Smart-card rollout might need more time

DOD has issued smart Common Access Cards to 2.5 million users and wants to add functions.

Olivier Douliery

The Defense Department has until October to issue smart cards to 4 million users, but a senior official has recommended that DOD extend the deadline to early next year.

Currently, 2.5 million DOD users'active-duty military service members, civilian and contract workers, and some reservists'have the Common Access Card, a public-key encryption-enabled smart card for network authentication and digital signatures.

Betsy Appleby, project manager for the Public-Key Enablement Program at the Defense Information Systems Agency, said DOD would likely need more time to distribute the rest of the cards.

DOD's plan for public-key infrastructure technologies will be spelled out later this month when Defense CIO John Stenbit meets with the department's PKI program manager, R. Michael Green.

'The goal of the PKI program is to enhance the business processes and improve the information assurance posture of the DOD through widespread use of PKI-enabled applications,' said Jim Degenford, PKI program management office advocate. 'PKI is not just a set of keys and a smart card. It's a whole set of personnel [policies and] procedures to bind user names to electronic keys so that applications can provide desired security service.'

The Defense PKI Office is looking ahead to the next wave of PKI for securing e-mail, Degenford said. The office also plans to add biometrics to the smart cards.

The cards use the Java Card run-time environment on chips with 32K of RAM. The next generation of cards will carry 64K chips, Degenford said last month at a conference in Alexandria, Va., sponsored by Silanis Technology of St. Laurent, Quebec.

'Right now we have a baseline PKI. It's functional,' he said.

The next version will have more functions and be more secure, Degenford said, although he declined to discuss the proposal of the next-generation card that Green will present to Stenbit.
New Common Access Cards will be 'more hardened, more robust'to provide more functionality for DOD PKI users,' he said.

It's everyone's business

The department has examined a dozen applications at the Joint Interoperability Test Command at Fort Huachuca, Ariz., to make sure they conform to Defense's PKI requirements. Several more apps will be tested, Degenford said.

Appleby said the Army has rewritten a business process for how troops are mobilized using PKI technologies.

'They have rewritten how to incorporate digital certificates in authorizing the mobilization of troops,' she said.

Degenford identified five obstacles facing Defense's expansion of PKI use:
  • Validating PKI certificates

  • Setting a strategy for use of tactical networks and the Secret IP Router Network

  • Assuring funding

  • Approving applications

  • Staying abreast of the technology's evolution.

Two earlier hurdles, settling on smart-card readers and middleware, are resolved, he said.
'PKI is at its best when you don't know it's there. It's in the background, seamless,' Degenford said. 'We're not there yet but we're almost there.'

Still, Degenford warned that 'PKI is not a panacea; it's not a cure-all to your desktop or network concerns.'

'You still have to think about other security [measures]. You still have to lock down your operating systems and have personal firewalls. We need overlapping layers of protection,' he said.

Appleby said DOD must prepare for what she dubbed 'single points of failure' within the program.

For example, about 40 percent of new Common Access Card users have needed to have their PINs reset because they had forgotten their passwords.

Also PKI-enabled devices need to be more mobile, Appleby said.

One example of this effort is the National Security Agency-approved wireless CryptoBerry, a more secure version of the BlackBerry e-mail client from Research in Motion Ltd. of Waterloo, Ontario, used by Army officers.

Some users of the Cryptoberry, which was employed widely in Iraq, complained it was too slow, Appleby said. NSA is working to improve the speed.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.