Smart cards of different stripes

Differing priorities mark DOD, DHS and TSA efforts

As the Defense Department designs the next-generation smart card for the government's largest deployment of the technology, it is changing its focus from issuance to advanced applications. Meanwhile, two other fledgling smart card efforts are ramping up their own large-scale programs to enhance their homeland security missions.

Evaluating biometrics and doubling the size of the card's memory to 64K are two of the technology changes dictated by DOD's evolving operational requirements for its Common Access Card (CAC) program. The new smart card programs from the Transportation Security Administration and Homeland Security Department will benefit from the lessons learned by DOD's program, but their unique operational requirements will prompt officials to forge new ground in the smart card arena.

"It's an interesting study to show how they are utilizing effectively the same technology, but applying it in very different ways," said Randy Vanderhoof, executive director of the nonprofit Smart Card Alliance Inc.

DOD "has driven the use of the cards for access to computers and secure Internet-based services as their primary utilization of the technology, which is somewhat different than what [TSA's] primary focus will be," he said.

TSA "is more focused on physical access and credentialing for workers who have access to secure areas," Vanderhoof said. "The DHS program will incorporate both because they have 22 agencies coming together, all with different building and personnel systems."

Operational requirements have guided the technology choices for the CAC program from its inception, said Mary Dixon, program manager for DOD's access card office.

The first-generation CACs are used as identification cards. They also store the personal identification numbers (PINs) and digital certificates users need to authenticate themselves to secure networks, and to digitally sign and encrypt documents such as secure e-mail and travel requests.

With the next-generation card, scheduled for production late next year, DOD is testing contactless cards — which don't need to be swiped on readers — and integration with biometrics to allow agencies to move large groups of people quickly, yet securely, into buildings. Previously issued cards will be transitioned to the new system over a three-year life cycle.

In addition, DOD is investigating doubling the memory on the new card to 64K to incorporate additional digital certificates or applications into the card, Dixon added.

Dixon envisions eliminating some of the current card's functionality, which was originally added to accommodate a slew of disparate legacy systems, such as magnetic stripes, two-dimensional bar codes and linear bar code readers.

Meanwhile, the military services are maneuvering to leverage some of the space available on the new card to develop their own applications, said Brad Triebwasser, an account manager with EDS, a contractor for the CAC program. Triebwasser works with DOD's Defense Manpower Data Center, which distributes the cards.

"The services will start to look at space available for applications and to use the Java applet space that is available," he said. "That is a pretty significant shift in terms of what the cards are being used for."

For example, the Navy is requiring that new desktop computers be CAC-enabled, so that users can digitally sign documents with card-based certificates, said Joe Rozmeski, also an EDS account manager on the CAC program. DOD users also can use the cards for travel requests and absentee voting.

TSA: Multiple Requirements

TSA's Transportation Worker Identification Credential (TWIC) system, now being piloted in two regional tests, is designed to develop universal ID cards to identify workers entering secure locations or nonpublic areas.

The pilot project will test several types of technology, including regular smart cards with integrated circuit chips and cards that have a magnetic stripe, a two-dimensional bar code, a linear bar code and an optical memory chip.

Beyond the pilot tests, the production version of the TWIC card will likely use multiple types of technology because it has to accommodate the existing security infrastructure at airports and seaports, such as bar code scanners and magnetic stripe readers, Vanderhoof said.

Although each of the technologies has its own merits, optical cards are not suitable for TSA's physical access applications, according to Neville Pattinson, director of business development and technology at smart card vendor Schlumberger Ltd.

He said optical cards were designed to store documents, not to be widely used as access devices.

For one, the deployment costs for optical cards would be prohibitively high: as much as $2,500 per optical reader, versus between $10 and $40 for smart card readers. Also, although an optical card has a large amount of memory, it would have to store a biometric identifier such as a fingerprint as its actual image, in laser dots that a microscope could read. This would raise both security and privacy concerns, he said.

DHS: A Common Audience

DHS announced a new program in July to issue smart cards to all of its 180,000 employees next year.

In a pilot project the agency plans to launch next month, DHS officials will give 300 federal workers smart cards for access to buildings and facilities and for authentication for computer systems. Employees from the 22 agencies brought their ID cards with them when the agencies were folded into DHS, and many are not interoperable or do not have complete identity information.

Both DHS and TSA will find that their eventual technology choices will be strongly influenced by their issuance processes, Vanderhoof said.

"DHS will be an internal smart card system, and, for the most part, will be a centralized process because the bulk of their personnel and services will be centered in Washington, D.C.," he said.

"The TWIC program will have a combination...because they need to be able to put systems in place at the hundreds of airports and seaports...that will have to be tied back together to a central infrastructure so they can validate that only one credential has been issued to one individual," Vanderhoof said.

Havenstein is a freelance writer based in Cary, N.C.

***

At a Glance

DOD's Common Access Card program

Launched in 2000.

2.8 million cards issued, at a rate of 10,000 to 14,000 a day.

Target date to complete issuing 4 million cards is April 2004.

First-generation card used primarily to secure access to computers and networks and to digitally sign documents.

***

DHS' smart card ID program

September pilot involving 300 users will test deploying cards for physical access, secure log-on to systems, signature and encryption of e-mail, secure client-side access to DHS Web site, certified time stamping, and remote access.

The multifunction Java-based card can be used for additional applications after issuance.

Card will be required to store biometrics.

***

TSA's Transportation Worker Identification Credential system

Card designed to identify workers entering secure locations.

Multiple technologies will be tested to support existing infrastructure.

Agency will explore incorporating digital photos with each option.
