Talk:Common Access Card

This is an old revision of this page, as edited by Metrofx (talk | contribs) at 18:36, 29 January 2007 (Leaving CAC in the computer). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


Deleted "Privacy" section

I deleted this section from the article:

Congressional law prohibits eavesdropping on the content of employees' computer work, as per federal wiretapping laws. There must be a clear reason to do so, and that must be communicated to a judge, who would issue a warrant, before the contents of anyone's computer can be reviewed. Exceptions include casual observation by system administrators who're working on the computers for normal reasons. Any violations should be immediately reported to the individual's superior. The issue with the CAC is that it opens wide the door with respect to undetectable screening of the data stream. There are now ways that the system administrators can illegally monitor your Internet surfing and tie that surfing, undeniably, to you, in violation of Congressional law.
In addition, cards issued to service members are printed with both the member's name and social security number. Theft or loss of the member's ID card therefore gives others access to two key pieces of information needed for identity theft.

The bit about "Congressional law" (whatever that is) has nothing to do with CACs. The statement that the card is printed with the holder's Social Security Number is simply untrue. A CAC creates no more vulnerability to identity theft than any other formal identification card, such as the standard military ID used in the United States. ➥the Epopt 14:49, 1 September 2006 (UTC)

I just looked at my CAC and there it is, my social security number, printed on the back, just above the barcode. The previous military ID card had the SSN printed on it, as well. As for Congressional law, who do you think mandated (via Congressional Law) the CAC for use by all members and employees of the Department of Defense? Furthermore, Congressional Law also governs the privacy and wiretap laws we have in the US. Please provide better reasons for the deletion, or I will revert it in the near future. Mugaliens 13:21, 2 September 2006 (UTC)
Above the barcode on mine is a black-and-white version of my picture. Above that is the magnetic strip, and above that is an alphanumeric string grouped into four-character "words." No SSN anywhere. ➥the Epopt 23:33, 2 September 2006 (UTC)
I have the same, but my SSN appears right above the barcode. My card was issued in 2003. Perhaps yours was issued at a later date, after some of the privacy concerns were heard? Mugaliens 09:09, 3 September 2006 (UTC)
Also, are you a DoD employee, contractor, or military? That might make a difference. Mugaliens 09:10, 3 September 2006 (UTC)
Addendum: According to the US Navy's CAC Fact Sheet (pics at the bottom of the pdf file), all issuees except contractors get their SSN stamped on the card. Mugaliens 09:45, 3 September 2006 (UTC)

Deleted "Security" section

I deleted this section from the article after realizing I was filling it up with [citation needed] tags:

The idea that the CAC significantly increases security is severely flawed. Under the username/password approach, hacking a person's password required either an over-the-shoulder approach, intercepting the user's hashed password and using a tool such as L0phtCrack, or the use of a keyboard recorder, a small device which sits between the keyboard and the USB or PS2 port. These approaches required physical access to the LAN. With the CAC approach, hacking a person's password became only slightly more complicated. It now requires both a keyboard recorder as well as a tap on the digital stream of information between the computer and the network. The keyboard recorder will record the PIN, which is strongly encrypted over the network, but not encrypted between the keyboard and the computer, while the digital stream tap will record the CAC's unique ID (usually a multidigit number), which is not encrypted.

It contains numerous inaccurate statements, and correcting them is not within the scope of this article. For example, there are many more ways to crack a username/password login than are listed, none of which cannot be used on a CAC login. Also, the statement that the PIN is "not encrypted between the keyboard and the computer" is not true in high-security situations. ➥the Epopt 14:55, 1 September 2006 (UTC)

CAC readers do not encrypt the PIN. That's handled at the software level as part of the Windows logon routine. In "high security situations" such as when logging on to the SIPRnet, the same CAC readers are used that exist on the NIPRnet. The additional security is provided by controlling physical access to the machine. You have not made a single correct statement in your comments above. If references are needed, I'll fill it to overflowing, then revert the article, unless you can provide unequivocal justifications to back up your comments. Mugaliens 13:25, 2 September 2006 (UTC)
Please do exactly that -- provide sources for the statements you want to include. If you word them in the form "SOURCE X believes that CACs have SSNs printed on them," I won't delete them. ➥the Epopt 23:30, 2 September 2006 (UTC)
You bet. Mugaliens 09:10, 3 September 2006 (UTC)

It appears someone added all the inaccurate information back in. The part about a "digital stream tap" sounds like a man-in-the-middle attack, which assumes the data can simply be replayed. If you look at the Microsoft article describing the smart card logon process, you will see that a time-stamped (per Kerberos) challenge is sent to the smart card in order to decrypt the logon session key (Microsoft article). Without possession of the private key, it would be impossible to decrypt the data. The information posted in this article says nothing about extracting the user's private key from the smart card, which is a significantly more difficult process, and would require physical access to the card--I don't even know if it is possible. 131.28.31.217 23:55, 11 December 2006 (UTC)

I added some citation requests to the section. The text currently reads as nonsensical conjecture. If someone has demonstrated such a vulnerability, whereby obtaining the PIN and "tapping the digital stream" results in a compromised private certificate, or somehow fools the KDC into trusting a forged certificate, then they need to cite some references. 131.28.31.217 23:25, 13 December 2006 (UTC)
While "all cryptographic operations are performed on the KDC," as per the article, the PIN entered by the user travels cleartext between the keyboard and the computer. Any keystroke recorder inserted between the keyboard and the computer can intercept the PIN. Since many users leave their CACs in the computer, it's a simple matter to remove their CAC, walk over to another computer, extract the PIN from the recorder, and log in with another user's credentials. - Mugs 08:08, 4 January 2007 (UTC)
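The two attack scenarios argued over above (a tap on the logon exchange plus a keylogged PIN, versus a keylogged PIN plus a card physically left in the reader) can be made concrete with a small model. The following is an added example written for this talk page; it is not code from the article, from Microsoft, or from any DoD system. It uses textbook RSA with deliberately small, assumed primes to stand in for the card's key pair, and an HMAC over a per-challenge nonce to stand in for proof of possession of the session key; real smart-card logon (Kerberos PKINIT) differs in detail, but the two properties the example isolates are the ones that matter: the private key never leaves the card, and each challenge is fresh and single-use.

```python
"""Toy model of smart-card logon: a fresh challenge carrying a session key
encrypted to the card's public key.  Added example, not real PKINIT code.
Small primes are assumed for readability; a real CAC uses 2048-bit RSA."""
import hashlib
import hmac
import secrets

# Assumed demo key pair (constructed for this example).
P, Q = 1000003, 1000033
E = 65537


def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


assert is_prime(P) and is_prime(Q)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: held only by the card


class SmartCard:
    """The chip: PIN-gated use of a non-exportable private key."""

    def __init__(self, pin):
        self._pin = pin
        self._unlocked = False

    def verify_pin(self, pin):
        # The PIN is checked on the card itself; it never crosses the network.
        self._unlocked = hmac.compare_digest(pin, self._pin)
        return self._unlocked

    def decrypt(self, ciphertext):
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return pow(ciphertext, D, N)


def _prove(session_key, nonce):
    """Proof that the caller recovered session_key for this specific nonce."""
    return hmac.new(session_key.to_bytes(8, "big"), nonce.encode(),
                    hashlib.sha256).hexdigest()


class KDC:
    """Issues time-stamped challenges; each nonce is accepted exactly once."""
    MAX_SKEW = 300  # seconds, modelled on Kerberos' clock-skew tolerance

    def __init__(self):
        self._pending = {}   # nonce -> (issue time, session_key)

    def challenge(self, now):
        nonce = secrets.token_hex(8)
        session_key = secrets.randbelow(N - 2) + 2
        self._pending[nonce] = (now, session_key)
        return {"nonce": nonce, "ts": now, "enc_key": pow(session_key, E, N)}

    def verify(self, nonce, proof, now):
        entry = self._pending.pop(nonce, None)   # a second use of a nonce fails
        if entry is None:
            return False
        issued, session_key = entry
        if abs(now - issued) > self.MAX_SKEW:    # stale challenge
            return False
        return hmac.compare_digest(proof, _prove(session_key, nonce))


def logon(kdc, card, pin, now):
    """Client holding a card and a PIN.  Returns (success, what a wire tap sees)."""
    ch = kdc.challenge(now)
    if not card.verify_pin(pin):
        return False, ch
    proof = _prove(card.decrypt(ch["enc_key"]), ch["nonce"])
    return kdc.verify(ch["nonce"], proof, now), dict(ch, proof=proof)


def replay(kdc, captured, now):
    """Attacker with a tapped exchange and a keylogged PIN, but no card."""
    return kdc.verify(captured["nonce"], captured["proof"], now)


def attempt_without_card(kdc, now):
    """Attacker answering a fresh challenge with no private key to decrypt it."""
    ch = kdc.challenge(now)
    return kdc.verify(ch["nonce"], _prove(0, ch["nonce"]), now)
```

Run `logon(kdc, card, "1234", now)` once and hand the returned wire capture to `replay`: it fails, because the nonce has already been consumed and the captured proof is bound to that nonce. `attempt_without_card` fails because `enc_key` cannot be turned back into the session key without `D`. The scenario in the January comment is different in kind: calling `logon` again with the same `card` object and the keylogged PIN from "another computer" succeeds, since the attacker now holds both factors. That is a physical-custody and PIN-handling failure, not a weakness of the challenge protocol, which is why the inactivity-lockout and card-removal policies discussed below are the relevant controls.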

Objections Section Restored

Complete with a plethora of references, a few quotes, embedded links to additional info on Wiki, and other citations. If you feel any portion is still lacking references, please let me know and I'll add them within a few days. Thanks! Mugaliens 12:46, 3 September 2006 (UTC)

I think it's time to remove the "factual etc. disputed" page, unless anyone can provide clear, irrefutable evidence that counters the information contained in the many links I provided. Thank you. Mugaliens 20:59, 24 September 2006 (UTC)

Since no further comments or objections have been raised for nearly two months since I provided the links and references, I've removed the Disputed sign. Mugaliens 14:20, 31 October 2006 (UTC)

Leaving CAC in the computer

Many users running around the workplace habitually leave their CACs in the reader when they step away from their computers for a few moments. I know this for a fact as I've seen it happen many times. Anyone who works in or with the DoD can tell you the same thing. Mugaliens 14:26, 31 October 2006 (UTC)

Untrue. I work with the DoD and can't tell you that. I have removed your original research. ➥the Epopt 14:38, 31 October 2006 (UTC)
Your office must be much more disciplined than ones I've visited. As networks have started to require CAC use for logging in, I've seen lots of cards sticking out of keyboards. Still, without a published reference, I agree that it should not be in the article. Somewhere out there, a security evaluation must have been done. Any evaluation would likely list leaving the card behind as a risk factor. --StuffOfInterest 15:11, 31 October 2006 (UTC)
Thanks for the second opinion. You're correct - such an evaluation was done in 2000, and so many people left their CACs in their computers that the CAC system settings were changed to provide an automatic workstation lockout after several minutes of inactivity, regardless of whether the CAC is in or not. - Mugs 07:56, 4 January 2007 (UTC)

It is true and I've seen it happen all the time. I work in an office and administer 140 Army computers. People of all different ranks leave their CAC cards in their readers all the time and walk away. - Metrofx 29 January 2007 (UTC)

Geneva Conventions

The CAC card has been called a Geneva Convention ID card, but I don't see such a statement on this page. If true, what part of the Geneva Conventions apply? --Boblord 18:02, 11 November 2006 (UTC)

I'm not an expert on the Conventions, but my CAC says right on it, "Geneva Conventions Identification Card". The same was true of the previous military ID. Roachmeister 00:27, 1 December 2006 (UTC)
Answer: Convention (III) relative to the Treatment of Prisoners of War. Geneva, 12 August 1949, Article 4.A.(4): "Persons who accompany the armed forces without actually being members thereof, such as civilian members of military aircraft crews, war correspondents, supply contractors, members of labour units or of services responsible for the welfare of the armed forces, provided that they have received authorization, from the armed forces which they accompany, who shall provide them for that purpose with an identity card similar to the annexed model." Depending on one's rank or duties, they will fall into one of five Geneva Conventions categories. - Mugs 09:20, 4 January 2007 (UTC)

NPOV - "A better approach"

I added the POV-section tag, primarily for the part about "A better approach". It may or may not be true, but the way it is worded seems like so much advertisement for SANS. Roachmeister 00:24, 1 December 2006 (UTC)

Actually, not an advertisement at all - merely industry-standard security practices. Regardless, Epopt deleted it anyway, wrongly claiming "that has nothing to do with CACs and so is irrelevant to this article." Current CAC security is flawed, and industry-standard practices exist which can fix the flaws - that's highly relevant to this article. - Mugs 07:51, 4 January 2007 (UTC)

Text Removed

The following text was removed: "though that legislation is irrelevant to the work of military personnel." Reason: Congressional law applies equally to the military as it does to civilians unless specifically stated otherwise. No military member, including Security Forces or OSI personnel, or civilian authorities, may search the personal files or e-mails of another military member without a court order. Casual observance of a person's files during the routine maintenance of the computer by an authorized service technician is allowed. - Mugs 07:52, 4 January 2007 (UTC)