Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
Where's my gigabit Internet, anyway?
Americans cool with lab-grown organs, but not designer babies
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report
DDoS Attackers Change Techniques To Wallop Sites
Can we talk? Internet of Things vendors face a communications 'mess'
AMD's profitability streak ends at two quarters
Michaels says breach at its stores affected nearly 3M payment cards
Exclusive: Google's Project Loon tests move to LTE band in Nevada
H-1B loophole may help California utility offshore IT jobs
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Israeli start-up, working with GE, out to detect Stuxnet-like attacks
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested

Microsoft's Kerberos shuck and jive

Today's breaking news
Send to a friendFeedback

Slammed in a court brief for the proprietary way it implements the Kerberos Web security standard in Windows 2000, Microsoft (MSFT) has moved to reassure customers and disarm critics by publishing the formerly secret details of its version of Kerberos - just one day before the brief was filed.

Better late than never? Perhaps, but Microsoft has attached licensing restrictions to the site where the details are published, essentially locking down the information as a confidential "trade secret."

In other words, the information can be reviewed, but no competitor can exploit the published details in order to write code that could make use of it.

"They don't want anyone competing against them," says Paul Hill, co-leader of the Kerberos team at MIT, where the security standard was developed. "It's typical Microsoft behavior."

Microsoft critics have long deplored the company's cavalier attitude toward standards, famously summed up as "embrace, extend and extinguish," a phrase attributed to the current head of the software giant's Windows group, Paul Maritz, during the ongoing Microsoft antitrust trial. The implication is that Microsoft embraces standards that ensure basic interoperability on the Internet but adds proprietary extensions to those standards that make rival systems less interoperable - with the intent of extinguishing competition.

Microsoft's implementation of Kerberos seems a textbook example of this alleged modus operandi. Web specifications typically contain parts that are left undefined, onto which vendors may add their own extensions, allowing for variation in implementation. The version of Kerberos in every Windows 2000 PC formally complies with the standard specification. It also takes advantage of an undefined field in the spec to store authorization data for Microsoft's operating system.

In a paper filed in the antitrust trial on April 28, expert witness Rebecca Henderson, an MIT professor who supported the government's proposed remedy of splitting Microsoft in two, concluded that because Microsoft hadn't published those extensions, "no non-Microsoft server can utilize the security features of the PC operating system."

Microsoft begs to differ, pointing out that it published the extensions on April 27 - timing which it claims is a pure coincidence. The Redmond, Wash., software monolith also argues that its version of Kerberos is fully interoperable.

As proof of its interoperability, Shanen Boettcher, lead product manager for Windows 2000 Server, cites customers such as Morgan Stanley Dean Witter that installed Windows 2000 desktops in a network running an existing Kerberos implementation by a company called CyberSafe in Issaquah, Wash. According to Microsoft, the successful installation of its Kerberos implementation alongside CyberSafe's "validates the interoperability of Kerberos in the Windows 2000 operating system."

But this validity depends on the definition of "interoperable." In Microsoft's view, Kerberos interoperability covers only the authentication process (the password system that validates a user's identity), which is defined in the open part of the spec. That interoperability does not, however, extend to the authorization process (the system that decides if a particular user has access to resources on the network), which is the part Microsoft addressed in that carefully guarded undefined field.

Microsoft is treating the authorization process as totally proprietary because authorization to use a Microsoft application requires a Windows 2000 Server. "If you want access rights to applications on Windows, it has to process its own authorization," says Boettcher.

Customers, like Morgan Stanley, that want to access basic functions such as file and print services from Windows 2000 desktops must purchase and run a Microsoft Windows 2000 Kerberos Server, even if they already have another Kerberos implementation in use.

For Hill, that amounts to Microsoft gratuitously tying the desktop to the server.

"Microsoft has created a system that forces Morgan Stanley and many other government and academic institutions to run Microsoft servers," he says. "These organizations now have to duplicate essentially the same data into two separate systems."

As Hill sees it, this way of implementing Kerberos shatters the notion of an interoperable "standard." And the licensing restrictions Microsoft has imposed on publishing the data-field information mean that it still isn't a standard at all.

"It's a clear demonstration that Microsoft has no intention of changing its business practices," says Hill. "It's using its monopoly on the desktop to force people to use its server."

For more in-depth coverage of the Internet Economy, visit The Industry Standard, a sister publication to Network World. Copyright 2000 The Industry Standard. All rights reserved.


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.