kfw-3.1-beta-2 is available
Jeffrey Altman
jaltman2 at nyc.rr.com
Sat Oct 21 15:37:49 EDT 2006
There has been a report indicating that there is a problem with
the use of NIM to obtain credentials for principals whose password
has expired. I have been unable to replicate the problem. I would
appreciate it if other users could try to obtain credentials for a
principal with an expired password and report back to kfw-bugs at mit.edu
if there is a problem.
Thanks.
Jeffrey Altman
Secure Endpoints Inc.
Tom Yu wrote:
> The MIT Kerberos Development Team is proud to announce the second *BETA*
> release of the next revision of our Kerberos for Windows product,
> Version 3.1.
>
> Please send bug reports and feedback to kfw-bugs at mit.edu.
>
> What's New:
> ===========
>
> Version 3.1 fixes bugs and adds minor functionality:
>
> * Improvements to the Network Identity Manager
>
> 1. A serious memory leak has been fixed
>
> 2. Principal names containing numbers are no longer considered
> invalid
>
> 3. Locales other than en_US are now supported
>
> 4. Arbitrary sort ordering of credentials
>
> 5. Support for FILE: ccaches
>
> 6. Credential properties may be selected by the user for display
>
> 7. User selected font support
>
> 8. Tool Tip support added to the Toolbar
>
> 9. Identities can be added without obtaining credentials
>
> 10. Kerberos 5 Realm editor has been added
>
> * The MSLSA: ccache is disabled in WOW64 environments prior to Microsoft
> Windows Vista Beta 2 (Windows XP 64, 2003 64, etc.)
>
> * The installers are built using the latest toolkit versions NSIS (2.18)
> and WIX (2.0.4220.0)
>
>
> Version 3.0 provided several often requested new features:
>
> * thread-safe Kerberos 5 libraries (provided by Kerberos 5 release
> 1.4.4)
>
> * a replacement for the Leash Credential Manager called the Network
> Identity Manager
>
> - a visually enticing application that takes advantage of all of the
> modern XP style User Interface enhancements
>
> - supports the management of multiple Kerberos 5 identities in a
> variety of credential cache types including CCAPI and FILE.
>
> - credentials can be organized by credential cache location or by
> identity
>
> - a single identity can be marked as the default for use by
> applications that request the current default credential cache
>
> - Network Identity Manager is built upon the Khimaira Identity
> Management Framework introduced this past summer at the AFS &
> Kerberos Best Practices Conference at CMU.
>
> - Credential Managers for Kerberos 5 and Kerberos 4 are provided.
> Credential Managers for other credential types including AFS
> and KX.509/KCA are available. Contact Secure Endpoints Inc.
> for details. <https://www.secure-endpoints.com>
>
> - The Khimaira framework is a pluggable engine into which custom
> Identity Managers and Credential Managers can be added.
> Organizations interested in building plug-ins for the Network
> Identity Manager may contact Jeffrey Altman at
> jaltman at secure-endpoints.com
>
> * a Kerberos specific WinLogon Network Provider that will use the
> username and password combined with the MIT Kerberos default realm in
> an effort to obtain credentials at session logon
>
>
> Important changes since the 2.6.5 release:
> ==========================================
>
> * This release requires 32-bit editions of Microsoft Windows 2000 or
> higher. Support for Microsoft Windows 95, 98, 98 Second Edition, ME,
> and NT 4.0 has been discontinued. Users of discontinued platforms
> should continue to use MIT Kerberos for Windows 2.6.5.
>
> * Version 3.0 does not include any internal support for AFS. The
> aklog.exe utility now ships as a part of OpenAFS for Windows.
> <http://www.openafs.org/windows.html> The Secure Endpoints Inc. AFS
> credential manager for the Network Identity Manager has been incorporated
> into OpenAFS for Windows 1.5.9 and above.
>
>
> Downloads
> =========
>
> Binaries and source code can be downloaded from the MIT Kerberos web site:
> http://web.mit.edu/kerberos/
>
>
> Acknowledgments
> ===============
>
> The MIT Kerberos team would like to thank Secure Endpoints Inc.
> <https://www.secure-endpoints.com> for its support during the development
> of this release.
>
>
>
> Important notice regarding Kerberos 4 support
> =============================================
>
> In the past few years, several developments have shown the inadequacy
> of the security of version 4 of the Kerberos protocol. These
> developments have led the MIT Kerberos Team to begin the process of
> ending support for version 4 of the Kerberos protocol. The plan
> involves the eventual removal of Kerberos 4 support from the MIT
> implementation of Kerberos.
>
> The Data Encryption Standard (DES) has reached the end of its useful
> life. DES is the only encryption algorithm supported by Kerberos 4,
> and the increasingly obvious inadequacy of DES motivates the
> retirement of the Kerberos 4 protocol. The National Institute of
> Standards and Technology (NIST), which had previously certified DES as
> a US government encryption standard, has officially announced[1] the
> withdrawal of the Federal Information Processing Standards (FIPS) for
> DES.
>
> NIST's action reflects the long-held opinion of the cryptographic
> community that DES has too small a key space to be secure. Breaking
> DES encryption by an exhaustive search of its key space is within the
> means of some individuals, many companies, and all major governments.
> Consequently, DES cannot be considered secure for any long-term keys,
> particularly the ticket-granting key that is central to Kerberos.
>
> Serious protocol flaws[2] have been found in Kerberos 4. These flaws
> permit attacks which require far less effort than an exhaustive search
> of the DES key space. These flaws make Kerberos 4 cross-realm
> authentication an unacceptable security risk and raise serious
> questions about the security of the entire Kerberos 4 protocol.
>
> The known insecurity of DES, combined with the recently discovered
> protocol flaws, make it extremely inadvisable to rely on the security
> of version 4 of the Kerberos protocol. These factors motivate the MIT
> Kerberos Team to remove support for Kerberos version 4 from the MIT
> implementation of Kerberos.
>
> The process of ending Kerberos 4 support began with release 1.3 of MIT
> Kerberos 5. In release 1.3, the default run-time configuration of the
> KDC disables support for version 4 of the Kerberos protocol. Release 1.4
> of MIT Kerberos continues to include Kerberos 4 support (also disabled
> in the KDC with the default run-time configuration), but we intend to
> completely remove Kerberos 4 support from some future release of MIT
> Kerberos.
>
> The MIT Kerberos Team has ended active development of Kerberos 4,
> except for the eventual removal of all Kerberos 4 functionality. We
> will continue to provide critical security fixes for Kerberos 4, but
> routine bug fixes and feature enhancements are at an end.
>
> We recommend that any sites which have not already done so begin a
> migration to Kerberos 5. Kerberos 5 provides significant advantages
> over Kerberos 4, including support for strong encryption,
> extensibility, improved cross-vendor interoperability, and ongoing
> development and enhancement.
>
> If you have questions or issues regarding migration to Kerberos 5, we
> recommend discussing them on the kerberos at mit.edu mailing list.
>
> References
>
> [1] National Institute of Standards and Technology. Announcing
> Approval of the Withdrawal of Federal Information Processing
> Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
> Guidelines for Implementing and Using the NBS Data Encryption
> Standard; and FIPS 81, DES Modes of Operation. Federal Register
> 05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45
>
> [2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
> Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
> the Network and Distributed Systems Security Symposium. The
> Internet Society, February 2004.
> http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf
>
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos