CAC Card, PIV Card, Smartcard and PKI Certificate Authentication for SSH
Government organizations operate under strict information security guidelines. Their security policies require encrypted and strongly authenticated access methods to be used with high value assets. In the context of the ubiquitous SSH protocol this often means the use of certificate authentication.
While PKI and certificates offer a strong, scalable, and centrally managed authentication of users and servers, they are still vulnerable to attacks on the private keys of the end-entities. Stealing a user's private key allows an attacker to impersonate that user, which may lead to serious security breaches. In high-security environments the use of certificates is often combined with the use of hardware security tokens such as smartcards or USB tokens.
Combining hardware tokens or smartcards with certificate authentication provides the advantage that the private key of an entity cannot be stolen by malware that collects SSH keys.
In the governmental context, the commonly used security tokens are the CAC card and the PIV card, described below.
CAC Card with Tectia SSH
The DoD Common Access Card is an identification card that is issued to the personnel of US Department of Defense. CAC is a smartcard that functions as the standard identification for active duty uniformed service personnel, selected reserve personnel, civilian employees of DoD, and some contractors that work for DoD. Common Access Card also works as the principal token for physical access to buildings and it provides access to DoD computer networks and systems.
Access to computers, online systems and networks is based on a PKI certificate and an associated private key that are stored on the chip of the CAC card. The certificate is presented to the server, while the private key remains on the card (and only on the card). Using the private key on the CAC requires the user to be in possession of the card and to know the PIN or passphrase that protects the key. The card and the PIN form the two factors required for authentication.
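A small Go model of the two factors described above, added here as an illustration (it is not Tectia code and not a real PIV or CAC interface): the private key is sealed inside a SimulatedCard type and never returned, every signature requires the PIN, a retry counter blocks the card after repeated wrong PINs, and the server verifies with nothing but the certificate's public key. Ed25519, the PIN value and the retry limit are constructed stand-ins for the card's actual key type and PIN policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SimulatedCard is a constructed model of what a CAC/PIV card does for SSH:
// the private key never leaves the card and every signature needs the PIN.
type SimulatedCard struct {
	priv    ed25519.PrivateKey // unexported: no method ever returns it
	Pub     ed25519.PublicKey  // the public half, as carried in the certificate
	pin     string
	retries int // remaining PIN attempts before the card blocks itself
}
func NewSimulatedCard(pin string) (*SimulatedCard, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimulatedCard{priv: priv, Pub: pub, pin: pin, retries: 3}, nil
}
// Sign is the only way to use the key: possessing the card (being able to call
// this) is factor one, knowing the PIN is factor two.
func (c *SimulatedCard) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.retries == 0 {
		return nil, errors.New("card blocked: PIN retry counter exhausted")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.retries--
		return nil, fmt.Errorf("wrong PIN, %d attempts left", c.retries)
	}
	c.retries = 3 // a correct PIN resets the counter, as on a real card
	return ed25519.Sign(c.priv, challenge), nil
}
// ServerVerify is the server's side: only the certificate's public key is needed.
func ServerVerify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}
func main() {
	card, _ := NewSimulatedCard("123456") // constructed PIN
	challenge := []byte("constructed server challenge")
	sig, err := card.Sign("123456", challenge)
	fmt.Println(err, ServerVerify(card.Pub, challenge, sig)) // <nil> true
}
```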
Tectia SSH is the leading commercial and professionally supported implementation of the Secure Shell protocol. Tectia SSH supports PKI authentication as well as the use of certificates on hardware security tokens and smartcards, such as CAC. Using Tectia SSH with CAC requires no patching or additional components. CAC is supported out-of-the-box.
PIV Card with Tectia SSH
While the CAC is limited to the personnel and contractors of the Department of Defense, the other branches of the US Federal government use a separate but similar authentication and identification system: the Personal Identity Verification (PIV) standard.
Like the CAC, the PIV card is a smartcard that contains a certificate and a private key used to gain access to computers, networks, and online resources. PIV is the standard method for strong authentication within the US Federal government.
The PIV system is described in Federal Information Processing Standards publication FIPS 201-2.
Tectia SSH's support for PKI authentication also covers the use of PIV cards.