Kerberos security evolves for B2B, mobile tech

By Bill Brenner, Senior News Writer
02 Apr 2008 | SearchSecurity.com


Kerberos is perhaps the most widely used authentication protocol on Earth, embedded in everything from Microsoft Windows to Sun Microsystems' Solaris operating system and multiple flavors of Linux. But the technological landscape has changed considerably since it first went live in 1987, and so have the security threats.

For the Massachusetts Institute of Technology (MIT) team that maintains Kerberos, the focus these days is on adapting it to meet the needs of smaller, business-to-business Web services and a workforce increasingly dependent on mobile devices. In doing so, their goal is to make it the universal authentication method.


The team has made significant progress in that regard, announcing Monday that Microsoft has joined the MIT Kerberos Consortium as a founding sponsor, a move that will significantly boost the consortium's goal of unlimited support for Kerberos-based single sign-on tools across the global communication infrastructure.

But there are limits to what can be done on the security side, according to security luminary Dan Geer, who helped develop Kerberos as a member of Project Athena in the mid-1980s.

Not what Kerberos was designed for
Geer, who is now vice president and chief scientist at Waltham, Mass.-based data security firm Verdasys Inc., said the biggest problem is that Kerberos simply wasn't designed to deal with many of the attacks being launched today.

The protocol does its job as well now as it did at the beginning, he said. But attackers have found ways to get around it.

"What if the probability in a transaction is not that I'm okay and you're okay and the Internet is the problem but that the other end is already compromised?" he asked.

A year ago Geer wrote a paper suggesting that 15% to 30% of all desktops had some degree of remote control not intended by the user. Since then, he noted, Microsoft Security Solutions Group program manager Mike Danseglio has estimated that two thirds of all PCs are compromised.


"Under those circumstances, authentication technology doesn't matter," he said. "If the person presenting the credentials is unwittingly compromised, the protocol worked but the person's machine is still under the control of someone else. That's not the problem we set out to solve with Kerberos. No protocol solves this. It's an endpoint problem."

Security experts often make the point that solid security is based on layers of technology and policies, and this case is no exception. Microsoft Windows Client Group Director Austin Wilson shares Geer's assessment, but noted that Kerberos is but one link in the larger security chain.

"There are a lot of basic things you have to do to keep the bots from getting on your machine in the first place, like having a firewall turned on, keeping your antivirus software up to date and being careful about the URLs you click on," Wilson said.

Building an alliance
Security experts have also made the point that the better the compatibility between vendors and technologies, the more effectively everyone can work to ensure security. To that end, the MIT Kerberos team can point to progress.

Explaining the importance of Microsoft joining as a founding sponsor, consortium executive director Stephen Buckley noted that while Kerberos has grown to become the most widely deployed system for authentication and authorization in modern computer networks, it is currently mostly available only in large enterprise networks. With Microsoft's added muscle, the consortium can expand Kerberos' reach to protect consumers doing business on the public Internet from phishing and other types of attacks.


"Microsoft joining the Kerberos Consortium is significant because they represent a vast number of Kerberos users," Buckley said. "It's an important step forward towards our common ambition to create a universal authentication platform for the world's computer networks."

Monday's announcement means Slava Kavsan, director of development for Windows Core Security at Microsoft, will take a seat on the executive board of the consortium, which was launched last September. Other board members are Jordan Hubbard of Apple, Paul Armstrong of Google, Wyllys Ingersoll of Sun, and Wilson D'Souza of MIT.

Other founding sponsors of the consortium include Carnegie Mellon University, Cornell University, Duke University, Iowa State University, Michigan State University, NASA, Pennsylvania State University and The U.S. Department of Defense.

Microsoft's change of heart
Microsoft's participation is a major leap from the days when the software giant was pushing to sidestep Kerberos and develop its own Kerberos-like authentication method, said Paul Hill, a consulting architect at MIT.

"We deployed Kerberos 5 in the mid-1990s and also started looking at interoperability issues with Windows 2000," Hill said. Regarding Microsoft's initial desire to create its own version of Kerberos, Hill said, "Microsoft eventually saw how entrenched Kerberos is, and so interoperability became a key focus. Since then, we've worked with them closely on that."

Microsoft has implemented the Kerberos protocol in a number of its products including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Kerberos is also the primary authentication mechanism offered by Microsoft Active Directory.

"Today, the majority of enterprise deployments consist of a large number of heterogeneous systems," said Microsoft's Kavsan. "Microsoft's implementation of Kerberos on the server side as well as the client side provides our customers with a smooth deployment experience, and we want these implementations to interoperate with others in these diverse environments."

Three future pillars
MIT's Kerberos interoperability efforts are part of a larger future strategy based on three pillars: making the technology available in smaller environments and on cellular devices; making it less dependent on the strength of the underlying platform; and making it work better in a business-to-business world that is increasingly dependent on Web services.

Several things have to happen on the Kerberos path to world domination, said Sam Hartman, the consortium's chief technologist. Kerberos needs to be available in much smaller footprints in terms of code size and CPU requirements, Hartman said, noting that today it is largely confined to larger enterprise environments. It must also be made to work well on cellular wireless networks, where latency is often high and packets sometimes don't make it through. Hartman also wants to improve how the Kerberos interface is used on limited-function devices.

The second pillar, he said, involves making it so Kerberos doesn't depend so much on the strength of the platform, and the third pillar involves adapting Kerberos to the world of business-to-business Web services.

"Through this work and with the consortium we have an exciting chance to make Kerberos the universal method of authentication," Hartman said.
