Smart Card Badge in US Department of Defence

PROPRIETARY INFORMATION.
An ASSA ABLOY Group brand
© 2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Contents are confidential and proprietary and not intended for external distribution.
A case for secure ID Credentials
Case Study: US Department of Defense
Ian Lowe – Product Marketing – Solutions
May, 2013
Identity Assurance (formerly ActivIdentity)
US Department of Defense
*(2012 Juniper Research Report)
Quick Facts

• DMDC established in 1974 to “collect and maintain accurately, readily available manpower and personnel data.”
• November 10, 1999: memo from Dr. John Hamre (Deputy Secretary of Defense) directing the creation of a Common Access Card Program
  – First 70 beta sites operational by mid-2001
  – CAC v2 (GSC-IS 2.1) introduced in 2003
• Federal Information Processing Standard (FIPS) 201
  – US Government PIV program created (2/2005) in response to HSPD-12 (8/2004)
  – Special Publication SP 800-73 created (PIV Transitional card) (3/2006)
  – HID delivered PIV End-Point support in September 2007

Mission: “Serve as a central source to identify and authenticate people in the Department of Defense.”
The History
• Laminated photo ID for identification, facility access and entitlement
• Usernames and passwords for access to military computers and networks
Challenge 1: From paper ID & passwords to smart card ID
From laminated IDs and weak passwords to a secure, standardized, multi-function ID
Solution: Standardised Credential
CAC is a multi-application dual-interface smart card for FIPS 201 deployments.
• Centralized security: access control rules and global PIN management
• Generic containers (on-card buffers): employee ID, benefits, external benefits, healthcare information, PIV cardholder identity (facial image, fingerprints)
• PKI for authentication (login), signature, encryption/decryption (email): four RSA key pairs / X.509 certificates
• Other areas: data confidentiality encryption (SMA secure messaging protocol), plug-in support for new CAC applications, multiple Global Platform domains
• Platform: Java Card, Global Platform, Common Criteria EAL5+
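The card-edge side of this slide (the generic containers, the four certificates, the PIN and the challenge-response behind "PKI for authentication (login)"), as an added example that is not HID, DoD or NIST code: it builds the SP 800-73 APDUs a login client or CMS sends to a PIV end-point CAC and unwraps the BER-TLV certificate container the card returns. The AID, data-object tags and command bytes are the SP 800-73 values; the card response is constructed in the script and its DER payload is a placeholder blob, not a real X.509 certificate, so it runs offline with no reader attached. The extended-length APDU form used for large challenges is an assumption (some cards require command chaining instead).

```python
"""PIV/CAC card-edge walkthrough (added example, not HID, DoD or NIST code).

APDU and tag values follow NIST SP 800-73. The card response is
constructed, and FAKE_DER is a placeholder, not a real certificate.
"""
import gzip

PIV_AID = bytes.fromhex("A000000308000010000100")   # PIV card application AID

# Data-object tags: the CAC's on-card "generic containers"
CHUID          = bytes.fromhex("5FC102")
FINGERPRINTS   = bytes.fromhex("5FC103")
FACIAL_IMAGE   = bytes.fromhex("5FC108")
CERT_CARD_AUTH = bytes.fromhex("5FC101")   # key ref 9E: PACS/door, no PIN
CERT_PIV_AUTH  = bytes.fromhex("5FC105")   # key ref 9A: Windows/network login
CERT_DIG_SIG   = bytes.fromhex("5FC10A")   # key ref 9C: email/document signing
CERT_KEY_MGMT  = bytes.fromhex("5FC10B")   # key ref 9D: email decryption


def tlv(tag: bytes, value: bytes) -> bytes:
    """BER-TLV encode with definite length (short form or 1/2-byte long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return tag + length + value


def parse_tlv(data: bytes) -> dict:
    """Parse one TLV level into {tag_hex: value}. Handles multi-byte tags
    (5FC1xx) and long-form lengths; raises on a truncated object instead of
    silently returning a short value."""
    out, i = {}, 0
    while i < len(data):
        start = i
        if data[i] & 0x1F == 0x1F:            # more tag bytes follow
            i += 1
            while data[i] & 0x80:
                i += 1
        i += 1
        tag = data[start:i].hex().upper()
        ln = data[i]; i += 1
        if ln & 0x80:
            nbytes = ln & 0x7F
            ln = int.from_bytes(data[i:i + nbytes], "big"); i += nbytes
        if i + ln > len(data):
            raise ValueError(f"truncated TLV at tag {tag}")
        out[tag] = data[i:i + ln]; i += ln
    return out


def select_piv() -> bytes:
    """SELECT the PIV application by AID."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PIV_AID)]) + PIV_AID


def get_data(tag: bytes) -> bytes:
    """GET DATA (INS CB, P1P2 3FFF) for one container; the tag list sits in 5C."""
    body = tlv(b"\x5C", tag)
    return bytes([0x00, 0xCB, 0x3F, 0xFF, len(body)]) + body + b"\x00"


def verify_pin(pin: str) -> bytes:
    """VERIFY against key reference 80 (PIV application PIN): 6-8 ASCII digits
    padded with 0xFF to 8 bytes. Malformed input is rejected here so a client
    bug cannot burn the card's retry counter with a block the card refuses."""
    if not (6 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIV PIN must be 6-8 digits")
    return bytes([0x00, 0x20, 0x00, 0x80, 0x08]) + pin.encode("ascii").ljust(8, b"\xFF")


def general_authenticate(key_ref: int, challenge: bytes, alg: int = 0x07) -> bytes:
    """GENERAL AUTHENTICATE: the card signs `challenge` (already padded for the
    algorithm; 256 bytes for alg 07 = RSA 2048) with the key behind key_ref.
    Dynamic Authentication Template 7C: empty 82 requests a response, 81 holds
    the challenge. Extended-length APDU above 255 bytes (assumed supported)."""
    dat = tlv(b"\x7C", tlv(b"\x82", b"") + tlv(b"\x81", challenge))
    hdr = bytes([0x00, 0x87, alg, key_ref])
    if len(dat) <= 0xFF:
        return hdr + bytes([len(dat)]) + dat + b"\x00"
    return hdr + b"\x00" + len(dat).to_bytes(2, "big") + dat + b"\x00\x00"


def build_cert_response(der: bytes, compressed: bool) -> bytes:
    """Constructed card response for a certificate container, laid out as the
    card returns it: 53 { 70 certificate, 71 CertInfo, FE ErrorDetectionCode }."""
    payload = gzip.compress(der) if compressed else der
    info = b"\x01" if compressed else b"\x00"
    return tlv(b"\x53", tlv(b"\x70", payload) + tlv(b"\x71", info) + tlv(b"\xFE", b""))


def unwrap_certificate(resp: bytes) -> bytes:
    """Extract the DER certificate from a GET DATA response (SW1SW2 stripped).
    CertInfo bit 0 set means the card stores the certificate gzip-compressed."""
    outer = parse_tlv(resp)
    if "53" not in outer:
        raise ValueError("not a PIV data object response")
    inner = parse_tlv(outer["53"])
    cert = inner["70"]
    info = inner.get("71") or b"\x00"
    if info[0] & 0x01:
        cert = gzip.decompress(cert)
    return cert


# Placeholder DER blob standing in for a certificate (constructed; not X.509).
FAKE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    print(select_piv().hex().upper())
    print(get_data(CERT_PIV_AUTH).hex().upper())
    print(verify_pin("123456").hex().upper())
    print(unwrap_certificate(build_cert_response(FAKE_DER, compressed=True)).hex())
```

On a real card the login flow is SELECT, VERIFY the PIN, GET DATA on 5FC105, then GENERAL AUTHENTICATE with a server-chosen random challenge; the host verifies the returned signature against the public key in that certificate and checks the certificate's revocation status before granting access. The 9E card-authentication key (container 5FC101) is the one PACS readers use at the door without a PIN.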
Challenge 2: Infrastructure + issuance/management policies
[Architecture diagram: components and flows around the card management system]
• Hardware: ActivID Appliance, security module, AAA or AS server, LDAP, PKI CA, database, badging system, smart card printer
• Credential use: remote access, Windows and network login, digital signature, encryption, physical access
• Lifecycle: operator issuance, employee self service, help desk, update / post-issuance, suspension / termination, mass badging, service bureau
• Systems: HID ActivID Card Management System, HID ActivID Batch Management System, Identity Management System, PACS system
Solution: HID Credential Management System (multiple DoD infrastructure components)
Summary
• Today DMDC issues, tracks and manages the CAC, plus several other missions
  – The PIV-based CAC is used by the DoD armed services (Army, Air Force, Navy, Marines) and 25+ DoD agencies.
What Next? Smart Phones/Tablets and Derived Credentials
Timeline: past; present (current CAC); future (identity on mobile):
• NFC mobile access
• Derived credentials
• HID Secure Access: cloud, data and door. Keys and access credentials in your daily life converged in your NFC-enabled smartphone, used to open cloud applications, data and doors.
Summary
• Used by the DoD armed services (Army, Air Force, Navy, Marines) and 25+ DoD agencies
• 30M+ cards deployed during the life of the program
• 3.8M active CACs used every day
• Over 11,000 cards issued daily
• 600 issuance stations, 1,000 locations in 27 countries
Best Practices
Delivery and management of Secure Trusted Identity
• Solutions should adopt industry standards such as PIV, FIPS, Global Platform and NFC.
• Use the FIPS 201 APL as a starting point for selecting compatible products: http://fips201ep.cio.gov/apl.php
• Don’t re-invent the wheel: implement a trusted credential management model (registration, vetting, issuance, revocation).
• Take a layered approach to security; consider all components of the solution (card, chip, CMS, middleware, future capabilities and impact on users).