DoD Common Access Card

Uploaded Feb 23, 2014

From Smart Card to Identity Management

Dr. Robert van Spyk
Senior DMDC Consortium Research Fellow

Bill Boggess
Chief, Access & Authentication Technology Division (AATD), DMDC

GlobalPlatform Business Seminar
Toronto, August 21, 2002

Topics

1. Context: Challenges Met
2. Learnings: Challenges Ahead
3. Paradigm Shift: from Smart Card to Identity Management

Context: Challenges Met

The Decision

- I.D. card for:
  - Active military
  - Selected Reserves
  - DoD civilians
  - “Inside the wall” contractors
- Physical and logical access
- Authentication keys
- Military ID card infrastructure

Common Access Card

November 10, 1999 memo from Dr. John Hamre (Deputy Secretary of Defense): Create a Common Access Card

Card Architecture Goals

Requirements:
- Java 2.1
- Global Platform
- Interoperability Specification (BSI)
- 32K EEPROM
- FIPS 140-1 Level 2 Certification

RESULTED IN

Goals:
- Security
- Multi-application
- Multiple vendors
- Interoperability
- Post issuance
- Best commercial practices
- COTS
- Cost effective

What are DEERS and RAPIDS?

DEERS - Defense Enrollment Eligibility Reporting System
- Database with 23 million records providing:
  - Accurate and timely information on all eligible uniformed service members (active, reserve, retired), their families and DoD civilians
  - Detailed information on DoD benefit program eligibility

RAPIDS - Real-time Automated Personnel Identification System
- Application that produces the ID card
- Automated ID card system for military, retirees and their families
- Joint, total force, multi-national and worldwide

Independent but closely coupled established systems which provide eligibility information for DoD benefits


The Business Problem

DMDC Person Repository

DEERS Population

DEERS                                                  Size
Sponsors (Active, Reserves, Retired, Civil Servants)    8,467,411
Previous Sponsors (Separatees with MGIB)                4,000,000
Family Members                                         10,695,181
Total                                                  23,162,592

Where Are We Today

- 883 Workstations in 466 Locations
- 787,456 Cards issued as of 30 June (current trend issuing around 7,000 cards per day)

Toward the Million Mark

787,456 CACs Issued as of 30 June, by component:
- U.S. Navy: 303,017
- U.S. Army: 217,493
- U.S. Marine Corps: 90,993
- U.S. Air Force: 137,899
- U.S. Coast Guard: 5,644
- DoD Agencies: 23,037
- Other: 9,373
DEERS/RAPIDS is a Person Based DoD Benefit Delivery System

- DEERS - over 25,000 users throughout DoD
- RAPIDS - 1318 workstations at 878 sites in 13 countries (ARMY, NAVY, AIR FORCE, MARINE CORPS, COAST GUARD, NOAA, PUBLIC HEALTH)

Infrastructure: OVER 1.5 MILLION TRANSACTIONS A DAY

Learnings: Challenges Ahead

[Chart: Technology Adoption. Y axis: Percentage of Ownership (0-100). X axis: Years after Invention (1-120). Series: Electricity (1873), Telephone (1876), Automobile (1886), Radio (1905), Cell Phone (1983), PC (1975), Internet (1975), Smartcard (1980).]

Learnings

1. The card is the tip of the application and IT infrastructure iceberg
2. Standards Mandatory for Interoperability
3. Introduction is not the same as Adoption
4. The card is about Identity

1. Network Infrastructure

- CA access is critical for CRL and issuance
- Network performance impacted by several layers of security
- Workstations converted to Win2K and Active Directory for integrated management: legacy systems problematic (e.g. Y2K conversion)
- TNG and other tools for monitoring

PKI Enabling Non-Trivial

- Legacy applications and OS versions
- Some work: Outlook 2000, Netscape, IE, but only in latest versions
- Requires extensive user training
- Requires local CA for single login application
- Multiple dependencies across network with server security and S/MIME, SSL, SSH, Kerberos, etc.


2. Standards

Made great progress with standards:
- GP version 2.01 and Compliance Testing
- GSC-IS version 2.0 published July 2002 includes:
  - Card Edge Interface (CEI)
  - Basic Services Interface (BSI)
  - Extended Services Interface (XSI)
- Java 2.1 version but with proprietary implementations

Interoperability Elusive
- No middleware agreement, hence continued dependence on vendor specific software for accessing containers
- Standards options lead to incompatible implementations
- FIPS and other certifications costly

Interoperability Solutions

The DoD Strategy:
- Embrace standards where they exist and stretch requirements so that standards work for the application - examples: PKCS#11, PC/SC
- Adopt industry best practices as de facto standards - examples: Global Platform, Javacard
- Publish specifications and distribute freely - example: the card edge specifications for our applets were published
- Develop interfaces that are provided to anyone interested in developing or adapting applications to work with our card system - example: Basic Services Interface (BSI)

3. Adoption

- Security alone not compelling to most
- Requires customer awareness and marketing - DoD has younger demographic
- Quality of Life enhancement
- Multi-purpose

Paradigm Shift: from Smart Card to Identity Management

4. Paradigm Shift: Identity Management

To know, unequivocally, the identity and privileges of an object (person or device) in real time.

Credit card industry has long recognized the issue:
- 1960’s - the card looks good - use the embosser
- 1970’s - I need to get authorization for this purchase - central system verification
- Present - all transactions authenticated - network based, always-on connection to central system

Case for a New Paradigm

Physical Access is at the 1960’s stage - it looks like a good card


Case for a New Paradigm

Lots of Cards ...

- Lots of credit/debit cards ...
  - Different PINs - different procedures
  - Different acceptance and capabilities
- Lots of ID cards ...
  - Different trust and authentication levels
  - Visual evidence of your authorizations, memberships, affiliation

Today - The Vision

[Sample card image: Armed Forces of the United States, Geneva Conventions Identification Card (SAMPLE). Parker IV, Christopher J.; Marine Corps; Active Duty; Rank LTCOL; Pay Grade O5; Issue Date 1999SEP03; Expiration Date 2003SEP01.]

One Card (or a few cards)
- Integrated identity solution
- Based on strong authentication
- Incorporating biometrics
- Able to perform multiple functions

- Chain of trust in the identity end to end - key role for biometrics
- Independent verification wherever and whenever possible - authoritative confirming records
- Single identity repository that reconciles alternative views of the identity - person id services
- Multi-factor authentication at boundaries - the more the better
- Secure solutions for both the token/card and the central system - especially the biostore

What are the components of a strong system?

Components for Success

- Face to Face and Biometric Identification for ENROLLMENT
- Store Digital Certificates for AUTHENTICATION
- Maintain DoD-Wide IDENTITY

Systems: RAPIDS, DEERS, CERTIFICATE AUTHORITY

1. Enrollment Process
2. Unique & Persistent Identity Info
3. Third-Party Trust
Components for Success

Chain of Trust

Where we are going in DoD ... role of biometrics

- Initial capture at application for military service - digital prints to FBI and to DMDC biostore - records check, face to face authentication, National Agency Check
- Entry onto military service - stored biometric checked against live scan before initial ID card issued
- Periodically - member biometrically authenticated on ID card reissue - every three years
- Physical access systems - multi-factor authentication including a biometric in high security areas or under high threat conditions

Components for Success

Biometrics Issues

Future Directions for CAC
- Biometrics Match on Card used instead of PIN
- Biometrics used as an Access Control Process for using applets on the card. This will be for both on and off card matching scenarios and will be vendor neutral

More work has to be done to protect biometric stores.

Summary

Path Forward
- Increased emphasis on standards as prerequisite to interoperability and hence market share
- DOD focus on Identity
- IT infrastructure transformation exceeds Y2K effort
- It is not the technology: it is the customer’s quality of life

Contact

Dr. Robert van Spyk
vanspyrp@osd.pentagon.mil
831-583-2500 ex 5576

Bill Boggess
boggesbf@osd.pentagon.mil
831-583-4170

Additional Slides

Smart Card Architecture

[Diagram: three stacks, listed here from the chip up to the application; in each case the card edge is crossed by APDUs]

Native Smartcard:
- Smart Chip Hardware
- Card OS (Proprietary)
- File system, ISO 7816-5 API
- DATA (PKCS#15) File System
- Hierarchical File system, ISO 7816-4
- Card Edge API (APDU)
- Middleware with vendor extensions, crypto
- Application

Middleware - Card Issuer Specific:
- Card Edge API (APDU)
- BSI/XSI
- Application

Java Card:
- Smart Chip Hardware
- Java Card JCRE 2.1.1 Virtual Machine API
- Global Platform 2.01 Card Manager, Applic. Loader & Manager (API)
- Interoperable Directory Structure (API)
- Card Edge API (APDU)
- BSI/XSI
- Generic Middleware
- Application

Directory structure points at credentials and other objects

[Diagram]
- CCC - Card Info Container
- App Directory Container, pointing at:
  - Key Object - App Container
  - Cert Object - App Container
  - Data Object - App Container
  - Authent Object - App Container
- Applet - DATA
- Applet - DATA

Each container can store several objects
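As an added example (Python; not DMDC or CAC code and not from these slides), the following simulates the card edge that the two diagrams above describe: the host reaches the card only through ISO 7816-4 APDUs, containers are selected by AID, and the objects inside a container are released according to the card's security status, which a VERIFY of the PIN sets and a power cycle clears, with a retry counter that blocks the card after three failures. The AIDs, object tags, sample values and PIN are constructed; the status words and instruction bytes are the ISO 7816-4 ones, but using P1 of READ BINARY as an object tag is a demo convention, not the GSC-IS command set.

```python
import hmac
from collections import namedtuple

# ISO 7816-4 status words (SW1 SW2) and instruction bytes used below.
SW_OK, SW_WRONG_LENGTH, SW_SECURITY_NOT_SATISFIED = 0x9000, 0x6700, 0x6982
SW_AUTH_BLOCKED, SW_NOT_FOUND, SW_INS_NOT_SUPPORTED = 0x6983, 0x6A82, 0x6D00
INS_VERIFY, INS_SELECT, INS_READ_BINARY = 0x20, 0xA4, 0xB0
MAX_PIN_TRIES = 3
Apdu = namedtuple("Apdu", "cla ins p1 p2 data le")

def parse_apdu(raw: bytes) -> Apdu:
    """Decode a short-form command APDU: CLA INS P1 P2 [Lc Data] [Le]."""
    (cla, ins, p1, p2), body = raw[:4], raw[4:]    # ValueError if shorter than 4 bytes
    if not body:                                   # case 1: header only
        return Apdu(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                             # case 2: Le only (0x00 encodes 256)
        return Apdu(cla, ins, p1, p2, b"", body[0] or 256)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:
        raise ValueError("Lc/Le do not match the APDU length")
    le = (rest[0] or 256) if rest else None        # case 4 carries Le, case 3 does not
    return Apdu(cla, ins, p1, p2, data, le)

# Constructed sample content, not CAC data: AID -> {tag: (value, pin_protected)}.
AID_CARD_INFO, AID_CREDENTIALS = bytes.fromhex("A000000079A000"), bytes.fromhex("A000000079A001")
CARD_CONTENT = {
    AID_CARD_INFO: {0x01: (b"CARD-INFO: demo issuer, 32K EEPROM", False)},
    AID_CREDENTIALS: {
        0x01: (b"CERT: demo X.509 certificate", False),   # certificates are public
        0x02: (b"DATA: demo person data", True),          # released only after PIN
        0x03: (b"KEY: demo private key handle", True),    # private key use needs PIN
    },
}

class Card:
    """Card-side state: selected container, PIN status, persistent retry counter."""
    def __init__(self, pin: bytes = b"123456"):
        self._pin = pin
        self.tries_left = MAX_PIN_TRIES        # survives power cycles
        self.reset()

    def reset(self):
        self.selected, self.pin_verified = None, False   # power cycle clears security status

    def transmit(self, raw: bytes):
        try:                                   # returns (response data, status word)
            apdu = parse_apdu(raw)
        except ValueError:
            return b"", SW_WRONG_LENGTH
        handler = {INS_SELECT: self._select, INS_VERIFY: self._verify,
                   INS_READ_BINARY: self._read_binary}.get(apdu.ins)
        return handler(apdu) if handler else (b"", SW_INS_NOT_SUPPORTED)

    def _select(self, apdu):                   # select by AID (P1=04) only
        self.selected = apdu.data if apdu.p1 == 0x04 and apdu.data in CARD_CONTENT else None
        return b"", SW_OK if self.selected else SW_NOT_FOUND

    def _verify(self, apdu):
        if self.tries_left == 0:
            return b"", SW_AUTH_BLOCKED
        if hmac.compare_digest(apdu.data, self._pin):          # constant-time compare
            self.pin_verified, self.tries_left = True, MAX_PIN_TRIES
            return b"", SW_OK
        self.tries_left, self.pin_verified = self.tries_left - 1, False
        return b"", SW_AUTH_BLOCKED if self.tries_left == 0 else 0x63C0 | self.tries_left

    def _read_binary(self, apdu):
        # Demo convention: P1 carries the object tag (ISO uses P1/P2 for a file offset).
        obj = CARD_CONTENT.get(self.selected, {}).get(apdu.p1)
        if obj is None:
            return b"", SW_NOT_FOUND
        if obj[1] and not self.pin_verified:   # protected object before VERIFY
            return b"", SW_SECURITY_NOT_SATISFIED
        return obj[0][:apdu.le or len(obj[0])], SW_OK

# Host-side (middleware) helpers that build the APDUs a BSI-style layer would send.
def select(card, aid):
    return card.transmit(bytes([0x00, INS_SELECT, 0x04, 0x00, len(aid)]) + aid)
def verify(card, pin):
    return card.transmit(bytes([0x00, INS_VERIFY, 0x00, 0x80, len(pin)]) + pin)
def read_object(card, tag):
    return card.transmit(bytes([0x00, INS_READ_BINARY, tag, 0x00, 0x00]))

def demo():
    card = Card()                                    # returns the status words seen, in order
    trace = [select(card, AID_CREDENTIALS)[1],       # 0x9000
             read_object(card, 0x01)[1],             # certificate, no PIN needed: 0x9000
             read_object(card, 0x02)[1],             # person data before VERIFY: 0x6982
             verify(card, b"000000")[1],             # wrong PIN: 0x63C2 (2 tries left)
             verify(card, b"123456")[1],             # right PIN: 0x9000, counter reset
             read_object(card, 0x02)[1]]             # person data after VERIFY: 0x9000
    card.reset()                                     # power cycle drops the security status
    select(card, AID_CREDENTIALS)
    trace.append(read_object(card, 0x02)[1])         # 0x6982 again
    for _ in range(MAX_PIN_TRIES):                   # three wrong PINs block the card
        verify(card, b"999999")
    trace.append(verify(card, b"123456")[1])         # 0x6983 even with the right PIN
    return trace
```

demo() walks the sequence a middleware layer would drive and returns the status words in order. The points a defender takes from it: public objects such as the certificate are readable by any reader, protected objects are gated by a security status that a power cycle erases, and the retry counter is the one piece of state that persists, so repeated wrong PINs end in 0x6983 rather than an unbounded guessing loop; this is also what the "match on card instead of PIN" direction in the slides replaces, since the VERIFY step would then compare a live sample on-card rather than a PIN.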