
1 DoD Common Access Card: From Smart Card to Identity Management
Dr. Robert van Spyk, Senior DMDC Consortium Research Fellow
Bill Boggess, Chief, Access & Authentication Technology Division (AATD), DMDC
GlobalPlatform Business Seminar, Toronto, August 21, 2002

2 Topics
1. Context: Challenges Met
2. Learnings: Challenges Ahead
3. Paradigm Shift: from Smart Card to Identity Management

3 Context: Challenges Met

4 The Decision
November 10, 1999 memo from Dr. John Hamre (Deputy Secretary of Defense): Create a Common Access Card
I.D. card for:
–Active military
–Selected Reserves
–DoD civilians
–“Inside the wall” contractors
Physical and logical access
–Authentication keys
Military ID card infrastructure

5 Card Architecture
Goals: Security; Multi-application; Multiple vendors; Interoperability; Post issuance; Best commercial practices; COTS; Cost effective
RESULTED IN
Requirements: Java 2.1; Global Platform; Interoperability Specification (BSI); 32K EEPROM; FIPS 140-1 Level 2 Certification

6 What are DEERS and RAPIDS? The Business Problem
DEERS (Defense Enrollment Eligibility Reporting System): database with 23 million records providing:
–Accurate and timely information on all eligible uniformed service members (active, reserve, retired), their families and DoD civilians
–Detailed information on DoD benefit program eligibility
RAPIDS (Real-time Automated Personnel Identification System): application that produces the ID card
–Automated ID card system for military, retirees and their families
–Joint, total force, multi-national and worldwide
DEERS and RAPIDS are independent but closely coupled established systems which provide eligibility information for DoD benefits

7 DMDC PERSON REPOSITORY – DEERS Population (DEERS size)
Sponsors (Active, Reserves, Retired, Civil Servants): 8,467,411
Previous Sponsors (Separatees with MGIB): 4,000,000
Family Members: 10,695,181
Total: 23,162,592

8 Where Are We Today
883 Workstations in 466 Locations
787,456 Cards issued as of 30 June (current trend issuing around 7,000 cards per day)

9 Toward the Million Mark

10 DEERS/RAPIDS is a Person Based DoD Benefit Delivery System
DEERS – over 25,000 users throughout DoD
RAPIDS – 1318 workstations at 878 sites in 13 countries
Infrastructure: ARMY, NAVY, AIR FORCE, MARINE CORPS, COAST GUARD, NOAA, PUBLIC HEALTH
OVER 1.5 MILLION TRANSACTIONS A DAY

11 Learnings: Challenges Ahead

12 Technology Adoption (chart: Percentage of Ownership vs. Years after Invention) for Electricity (1873), Telephone (1876), Automobile (1886), Radio (1905), Cell Phone (1983), PC (1975), Internet (1975), Smartcard (1980)

13 Learnings
1. The card is the tip of the application and IT infrastructure iceberg
2. Standards are mandatory for interoperability
3. Introduction is not the same as adoption
4. The card is about identity

14 1. Network Infrastructure
CA access is critical for CRL and issuance
Network performance impacted by several layers of security
Workstations converted to Win2K and Active Directory for integrated management: legacy systems problematic (e.g. Y2K conversion)
TNG and other tools for monitoring

15 PKI Enabling Non-Trivial
Legacy applications and OS versions
Some work: Outlook 2000, Netscape, IE, but only in latest versions
Requires extensive user training
Requires local CA for single login application
Multiple dependencies across network with server security and S/MIME, SSL, SSH, Kerberos, etc.

16 2. Standards
Made great progress with standards:
GP version 2.01 and Compliance Testing
GSC-IS version 2.0 published July 2002 includes
–Card Edge Interface (CEI)
–Basic Services Interface (BSI)
–Extended Services Interface (XSI)
Java 2.1 version but with proprietary implementations

17 Interoperability Elusive
No middleware agreement, hence continued dependence on vendor-specific software for accessing containers
Options within standards lead to incompatible implementations
FIPS and other certifications costly

18 Interoperability Solutions – The DoD Strategy
Embrace standards where they exist and stretch requirements so that standards work for the application – examples: PKCS11, PCSC
Adopt industry best practices as de facto standards – examples: Global Platform, Javacard
Publish specifications and distribute freely – example: the card edge specifications for our applets were published
Develop interfaces that are provided to anyone interested in developing or adapting applications to work with our card system – example: Basic Services Interface (BSI)

19 3. Adoption
Security alone not compelling to most
Requires customer awareness and marketing – DOD has younger demographic
Quality of Life enhancement
Multi-purpose

20 Paradigm Shift: from Smart Card to Identity Management

21 4. Paradigm Shift: Identity Management To know, unequivocally, the identity and privileges of an object (person or device) in real time.

