Common Access Card ready for update
- By Joab Jackson
- Feb 04, 2004
Now that the Defense Department is issuing the last of its first-generation Common Access Cards, the inevitable upgrade cycle is under way.
Mary Dixon, director of the Common Access Card Office at the Defense Manpower Data Center, said the second-generation smart cards may be ready as early as this fall for new entrants and replacement of lost, stolen or worn-out cards.
The cards will have expanded memory and the ability to work with biometric software. They might also be contactless, acting when held near a reader, rather than passing physically through the reader.
So far, the CAC program has issued more than 3.8 million of an estimated 4.5 million cards. With about 12,000 to 15,000 going out each day, the initial round of deliveries should be done by March, Dixon said.
She estimated that the military services have installed up to 2 million PC readers for users to digitally sign e-mail and documents and submit passwords for applications and Web portals. The cards also serve as identification at facilities such as dining halls.
SCM Microsystems Inc. of Fremont, Calif., has delivered 1.5 million card readers to the program, said Jason Schouw, vice president and general manager of American sales.
Both hardware and software upgrades are under consideration, Dixon said. On the hardware side, the office wants cards with 64K of electrically erasable, programmable read-only memory. The cards now have only 32K.
Next summer, the office will seek final approval from DOD's Smart Card Senior Coordinating Group to purchase new cards, Dixon said. The extra memory could be used for public-key infrastructure certificates or for storing revoked encryption certificates a user might still need. Another proposal is to store digital photographs of the card-holders.
'That would be another way to counteract the threat of somebody counterfeiting the card,' Dixon said.
Last summer, the National Institute of Standards and Technology issued the governmentwide Smart Card Interoperability Specification Version 2.1 for contactless cards. But, despite the standard, Dixon said her office still has 'some concerns about using contactless cards for physical access.'
In the absence of other identifying information, a dropped card could be picked up by unauthorized personnel and used to enter a facility. Dixon said additional security, possibly biometrics, will be necessary before DOD can adopt contactless cards.
'We're not sure the industry is there yet in doing this in a nonproprietary way, but we have high hopes,' Dixon said. By late 2004, she said, 'We will have some enterprise recommendations for the use of biometrics with the card.'
The office is looking for software upgrades, too: for example, Java applets that could access a wider range of security authentication options.
Three applets
Three applets already are present on each card, said John Gist, program manager for Northrop Grumman Corp.'s CAC support program. One holds a personal identification number, another a digital signature, and the third has information about the card-holder.
The office wants to replace the PIN applet with an access control applet that expands the access rules. Other applets could then reference the rules, giving developers more authentication options.
'There could be any variety of rules, but all in one applet,' Dixon said. 'To open one applet, you would need a PIN and a fingerprint. To open another, you would need two fingerprints and an iris scan.'
An applet developed by ActivCard Corp. of Fremont, Calif., is currently undergoing Federal Information Processing Standard testing, she said, and changes are being carefully weighed.
'Every time we introduce something new on the card, it will take three years to be fully deployed,' Dixon said. 'We don't want to change cards frequently. It causes too much upheaval.'
Joab Jackson is the senior technology editor for Government Computer News.