Computer Security Weekly, May 29, 2000


Special "Don't Talk to That Stranger From Redmond" Edition

Well, it's never a slow week in security (or insecurity), but there has not been a lot this week that would interest anyone except the systems-internals geeks.

One item that deserves a bit of explanation involves Microsoft and Kerberos. Kerberos is an authentication system for protecting access over insecure networks, like the Internet. If you are logging into a remote site, generally you have to give a password. That is the standard security access control. However, if the network is insecure, like the Internet, there is a chance, however small, that someone is watching your session just as you are logging in, and therefore learns your password. Kerberos gets around this by never having you send your actual password. Instead, your password is turned into a secret key that only you and the Kerberos server (the key distribution center, or KDC) know. When you log in, you encrypt the current time with that key and send the result to the KDC. The KDC decrypts it with its own copy of the key; if out comes a sensible, recent timestamp, you obviously *do* know the password. The KDC then sends back a "ticket" that you present to the remote system in place of a password, along with a session key that is itself encrypted with your password-derived key, so only the real you can read it. Note that your password never gets sent over the net. What does get sent is encrypted with a key derived from the password, though, so an eavesdropper who records the login can still try guessing passwords against it at leisure; Kerberos is only as strong as the passwords behind it.
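To make that exchange concrete, here is an added example, not code from this column or from any Kerberos implementation, that models the initial Kerberos 5 exchange with pre-authentication in Python. The encryption is a toy stand-in built from HMAC-SHA256 (real Kerberos uses proper encryption types), and the realm, principal names, passwords and error names used as strings are assumptions made for the example. It also shows what an eavesdropper who captures the login can and cannot do with it.

```python
"""Model of the Kerberos 5 initial (AS) exchange with pre-authentication.

Added example, not the column's or any Kerberos implementation's code.
The cipher is a toy stand-in (HMAC-SHA256 keystream plus MAC); the realm,
principal names and passwords are made up.  Standard library only.
"""
import hashlib
import hmac
import json
import os
import struct

SKEW = 300  # seconds of clock skew the KDC tolerates (Kerberos default: 5 min)


def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key derived from the password; stand-in for Kerberos string2key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable object (toy, not for production)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: holds every principal's long-term key."""

    def __init__(self, realm: str):
        self.realm = realm
        self.principals = {}            # principal name -> long-term key
        self.tgs_key = os.urandom(32)   # known only to the KDC; seals tickets

    def add_principal(self, name: str, password: str) -> None:
        self.principals[name] = string_to_key(password, self.realm + name)

    def as_exchange(self, req: dict, now: float) -> dict:
        """Handle an AS-REQ; return an AS-REP or a Kerberos-style error."""
        key = self.principals.get(req["cname"])
        if key is None:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        try:
            padata = unseal(key, req["padata"])     # pre-auth: encrypted timestamp
        except ValueError:
            return {"error": "KDC_ERR_PREAUTH_FAILED"}
        if abs(padata["timestamp"] - now) > SKEW:   # rejects a replayed old AS-REQ
            return {"error": "KRB_AP_ERR_SKEW"}
        session_key = os.urandom(32).hex()
        ticket = {"cname": req["cname"], "key": session_key, "endtime": now + 36000}
        return {
            "ticket": seal(self.tgs_key, ticket),   # TGT, opaque to the client
            "enc_part": seal(key, {"key": session_key, "nonce": req["nonce"]}),
        }


class Client:
    """A user logging in: knows only the password and never sends it."""

    def __init__(self, name: str, password: str, realm: str):
        self.name = name
        self.key = string_to_key(password, realm + name)
        self.nonce = None

    def build_as_req(self, now: float) -> dict:
        self.nonce = os.urandom(8).hex()
        return {"cname": self.name, "nonce": self.nonce,
                "padata": seal(self.key, {"timestamp": now})}

    def handle_as_rep(self, rep: dict):
        """Return (session_key, ticket) or raise on a KDC error or replayed reply."""
        if "error" in rep:
            raise PermissionError(rep["error"])
        enc = unseal(self.key, rep["enc_part"])
        if enc["nonce"] != self.nonce:
            raise ValueError("AS-REP does not match our request (replay?)")
        return enc["key"], rep["ticket"]


def offline_guess(captured_req: dict, realm: str, wordlist):
    """What an eavesdropper can do with a captured AS-REQ: guess passwords offline."""
    for guess in wordlist:
        try:
            unseal(string_to_key(guess, realm + captured_req["cname"]), captured_req["padata"])
            return guess
        except ValueError:
            continue
    return None
```

To run it, create a `KDC("EXAMPLE.ORG")`, add a principal with `add_principal("alice", password)`, build a request with `Client("alice", password, "EXAMPLE.ORG").build_as_req(now)` and pass it to `kdc.as_exchange(req, now)`. The password bytes appear in no message, a wrong password fails pre-authentication, and a request older than `SKEW` seconds is refused; but `offline_guess` shows that the captured request is enough to confirm a guessed password without ever talking to the KDC again, which is the caveat to keep in mind.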

Microsoft has implemented Kerberos in Windows 2000. Except that it isn't quite Kerberos. Kerberos is an open Internet standard (RFC 1510) that anyone can implement. Microsoft has added its own information to its version: Windows authorization data, such as group membership, tucked into a field that the standard leaves open for vendor use, without publishing the format on terms that let anyone else implement it. The practical effect is that nobody else can run the Kerberos server for a mixed network, using both Microsoft and non-Microsoft systems, because Windows 2000 servers will not get the authorization data they expect unless a Windows 2000 domain controller is the top level authentication for the entire system.

This creates a number of problems. The whole point of Kerberos is that you can secure a mixed network with a system that everyone agrees to and understands. Now Microsoft has turned that on its head, and ensured that nothing on a mixed network can be secured unless Microsoft is in control. There are well known security problems with Windows, so using it as the prime security control for a major system is just asking for trouble.

But there is one other possible solution. You can cut Microsoft out of the picture entirely. That is what the standards body responsible for Kerberos, the IETF, is now considering. Since Microsoft has clearly violated the spirit of the protocol, the standard may be changed in such a way that Microsoft's implementation no longer conforms to it. At that point, Microsoft has two choices. They can go back to being the most insecure operating system on the planet. Or they can admit that they were wrong, and follow the rules.

http://dailynews.yahoo.com/h/is/20000519...


mailto:rslade@vcn.bc.ca
mailto:rslade@sprint.ca
mailto:robertslade@usa.net
mailto:p1@canada.com
Robert Slade's Guide to Computer Viruses, 0-387-94663-2, (800-SPRINGER)
The copyright of the article Computer Security Weekly, May 29, 2000 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, May 29, 2000 in print or online must be granted by the author in writing.