22 Case for a New Paradigm
Credit card industry has long recognized the issue:
–1960’s – The card looks good – use the embosser
–1970’s – I need to get authorization for this purchase – central system verification
–Present – all transactions authenticated – network based, always-on connection to central system
Physical access is at the 1960’s stage – it looks like a good card

23 Case for a New Paradigm – Today
Lots of cards…
Lots of credit/debit cards…
–Different PINs, different procedures
–Different acceptance and capabilities
Lots of ID cards…
–Different trust and authentication levels
–Visual evidence of your authorizations, memberships, affiliation

24 The Vision
(Image: sample Armed Forces of the United States Geneva Conventions Identification Card – Parker IV, Christopher J.; Marine Corps, Active Duty; Rank LTCOL; Pay Grade O5; Issue Date 1999SEP03; Expiration Date 2003SEP01; SAMPLE)
One card or a few cards
Integrated identity solution
Based on strong authentication
Incorporating biometrics
Able to perform multiple functions

25 Components for Success – What are the components of a strong system?
Chain of trust in the identity end to end – key role for biometrics
Independent verification wherever and whenever possible – authoritative confirming records
Single identity repository that reconciles alternative views of the identity – person id services
Multi-factor authentication at boundaries – the more the better
Secure solutions for both the token/card and the central system – especially the biostore

26 Components for Success
1. Enrollment Process – Face to Face and Biometric Identification for ENROLLMENT (RAPIDS)
2. Unique & Persistent Identity Info – Maintain DoD-Wide IDENTITY (DEERS)
3. Third-Party Trust – Store Digital Certificates for AUTHENTICATION (CERTIFICATE AUTHORITY)

27 Components for Success – Chain of Trust: where we are going in DoD, role of biometrics
Initial capture at application for military service – digital prints to FBI and to DMDC biostore; records check, face to face authentication, National Agency Check
Entry onto military service – stored biometric checked against live scan before initial ID card issued
Periodically – member biometrically authenticated on ID card
Reissue – every three years
Physical access systems – multi-factor authentication including a biometric in high security areas or under high threat conditions

28 Biometrics Issues – Future Directions for CAC Biometrics
Match on Card used instead of PIN
Biometrics used as an access control process for using applets on the card; this will be for both on-card and off-card matching scenarios and will be vendor neutral
More work has to be done to protect biometric stores

29 Summary – Path Forward
Increased emphasis on standards as prerequisite to interoperability and hence market share
DOD focus on Identity
IT infrastructure transformation exceeds Y2K effort
It is not the technology: it is the customer’s quality of life

30 Contact
Dr. Robert van Spyk – vanspyrp@osd.pentagon.mil – 831-583-2500 ext. 5576
Bill Boggess – boggesbf@osd.pentagon.mil – 831-583-4170

31 Additional Slides

32 (Diagram: native smart card architecture stack, bottom to top)
Smart Chip Hardware
Card OS (proprietary)
ISO 7816-4 hierarchical file system / ISO 7816-5 API
Native Smartcard DATA (PKCS#15) file system
Card Edge API (APDU exchange)
Middleware – card issuer specific, with vendor extensions and crypto
BSI/XSI
Application

33 (Diagram: Java Card / Global Platform architecture stack, bottom to top)
Java Card JCRE 2.1.1 Virtual Machine and API
Global Platform 2.01 Card Manager – Applet Loader & Manager
Interoperable Directory Structure API
Applets with DATA
Card Edge API (APDU exchange)
Generic Middleware
BSI/XSI
Application
Directory structure points at credentials and other objects: CCC, Card Info Container, App Directory Container, and App Containers holding Key Objects, Cert Objects, Data Objects and Authent Objects. Each container can store several objects.
