The CAC is designed to provide two-factor authentication: what you have (the physical card) and what you know (the PIN). This CAC technology allows for rapid authentication and enhanced physical and logical security. The card can be used in a variety of ways.
===Visual identification===
The CAC can be used for visual identification by matching the color photo with the owner. This is used when the user passes through a guarded gate or purchases items from a store, such as a PX/BX, that requires a level of privileges to use the facility. Some states allow the CAC to be used as a government-issued ID card, such as for voting or applying for a driver's license.
===Magnetic stripe===
The magnetic stripe can be read by swiping the card through a magnetic stripe reader, much like a credit card. The magnetic stripe is actually blank when the CAC is issued. However, its use is reserved for localized physical security systems. The magnetic stripe was removed in the first quarter of 2018.
===Integrated circuit chip (ICC)===
The integrated circuit chip (ICC) contains information about the owner, including the PIN and one or more PKI digital certificates. The ICC comes in different capacities, with the more recent versions issued at 64 and 144 kilobytes (KB).

The CAC can be used for access into computers and networks equipped with one or more of a variety of smartcard readers. Once the card is inserted into the reader, the device asks the user for a PIN. The entered PIN is matched against the PIN stored on the CAC. If the match succeeds, the EDIPI number is read off the ID certificate on the card and sent to a processing system, where it is matched against an access control system such as Active Directory or LDAP. The DoD standard is that after three incorrect PIN attempts, the chip on the CAC will lock.

The EDIPI number is stored in a PKI certificate. Depending on the owner, the CAC contains one or three PKI certificates. If the CAC is used for identification purposes only, an ID certificate is all that is needed. However, in order to access a computer, sign a document, or encrypt email, signature and encryption certificates are also required.

A CAC works in virtually all modern computer operating systems. Besides the reader, drivers and middleware are also required in order to read and process a CAC. The only approved Microsoft Windows middleware for CAC is ActivClient, which is available only to authorized DoD personnel. Other non-Windows alternatives include LPS-Public, a non-hard-drive-based solution.
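
The flow described above for the ICC (on-card PIN check, lock after three incorrect attempts, EDIPI read from the ID certificate and matched against a directory), as an added example that is not DoD or middleware code. The `SimulatedCard` class, the `LAST.FIRST.MI.EDIPI` common-name layout with a ten-digit EDIPI, the counter reset on a correct PIN and the sample directory are assumptions made for illustration.

```python
import hmac
import re

MAX_PIN_TRIES = 3                         # page: chip locks after three incorrect PINs
EDIPI_IN_CN = re.compile(r"\.(\d{10})$")  # assumed CN layout: LAST.FIRST.MI.<10-digit EDIPI>


class CardLocked(Exception):
    """Raised once the retry counter is exhausted."""


class SimulatedCard:
    """Constructed stand-in for the ICC: stored PIN, retry counter, ID-certificate CN."""

    def __init__(self, pin, id_cert_cn):
        self._pin, self._cn = pin, id_cert_cn
        self.tries_left = MAX_PIN_TRIES

    def read_id_cn(self, pin):
        """Return the ID certificate CN only after the card itself accepts the PIN."""
        if self.tries_left == 0:
            raise CardLocked("chip locked after three incorrect PIN attempts")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1         # the counter lives on the card, not the host
            return None
        self.tries_left = MAX_PIN_TRIES  # assumption: a correct PIN resets the counter
        return self._cn


def edipi_from_cn(cn):
    """Extract the EDIPI, rejecting any CN that does not end in exactly ten digits."""
    m = EDIPI_IN_CN.search(cn)
    return m.group(1) if m else None


def authenticate(card, pin, directory):
    """Return the directory account mapped to the card's EDIPI, or None."""
    cn = card.read_id_cn(pin)
    if cn is None:
        return None                      # wrong PIN: nothing is read from the card
    edipi = edipi_from_cn(cn)
    return directory.get(edipi) if edipi else None  # unknown EDIPI means no access


# Constructed sample data: stand-in for an Active Directory / LDAP lookup table.
DIRECTORY = {"1234567890": "jdoe"}
```
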
DISA now requires all DoD-based intranet sites to provide user authentication by way of a CAC in order to access the site. Authentication systems vary depending on the type of system, such as Active Directory, RADIUS, or other access control list.

CAC is based on X.509 certificates, with software middleware enabling an operating system to interface with the card via a hardware card reader. Although card manufacturers such as Schlumberger provided a suite of smartcard, hardware card reader and middleware for both Linux and Windows, not all other CAC systems integrators did likewise. In an attempt to correct this situation, Apple Federal Systems has done work to add some support for Common Access Cards to their later Snow Leopard operating system updates out of the box, using the MUSCLE (Movement for the Use of Smartcards in a Linux Environment) project. The procedure for this was documented historically by the Naval Postgraduate School in the publication "CAC on a Mac", although today the school uses commercial software. According to the independent military testers and help desks, not all cards are supported by the open source code associated with Apple's work, particularly the recent CACNG or CAC-NG PIV II CAC cards. Third-party support for CAC cards on the Mac is available from vendors such as Centrify and Thursby Software. Apple's Federal Engineering Management suggests not using the out-of-the-box support in Mac OS X 10.6 Snow Leopard but instead using supported third-party solutions. Mac OS X 10.7 Lion has no native smart card support. Thursby's PKard for iOS software extends CAC support to Apple iPads and iPhones.

Some work has also been done in the Linux realm. Some users are using the MUSCLE project combined with Apple's Apple Public Source Licensed Common Access Card software. Another approach to solve this problem, which is now well documented, involves the use of a new project, CoolKey, to gain Common Access Card functionality. This document is available publicly from the Naval Research Laboratory's Ocean Dynamics and Predictions Branch.
===Bar codes===
The CAC has two types of bar codes: PDF417 in the front and Code 39 in the rear.
[Figures: PDF417 sponsor barcode; PDF417 dependent barcode]
===RFID technology===
There are also some security risks in RFID. To prevent theft of information in RFID, in November 2010, 2.5 million radio frequency shielding sleeves were delivered to the DoD, and roughly 1.7 million more were to be delivered the following January 2011. RAPIDS ID offices worldwide are required to issue a sleeve with every CAC. When a CAC is placed in a holder along with other RFID cards, it can also cause problems, such as when attempting to open a door with an access card that is in the same holder as a CAC. Despite these challenges, at least one civilian organization, NOAA, uses the RFID technology to access facilities nationwide. Access is usually granted after first removing the CAC from the RF shield and then holding it against a reader either mounted on a wall or located on a pedestal. Once the CAC is authenticated to a local security server, either the door will release or a signal will be displayed to security guards to grant access to the facility.
==Common problems==