Explaining U.S. Government Smart Cards

Over the last two years, Centrify has continually expanded its smart card support for both Red Hat and Macintosh.  Our on-premise solutions support reading and authenticating with many well-known existing and new US Military and Civilian smart cards.  This article explains the characteristics of those smart cards and our on-going commitment to the smart card community.

  • CACNG / Dual Identity / Dual Persona

This card is called by many different names: Dual-Persona [1], CACNG, and Dual-Identity. The card supports an on-going Government strategy to give one person both a Military (CAC) identity and a Civilian (PIV) identity on a single card.  Hence the name “dual identity” or “dual persona”.

The card has four certificates – CAC Identity, CAC Signing, CAC Encryption, and PIV Authorization.

Centrify DirectControl for Mac and Centrify Express for Smart Card have supported this type of card since 2011.  In 2012, we upgraded our software so that one smart card driver (CACNG tokend) could read and present all four certificates.  See below for an example.

[Figure: Centrify Express for Smart Card]

Military CAC website [2] mentions Centrify Express as an enabler for Dual Persona cards.

  • Alternate Token Card (a.k.a. Alt-token card)

This is a card given to people who work for the government but do not have official DMDC CAC cards, e.g., contractors or military personnel on a temporary duty station.

It is similar to the CAC card, but it generally follows a different provisioning and certificate model.  Sometimes an Alt-token card will have one certificate, other times it may have two – depending on the roles assigned. In contrast, a regular CAC smart card will always have three certificates with specific purposes and conventions.

Centrify DirectControl for Mac, Centrify Express for Smart Card, and Centrify DirectControl for Red Hat have supported this smart card type since early 2013.

  • Alternate Identity Smart Card (a.k.a. smart card user name mapping)

The “alternate identity” smart card is unique in how it is created and provisioned within Active Directory.  This card generally lacks a UPN (User Principal Name), the attribute that uniquely identifies the smart card user to Active Directory.  This may be done in an attempt to grant different user privileges to one smart card certificate.  In this way, the user’s certificate can be mapped to multiple Active Directory users, creating a convenient mechanism for IT Administrators who do not want to issue multiple smart cards for different user roles. [3]
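The two lookup paths described above, as an added example that is not part of the original post or of Centrify's software: a certificate that carries a UPN resolves to exactly one account, while a certificate without a UPN is matched by issuer and subject against each account's altSecurityIdentities attribute (the mapping mechanism the referenced Microsoft article [3] describes). The directory contents, DN strings and account names below are constructed sample data, and the `Cert`/`ADUser` classes are stand-ins for real certificate parsing and LDAP queries. The example goes one step beyond the text by adding an audit helper that lists certificates mapped to more than one account, since such mappings remove the one-card-one-person accountability a plain UPN lookup gives you.

```python
"""Resolve a smart-card certificate to Active Directory accounts.

Lookup path 1 (UPN): the certificate's Subject Alternative Name carries a
User Principal Name, which identifies one AD user.
Lookup path 2 (alternate identity): no UPN, so the issuer and subject DNs are
matched against each user's altSecurityIdentities values in the
"X509:<I>issuer<S>subject" form.  DN strings are assumed to be stored exactly
as written here; a real deployment must follow AD's DN ordering rules.
All directory data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    issuer: str
    subject: str
    upn: Optional[str] = None  # None models an "alternate identity" card


@dataclass
class ADUser:
    sam: str
    upn: str
    alt_security_identities: List[str] = field(default_factory=list)


def x509_mapping(issuer: str, subject: str) -> str:
    """Build the altSecurityIdentities string for an issuer/subject pair."""
    return f"X509:<I>{issuer}<S>{subject}"


def resolve(cert: Cert, directory: List[ADUser]) -> List[str]:
    """Return the sAMAccountNames the certificate maps to."""
    if cert.upn:
        # UPN path: case-insensitive match on the user's UPN attribute.
        return [u.sam for u in directory if u.upn.lower() == cert.upn.lower()]
    # Alternate identity path: explicit mapping in altSecurityIdentities.
    key = x509_mapping(cert.issuer, cert.subject)
    return [u.sam for u in directory if key in u.alt_security_identities]


def find_shared_certificates(directory: List[ADUser]) -> Dict[str, List[str]]:
    """Audit helper: mappings that resolve to more than one account."""
    seen: Dict[str, List[str]] = {}
    for u in directory:
        for mapping in u.alt_security_identities:
            seen.setdefault(mapping, []).append(u.sam)
    return {m: sams for m, sams in seen.items() if len(sams) > 1}


# Constructed sample data (not real CA names, DNs or accounts).
ISSUER = "CN=EXAMPLE CA-1,OU=PKI,O=Example Gov,C=US"
ALT_SUBJECT = "CN=DOE.JOHN.0000000000,OU=CONTRACTOR,O=Example Gov,C=US"
CAC_CERT = Cert(ISSUER, "CN=ROE.JANE.1111111111,O=Example Gov,C=US",
                upn="1111111111@mil.example")
ALT_CERT = Cert(ISSUER, ALT_SUBJECT)  # no UPN on the card

DIRECTORY = [
    ADUser("jroe", "1111111111@mil.example"),
    ADUser("jdoe", "jdoe@corp.example",
           [x509_mapping(ISSUER, ALT_SUBJECT)]),
    ADUser("jdoe-admin", "jdoe-admin@corp.example",
           [x509_mapping(ISSUER, ALT_SUBJECT)]),
]

if __name__ == "__main__":
    print("CAC cert resolves to:", resolve(CAC_CERT, DIRECTORY))
    print("Alt-identity cert resolves to:", resolve(ALT_CERT, DIRECTORY))
    print("Certificates mapped to several accounts:",
          find_shared_certificates(DIRECTORY))
```

When a certificate resolves to several accounts, the workstation or the authentication agent still has to pick one of them (the user name mapping the heading refers to); the audit helper is what a defender would run periodically so that every such shared mapping is a known, deliberate choice rather than a stale entry.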

Centrify DirectControl for Mac, Centrify Express for Smart Card, and Centrify DirectControl for Red Hat will support this smart card type in the upcoming 2013.2 release of our software, which will be out in June 2013.

  • PIV-I (Interoperability)

Lastly, the PIV Interoperability card is often issued by organizations outside the federal government. [4]  From a workstation’s perspective, the PIV-I card behaves in the same way as a federal PIV card, which DirectControl for Mac, Express for Smart Card, and DirectControl for Red Hat have supported since 2011.

Centrify is very proud of our ongoing smart card support.  We continue to expand and support our government and non-government smart card customers with new product features.  Feel free to contact me if you would like to learn more about smart cards and Centrify’s software solutions.

[1] “Tactics, Techniques, & Procedures (TTP) – Dual Persona Personal Identity Verification (PIV) Authorization Certificate”
http://www.jbmhh.army.mil/WEB/JBMHH/Master%20Files/images/TTP-DualPersonaPIVAuthCert.pdf

[2] Military CAC website:
http://militarycac.com/cacenablers.htm

[3] “Mapping One Smartcard Certificate to Multiple Accounts.”
http://blogs.technet.com/b/askds/archive/2009/08/10/mapping-one-smartcard-certificate-to-multiple-ac…

[4] “Personal Identity Verification Interoperability For Non-Federal Issuers”
https://cio.gov/wp-content/uploads/downloads/2012/09/PIV_Interoperabillity_Non-Federal_Issuers_May-2…