Enabling PIV/CAC Authentication in LiveWire
About PIV/CAC Authentication
PIV/CAC login is supported through the client authentication option of TLS, as described in the TLS standard. This option authenticates a party using a private key and a digital certificate. The PIV/CAC card holds the user's private key and certificate and performs the cryptographic operations needed to prove the holder's identity to the server.
Users are generally familiar with making secure connections to websites, such as a banking site, from their browsers. The browser marks such a connection with a "lock" icon or similar indicator showing that a secure, trusted connection has been made; if the connection fails, the user is warned that the connection is not secure and is discouraged from continuing. In this scenario, the website sends the user's browser a digital certificate containing its identity (e.g., "www.bankofamerica.com") and its public key. If the certificate appears valid, the browser uses the information it contains to cryptographically challenge the website to prove that it possesses the corresponding private key. If the website succeeds, a secure connection is established. The user then typically authenticates by entering a name and password into a page on the website.
A name and password are convenient for authentication, but in more secure environments they may have unacceptable limitations, such as the password being weak or easily guessed. In these situations a more secure approach called "client-side authentication" may be used. Here the user also possesses a private key and certificate, and these are used instead of a name and password to authenticate the user in the same way that the server authenticates itself to the user's browser. This mutual authentication approach is more secure because it is far more difficult to guess the user's private key than to guess a password. The user's certificate and private key may be stored anywhere, but are typically kept in a secure location that requires a password or some other secret to access. In the case of PIV/CAC cards, they are stored on the card, and a PIN entered by the user is required to authorize the card to use the private key when it is needed to negotiate the secure connection. Used in this way, the user is performing a form of two-factor authentication: the PIN is something the user knows and the PIV/CAC card is something the user possesses.
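The mutual authentication described above, shown end to end as an added example (not code from LiveWire or its documentation): Go's standard library plays the browser, the server and a throwaway certificate authority, with an in-memory key standing in for the card. The host name `livewire.example` and every certificate name are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a P-256 key and certificate for cn in a constructed throwaway PKI: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true}
	if parent == nil { // self-signed root: may sign certificates and carries no EKU restriction
		tmpl.IsCA, tmpl.KeyUsage, parent, pkey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// connect runs one mutually authenticated TLS handshake over loopback and returns the identity the server took from the verified client certificate; an empty cards slice models a user who presents no PIV/CAC.
func connect(ca *x509.Certificate, server tls.Certificate, cards []tls.Certificate) (string, error) {
	pool := x509.NewCertPool(); pool.AddCert(ca) // both sides trust only certificates chaining to this CA
	// RequireAndVerifyClientCert: no session unless the client proves possession of a key certified by the CA.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	// "livewire.example" is a hypothetical host name; on a real PIV/CAC the private key never leaves the card.
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "livewire.example", Certificates: cards}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return "", err }
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // server side: accept, complete the handshake, then echo back the authenticated identity
		conn, err := ln.Accept()
		if err != nil { done <- err; return }
		srv := conn.(*tls.Conn); defer srv.Close()
		if err := srv.Handshake(); err != nil { done <- err; return } // e.g. "tls: client didn't provide a certificate"
		_, err = srv.Write([]byte(srv.ConnectionState().PeerCertificates[0].Subject.CommonName))
		done <- err
	}()
	n, buf := 0, make([]byte, 256)
	cli, cliErr := tls.Dial("tcp", ln.Addr().String(), cliCfg) // the browser's side: verifies the server, then signs
	if cliErr == nil { defer cli.Close(); n, cliErr = cli.Read(buf) }
	if err := <-done; err != nil { return "", err }
	if cliErr != nil { return "", cliErr }
	return string(buf[:n]), nil
}
```

With a certificate issued by the trusted CA, `connect` returns the common name the server read from the client certificate; with no certificate, or one from an unknown CA, the server rejects the handshake before any identity is established.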