kfw-3.1-beta-2 is available

Jeffrey Altman jaltman2 at nyc.rr.com
Sat Oct 21 15:37:49 EDT 2006


There has been a report indicating that there is a problem with
the use of NIM to obtain credentials for principals whose password
has expired.   I have been unable to replicate the problem.  I would
appreciate it if other users could try to obtain credentials for a
principal with an expired password and report back to kfw-bugs at mit.edu
if there is a problem.

Thanks.

Jeffrey Altman
Secure Endpoints Inc.

Tom Yu wrote:
> The MIT Kerberos Development Team is proud to announce the second *BETA*
> release of the next revision of our Kerberos for Windows product,
> Version 3.1.
> 
> Please send bug reports and feedback to kfw-bugs at mit.edu.
> 
> What's New:
> ===========
> 
> Version 3.1 fixes bugs and adds minor functionality:
> 
> *  Improvements to the Network Identity Manager
> 
>     1. A serious memory leak has been fixed
> 
>     2. Principal names containing numbers are no longer considered
>        invalid
> 
>     3. Locales other than en_US are now supported
> 
>     4. Arbitrary sort ordering of credentials
> 
>     5. Support for FILE: ccaches
> 
>     6. Credential properties may be selected by the user for display
> 
>     7. User-selected font support
> 
>     8. Tool Tip support added to the Toolbar
> 
>     9. Identities can be added without obtaining credentials
> 
>    10. Kerberos 5 Realm editor has been added
> 
> * The MSLSA: ccache is disabled in WOW64 environments prior to Microsoft
>   Windows Vista Beta 2 (Windows XP 64, 2003 64, etc.)
> 
> * The installers are built using the latest toolkit versions NSIS (2.18)
>   and WIX (2.0.4220.0)
> 
> 
> Version 3.0 provided several often-requested new features:
> 
> * thread-safe Kerberos 5 libraries (provided by Kerberos 5 release
>    1.4.4)
> 
> * a replacement for the Leash Credential Manager called the Network
>    Identity Manager
> 
>     - a visually enticing application that takes advantage of all of the
>       modern XP style User Interface enhancements
> 
>     - supports the management of multiple Kerberos 5 identities in a
>       variety of credential cache types including CCAPI and FILE.
> 
>     - credentials can be organized by credential cache location or by
>       identity
> 
>     - a single identity can be marked as the default for use by
>       applications that request the current default credential cache
> 
>     - Network Identity Manager is built upon the Khimaira Identity
>       Management Framework introduced this past summer at the AFS &
>       Kerberos Best Practices Conference at CMU.
> 
>     - Credential Managers for Kerberos 5 and Kerberos 4 are provided.
>       Credential Managers for other credential types including AFS
>       and KX.509/KCA are available.  Contact Secure Endpoints Inc.
>       for details.  <https://www.secure-endpoints.com>
> 
>     - The Khimaira framework is a pluggable engine into which custom
>       Identity Managers and Credential Managers can be added.
>       Organizations interested in building plug-ins for the Network
>       Identity Manager may contact Jeffrey Altman at
>       jaltman at secure-endpoints.com
> 
> * a Kerberos-specific WinLogon Network Provider that will use the
>    username and password combined with the MIT Kerberos default realm in
>    an effort to obtain credentials at session logon
> 
> 
> Important changes since the 2.6.5 release:
> ==========================================
> 
> * This release requires 32-bit editions of Microsoft Windows 2000 or
>    higher. Support for Microsoft Windows 95, 98, 98 Second Edition, ME,
>    and NT 4.0 has been discontinued.  Users of discontinued platforms
>    should continue to use MIT Kerberos for Windows 2.6.5.
> 
> * Version 3.0 does not include any internal support for AFS.   The
>    aklog.exe utility now ships as a part of OpenAFS for Windows.
>    <http://www.openafs.org/windows.html>  The Secure Endpoints Inc. AFS
>    credential manager for the Network Identity Manager has been incorporated
>    into OpenAFS for Windows 1.5.9 and above.
> 
> 
> Downloads
> =========
> 
> Binaries and source code can be downloaded from the MIT Kerberos web site:
>    http://web.mit.edu/kerberos/
