One Pass for All

January 2002
By Henry S. Kenyon

Navy entry token replaces former identification techniques.

In the near future, access to U.S. naval vessels and facilities will be accomplished with the swipe of a card. The service is issuing smart cards for entry control and record-keeping purposes to all of its personnel. The rollout is part of a larger program to provide the devices for all U.S. Defense Department employees.

Protecting government facilities is paramount under any circumstances, and one way to accomplish this task is to determine which individuals may enter a certain area and to note their arrival and departure. Embedded chips in devices similar to credit cards provide organizations with more security because they are difficult to duplicate or forge. Smart cards have been available in the commercial sector for several years, but the U.S. government is spearheading their use through large-scale deployments across the armed forces.

The U.S. Navy’s smart card program is a part of this larger effort. According to Robert Carey, e-business team leader at the Navy’s chief information officer’s office, Arlington, Virginia, the service is the largest user of embedded identification cards. The current Defense Departmentwide smart card initiative began in 1999. Approximately 60,000 cards have been issued since March 2001, and the goal is to distribute one million throughout the services. Card deployment is tied to the delivery of upgraded real-time automated personnel identification system (RAPIDS) workstations. Carey notes that an important part of the program is to create an infrastructure to produce cards on land or at sea.

The Defense Department access card office will upgrade roughly 1,600 RAPIDS stations over the next 12 to 15 months. In addition to these stations, the Navy has four mobile issuance laboratories built into 40-foot trailers, each containing six workstations. While the Navy cannot easily change the deployment schedule for the RAPIDS workstations, the trailers enable teams to travel, for example, to its facilities at the Norfolk Naval Base in Virginia or Camp Lejeune, North Carolina, to issue cards on-site. “It allows us the flexibility to move and issue [cards] as we see fit, as opposed to relying on the Defense Department schedule,” he says.

The driving reason for the accelerated rollout is to coincide with the deployment of the Navy/Marine Corps Intranet (NMCI). Every NMCI computer will have a smart card reader built into the keyboard. The smart card is the service’s public key infrastructure (PKI) access token that allows personnel to log on securely, send and sign encrypted e-mails and visit secure Web sites, Carey explains.

The need to meet the requirements of the NMCI rollout drove the smart card program. Originally the Defense Department had planned to issue the cards and distribution infrastructure on a slightly slower schedule. However, this would not fit into the NMCI deployment because a common access card (CAC) is needed to log on to the network. The Navy procured 42,000 terminals for fiscal year 2001, Carey explains. Larger orders will follow in subsequent years. “We knew we had to get ahead of the Defense Department’s curve so we could ensure that our customers had their cards when they required them,” he says.

The CACs contain a 32-kilobyte microchip operating with Java software. A magnetic strip is located on the back of the card, and bar codes are printed on both the front and back. These multiple systems were installed to allow the cards to be read by a number of existing systems. “We cannot assume that everybody has a chip reader right out of the chute,” Carey says.

The cards also will help with shipboard activities such as quarterdeck access. Sailors boarding a ship will swipe their cards on a podium where a ruggedized laptop computer produces a picture of the cardholder. Once identification has been verified, access to the ship is granted. This same process would be used for sailors leaving the ship and is available for shore-based facilities.

The CACs will replace the standard green identification cards currently used by the services. Carey notes that the Navy stopped issuing the old cards in the fall of 2001 and replaced them with smart cards. For example, approximately 4,000 cards were issued at the Naval Surface Warfare Center in Crane, Indiana. The majority of the base is Navy, but roughly 700 U.S. Army personnel also are stationed there. When the NMCI is installed, the smart cards will be the identification and access mechanism for everyone on the base, regardless of service affiliation, he says.

Deploying upgraded RAPIDS stations at sea poses bandwidth and size issues because the smart card printers are large and bulky. The goal is to replace all of the terminals currently used to make green identification cards, Carey explains. Approximately 96 mobile stations are used at sea, with larger vessels such as aircraft carriers and amphibious assault ships operating multiple stations. The ability to produce the cards locally is important because if a card is lost, a sailor cannot do his or her job until it is replaced, he says.

The CACs are similar to credit cards and equally durable, he says. The chip is very rugged, and the side of the card with the person’s photograph is laminated. However, on some first-issue cards that have been in service for more than six months, the printed information is wearing away on the unlaminated sides. The Navy is discussing plans to laminate both sides of the card. The devices also have a three-year shelf life, he adds. The decision to reissue cards every three years is based not on durability, but on issues such as PKI certificates, he says.

One advantage of the CAC is that it can convey several types of information that legacy scanning equipment can read. Although Carey considers bar code readers and magnetic stripes to be old technology, they serve to make the device more flexible to provide additional layers of security. The cards will continually evolve, incorporating a mix of old and new technologies as they become practical. Such new systems might use a password and some other type of validation in the form of an embedded certificate or biometrics such as a fingerprint or iris scan, he predicts.

The Navy is heavily involved with the Defense Department’s biometrics program office, Carey explains. Although the first generation of smart cards will not have any additional technologies, current plans include integrating biometrics systems into future generations of CACs. Carey notes that a fingerprint can be reduced to an algorithm that uses only 500 bytes of information, which easily fits on a 32-kilobyte chip. Another option is an iris scan, although he admits that he does not know how large a file size it would require. “We have not decided to go down that path yet, but clearly biometrics is going to play heavily in smart card technology in the near future,” he says.

Although biometrics systems may be several years away from deployment, Carey expects the next generation of CACs to feature some form of radio frequency technology. These types of devices are already widely used in many secure facilities. But adding new technologies to the card will have to be balanced with cost, he maintains. Per-unit expense is a major concern because one million cards a year will be issued, so expensive biometrics devices will probably be installed later, he says.

During the early part of the rollout in spring 2001, the Navy also helped to identify and correct flaws in the system, Carey explains. The problems centered on scalability and network infrastructure issues pertaining to large-scale certificate downloads. During initial beta testing, 20 RAPIDS stations had been installed at facilities around the country. These facilities produced a smart card in about 10 minutes. However, the network performance began to degrade as more stations were added. “It’s like an office LAN. If there are too many people on an insufficiently sized LAN, nobody gets any work done,” he says.

As more users tried to work on the system, 10- to 15-minute card-issuance times increased up to 40 minutes, or issuance failed totally due to network traffic. Insufficient bandwidth, server capacity and software issues were identified, and steps were taken to solve the problems. The flaws have since been corrected, he adds, noting that the system will expand over time. A team studied and solved the system’s scalability difficulties over the summer. T-1 lines were installed to provide dedicated bandwidth between nodes, Carey says. “Today there may be about 125 clients online at any one time. In six months, there will be 1,000. Next year, we’ll need to be able to support 2,500 simultaneous transactions on this network. We will not have the ability to look back and try to upscale ourselves,” he says.
