No Place Like Home: Kansas Criminal Data Secured With PKI

June 28, 1999

By Kelly Jackson Higgins

In some of the most remote counties in Kansas, sheriff's deputies now register for digital certificates so they can access the state's massive criminal repository. This lets them check pertinent information, such as the conviction records of suspects in their custody.

The Kansas Bureau of Investigation (KBI) installed a PKI (public-key infrastructure) last fall to secure its VPN (virtual private network) for the state's law-enforcement entities, including sheriff, judge and county prosecutors' offices, as well as police departments. The VPN replaced a dedicated SNA network that did not even have a logon procedure.

Before it could install the new VPN, which is part of the overall Kansas Criminal Justice Information System, the KBI had to assure the FBI that its transmissions of criminal history data over the Internet were secure.

"I knew exactly what I wanted from the beginning--a VPN solution using digital certificates," says Norma Jean Schaefer, IT consultant for the KBI. "And I need to be in control of who gets certificates."

PKI technology isn't exactly mainstream, mostly because of its complexity and management concerns. But the KBI has set up about 4,000 users with Entrust's PKI software, and plans to expand to around 12,000 users within a year.

Here's how it works: A law-enforcement officer checking on a suspect logs on to the Check Point Software SecuRemote server at the KBI through the SecuRemote client software on his or her PC. The client software authenticates itself with its assigned digital certificate, and the PKI server authenticates itself to the client machine with its digital certificate. The client and server then exchange encryption keys to secure the network connection, and the officer's request is sent to the criminal repository. At this point, the officer again has to prove he or she is a legitimate user, this time with a Security Dynamics' SecurID token.

"Anybody who comes to us has to have a digital certificate--it's the only way in and out," Schaefer says.

PKI technology has gotten a bad rap when it comes to performance, given all the security checkpoints for users to access information. But officials at the KBI say performance hasn't been a problem--at least not so far. The agency runs Crysallis' ITS accelerator card in its firewalls, which offloads the encryption algorithm calculations.

Still, the KBI's PKI system has yet to be seriously tested. "We have only 700 desktops out there" using the PKI system, Schaefer notes. "When we grow to 12,000 users, the accelerator card is really going to help us."

Encryption key pairs and certification authorities in PKI systems don't have a reputation for user-friendliness either, so training for the KBI's network was a major undertaking.

"A lot of [law-enforcement] people never even had a PC before," says Ron Rohrer, information resource manager for the KBI. "We were training people who had never dealt with this kind of technology, and they exceeded our expectations."

Aside from using the key pairs to access the criminal repository, the KBI also uses digital signatures and encrypts e-mail within the agency, as well as transfers of sensitive files.

"We will eventually deploy encrypted e-mail across the rest of the state criminal justice system," Rohrer says.

Tell us about your network and we may profile it in a future issue. Send e-mail to centerfold@nwc.com or call (516)-562-5914