Cryptology Methods in Organizationsa, CAC vs. User/Password

Cryptology Methods in Organizationsa, CAC vs. User/Password

This text explores the different cryptology methods used for authentication within organizations. It compares the Common Access Card (CAC), used by federal agencies, with traditional username and password systems.

  • CAC: The CAC offers two-factor authentication with a physical card and a PIN. PKI certificates on the card enable encryption and secure communication. This method is more secure than single-factor authentication. However, it has limitations such as the "bathroom effect" and the inability to access multiple systems simultaneously.

  • Username/Password: This method is widely used due to its simplicity but is inherently less secure than the CAC. It is vulnerable to password-related attacks.

Future Directions: The text suggests exploring derived credentials on mobile devices as a potential improvement. This could increase flexibility and address some of the CAC's limitations.

Cryptogoly and user and passwords are two different methods of connecting to the same application: one for commercial customers and one for Federal agencies.

The commercial customers authenticate with a user and password. Federal agencies can access the system via a Common Access Card (CAC), or if they do not have a CAC card, they can also access the system with a user and a password. The website application authenticates the CAC cards using GEOAxIS. GEOAxIS relies on the implementation of Oracle Access Manager (OAM). OAM relies on Apache modules installed on the web servers to intercept HTTP calls and process AuthN and AuthZ authentication.AuthN is authorized one's identity, and AuthZ authorizes and establishes privileges.

The CAC card can contain 144 kilobytes of data storage and memory on an integrated circuit chip. This card enables rapid authentication and enhanced physical and logical access security, as described by DOD (n.d.). The data includes Public Key Infrastructure (PKI) certificates, digital fingerprints, digital photos, organizational information, personal identity verification (PIV) certificates, and an expiration date as described by DOD (n.d.) The card includes a bar code used by federal services and agencies, including name, date of birth, DOD identification number, personal category, pay grade, benefits, and organization. Until 2012, the card contained the person's Social Security Number but was replaced by the DOD identification number.

The PKI certificate on the card takes advantage of public key cryptography. The data is coded and decoded or encrypted during the cryptographic process as described by Peltier (2013). Plain text, when encrypted, is called cipher text. The cipher text can be read once it is decrypted. When using public key cryptography, two associated keys are used to encrypt and decrypt data. There is a private key and a public key. A public or private key can be used for encryption or decryption depending on the desired operation, as Peltier (2013) points out. A key is used to encrypt data, and the related key can is used to decrypt the information. A public key is typically made available for other users to obtain. The PKI certificates on the CAC card can be used to send encrypted emails and for encryption purposes.

The user and password offer single-factor authentication, whereas the CAC cards provide two authentications: the PIN and the card. As described by Edwards & Keiser (2016), the CAC card advantage or strength is its physical form factor and policies governing its use as an authentication tool. The DOD did not go with a contactless card because someone or something could eavesdrop on the traffic between the card and the card reader.

Some disadvantages of using the CAC card include what some call the bathroom effect. One can get up from a workstation where a person is to use the bathroom and leave the CAC card in the reader, which is very easy to steal, as described by Edwards and Keiser (2016). Another issue identified is when troops at a command post need to access more than one system at a time but only have one CAC card to access one system.

One improvement to the CAC card, as described by Edwards & Keiser (2016), is happening because of the absence of CAC support on a mobile platform. Some federal agencies and services pilot derived credentials that can be carried on a mobile device instead of using the CAC card to generate authentication. They point out that NIST SP 800-157 provides strategies for using credentials derived from a CAC card.


Peltier, T. R. (2013). Information Security Fundamentals, Second Edition, 2nd Edition Retrieved from

Pentagon Brief (2006). CAC log-on to increase network security. Pentagon Brief

Edwards, J., & Keiser, E. (2016). Common access cards lacking. C4isr, , 22. Retrieved from

DOD (n.d). Common Access Card (CAC) Security. Department of Defense, , 6. Retrieved from

Posts in this series