Article - Issue 12, May 2002
Introducing smart cards and digital identity on a large scale: A project of the US Department of Defense
With over four million personnel involved, the introduction of smart identity cards by the US Department of Defense is the largest project of its kind. The sheer number of people involved and the security implications of the project raise particular challenges. Ramanuj Banerjee explains the way in which these challenges are being tackled and overcome.
To conform with the Government’s Common Access Card (CAC) program, the US Department of Defense (DoD) has had to move quickly to introduce a system that will see around 4.3 million personnel issued with a ‘standardised smart card’ by October 2002. These staff include military service personnel and certain military reserves, as well as civilian employees and contractors who work within the security zone of the DoD.
A single common access card serves a variety of needs. It must establish the identity of the carrier, but may also allow them to encrypt/decrypt e-mail, and selectively gain access to buildings or areas within the workplace. There are other, less general uses, which may be of value to the wider organisation, confined to a small group or required for a particular task. Such applications include the efficient preparation of personnel manifests, determining deployment readiness and the rapid and accurate identification of medical/dental records. The variety of purposes for which the CACs are used and the sheer number of card-holders within the scheme mean that the DoD has had to develop a highly innovative system, one of the largest and most complex yet to be devised.
The nature of the DoD system and its timetable have been governed by US legal requirements and the DoD’s own directives. These internal directives require:
improved network security
secure e-mail communications
streamlining of business functions
benefits to the cardholder.
The CAC system makes use of multiple credentials, cryptographically stored passwords and available demographic data, bringing these together to achieve the aims of the project.
Many private sector companies are now taking advantage of the infrastructural advances and digital identity products that have arisen from the DoD project. Companies such as Hewlett-Packard and British Telecom have followed the DoD’s example, hoping to capitalise in a more commercial fashion on the benefits conferred by an efficient, company-wide CAC system.
For the US DoD, one of the greatest challenges in implementing the program was coping with the large number of staff involved and the way in which they were scattered throughout the world. To issue multi-application cards to millions of carriers across the globe and maintain them throughout the lifetime of each card requires quite an operation; to do so securely raises a whole new set of challenges.
In the event, the DoD set up some 1500 card-issuing workstations, located at 900 sites in 13 countries. It was necessary for these dispersed workstations to be centrally coordinated, with each one being connected, via real-time communication link, to the central host computer responsible for the CAC system as a whole. This DoD host also provides an interface with other DoD systems, such as the personnel database and the certificate server, systems which may themselves be on other, dispersed sites.
There are many reasons why the smart cards may need to be updated once they have been issued, and a variety of groups may need the means to make such changes (known as ‘post-issuance card updates’ in the DoD). Once again, the challenge is to provide a secure means by which such agencies can download the card data, update it, delete or add functionality as required. If, for example, it is decided after the CAC system has been implemented, that the Army can use the smart card to monitor armoury accountability, the data for this function will need to be downloaded to individual cards at all sites employing Army personnel.
Initialisation prior to issue
Before they are shipped to DoD sites, ‘blank’ smart cards need to be initialised by the manufacturer with their own GlobalPlatform master key sets, and with Java applications software (“applets”). Once they arrive at the site of issue, cards are tested by a security officer who then verifies the integrity of each batch of cards and their applets. Each batch that is approved then has a profile created for it using the ‘batch import utility’ provided by the system, and the resulting database objects recorded by the DoD’s central issuance portal (see Figure 3). Once these procedures are complete the cards from a particular batch are ready to be personalised and issued to users.
Security is naturally a priority in handling such smart cards, and security measures need to cover the cards from manufacture to disposal. With the US DoD, its suppliers are required to adopt systems and measures that accord with DoD policy on ordering, processing, packaging and delivering the smart cards. Digital security keys are protected prior to issuing the cards by observing standard key management practices and by the use of a hardware security module, or smart-card-based equivalents to such a module.
With such a large operation, the US DoD obtains cards from a number of suppliers. Procurement is streamlined using the department’s own inventory and logistics portal. This web-based system tracks all cards, from the moment they are ordered throughout their existence, thus automating at a detailed level, the ordering and stocking of new cards.
Issuing smart cards
For a card to be issued both the prospective cardholder and a verification officer (VO) must be present. It is the VO’s responsibility to check the identity details provided by the applicant’s site of employment (this may be a local support detachment, badging office, command office or whoever deals with personnel matters) and only when satisfied, enter the details to enrol the applicant and then issue the card. Cards can be issued from any location with a card-issuing workstation and a verification officer, including self-contained mobile units located in vehicles and similar arrangements onboard ships.
The DoD has established well defined procedures and roles to ensure the security of the whole CAC system. The officers responsible for each role together enforce proper use and maintenance of the cards. The VOs are given ‘operator group’ rights that permit them to use the card-issuing workstations.
Four main components are involved in the issuing of cards to new cardholders:
The above components interact with one another via secure SSL v3.0 data connections; with remote workstations this is likely to be achieved through the Internet (see Figure 3).
The process of personalisation consists of two elements:
Logical personalisation is the injection of applications, credentials and personal identification numbers (PIN) into the ‘blank’ applet instances that were put on the card by the manufacturer.
Physical personalisation is the process that physically prints details (such as name, rank, pay grade and a photograph of the subject) onto the surface of the card.
Before a card is personalised the VO authorised to issue it must confirm the identity of the person to whom the card is to be issued; they must also authenticate their own identity and authority to the issuance portal and DEERS using their own, special card. Successful authentication establishes a secure SSL v3.0 channel from RAPIDS to both DEERS and the issuance portal, and from the issuance portal to the certificate server (see Figure 3).
Logical personalisation occurs very rapidly once the VO has launched the process. The issuance portal transparently validates each of the steps described below before they are executed, ensuring that each is legitimate according to the VO’s privileges.
