Smart Cards and CAC
What It Is
A smart card is a credit-card-sized device with an embedded secure element (a tamper-resistant chip) that stores cryptographic keys and performs operations on-chip. Like a YubiKey, private keys never leave the device. Unlike a YubiKey, smart cards require a separate card reader (USB or built into a laptop's chassis).
CAC (Common Access Card) is the US Department of Defense's smart card standard. Every military service member and DoD civilian carries one. A CAC contains: X.509 certificates for identification, email signing, and encryption, plus a photo ID. The PIV (Personal Identity Verification) standard (FIPS 201) is the civilian federal equivalent.
FortrOS supports smart cards and CAC as a first-class option alongside YubiKeys. Government and military orgs that require CAC + PIN use smart cards for all operations where FortrOS would otherwise use a YubiKey.
How It Works
PIV (Personal Identity Verification)
Smart cards used in FortrOS implement the PIV standard (NIST SP 800-73), which defines:
- Card slots: Predefined certificate/key slots for different purposes (PIV Authentication, Digital Signature, Key Management, Card Authentication)
- PIN protection: Operations require the cardholder's PIN (something you know + something you have = two-factor)
- On-card crypto: RSA and ECC operations happen on the card's secure element. Private keys are generated on-card or imported and cannot be exported.
The PIV interface is standardized -- any PIV-compliant card works with any PIV-compliant reader and software. This includes CAC cards, federal PIV cards, and commercial PIV cards from vendors like Gemalto/Thales and IDEMIA.
PKCS#11 Interface
Software accesses smart cards through PKCS#11 (also called Cryptoki) -- a
standard API for cryptographic tokens. On Linux, opensc-pkcs11.so provides
the PKCS#11 module that talks to PIV/CAC cards via the PC/SC (Personal
Computer/Smart Card) protocol.
Applications don't need to know what brand of card is inserted -- they talk to PKCS#11, PKCS#11 talks to PC/SC, PC/SC talks to the reader, the reader talks to the card. This abstraction is why FortrOS can support YubiKeys (which also implement PIV) and CAC cards through the same code path.
CAC + PIN
CAC authentication in FortrOS follows the same two-factor model as YubiKey + touch:
| Factor | YubiKey | CAC |
|---|---|---|
| Something you have | Physical YubiKey | Physical CAC card |
| Something you know | YubiKey PIN (FIDO2) or touch (HMAC) | Card PIN |
| Interface | USB (direct) | Card reader (USB or built-in) |
| Standard | FIDO2, PIV, HMAC | PIV (FIPS 201) |
The card PIN is verified by the card's secure element, not by the host software. A brute-force attack on the PIN locks the card after a configured number of attempts (typically 3-5). The host never sees the PIN in plaintext -- it's sent to the card over the secure channel.
How FortrOS Uses It
Smart cards fill every role that YubiKeys fill:
Enrollment: The admin presents a CAC + PIN instead of a YubiKey. The card's PIV Authentication key generates a signature proving physical presence. The provisioner verifies against the card's certificate chain.
Hibernate lock/unlock: The card's Key Management slot derives the hibernate encryption key. CAC + PIN required to resume. Same two-factor model as YubiKey + PIN.
Disaster recovery: Admin CAC cards hold LUKS keyslots, same as admin YubiKeys. The key derivation uses the card's cryptographic response, not a stored secret.
Employee identification: Non-admin users carry CACs for hibernate lock/unlock and identity verification. No org admin capabilities. In military orgs, this is the standard -- every user already has a CAC.
Reader Requirements
FortrOS nodes need a USB smart card reader (or a laptop with a built-in reader) for smart card operations. The reader is passive -- it just provides the electrical connection between the host and the card. All crypto happens on the card.
For headless servers (no physical operator), smart cards aren't practical. These nodes use TPM-only authentication for normal boot and rely on admin smart cards only during provisioning and disaster recovery (physical presence required).
Alternatives
YubiKey: Same cryptographic capabilities (YubiKey 5 implements PIV), USB form factor with built-in reader. More convenient for non-military orgs. FortrOS supports both interchangeably via the shared PIV/PKCS#11 interface.
TPM-only: No physical token needed. Weaker authorization (any genuine TPM can enroll, vs. CAC requiring physical card + PIN). Suitable for large-scale data center provisioning where card presentation isn't practical.
FIDO2 security keys: USB keys that support WebAuthn/FIDO2 but may not implement PIV. Not interchangeable with CAC for government use. YubiKeys support both FIDO2 and PIV; standalone FIDO2 keys typically don't.
Links
- NIST SP 800-73: PIV Interfaces
- FIPS 201: PIV of Federal Employees
- OpenSC -- Open source smart card tools and PKCS#11 module
- DoD CAC Reference Center
- PC/SC Specification