DoD Common Access Card: From Smart Card to Identity Management

Dr. Robert van Spyk, Senior DMDC Consortium Research Fellow
Bill Boggess, Chief, Access & Authentication Technology Division (AATD), DMDC

GlobalPlatform Business Seminar
Toronto, August 21, 2002

Topics

1. Context: Challenges Met

2. Learnings: Challenges Ahead

3. Paradigm Shift: from Smart Card to Identity Management

Context: Challenges Met

The Decision

• I.D. card for:
  – Active military
  – Selected Reserves
  – DoD civilians
  – “Inside the wall” contractors
• Physical and logical access
  – Authentication keys
• Military ID card infrastructure

Common Access Card

November 10, 1999

Memo from Dr. John Hamre (Deputy Secretary of Defense): Create a Common Access Card

Card Architecture Goals

Requirements:
• Java 2.1
• Global Platform
• Interoperability Specification (BSI)
• 32K EEPROM
• FIPS 140-1 Level 2 Certification

Goals:
• Security
• Multi-application
• Multiple vendors
• Interoperability
• Post issuance
• Best commercial practices
• COTS
• Cost effective

(Diagram label linking the two lists: RESULTED IN)

What are DEERS and RAPIDS?

DEERS: Defense Enrollment Eligibility Reporting System
• Database with 23 million records providing:
  – Accurate and timely information on all eligible uniformed service members (active, reserve, retired), their families and DoD civilians
• Detailed information on DoD benefit program eligibility

RAPIDS: Real-time Automated Personnel Identification System
• Application that produces the ID card
  – Automated ID card system for military, retirees and their families
  – Joint, total force, multi-national and worldwide

DEERS and RAPIDS are independent but closely coupled established systems which provide eligibility information for DoD benefits.

The Business Problem: DMDC Person Repository

DEERS Population                                          Size
Sponsors (Active, Reserves, Retired, Civil Servants)       8,467,411
Previous Sponsors (Separatees with MGIB)                   4,000,000
Family Members                                            10,695,181
Total                                                     23,162,592

Where Are We Today

• 883 Workstations in 466 Locations
• 787,456 Cards issued as of 30 June (current trend issuing around 7,000 cards per day)

Toward the Million Mark

787,456 CACs issued as of 30 June

Chart: CACs issued by component (U.S. Navy, U.S. Army, U.S. Marine Corps, U.S. Air Force, U.S. Coast Guard, DoD Agencies, Other). Segment values as extracted: 303,017; 217,493; 90,993; 137,899; 5,644; 23,037; 9,373. These sum to 787,456; the extraction does not preserve which value belongs to which component.

Infrastructure

DEERS/RAPIDS is a person-based DoD benefit delivery system.
• DEERS: over 25,000 users throughout DoD
• RAPIDS: 1318 workstations at 878 sites in 13 countries
• Army, Navy, Air Force, Marine Corps, Coast Guard, NOAA, Public Health
• Over 1.5 million transactions a day

Learnings: Challenges Ahead

Chart: Technology Adoption. Y axis: Percentage of Ownership (0 to 100). X axis: Years after Invention (0 to 120). Series: Electricity (1873), Telephone (1876), Automobile (1886), Radio (1905), Cell Phone (1983), PC (1975), Internet (1975), Smartcard (1980).

Learnings

1. The card is the tip of the application and IT infrastructure iceberg

2. Standards Mandatory for Interoperability

3. Introduction is not the same as Adoption

4. The card is about Identity

1. Network Infrastructure

• CA access is critical for CRL and issuance

• Network performance impacted by several layers of security.

• Workstations converted to Win2K and Active Directory for integrated management; legacy systems problematic (e.g. Y2K conversion)

• TNG and other tools for monitoring

PKI Enabling Non-Trivial

• Legacy applications and OS versions
• Some work: Outlook 2000, Netscape, IE, but only in latest versions
• Requires extensive user training
• Requires local CA for single login application
• Multiple dependencies across network with server security and S/MIME, SSL, SSH, Kerberos, etc.

2. Standards

Made great progress with standards:
• GP version 2.01 and Compliance Testing
• GSC-IS version 2.0 published July 2002 includes
  – Card Edge Interface (CEI)
  – Basic Services Interface (BSI)
  – Extended Services Interface (XSI)
• Java 2.1 version but with proprietary implementations

Interoperability Elusive

• No middleware agreement, hence continued dependence on vendor-specific software for accessing containers

• Standards options lead to incompatible implementations

• FIPS and other certifications costly

Interoperability Solutions

The DoD Strategy:

• Embrace standards where they exist and stretch requirements so that standards work for the application. Examples: PKCS#11, PC/SC

• Adopt industry best practices as de facto standards. Examples: Global Platform, Java Card

• Publish specifications and distribute freely. Example: the card edge specifications for our applets were published

• Develop interfaces that are provided to anyone interested in developing or adapting applications to work with our card system. Example: Basic Services Interface (BSI)

3. Adoption

• Security alone not compelling to most
• Requires customer awareness and marketing; DoD has a younger demographic
• Quality of Life enhancement
• Multi-purpose

Paradigm Shift: from Smart Card to Identity Management

4. Paradigm Shift: Identity Management

To know, unequivocally, the identity and privileges of an object (person or device) in real time.

The credit card industry has long recognized the issue:
• 1960’s: the card looks good; use the embosser
• 1970’s: I need to get authorization for this purchase; central system verification
• Present: all transactions authenticated; network-based, always-on connection to the central system

Case for a New Paradigm

Physical access is at the 1960’s stage: it looks like a good card.

Lots of cards …
• Lots of credit/debit cards: different PINs, different procedures, different acceptance and capabilities
• Lots of ID cards: different trust and authentication levels; visual evidence of your authorizations, memberships, affiliation

Today

The Vision

Image: sample card (Armed Forces of the United States Geneva Conventions Identification Card, marked SAMPLE) for “Parker IV, Christopher J.”, Marine Corps Active Duty, issue date 1999SEP03, expiration date 2003SEP01, pay grade O5, rank LTCOL.

One card, or a few cards: an integrated identity solution
• Based on strong authentication
• Incorporating biometrics
• Able to perform multiple functions

• Chain of trust in the identity end to end - key role for biometrics

• Independent verification wherever and whenever possible - authoritative confirming records

• Single identity repository that reconciles alternative views of the identity - person id services

• Multi-factor authentication at boundaries - the more the better

• Secure solutions for both the token/card and the central system - especially the biostore

What are the components of a strong system?

Components for Success

1. Enrollment Process: face-to-face and biometric identification for ENROLLMENT (RAPIDS)
2. Unique & Persistent Identity Info: maintain DoD-wide IDENTITY (DEERS)
3. Third-Party Trust: store digital certificates for AUTHENTICATION (Certificate Authority)

Components for Success

Chain of Trust: where we are going in DoD … role of biometrics

• Initial capture at application for military service: digital prints to FBI and to DMDC biostore; records check, face-to-face authentication, National Agency Check
• Entry onto military service: stored biometric checked against live scan before initial ID card issued
• Periodically: member biometrically authenticated on ID card reissue, every three years
• Physical access systems: multi-factor authentication including a biometric in high security areas or under high threat conditions

Components for Success

Biometrics Issues

Future Directions for CAC

• Biometrics Match on Card used instead of PIN

• Biometrics use as an Access Control Process for using applets on the card. This will be for both on and off card matching scenarios and will be vendor neutral

More work has to be done to protect biometric stores.

Summary

Path Forward

• Increased emphasis on standards as prerequisite to interoperability and hence market share

• DOD focus on Identity

• IT infrastructure transformation exceeds Y2K effort

• It is not the technology: it is the customer’s quality of life

Contact

Dr. Robert van Spyk, [email protected], 831-583-2500 ext. 5576
Bill Boggess, [email protected], 831-583-4170

Additional Slides

Diagram: card architecture, three stacks from chip to application.

Native smartcard (file-system card):
• Smart Chip Hardware
• Card OS (proprietary)
• Hierarchical file system (ISO 7816-4); file system API (7816-5)
• DATA (PKCS#15)
• Card Edge API (APDU)
• Middleware with vendor extensions (crypto)
• Application

Java Card with card-issuer-specific middleware:
• Java Card JCRE 2.1.1 Virtual Machine API
• Global Platform 2.01 Card Manager, Applet Loader & Manager
• Applets, each with its DATA
• Card Edge API (APDU)
• BSI/XSI
• Application / Middleware, card issuer specific

Java Card with generic middleware:
• Interoperable Directory Structure, API
• Card Edge API (APDU)
• BSI/XSI
• Application / Generic Middleware

Directory structure points at credentials and other objects:
• CCC Card Info Container
• App Directory Container
• App Containers, holding a Key Object, Cert Object, Data Object or Authent Object
• Each container can store several objects
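The slide above has the directory structure point at Key, Cert, Data and Authent objects, with every access crossing the Card Edge as APDUs. As an added example (not DoD or CAC code), a toy Python card using ISO 7816-4 instruction codes (SELECT 0xA4, VERIFY 0x20, READ BINARY 0xB0) and status words shows the security-relevant behaviour the middleware must handle: a protected container refuses reads with 6982 until the authentication object (a PIN here) is satisfied, reports remaining tries as 63Cx, and blocks with 6983 after three failures. The container file ids, PIN and certificate bytes are constructed.

```python
# Toy ISO 7816-4 style card: an added model, not DoD/CAC code.
# INS codes and status words follow ISO 7816-4; container file ids,
# the PIN and the certificate bytes are constructed for illustration.
MAX_RETRIES = 3

class ToyCard:
    def __init__(self):
        # App Containers: the object is "protected" when an Authent Object
        # (here a PIN) must be satisfied before a Key/Cert Object is read.
        self.containers = {
            b"\x01\x00": {"data": b"CONSTRUCTED-CERT-DER", "protected": True},
            b"\x02\x00": {"data": b"CARD-INFO-PUBLIC", "protected": False},
        }
        self.pin = b"123456"           # constructed sample PIN
        self.retries = MAX_RETRIES
        self.verified = False
        self.selected = None

    def transmit(self, apdu: bytes) -> bytes:
        """Handle one command APDU (CLA INS P1 P2 [Lc data] [Le])."""
        ins = apdu[1]
        data = apdu[5:5 + apdu[4]] if len(apdu) > 5 else b""
        if ins == 0xA4:                         # SELECT by file id
            if data in self.containers:
                self.selected = data
                return b"\x90\x00"
            return b"\x6A\x82"                  # file not found
        if ins == 0x20:                         # VERIFY (PIN)
            if self.retries == 0:
                return b"\x69\x83"              # authentication method blocked
            if data == self.pin:
                self.retries, self.verified = MAX_RETRIES, True
                return b"\x90\x00"
            self.retries -= 1
            return bytes([0x63, 0xC0 | self.retries])  # 63Cx: x tries left
        if ins == 0xB0:                         # READ BINARY
            obj = self.containers.get(self.selected)
            if obj is None:
                return b"\x69\x86"              # no file selected
            if obj["protected"] and not self.verified:
                return b"\x69\x82"              # security status not satisfied
            return obj["data"] + b"\x90\x00"
        return b"\x6D\x00"                      # INS not supported

# Middleware-side helpers (the slide's Card Edge API) that build the APDUs.
def select(card, fid):  return card.transmit(b"\x00\xA4\x00\x00" + bytes([len(fid)]) + fid)
def verify(card, pin):  return card.transmit(b"\x00\x20\x00\x80" + bytes([len(pin)]) + pin)
def read_binary(card):  return card.transmit(b"\x00\xB0\x00\x00\x00")
```

A match-on-card biometric, as the slides propose in place of the PIN, would sit at the same VERIFY step and gate the same objects.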