Kerberos is perhaps the most widely used authentication protocol on Earth, embedded in everything from Microsoft Windows to Sun Microsystems' Solaris operating system and multiple flavors of Linux. But the technological landscape has changed considerably since it first went live in 1987, as have the security threats.
For the Massachusetts Institute of Technology (MIT) team that maintains Kerberos, the focus these days is on adapting it to meet the needs of smaller, business-to-business Web services and a workforce increasingly dependent on mobile devices. In doing so, their goal is to make it the universal authentication method.
The team has made significant progress in that regard, announcing Monday that Microsoft has joined the MIT Kerberos Consortium as a founding sponsor, a move that will significantly boost the consortium's goal of unlimited support for Kerberos-based single sign-on tools across the global communication infrastructure.
But there are limits to what can be done on the security side, according to security luminary Dan Geer, who helped develop Kerberos as a member of Project Athena in the mid-1980s.
Not what Kerberos was designed for
Geer, who is now vice president and chief scientist at Waltham, Mass.-based data security firm Verdasys Inc., said the biggest problem is that Kerberos simply wasn't designed to deal with many of the attacks being launched today.
The protocol does its job as well now as it did at the beginning, he said. But attackers have found ways to get around it.
"What if the probability in a transaction is not that I'm okay and you're okay and the Internet is the problem but that the other end is already compromised?" he asked.
A year ago Geer wrote a paper suggesting that 15% to 30% of all desktops had some degree of remote control not intended by the user. Since then, he noted, Microsoft Security Solutions Group program manager Mike Danseglio has estimated that two-thirds of all PCs are compromised.
"Under those circumstances, authentication technology doesn't matter," he said. If the person presenting the credentials is unwittingly compromised, he said, the protocol worked but the person's machine is still under the control of someone else. "That's not the problem we set out to solve with Kerberos. No protocol solves this. It's an endpoint problem."
Security experts often make the point that solid security is based on layers of technology and policies, and this case is no exception. Microsoft Windows Client Group Director Austin Wilson shares Geer's assessment, but noted that Kerberos is but one link in the larger security chain.
"There are a lot of basic things you have to do to keep the bots from getting on your machine in the first place, like having a firewall turned on, keeping your antivirus software up to date and being careful about the URLs you click on," Wilson said.
Building an alliance
Security experts have also made the point that the better the compatibility between vendors and technologies, the more effectively everyone can work to ensure security. To that end, the MIT Kerberos team can point to progress.
Explaining the importance of Microsoft joining as a founding sponsor, consortium executive director Stephen Buckley noted that while Kerberos has grown to become the most widely deployed system for authentication and authorization in modern computer networks, it is currently mostly available only in large enterprise networks. With Microsoft's added muscle, the consortium can expand Kerberos' reach to protect consumers doing business on the public Internet from phishing and other types of attacks.
"Microsoft joining the Kerberos Consortium is significant because they represent a vast number of Kerberos users," Buckley said. "It's an important step forward towards our common ambition to create a universal authentication platform for the world's computer networks."
Monday's announcement means Slava Kavsan, director of development for Windows Core Security at Microsoft, will take a seat on the executive board of the consortium, which was launched last September. Other board members are Jordan Hubbard of Apple, Paul Armstrong of Google, Wyllys Ingersoll of Sun, and Wilson D'Souza of MIT.
Other founding sponsors of the consortium include Carnegie Mellon University, Cornell University, Duke University, Iowa State University, Michigan State University, NASA, Pennsylvania State University and the U.S. Department of Defense.
Microsoft's change of heart
Microsoft's participation is a major leap from the days when the software giant was pushing to sidestep Kerberos and develop its own Kerberos-like authentication method, said Paul Hill, a consulting architect at MIT.
"We deployed Kerberos 5 in the mid-1990s and also started looking at interoperability issues with Windows 2000," Hill said. Regarding Microsoft's initial desire to create its own version of Kerberos, Hill said, "Microsoft eventually saw how entrenched Kerberos is, and so interoperability became a key focus. Since then, we've worked with them closely on that."
Microsoft has implemented the Kerberos protocol in a number of its products including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Kerberos is also the primary authentication mechanism offered by Microsoft Active Directory.
"Today, the majority of enterprise deployments consist of a large number of heterogeneous systems," said Microsoft's Kavsan. "Microsoft's implementation of Kerberos on the server side as well as the client side provides our customers with a smooth deployment experience, and we want these implementations to interoperate with others in these diverse environments."
Three future pillars
MIT's Kerberos interoperability efforts are part of a larger future strategy based on three pillars: making the technology available in smaller environments and on cellular devices; reducing its dependence on the strength of the underlying platform; and making it work better in a business-to-business world that is increasingly dependent on Web services.
Several things have to happen on the Kerberos path to world domination, said Sam Hartman, the consortium's chief technologist. Kerberos needs to be available in much smaller footprints in terms of code size and CPU requirements, Hartman said, noting that today it is largely confined to larger enterprise environments. It must also be made to work well on cellular wireless networks, where latency is often high and packets are sometimes lost. Hartman also wants to improve how the Kerberos interface is used on limited-function devices.
The second pillar, he said, involves making it so Kerberos doesn't depend so much on the strength of the platform, and the third pillar involves adapting Kerberos to the world of business-to-business Web services.
"Through this work and with the consortium we have an exciting chance to make Kerberos the universal method of authentication," Hartman said.