Once logical personalisation is complete the RAPIDS terminal connects to a card printer to carry out physical personalisation.
A single CAC card profile acts as a blueprint which controls all the operations involved in issuing cards. The system employs advanced auditing features which log details of the VO, the individual card being issued and all commands and content changes. Complete audit logs are sealed in a tamper-evident audit manager within the issuance portal.
Communication within the network relies upon standards-based security technologies and protocols to provide complete protection of data during transmission, much of which is over open networks, such as the Internet. The issuance portal connects to the Internet behind layered firewalls. To ensure secure communications, GlobalPlatform, Internet Engineering Task Force (IETF) and National Institute of Standards & Technology (NIST) standards are employed.
Use of smart cards
For a CAC to be used with a PC, the system must have the CAC-approved client integration middleware that handles the interface between the card and the PC’s applications. This advanced software provides a highlevel interface to the PKI credentials and login passwords that are stored on the smart card. The middleware allows the cryptographic routines stored on the card to interact with networked applications software available through the PC. The client middleware facilitates the issuing of smart cards, their management and control and in addition contributes to overall network security.
Once in use the DoD smart card has many applications:
The PKI user credentials provide the details for a two-factor security login, which is used to gain remote access to various systems via a secure website. Where appropriate, cards allow access through firewalls to networks that contain sensitive information, such as the Navy Marine Corps Intranet (NMCI) and the DoD’s Non-classified Internet Protocol Router Network (NIPRNet).
Using PKI e-mail encryption credentials the users can attach legally enforceable digital signatures to their e-mails.
PKI encryption is used to protect confidential (but not mission-critical) e-mail.
Cryptographic passwords control login to Windows, Novell, on-screen dialogues and HTML forms.
Control of PIN number authentication allows the cardholder to access help and manage their own PIN details using their smart card.
Instant access to demographic, health and benefit data allows administrators to minimise paperwork when allocating personnel to various DoD duties.
Access credentials stored on the card control entry to installations, buildings and other restricted spaces.
Individual DoD departments must comply with a formal procedure when they wish to have a new application added to the CAC. The DoD authorises alterations and additions when it is satisfied that the approval criteria have been met. Defense agencies and the armed forces are already testing various applications to take advantage of the remaining card space. As the DoD approves department-specific applications the CAC will be used to streamline a variety of personnel and logistics management operations, such as quarter-deck control and warrior readiness.
Updating smart cards once they are in use
The ability to update cards from a wide range of locations enables the DoD to maintain smart cards in an accurate, and therefore useful, state once they have been issued to personnel. PIN numbers may need to be unlocked, changes made to PKI credentials and demographic data, or to renew e-mail addresses; and certificates and applets carried by the card need maintenance. Updating is performed via the secure channel protocol in compliance with GlobalPlatform standards.
The system used to update cards consists of three components: CACcompliant software for the PC, the Maintenance Portal (a self-administration website) and the Post- Issuance User Portal (see Figure 4).
Using their own PCs, cardholders access the Post-Issuance User Portal via the Maintenance Portal website. Login to the User Portal requires a valid ID certificate, previously issued from a RAPIDS workstation. The User Portal is seamlessly integrated with the issuance portal (see Figure 2) When a cardholder requests an update from the User Portal for the first time, the system retrieves the record for that card from the issuance portal database and writes it to its own database. It then performs the update request and updates the record in its own database.
The issuance portal and User Portal enable certain content management operations to be delegated to DoD departments and agencies or to the cardholders themselves. Updates can be performed in one of three ways:
Cardholders can bring their cards to a verification officer (VO), who updates the applets and credentials by connecting to the issuance portal using their RAPIDS workstation.
Cardholders can themselves access the User Portal via the Maintenance Portal website, possible from their own PC. Working in this way they can update, download and delete card applications as required.
Although it is not possible at present, there are plans for automatic card content updates. This advanced function will mean that cardholders will need only to establish their identity to the User Portal and issue a synchronisation command from their PC for a complete, automatic update to be performed.
The issuance portal allows the DoD to ‘federate’ the management of applications carried by the card, and still comply with GlobalPlatform standards. This means that many agencies, once they are authorised to do so, can provide and manage their own applications on a single DMDCissued smart card. The Java Card applets each have their own, independent cryptographic control, so only the provider of a particular application can load, update and delete their own applet, although it is on a ‘shared’ smart card.
The US Department of Defense’s CAC program is one of the first global, large-scale, ID badge programs that enable management of card-based credentials throughout a card’s lifetime. It is also significant because it encompasses a wide range of applications on a single card. Its success suggests that such smart cards may be the ideal solution to providing and protecting user credentials. Such smart cards may indeed soon be seen as essential in governing access to logical systems and secure facilities.
The initial adoption of a system such as the CAC described here can be considered costly; however this must be set against the administration savings and increased security achieved. In this case the DoD has eliminated the need for separate management, back-ups, administrators and budgets by consolidating user credentials and applications on to a single card, maintained by a single system. In this way the DoD is realising a solid return on its initial investment in the CAC program.
The initial adoption of a system … as … described here can be considered costly; … this must be set against the administration savings and increased security achieved.
Director of Technical Consultancy, Activcard, INC.
Ramanuj Banerjee is Director of Technical Consultancy for ActivCard, Inc. ActivCard provides digital identity and authentication solutions that enable enterprises to securely provision and use a variety of credentials for multiple business applications. ActivCard is the leading provider for the US Department of Defense smart card ID badge program, and other enterprise customers such as Hewlett- Packard®, Sun® Microsystems, British Telecom, Citigroup®, and Cable & Wireless. Email: firstname.lastname@example.org