Busting CAC Myths

  • By Mr. Raymond Brant
  • AFCA Public Affairs
Rumors and urban legends are circulating that the “gold chip” on the Common Access Card (CAC) contains people’s DNA, family member information or even a complete copy of a worker’s official government records.

“This simply is not the case,” said Major Martin Solis, Chief, Identity Management Branch at the Air Force Communications Agency. 

The gold computer chip is where the CAC gets its “Smart Card” nickname. The chip contains personal information which is essentially the same information that was contained on previous ID cards such as name, rank, date of birth, along with gender, meal entitlement code and organ donor election (military only).

Additionally, the chip contains computer programs or applications, which protect the information on the chip, yet allow the information to be read by appropriately configured government computers and websites.

Besides those basic functions, the gold chip contains three electronic “certificates”, which are unique identifiers registered by DoD and assigned to each CAC owner. 
These certificates provide official electronic verification of your identity and also allow you to digitally sign and encrypt e-mails. 

IDENTITY: The identity certificate is used to grant access to the network and protected websites such as the Air Force Portal and Defense Travel System. By using this identity certificate on the chip instead of the less secure user name and password, we’ve made it more difficult for our adversaries to gain unauthorized access to our networks. For example, a hacker would first have to get their hands on a CAC and then guess the Personal Identification Number (PIN). As a safeguard, the chip’s self-protecting application only allows three guesses before the chip becomes locked (at which point a user would have to personally visit the Military Personnel Flight or find a specialized CAC Pin Reset workstation). This mechanism prevents unauthorized use of the card – a security precaution that effectively renders a lost card worthless to an adversary who might stumble upon one.

DIGITAL SIGNATURE: The digital signature certificate is used to “digitally sign” documents and e-mail. A digital signature is more difficult to “forge” since your unique identifier is used to create the digital signature. Likewise, a digitally signed e-mail will give you assurances that every letter, comma, period, space, etc., is exactly what the author put in the document. 

ENCRYPTION: As the name implies, the encryption certificate protects your data by “scrambling” your e-mail into something incomprehensible by means of a key or code, so that it can be reconverted only by an authorized recipient holding the matching key or code. As such, electronic encryption protects e-mail from being intercepted and read by unauthorized individuals. When using the unclassified network, referred to as the NIPRNET, this encryption is especially useful for Privacy Act Information, Official Use Only and other sensitive but unclassified data. However, one very important note is that even with digital encryption, classified information is still NOT authorized on the NIPRNET.

“As we progress within the Information Warfare battlefield, the Department of Defense will continue to increase security and protect personal information both on the card, and on the network,” said Major Solis. We all have a role to play in protecting our networks. The information that travels across our network is far too valuable for us to become complacent. The Air Force must, and will, continue to bolster its network security to protect operationally sensitive and personal identity information. Using the “Smart Card” with its gold chip to log on to our networks is one key step in that direction, so make sure you are ready!