The Common Access Card (CAC)


I have seen this all over Facebook (older veterans asking what a CAC is), so I want to explain it here, since I refer to it in some of my posts. The CAC, or Common Access Card, is the modern military ID card.

The Common Access Card, commonly referred to as the CAC, is a smart card with the same form factor as a credit card. It is the standard identification for Active Duty United States Defense personnel (including the Selected Reserve and National Guard) and for United States Department of Defense (DoD) civilian employees.

Common Access Cards

It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to unclassified defense computer networks (information systems). It also serves as an identification card under the Geneva Conventions. In combination with a personal identification number (PIN), a CAC satisfies the requirement for two-factor authentication (2FA): something the user knows combined with something the user has. The CAC also satisfies the requirements for digital signature and data encryption: it carries Personal Identity Verification (PIV) certificates that are used to authenticate to restricted websites, to digitally sign documents, and to encrypt data, providing authentication, integrity, and non-repudiation. (source)

The CAC was introduced in the early 2000s, with over 17 million cards issued to date. It replaced the older Teslin DoD Uniformed Services Identification and Privilege card, which had in turn replaced the DD Form 2 series cards.

Teslin DoD Uniformed Services Identification and Privilege card (Geneva Conventions Identification Card)

The Card
The card is used for both physical and electronic access control: a guard at a control point such as a gate can visually use the card to identify the holder, or an electronic reader at a door can be used to control access. It also provides two-factor authentication (2FA), since you have the physical card and you know your PIN.

Currently, most military installations use the Automated Installation Entry (AIE) system, which removes much of the human element from validating that a CAC is authentic. The system scans the barcode on the back of the card and checks it against the registration database. It then sends back the image on file so the guard or sentry can compare it to the person presenting the card.

Automated Installation Entry (AIE) system

The Chip
It has an integrated circuit chip (ICC) that stores information such as the holder's PIN (which the card verifies itself) and PKI digital certificates together with their private keys. The ICC has 144 KB of storage, and its RSA keys are 2048 bits long (increased from 1024 bits in 2008). Besides the PIN, it holds the user's EDIPI (Electronic Data Interchange Personal Identifier), a unique 10-digit identifier assigned to each cardholder. Prior to 2012, cards were also issued with the holder's SSN printed on them; the SSN was replaced by the EDIPI. The EDIPI remains with the user for the 'life' of their time with the U.S. Government.

CAC Internals

In 2006, the Next Generation (NG) CAC added biometrics to the ICC, including a digital photo and index-fingerprint data.

Beginning in October 2006, the DoD launched a new CAC compliant with HSPD-12, and in November 2006 it published a document entitled "Implementation Guide for CAC Next Generation (NG)," which defined guidelines for implementing the government's Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, to meet the HSPD-12 mandate. (source)

There is also a barcode on the front and one on the back. The barcode on the front is a PDF417 symbol that carries a variety of personally identifiable information (PII) about the cardholder, including hair color, weight, height, eye color, and blood type. That data is encoded, not encrypted, so anyone with a compatible barcode scanner can read it. The barcode on the rear of the card is a Code 39 symbol containing the holder's EDIPI.
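As an added example (not code from the original post), the following Go program implements the Code 39 symbology used on the rear of the card: it renders a symbol as bar and space columns, decodes it the way a scanner does (by measuring run lengths), and then runs the decoded EDIPI through a stand-in for the AIE registry lookup described earlier. The symbol table is the published Code 39 table; the one-column narrow and three-column wide widths are this renderer's own choice, and the EDIPI values, registry contents and photo file name are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Code 39 symbol table: nine elements per symbol (bar, space, bar, ...), three wide; 'n' narrow, 'w' wide, '*' start/stop.
var code39 = map[byte]string{
	'0': "nnnwwnwnn", '1': "wnnwnnnnw", '2': "nnwwnnnnw", '3': "wnwwnnnnn", '4': "nnnwwnnnw", '5': "wnnwwnnnn",
	'6': "nnwwwnnnn", '7': "nnnwnnwnw", '8': "wnnwnnwnn", '9': "nnwwnnwnn", 'A': "wnnnnwnnw", 'B': "nnwnnwnnw",
	'C': "wnwnnwnnn", 'D': "nnnnwwnnw", 'E': "wnnnwwnnn", 'F': "nnwnwwnnn", 'G': "nnnnnwwnw", 'H': "wnnnnwwnn",
	'I': "nnwnnwwnn", 'J': "nnnnwwwnn", 'K': "wnnnnnnww", 'L': "nnwnnnnww", 'M': "wnwnnnnwn", 'N': "nnnnwnnww",
	'O': "wnnnwnnwn", 'P': "nnwnwnnwn", 'Q': "nnnnnnwww", 'R': "wnnnnnwwn", 'S': "nnwnnnwwn", 'T': "nnnnwnwwn",
	'U': "wwnnnnnnw", 'V': "nwwnnnnnw", 'W': "wwwnnnnnn", 'X': "nwnnwnnnw", 'Y': "wwnnwnnnn", 'Z': "nwwnwnnnn",
	'-': "nwnnnnwnw", '.': "wwnnnnwnn", ' ': "nwwnnnwnn", '$': "nwnwnwnnn", '/': "nwnwnnnwn", '+': "nwnnnwnwn",
	'%': "nnnwnwnwn", '*': "nwnnwnwnn",
}

// Encode renders text as columns of '#' (bar) and ' ' (space): one column per narrow element, three per wide one, a one-column gap between symbols.
func Encode(text string) (string, error) {
	var sb strings.Builder
	for i, ch := range []byte("*" + text + "*") {
		pat, ok := code39[ch]
		if !ok {
			return "", fmt.Errorf("code39: cannot encode %q", ch)
		}
		if i > 0 {
			sb.WriteByte(' ')
		}
		for j := 0; j < 9; j++ {
			width := 1
			if pat[j] == 'w' {
				width = 3
			}
			sb.WriteString(strings.Repeat(string("# "[j%2]), width)) // odd positions are spaces
		}
	}
	return sb.String(), nil
}

// Decode does what a scanner does: measure run lengths, classify each as narrow or wide
// (two or more columns here), and look the pattern up. No key is involved anywhere.
func Decode(columns string) (string, error) {
	rev := map[string]byte{}
	for ch, pat := range code39 {
		rev[pat] = ch
	}
	s, runs := strings.Trim(columns, " "), []int{} // drop the quiet zones
	for i, j := 0, 0; i < len(s); i = j {
		for j = i; j < len(s) && s[j] == s[i]; j++ {
		}
		runs = append(runs, j-i)
	}
	if len(runs)%10 != 9 { // nine elements per symbol, one gap after all but the last
		return "", errors.New("code39: not a whole number of symbols")
	}
	var out []byte
	for i := 0; i < len(runs); i += 10 {
		pat := make([]byte, 9)
		for j := range pat {
			pat[j] = 'n'
			if runs[i+j] >= 2 {
				pat[j] = 'w'
			}
		}
		ch, ok := rev[string(pat)]
		if !ok {
			return "", fmt.Errorf("code39: unknown pattern %s", pat)
		}
		out = append(out, ch)
	}
	if len(out) < 2 || out[0] != '*' || out[len(out)-1] != '*' {
		return "", errors.New("code39: missing start/stop symbol")
	}
	return string(out[1 : len(out)-1]), nil
}

// registry stands in for the AIE database (constructed sample data). The
// decoded EDIPI is only a lookup key; a cloned barcode decodes identically.
var registry = map[string]string{"1234567890": "active, photo/1234567890.jpg", "2345678901": "revoked"}

// ScanAtGate is the AIE step from the post: decode, look up, return what is on file.
func ScanAtGate(columns string) (string, error) {
	edipi, err := Decode(columns)
	if err != nil {
		return "", err
	}
	if rec, ok := registry[edipi]; ok {
		return rec, nil
	}
	return "", fmt.Errorf("aie: EDIPI %q not registered", edipi)
}

func main() {
	bc, _ := Encode("1234567890") // constructed sample EDIPI
	fmt.Println(ScanAtGate(bc))
}
```

The point to take away is in Decode: nothing in it is secret, so a photocopied or reprinted barcode decodes to exactly the same EDIPI as the original. What stops it at the gate is the registry lookup and the sentry comparing the returned photo with the person presenting the card, not the barcode itself.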

There is also a passive RFID (Radio Frequency IDentification) transponder sandwiched between two layers of the card, which responds when interrogated at 13.56 MHz (the ISO/IEC 14443 contactless smart-card frequency). The reader, usually mounted on a wall, constantly emits a radio frequency (RF) field and waits for a transponder to answer on that frequency. When a CAC enters the field (usually within 4 inches or less), the field induces current in the copper wire antenna inside the card, which powers the chip holding that card's unique credential data. The chip transmits that data back to the reader over the same RF field, and the reader passes it to the access control servers downstream for authentication.

The next step is for the holder to enter his or her PIN on the keypad (where one is fitted), after which they are granted access to the door (assuming the holder is authorized for it).

LENEL OnGuard Access Reader

Information Systems Access
Within the DoD, most unclassified computer access is currently controlled by the CAC as well. The holder inserts the CAC into a reader attached to the information system, enters their PIN, and is granted access to that information system (assuming they have a valid account). This meets the DoD 2FA requirement. In 2016 the DoD announced that it would move away from using the CAC for information-system access; as of 2021, the CAC is still widely used for exactly that.
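The login flow just described, and the 2FA point made earlier in the post, as an added Go example that is not code from the original post. SimCard stands in for the chip: it holds a 2048-bit RSA key that never leaves it and a PIN it checks on-card. Server stands in for the information system. The server's enrolment table of EDIPI to public key is a simplification assumed here in place of validating the card's certificate chain against the DoD PKI, and the three-try PIN lockout, the EDIPI and the PIN are constructed sample values, not DoD policy.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumed for this illustration, not DoD policy: the PIN blocks after three
// failures, and an enrolment table (EDIPI -> public key) stands in for the DoD PKI.
const maxPINTries = 3

var ErrPINBlocked = errors.New("card: PIN blocked")
var ErrChallenge = errors.New("server: unknown or already used challenge")

// SimCard models the chip: the 2048-bit private key never leaves it, and it signs only after PIN verification.
type SimCard struct {
	EDIPI     string
	Pub       *rsa.PublicKey // the only key material the card hands out
	key       *rsa.PrivateKey
	pin       []byte
	triesLeft int
	verified  bool
}

func NewSimCard(edipi, pin string) *SimCard {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &SimCard{EDIPI: edipi, Pub: &key.PublicKey, key: key, pin: []byte(pin), triesLeft: maxPINTries}
}

// VerifyPIN is "something you know": a wrong PIN burns a try; at zero the card stays blocked for good.
func (c *SimCard) VerifyPIN(pin string) error {
	if c.triesLeft == 0 {
		return ErrPINBlocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), c.pin) != 1 {
		c.triesLeft--
		c.verified = false
		return fmt.Errorf("card: wrong PIN, %d tries left", c.triesLeft)
	}
	c.triesLeft, c.verified = maxPINTries, true
	return nil
}

// Sign is "something you have": only the chip holding the key can answer the challenge.
func (c *SimCard) Sign(challenge []byte) ([]byte, error) {
	if !c.verified {
		return nil, errors.New("card: PIN not verified")
	}
	d := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, d[:])
}

// Server is the information system: it trusts its own enrolment records, not the card's claims.
type Server struct {
	Enrolled map[string]*rsa.PublicKey // keyed by EDIPI
	pending  map[string]bool           // issued challenges not yet answered
}

func NewServer() *Server { return &Server{Enrolled: map[string]*rsa.PublicKey{}, pending: map[string]bool{}} }

// Challenge issues a fresh 256-bit nonce that may be answered exactly once.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[string(nonce)] = true
	return nonce
}

// Authenticate consumes the challenge even if the attempt then fails, then checks the enrolled key.
func (s *Server) Authenticate(edipi string, challenge, sig []byte) error {
	if !s.pending[string(challenge)] {
		return ErrChallenge
	}
	delete(s.pending, string(challenge))
	pub, ok := s.Enrolled[edipi]
	if !ok {
		return fmt.Errorf("server: EDIPI %s not enrolled", edipi)
	}
	d := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

func main() {
	card, srv := NewSimCard("1234567890", "123456"), NewServer() // constructed EDIPI and PIN
	srv.Enrolled[card.EDIPI] = card.Pub
	ch := srv.Challenge()
	fmt.Println(card.VerifyPIN("000000"), card.VerifyPIN("123456")) // one try burned, then unlocked
	sig, _ := card.Sign(ch)
	fmt.Println(srv.Authenticate(card.EDIPI, ch, sig), srv.Authenticate(card.EDIPI, ch, sig)) // <nil>, then the replay error
}
```

Two details matter for a practitioner: the server consumes each challenge before it checks anything else, so a captured signature cannot be replayed, and a signature is worthless without the PIN because the card refuses to produce one until VerifyPIN succeeds. A real CAC login additionally validates the certificate chain and revocation status, which the enrolment table here only approximates.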

All this security, and it didn't take long for fake DoD CAC and retiree identification cards to show up online.
