CAC, PIV, and Smart Card
When preparing for security exams such as Security+ or SSCP, you should know the differences between a CAC, PIV, and smart card. These are also known as a common access card (CAC), a personal identity verification (PIV) card, and a smart card. All three are used for authentication. More specifically, each of them are in the Something You Have factor of authentication.
Users prove their identity with authentication and there are three factors of authentication. They are commonly known as:
- Something you know, such as a password or PIN
- Something you have, such as a smart card, CAC, PIV, or RSA token
- Something you are, using biometrics
Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide
A smart card is a credit card sized card that has an embedded microchip and one or more certificates. The information on the card identifies the user and the certificate also includes the user’s private key used for asymmetric cryptography.
Users are often required to enter a personal identification number (PIN) along with the smart card. Using a smart card (something you have) and a PIN (something you know) provides multifactor authentication. Combining two or more factors of authentication is more secure than using only a single factor.
Both a CAC and PIV provide the same benefits of a smart card, but also include photo identification.
A common access card (CAC) is a smart card used by employees and other personnel in the United States Department of Defense (DoD). A CAC includes a picture of the user along with other information such as their name. DoD employees wear the CAC as a badge and can show it to guards to prove their identity. They can also use it as a smart card to log onto systems.
A personal identity verification (PIV) card is also a specialized type of smart card used by personnel in United States federal agencies. Just as a CAC does, the PIV card includes a picture of the user along with their name. A PIV can be used for visual verification of users, and then as a smart card when users log onto their computer.
Benefits of Smart Card, CAC, and PIV
Each of these provide some specific benefits worth emphasizing. They are:
- Authentication. A basic purpose is to allow users to prove their identity.
- Confidentiality. The certificate can be used with asymmetric cryptography to ensure confidentiality of data.
- Integrity. The certificate can also be used with digital signatures and provide integrity for the message.
- Non-repudiation. In addition to providing integrity, a digital signature also provides integrity.
Security+ Practice Test Question
Q. Which of the following includes a photo and can be used for identification?
Master Security+ Performance Based Questions Video
Security+ Practice Question Answer: D
A common access card (CAC) includes a picture used for identification and can also be used as a smart card. While not included in the answers, a personal identity verification (PIV) card also includes a picture and can be used as a smart card. A media access control (MAC) address is assigned to a network interface card or wireless network adapter. Discretionary access control (DAC) is an access control model; Microsoft’s NTFS uses DAC. Role based access control (RBAC) is an access control model; RBAC uses roles or groups and users are placed into a role or group based on their assigned jobs.