This story appeared on Network World Fusion at

'Net Insider:

A different hell?
By Scott Bradner
Network World, 05/08/00

The Internet Engineering Task Force (IETF) made a mistake, and Microsoft is exploiting it. Even worse, a Microsoft executive was quoted as saying that secrecy enhances security.

Kerberos is a security package that originally was developed at the Massachusetts Institute of Technology to help protect the MIT data network. For those readers who have forgotten their Greek mythology, Kerberos was the multiheaded dog that guarded the entrance to hell. This happens to be a singularly appropriate symbol for the MIT student network, because the school has what one might call "inquisitive" students who can make the job of protecting security on the net a close approximation of hell. Back in 1993, the IETF published an enhanced version, known as Kerberos V5, in RFC 1510 with the status of Proposed Standard.

Now Microsoft has included what it calls Kerberos V5 in Windows 2000. But it is not quite the same as what MIT or the IETF call Kerberos V5, and this is creating a problem.

When the IETF standardized Kerberos, it may have included too much extensibility in the protocol. For example, Kerberos tickets include a field called AuthorizationData, a list of typed elements that a Kerberos-protected service consults when deciding whether the Kerberos client holding the ticket may use it. RFC 1510 defines some types of AuthorizationData but also allows for additional types "for local use."

In its Win 2000 Kerberos implementation, Microsoft made use of this extensibility to define an AuthorizationData type to carry Windows-specific user information. The addition of this information means that Windows Kerberos clients can only work with Microsoft Kerberos servers and not, for example, the freely available MIT Kerberos server.
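To make the interoperability problem concrete, here is a small worked example, written for this page rather than taken from the column, from MIT Kerberos or from Windows 2000. It encodes and decodes the AuthorizationData structure exactly as RFC 1510 defines it (a DER SEQUENCE OF elements, each carrying an ad-type INTEGER and an ad-data OCTET STRING), then shows what a service does with a ticket that carries one element of a publicly documented type next to one element of an undocumented "local use" type. The type numbers (1 and 200), the "key=value" payload format of the documented type and the opaque vendor payload are all made up for the example; only the DER structure comes from the RFC.

```python
"""Added example for this page: DER encode/decode of RFC 1510 AuthorizationData
and a service's accept/reject decision.  Not MIT or Microsoft code; the ad-type
numbers and payload formats below are assumptions made for the example.

    AuthorizationData ::= SEQUENCE OF SEQUENCE {
        ad-type  [0] INTEGER,
        ad-data  [1] OCTET STRING
    }
"""

DOCUMENTED_AD_TYPE = 1   # stand-in for a type whose format is public (assumption)
VENDOR_AD_TYPE = 200     # stand-in for an undocumented "local use" type (assumption)


def _der_len(n):
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """INTEGER in minimal two's-complement form (local-use types may be negative)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def encode_authz(elements):
    """Iterable of (ad_type, ad_data bytes) -> DER-encoded AuthorizationData."""
    body = b"".join(
        _tlv(0x30, _tlv(0xA0, _der_int(t)) + _tlv(0xA1, _tlv(0x04, d)))
        for t, d in elements
    )
    return _tlv(0x30, body)


def _read_tlv(buf, pos, expect_tag):
    """Read one TLV at buf[pos] with the expected tag; return (body, next pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    if tag != expect_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expect_tag, tag))
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[pos:end], end


def _whole(buf, tag):
    """Read a TLV that must span the entire buffer (no trailing bytes allowed)."""
    body, end = _read_tlv(buf, 0, tag)
    if end != len(buf):
        raise ValueError("trailing bytes")
    return body


def decode_authz(buf):
    """DER-encoded AuthorizationData -> list of (ad_type, ad_data)."""
    elements, pos = [], 0
    seq = _whole(buf, 0x30)
    while pos < len(seq):
        elem, pos = _read_tlv(seq, pos, 0x30)
        type_ctx, after_type = _read_tlv(elem, 0, 0xA0)
        data_ctx = _whole(elem[after_type:], 0xA1)
        ad_type = int.from_bytes(_whole(type_ctx, 0x02), "big", signed=True)
        elements.append((ad_type, _whole(data_ctx, 0x04)))
    return elements


def handle_documented(ad_data):
    """Parser for the made-up documented type: ASCII "key=value"."""
    key, _, value = ad_data.decode("ascii").partition("=")
    return (key, value)


def evaluate_ticket(authz_der, handlers):
    """A service's decision.  Every element must be understood: an ad-type with
    no handler cannot be checked, so this fails closed and rejects the ticket
    rather than quietly ignoring the element."""
    decisions = []
    for ad_type, ad_data in decode_authz(authz_der):
        handler = handlers.get(ad_type)
        if handler is None:
            return ("reject", "unrecognised ad-type %d" % ad_type)
        decisions.append(handler(ad_data))
    return ("accept", decisions)


def sample_ticket_authz():
    """Constructed sample: one documented element plus one vendor element whose
    payload is opaque to anyone without the vendor's specification."""
    return encode_authz([
        (DOCUMENTED_AD_TYPE, b"role=staff"),
        (VENDOR_AD_TYPE, b"\x00\x01opaque"),
    ])


if __name__ == "__main__":
    ticket = sample_ticket_authz()
    public_only = {DOCUMENTED_AD_TYPE: handle_documented}
    print(evaluate_ticket(ticket, public_only))
    # Only once the vendor publishes its format can a handler be written for it:
    with_vendor = {**public_only, VENDOR_AD_TYPE: lambda d: ("vendor", d.hex())}
    print(evaluate_ticket(ticket, with_vendor))
```

Run as-is, the script first rejects the sample ticket (a server built from the RFC alone has no way to interpret the vendor element) and then accepts it once a handler for the vendor type is supplied, which is exactly the step that an unpublished format makes impossible. The fail-closed choice in `evaluate_ticket` is the example's own conservative policy for authorization data it cannot interpret, not a rule quoted from RFC 1510.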

While annoying, this would not be a serious issue if Microsoft would openly publish the details of how it is using this field so that MIT and others could add it to their implementations. Ever since Microsoft made this addition known, the company has been promising to reveal the details.

But the information has not been forthcoming, and this past week, a Microsoft executive was quoted as saying the company would not release the information because it would compromise the security of Windows.

He has it backward. Any security expert will tell Microsoft that the only way to ensure security is to open up so that many eyes can look at the details to ferret out any problems so they can be fixed. These eyes can also ensure there are no hidden backdoors. Secrecy weakens security instead of strengthening it.

Microsoft has since decided to release the details, but with significant restrictions. The details are available only so that the security can be reviewed. Others cannot use this information to build servers or clients that are compatible with Microsoft's modified version. Microsoft's Web page says, "Supporting Kerberos V5 in Windows 2000 is a demonstration of Microsoft's commitment to industry standards." I'll let you judge the level of commitment.

Disclaimer: Harvard does not need to resort to monopolistic behavior to maintain its position; competence suffices. But the above is my own observation.

All contents copyright 1995-2002 Network World, Inc.