Smart Card ID & Biometrics Data Sheet

What is a smart card ID?
A smart card includes an embedded computer chip that can be either a microprocessor with internal memory or a memory chip alone. The card connects to a reader with direct physical contact or with a remote contactless electromagnetic interface. With an embedded microprocessor, smart cards have a unique ability to store large amounts of data, carry out their own on-card functions (e.g., encryption and digital signatures) and interact intelligently with a smart card reader. A smart card ID can combine several ID technologies, including the embedded chip, visual security markings, a magnetic stripe, a barcode and/or an optical stripe. Smart cards are used worldwide in financial, telecommunications, transit, healthcare, secure identification and other applications.

Why is a smart card the ideal alternative for a privacy-sensitive, secure personal ID system?
A smart card is the only alternative that can securely combine several applications and technologies onto one card, providing both convenience and security while minimizing the need to present personal, private information. With a smart card-based system, there is no technical requirement to have a central database system that observes all requests for services. Because the smart card is an active device (a small computer), the card is able to give only that information that is required for the specific services at the time the card is presented.

What is biometrics and how is it used for authentication?
Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic. Among the features measured are face, fingerprints, hand geometry, handwriting, iris, retina, vein, and voice. Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions. As the level of security breaches and transaction fraud increases, the need for highly secure identification and personal verification technologies is becoming apparent.
Biometric-based solutions are able to provide for confidential financial transactions and personal data privacy. The need for biometrics can be found in federal, state and local governments, in the military, and in commercial applications. Enterprise-wide network security infrastructures, government IDs, secure electronic banking, investing and other financial transactions, retail sales, law enforcement, and health and social services are already benefiting from these technologies.

Biometric-based authentication applications include workstation, network, and domain access, single sign-on, application logon, data protection, remote access to resources, transaction security and Web security. Trust in these electronic transactions is essential to the healthy growth of the global economy. Utilized alone or integrated with other technologies such as smart cards, encryption keys and digital signatures, biometrics are set to pervade nearly all aspects of the economy and our daily lives. Utilizing biometrics for personal authentication is becoming convenient and considerably more accurate than current methods (such as the utilization of passwords or PINs). This is because biometrics links the event to a particular individual (a password or token may be used by someone other than the authorized user), is convenient (nothing to carry or remember), accurate (it provides for positive authentication), can provide an audit trail and is becoming socially acceptable and inexpensive.

How is a biometric template created on a smart card, and what stops someone from overwriting the card with his/her own biometric?
A biometric template is an encrypted hash of the actual biometric itself. Once created, the template is digitally signed and locked onto the card by the issuing authority. Any attempt to overwrite would not be authenticated by the issuing authority as the smart card prevents modifications of its memory by anyone who is not correctly authenticated.

GSA's Smart Card Vision:
· Single card, multiple purpose, biometric enabled
· Secure access to government facilities, systems, applications and data
· Interoperable cards, readers, and applications
· Enable employees to do the job faster, better, cheaper and more securely!

Federal Government Smart Card Deployment: 13 Million Cards (1.2 Million issued to date)

CAC: Army, Navy, Air Force, Marines
Smart ID: Homeland Security/TSA, State Department, Justice/INS, GSA, Treasury
State & Local: Transportation Workers, First Responders

The Common Access Card (CAC)
Information is a powerful weapon that can help fight and win the Nation's wars. That is why the DoD harnessed the power of the Internet years ago, to ensure that information was protected and readily available to its personnel. A by-product of the Internet is Electronic Commerce (EC) technology. The Military Services view EC as a way to achieve improved business processes, respond to a changing environment, and provide timely, accurate, and secure information to support the warfighter.
In November of 1999, the Deputy Secretary of Defense directed the Military Services to implement smart cards in the form of a Common Access Card (CAC). A smart card is a credit card-sized device containing one or more integrated circuit chips, and may also include additional technologies such as a magnetic stripe, bar codes, a radio frequency transmitter, and photographic identification. Initial CAC issuance to DoD personnel will be completed by October 2003.
What Will the CAC Do?
The CAC has numerous functions - literally combining several cards into one. In addition to replacing the existing DoD identification card, the CAC will:
· Enable physical access to buildings and controlled spaces
· Enable computer network and system access
· Serve as the primary platform for the Public Key Infrastructure (PKI) token

Benefits of the CAC
Positive impact on readiness. With a CAC application, many paper-based processes will become automated. Therefore, what may have taken days to do may now take just hours. Military Service members may use the CAC to enter their installation, log onto computers, or verify medical benefits eligibility or dining facility privileges. As the technology matures, the CAC will perform even more functions - thereby enhancing readiness and saving time and money for all personnel.
Increased protection for personal and national security through Public Key Infrastructure (PKI). PKI is a CAC component, and is an enabling technology that provides data protection through authentication and data integrity. PKI performs specific functions such as single sign-on access control, signing electronic documents, and encrypting email. Eventually, all DoD computers will have a card reader allowing network access using the CAC. PKI adds an extra layer of security, because without your CAC, no one can log onto your computer even if they have your name and password. PKI authentication also provides the DoD another weapon to foil the attacks of computer hackers on DoD computer systems. With PKI, personal privacy is better protected and national security is also strengthened.
Who Will Receive the CAC?
Active duty military, National Guard, Reserve, DoD civilians, and eligible contractors will receive a CAC. Retirees and military dependents will not receive the CAC at this time, but will continue receiving the current identification card.

What is Public Key Infrastructure?
Public Key Infrastructure (PKI) is the new, commercially developed system for easy e-mail encryption and verification.

PKI is a relatively simple system that utilizes the security features found in many of today's popular software programs and packages such as Microsoft Outlook, Internet Explorer, and Netscape Navigator. As more and more transactions that are vital to the mission of the warfighter are sent over publicly accessible communication lines, PKI will help ensure that these transmissions are safe from outside threats.

How PKI Works

PKI works using standard cryptographic principles. Specifically, PKI uses public key cryptography. In simple terms, the cryptographic processes "code" and "decode" information. In PKI, the applicable terms are encrypt and decrypt. When information or text is encrypted, it becomes cipher text. Cipher text cannot be read until it is decrypted.
In public key cryptography, two related keys are used to encrypt and decrypt information. One key is private and the other is public. Either key can be used for encryption or decryption, depending on the desired operation. When one key is used to encrypt information, only the related key can be used to decrypt the information. The public portion of the key can be made available for other users to easily obtain.
1. John's computer will use Mary's public key to encrypt the message.
2. Mary will decrypt the message using her private key.
3. Mary encrypts a response using John's public key.
4. John uses his private key to then decrypt the message.
5. Anyone who attempts to read the message without the private key will see the subject line, but the body of the message will appear as nothing but garbled text.
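
The five steps above, together with the statement that either key can be used for encryption or decryption, as an added example that is not part of the original data sheet: textbook RSA without padding on small constructed keys. The function names, messages and primes are assumptions made for illustration.

```python
# Added illustration: textbook RSA without padding, on constructed keys far too
# small for real use. Real PKI uses 2048-bit+ keys with OAEP/PSS from a vetted library.
from math import gcd

def make_keypair(p: int, q: int, e: int = 65537):
    """Build ((e, n), (d, n)) from two primes; d is the private exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    return (e, n), (pow(e, -1, phi), n)

def transform(key, value: int) -> int:
    """The one RSA operation: modular exponentiation with either key."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)

def to_int(msg: bytes) -> int:
    return int.from_bytes(msg, "big")

def to_bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

# Constructed key pairs (Mersenne primes, chosen only because they are easy to write).
JOHN_PUB, JOHN_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
MARY_PUB, MARY_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def exchange():
    # Steps 1-2: John encrypts with Mary's public key; Mary decrypts with her private key.
    to_mary = transform(MARY_PUB, to_int(b"Meet at 0900"))
    read_by_mary = to_bytes(transform(MARY_PRIV, to_mary))
    # Steps 3-4: Mary replies under John's public key; John decrypts with his private key.
    to_john = transform(JOHN_PUB, to_int(b"Confirmed"))
    read_by_john = to_bytes(transform(JOHN_PRIV, to_john))
    # Step 5: what travels on the wire is to_mary, which is not the plaintext.
    return read_by_mary, read_by_john, to_mary

def sign_and_verify(msg: bytes) -> bool:
    # "Either key can be used": applying the private key first gives a signature
    # that anyone holding the public key can check.
    signature = transform(MARY_PRIV, to_int(msg))
    return to_bytes(transform(MARY_PUB, signature)) == msg
```
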

Smart Card Authentication Middleware:

Smart card middleware manages the passwords and private keys that produce the user's online identity and authenticate access to critical resources. Smart card digital identity software provides a high level interface to PKI credentials and other login credentials residing on the card. The middleware acts as a conduit between the cryptographic functionalities provided by the card and the network applications.

Some uses of the smart card middleware:
· Network login, remote access, and secure web access
· Email signing with legally enforceable digital signatures
· Email encryption and decryption
· Management of basic benefit, entitlement, medical, and demographic data to reduce paperwork


ERGOSECURE(TM) 2.0 SC Adjustable "Smart" Ergonomic Keyboard

ERGOSECURE 2.0 SC adjustable keyboard offers a combined smart card and fingerprint sensor that supports strong multifactor identification and authentication for positively verifying user identity. ERGOSECURE 2.0 SC allows the greatest degree of confidence for sensitive access, communication and transactions.

1 - Factor PIN or Password - What you KNOW
2 - Factor Smart Card - What you HAVE
3 - Factor Fingerprint Scan - Who you ARE

Bundled Smart Card SKUs:

ERGOSECURE 2.0 SC - Smart Card Reader Keyboard AC Bundle SKU: TBD
· 1 ERGOSECURE 2.0 SC smart card reader keyboard
· 1 ActivCard Gold v2.2 License
· 1 ActivCard Gold v2.2 Media Package (CD-ROM, manual, and hard license)
· 1 16K ActivCard smart card
· 1 Maintenance Package

ERGOSECURE 2.0 SC - Smart Card Reader Keyboard SLB Package SKU: TBD
· 1 ERGOSECURE 2.0 SC smart card reader keyboard
· 1 Schlumberger Middleware License
· 1 Schlumberger CD-ROM
· 1 Schlumberger Cyberflex Access II 32K smart card
· 1 Maintenance Package

ERGOSECURE 2.4 SC Biometric - Smart Card Reader & Biometric Sensor Keyboard Trinity Bundle SKU: TBD
· 1 ERGOSECURE 2.4 SC Biometric smart card reader with biometric sensor
· 1 ActivCard Trinity 4.1 License
· 1 ActivCard Trinity 4.1 Media Package (CD-ROM, manual, and hard license)
· 1 16K ActivCard smart card
· 1 Maintenance Package