Application for GSOC 2012: Michael Worsham

Synopsis


A smart card, typically a type of chip card, is a plastic card that contains an embedded computer chip, either a memory chip or a microprocessor, that stores and transacts data. This data is usually associated with value, information, or both, and is stored and processed within the card's chip. The card data is transacted via a reader that is part of a computing system. Systems enhanced with smart cards are in use today in several key applications, including healthcare, banking, entertainment, and transportation.

Smart cards improve the convenience and security of a transaction. They provide tamper-resistant storage of user and account identity, and a microprocessor card can sign and authenticate with its private key without that key ever leaving the card. Smart cards also provide vital components of system security for the exchange of data throughout virtually any type of network: they remove the weaknesses of password-based authentication, from passwords written down or reused to passwords captured by phishing or malware, because the authentication secret is never typed into or stored on the host. The costs to manage password resets for an organization or enterprise are very high, which also makes smart cards a cost-effective solution in these environments.

The combination of a smart card and the user's personal identification number (PIN) provides two-factor authentication, where two items are needed: something physical the user has (the smart card) and something the user knows (the PIN). The PIN is verified by the card itself, which unlocks the private key for the authentication operation; the server never sees the PIN and does not need to. Since something physical and something non-physical are both required, the result is a much more secure means of authenticating users.

Homeland Security Presidential Directive 12 (HSPD-12) required a common, secure identity credential for all US federal employees and contractors. The National Institute of Standards and Technology (NIST) responded with the Personal Identity Verification (PIV) standard (FIPS 201), which leverages smart cards to centralize authentication on a single, manageable token that can hold a variety of pertinent information. The Department of Defense's PIV-conformant smart card is the Common Access Card, usually shortened to 'CAC'.[1]

The CAC, a "smart" card about the size of a credit card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems. The CAC enables the encryption and cryptographic signing of email, facilitates the use of public key infrastructure (PKI) authentication tools, and establishes an authoritative process for the use of identity credentials.[2]

Worldwide, people now use smart cards for a wide variety of daily tasks, including government and military identification, healthcare, e-commerce, and web site authentication.

Project

Develop a Personal Identity Verification (PIV) module that could be implemented in the Drupal CMS platform to allow login and verification with a Smart Card (SC) or a US Government Department of Defense Common Access Card (CAC) on secure websites.

As a bonus, the open source OpenSC project (http://www.opensc-project.org/opensc) maintains a list of supported and confirmed smart cards, reader hardware and libraries that can be used for development and testing needs.

There was once sandbox-related activity found here http://drupal.org/sandbox/larquin/1292622, but it seems to have been abandoned. I think it would be a benefit to the Drupal CMS project and community as a whole to have a module of this caliber actually be produced and available.

Profit for Drupal

Success Criteria

Roadmap

  1. Share the idea with the Drupal community. Receive and evaluate ideas.
  2. Deploy an Apache SSL/HTTPS server instance configured for TLS client-certificate authentication against the DoD CA chain (the SC/CAC itself is read on the client side by the browser's PKCS#11 middleware, e.g. OpenSC; the server only sees the certificate presented in the handshake).
  3. Set up a proof of concept with the Drupal CMS and the PIV module in place.
  4. Create user profile. Test module against SC/CAC reader for reads and profile update.
  5. Test verification. Attempt to login to secure Drupal CMS site using SC/CAC card.
  6. Record demo of actual CAC card use against said proof of concept environment.
  7. User acceptance testing, clean up documentation steps.
  8. Present PIV module to Drupal community.
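The following is an added worked example of the server-side half of steps 2 to 5 above; it is an illustration added by the editor, not code from this application, from the abandoned sandbox module, or from OpenSC. It assumes the Apache vhost is configured with SSLVerifyClient require, SSLCACertificateFile pointing at the DoD CA bundle (the path /etc/ssl/certs/dod-ca-bundle.pem is hypothetical) and SSLOptions +StdEnvVars, so that mod_ssl's SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_I_DN variables reach PHP through $_SERVER. The piv_* function names, the constructed sample DN values and the CAC Common Name layout LAST.FIRST.MIDDLE.EDIPI are the example's own assumptions.

```php
<?php
// Added example: verify a CAC/PIV TLS client certificate as exposed by Apache
// mod_ssl, and turn it into an identity a Drupal module could log in.
// Assumed Apache vhost configuration (the bundle path is hypothetical):
//   SSLVerifyClient require
//   SSLCACertificateFile /etc/ssl/certs/dod-ca-bundle.pem
//   SSLOptions +StdEnvVars

// Parse a mod_ssl DN string into attribute => list of values. Apache 2.2 emits
// "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=..."; Apache 2.4 emits the RFC 2253
// form "CN=...,OU=PKI,OU=DoD,O=U.S. Government,C=US". OU repeats, hence lists.
function piv_parse_dn($dn) {
  $rdns = array();
  if ($dn !== '' && $dn[0] === '/') {
    $pairs = explode('/', substr($dn, 1));
  }
  else {
    $pairs = preg_split('/(?<!\\\\),/', $dn); // split on commas not escaped by '\'
  }
  foreach ($pairs as $pair) {
    $eq = strpos($pair, '=');
    if ($eq === FALSE) {
      continue;
    }
    $attr = strtoupper(trim(substr($pair, 0, $eq)));
    $rdns[$attr][] = trim(substr($pair, $eq + 1));
  }
  return $rdns;
}

// A CAC subject CN is LAST.FIRST[.MIDDLE...].EDIPI, where the EDIPI is the
// ten-digit DoD ID number (assumed layout). Returns NULL if it does not fit.
function piv_parse_cac_cn($cn) {
  $parts = explode('.', $cn);
  $edipi = array_pop($parts);
  if (count($parts) < 2 || !preg_match('/^[0-9]{10}$/', $edipi)) {
    return NULL;
  }
  return array(
    'last'   => $parts[0],
    'first'  => $parts[1],
    'middle' => implode(' ', array_slice($parts, 2)),
    'edipi'  => $edipi,
  );
}

// Build the identity from the mod_ssl variables, failing closed at each step.
function piv_identity_from_server(array $server) {
  // The DN variables can be populated even when the client certificate did
  // not verify, so the DN means nothing unless the chain check succeeded.
  if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
    return NULL;
  }
  if (empty($server['SSL_CLIENT_S_DN']) || empty($server['SSL_CLIENT_I_DN'])) {
    return NULL;
  }
  // Defence in depth against a CA bundle that holds more than the DoD CAs:
  // insist the issuer is a DoD PKI CA (O=U.S. Government, OU=DoD).
  $issuer = piv_parse_dn($server['SSL_CLIENT_I_DN']);
  if (!isset($issuer['O']) || !in_array('U.S. Government', $issuer['O'], TRUE)
      || !isset($issuer['OU']) || !in_array('DoD', $issuer['OU'], TRUE)) {
    return NULL;
  }
  $subject = piv_parse_dn($server['SSL_CLIENT_S_DN']);
  if (!isset($subject['CN'][0])) {
    return NULL;
  }
  $identity = piv_parse_cac_cn($subject['CN'][0]);
  if ($identity === NULL) {
    return NULL;
  }
  // The last subject OU carries the affiliation (e.g. USA, USN, CONTRACTOR).
  $identity['affiliation'] = isset($subject['OU']) ? end($subject['OU']) : '';
  return $identity;
}

// Drupal 7 glue, only callable inside Drupal (hypothetical piv.module): key the
// account on the stable EDIPI, never on the printable name, which can change.
function piv_login_from_request() {
  $identity = piv_identity_from_server($_SERVER);
  if ($identity === NULL) {
    drupal_access_denied();
    return;
  }
  user_external_login_register($identity['edipi'], 'piv');
  drupal_goto('user');
}

// Stand-alone demo with a constructed $_SERVER sample (Apache 2.2 DN form).
$sample = array(
  'SSL_CLIENT_VERIFY' => 'SUCCESS',
  'SSL_CLIENT_S_DN'   => '/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JOHN.Q.1234567890',
  'SSL_CLIENT_I_DN'   => '/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EXAMPLE CA',
);
print_r(piv_identity_from_server($sample));
// The same DN presented over an unverified handshake must be rejected.
$sample['SSL_CLIENT_VERIFY'] = 'NONE';
var_dump(piv_identity_from_server($sample));
```

Inside Drupal 7, piv_login_from_request() would be the page callback registered by the module's hook_menu(); user_external_login_register() creates the account on first login and records the EDIPI in the authmap, so a reissued card with a changed name does not orphan the account. If a reverse proxy such as Squid terminates TLS in front of Apache, mod_ssl's variables are not available to PHP; the proxy must then pass the verification result and DN in a header that it sets itself and strips from incoming client requests, otherwise anyone can forge a CAC identity simply by sending that header.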

Biography

Name: Michael Worsham (Swampcritter)

PHP Experience: One year (debug only)

Drupal Experience: Five years (infrastructure/architect support)

Linux Experience: Over fifteen years

Apache Experience: Over fifteen years

MySQL Experience: Ten years

I have over seventeen years of hands-on, technical and team-lead managerial experience. Within the Drupal.org community, I have usually been present in the High-Performance and MySQL groups, as these relate to back-end LAMP needs more than the actual PHP programming aspects of Drupal. I have in the past been an active participant in the Drupal.org redesign implementers. As for my actual professional work, when I was with Morris Communications LLC, I was their Senior System Engineer & IT Architect and actually designed and integrated the infrastructure that is now known as the Morris SMS platform (the solution consists of PressFlow 6, multiple memcached instances, an integrated authcache/memcache patch, and reverse Squid proxies), which they are actively using today for a number of their on-going projects. Today, I support the US Government, working on a number of projects supporting the warfighter, including the high-profile Veterans Affairs Post 9/11 GI Bill Project.


[1] http://www.cantongroup.com/personal-identity-verification

[2] http://www.cac.mil/common-access-card/