Introducing the next-generation common access card

CHIPS, April-June, 2007 by Sonya R. Smith

The Department of Defense (DoD) is modifying the current Common Access Card (CAC) to meet the mandates of Homeland Security Presidential Directive 12 (HSPD-12). HSPD-12 establishes a federal standard for identification credentials issued to all federal employees and eligible contractors.

The "next-generation CAC" is being phased in throughout the DoD as current CACs expire. During this transition period, both the current Common Access Card, and the next-generation CAC will be in circulation. Both are valid forms of identification and there is no benefit to replacing your current card with a next-generation CAC before its expiration date.

The next-generation CAC maintains all the capabilities and functionality of the current card: data stored on an integrated circuit chip (ICC) enables rapid electronic authentication and enhanced security. PKI certificates generated and stored on the card enable the card owner to digitally sign documents and e-mails, encrypt e-mails, and establish secure online network connections.

Added Functionality

Instead of having to stop and "swipe" your card to read the information from the magnetic stripe or bar code, the next-generation CAC adds a contactless technology capability, which provides the ability to utilize radio frequencies to transfer data between the card and the card reader for physical access. This increases the speed for identity authentication and improves the ability to manage heavy traffic flow into facilities.

In addition to the PKI certificates, the next-generation CAC adds biometrics in the form of a digital photo and two index fingerprints, stored as minutiae templates on the ICC. The minutiae templates are a mathematical representation of the data points unique to each set of biometrics. They are used instead of storing actual fingerprint images on the next-generation CAC to protect against compromise.

Biometrics provide the ability to positively bind the individual to his or her credential. The integration of biometrics and PKI with the CAC provides an added multifactor authentication capability for logical and physical access systems.

Multifactor authentication, which relies on more than one means to authenticate identity, is a more robust authentication scheme because it requires possession of a particular item--the CAC; knowledge of a particular item--your Personal Identification Number (PIN); and physical verification--biometrics.

Changes in Appearance

The look of the next-generation CAC will change slightly to meet federal standards and to better meet security needs. Figure 1 shows a depiction of the current CAC on the left and the next-generation CAC on the right. The following are the key differences you will see with the next-generation CAC:

Photograph: moved down approximately 2 millimeters to make room for a header that reads "United States Government" above the photograph.

Expiration Date: added to upper right corner in MMMYYYY format.

Personnel Category, Agency/Department, Expiration Date and Seal:

* Moved down so last line of the expiration date is on the same line as the bottom of the photo

* Agency/Department allows space for two lines of text

* The font size is now 8-point

* The Great Seal is no longer available and the DoD seal is the highest available. The seal is watermarked, enabling readable text over the seal.

Name: moved down approximately 2 millimeters to accommodate movement of photo.

Bar Code: moved down approximately 2 millimeters to accommodate photograph and name.

Pay Grade and Rank: moved down and to the right and font sizes changed to 5-point for header and 8-point for data.

Issue Date: removed to make room for Agency/Department field.

Color Coding:

* A red stripe will be used to represent first responders. Red is used to identify foreign nationals on current CACs.

* A blue stripe will be used to represent foreign nationals.

* A green stripe will continue to represent contractors.

* The stripe will be horizontal under the photo and fade from light to dark. Currently the stripe is vertical on the right side.

Data Storage

Contrary to popular belief, the CAC does not store any personal or medical records. The next-generation CAC requires increased storage capacity simply to store the biometrics and the federally required Personal Identity Verification (PIV) certificate. The goal, in our net-centric world, is to use the card, with its PKI and biometrics as identity authentication factors, to access authoritative data sources through Web portal applications. Below is a summary of the key data included in the technology of the card.

[FIGURE 1 OMITTED]

The integrated circuit chip stores 64 kilobytes of data, including:

* PKI certificates * Two digital fingerprints (minutiae templates) * Digital photo * Personal Identity Verification (PIV) certificate * Organizational affiliation * Agency * Department * Expiration date

Bar codes may store key personal information, including:

* Name * Social Security Number * Date of birth * Personnel category * Pay category * Benefits information * Organization affiliation * Pay grade