DOD networks migrating to smart card logon process to improve security

  • 56th Communication Squadron
The Air Force is moving from passwords to a "smart card" and a personal identification number for logging on to unclassified networks.

No specific implementation date has been determined at Luke, subject to appropriate discussions with the union. However, when implemented, the primary method for logging on to a standard unclassified Air Force user account will be through a process known as smart card logon.

The smart card is the standard Department of Defense identification card and is also known as the common access card. To use the CAC for network logon, simply insert the CAC into the reader attached to a workstation and enter the associated six- to eight-digit personal identification number selected when the card was created.

Why are we doing this? Our networks are essential to the success of our missions and the protection of our information. Unfortunately, these same networks are under attack every day by hackers, saboteurs and terrorists. They can compromise the integrity of our network and put critical information systems at risk through unauthorized access, fraud, e-mail tampering, eavesdropping and data theft. Imagine what could happen if the information needed to perform duties to support operations here couldn't be accessed.

Besides carrying operationally sensitive information, the network is increasingly used for many personnel and financial transactions. That information is personal and we can't afford the operational or identity theft consequences if the data is compromised.

One of the key weaknesses of networks these days is the use of passwords. Conventional passwords are vulnerable because they are stored on and transmitted over the network and can be hacked. Our adversaries know how to capture passwords and, if they end up with one, they could access our systems at will and move about freely on our network.

So what is the benefit of using the CAC for logon? Increased security! The advantage of CAC plus PIN is known as "two-factor authentication." It requires something a person has (the CAC) and something the person knows (the PIN). A computer user needs both to gain access to the network.

Unlike passwords, PINs are not stored on or transmitted over the networks. And since the PIN works differently than a password, the CAC holder doesn't have to change it unless they think it has been compromised. Also, if the CAC is lost or stolen and another person tries to guess your PIN, the CAC will be locked after three unsuccessful attempts.

This change may seem difficult, but it's necessary. There may be some hurdles along the way, but the network team here has already identified many of the challenges and is already developing solutions.

The Air Force is pursuing a phased approach to implementation. The first phase is instituting smart card logon from traditional workplaces. Later phases will include fielding secure alternatives where use of the CAC is not practical, enabling applications for secure remote and wireless access, and implementing smart card logon in deployed environments.

Smart card logon also represents a change that affects every member of the Air Force community, so everyone needs to prepare. Base members need to ensure they have a properly functioning CAC and that they know their PIN. Unit client support administrators and the military personnel flight can help with this phase.