An Old Dog's New Tricks
The last of Hercules' fabled 12 labors was retrieving a dog from hell. The dog's name was Kerberos, and it was no ordinary canine. Among other attributes, Kerberos' three heads let it see in every direction at once, a useful characteristic for guarding the gate to Hades.
When researchers at the Massachusetts Institute of Technology (MIT) invented a distributed security technology in the early 1980s, they named it after this mythical beast. MIT made the Kerberos source code freely available, and the technology was picked up and used by other organizations. The Internet Engineering Task Force (IETF) published RFC 1510, which standardized Kerberos. The Distributed Computing Environment (DCE), promoted by the Open Group, adopted Kerberos as its core security solution. But despite these strong endorsements, the technology never became popular.
Until now, that is. If you plan to use Windows 2000, get ready for Kerberos -- it's unavoidable. Microsoft has made this relatively old dog the core technology for distributed security in Windows 2000.
Is this a good thing? I think the answer is yes, for a couple of reasons. First, the current solution for distributed security in Windows NT, known as NTLM, is a relic of OS/2. Savvy network administrators know that NTLM is not the world's finest security technology. While it's better than nothing, it was never even close to state of the art. By design, Kerberos is both faster and significantly more secure. Just as important, Kerberos has been subjected to years of scrutiny by security experts. Since no one yet knows how to prove that a technology is truly secure, this kind of open analysis is the best approach available. By replacing the less robust NTLM technology with one that is well-understood and unquestionably better, Microsoft substantially improves your chances of creating a secure environment.
Kerberos relies on secret key encryption, which raises another question: Why not go with a public key-based solution? Novell did this with NDS, and it's worked quite well. Although the Windows 2000 implementation of Kerberos does support a smart card-based login option that uses public key technology, the protocol still depends primarily on the traditional secret key approach. Why not use the more modern and arguably more flexible public key?
In general, Windows 2000 provides pretty good support for public key technology. After all, the Secure Sockets Layer (SSL) protocol that's become the standard for the Internet relies on public key, and distributed applications of all types can use SSL in Windows 2000. But you can never totally get away from Kerberos in NT's next release -- it's how users log in. According to Microsoft, its designers shied away from depending on public key for a number of reasons. It's slower than Kerberos, and speed is always a nice thing to have. More importantly, using today's standard public key technology effectively requires a significant public key infrastructure. Among the most important components of this infrastructure are organizations acting as certification authorities and, very likely, smart card readers on most desktops. While Novell created its own solutions -- there wasn't much choice when NDS was designed -- many standards have since been defined. But the security gods at Microsoft weren't willing to bet the next generation of their flagship operating system on this infrastructure as it exists today -- they didn't believe it was complete enough. To them, Kerberos was a more prudent choice.
When I first heard this argument, I wasn't convinced. Public key is cool, and it's very likely to be the primary security technology we'll be using 10 years from now. Microsoft's security people say that both public key technology and Kerberos will coexist for some time, and they're certainly right about that. By making Kerberos an inescapable part of Windows 2000, they're creating a self-fulfilling prophecy. But watching the difficulties companies have had in getting cross-vendor public key to work today has convinced me that Microsoft made the right decision. Kerberos is not brand new, Kerberos is not sexy, but this old dog is a very safe choice.
Admit it -- you think security is boring. Most people do. But that doesn't mean it's not important, and Microsoft's adoption of Kerberos looks like progress. Network administrators will have a few new things to think about, since they must now understand and correctly configure arcane parameters such as ticket lifetimes. But the result is the consistency and, yes, the boredom that comes with having a truly secure environment. And when it comes to security, boredom can be a very good thing.

-- David Chappell is principal of Chappell & Associates (Minneapolis), an education and consulting firm. Contact him at david@chappellassoc.com.