DoD Common Access Card: From Smart Card to Identity Management
Dr. Robert van Spyk, Senior DMDC Consortium Research Fellow
Bill Boggess, Chief, Access & Authentication Technology Division (AATD), DMDC
GlobalPlatform Business Seminar
Toronto, August 21, 2002
Topics
1. Context: Challenges Met
2. Learnings: Challenges Ahead
3. Paradigm Shift: from Smart Card to Identity Management
Context: Challenges Met
The Decision
November 10, 1999 memo from Dr. John Hamre (Deputy Secretary of Defense): Create a Common Access Card
• I.D. card for:
– Active military
– Selected Reserves
– DoD civilians
– “Inside the wall” contractors
• Physical and logical access
– Authentication keys
• Military ID card infrastructure
Card Architecture Goals
Goals:
• Security
• Multi-application
• Multiple vendors
• Interoperability
• Post issuance
• Best commercial practices
• COTS
• Cost effective
These goals resulted in the following requirements:
• Java 2.1
• Global Platform
• Interoperability Specification (BSI)
• 32K EEPROM
• FIPS 140-1 Level 2 Certification
The Business Problem: What are DEERS and RAPIDS?
DEERS
• Defense Enrollment Eligibility Reporting System
• Database with 23 million records providing:
– Accurate and timely information on all eligible uniformed service members (active, reserve, retired), their families and DoD civilians
– Detailed information on DoD benefit program eligibility
RAPIDS
• Real-time Automated Personnel Identification System
• Application that produces the ID card
– Automated ID card system for military, retirees and their families
– Joint, total force, multi-national and worldwide
DEERS and RAPIDS are independent but closely coupled established systems which provide eligibility information for DoD benefits.
DMDC Person Repository: DEERS Population
DEERS size:
Sponsors (Active, Reserves, Retired, Civil Servants)    8,467,411
Previous Sponsors (Separatees with MGIB)                4,000,000
Family Members                                         10,695,181
Total                                                  23,162,592
Where Are We Today
• 883 Workstations in 466 Locations
• 787,456 Cards issued as of 30 June (current trend issuing around 7,000 cards per day)
Toward the Million Mark
787,456 CACs issued as of 30 June
(Chart: CACs issued by component, with segments for U.S. Navy, U.S. Army, U.S. Marine Corps, U.S. Air Force, U.S. Coast Guard, DoD Agencies and Other; the segment values shown are 303,017; 217,493; 90,993; 137,899; 5,644; 23,037 and 9,373, which sum to the 787,456 total.)
Infrastructure
DEERS/RAPIDS is a person-based DoD benefit delivery system
• DEERS: over 25,000 users throughout DoD
• RAPIDS: 1,318 workstations at 878 sites in 13 countries
• Army, Navy, Air Force, Marine Corps, Coast Guard, NOAA, Public Health
• Over 1.5 million transactions a day
Learnings: Challenges Ahead
Technology Adoption
(Chart: percentage of ownership, 0 to 100, plotted against years after invention, 0 to 120, for Electricity (1873), Telephone (1876), Automobile (1886), Radio (1905), PC (1975), Internet (1975), Smartcard (1980) and Cell Phone (1983).)
Learnings
1. The card is the tip of the application and IT infrastructure iceberg
2. Standards Mandatory for Interoperability
3. Introduction is not the same as Adoption
4. The card is about Identity
1. Network Infrastructure
• CA access is critical for CRL and issuance
• Network performance impacted by several layers of security
• Workstations converted to Win2K and Active Directory for integrated management: legacy systems problematic (e.g., Y2K conversion)
• TNG and other tools for monitoring
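The first bullet matters because a relying party that cannot reach the CA has no current CRL, and the safe behaviour in that case is to deny rather than assume the certificate is still good. The following is an added example, not DMDC or DoD code: a small fail-closed revocation check over a constructed in-memory CRL model (issuer, thisUpdate, nextUpdate, revoked serials), with the fetcher callables standing in for a download from the CA's distribution point. Nothing here parses real X.509 data.

```python
"""Certificate revocation decision that fails closed when the CA is unreachable.

Added example, not DMDC or DoD code. The CRL is a constructed in-memory model,
not a parsed X.509 CRL, and the fetchers stand in for a download from the CA.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: set = field(default_factory=set)  # serial numbers of revoked certificates


class CAUnreachable(Exception):
    """Raised by a fetcher when the CA's CRL distribution point cannot be reached."""


def fetch_crl(fetcher, cache):
    """Refresh from the CA when possible; otherwise fall back to the cached copy, if any.

    Returns (crl_or_None, fresh) so the caller can log that it ran on a cached CRL.
    """
    try:
        crl = fetcher()
    except CAUnreachable:
        return cache.get("crl"), False
    cache["crl"] = crl
    return crl, True


def revocation_status(serial, issuer, crl, now, grace=timedelta(0)):
    """Return 'good', 'revoked' or 'unknown'; callers must treat 'unknown' as a denial."""
    if crl is None or crl.issuer != issuer:
        return "unknown"  # no usable CRL for this issuer
    if now < crl.this_update or now > crl.next_update + grace:
        return "unknown"  # stale CRL: the CA may have revoked the cert since nextUpdate
    return "revoked" if serial in crl.revoked else "good"


def decide_access(serial, issuer, fetcher, cache, now, grace=timedelta(0)):
    """Only an explicit 'good' from a valid, current CRL grants access (fail closed)."""
    crl, fresh = fetch_crl(fetcher, cache)
    status = revocation_status(serial, issuer, crl, now, grace)
    return status == "good", status, fresh


# Constructed sample data: one issuer, one revoked serial, a CRL valid for a week.
ISSUER = "CN=Sample CA (constructed)"
T0 = datetime(2002, 8, 21, tzinfo=timezone.utc)
SAMPLE_CRL = CRL(ISSUER, T0, T0 + timedelta(days=7), revoked={0x1002})


def ca_online():
    return SAMPLE_CRL


def ca_offline():
    raise CAUnreachable("CRL distribution point not reachable")


if __name__ == "__main__":
    cache = {}
    print(decide_access(0x1001, ISSUER, ca_online, cache, T0 + timedelta(days=1)))
    print(decide_access(0x1001, ISSUER, ca_offline, cache, T0 + timedelta(days=10)))
```

The `grace` parameter is the one operational knob: it lets a site keep working on a cached CRL for a bounded time after nextUpdate when the network is down, and the `fresh` flag in the result is what a monitoring tool should alert on, since a long run of cached decisions is exactly the outage the slide warns about.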
PKI Enabling Non-Trivial
• Legacy applications and OS versions
• Some work: Outlook 2000, Netscape, IE, but only in latest versions
• Requires extensive user training
• Requires local CA for single login application
• Multiple dependencies across network with server security and S/MIME, SSL, SSH, Kerberos, etc.
2. Standards
Made great progress with standards:
• GP version 2.01 and Compliance Testing
• GSC-IS version 2.0 published July 2002; includes
– Card Edge Interface (CEI)
– Basic Services Interface (BSI)
– Extended Services Interface (XSI)
• Java 2.1 version but with proprietary implementations
Interoperability Elusive
• No middleware agreement, hence continued dependence on vendor-specific software for accessing containers
• Options within the standards lead to incompatible implementations
• FIPS and other certifications costly
Interoperability Solutions
The DoD Strategy:
• Embrace standards where they exist and stretch requirements so that standards work for the application (examples: PKCS11, PCSC)
• Adopt industry best practices as de facto standards (examples: Global Platform, Javacard)
• Publish specifications and distribute freely (example: the card edge specifications for our applets were published)
• Develop interfaces that are provided to anyone interested in developing or adapting applications to work with our card system (example: Basic Services Interface (BSI))
3. Adoption
• Security alone not compelling to most
• Requires customer awareness and marketing; DOD has a younger demographic
• Quality of Life enhancement
• Multi-purpose
Paradigm Shift: from Smart Card to Identity Management
4. Paradigm Shift: Identity Management
To know, unequivocally, the identity and privileges of an object (person or device) in real time.
Case for a New Paradigm
Credit card industry has long recognized the issue:
• 1960’s - The card looks good - use the embosser
• 1970’s - I need to get authorization for this purchase - central system verification
• Present - all transactions authenticated - network-based, always-on connection to central system
Physical Access is at the 1960’s stage - it looks like a good card
Case for a New Paradigm
Today - lots of cards:
• Lots of credit/debit cards: different PINs, different procedures, different acceptance and capabilities
• Lots of ID cards: different trust and authentication levels; visual evidence of your authorizations, memberships, affiliation
The Vision
(Image: a sample Armed Forces of the United States Geneva Conventions Identification Card, showing name, service and duty status, issue and expiration dates, pay grade and rank.)
One card or a few cards
Integrated identity solution:
• Based on strong authentication
• Incorporating biometrics
• Able to perform multiple functions
Components for Success
What are the components of a strong system?
• Chain of trust in the identity end to end - key role for biometrics
• Independent verification wherever and whenever possible - authoritative confirming records
• Single identity repository that reconciles alternative views of the identity - person id services
• Multi-factor authentication at boundaries - the more the better
• Secure solutions for both the token/card and the central system - especially the biostore
Components for Success
1. Enrollment Process: face-to-face and biometric identification for ENROLLMENT (RAPIDS)
2. Unique & Persistent Identity Info: maintain DoD-wide IDENTITY (DEERS)
3. Third-Party Trust: store digital certificates for AUTHENTICATION (Certificate Authority)
Components for Success
Chain of Trust: where we are going in DoD … role of biometrics
• Initial capture at application for military service - digital prints to FBI and to DMDC biostore - records check, face-to-face authentication, National Agency Check
• Entry onto military service - stored biometric checked against live scan before initial ID card issued
• Periodically - member biometrically authenticated on ID card reissue - every three years
• Physical access systems - multi-factor authentication including a biometric in high security areas or under high threat conditions
Biometrics Issues
Future Directions for CAC
• Biometrics Match on Card used instead of PIN
• Biometrics used as an Access Control Process for using applets on the card. This will be for both on and off card matching scenarios and will be vendor neutral
More work has to be done to protect biometric stores.
Summary
Path Forward
• Increased emphasis on standards as prerequisite to interoperability and hence market share
• DOD focus on Identity
• IT infrastructure transformation exceeds Y2K effort
• It is not the technology: it is the customer’s quality of life
Additional Slides
Native Smartcard (layered architecture, bottom to top)
• Smart Chip Hardware
• Card OS (Proprietary): ISO 7816-4 hierarchical file system; ISO 7816-5 API; DATA held in a PKCS#15 file system
• Card Edge API, reached over APDUs
• Middleware - Card Issuer Specific, with vendor crypto extensions; exposes BSI/XSI to the application
• Application
Java Card (layered architecture, bottom to top)
• Global Platform 2.01 Card Manager: applet loader & manager
• Java Card JCRE 2.1.1 Virtual Machine API
• Applets and their DATA, organized in an Interoperable Directory Structure
• Card Edge API, reached over APDUs
• Generic Middleware exposing BSI/XSI
• Application
Directory structure points at credentials and other objects; each container can store several objects:
• CCC (Card Info Container)
• App Directory Container
• App Container: Key Object
• App Container: Cert Object
• App Container: Data Object
• App Container: Authent Object
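Both architecture slides put the Card Edge API on top of APDUs, and the Java Card slide organizes credentials as tagged objects inside applet containers. The following is an added example, not DMDC or DoD code and not the GSC-IS card edge itself: it encodes and decodes ISO 7816-4 short APDUs and runs them against a simulated card that holds one constructed container. The applet AID, object tags, PIN, and the use of INS 0xB0 as a read-by-tag command are all constructed for illustration; only the APDU framing and the status words (9000, 63CX, 6982, 6983, 6A82) follow the standard.

```python
"""ISO 7816-4 APDU encoding and decoding against a small simulated card.

Added example, not DMDC or DoD code: the applet AID, object tags, PIN and
container contents below are constructed for illustration only.
"""
import hmac
from dataclasses import dataclass, field

# ISO 7816-4 status words the host must check on every response.
SW_OK = 0x9000
SW_VERIFY_FAILED = 0x63C0           # low nibble carries the remaining tries
SW_SECURITY_NOT_SATISFIED = 0x6982  # object needs a verified PIN
SW_AUTH_BLOCKED = 0x6983            # PIN retry counter exhausted
SW_NOT_FOUND = 0x6A82               # applet or object not present

def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if len(data) > 255:
        raise ValueError("a short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])  # Le = 0 means "up to 256 bytes"
    return apdu

def parse_apdu(raw):
    """Decode a short command APDU; rejects a body whose Lc disagrees with its length."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                       # case 2: Le only
        le = body[0]
    elif len(body) > 1:                      # case 3 or 4: Lc + data [+ Le]
        lc = body[0]
        if len(body) - 1 not in (lc, lc + 1):
            raise ValueError("Lc does not match the data length")
        data = body[1:1 + lc]
        if len(body) == lc + 2:
            le = body[-1]
    return cla, ins, p1, p2, data, le

def parse_response(raw):
    """Split a response APDU into (data, SW1SW2)."""
    if len(raw) < 2:
        raise ValueError("response shorter than the status word")
    return raw[:-2], int.from_bytes(raw[-2:], "big")

@dataclass
class Container:
    """One applet's container: a directory of tagged objects (cert, key, data)."""
    aid: bytes
    objects: dict = field(default_factory=dict)      # tag -> object bytes
    pin_protected: set = field(default_factory=set)  # tags readable only after VERIFY

class SimulatedCard:
    """Card model: SELECT by AID, VERIFY PIN with a retry counter, READ an object by tag."""
    INS_SELECT, INS_VERIFY, INS_READ = 0xA4, 0x20, 0xB0  # read-by-tag on 0xB0 is constructed
    MAX_RETRIES = 3

    def __init__(self, containers, pin):
        self.containers = {c.aid: c for c in containers}
        self.pin, self.retries = pin, self.MAX_RETRIES
        self.selected, self.verified = None, False

    @staticmethod
    def _reply(sw, data=b""):
        return data + sw.to_bytes(2, "big")

    def transmit(self, apdu):
        _cla, ins, p1, _p2, data, le = parse_apdu(apdu)
        if ins == self.INS_SELECT and p1 == 0x04:          # SELECT applet by AID
            self.selected, self.verified = self.containers.get(data), False
            return self._reply(SW_OK if self.selected else SW_NOT_FOUND)
        if ins == self.INS_VERIFY:
            if self.retries == 0:
                return self._reply(SW_AUTH_BLOCKED)
            if hmac.compare_digest(data, self.pin):        # constant-time PIN compare
                self.retries, self.verified = self.MAX_RETRIES, True
                return self._reply(SW_OK)
            self.retries -= 1
            return self._reply(SW_AUTH_BLOCKED if self.retries == 0 else SW_VERIFY_FAILED | self.retries)
        if ins == self.INS_READ and self.selected is not None:
            tag = data[:1]
            if tag in self.selected.pin_protected and not self.verified:
                return self._reply(SW_SECURITY_NOT_SATISFIED)
            if tag not in self.selected.objects:
                return self._reply(SW_NOT_FOUND)
            value = self.selected.objects[tag]
            return self._reply(SW_OK, value[:le] if le else value)
        return self._reply(SW_NOT_FOUND)

# Constructed sample card: one ID container with a readable cert and a PIN-protected key handle.
ID_AID = bytes.fromhex("A000000079AA00")  # constructed AID, not the real CAC applet AID
TAG_CERT, TAG_KEY = b"\x70", b"\x71"       # constructed object tags
CARD = SimulatedCard(
    [Container(ID_AID, {TAG_CERT: b"-----BEGIN CERTIFICATE (sample)-----", TAG_KEY: b"key-handle-01"},
               pin_protected={TAG_KEY})],
    pin=b"123456")

def read_object(card, aid, tag, pin=None):
    """Host-side flow: SELECT, optionally VERIFY, then READ; returns (status word, data)."""
    _, sw = parse_response(card.transmit(build_apdu(0x00, 0xA4, 0x04, 0x00, aid)))
    if sw != SW_OK:
        return sw, b""
    if pin is not None:
        _, sw = parse_response(card.transmit(build_apdu(0x00, 0x20, 0x00, 0x80, pin)))
        if sw != SW_OK:
            return sw, b""
    data, sw = parse_response(card.transmit(build_apdu(0x00, 0xB0, 0x00, 0x00, tag, le=0)))
    return sw, data
```

Two details are the ones worth noticing on a real card as well: the security state is cleared on every SELECT, so a PIN verified for one applet does not carry over, and the retry counter counts down on wrong PINs and blocks at zero, which is why middleware should surface 63CX and 6983 to the user rather than retrying silently.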