Suspecting Microsoft's Kerberos Change

SAN MATEO (05/15/2000) - Last week, I mentioned in passing that Microsoft Corp. had included in Windows 2000 a nonstandard version of the Kerberos security protocol. This subject bears a little more explanation.

The Kerberos standard is named for the mythological three-headed dog that guards the gates of Hades. It's used to authenticate users logging on to a server. Unlike NT LAN Manager (NTLM) authentication -- the LAN Manager-style authentication in Windows NT 4.0 -- Kerberos uses a more efficient "single sign-on" method to maintain security between users and servers on a variety of operating systems. Kerberos was originally developed at the Massachusetts Institute of Technology (MIT) in the early 1990s. The Internet Engineering Task Force (IETF) then adopted it as a networking standard (see www.ietf.org/rfc/rfc1510.txt for details).

Microsoft released Win2000 on Feb. 17, with Kerberos replacing the weaker NTLM security protocol. But outside observers noted angrily that PCs using Win2000 Professional couldn't exchange authorization information via standard Kerberos with Unix servers and others. This keeps the servers from providing access control in a domain -- unless the servers are Win2000.

Critics said Microsoft's change to the standard was part of an "embrace, extend, and extinguish" strategy. "They want to force everyone to use ... a Win2000 server," said Ted Ts'o, a former member of MIT's Kerberos development team, in the April 2000 Linux World (see www.linuxworld.com/linuxworld/lw-2000-04/f_lw-04-vcontrol_3.html).

During much of the Win2000 beta test, networking pros demanded that Microsoft reveal the secrets of its modifications to Kerberos. Microsoft developers said at various times that the company would do so.

On April 28, after my last column had been written, Microsoft posted on its Web site a document that explains the changes (see www.microsoft.com/technet/security/kerberos/default.asp). Microsoft had made use of an Authorization Data field that IETF had left undefined for future use.

The posting only raised more suspicions. To run the self-extracting file that installs the document, you must click OK to accept a nondisclosure agreement.

It states that the information in the document is a "trade secret of Microsoft" and you aren't licensed to use future versions or extensions of the standard.

Of course, you can bypass the agreement by opening the self-extracting file in WinZip before viewing it. The federal law's definition of "trade secret" stipulates that "the owner thereof has taken reasonable measures to keep such information secret." So it's unlikely that Microsoft could legally enforce nondisclosure.

The mere threat of legal action, of course, is enough to chill most competitive development. Jeremy Allison, a member of the open-source Samba project, said in an Internet newsgroup, "This, of course, is a very clever way to pretend to distribute the spec, whilst making it completely impossible to implement in open-source Kerberos servers" (see linuxtoday.com/stories/21066.html).

I sent an e-mail message to Microsoft asking about the "trade secret." A spokesman said an official response was held up in the aftermath of the "I Love You" worm that affected Microsoft's e-mail system.

Meanwhile, Bryan Muehlberger, principal at DirectPoint Information Group, a St. Louis-based Microsoft Certified Solution Provider, offered a sympathetic view.

"Microsoft has made use of an available field, but not in a way that it was intended to be used -- and, of course, didn't document or mention this change anywhere," Muehlberger said. "In Microsoft's defense, they have to use the field this way. Basically, Microsoft has included in this field the SIDs [security identifiers] that specify a user's role/access to a particular resource. Since all resources in a Win2000 environment are protected by access control lists, if Microsoft did not include the SIDs in this field, then the resource would have to contact the Domain Controller for this information -- just like it does with NT LAN Manager authentication -- which hurts in terms of optimization."

What's your opinion? Send me your thoughts, using "Kerberos" as the subject.

Brian Livingston's latest book is Windows 2000 Secrets (IDG Books). Send comments to brian_livingston@infoworld.com. He regrets that he cannot answer individual questions.
