense (DoD) civilian employees, United States Coast Guard (USCG) civilian employees and eligible DoD and USCG contractor personnel. [1] It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems. It also serves as an identification card under the Geneva Conventions (especially the Third Geneva Convention). In combination with a personal identification number (PIN), a CAC satisfies the requirement for two-factor authentication: something the user knows (the PIN) combined with something the user has (the card, which holds the private keys). The certificates on the card also support digital signature and data encryption, giving signed data authentication, integrity and non-repudiation, and giving encrypted data confidentiality.


The CAC is a controlled item. As of 2008, DoD had issued over 17 million smart cards. This number includes reissues to accommodate changes in name, rank or status and to replace lost or stolen cards. As of the same date, approximately 3.5 million unterminated or active CACs were in circulation. DoD had deployed an issuance infrastructure at over 1,000 sites in more than 25 countries around the world and was rolling out more than one million card readers and associated middleware.

Issuance

The CAC is issued to active United States Armed Forces (Regular, Reserves and National Guard) in the Department of Defense and the U.S. Coast Guard; DoD civilians; USCG civilians; non-DoD/other government employees and State Employees of the National Guard; and eligible DoD and USCG contractors who need access to DoD or USCG facilities and/or DoD computer network systems.

Future plans include the ability to store additional information through the incorporation of RFID chips or other contactless technology to allow seamless access to DoD facilities.

The program currently used to issue CACs is the Real-Time Automated Personnel Identification System (RAPIDS). RAPIDS interfaces with the Joint Personnel Adjudication System (JPAS) and uses it to verify that the candidate has passed a background investigation and an FBI fingerprint check. Applying for a CAC requires DD Form 1172-2 to be filled out and then filed with RAPIDS.

RAPIDS is operated and monitored by the DoD. RAPIDS sites have been set up at military installations both in and out of combat theater to issue new cards.

Design

On the front of the card, the background shows the phrase "U.S. DEPARTMENT OF DEFENSE" repeated across the card. A color photo of the cardholder is placed in the top left corner, with the cardholder's name below it. The top right corner displays the expiration date. Other information on the front includes (if applicable) the holder's pay grade, rank and federal identifier. A PDF417 stacked barcode is displayed in the bottom left corner, and an integrated circuit chip (ICC) is placed near the bottom middle of the front of the card.

Three color codes are used on the front of the CAC. A blue bar across the holder's name shows that the cardholder is a non-U.S. citizen. A green bar shows that the cardholder is a contractor. The absence of a bar indicates all other personnel, including military personnel and civilian workers.

The back of the card has a ghost image of the cardholder. If applicable, the card also contains the date of birth, blood type, DoD benefits number, Geneva Convention category, and DoD Identification Number of the holder (also used as the Geneva Convention number, replacing the previously used Social Security Number). The DoD number is also known as the Electronic Data Interchange Personal Identifier (EDIPI). A Code 39 barcode and a magnetic stripe are at the top and bottom of the card, respectively.

The cardholder's DoD ID/EDIPI number is permanent throughout the holder's career with the DoD or USCG, regardless of department or division. Likewise, the permanent number follows retired U.S. military personnel who subsequently become DoD or USCG civilians or contractors needing a card. For non-military spouses, unremarried former spouses, and widows/widowers of active, Reserve or retired U.S. military personnel who themselves become DoD or USCG civilians or contractors, the DoD ID/EDIPI number on their CAC is the same as on their DD Form 1173 Uniformed Services Privilege and Identification Card (the dependent ID card).

The front of the CAC is fully laminated, while the back is only laminated in the lower half (to avoid interference with the magnetic stripe). [2]

The CAC is described as resistant to identity fraud, [3] tampering, counterfeiting and exploitation, and it provides an electronic means of rapid authentication.

There are currently four variants of the CAC. [1] The Geneva Conventions Identification Card is the most common and is issued to active duty and reserve armed forces and uniformed service members. The Geneva Convention Accompany Forces Card is issued to emergency-essential civilian personnel. The ID and Privilege Common Access Card is for civilians residing on military installations. The ID Card is for DoD/government agency identification of civilian employees.

Encryption

Until 2008, the PKI certificates on all CACs were issued with 1,024-bit RSA keys. Starting in 2008, DoD moved to 2,048-bit keys, [4] and personnel holding the older CACs had to obtain new cards by a deadline. [4] On October 1, 2012, all certificates with keys shorter than 2,048 bits were placed in revoked status, rendering legacy CACs useless for anything except visual identification. [4]

Usage

The CAC is designed to provide two-factor authentication: what you have (the physical card, holding the private keys) and what you know (the PIN). This allows rapid authentication and enhanced physical and logical security. The card can be used in a variety of ways.

Visual identification

The CAC can be used for visual identification by matching the color photo with the holder. This is used when the holder passes through a guarded gate or purchases items from a store, such as a PX/BX, that requires a level of privilege to use the facility. Some states accept the CAC as a government-issued ID card, for example for voting or applying for a driver's license.

Magnetic stripe

The magnetic stripe could be read by swiping the card through a magnetic stripe reader, much like a credit card. It was blank when the CAC was issued; its use was reserved for localized physical security systems. [5] The magnetic stripe was removed from the card in the first quarter of 2018. [6]

Integrated circuit chip (ICC)

The integrated circuit chip (ICC) holds the cardholder's PIN (which is checked on the chip and never released to the host), the private keys, and one or more PKI digital certificates. The ICC comes in different capacities; more recent versions have been issued at 64 and 144 kilobytes (KB).

The CAC can be used to log on to computers and networks equipped with one of a variety of smart card readers. Once the card is inserted, the middleware prompts the user for a PIN and sends it to the card, where the chip compares it with the PIN stored on the card; the reference PIN never leaves the chip, and a successful comparison unlocks the card's private keys. The host then has the card sign a challenge with the private key of the ID certificate and verifies the signature against that certificate, which proves possession of the card rather than mere knowledge of a number printed on it. The EDIPI number is read from the ID certificate and sent to a processing system where it is matched against an access control system such as Active Directory or LDAP. The DoD standard is that after three incorrect PIN attempts, the chip on the CAC locks.

The EDIPI number is carried in the subject of the PKI certificate. Depending on the owner, the CAC contains one or three PKI certificates. If the CAC is used for identification purposes only, an ID certificate is all that is needed. However, in order to access a computer, sign a document or encrypt email, signature and encryption certificates are also required.
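The logon flow in the two paragraphs above, as an added example that is not code from the page or from any DoD middleware. The card, its ID certificate and the directory are simulated in-process; the RSA is textbook RSA with tiny demo primes so the block runs stand-alone (it is insecure, and real cards use 2,048-bit keys). The subject CN form LAST.FIRST.MIDDLE.EDIPI is the DoD certificate convention; the name, EDIPI, PIN and account used here are made up.

```python
"""Model of the CAC logon described above: the PIN is checked on the card
with a three-try lockout, the host then has the card sign a fresh challenge
to prove possession of the ID certificate's private key, and the EDIPI from
the certificate subject is looked up in a directory such as Active Directory.

Added example, not DoD or middleware code: card, certificate and directory
are simulated, and the RSA is textbook RSA with tiny demo primes (insecure;
real cards use 2048-bit keys). Name, EDIPI, PIN and account are made up.
"""
import hashlib
import secrets

P, Q, E = 1_000_003, 1_000_033, 65537        # toy RSA key, demo only
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

class CardLocked(Exception): pass            # only a RAPIDS site or PIN reset workstation can help
class PinRejected(Exception): pass
class AuthenticationFailed(Exception): pass

def _challenge_digest(challenge, modulus):
    """Hash the challenge and reduce it into the RSA group (toy padding)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % modulus

class SimulatedCAC:
    """Card side: the reference PIN and the private key never leave this object."""
    MAX_PIN_TRIES = 3

    def __init__(self, pin, private_exponent, modulus, subject_cn):
        self._pin, self._d, self._pin_verified = pin, private_exponent, False
        self.tries_left = self.MAX_PIN_TRIES
        # Public data the host may read without a PIN: the ID certificate.
        self.certificate = {"subject_cn": subject_cn, "e": E, "n": modulus}

    def verify_pin(self, candidate):
        """Compare on the card; count down on failure, reset the counter on success."""
        if self.tries_left == 0:
            raise CardLocked("PIN retry counter exhausted")
        if secrets.compare_digest(candidate.encode(), self._pin.encode()):
            self.tries_left, self._pin_verified = self.MAX_PIN_TRIES, True
            return
        self.tries_left, self._pin_verified = self.tries_left - 1, False
        if self.tries_left == 0:
            raise CardLocked("PIN retry counter exhausted")
        raise PinRejected(f"{self.tries_left} tries left")

    def sign_challenge(self, challenge):
        """Private-key operation, refused until the PIN has been verified."""
        if not self._pin_verified:
            raise PinRejected("PIN not verified")
        return self._private_key_op(_challenge_digest(challenge, self.certificate["n"]))

    def _private_key_op(self, digest):
        return pow(digest, self._d, self.certificate["n"])

class ClonedCAC(SimulatedCAC):
    """A copy made from the readable certificate alone: it ignores the private
    exponent it is handed, so its 'response' is a guess the host rejects."""
    def _private_key_op(self, digest):
        return digest

def edipi_from_cn(cn):
    """'DOE.JANE.Q.1234567890' -> '1234567890' (the last label is the EDIPI)."""
    edipi = cn.rsplit(".", 1)[-1]
    if not (edipi.isdigit() and len(edipi) == 10):
        raise AuthenticationFailed(f"no EDIPI in subject CN {cn!r}")
    return edipi

def logon(card, pin, directory):
    """Host side: PIN -> fresh challenge -> verify response -> EDIPI -> account.
    A real host also validates the certificate chain to a DoD root CA and checks revocation."""
    card.verify_pin(pin)
    challenge = secrets.token_bytes(32)      # fresh nonce, so a replayed response fails
    response = card.sign_challenge(challenge)
    cert = card.certificate
    if pow(response, cert["e"], cert["n"]) != _challenge_digest(challenge, cert["n"]):
        raise AuthenticationFailed("response does not verify against the ID certificate")
    edipi = edipi_from_cn(cert["subject_cn"])
    if edipi not in directory:
        raise AuthenticationFailed(f"EDIPI {edipi} is not provisioned")
    return directory[edipi]

DEMO_DIRECTORY = {"1234567890": "jane.q.doe@example.mil"}   # constructed stand-in for AD/LDAP

def make_demo_card(pin="123456", cls=SimulatedCAC):
    return cls(pin, D, N, "DOE.JANE.Q.1234567890")

def logon_attempts(card, pins, directory=DEMO_DIRECTORY):
    """Try each PIN in turn and report the outcome of every attempt."""
    outcomes = []
    for pin in pins:
        try:
            outcomes.append("ok:" + logon(card, pin, directory))
        except PinRejected as exc:
            outcomes.append(f"rejected ({exc})")
        except CardLocked:
            outcomes.append("locked")
        except AuthenticationFailed:
            outcomes.append("auth failed")
    return outcomes
```

The host never sees the reference PIN and never receives the private key: it learns only that the card accepted the PIN and that the card produced a response that verifies under the public key in the certificate. Once the retry counter reaches zero the correct PIN no longer helps, which is the situation the "Common problems" section describes for users far from a RAPIDS site.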

A CAC works with virtually all modern computer operating systems. Besides the reader, drivers and middleware are also required in order to read and process a CAC. The only approved Microsoft Windows middleware for the CAC is ActivClient, available only to authorized DoD personnel. Non-Windows alternatives include LPS-Public (Lightweight Portable Security), a bootable Linux environment that runs without using the local hard drive.

DISA now requires all DoD intranet sites to authenticate users with a CAC in order to grant access. The back-end authentication system varies with the type of system: Active Directory, RADIUS, or another access control list.

The CAC is based on X.509 certificates, with software middleware enabling an operating system to interface with the card through a hardware card reader. Although card manufacturers such as Schlumberger provided a suite of smart card, hardware reader and middleware for both Linux and Windows, not all other CAC systems integrators did likewise.

In an attempt to correct this, Apple Federal Systems added some out-of-the-box support for Common Access Cards to later Snow Leopard operating system updates using the MUSCLE (Movement for the Use of Smart Cards in a Linux Environment) project. The procedure was documented historically by the Naval Postgraduate School in the publication "CAC on a Mac", [7] although today the school uses commercial software. According to independent military testers and help desks, not all cards are supported by the open source code associated with Apple's work, particularly the newer CACNG (CAC-NG, PIV II) cards. [8] Third-party support for CACs on the Mac is available from vendors such as Centrify and Thursby Software. [9] Apple's Federal Engineering Management suggested not using the out-of-the-box support in Mac OS X 10.6 Snow Leopard [10] and instead recommended supported third-party solutions. Mac OS X 10.7 Lion has no native smart card support. Thursby's PKard for iOS software extends CAC support to Apple iPads and iPhones.

Some work has also been done on Linux. Some users combine the MUSCLE project with Apple's Common Access Card software, released under the Apple Public Source License. Another approach, now well documented, uses the CoolKey project [11] to obtain Common Access Card functionality; the documentation is publicly available from the Naval Research Laboratory's Ocean Dynamics and Predictions Branch. [12]

Bar codes

The CAC carries two types of bar code: a PDF417 stacked barcode on the front and a Code 39 barcode on the back.

PDF417 Sponsor Barcode

Example value       | Field name                   | Size | Description
"IDUS"              | Identification Code          | 4    | Sponsor/Dependent card
"3"                 | Bar Code Version             | 1    |
XX                  | PDF417 Size                  | 2    |
X                   | PDF417 Checksum              | 1    |
X                   | PDF417 RSize                 | 1    |
"1"                 | Sponsor flag                 | 1    | 1=Sponsor, 0=Dependent
"GREATHOUSE, TUYET" | Name                         | 27   | Last, First
"999100096"         | Person Designator Identifier | 9    | 999-10-0096
"1"                 | Family sequence number       | 1    |
"         "         | Reserved for future use      | 9    |
"00"                | DEERS dependent suffix       | 2    | Sponsor v3
"60"                | Height (inches)              | 2    | 5' 0"
"150"               | Weight (pounds)              | 3    | 150 lbs
"RD"                | Hair Color                   | 2    | BK=Black, BR=Brown, BD=Blonde, RD=Red, GY=Gray, WH=White, BA=Bald, OT=Other
"BR"                | Eye Color                    | 2    | BK=Black, BR=Brown, HZ=Hazel, BL=Blue, GY=Gray, GR=Green, OT=Other
"1992OCT31"         | Date of birth                | 9    | 19921031
"S"                 | Direct Care Flag             | 1    | S=Unlimited
"M"                 | CHAMPUS Flag                 | 1    | M=Civilian Health Care CHAMPUS
"Y"                 | Commissary flag              | 1    | Y=Eligible and active
"Y"                 | MWR flag                     | 1    | Y=Eligible and active
"U"                 | Exchange flag                | 1    | U=Unlimited
"2011OCT31"         | CHAMPUS Effective Date       | 9    | 20111031
"2057SEP30"         | CHAMPUS Expiration Date      | 9    | 20570930
"2RET  "            | Form number                  | 6    | DD Form 2 - Retired
"2011NOV04"         | Card Issue Date              | 9    | 20111104
"INDEF    "         | Card Expiration Date         | 9    | Indefinite
"8   "              | Card Security Code           | 4    |
"H"                 | Service/Component Code       | 1    |
"RET   "            | Status                       | 6    | RET=Retired member entitled to retired pay
"USA  "             | Branch of service            | 5    | USA=U.S. Army
"PVT   "            | Rank                         | 6    | PVT=Private
"E2  "              | Pay grade                    | 4    |
"I  "               | Geneva Convention Code       | 3    |
"UNK"               | Blood Type                   | 3    |
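A builder and parser for the sponsor barcode layout in the table above, added here as an example; it is not DoD code. Field names and widths are taken from the table. Three things are assumptions: the width of the DEERS dependent suffix is taken to be 2 from its example value "00" (the table gives no size), the three PDF417 framing fields get dummy values because the table shows none, and the sample record is constructed from the table's example values rather than read from any real card. The dependent barcode that follows shares the leading fields but its later fields are only partly listed on this page, so the parser accepts sponsor records only.

```python
"""Build and parse the fixed-width payload of the CAC PDF417 sponsor barcode.

Added example, not DoD code. Field names and widths come from the sponsor
table above; the sample record is constructed from that table's example
values and does not describe a real card. The width of the DEERS dependent
suffix is assumed to be 2 (the table shows the example "00" but no size).
"""
from datetime import datetime

SPONSOR_LAYOUT = [                        # (field, width) in payload order
    ("identification_code", 4), ("barcode_version", 1), ("pdf417_size", 2),
    ("pdf417_checksum", 1), ("pdf417_rsize", 1), ("sponsor_flag", 1),
    ("name", 27), ("person_designator_id", 9), ("family_sequence_number", 1),
    ("reserved", 9), ("deers_dependent_suffix", 2), ("height_in", 2),
    ("weight_lb", 3), ("hair_color", 2), ("eye_color", 2),
    ("date_of_birth", 9), ("direct_care_flag", 1), ("champus_flag", 1),
    ("commissary_flag", 1), ("mwr_flag", 1), ("exchange_flag", 1),
    ("champus_effective_date", 9), ("champus_expiration_date", 9),
    ("form_number", 6), ("card_issue_date", 9), ("card_expiration_date", 9),
    ("card_security_code", 4), ("service_component_code", 1), ("status", 6),
    ("branch_of_service", 5), ("rank", 6), ("pay_grade", 4),
    ("geneva_convention_code", 3), ("blood_type", 3),
]
PAYLOAD_LEN = sum(w for _, w in SPONSOR_LAYOUT)   # 155 characters
HAIR = {"BK": "Black", "BR": "Brown", "BD": "Blonde", "RD": "Red",
        "GY": "Gray", "WH": "White", "BA": "Bald", "OT": "Other"}
EYES = {"BK": "Black", "BR": "Brown", "HZ": "Hazel", "BL": "Blue",
        "GY": "Gray", "GR": "Green", "OT": "Other"}
DATE_FIELDS = ("date_of_birth", "champus_effective_date", "champus_expiration_date",
               "card_issue_date", "card_expiration_date")

# Constructed sample built from the table's example values. The three PDF417
# framing fields have no example on the page, so dummies are used for them.
SAMPLE_RECORD = {
    "identification_code": "IDUS", "barcode_version": "3", "pdf417_size": "00",
    "pdf417_checksum": "0", "pdf417_rsize": "0", "sponsor_flag": "1",
    "name": "GREATHOUSE, TUYET", "person_designator_id": "999100096",
    "family_sequence_number": "1", "reserved": "", "deers_dependent_suffix": "00",
    "height_in": "60", "weight_lb": "150", "hair_color": "RD", "eye_color": "BR",
    "date_of_birth": "1992OCT31", "direct_care_flag": "S", "champus_flag": "M",
    "commissary_flag": "Y", "mwr_flag": "Y", "exchange_flag": "U",
    "champus_effective_date": "2011OCT31", "champus_expiration_date": "2057SEP30",
    "form_number": "2RET", "card_issue_date": "2011NOV04",
    "card_expiration_date": "INDEF", "card_security_code": "8",
    "service_component_code": "H", "status": "RET", "branch_of_service": "USA",
    "rank": "PVT", "pay_grade": "E2", "geneva_convention_code": "I", "blood_type": "UNK",
}

def encode_sponsor(fields):
    """Pack a field dict into the payload, each field space padded to its width."""
    out = []
    for name, width in SPONSOR_LAYOUT:
        if len(fields[name]) > width:
            raise ValueError(f"{name}: {fields[name]!r} exceeds width {width}")
        out.append(fields[name].ljust(width))
    return "".join(out)

def parse_date(text):
    """'1992OCT31' -> date(1992, 10, 31); 'INDEF' or blank -> None."""
    text = text.strip()
    if text in ("", "INDEF"):
        return None
    return datetime.strptime(text, "%Y%b%d").date()

def parse_sponsor(payload):
    """Slice the payload into fields and decode the coded ones.
    A scanned barcode is untrusted input, so length, record type and sponsor flag
    are checked first. The PDF417 checksum byte is carried through unverified
    because the table does not give its algorithm."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError(f"expected {PAYLOAD_LEN} characters, got {len(payload)}")
    raw, pos = {}, 0
    for name, width in SPONSOR_LAYOUT:
        raw[name], pos = payload[pos:pos + width], pos + width
    if raw["identification_code"] != "IDUS":
        raise ValueError("not a DEERS sponsor/dependent barcode")
    if raw["sponsor_flag"] != "1":
        raise ValueError("dependent record: fields after the sponsor flag differ")
    rec = {name: value.rstrip() for name, value in raw.items()}
    pdi = rec["person_designator_id"]
    rec["person_designator_id"] = f"{pdi[:3]}-{pdi[3:5]}-{pdi[5:]}"
    inches = int(rec["height_in"])
    rec["height_in"], rec["height"] = inches, f"{inches // 12}' {inches % 12}\""
    rec["weight_lb"] = int(rec["weight_lb"])
    rec["hair_color"] = HAIR.get(rec["hair_color"], rec["hair_color"])
    rec["eye_color"] = EYES.get(rec["eye_color"], rec["eye_color"])
    for field in DATE_FIELDS:
        rec[field] = parse_date(rec[field])
    return rec

def is_valid_sponsor_payload(payload):
    """True if the payload parses as a sponsor record, False otherwise."""
    try:
        parse_sponsor(payload)
        return True
    except ValueError:
        return False
```

Because every field has a fixed width, the decoder needs no delimiters and can reject a truncated or padded scan by length alone before it interprets anything; `parse_sponsor(encode_sponsor(SAMPLE_RECORD))` round-trips the sample record.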

PDF417 Dependent Barcode

Example value                 | Field name                           | Size | Description
"IDUS"                        | Identification Code                  | 4    | Sponsor/Dependent card
...                           |                                      |      |
"0"                           | Sponsor flag                         | 1    | 1=Sponsor, 0=Dependent
...                           |                                      |      |
"RET   "                      | Sponsor Status                       | 6    | RET=Retired member entitled to retired pay
"USA  "                       | Sponsor Branch of service            | 5    | USA=U.S. Army
"PVT   "                      | Sponsor Rank                         | 6    | PVT=Private
"E2  "                        | Sponsor Pay grade                    | 4    |
"        TRUMBOLD, ERIC     " | Sponsor Name                         | 27   |
"999100096"                   | Sponsor Person Designator Identifier | 9    |
"CH"                          | Relationship                         | 2    | SP=Spouse, CH=Child

RFID technology

The contactless interface carries its own security risks, since an RFID chip can be read without the card being removed from a wallet or holder. To prevent theft of information over RFID, 2.5 million radio frequency shielding sleeves were delivered to the DoD in November 2010, and roughly 1.7 million more were to be delivered the following January. [13] RAPIDS ID offices worldwide are required to issue a sleeve with every CAC. [13] Carrying a CAC in the same holder as other RFID cards can also cause problems, such as a door reader failing to read an access card kept in the same holder as a CAC. Despite these challenges, at least one civilian organization, NOAA, uses the RFID technology for access to facilities nationwide. Access is usually granted after removing the CAC from its RF shield and holding it against a reader mounted on a wall or on a pedestal. Once the CAC has been authenticated to a local security server, either the door releases or a signal is displayed to security guards to grant access to the facility.

Common problems

The ICC is fragile, and regular wear can make the card unusable. Older cards tend to delaminate with repeated insertion into and removal from readers, but this problem appears to be less significant with the newer (PIV-compliant) cards. The gold contacts on the ICC can also become dirty and require cleaning with either a solvent or a rubber pencil eraser.

Fixing or replacing a CAC typically requires access to a RAPIDS facility, which causes practical problems. In remote locations around the world without direct Internet access or physical access to a RAPIDS facility, a CAC is rendered useless if the card expires or if the maximum number of PIN retries is reached. Under the regulations for CAC use, a user on TAD/TDY must visit a RAPIDS facility to replace or unlock a CAC, which usually requires travel to another location or even a return to the user's home station. The CAC PMO [14] has also created a CAC PIN Reset workstation capable of resetting a locked CAC PIN.

On some DoD networks, Active Directory (AD) is used to authenticate users. The first time a given computer authenticates a user with a CAC, it needs a connection to its parent Active Directory domain so that the logon can be validated and the credential cached. A field-replacement laptop that was not prepared with the user's CAC before shipment therefore cannot be used until it has some form of direct access to Active Directory. Remedies include reaching the intranet over public broadband Internet and then a VPN, or satellite Internet access through a VSAT system where telecommunications are unavailable, such as at a natural disaster site.

References

  1. "COMMON ACCESS CARD (CAC)". US Department of Defense. Retrieved 18 January 2017.
  2. "Central Issuance Facility Common Access Card (CAC) Production". Federal Business Opportunities.
  3. "DOD to Drop Social Security Numbers from ID Cards".
  4. Air Force Times (the cited page is no longer available and now returns "404").
  5. "CHIPS Articles: Access Approved: Biometrics and Smart Cards Open Doors to Improved Efficiency". Archived from the original on 2014-07-14.
  6. "Removal of Magnetic Stripe from DoD Common Access Cards" (PDF). Archived from the original (PDF) on 2022-03-19. Retrieved 2021-11-11.
  7. CISR. "CISR - Publications - Technical Reports". Archived from the original on 2006-09-04. Retrieved 2006-09-17.
  8. "MilitaryCAC's Mac OS X support landing page".
  9. "Thursby Software - Securing enterprise and personal mobility". Thursby Software Systems, Inc.
  10. "Re: [Fed-Talk] Pkinit working on Snow Leopard but need forwardable TGT". Archived from the original on 2014-02-22. Retrieved 2011-05-09.
  11. "389 Directory Server (Open Source LDAP)". Archived from the original on 2012-11-26. Retrieved 2013-02-12.
  12. Archived copy (PDF). Archived from the original (PDF) on 2015-07-15. Retrieved 2009-09-09.
  13. "Defense Department orders RF shields from National Laminating". SecureIDNews.
  14. Navy CAC PMO.