Talk:Common Access Card

From Wikipedia, the free encyclopedia


Deleted "Privacy" section

I deleted this section from the article:

Congressional law prohibits eavesdropping on the content of employees' computer work, as per federal wiretapping laws. There must be a clear reason to do so, and that must be communicated to a judge, who would issue a warrant, before the contents of anyone's computer can be reviewed. Exceptions include casual observation by system administrators who're working on the computers for normal reasons. Any violations should be immediately reported to the individual's superior. The issue with the CAC is that it opens wide the door with respect to undetectable screening of the data stream. There are now ways that the system administrators can illegally monitor your Internet surfing and tie that surfing, undeniably, to you, in violation of Congressional law.
In addition, cards issued to service members are printed with both the member's name and social security number. Theft or loss of the member's ID card therefore gives others access to two key pieces of information needed for identity theft.

The bit about "Congressional law" (whatever that is) has nothing to do with CACs. The statement that the card is printed with the holder's Social Security Number is simply untrue. A CAC creates no more vulnerability to identity theft than any other formal identification card, such as the standard military ID used in the United States. ➥the Epopt 14:49, 1 September 2006 (UTC)

I just looked at my CAC and there it is, my social security number, printed on the back, just above the barcode. The previous military ID card had the SSN printed on it, as well. As for Congressional law, who do you think mandated (via Congressional Law) the CAC for use by all members and employees of the Department of Defense? Furthermore, Congressional Law also governs the privacy and wiretap laws we have in the US. Please provide better reasons for the deletion, or I will revert it in the near future. Mugaliens 13:21, 2 September 2006 (UTC)
Above the barcode on mine is a black-and-white version of my picture. Above that is the magnetic strip, and above that is an alphanumeric string grouped into four-character "words." No SSN anywhere. ➥the Epopt 23:33, 2 September 2006 (UTC)
I have the same, but my SSN appears right above the barcode. My card was issued in 2003. Perhaps yours was issued at a later date, after some of the privacy concerns were heard? Mugaliens 09:09, 3 September 2006 (UTC)
Also, are you a DoD employee, contractor, or military? That might make a difference. Mugaliens 09:10, 3 September 2006 (UTC)
Addendum: According to the US Navy's CAC Fact Sheet (pics at the bottom of the pdf file), all issuees except contractors get their SSN stamped on the card. Mugaliens 09:45, 3 September 2006 (UTC)

The barcode contains different information which includes SSN, Name, Gender, Paygrades etc... The reason why you wouldn't have a SSN is because you are a contractor. All active military service members will be required to have a CAC card, which includes Active Reserve and National Guard from all branches. Metrofx 29 January 2007 (UTC)

I agree with the deletion of this section. What has been overlooked is that CACs are primarily used to access government systems. There should be neither private mail nor private files on a US Federal Government system. To quote US DoD Instruction 8500.2, control ECWM1: "All users are warned that they are entering a Government information system, and are provided with appropriate privacy and security notices to include statements informing them that they are subject to monitoring, recording and auditing." The statements about whether SSN and other personal information should be on the card seem to come from a distinct point of view, and do not appear to be neutral. Telmarg 14:01, 28 February 2007 (UTC)

I disagree with the deletion of the above. Perhaps rewording is warranted. The section is discussing "Objections" and therefore it's understood to have a POV. However, it is a fact that Date of Birth & Social Security Numbers are on the majority of CACs, making identity theft easier in the case of loss or theft. This is a concern based on fact & quite valid. Dymaxion (talk) 20:34, 15 April 2008 (UTC)

Deleted "Security" section

I deleted this section from the article after realizing I was filling it up with {{Fact}} tags:

The idea that the CAC significantly increases security is severely flawed. Under the username/password approach, hacking a person's password required either an over-the-shoulder approach, intercepting the user's hashed password and using a tool such as L0phtCrack, or the use of a keyboard recorder, a small device which sits between the keyboard and the USB or PS2 port. These approaches required physical access to the LAN. With the CAC approach, hacking a person's password became only slightly more complicated. It now requires both a keyboard recorder as well as a tap on the digital stream of information between the computer and the network. The keyboard recorder will record the PIN, which is strongly encrypted over the network, but not encrypted between the keyboard and the computer, while the digital stream tap will record the CAC's unique ID (usually a multidigit number), which is not encrypted.

It contains numerous inaccurate statements, and correcting them is not within the scope of this article. For example, there are many more ways to crack a username/password login than are listed, none of which cannot be used on a CAC login. Also, the statement that the PIN is "not encrypted between the keyboard and the computer" is not true in high-security situations. ➥the Epopt 14:55, 1 September 2006 (UTC)

CAC readers do not encrypt the PIN. That's handled at the software level as part of the Windows logon routine. In "high security situations" such as when logging on to the SIPRnet, the same CAC readers are used that exist on the NIPRnet. The additional security is provided by controlling physical access to the machine. You have not made a single correct statement in your comments above. If references are needed, I'll fill it to overflowing, then revert the article, unless you can provide unequivocal justifications to back up your comments. Mugaliens 13:25, 2 September 2006 (UTC)
Please do exactly that -- provide sources for the statements you want to include. If you word them in the form "SOURCE X believes that CACs have SSNs printed on them," I won't delete them. ➥the Epopt 23:30, 2 September 2006 (UTC)
You bet. Mugaliens 09:10, 3 September 2006 (UTC)

It appears someone added all the inaccurate information back in. The part about a "digital stream tap" sounds like a man-in-the-middle attack, which assumes the data can simply be replayed. If you look at the Microsoft article describing the smart card logon process, you will see that a time-stamped (per Kerberos) challenge is sent to the smart card in order to decrypt the logon session key (Microsoft article). Without possession of the private key, it would be impossible to decrypt the data. The information posted in this article says nothing about extracting the user's private key from the smart card, which is a significantly more difficult process, and would require physical access to the card--I don't even know if it is possible. 131.28.31.217 23:55, 11 December 2006 (UTC)

I added some citation requests to the section. The text currently reads as nonsensical conjecture. If someone has demonstrated such a vulnerability, whereby obtaining the PIN and "tapping the digital stream" results in a compromised private certificate, or somehow fools the KDC into trusting a forged certificate, then they need to cite some references. 131.28.31.217 23:25, 13 December 2006 (UTC)
While "all cryptographic operations are performed on the KDC," as per the article, the PIN entered by the user travels cleartext between the keyboard and the computer. Any keystroke recorder inserted between the keyboard and the computer can intercept the PIN. Since many users leave their CACs in the computer, it's a simple matter to remove their CAC, walk over to another computer, extract the PIN from the recorder, and log in with another user's credentials. - Mugs 08:08, 4 January 2007 (UTC)

I deleted this section, as it contained logical flaws that rendered it invalid. The main point of the section seems to be that the PIN could be captured, and this is equivalent to capturing a password. I find this to be unconvincing, as there are distinct differences in the two situations. While the PIN and password can both be captured remotely (remote keyloggers, for instance), the password can also be used remotely to attack the system. The PIN cannot, as it is of value only when the CAC is present. In addition, passwords are typically stored (encrypted) on the systems, leaving them potentially vulnerable to brute force, dictionary, or rainbow attacks. The PIN is not stored in the system. The bottom line is that the password is a single-factor authentication scheme, and one easily compromised at that. The CAC is a two-factor authentication scheme, with the hardware factor requiring possession of the CAC itself. See US National Institute of Science and Technology Special Publication 800-63 Version 1.0.2, pp vii and others. I quote:

"Level 3- Level 3 provides multi-factor remote network authentication. At this level, identity proofing procedures require verification of identifying materials and information. Level 3 authentication is based on proof of possession of a key or a one-time password through a cryptographic protocol. Level 3 authentication requires cryptographic strength mechanisms that protect the primary authentication token (secret key, private key or one-time password) against compromise by the protocol threats including: eavesdropper, replay, on-line guessing, verifier impersonation and man-in-the-middle attacks. A minimum of two authentication factors is required. Three kinds of tokens may be used: "soft" cryptographic tokens, "hard" cryptographic tokens and "one-time password" device tokens. Authentication requires that the claimant prove through a secure authentication protocol that he or she controls the token, and must first unlock the token with a password or biometric, or must also use a password in a secure authentication protocol, to establish two factor authentication." Other references abound. Telmarg 14:10, 28 February 2007 (UTC)
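The argument running through this section (a time-stamped challenge that only the card's private key can answer, the PIN as merely the unlocking factor, and why a captured PIN without the card, or a replayed authenticator, does not log anyone on) as an added toy model. This is not code from the article, from Microsoft, or from any editor here; the RSA key, PIN, clock-skew window and timestamps are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key pair standing in for the certificate key on the card.
# Real cards use 2048-bit keys; these 30-bit primes are for illustration only.
E = 65537
P, Q = 1000000007, 998244353
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SKEW = 300  # assumed Kerberos-style clock skew tolerance, in seconds


def _h(msg: bytes) -> int:
    """Hash a message to an integer below N (toy: no padding scheme)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class SmartCard:
    """The hardware factor: the private exponent never leaves this object."""

    def __init__(self, pin: str) -> None:
        self._pin, self._unlocked = pin, False

    def unlock(self, pin: str) -> bool:
        # The PIN only unlocks the card; it is never sent to the KDC.
        self._unlocked = secrets.compare_digest(pin, self._pin)
        return self._unlocked

    def sign(self, msg: bytes) -> int:
        if not self._unlocked:
            raise PermissionError("card locked: correct PIN required")
        return pow(_h(msg), D, N)


class KDC:
    """Verifies proof of possession and freshness before issuing a key."""

    def __init__(self) -> None:
        self.seen = set()  # replay cache of authenticators already accepted

    def authenticate(self, timestamp: int, sig: int, now: int):
        msg = str(timestamp).encode()
        if pow(sig, E, N) != _h(msg):      # must have been made by the card
            return None
        if abs(now - timestamp) > SKEW:     # stale: outside the skew window
            return None
        if sig in self.seen:                # exact replay inside the window
            return None
        self.seen.add(sig)
        session_key = secrets.randbelow(N)
        return pow(session_key, E, N)      # encrypted to the card's public key


def logon(card: SmartCard, pin: str, kdc: KDC, now: int) -> bool:
    """One client logon attempt; True only if the KDC released a session key."""
    if not card.unlock(pin):
        return False
    sig = card.sign(str(now).encode())
    return kdc.authenticate(now, sig, now) is not None
```

With the card and the PIN together (the scenario of a card left in the reader) the logon succeeds; with the PIN alone there is nothing to sign with, and a recorded authenticator fails both the replay cache and the skew check.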

Objections Section Restored

Complete with a plethora of references, a few quotes, embedded links to additional info on Wiki, and other citations. If you feel any portion is still lacking references, please let me know and I'll add them within a few days. Thanks! Mugaliens 12:46, 3 September 2006 (UTC)

I think it's time to remove the "factual etc. disputed" page, unless anyone can provide clear, irrefutable evidence that counters the information contained in the many links I provided. Thank you. Mugaliens 20:59, 24 September 2006 (UTC)

Since no further comments or objections have been raised for nearly two months since I provided the links and references, I've removed the Disputed sign. Mugaliens 14:20, 31 October 2006 (UTC)

Leaving CAC in the computer

Many users running around the workplace habitually leave their CACs in the reader when they step away from their computers for a few moments. I know this for a fact as I've seen it happen many times. Anyone who works in or with the DoD can tell you the same thing. Mugaliens 14:26, 31 October 2006 (UTC)

Untrue. I work with the DoD and can't tell you that. I have removed your original research. ➥the Epopt 14:38, 31 October 2006 (UTC)
Your office must be much more disciplined than ones I've visited. As networks have started to require CAC use for logging in, I've seen lots of cards sticking out of keyboards. Still, without a published reference, I agree that it should not be in the article. Somewhere out there, a security evaluation must have been done. Any evaluation would likely list leaving the card behind as a risk factor. --StuffOfInterest 15:11, 31 October 2006 (UTC)
Thanks for the second opinion. You're correct - such an evaluation was done in 2000, and so many people left their CACs in their computers that the CAC system settings were changed to provide an automatic workstation lockout after several minutes of inactivity, regardless of whether the CAC is in or not. - Mugs 07:56, 4 January 2007 (UTC)

It is true and I've seen it happen all the time. I work in an office and administer 140 Army computers. People of all different ranks leave their CAC cards in their readers all the time and walk away. - Metrofx 29 January 2007 (UTC)

True as heck. I left mine in once and got in some bad trouble when someone took the opportunity to send some incriminating emails under my name.

Geneva Conventions

The CAC card has been called a Geneva Convention ID card, but I don't see such a statement on this page. If true, what part of the Geneva Conventions apply? --Boblord 18:02, 11 November 2006 (UTC)

I'm not an expert on the Conventions, but my CAC says right on it, "Geneva Conventions Identification Card". The same was true of the previous military ID. Roachmeister 00:27, 1 December 2006 (UTC)
Answer: Convention (III) relative to the Treatment of Prisoners of War. Geneva, 12 August 1949, Article 4.A.(4): "Persons who accompany the armed forces without actually being members thereof, such as civilian members of military aircraft crews, war correspondents, supply contractors, members of labour units or of services responsible for the welfare of the armed forces, provided that they have received authorization, from the armed forces which they accompany, who shall provide them for that purpose with an identity card similar to the annexed model." Depending on one's rank or duties, they will fall into one of five Geneva Conventions categories. - Mugs 09:20, 4 January 2007 (UTC)

NPOV - "A better approach"

I added the POV-section tag, primarily for the part about "A better approach". It may or may not be true, but the way it is worded seems like so much advertisement for SANS. Roachmeister 00:24, 1 December 2006 (UTC)

Actually, not an advertisement at all - merely industry-standard security practices. Regardless, Epopt deleted it anyway, wrongly claiming "that has nothing to do with CACs and so is irrelevant to this article." Current CAC security is flawed, and industry-standard practices exist which can fix the flaws - that's highly relevant to this article. - Mugs 07:51, 4 January 2007 (UTC)

Text Removed

The following text was removed: "though that legislation is irrelevant to the work of military personnel." Reason: Congressional law applies equally to the military as it does to civilians unless specifically stated otherwise. No military member, including Security Forces or OSI personnel, or civilian authorities, may search the personal files or e-mails of another military member without a court order. Casual observance of a person's files during the routine maintenance of the computer by an authorized service technician is allowed. - Mugs 07:52, 4 January 2007 (UTC)

As a RAPIDS user, I believe some of the information on this page to be out of date, incomplete, incorrect, or downright lies. I will offer a complete review of the article and offer my suggestions on how it can be improved. I think in response to the claim that the article is biased, I believe the article as it is presented right now, although incorrect, is neutral. Bruce R. Jones 03:04, 13 March 2007 (UTC)

RFID

In the section that states, "Future plans include the ability to store additional information the incorporation of RFID chips or other contactless technology to allow seamless access to DoD facilities.", I believe certain elements of that statement are incorrect. First, regarding the ability to store additional information, the card already has the ability to store information; however, DMDC has stated on numerous occasions that the CAC should not be considered a data carrier and instead should be considered an authentication token to backend databases. Next, the incorporation of RFID chips should be updated to reflect the Department's decision to pursue 14443 contactless technology. This is detailed on the www.cac.mil website. My feeling is that unless such forward-looking statements come from the horse's mouth (a.k.a., DMDC), then they should be considered conjecture.

Common Problems

"The CAC card is far from perfect due to design flaws. The microchip can be damaged easily from foreign objects scratches such as sand. Looking at the card at a more technical level, the cards have certificate issues where users can't log on even though their computers are set up correctly. Also different brands of cards have posed an issue with different systems."

I take exception to the statement of "design flaws" as well as several other statements in this section. It is perfectly reasonable to say that the CAC is far from perfect, but to categorically classify this as attributable to design flaws is not accurate. I would recommend deleting this statement. Also, the microchip can be damaged, but to say that it can be easily damaged without something to bolster that claim is not defensible. The microchips are put through rigorous tests by the card manufacturers to ensure they can hold up in adverse conditions (e.g., scratch, corrosion, etc.). Also, DMDC produces card failure reports, and failures due to chip damage are not a significant number. Next, the section that starts "looking at the card at a more technical level" makes some anecdotal statements without any reliable source to bolster the claim. These types of issues most likely have less to do with the card and more to do with the individual network (e.g., middleware deployment, ActiveDirectory forest, etc.). Anyway, it is hardly a rigorous technical examination. I recommend amending or deleting this entire section based on the disputes outlined above. —The preceding unsigned comment was added by Jmac7997 18:18, 19 March 2007 (UTC).

Scalability

Doesn't the scalability section support the use of a CAC, instead of where it falls in this article (under objections)? 167.176.6.27 02:53, 9 November 2007 (UTC)

TMA

Too many acronyms. "...driven by one's POV"? TDY? —Preceding unsigned comment added by 71.205.58.127 05:26, 1 January 2008 (UTC)