> 
> 
> Acknowledgments
> ===============
> 
> The MIT Kerberos team would like to thank Secure Endpoints Inc.
> <https://www.secure-endpoints.com> for its support during the development
> of this release.
> 
> 
> 
> Important notice regarding Kerberos 4 support
> =============================================
> 
> In the past few years, several developments have shown the inadequacy
> of the security of version 4 of the Kerberos protocol.  These
> developments have led the MIT Kerberos Team to begin the process of
> ending support for version 4 of the Kerberos protocol.  The plan
> involves the eventual removal of Kerberos 4 support from the MIT
> implementation of Kerberos.
> 
> The Data Encryption Standard (DES) has reached the end of its useful
> life.  DES is the only encryption algorithm supported by Kerberos 4,
> and the increasingly obvious inadequacy of DES motivates the
> retirement of the Kerberos 4 protocol.  The National Institute of
> Standards and Technology (NIST), which had previously certified DES as
> a US government encryption standard, has officially announced[1] the
> withdrawal of the Federal Information Processing Standards (FIPS) for
> DES.
> 
> NIST's action reflects the long-held opinion of the cryptographic
> community that DES has too small a key space to be secure.  Breaking
> DES encryption by an exhaustive search of its key space is within the
> means of some individuals, many companies, and all major governments.
> Consequently, DES cannot be considered secure for any long-term keys,
> particularly the ticket-granting key that is central to Kerberos.
> 
> Serious protocol flaws[2] have been found in Kerberos 4.  These flaws
> permit attacks which require far less effort than an exhaustive search
> of the DES key space.  These flaws make Kerberos 4 cross-realm
> authentication an unacceptable security risk and raise serious
> questions about the security of the entire Kerberos 4 protocol.
> 
> The known insecurity of DES, combined with the recently discovered
> protocol flaws, makes it extremely inadvisable to rely on the security
> of version 4 of the Kerberos protocol.  These factors motivate the MIT
> Kerberos Team to remove support for Kerberos version 4 from the MIT
> implementation of Kerberos.
> 
> The process of ending Kerberos 4 support began with release 1.3 of MIT
> Kerberos 5. In release 1.3, the default run-time configuration of the
> KDC disables support for version 4 of the Kerberos protocol. Release 1.4
> of MIT Kerberos continues to include Kerberos 4 support (also disabled
> in the KDC with the default run-time configuration), but we intend to
> completely remove Kerberos 4 support from some future release of MIT
> Kerberos.
> 
> The MIT Kerberos Team has ended active development of Kerberos 4,
> except for the eventual removal of all Kerberos 4 functionality.  We
> will continue to provide critical security fixes for Kerberos 4, but
> routine bug fixes and feature enhancements are at an end.
> 
> We recommend that any sites which have not already done so begin a
> migration to Kerberos 5.  Kerberos 5 provides significant advantages
> over Kerberos 4, including support for strong encryption,
> extensibility, improved cross-vendor interoperability, and ongoing
> development and enhancement.
> 
> If you have questions or issues regarding migration to Kerberos 5, we
> recommend discussing them on the kerberos at mit.edu mailing list.
> 
>                                References
> 
> [1] National Institute of Standards and Technology.  Announcing
>      Approval of the Withdrawal of Federal Information Processing
>      Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
>      Guidelines for Implementing and Using the NBS Data Encryption
>      Standard; and FIPS 81, DES Modes of Operation.  Federal Register
>      05-9945, 70 FR 28907-28908, 19 May 2005.  DOCID:fr19my05-45
> 
> [2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
>      Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
>      the Network and Distributed Systems Security Symposium. The
>      Internet Society, February 2004.
>      http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf
> 

_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


