Kerberos for Windows 3.2.2 announcement text for your review
Jeffrey Altman
jaltman at secure-endpoints.com
Mon Oct 22 17:09:34 EDT 2007
Please update the release dates for KFW 4.0.
Kevin Koch wrote:
> The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to
> announce the release of MIT's Kerberos for Windows product,
> Version 3.2.2.
>
> Please send bug reports and feedback to kfw-bugs at mit.edu.
>
> Supported Versions of Microsoft Windows
> =======================================
>
> This release requires 32-bit editions of Microsoft Windows 2000 and
> higher or the WOW64 environment of 64-bit editions of Microsoft
> Windows XP and higher.
>
> Downloads
> =========
>
> Binaries and source code can be downloaded from the MIT Kerberos web site:
> http://web.mit.edu/kerberos/dist/index.html
>
> What's New in KFW 3.2.2:
> ========================
>
> * Network Identity Manager Application
> o Application window always raised when prompting for new credentials,
> so prompt is not obscured by other windows.
> o Password entry field accepts 1024 characters.
> o Add --show and --hide command line options.
> o Defines a new color schema. Color values are no longer imported from
> the user's desktop theme.
> o Notification icon reflects status of the default identity instead of
> all identities.
> * Credential Cache API changes
> o The CCAPI implementation is now compatible with Windows Terminal
> Server.
> * Kerberos v5 Library Improvements
> o Based on krb5-1.6.3.
> o MSLSA: ccache properly translates Unicode strings to the local ANSI
> character set.
> o krb5_get_profile() is exported from krb5_32.dll.
> * Installer Changes
> o Remove the registration requirement for administrative installations
> when using the MSI installer.
> o MSVC DLLs include DST 2007 changes.
>
> * Build system changes
> o NIM Schema files can now support external file inclusion.
> o Add static ordinals to DLL exports.
> o krbcc credential cache API implementation can now be compiled with
> Microsoft Visual Studio 2005.
> o Enable builds on 64 bit Windows.
>
> What's New in KFW 3.2.1:
> ========================
>
> * Network Identity Manager Application
> o The default identity background color has been removed.
> o The Basic view updates to reflect deleted and modified identities.
> o The watermark can be controlled by a registry setting.
> * Kerberos v5 Library Improvements
> o Based on krb5-1.6.2
>
> What's New in KFW 3.2.0:
> ========================
>
> * Network Identity Manager Application
> o A simplified basic mode has been added to the "obtain new
> credentials dialog". The basic mode replaces the credential
> browser with a button that can be used to access the advanced
> configuration functions. This advanced mode provides the
> credential browser and a tabbed view of the configuration
> dialogs for each of the available credential providers.
> o A simplified default application view that shows only the
> status of the active identities.
> o A new command-line option to netidmgr.exe is available to
> shut down a running instance of Network Identity Manager.
> Specify "-x" or "--exit" to force the existing instance to
> terminate.
> o The use of an ellipsis on menu items now follows the Windows
> Style Guide. An ellipsis is only used when additional information
> is required from the user before carrying out the designated
> action. If displaying a dialog is the action, no ellipsis
> is used.
> o Improved handling of window focus when opening and closing
> modal dialogs.
> o Reduce the number of alerts presented to the user by combining
> duplicates into a single alert.
> o Do not generate alerts if there is nothing that the user
> can do to correct the situation. Alerts that are displayed
> provide actions the user can take if desired.
> o Renew and Destroy menus provide "All" and "Individual identity
> names" as choices.
> o The Renew and Destroy toolbar buttons provide dropdown menus
> permitting the action to be applied to either "All" or one
> specific identity.
> o The "default" action of left clicking the notification icon
> is now configurable. The default configuration is "open/close
> NIM window". The alternate is to open the new credentials
> dialog. This can be specified by the user on the General
> Options page.
> o The alerter window can now display multiple alerts simultaneously.
> o Ensure that the NIM window is displayed on an active desktop.
> If not, move it to the primary desktop and center it.
> o New Basic mode display that shows only the state of the
> identity and its expiration time. Use F7 or View->Advanced
> to switch to the previous display that is configurable by the
> user to show details about each credential.
> o New Color Scheme derived from current Windows Desktop Color
> Scheme.
> o Improved display updating algorithms reduce flicker.
> o The proper icon sizes are now used in the information bubble
> and the status bar.
> o Task Bar buttons are created for visible windows and dialogs.
> o Plug-in Help can now be added to the Help menu.
> o Improved HtmlHelp user documentation with indexing.
> o Improved HtmlHelp developer documentation with indexing.
> o Improved PDF user documentation.
> * Network Identity Manager Kerberos v5 Support
> o Do not show cached prompts to the user if they have expired.
> o Correct the possibility that a krb5_ccache handle might be
> freed twice.
> o Import settings from Kerberos Profile if there are no equivalent
> defaults specified in the registry. Support per-realm settings.
> o An identity that matches the MSLSA will not renew its credentials
> from the MSLSA if the user obtained the credentials from
> elsewhere.
> o When importing an identity from the MSLSA that has never been
> seen before, create an entry in the identity database.
> o Do not attempt to renew non-renewable identities.
> o Permit an identity to be configured as the default identity
> even if it doesn't have any credentials.
> * Kerberos v5 Library Improvements
> o Based on MIT release 1.6+.
> o On Vista, the MSLSA: krb5_ccache can be used to store tickets,
> including TGTs for alternative principals, in the LSA credential
> cache.
> o On Vista a more efficient interface for enumerating the contents
> of the LSA credential cache is available.
> o Vista support is only built if the Vista SDK version of
> NTSecAPI.H is used.
> o On Vista, if a process is UAC limited, the MSLSA will report
> that no tickets are present in the cache rather than return
> tickets with invalid session keys.
> o get_os_ccname() uses GetEnvironmentVariable() instead of
> getenv() to read the KRB5CCNAME environment variable. This
> allows the correct default credential cache name to be returned
> by krb5_cc_default_name(). This works around a problem where a
> gssapi application would trigger an Obtain New Credentials prompt
> from NIM only to have it obtain the wrong credential cache.
> * Winsock Helper Library Improvements
> o DNS queries that terminate with a dot would not properly match
> the hostnames listed within the DNS response preventing a
> successful return. This resulted in "kinit -4" failing to find
> the KDCs.
> * Integrated Logon Improvements
> o Remove the reliance on the Windows Logon Event handler and
> replace it with a LogonScript that executes kfwlogon.dll via a
> call to rundll32.exe. This change permits the integrated logon
> functionality to work on all supported platforms: Windows 2000
> to Windows Vista.
> o Disable the use of integrated logon if the Network Provider is
> called as a result of a non-interactive logon. The non-interactive
> logon does not process the specified LogonScript. As a result,
> the intermediate credential cache file would not be processed
> nor cleaned up.
> o Obtained credentials are stored into an API credential cache
> whose name is API:<principal>.
> o Add a debugging mode which, when activated, logs to the Windows
> Application Event Log:
> [HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider]
> DWORD "Debug"
> * Leash32 Library Changes
> o Modify the leash functions to use krb5_string_to_deltat() to
> parse ticket_lifetime and renew_lifetime from the profile.
> Previously the leash functions expected those fields to be
> integer representations of minutes without the use of any units.
> This change is for consistency with KFM and the rest of the krb5
> library.
> o Modify the private functions acquire_tkt_for_princ() and
> acquire_tkt_no_princ() that are called from gssapi32.dll so that
> they will work on Windows Vista and so that the MSLSA: principal
> is only imported if it matches the default identity and no
> credentials for that identity are present.
> o Remove all AFS functionality.
>
> Microsoft Vista User Account Control (UAC)
> ==========================================
>
> Microsoft Vista UAC mode prevents accounts that are members of the
> local Administrators group from accessing Kerberos session keys from
> the LSA credentials cache. The MIT Kerberos MSLSA krb5_ccache type
> will not report the existence of Kerberos tickets which do not have
> valid session keys.
>
> Users are encouraged to log in to Microsoft Vista with accounts
> that are not members of the local machine Administrators group in
> order to obtain the best single sign-on experience with MIT Kerberos
> for Windows and Network Identity Manager.
>
>
> Important notice regarding Kerberos 4 support
> =============================================
>
> In the past few years, several developments have shown the inadequacy
> of the security of version 4 of the Kerberos protocol. These
> developments have led the MIT Kerberos Team to begin the process of
> ending support for version 4 of the Kerberos protocol. The plan
> involves the eventual removal of Kerberos 4 support from the MIT
> implementation of Kerberos.
>
> The Data Encryption Standard (DES) has reached the end of its useful
> life. DES is the only encryption algorithm supported by Kerberos 4,
> and the increasingly obvious inadequacy of DES motivates the
> retirement of the Kerberos 4 protocol. The National Institute of
> Standards and Technology (NIST), which had previously certified DES as
> a US government encryption standard, has officially announced[1] the
> withdrawal of the Federal Information Processing Standards (FIPS) for
> DES.
>
> NIST's action reflects the long-held opinion of the cryptographic
> community that DES has too small a key space to be secure. Breaking
> DES encryption by an exhaustive search of its key space is within the
> means of some individuals, many companies, and all major governments.
> Consequently, DES cannot be considered secure for any long-term keys,
> particularly the ticket-granting key that is central to Kerberos.
>
> Serious protocol flaws[2] have been found in Kerberos 4. These flaws
> permit attacks which require far less effort than an exhaustive search
> of the DES key space. These flaws make Kerberos 4 cross-realm
> authentication an unacceptable security risk and raise serious
> questions about the security of the entire Kerberos 4 protocol.
>
> The known insecurity of DES, combined with the recently discovered
> protocol flaws, makes it extremely inadvisable to rely on the security
> of version 4 of the Kerberos protocol. These factors motivate the MIT
> Kerberos Team to remove support for Kerberos version 4 from the MIT
> implementation of Kerberos.
>
> The process of ending Kerberos 4 support began with release 1.3 of MIT
> Kerberos 5. In release 1.3, the default run-time configuration of the
> KDC disables support for version 4 of the Kerberos protocol. Release 1.4
> of MIT Kerberos continues to include Kerberos 4 support (also disabled
> in the KDC with the default run-time configuration), but we intend to
> completely remove Kerberos 4 support from some future release of MIT
> Kerberos.
>
> The MIT Kerberos Team has ended active development of Kerberos 4,
> except for the eventual removal of all Kerberos 4 functionality. We
> will continue to provide critical security fixes for Kerberos 4, but
> routine bug fixes and feature enhancements are at an end.
>
> ** The MIT Kerberos Team has decided that the MIT Kerberos for
> ** Windows 3.x release series will be the last versions to contain
> ** Kerberos 4 support. Beginning with 4.0 release, MIT Kerberos for
> ** Windows will be Kerberos 5 only. At that time MIT will repackage
> ** the existing Kerberos 4 libraries in a stand-alone installer for
> ** those organizations that require continued use of Kerberos 4.
> ** MIT KFW 4.0 is targeted for release during the first quarter of
> ** 2008.
>
> We recommend that any sites which have not already done so begin a
> migration to Kerberos 5. Kerberos 5 provides significant advantages
> over Kerberos 4, including support for strong encryption,
> extensibility, improved cross-vendor interoperability, and ongoing
> development and enhancement.
>
> If you have questions or issues regarding migration to Kerberos 5, we
> recommend discussing them on the kerberos at mit.edu mailing list.
>
> References
>
> [1] National Institute of Standards and Technology. Announcing
> Approval of the Withdrawal of Federal Information Processing
> Standard (FIPS) 46-3, Data Encryption Standard (DES); FIPS 74,
> Guidelines for Implementing and Using the NBS Data Encryption
> Standard; and FIPS 81, DES Modes of Operation. Federal Register
> 05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45
>
> [2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
> Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
> the Network and Distributed Systems Security Symposium. The
> Internet Society, February 2004.
> http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf
> https://mailman.mit.edu/mailman/listinfo/kerberos-announce
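An added example, not part of the announcement above and not code from the KFW or MIT krb5 sources: a Python re-implementation of the delta-time grammar that the Leash functions now get from krb5_string_to_deltat(), with a helper that flags the one case an upgrade should check, a unitless ticket_lifetime or renew_lifetime, which the old Leash code read as minutes and the krb5 library reads as seconds. The krb5.ini fragment is constructed for the demonstration, the function names (string_to_deltat, legacy_leash_seconds, audit_lifetime, lifetime_settings) are mine, and MAX_DELTAT reflects the signed 32-bit krb5_deltat type.

```python
import re

# Constructed krb5.ini fragment for the demonstration; it is not taken from
# the announcement or from any KFW distribution file.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# krb5_deltat is a signed 32-bit count of seconds; larger values are rejected.
MAX_DELTAT = 2 ** 31 - 1

# "NdNhNmNs" with any subset of the units, optionally blank-separated.
_UNITS_RE = re.compile(
    r"^(?:(\d+)\s*d)?\s*(?:(\d+)\s*h)?\s*(?:(\d+)\s*m)?\s*(?:(\d+)\s*s)?$")
# "HH:MM", "HH:MM:SS" and "D-HH:MM:SS".
_CLOCK_RE = re.compile(r"^(?:(\d+)-)?(\d+):(\d+)(?::(\d+))?$")


def string_to_deltat(text):
    """Seconds denoted by a krb5 delta-time string.

    Re-implements the common forms accepted by krb5_string_to_deltat():
    a bare integer is SECONDS, unit suffixes d/h/m/s may be combined, and
    the clock forms HH:MM, HH:MM:SS and D-HH:MM:SS are accepted.
    Raises ValueError where the library returns KRB5_DELTAT_BADFORMAT.
    """
    s = text.strip()
    if s.isdigit():
        d, h, m, sec = 0, 0, 0, int(s)
    else:
        match = _UNITS_RE.match(s)
        if not (match and any(match.groups())):
            match = _CLOCK_RE.match(s)
        if not match:
            raise ValueError("bad delta time format: %r" % text)
        d, h, m, sec = (int(g) if g else 0 for g in match.groups())
    total = ((d * 24 + h) * 60 + m) * 60 + sec
    if total > MAX_DELTAT:
        raise ValueError("delta time overflows krb5_deltat: %r" % text)
    return total


def legacy_leash_seconds(text):
    """How the pre-3.2 Leash code read the same profile value: a bare
    integer number of MINUTES, with no unit suffixes understood."""
    s = text.strip()
    if not s.isdigit():
        raise ValueError("legacy Leash accepted only a bare integer: %r" % text)
    return int(s) * 60


def audit_lifetime(text):
    """(new_seconds, legacy_seconds) for one profile value.

    legacy_seconds is None when the old code could not parse the value at
    all (i.e. it already carried a unit).  A value where both are numbers
    and differ is one whose meaning changes at the upgrade.
    """
    new = string_to_deltat(text)
    try:
        old = legacy_leash_seconds(text)
    except ValueError:
        old = None
    return new, old


def lifetime_settings(profile_text):
    """Pull ticket_lifetime and renew_lifetime out of [libdefaults] in a
    krb5.ini fragment and return them in seconds (None when absent)."""
    section = None
    found = {"ticket_lifetime": None, "renew_lifetime": None}
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in found:
            found[key] = string_to_deltat(value)
    return found


if __name__ == "__main__":
    print(lifetime_settings(SAMPLE_KRB5_INI))
    for value in ("600", "10h", "1-00:00:00"):
        print(value, audit_lifetime(value))
```

A site that had ticket_lifetime = 600 in krb5.ini got ten-hour tickets from the old Leash code; after this change the same line asks for ten-minute tickets, so the value should be written with a unit (10h) before upgrading. Values that already carry a unit or a clock form were rejected by the old code and are unaffected.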