-----BEGIN PGP SIGNED MESSAGE-----
The MIT Kerberos Development Team is proud to announce a public beta
of the next major revision of our Kerberos for Windows product,
Version 3.0 provides several often requested new features:
* thread-safe Kerberos 5 libraries (provided by Kerberos 5 release 1.4.3)
* a replacement for the Leash Credential Manager called the Network
- a visually enticing application that takes advantage of all of the
modern XP style User Interface enhancements
- supports the management of multiple Kerberos 5 identities in a
variety of credential cache types including CCAPI and FILE.
- credentials can be organized by credential cache location or by
- a single identity can be marked as the default for use by
applications that request the current default credential cache
- Network Identity Manager is built upon the Khimaira Identity
Management Framework introduced this past summer at the AFS &
Kerberos Best Practices Conference at CMU.
- Credential Managers for Kerberos 5 and Kerberos 4 are
provided. An AFS Credential Manager will be made available by
Secure Endpoints Inc.
- The Khimaira framework is a pluggable engine into which custom
Identity Managers and Credential Managers can be added.
Organizations interested in building plug-ins for the Network
Identity Manager may contact Jeffrey Altman at either
[hidden email] or [hidden email]
* a Kerberos specific WinLogon Network Provider that will use the
username and password combined with the MIT Kerberos default realm
in an effort to obtain credentials at session logon
Important changes since the 2.6.5 release:
* This release requires 32-bit editions of Microsoft Windows 2000 or
higher. Support for Microsoft Windows 95, 98, 98 Second Edition,
ME, and NT 4.0 has been discontinued. Users of discontinued
platforms should continue to use MIT Kerberos for Windows 2.6.5.
* Version 3.0 does not include any internal support for AFS. The
aklog.exe utility now ships as a part of OpenAFS for
Windows. <http://www.openafs.org> The AFS credential manager for the
Network Identity Manager will be shipped separately by Secure
Endpoints Inc. and will be incorporated into a future release of
Binaries and source code can be downloaded from the MIT Kerberos web site:
Known Bugs and Bug Reports
* The MSI installer still contains references to the Leash Ticket
Manager and installs a shortcut to the old Leash documentation
which is no longer installed.
* The Network Identity Manager cannot distinguish between two
identities or realms that differ only by the use of upper or
lower case letters.
Please send reports of new bugs to [hidden email]. Additional
feedback can be sent to [hidden email].
The MIT Kerberos team would like to thank Jet Propulsion Laboratory and
Secure Endpoints Inc. for their support during the development of this
Important notice regarding Kerberos 4 support
In the past few years, several developments have shown the inadequacy
of the security of version 4 of the Kerberos protocol. These
developments have led the MIT Kerberos Team to begin the process of
ending support for version 4 of the Kerberos protocol. The plan
involves the eventual removal of Kerberos 4 support from the MIT
implementation of Kerberos.
The Data Encryption Standard (DES) has reached the end of its useful
life. DES is the only encryption algorithm supported by Kerberos 4,
and the increasingly obvious inadequacy of DES motivates the
retirement of the Kerberos 4 protocol. The National Institute of
Standards and Technology (NIST), which had previously certified DES as
a US government encryption standard, has officially announced the
withdrawal of the Federal Information Processing Standards (FIPS) for
NIST's action reflects the long-held opinion of the cryptographic
community that DES has too small a key space to be secure. Breaking
DES encryption by an exhaustive search of its key space is within the
means of some individuals, many companies, and all major governments.
Consequently, DES cannot be considered secure for any long-term keys,
particularly the ticket-granting key that is central to Kerberos.
Serious protocol flaws have been found in Kerberos 4. These flaws
permit attacks which require far less effort than an exhaustive search
of the DES key space. These flaws make Kerberos 4 cross-realm
authentication an unacceptable security risk and raise serious
questions about the security of the entire Kerberos 4 protocol.
The known insecurity of DES, combined with the recently discovered
protocol flaws, make it extremely inadvisable to rely on the security
of version 4 of the Kerberos protocol. These factors motivate the MIT
Kerberos Team to remove support for Kerberos version 4 from the MIT
implementation of Kerberos.
The process of ending Kerberos 4 support began with release 1.3 of MIT
Kerberos 5. In release 1.3, the default run-time configuration of the
KDC disables support for version 4 of the Kerberos protocol. Release
1.4 of MIT Kerberos continues to include Kerberos 4 support (also
disabled in the KDC with the default run-time configuration), but we
intend to completely remove Kerberos 4 support from some future
release of MIT Kerberos, possibly as early as the 1.5 release of MIT
The MIT Kerberos Team has ended active development of Kerberos 4,
except for the eventual removal of all Kerberos 4 functionality. We
will continue to provide critical security fixes for Kerberos 4, but
routine bug fixes and feature enhancements are at an end.
We recommend that any sites which have not already done so begin a
migration to Kerberos 5. Kerberos 5 provides significant advantages
over Kerberos 4, including support for strong encryption,
extensibility, improved cross-vendor interoperability, and ongoing
development and enhancement.
If you have questions or issues regarding migration to Kerberos 5, we
recommend discussing them on the [hidden email] mailing list.
 National Institute of Standards and Technology. Announcing
Approval of the Withdrawal of Federal Information Processing
Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
Guidelines for Implementing and Using the NBS Data Encryption
Standard; and FIPS 81, DES Modes of Operation. Federal Register
05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45
 Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
the Network and Distributed Systems Security Symposium. The
Internet Society, February 2004.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)
-----END PGP SIGNATURE-----
krbdev mailing list [hidden email]
|Free forum by Nabble||Edit this page|