Slashdot Mirror


MIT Launching Kerberos Consortium

alphadogg writes to tell us that next week MIT will be throwing a 20th birthday party for their Kerberos authentication system. In celebration of this milestone they will also be launching a new consortium dedicated to preserving and evolving this standard for years to come. "Kerberos, originally created for MIT's Project Athena, is used mainly by enterprises and MIT's goal is to see the IETF security standard develop into a universal system for single sign-on. [...] 'Kerberos has.... become successful beyond MIT's internal capacity to respond to the world's demands for development, testing and support. So we need a new organizational structure that can accommodate the demand.'"

8 of 62 comments

  1. Re:And how will MS influence this? by ackthpt · · Score: 4, Informative

    With MS embedding their version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in their favor. Just something to watch out for.

    Didn't we just cover this aspect of MS embedding crap in the EU ruling? They can do it in the US, perhaps Asia, but the EU will be telling them to OPEN UP. So if I wanted to use my own authentication system in the OS I should be able to, not Microsoft's.

    Organisational Restructuring: "No, you want Bodkin, he shuffles orange and white papers, I now shuffle green and baby blue papers. Yellow and tan papers are down the hall to the left, shuffled by Morris."

    --

    A feeling of having made the same mistake before: Deja Foobar
  2. Re:And how will MS influence this? by Anonymous+Crowbar · · Score: 4, Informative

    From the FAQ http://www.kerberos.org/about/FAQ.html

    Didn't you guys have some kind of big falling out with Microsoft around Kerberos?

    "We read about that, but MIT and Microsoft have a long history of working together on Kerberos. This history starts well before the release of Windows 2000. Since then, MIT and Microsoft have been working on standardizing some of the features such as realm referral that enhance the ease of configuration of the Active Directory product. To this day, MIT and Microsoft continue to work together on Kerberos standards. The most recent effort involves a joint proposal to protect Kerberos against weak passwords and provide enhanced user privacy. MIT and Microsoft have made a proposal and are working within the standards community to build consensus around this proposal."

    Not sure how easy it is to replace Kerberos in Microsoft OS, the fact is with all the companies I've worked with globally, all of them were just using Kerberos in AD since it was there. Sure, you can turn it off and replace it with another option but cost-wise it doesn't make sense... and I would imagine in most cases there would not be a need to as well.

  3. Re:Laughably outdated by KidSock · · Score: 3, Informative

    My from-the-hip guess is that MIT has realized that they're a)dependent on Kerberos and b)nobody else uses it, so they need to generate some noise, make some unfounded claims, and hope to get some other people onboard. "Used in the enterprise"? Bull...

    FYI: Kerberos is the standard authentication protocol used on just about every enterprise network on the planet. All Windows clients that are members of an Active Directory domain use Kerberos to authenticate with fileservers, web services, LDAP servers and just about anything else that has domain credentials. That's probably 80% of Enterprise users alone. And the rest are probably using NFS which is rapidly moving to Kerberos authn' for everything.

  4. Re:Laughably outdated by secPM_MS · · Score: 4, Informative
    I would not call Kerberos outdated. Kerberos is based upon the Needham-Schroeder (NS) secret key approach and provides a rather comparable functionality to public key approaches. NS needs key distribution servers and the associated ticket granting servers, but these are in a security sense equivalent to the CAs and RAs of the PKI world. You can build authentication architectures upon either. The NS approach is computationally more efficient than the RSA math typically used by PKI.

    Kerberos is used extensively within Microsoft enterprise scenarios and is used in other non-Microsoft environments as well.

    Both Kerberos and PKI present management difficulties as you try to expand across large numbers of domains / forests with diverse security policies.

    If quantum computing ever truly breaks classic PKI approaches, the alternatives will be to develop PKI approaches that are more resistant to quantum attacks (problems are known that are believed to be resistant) and/or to use NS / Kerberos with doubled key length (quantum search attacks roughly square root the effective key size).

  5. NFS v4 uses Kerberos by ShaggyZet · · Score: 4, Informative

    Here is Linux's NFS v4 architecture. Other implementations use Kerberos too. Kerberos is one of the major improvements to NFS v4.

    http://developer.osdl.org/dev/nfsv4/site/architecture/

    1. Re: NFS v4 uses Kerberos by Dolda2000 · · Score: 2, Informative

      Here is Linux's NFS v4 architecture. Other implementations use Kerberos too. Kerberos is one of the major improvements to NFS v4.

      In all honesty, though, Kerberos isn't precisely new to NFSv4, it's just that support for it has been mandated by NFSv4. Kerberos authentication is supported at the RPC layer, which is the same regardless if being used for NFSv4, v3, v2 or even portmapper, NIS or SGI FAM, if you will. AFAIK, Linux's NFSv2/3 implementation supports Kerberos authentication as well, ever since the support was added to support NFSv4. I shan't bet on it, but I think Solaris has supported Kerberos authentication for earlier NFS protocols for quite a while.

      The actual improvements in NFSv4 include such things as compound calls (which is, on a completely unrelated note, also a new feature in Microsoft's SMB 2.0) which, at least supposedly, improves performance due to network latency. It also included symbolic UID/GID mapping (rather than working with numerical IDs). It also works better through firewalls by using a single TCP connection for everything (although personally, I think the firewall problem should be fixed instead...). While there exists an extension for POSIX APIs for NFSv3, NFSv4 has ACL support on its own, and I think it supports XATTRs as well (though the Linux implementation doesn't yet).

      I'm pretty sure it includes other improvements as well, but I cannot remember any others right now. For me, the most important feature of the new protocol as such was the symbolic ID mapping, since it means that I can access my NFS home directories on my laptop without also having to use NIS and other things that wouldn't work when I take the laptop out from my home network.

  6. Re:Laughably outdated by Anonymous Coward · · Score: 2, Informative

    Yeah, dumbass. Kerberos is implemented in NFSv4, and it's the only robust way to secure NFS. You, sir, are a clueless slashtard.

  7. MIT: Whitewash much? by Kadin2048 · · Score: 3, Informative
    I wonder who wrote that tripe, the MS legal team? And I wonder how much they paid MIT for the privilege.

    Truth be told, there was a big falling out between MS and MIT over Kerberos. Microsoft, as they are wont to do, tried to take Kerberos and proprietize it. The MIT guys said "not so fast," and took them to court over it. On the eve of what most assumed would be a judgment not in their favor, Microsoft suddenly had an 11th-hour change of heart and revealed their changes (although with poison-pill licensing terms attached, at least initially).

    From an article published in 2000:

    Slammed in a court brief for the proprietary way it implements the Kerberos Web security standard in Windows 2000, Microsoft (MSFT) has moved to reassure customers and disarm critics by publishing the formerly secret details of its version of Kerberos - just one day before the brief was filed. ... "They don't want anyone competing against them," says Paul Hill, co-leader of the Kerberos team at MIT, where the security standard was developed. "It's typical Microsoft behavior." ... Microsoft's implementation of Kerberos seems a textbook example of [embrace, extend, extinguish]. ... The version of Kerberos in every Windows 2000 PC formally complies with the standard specification. It also takes advantage of an undefined field in the spec to store authorization data for Microsoft's operating system. (Emphasis mine)
    "Joint proposal" my ass. Microsoft got dragged into that kicking and screaming. They would have buried Kerberos long ago if they had gotten their way.

    As an eventual result of this, some of Microsoft's changes were written up as an (informational, non-standards-track) RFC, which takes pains to repeat, over and over, that Microsoft's implementation was compatible with the original. The monopolist doth protest too much, I think.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."