Military CAC for Mac
CAC on your Mac install checklist page. NOTE: Between mid-October 2019 and mid-February 2020, everyone in the Army will be migrated to the PIV AUTH certificate for email access. You will no longer use your Email certificate for Enterprise Email.
The Common Access Card, also commonly referred to as the CAC is a smart card about the size of a credit card.[1] It is the standard identification for Active Duty United States Defense personnel, to include the Selected Reserve and National Guard, United States Department of Defense (DoD) civilian employees, United States Coast Guard (USCG) civilian employees and eligible DoD and USCG contractor personnel.[1] It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems. It also serves as an identification card under the Geneva Conventions (esp. the Third Geneva Convention). In combination with a personal identification number, a CAC satisfies the requirement for two-factor authentication: something the user knows combined with something the user has. The CAC also satisfies the requirements for digital signature and data encryption technologies: authentication, integrity and non-repudiation.
The CAC is a controlled item. As of 2008, DoD has issued over 17 million smart cards. This number includes reissues to accommodate changes in name, rank, or status and to replace lost or stolen cards. As of the same date, approximately 3.5 million unterminated or active CACs are in circulation. DoD has deployed an issuance infrastructure at over 1,000 sites in more than 25 countries around the world and is rolling out more than one million card readers and associated middleware.
- AU9540 to AU9520, to be able to use the below readers on a Mac. Works on the following IOGear CAC reader models: GSR202, GSR202V, and GSR203. Some IOGear CAC readers have a firmware version (AU9540) that will not work on a Mac; this page will show you how to change it to AU9520, which will work on your Mac, using a program called.
Issuance
The CAC is issued to Active United States Armed Forces (Regular, Reserves and National Guard) in the Department of Defense and the U.S. Coast Guard; Coast Guard Auxiliary; DoD civilians; USCG civilians; non-DoD/other government employees and State Employees of the National Guard; and eligible DoD and USCG contractors who need access to DoD or USCG facilities and/or DoD computer network systems:
- Active Duty U.S. Armed Forces (to include Cadets and Midshipmen of the U.S. Service Academies)
- Reserve members of the U.S. Armed Forces
- National Guard (Army National Guard and Air National Guard) members of the U.S. Armed Forces
- Emergency-Essential Employees
- Contingency Contractor Employees
- Contracted college & university ROTC Cadets and Midshipmen
- Deployed Overseas Civilians
- Non-Combatant Personnel
- DoD/Uniformed Service Civilians residing on military installations in CONUS, Hawaii, Alaska, Puerto Rico, or Guam
- DoD/Uniformed Service Civilians or Contracted Civilian residing in a foreign country for at least 365 days
- Presidential Appointees approved by the United States Senate
- DoD Civilian employees, and United States Military veterans with a Veterans Affairs Disability rating of 100% P&T
- Eligible DoD and USCG Contractor Employees
- Non-DoD/other government and state employees of the National Guard
Future plans include the ability to store additional information through the incorporation of RFID chips or other contactless technology to allow seamless access to DoD facilities.
The program that is currently used to issue CAC IDs is called the Real-Time Automated Personnel Identification System (RAPIDS). RAPIDS interfaces with the Joint Personnel Adjudication System (JPAS), and uses this system to verify that the candidate has passed a background investigation and FBI fingerprint check. Applying for a CAC requires DoD form 1172-2 to be filled out and then filed with RAPIDS.
The system is secure and monitored by the DoD at all times. Different RAPIDS sites have been set up throughout military installations in and out of combat theater to issue new cards.
Design
On the front of the card, the background shows the phrase 'U.S. DEPARTMENT OF DEFENSE' repeated across the card. A color photo of the owner is placed on the top left corner. Below the photo is the name of the owner. The top right corner displays the expiration date. Other information on the front includes (if applicable) the owner's pay grade, rank and federal identifier. A PDF417 stacked two-dimensional barcode is displayed on the bottom left corner, and an integrated circuit chip (ICC) is placed near the bottom-middle of the card.
There are three color code schemes used on the front of the CAC. A blue bar across the owner's name shows that the owner is a non-U.S. citizen. A green bar shows that the owner is a contractor. No bar is for all other personnel—including military personnel and civil workers, among others.
The back of the card has a ghost image of the owner. If applicable, the card also contains the date of birth, blood type, DoD benefits number, Geneva Convention category, and DoD Identification Number (also used as the Geneva Convention number, replacing the previously used Social Security Number). The DoD number is also known as the Electronic Data Interchange Personal Identifier (EDIPI). A Code 39 linear barcode and a magnetic stripe are placed on the top and bottom of the card. The DoD ID/EDIPI number stays with the owner throughout his or her career with the DoD or USCG, even when he or she changes armed services or other departments within the DoD or the USCG. For retired U.S. military personnel who subsequently become DoD or USCG civilians or DoD or USCG contractors, the DoD ID/EDIPI Number on their CAC will be the same as on their DD Form 2 Retired ID Card. For non-military spouses, unremarried former spouses, and widows/widowers of active, Reserve or Retired U.S. military personnel who themselves become DoD or USCG civilians or DoD or USCG contractors, the DoD ID/EDIPI Number on their CAC will be the same as on their DD 1173 Uniformed Services Privilege and Identification Card (e.g., Dependent ID card).
The front of the CAC is fully laminated, while the back is only laminated in the lower half (to avoid interference with the magnetic stripe).[2]
The CAC is said to be resistant to identity fraud,[3] tampering, counterfeiting, and exploitation and provides an electronic means of rapid authentication.
There are currently four different variants of CACs.[1] The Geneva Conventions Identification Card is the most common CAC and is given to active duty/reserve armed forces and uniformed service members. The Geneva Convention Accompany Forces Card is issued to emergency-essential civilian personnel. The ID and Privilege Common Access Card is for civilians residing on military installations. The ID card is for DOD/Government Agency identification for civilian employees.
Encryption
Until 2008, all CACs were encrypted using 1,024-bit encryption. Starting 2008, the DoD switched to 2,048-bit encryption.[4] Personnel with the older CACs had to get new CACs by the deadline.[4] On October 1, 2012, all certificates encrypted with less than 2,048-bits were placed on revocation status, rendering legacy CACs useless except for visual identification.[4]
Usage
The CAC is designed to provide two-factor authentication: what you have (the physical card) and what you know (the PIN). This CAC technology allows for rapid authentication, and enhanced physical and logical security. The card can be used in a variety of ways.
Visual identification
The CAC can be used for visual identification by matching the color photo with the owner. This is used when the user passes through a guarded gate, or purchases items from a store, such as a PX/BX, that requires a level of privileges to use the facility. Some states allow the CAC to be used as a government-issued ID card, such as for voting or applying for a driver's license.
Magnetic stripe
The magnetic stripe can be read by swiping the card through a magnetic stripe reader, much like a credit card. The magnetic stripe is actually blank when the CAC is issued. However, its use is reserved for localized physical security systems.[5]
Integrated circuit chip (ICC)
The integrated circuit chip (ICC) contains information about the owner, including the PIN and one or more PKI digital certificates. The ICC comes in different capacities, with the more recent versions issued at 64 and 144 kilobytes (KB).
The CAC can be used for access into computers and networks equipped with one or more of a variety of smartcard readers. Once inserted into the reader, the device asks the user for a PIN. Once the PIN is entered, the PIN is matched with the stored PIN on the CAC. If successful, the EDIPI number is read off the ID certificate on the card, and then sent to a processing system where the EDIPI number is matched with an access control system, such as Active Directory or LDAP. The DoD standard is that after three incorrect PIN attempts, the chip on the CAC will lock.
The EDIPI number is stored in a PKI certificate. Depending on the owner, the CAC contains one or three PKI certificates. If the CAC is used for identification purposes only, an ID certificate is all that is needed. However, in order to access a computer, sign a document, or encrypt email, signature and encryption certificates are also required.
A CAC works in virtually all modern computer operating systems. Besides the reader, drivers and middleware are also required in order to read and process a CAC. The only approved Microsoft Windows middleware for CAC is ActivClient—available only to authorized DoD personnel. Other non-Windows alternatives include LPS-Public—a non-hard drive based solution.
DISA now requires all DoD-based intranet sites to provide user authentication by way of a CAC in order to access the site. Authentication systems vary depending on the type of system, such as Active Directory, RADIUS, or other access control list.
CAC is based on X.509 certificates, with software middleware enabling an operating system to interface with the card via a hardware card reader. Although card manufacturers such as Schlumberger provided a suite of smartcard, hardware card reader and middleware for both Linux and Windows, not all other CAC systems integrators did likewise. In an attempt to correct this situation, Apple Federal Systems has done work to add some support for Common Access Cards to their later Snow Leopard operating system updates out of the box, using the MUSCLE (Movement for the Use of Smartcards in a Linux Environment) project. The procedure for this was documented historically by the Naval Postgraduate School in the publication 'CAC on a Mac',[6] although today the school uses commercial software. According to the independent military testers and help desks, not all cards are supported by the open source code associated with Apple's work, particularly the recent CACNG or CAC-NG PIV II CAC cards.[7] Third-party support for CAC cards on the Mac is available from vendors such as Centrify and Thursby Software.[8] Apple's Federal Engineering Management suggests not using the out-of-the-box support in Mac OS X 10.6 Snow Leopard[9] but instead using supported third-party solutions. Mac OS X 10.7 Lion has no native smart card support. Thursby's PKard for iOS software extends CAC support to Apple iPads and iPhones. Some work has also been done in the Linux realm. Some users are using the MUSCLE project combined with Apple's Apple Public Source Licensed Common Access Card software. Another approach to solve this problem, which is now well documented, involves the use of a new project, CoolKey,[10] to gain Common Access Card functionality.
This document is available publicly from the Naval Research Laboratory's Ocean Dynamics and Predictions Branch.[11] The Software Protection Initiative offers a LiveCD with CAC middleware and DoD certificate within a browser-focused, minimized Linux OS, called LPS-Public[12] that works on x86 Windows, Mac, and Linux computers.
Bar codes
The CAC has two types of bar codes: PDF417 in the front and Code 39 in the rear.
PDF417 Sponsor Barcode
Example value | Field name | Size | Description |
---|---|---|---|
'IDUS' | Identification Code | 4 | Sponsor/Dependent card |
'3' | Bar Code Version | 1 | |
XX | PDF417 Size | 2 | |
X | PDF417 Checksum | 1 | |
X | PDF417 RSize | 1 | |
'1' | Sponsor flag | 1 | 1=Sponsor 0=Dependent |
'GREATHOUSE, TUYET' | Name | 27 | Last, First |
'999100096' | Person Designator Identifier | 9 | 999-10-0096 |
'1' | Family sequence number | 1 | |
' ' | Reserved for future use | 9 | |
'00' | DEERS dependent suffix | Sponsor v3 | |
'60' | Height (inches) | 2 | 5' 0" |
'150' | Weight (pounds) | 3 | 150 lbs |
'RD' | Hair Color | 2 | BK=Black BR=Brown BD=Blonde RD=Red GY=Gray WH=White BA=Bald OT=Other |
'BR' | Eye Color | 2 | BK=Black BR=Brown HZ=Hazel BL=Blue GY=Gray GR=Green OT=Other |
'1992OCT31' | Date of birth | 9 | 19921031 |
'S' | Direct Care Flag | 1 | S=Unlimited |
'M' | CHAMPUS Flag | 1 | M=Civilian Health Care CHAMPUS |
'Y' | Commissary flag | 1 | Y=Eligible and active |
'Y' | MWR flag | 1 | Y=Eligible and active |
'U' | Exchange flag | 1 | U=Unlimited |
'2011OCT31' | CHAMPUS Effective Date | 9 | 20111031 |
'2057SEP30' | CHAMPUS Expiration Date | 9 | 20570930 |
'2RET ' | Form number | 6 | DD Form 2 - Retired |
'2011NOV04' | Card Issue Date | 9 | 20111104 |
'INDEF ' | Card Expiration Date | 9 | Indefinite |
'8 ' | Card Security Code | 4 | |
'H' | Service/Component Code | 1 | |
'RET ' | Status | 6 | RET=Retired member entitled to retired pay |
'USA ' | Branch of service | 5 | USA=U.S. Army |
'PVT ' | Rank | 6 | PVT=Private |
'E2 ' | Pay grade | 4 | |
'I ' | Geneva Convention Code | 3 | |
'UNK' | Blood Type | 3 | |
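A fixed-width parser for the sponsor layout in the table above, with the length, identification-code and date checks a reader application should apply before trusting a scanned record. This is an added example, not code from the original page or from DoD. It assumes the fields are concatenated in table order and left-justified with space padding, takes a width of 2 for the DEERS dependent suffix (the table gives no number for it), and fills the PDF417 size, checksum and RSize fields of the constructed sample with the table's placeholder characters.

```python
from datetime import date

# (field name, width) in the order of the sponsor table. Widths come from its
# Size column; the DEERS dependent suffix width (2) is an assumption taken
# from its two-character example value, since the table gives no number.
SPONSOR_LAYOUT = [
    ("identification_code", 4), ("barcode_version", 1), ("pdf417_size", 2),
    ("pdf417_checksum", 1), ("pdf417_rsize", 1), ("sponsor_flag", 1),
    ("name", 27), ("person_designator_id", 9), ("family_sequence", 1),
    ("reserved", 9), ("deers_dependent_suffix", 2), ("height_in", 2),
    ("weight_lb", 3), ("hair_color", 2), ("eye_color", 2),
    ("date_of_birth", 9), ("direct_care_flag", 1), ("champus_flag", 1),
    ("commissary_flag", 1), ("mwr_flag", 1), ("exchange_flag", 1),
    ("champus_effective", 9), ("champus_expiration", 9), ("form_number", 6),
    ("card_issue_date", 9), ("card_expiration_date", 9),
    ("card_security_code", 4), ("service_component", 1), ("status", 6),
    ("branch", 5), ("rank", 6), ("pay_grade", 4), ("geneva_code", 3),
    ("blood_type", 3),
]
RECORD_LEN = sum(width for _, width in SPONSOR_LAYOUT)  # 155 characters
MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}
DATE_FIELDS = ("date_of_birth", "champus_effective", "champus_expiration",
               "card_issue_date", "card_expiration_date")


def parse_card_date(text):
    """Convert 'YYYYMONDD' to a date; 'INDEF' (indefinite) becomes None."""
    text = text.strip()
    if text == "INDEF":
        return None
    if len(text) != 9 or not (text[:4] + text[7:]).isdecimal():
        raise ValueError(f"malformed date field: {text!r}")
    month = MONTHS.get(text[4:7])
    if month is None:
        raise ValueError(f"unknown month in date field: {text!r}")
    # date() itself rejects impossible days such as 31 September.
    return date(int(text[:4]), month, int(text[7:]))


def parse_sponsor_record(raw):
    """Split one decoded barcode string into named fields, validating it."""
    if len(raw) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} characters, got {len(raw)}")
    record, offset = {}, 0
    for name, width in SPONSOR_LAYOUT:
        record[name] = raw[offset:offset + width].strip()
        offset += width
    if record["identification_code"] != "IDUS":
        raise ValueError("identification code is not 'IDUS'")
    if record["sponsor_flag"] != "1":
        raise ValueError("not a sponsor record (sponsor flag is not '1')")
    for name in DATE_FIELDS:
        record[name] = parse_card_date(record[name])
    return record


def build_sample():
    """Constructed sample: the table's example values, space-padded to width."""
    values = ["IDUS", "3", "XX", "X", "X", "1", "GREATHOUSE, TUYET",
              "999100096", "1", "", "00", "60", "150", "RD", "BR",
              "1992OCT31", "S", "M", "Y", "Y", "U", "2011OCT31", "2057SEP30",
              "2RET", "2011NOV04", "INDEF", "8", "H", "RET", "USA", "PVT",
              "E2", "I", "UNK"]
    return "".join(v.ljust(w) for v, (_, w) in zip(values, SPONSOR_LAYOUT))


if __name__ == "__main__":
    for field, value in parse_sponsor_record(build_sample()).items():
        print(f"{field:24} {value!r}")
```

A dependent record (sponsor flag '0') is rejected rather than read with the sponsor offsets, because the dependent table below lists additional sponsor fields.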
PDF417 Dependent Barcode
Example value | Field name | Size | Description |
---|---|---|---|
'IDUS' | Identification Code | 4 | Sponsor/Dependent card |
.. | .. | .. | .. |
'0' | Sponsor flag | 1 | 1=Sponsor 0=Dependent |
.. | .. | .. | .. |
'RET ' | Sponsor Status | 6 | RET=Retired member entitled to retired pay |
'USA ' | Sponsor Branch of service | 5 | USA=U.S. Army |
'PVT ' | Sponsor Rank | 6 | PVT=Private |
'E2 ' | Sponsor Pay grade | 4 | |
' TRUMBOLD, ERIC ' | Sponsor Name | 27 | |
'999100096' | Sponsor Person Designator Identifier | 27 | |
'CH' | Relationship | 2 | SP=Spouse CH=Child |
RFID technology
There are also some security risks in RFID. To prevent theft of information in RFID, in November 2010, 2.5 million radio frequency shielding sleeves were delivered to the DoD, and another roughly 1.7 million more were to be delivered the following January 2011.[13] RAPIDS ID offices worldwide are required to issue a sleeve with every CAC.[13] When a CAC is placed in a holder along with other RFID cards, it can also cause problems, such as attempting to open a door with an access card when it is in the same holder as a CAC. Despite these challenges at least one civilian organization, NOAA, uses the RFID technology to access facilities nationwide. Access is usually granted after first removing the CAC from the RF shield and then holding it against a reader either mounted on a wall or located on a pedestal.[14] Once the CAC is authenticated to a local security server either the door will release or a signal will be displayed to security guards to grant access to the facility.
Common problems
The ICC is fragile and regular wear can make the card unusable. Older cards tended to de-laminate with repeated insertion/removal from readers, but this problem appears to be less significant with the newer (PIV-compliant) cards. Also, the gold contacts on the ICC can become dirty and require cleaning with either solvents or a rubber pencil eraser.
Fixing or replacing a CAC typically requires access to a RAPIDS facility, causing some practical problems. In remote locations around the world without direct Internet access or physical access to a RAPIDS facility, a CAC is rendered useless if the card expires, or if the maximum number of re-tries of the PIN is reached. Based on the regulations for CAC use, a user on TAD / TDY must visit a RAPIDS facility to replace or unlock a CAC, usually requiring travel to another geographical location or even returning to one's home location. The CAC PMO[15] has also created a CAC PIN Reset workstation capable of resetting a locked CAC PIN.
For some DoD networks, Active Directory (AD) is used to authenticate users. Access to the computer's parent Active Directory is required when attempting to authenticate with a CAC for a given computer for the first time. For example, a field-replaced laptop computer that was not prepared with the user's CAC before shipment would be impossible to use without some form of direct access to Active Directory beforehand. Other remedies include establishing contact with the intranet by using public broadband Internet and then VPN to the intranet, or even satellite Internet access via a VSAT system when in locations where telecommunications are not available, such as in a natural disaster location.
See also
- FIPS 201 (PIV)
References
- [1] 'COMMON ACCESS CARD (CAC)'. US Department of Defense. Retrieved 18 January 2017.
- [2] 'Central Issuance Facility Common Access Card (CAC) Production - Federal Business Opportunities: Opportunities'.
- [3] DOD to Drop Social Security Numbers from ID Cards
- [4] AirForceTimes. '404 - AirForceTimes'.
- [5] 'CHIPS Articles: Access Approved: Biometrics and Smart Cards Open Doors to Improved Efficiency'. Archived from the original on 2014-07-14.
- [6] cisr. 'CISR - Publications - Technical Reports'. Archived from the original on 2006-09-04. Retrieved 2006-09-17.
- [7] 'MilitaryCAC's Mac OS X support landing page'.
- [8] 'Thursby Software - Securing enterprise and personal mobility'. Thursby Software Systems, Inc.
- [9] 'Re: [Fed-Talk] Pkinit working on Snow Leopard but need forwardable TGT'.
- [10] 'Archived copy'. Archived from the original on 2012-11-26. Retrieved 2013-02-12.
- [11] http://www7320.nrlssc.navy.mil/pubs/2006/CommonAccessCardLinux.pdf
- [12] http://spi.dod.mil/lipose.htm
- [13] 'Defense Department order RF shields from National Laminating - SecureIDNews'. SecureIDNews.
- [14] https://pedestalpro.com/
- [15] Navy CAC PMO
External links
- 'AKO CAC Reference Center'. us.army.mil.
- 'CAC: Common Access Card'. cac.mil.
- 'CAC Installation assistance and troubleshooting for your home computer or personal laptop'. militarycac.com.
- 'Defense Manpower Data Center'. dmdc.osd.mil.
- 'RAPIDS Site Locator'. dmdc.osd.mil.
How to Install CAC Reader for Mac – If you are still searching for the best ways for “How to use MAC in a PC?”, you first need a CAC smart card reader. This article covers the CAC card reader: what a CAC card reader for Mac is, how to install a CAC card reader for Mac, and how to use one. Several brands of CAC smart card reader are available in the market, so choosing one can be confusing. This article gives you what you need to know to buy a CAC card reader online. There are some key precautions to take when purchasing a CAC card reader.
- Make sure your preferred CAC card reader is compatible with Mac OS and Windows (7/8/10/XP/Vista), 32-bit and 64-bit. Many CAC card readers on the market work well with earlier Mac versions but not with the latest versions.
- Your CAC smart card reader should support bank, post office, and other chip cards issued for use across the country.
- Before closing any deal with the seller, confirm the refund policy, so that you can get the cost of the product refunded if you face technical issues or physical damage.
- Before buying a Common Access Card (CAC) reader, cross-check that all the drivers are in place. The issues may differ from case to case, so don't forget to ask for the warranty card with your CAC reader for Mac.
The next sections explain what a CAC card reader is and how to use a CAC card reader for Mac.
What Is a CAC Card Reader for Mac?
The CAC, or Common Access Card, is a smart card issued by the United States Department of Defense and used for multifactor authentication. CAC cards are used as the standard identification of on-duty military officers, reserve personnel, civilians, and non-DoD government workers. The CAC card also identifies the National Guard and eligible contractors. It can also be used as an ID card to access computer networks and government buildings.
The Common Access Card looks like a standard debit card with a built-in microchip. It enables users to encrypt and cryptographically sign email. Additionally, it is used as a Public Key Infrastructure authentication tool. Users are authenticated by their digital images, two digital fingerprints, PKI certificate, social security number, and organizational affiliation.
When the CAC cardholder inserts the card into a smart card reader, he or she is asked for the associated PIN. Once the user has entered the PIN, the smart card reader uses standard internet protocols to match the data on the CAC card's chip with the data on the server. Once the data is matched, the software authenticates the user to access the network. During the whole session in which the user accesses the PC, the card stays in the smart card reader. Once it is removed from the reader, the system becomes inaccessible again.
If you have Mac OS, you can install the smart card reader for Mac. The next sections explain how to use and install a CAC reader on the Mac operating system.
How to Use a CAC Reader for Mac?
If you still wonder how to use a CAC card reader for Mac, here are the steps. Follow them one by one:
- Before getting started, make sure that you already have a Mac-compatible CAC card reader. If you do, you can start now.
- First, check that your CAC card reader is properly connected and recognized by your Mac. To do this, head to “About This Mac”, select “More Info”, then proceed to “System Report” and Hardware.
- From the Hardware tab, click USB, and then click USB plus.
- Now click on SCRx31 USB Smart Card Reader.
Once you have followed all these steps, you are almost done. Users are also recommended to use the Safari internet browser, as it works properly with Mac OS.
Next, authenticate yourself with the CAC smart card reader:
- Launch the Safari internet browser.
- Head over to File, then click New Private Window.
- Now open AKO and log in with your CAC card. (If you don’t have an AKO account, you need to register here.)
- Select your CAC certificate, then click “Continue”.
- Now enter your PIN in the prompt window (the PIN was created when you were assigned your CAC card).
How to Install a CAC Card Reader for Mac?
Before installing a CAC card reader for Mac, make sure of the following:
- Your card reader should be compatible with Mac. Check whether your Mac accepts the reader or not.
- Cross-check your Mac OS and CAC card version. Replace an outdated version with the latest one. You should also update your DoD certificates.
If you have already done this, follow these steps to install a CAC card reader for Mac.
Step-1: Purchase a Mac-compatible Card Reader
Several card readers are available to buy online and offline. Since you need a CAC card reader for Mac, buy a Mac-friendly card reader. If you already have a card reader that is not Mac-compatible, you can update the firmware. However, that is very difficult for people who are not tech-savvy, so it is better to purchase the latest CAC card reader that is Mac compatible.
Step-2: Plug in Your Card Reader
Once you have a good-quality Mac-friendly card reader, the next step is to plug it in. Also, make sure your Mac has accepted the CAC card reader. If your card reader is not working well, there might be an issue with your DoD certificates.
In that case, you need to update the DoD certificates. If you are a Chrome or Safari user, follow these steps:
- Press (Shift + Command + U) to access the Utilities.
- Now search for the option “Keychain Access” and right-click it.
- Next, select Login and go to All Items.
- Download the four files named Mac All Certs, Mac Root Cert 2, Mac Root Cert 3, Mac Root Cert 3.
- Once you have downloaded all the required files, double-click each one to install it in your Keychain Access.
If you are a Firefox user instead, follow these steps to install the CAC smart card reader on your Mac:
- Download the AllCerts zip file.
- Once you have downloaded the zip, unzip the files by double-clicking it.
- Search for Firefox on the top left and then click “Preferences”.
- Next, follow this path: “Advanced”, then “Certificate”, then “View Certificates”.
- Now click “Authorities”, then choose the option “Import”.
- Finally, import all files from the AllCerts folder.
- Now check all three boxes and click “OK”.
Step-3: Download and Install CAC Enabler
- First, download the ZIP files and unzip the folder by double-clicking it.
- Next, press and hold the “CTRL” key and click the program.
- Now choose “Open” and continue the installation process.
- After successful installation, restart your computer.