Microsoft Finally Publishes Secret Kerberos Format

FRAMINGHAM (04/28/2000) - Microsoft Corp. on Friday published a key proprietary data format that has been at the heart of interoperability questions surrounding "standards-based" Kerberos security in Windows 2000.

The data format, however, is only for review and analysis. Microsoft has yet to decide if it will license the format to either third-party vendors or developers.

Microsoft is not conducting a formal review process of the data format, called a Privilege Access Certificate (PAC), but it has asked a host of "interested parties" to review it.

Standards experts have been asking Microsoft to publish the data format for the past 2 years, but Microsoft officials said they could not make it public until after Win 2000 shipped. The operating system was released on Feb. 17.

Microsoft uses the PAC in its implementation of Kerberos 5 in Win 2000. It is used in the standard's authorization data field, or auth-data field, to insert Windows Secure ID information that binds tickets to Windows access control lists.

The Internet Engineering Task Force (IETF) left the field in the Kerberos 5 standard open to vendor interpretation, a move the IETF says it now regrets.

Critics charge that Microsoft's PAC locks users into its version of Kerberos.

In a security release published Friday, Microsoft said, "Consistent with the guidelines of the specification, Microsoft uses this field [auth-data] to transport authorization data to improve network logon and application performance." The release was not clear, however, on whether that function was standard across all implementations of Kerberos.

"We hope this will answer questions that have been raised that this auth-data field is special to Microsoft and will affect interoperability and security in a negative way," says Shanen Boettcher, product manager for Win 2000.

"Hopefully, users can answer the questions: Will this work with what I have?

And will it be secure?"

Users have voiced concerns that they were having trouble establishing interoperability between their Unix-based Kerberos implementations and Win 2000.

Kerberos servers, or KDCs, act as trusted third parties, providing tickets that clients and servers can exchange using secret-key cryptography to prove who they are and to establish encrypted communication. Ideally, KDCs maintain trust relationships and create single sign-on to access resources regardless of network operating system.

Microsoft has yet to decide if it will license the data format so other vendors can support it in their KDCs or applications.

"Today's release is not about licensing. We will engage [independent software vendors] in that discussion later," Boettcher says.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about IETFInternet Engineering Task ForceMicrosoft

Show Comments