The following text is copyright 2000 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
A different hell?
By Scott Bradner
The IETF made a mistake and Microsoft is exploiting it. Even worse, a Microsoft executive was quoted as saying that secrecy enhances security.
Kerberos is a security package that was originally developed at MIT to help protect the MIT data network. (For those readers who have forgotten their Greek mythology, Kerberos was the multi-headed dog, three heads in the usual telling, that guarded the entrance to hell. This happens to be a singularly appropriate symbol for the MIT student network, since MIT has what one might call "inquisitive students" who can make the job of protecting security on the net approximate hell.) Back in 1993 the IETF published an enhanced version, known as Kerberos V5, in RFC 1510 with the status of Proposed Standard. Now Microsoft has included what it calls Kerberos V5 in Windows 2000. But it is not quite the same as what MIT or the IETF call Kerberos V5, and this is creating a problem.
When the IETF standardized Kerberos it may have included too much extensibility in the protocol. For example, Kerberos tickets include a field called "AuthorizationData" that carries information a Kerberos-protected service uses in deciding what a Kerberos client is allowed to do. RFC 1510 defines some types of AuthorizationData but also allows for additional types "for local use." In its Windows 2000 Kerberos implementation Microsoft made use of this extensibility to define an AuthorizationData type that carries Windows-specific user information. The addition of this information means that Windows Kerberos clients can only work with Microsoft Kerberos servers and not, for example, with the freely available MIT Kerberos server. While annoying, this would not be a serious issue if Microsoft would openly publish the details of how it uses this field, so that MIT and others could add it to their implementations. Ever since Microsoft's addition became known, Microsoft has been promising to reveal the details. But the information has not been forthcoming, and last week a Microsoft executive was quoted as saying that Microsoft would not release the information because doing so would compromise the security of Windows.
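To make the extensibility concrete, here is an added example (not code from the column, from MIT Kerberos, or from Microsoft) that encodes and decodes the RFC 1510 AuthorizationData structure and applies the rule an application server follows when it meets a type it does not understand. RFC 1510 provides a container, AD-IF-RELEVANT (type 1), whose embedded elements a server may ignore if it does not recognise them; the example assumes the Windows-specific element is carried inside that container and uses type number 128 for it, which is the value RFC 4120 later registered for the Windows PAC (the column itself gives no number). The payload bytes are a constructed placeholder, because the real layout is exactly what had not been published, and type 200 is a hypothetical unregistered "local use" type.

```python
# Added example: minimal DER codec for Kerberos AuthorizationData (RFC 1510)
#   AuthorizationData ::= SEQUENCE OF SEQUENCE {
#       ad-type [0] INTEGER,
#       ad-data [1] OCTET STRING }
# plus the acceptance rule a server applies to types it does not know.
# Type numbers: AD-IF-RELEVANT = 1 (RFC 1510); 128 = the value RFC 4120 later
# registered for the Windows PAC (not given on the page); 200 = hypothetical.

AD_IF_RELEVANT = 1
AD_WIN2K_PAC = 128
AD_HYPOTHETICAL_LOCAL = 200

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
CTX0, CTX1 = 0xA0, 0xA1        # [0] and [1] EXPLICIT context-specific tags


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value: int) -> bytes:
    """Non-negative INTEGER; an extra leading byte keeps the sign bit clear."""
    width = value.bit_length() // 8 + 1
    return _tlv(INTEGER, value.to_bytes(width, "big"))


def encode_authorization_data(elements) -> bytes:
    """elements: iterable of (ad_type, ad_data) pairs."""
    body = b"".join(
        _tlv(SEQUENCE,
             _tlv(CTX0, _der_integer(ad_type)) +
             _tlv(CTX1, _tlv(OCTET_STRING, ad_data)))
        for ad_type, ad_data in elements)
    return _tlv(SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int, want: int):
    """Read one TLV at pos, require tag `want`, return (contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos:end], end


def decode_authorization_data(buf: bytes):
    """Inverse of encode_authorization_data: returns [(ad_type, ad_data), ...]."""
    body, end = _read_tlv(buf, 0, SEQUENCE)
    if end != len(buf):
        raise ValueError("trailing bytes after AuthorizationData")
    elements, pos = [], 0
    while pos < len(body):
        elem, pos = _read_tlv(body, pos, SEQUENCE)
        ctx0, p = _read_tlv(elem, 0, CTX0)
        ctx1, p = _read_tlv(elem, p, CTX1)
        if p != len(elem):
            raise ValueError("unexpected fields in AuthorizationData element")
        type_bytes, _ = _read_tlv(ctx0, 0, INTEGER)
        data, _ = _read_tlv(ctx1, 0, OCTET_STRING)
        elements.append((int.from_bytes(type_bytes, "big", signed=True), data))
    return elements


def server_view(buf: bytes, known_types):
    """What a server that understands only `known_types` makes of a ticket's
    AuthorizationData.  Returns (decision, understood, ignored).
    Unknown elements inside AD-IF-RELEVANT are skipped, as RFC 1510 allows;
    an unknown element outside that wrapper is treated here as grounds to
    reject the ticket (the conservative reading of a "local use" type)."""
    understood, ignored = [], []
    for ad_type, ad_data in decode_authorization_data(buf):
        if ad_type == AD_IF_RELEVANT:
            for inner_type, _ in decode_authorization_data(ad_data):
                if inner_type in known_types:
                    understood.append(inner_type)
                else:
                    ignored.append(inner_type)
        elif ad_type in known_types:
            understood.append(ad_type)
        else:
            return ("reject", understood, ignored)
    return ("accept", understood, ignored)


# Constructed sample data (placeholder bytes, not a real PAC layout).
PAC_BLOB = bytes(200)
WINDOWS_STYLE_AD = encode_authorization_data([
    (AD_IF_RELEVANT, encode_authorization_data([(AD_WIN2K_PAC, PAC_BLOB)])),
])
BARE_LOCAL_AD = encode_authorization_data([(AD_HYPOTHETICAL_LOCAL, b"opaque")])

if __name__ == "__main__":
    print("MIT-style server:", server_view(WINDOWS_STYLE_AD, {AD_IF_RELEVANT}))
    print("Windows server:  ", server_view(WINDOWS_STYLE_AD, {AD_IF_RELEVANT, AD_WIN2K_PAC}))
    print("bare local type: ", server_view(BARE_LOCAL_AD, {AD_IF_RELEVANT}))
```

Run as a script, the first line shows the column's interoperability point from the wire side: a server that knows only the RFC 1510 types can parse the ticket and skip the Windows element, but it cannot use a single byte of the authorization information inside it without the format Microsoft declined to publish. The second line shows the same ticket read by a server that does know the type, and the third shows why a vendor would wrap a private type in AD-IF-RELEVANT rather than send it bare.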
He has it backward. Any security expert will tell you that the way to gain confidence in a security design is to open it up, so that many eyes can examine the details, ferret out security problems and get them fixed. Those same eyes can also confirm that there are no hidden "back doors." Secrecy weakens security instead of strengthening it.
Since then Microsoft has decided to release the details, but with significant restrictions. The details are released only so that the security of the design can be reviewed; others may not use the information to build servers or clients that are compatible with Microsoft's modified version. Microsoft's web page says "Supporting Kerberos v5 in Windows 2000 is a demonstration of Microsoft's commitment to industry standards..." I'll let you judge the level of commitment.
Disclaimer: Harvard does not need to resort to monopolistic behavior to maintain its position; competence suffices. But the above is my own observation.