Uncommon Access

The Common Access Card - a key, an ID, a password, and a signature all in one - unlocks the door to a whole new way of doing business.

While the debate intensifies about whether the country needs a national identification card, the Defense Department is proceeding with an ambitious plan to put high-tech IDs in the hands of its 4 million employees. Soon, all soldiers, sailors, airmen and civilians will access computers, sign out weapons, purchase food, requisition supplies and identify themselves with the simple swipe of a card.

The Common Access Card, known as the CAC, is equipped with its own memory and a microchip that processes data. Initially, the CAC will replace the current generation of photo ID cards. Members of the armed services have long had official IDs. But now, for the first time, all active duty service members, reservists, Defense civilians and contractors will be issued a standard card. "This is a big change," says Al Edmonds, president of EDS Government Solutions, one of the information technology contractors working on the program. "DoD has always kept military and civilian identification systems very separate."

In addition to functioning as a photo ID, the CAC works with building access systems. A magnetic stripe on the back of the card holds information about where the holder is allowed to go in military buildings. Most importantly, the CAC carries a set of coded credentials; when it's inserted into a smart card reader, it replaces the computer password, which Defense officials now see as a security risk.

"There is so much potential in how one uses the Common Access Card," says Mary Dixon, director of the Access Card Office at the Defense Manpower Data Center, the organization that oversees departmentwide personnel programs. Dixon's office is managing deployment of the CACs. She says 163,000 cards have already been issued and that by the middle of 2003, every employee eligible to receive the CAC will have one. Each card costs the department $7.

Getting millions of cards into the hands of personnel stationed all over the world is no easy task. Defense already has an elaborate system for doling out ID cards. This system, in place at more than 900 installations worldwide, has been updated to issue the new cards and ensure that they are impossible to duplicate and distribute illicitly.

But there is more to the CAC program than just the cards. The military services must purchase smart card readers and the computer software needed to use the cards. The Navy, for instance, included smart card readers as a basic requirement in the Navy Marine Corps Intranet IT outsourcing contract. Now, as the card readers are deployed, the CAC will open doors to another far-reaching Defense IT effort: the department-wide public key infrastructure (PKI). This is a system for authenticating the identities of computer users, producing electronic signatures and protecting data from prying eyes while in transit over a computer network.

New Applications

Not all smart cards are created equal, says Ant Allan, a research director at the Gartner Group, a market-research firm based in Stamford, Conn. The term "smart card" is used to refer to two distinct kinds of technology, he says. The first is a simple memory card, which contains a chip on which data can be written and overwritten. The second is a more advanced card that features, in addition to its own memory, a microchip that processes data without help from a personal computer or a smart card reader. This onboard processing is vital for the Defense PKI, which requires users to have a set of special, randomly generated credentials, known as "private keys" and "digital certificates," that are stored on the CAC and never transferred off it. "You never want anyone to have access to the private key," says Dave Wennergren, the Navy's deputy chief information officer and the chair of Defense's smart card senior coordinating group. "Using smart cards to carry digital certificates was a marriage made in heaven."

When the CAC is issued, a certificate is stored in the card's memory. And because the certificate is tied to the cardholder's identity, CAC issuers demand to see all personnel in person and require multiple forms of identification before creating a new ID card. Gatekeeper computer systems then use the public key certificates to determine which systems the cardholder is allowed to access. For the system to realize its potential, "you have to have applications in place that are able to consume a certificate," says R. Michael Green, director of the Defense PKI Program Management Office and an employee of the National Security Agency. For example, Defense is working to fuse its PKI and its e-mail systems so that e-mails sent from one person can only be opened by the designated recipient. The long-delayed Defense Travel System will be one of the first Defense-wide applications to depend on the PKI. Service members will be able to electronically sign their travel vouchers using the integrated systems, eliminating the need for paper-based signatures. The department "has moved from paper to plastic," Wennergren says.

Card Smart

Dixon says at least five applications already implemented by the Air Force and the Navy use earlier generations of smart cards. They are being updated to use the CAC and will be models for future smart card uses. One of these is the Standard Asset Tracking (SATS) program, currently in use at 40 Air Force bases worldwide. SATS, which was deployed in 1996, is a paperless supply system created by the Air Force to streamline the aircraft parts requisitioning process.

"Once the SATS application was supported by the Common Access Card program, there was no need for a stand-alone smart card," says Peter Langworthy, director of the Automatic Identification Technology Center at Northrop Grumman Information Technology, based in Herndon, Va. Northrop Grumman IT built the initial SATS system and is working to replace the custom smart cards with the CAC.

SATS has already shown the benefits of smart-card technology. Before the system was implemented, Air Force supply clerks were handed a bundle of forms with every delivery of parts. Now, the clerk simply brings along a bar code scanner that doubles as a smart card reader. After the clerk scans a bar code on the product, the requisitioner presents the clerk with a smart card containing information about what supplies he or she is authorized to receive. Finally, the person receiving the supplies must type in a password proving it is their smart card that is being read. This step also serves as an electronic signature.

Langworthy says recent studies show the SATS system has led to a 96 percent reduction in paperwork. He also says SATS has virtually eliminated supply fraud and prevented certain supplies from being delivered to unauthorized airmen. Finally, the system has cut the time it takes to issue supplies by 81 percent, Air Force officials say.

As the CAC is used for additional applications, Dixon is looking forward to adding new features. Defense plans to issue cards loaded with biometric data: fingerprints, palm prints, iris scans or facial features. With this extra data, Dixon hopes to double the amount of memory on a CAC from 32 kilobytes to 64 kilobytes.

Dixon also expects Defense to move beyond magnetic stripe-based building access systems. She says the goal is to install systems that communicate with the CAC from a distance, via radio waves. Such a solution is six months away from being chosen, she says, and three to five years away from full implementation.

Because each CAC has a life span of only three years, Dixon says that in all the projects her team takes on, they must make sure that what they do "tomorrow will not make what was done yesterday obsolete."
