TOM KEMP'S CENTRIFY BLOG
Friday, October 5, 2007
Last week I was at the Massachusetts Institute of Technology (MIT) in Cambridge, Mass. participating in the launch of the Kerberos Consortium. Centrify is proud to be a founding sponsor of this consortium, joining fellow sponsors and supporters such as industry vendors Google, Sun and Apple; large financial firms, represented by the Financial Services Technology Consortium; and universities such as MIT, Stanford and the University of Michigan (my alma mater - Go Blue!) in supporting this important initiative.
Before I explain why we are so excited to join the Kerberos Consortium and what my interpretation is of the future of Kerberos, let me first answer some basic questions about Kerberos that readers may have and describe how Centrify utilizes Kerberos. If you are already a Kerberos guru and understand how Centrify uses Kerberos, feel free to skip to the "Kerberos Consortium" section below.
Kerberos 101
[Note that most of my answers to the next four questions are taken verbatim from this FAQ on the Kerberos.org site; the borrowed passages are the ones in quotation marks, unless otherwise noted]:
What is Kerberos? "Besides being the name of the three-headed dog from ancient Greek mythology that guarded the gates of Hades, Kerberos is also a network authentication protocol invented at MIT in the mid-1980s. It became an IETF Standard in 1993, and MIT released its Kerberos software as Open Source in 1987 and has been enhancing it ever since."
What is the significance of Kerberos? "It delivers strong mutual authentication between client and server, which makes it a very robust defense against phishing and so called 'man in the middle' attacks." And as discussed in the answer to the question below, it also enables single sign-on, a key requirement for many organizations.
How does it work? Apple has a nice description of Kerberos here which I will quote to answer that question:
"Picture walking into the local county fair and you are given two choices. You can either use your credit card at the entry of every ride or you can use it once at a booth, which grants you a ticket that you can use for the remainder of the day. It's a pretty simple choice if you're concerned about the security of your credit card information and want to have a hassle-free day at the park.
"This is exactly what Kerberos accomplishes in its implementation of Single Sign On in network environments. At the beginning of the workday, a user enters his/her password into the system once; this action decrypts a ticket from a server running as a Kerberos Key Distribution Center (KDC). The ticket holds a set of encrypted keys, which are used throughout the day to authenticate user access without exchanging sensitive password information. It expires after a given amount of time (typically one day), so even if a would-be intruder sniffs it out and decrypts the information, the user-access information remains safe in the long term."
Who is using Kerberos? "Kerberos is built in to all major operating systems, from companies like Microsoft, Apple, Red Hat and Sun as well as others. Kerberos is the authentication mechanism for Microsoft's Active Directory and even for some devices like the X-Box. The cable TV industry even uses Kerberos to authenticate set-top boxes and modems to their networks."
[End of borrowing answers from the Kerberos FAQ and Apple's website.]
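The three exchanges that the county-fair analogy compresses, as an added worked example that is not part of this post, Apple's description or the Kerberos FAQ: the client obtains a TGT from the Authentication Server using only its password-derived key (the one-time password entry), trades the TGT for a service ticket at the Ticket-Granting Server, and presents that ticket to the service, which proves itself back by returning the client's timestamp under the session key (the mutual authentication the FAQ credits Kerberos with). It also shows what the ticket lifetime buys: the same TGT is refused once it has expired, so a captured ticket is only useful for its lifetime. The checks on client-name match and clock skew go slightly beyond what the quoted text describes but are part of the real protocol. The realm EXAMPLE.COM, the user alice, the service HTTP/web.example.com, the 8-hour lifetime and the fixed clock are all constructed for the example; seal()/unseal() are a toy HMAC-based cipher standing in for a real Kerberos enctype, while the error names are the real ones from RFC 4120.

```python
# Toy Kerberos v5 walk-through: the AS, TGS and AP exchanges with both sides' messages. Constructed
# example; seal()/unseal() are a TOY cipher standing in for a real Kerberos enctype (RFC 3961).
import hashlib, hmac, json, os

def string2key(password, salt):
    # Long-term key derived from the password; the password itself never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key, nonce, n):
    return b"".join(hmac.new(key + b"enc", nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Toy authenticated encryption (encrypt-then-MAC) of a JSON object. Not for production use.
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()):
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY")          # wrong key or tampered message
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def verify_ap_req(service_key, ticket, authenticator, now, skew=300):
    # Server side of an AP-REQ; the TGS runs the same check on a TGT with the krbtgt key.
    t = unseal(service_key, ticket)                           # only the named service can open its ticket
    if now > t["endtime"]:
        raise ValueError("KRB_AP_ERR_TKT_EXPIRED")            # a sniffed ticket dies with its lifetime
    a = unseal(bytes.fromhex(t["key"]), authenticator)        # proves the sender holds the session key
    if a["cname"] != t["cname"]:
        raise ValueError("KRB_AP_ERR_BADMATCH")
    if abs(now - a["ctime"]) > skew:
        raise ValueError("KRB_AP_ERR_SKEW")                   # stale authenticator (clocks matter)
    return t, a

class KDC:  # Authentication Server and Ticket-Granting Server over one principal database
    def __init__(self, realm, now, users, services, lifetime=8 * 3600):
        self.realm, self.now, self.lifetime, self.tgs = realm, now, lifetime, "krbtgt/" + realm
        self.keys = {self.tgs: os.urandom(32), **services,    # service keys also live in their keytabs
                     **{u: string2key(pw, realm + u) for u, pw in users.items()}}
    def _issue(self, cname, sname, reply_key):  # ticket under sname's key + reply part under reply_key
        sk = os.urandom(32).hex()                             # fresh session key, carried in both
        tkt = seal(self.keys[sname], {"cname": cname, "sname": sname, "key": sk,
                                      "endtime": self.now() + self.lifetime})
        return tkt, seal(reply_key, {"key": sk, "sname": sname})
    def as_exchange(self, cname):  # AS-REQ {cname} -> AS-REP {TGT, reply part under the user's key}
        if cname not in self.keys:
            raise ValueError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        return self._issue(cname, self.tgs, self.keys[cname])
    def tgs_exchange(self, tgt, authenticator, sname):  # TGS-REQ -> TGS-REP {ticket, part under TGT key}
        t, _ = verify_ap_req(self.keys[self.tgs], tgt, authenticator, self.now())
        if sname not in self.keys:
            raise ValueError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        return self._issue(t["cname"], sname, bytes.fromhex(t["key"]))

class Service:
    def __init__(self, name, keytab_key, now):
        self.name, self.key, self.now = name, keytab_key, now
    def accept(self, ticket, authenticator):  # AP-REQ -> AP-REP: echoed ctime is the mutual-auth proof
        t, a = verify_ap_req(self.key, ticket, authenticator, self.now())
        return seal(bytes.fromhex(t["key"]), {"ctime": a["ctime"]})

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.kdc, self.key = name, kdc, string2key(password, kdc.realm + name)
    def login(self):  # password used once (logon / kinit): open the AS-REP, cache TGT + session key
        self.tgt, enc = self.kdc.as_exchange(self.name)
        self.tgt_key = bytes.fromhex(unseal(self.key, enc)["key"])   # a wrong password fails here
    def authenticator(self, session_key):
        ctime = self.kdc.now()
        return seal(session_key, {"cname": self.name, "ctime": ctime}), ctime
    def service_ticket(self, sname):
        tkt, enc = self.kdc.tgs_exchange(self.tgt, self.authenticator(self.tgt_key)[0], sname)
        return tkt, bytes.fromhex(unseal(self.tgt_key, enc)["key"])
    def connect(self, svc):  # SSO path: TGS then AP exchange, no password; True only on mutual auth
        tkt, skey = self.service_ticket(svc.name)
        auth, ctime = self.authenticator(skey)
        return unseal(skey, svc.accept(tkt, auth))["ctime"] == ctime

def _outcome(action):  # "accepted", or the Kerberos error name the check raised
    try:
        action()
    except ValueError as e:
        return str(e)
    return "accepted"

def demo():  # run the scenarios and return each outcome
    clock, web_key = [1_700_000_000.0], os.urandom(32)        # constructed clock makes expiry testable
    kdc = KDC("EXAMPLE.COM", lambda: clock[0], users={"alice": "correct horse battery staple"},
              services={"HTTP/web.example.com": web_key})
    web = Service("HTTP/web.example.com", web_key, lambda: clock[0])
    alice = Client("alice", "correct horse battery staple", kdc)
    alice.login()
    out = {"sso": alice.connect(web)}                         # True: nothing secret sent, service proven
    out["bad_password"] = _outcome(lambda: Client("alice", "wrong password", kdc).login())
    clock[0] += 9 * 3600                                      # next day: the 8-hour TGT has expired
    out["expired"] = _outcome(lambda: alice.connect(web))
    return out
```

Calling `demo()` returns the three outcomes: the SSO connection succeeds with mutual authentication, the wrong password fails on the client side because the AS-REP cannot be opened (the KDC never sees the password), and the expired TGT is rejected by the TGS. What the toy leaves out relative to a real implementation is pre-authentication in the AS exchange, a replay cache on the service side (the authenticator's skew window is exactly why one is needed) and the ASN.1 encoding; the message structure and which key unlocks which part are the same.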
Let me expand upon this "who is using Kerberos" question a bit more, because it ties in with the value proposition behind our Centrify DirectControl solution.
As mentioned above, most UNIX and Linux vendors ship Kerberos with their *nix operating systems, and most ship the MIT version of Kerberos. Even though Sun was the only *nix vendor listed as a sponsor, at the launch event I met representatives from Red Hat and HP who were there showing their support (and I know the team at MIT is talking with all the major OS vendors to get them officially signed up, with additional announcements to be made shortly). So we are talking many hundreds of thousands of *nix systems that have Kerberos residing as part of the underlying OS. Apple also utilizes MIT Kerberos as part of Mac OS X, and Apple signed up as a supporter of the Kerberos Consortium. Apple is shipping over 1.5 million Macs per quarter, so we are probably talking about 10+ million Mac OS X systems that have Kerberos.
That being said, it is hard to know how many of the millions of *nix and Mac systems out there are actually utilizing Kerberos, as Kerberos is not enabled by default (with the exception that Kerberos is enabled on the Mac when you use Apple's directory plug-ins such as the Open Directory plug-in, which is a fairly common usage in university or enterprise settings that have Macs). I have talked to universities and large enterprises that have significant MIT Kerberos implementations in parallel with their Active Directory deployments on the Windows side, and the folks at MIT told me they had one user of their Kerberos implementation with over 50 million unique logons per month. So there is clearly sizable usage on the *nix side, but it is probably impossible to accurately determine what percentage of *nix and Mac systems are actually using Kerberos.
On the Windows side of things, Microsoft also delivers Kerberos as part of the Windows platform, with Active Directory domain controllers not only supporting LDAP but also playing the part of a KDC. Microsoft implemented its own version of Kerberos, but it obviously leveraged the innovation that the inventors of Kerberos at MIT created and submitted to the IETF standards body. Because Kerberos is turned on and utilized by default in the Windows platform (starting with Windows 2000), the Windows platform clearly represents a huge chunk of the systems actively running Kerberos, and Microsoft, to its credit, has probably done the most of any OS vendor to unlock the value of Kerberos (i.e. integrating Kerberos and LDAP into the distributed authentication infrastructure that is the foundation of Active Directory). As we all know, many people like to beat up Microsoft regarding security, but it is ironic that Microsoft by default delivers the added security of Kerberos as part and parcel of the Windows platform while Kerberos is turned off by default in the *nix world.
Centrify's Use of Kerberos
One of the motivations behind our DirectControl solution is enabling the use of Kerberos in the non-Microsoft world much like Microsoft has provided that capability by default in the Windows platform. We do it by integrating the Windows and non-Windows world together, with Kerberos acting as one of the key underlying technologies that enable that integration to occur (LDAP is another example). Centrify DirectControl supports strong Kerberos-enabled Active Directory authentication and single sign-on for over 100 operating system versions of Linux, UNIX and Mac OS X systems. Centrify DirectControl effectively turns a non-Microsoft server, workstation or device into an Active Directory client, enabling an organization to secure that system using the same authentication, access control and Group Policy services currently deployed for its Windows systems.
Describing things at a lower level for my more technical readers, what we have done is integrate MIT Kerberos with OpenLDAP within our DirectControl agent to implement a GSSAPI mutually authenticated and encrypted connection to Active Directory (i.e., we are focusing on the client side of Kerberos and leaving the server side, a.k.a. the KDC, to Active Directory). DirectControl also sets up the *nix system and user environment so that other Kerberos-enabled applications work without requiring administrator or user configuration: DirectControl auto-generates a keytab and a krb5.conf file that reflect the Active Directory forest and trust infrastructure, and it obtains a TGT for the user when they log in so they can access other Kerberos services without having to run kinit.
DirectControl also enables Kerberos-based authentication to the most popular J2EE and web application servers, including Apache, Tomcat, JBoss, BEA WebLogic and IBM WebSphere. In addition, databases such as Oracle and IBM DB2 as well as enterprise applications such as SAP can take advantage of the Kerberos-based Active Directory integration provided by Centrify leveraging the GSSAPI interface to provide end-users with strong single sign-on authentication.
Finally, as a convenience for customers, Centrify has a resource center where customers can find precompiled binaries and documentation for a number of popular Open Source applications such as OpenSSH, PuTTY and telnet that have been Kerberos-enabled by Centrify to work seamlessly with Active Directory.
The Kerberos Consortium
Given Centrify's usage of Kerberos and our vision of helping to unlock the value of Kerberos in the non-Microsoft world, we were clearly interested when we heard that an industry group was forming around Kerberos. We first heard that a Kerberos Consortium would be forming via one of our contacts at Microsoft, and a subsequent breakfast meeting this summer with the Kerberos folks at MIT sealed our participation.
One of the rationales behind the Kerberos Consortium that is mentioned in the Consortium's FAQ is the following: "Kerberos has become one of the most widely adopted authentication methods in the history of computer networks. It's become successful beyond MIT's internal capacity to respond to the world's demands for development, testing and support. So we need a new organizational structure that can accommodate the demand."
We think this is a great idea. By creating a separate consortium and getting end-users and vendors more directly involved in shaping the direction of Kerberos, more investment is going to go into the R&D of this important protocol. Others agree, including vendors such as Red Hat, who said this in their security blog: "this Consortium is a great idea that will bring more partners, developers and standards work into play."
As a security vendor focused on identity and access management, we think this type of investment in an industry group that is trying to make authentication more secure is a net good thing and should be applauded, especially an investment in an organization that has delivered innovation in the past that has been adopted in some significant manner by all the major OS vendors and/or the relevant standards bodies. Who knows whether this investment will pay off or whether any major vendors will adopt the new innovations emanating from the Consortium, but having the Consortium around gives innovation in this area a better chance of succeeding than not. It already has major industry players such as Google, Apple and Sun directly involved (including Centrify!), and I expect some other significant industry players to announce their support and sponsorship shortly.
Even if the investment in added R&D does not turn into net new technology that later becomes adopted by industry players, the Kerberos Consortium also has significant value by providing a forum and mechanism for vendors to collaboratively work together from an interoperability perspective. Different vendors have differing Kerberos implementations, and providing a lab environment and facilitating engineers from different vendors to work together to ensure interoperability is a great thing. At Centrify we want to continue to deliver improved interoperability of our Active Directory-centric approach with what other vendors are doing around Kerberos, and this Consortium can and will help facilitate our relationship with other vendors in the industry, and our customers will be the beneficiary.
Another benefit of the Consortium, at least from a Centrify perspective, is that we will have a front row seat at seeing what the future of Kerberos may look like (as well as potentially help contribute to its future), which in turn will enable us to stay ahead of the curve and figure out ways to leverage this emerging technology to the benefit of our customers.
The Future of Kerberos
Clearly the Kerberos Consortium was just formed and more vendors are in the process of signing up for it, so the roadmap is not yet baked and will clearly evolve. But in participating in the launch and talking with other vendors who are participating in the Consortium, as well as having lunch with Stephen Buckley and Sam Hartman and the rest of the Kerberos team, it is clear that we are going to see much more activity with respect to Kerberos in the area of mobile devices and PDAs.
Which, if you step back, makes sense given that one of the Consortium's supporters (Apple) is re-drawing the map when it comes to mobile devices with the iPhone, and another sponsor of the Consortium (Google) is rumored to be entering the market with its own device (the Google Phone?), and another sponsor (Sun) offers its Java technology to device manufacturers in the form of the JavaPhone. Anything to improve security of mobile devices would help these vendors sell more devices, not only to consumers to stop phishing and identity theft, but also make these devices more amenable to be deployed in the enterprise. To Centrify, that is great news, as it gives us more opportunity to make integration of non-Microsoft systems and devices into customers' enterprise Active Directory deployments happen. We already have a few Linux-based device vendors embedding our technology as part of our OEM program, so this is a nice, logical extension.
Another future direction for Kerberos is in the area of interoperability with SAML. We applaud this as Centrify not only supports Kerberos but we also support SAML in the context of our DirectControl offerings around Active Directory Federation Services (ADFS). Here is what the Kerberos Consortium has to say in their FAQ about working with SAML and the Liberty Alliance:
"We believe there is significant opportunity to work with Liberty and other SAML based formats. One area in which Liberty and Kerberos can work together is that Kerberos could carry SAML assertions to provide authorization information. Another way in which these technologies can work together is that Kerberos can be used as a mechanism to obtain SAML assertions. Ultimately, this work will allow Liberty to be used in client-server environments where Kerberos works best today and to allow Kerberos to take advantage of the expressive power of SAML and Liberty."
Finally, another roadmap item that I got the sense is a high priority is expanding support for Kerberos within databases and applications. Some databases today support Kerberos (e.g., IBM DB2 with the DirectControl for DB2 agent installed) but others do not (e.g., MySQL). Having a consortium comprised of leading end-users and industry vendors can better influence application and database vendors to add support for this important authentication technology than the influence of a single university (MIT). Centrify is working with one database vendor to have them add Kerberos support, and having the Kerberos Consortium in place with its focus on interoperability testing will allow that vendor to make sure its Kerberos implementation works nicely with other vendors' solutions as well.
We shall see how things shake out, but at the very least it seems clear that this three-headed dog still has some bark left!!