Kerberos and Microsoft products ?

g.w@hurderos.org g.w at hurderos.org
Tue Oct 25 08:36:40 EDT 2005 

On Oct 21,  6:31pm, ronnie sahlberg wrote:
} Subject: Re: Kerberos and Microsoft products ?

>On Oct 21,  4:26pm, "Tim Alsop" wrote:
>} Subject: Kerberos and Microsoft products ?
>> Hi,
>>
>> I have just been told by a company (name of company is anonymous)
>> that they were recently told by Microsoft, that in the next version
>> of Windows, Kerberos will be removed and replaced by something else
>> instead. This suggests that Active Directory will no longer be a
>> Kerberos server, and Windows will not use Kerberos to authenticate
>> users to domain controllers ?
>>
>> My question is, has anybody else been told the same ? Is this a
>> missunderstanding, or based on fact ?
>>
>> Thanks, Tim


> I do not think that is correct.
>
> I am certain that they will use kerberos however it is in my opinion
> very likely that they will change their kerberos infrastructure to
> rely significantly on digital certificates and the new pkinit
> draft/standard instead of user passwords and preauthentication.
>
> I.e.  they will probably make changes to kerberos but not get rid of
> kerberos instead they will use pkinit+kerberos.
>
> Speculation:
>
> I would not be surprised if they also do things like stuff the PAC
> inside the pkinit fields/certificate instead of inside the
> authorization data fields and if they also modify the kdc to take
> the PAC and other autorization data from within the AS-REQ and put
> it inside the krbtgt ticket it sends back and that the client in
> further tgs-req and also ap-req also contains a copy of that data.
>
> It would provide an interesting side channel where they could provide
> authorization data from the certificate all the way to the AP-REQ sent
> to a service.
>
> I bet there are very interesting features that such a mechanism
> would provide.  (at elast that is what i would do instead of only
> using pkinit as a vehicle for pre authentication)

Interesting, its finally started, also interesting most illimunaries
in the OSS community and open-architecture haven't seen it coming.

What evolves may be called Kerberos but it will be a 'Kerberos' which
is steadily evolved to limit inter-operability or work-alike products,
Samba4 anyone.  Anyone who didn't or doesn't see this coming doesn't
understand the strategic importance of authentication and particularly
authorization as a factor in application tying.

The architecture Ronnie suggests is probably spot-on.  I just finished
a couple of weeks of cycling, thinking and implementation on a similar
architecture for Hurderos [1].  Our work was motivated by two-factor
authentication but the principles of the architecture are extremely
powerful.

Beyond obvious technical merits the strategy of tightly integrating
certificates/encryption with authorization reduces the overall
effectiveness of products which simply re-implement protocols.  At
that point inter-operation requires not only faithful protocol
replication but re-implementation of some data element which can be
conveniently protected, not only with strong cryptography but a
variety of laws such as the DMCA.

Apologies for grinding my favorite axe.

Best wishes for a productive week to everyone.

Greg

---------------------------------------------------------------------------
[1]
Within our architecture authorization is a sibling identity created by
a genetic combination of the user's identity and the identity of the
service which they wish to access.  All of the identities are
represented by 160-bit numbers.  Two-factor authentication falls out
of this in a fairly natural fashion.

The user is provided with an RSA encrypted/signed packet containing
their authorization identity for a service requiring two-factor
authentication.  We send this up to the KDC as the authorization
payload field.  The KDC decrypts the payload and stuffs the identity
back into the authorization fields of the service ticket.  The target
server can then lookup the authorization identity in the directory
server to make the authorization decision.

So authorization requires not only an initial authentication but
something which the user posseses.  A something which only a
particular piece of software (tin foil hat) or an organization can
provide to them.
---------------------------------------------------------------------------

}-- End of excerpt from ronnie sahlberg

As always,
Dr. Greg 'GW' Wettstein
------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

More information about the Kerberos mailing list