kfw-3.1-beta-2 is available - Kerberos

This is a discussion on kfw-3.1-beta-2 is available - Kerberos ; -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Development Team is proud to announce the second *BETA* release of the next revision of our Kerberos for Windows product, Version 3.1. Please send bug reports and feedback to kfw-bugs@mit.edu . ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: kfw-3.1-beta-2 is available

  1. kfw-3.1-beta-2 is available

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    The MIT Kerberos Development Team is proud to announce the second *BETA*
    release of the next revision of our Kerberos for Windows product,
    Version 3.1.

    Please send bug reports and feedback to kfw-bugs@mit.edu.

    What's New:
    ===========

    Version 3.1 fixes bugs and adds minor functionality:

    * Improvements to the Network Identity Manager

    1. A serious memory leak has been fixed

    2. Principal names containing numbers are no longer considered
    invalid

    3. Locales other than en_US are now supported

    4. Arbitrary sort ordering of credentials

    5. Support for FILE: ccaches

    6. Credential properties may be selected by the user for display

    7. User selected font support

    8. Tool Tip support added to the Toolbar

    9. Identities can be added without obtaining credentials

    10. Kerberos 5 Realm editor has been added

    * The MSLSA: ccache is disabled in WOW64 environments prior to Microsoft
    Windows Vista Beta 2 (Windows XP 64, 2003 64, etc.)

    * The installers are built using the latest toolkit versions NSIS (2.18)
    and WIX (2.0.4220.0)


    Version 3.0 provided several often requested new features:

    * thread-safe Kerberos 5 libraries (provided by Kerberos 5 release
    1.4.4)

    * a replacement for the Leash Credential Manager called the Network
    Identity Manager

    - a visually enticing application that takes advantage of all of the
    modern XP style User Interface enhancements

    - supports the management of multiple Kerberos 5 identities in a
    variety of credential cache types including CCAPI and FILE.

    - credentials can be organized by credential cache location or by
    identity

    - a single identity can be marked as the default for use by
    applications that request the current default credential cache

    - Network Identity Manager is built upon the Khimaira Identity
    Management Framework introduced this past summer at the AFS &
    Kerberos Best Practices Conference at CMU.

    - Credential Managers for Kerberos 5 and Kerberos 4 are provided.
    Credential Managers for other credential types including AFS
    and KX.509/KCA are available. Contact Secure Endpoints Inc.
    for details.

    - The Khimaira framework is a pluggable engine into which custom
    Identity Managers and Credential Managers can be added.
    Organizations interested in building plug-ins for the Network
    Identity Manager may contact Jeffrey Altman at
    jaltman@secure-endpoints.com

    * a Kerberos specific WinLogon Network Provider that will use the
    username and password combined with the MIT Kerberos default realm in
    an effort to obtain credentials at session logon


    Important changes since the 2.6.5 release:
    ==========================================

    * This release requires 32-bit editions of Microsoft Windows 2000 or
    higher. Support for Microsoft Windows 95, 98, 98 Second Edition, ME,
    and NT 4.0 has been discontinued. Users of discontinued platforms
    should continue to use MIT Kerberos for Windows 2.6.5.

    * Version 3.0 does not include any internal support for AFS. The
    aklog.exe utility now ships as a part of OpenAFS for Windows.
    The Secure Endpoints Inc. AFS
    credential manager for the Network Identity Manager has been incorporated
    into OpenAFS for Windows 1.5.9 and above.


    Downloads
    =========

    Binaries and source code can be downloaded from the MIT Kerberos web site:
    http://web.mit.edu/kerberos/


    Acknowledgments
    ===============

    The MIT Kerberos team would like to thank Secure Endpoints Inc.
    for its support during the development
    of this release.



    Important notice regarding Kerberos 4 support
    =============================================

    In the past few years, several developments have shown the inadequacy
    of the security of version 4 of the Kerberos protocol. These
    developments have led the MIT Kerberos Team to begin the process of
    ending support for version 4 of the Kerberos protocol. The plan
    involves the eventual removal of Kerberos 4 support from the MIT
    implementation of Kerberos.

    The Data Encryption Standard (DES) has reached the end of its useful
    life. DES is the only encryption algorithm supported by Kerberos 4,
    and the increasingly obvious inadequacy of DES motivates the
    retirement of the Kerberos 4 protocol. The National Institute of
    Standards and Technology (NIST), which had previously certified DES as
    a US government encryption standard, has officially announced[1] the
    withdrawal of the Federal Information Processing Standards (FIPS) for
    DES.

    NIST's action reflects the long-held opinion of the cryptographic
    community that DES has too small a key space to be secure. Breaking
    DES encryption by an exhaustive search of its key space is within the
    means of some individuals, many companies, and all major governments.
    Consequently, DES cannot be considered secure for any long-term keys,
    particularly the ticket-granting key that is central to Kerberos.

    Serious protocol flaws[2] have been found in Kerberos 4. These flaws
    permit attacks which require far less effort than an exhaustive search
    of the DES key space. These flaws make Kerberos 4 cross-realm
    authentication an unacceptable security risk and raise serious
    questions about the security of the entire Kerberos 4 protocol.

    The known insecurity of DES, combined with the recently discovered
    protocol flaws, make it extremely inadvisable to rely on the security
    of version 4 of the Kerberos protocol. These factors motivate the MIT
    Kerberos Team to remove support for Kerberos version 4 from the MIT
    implementation of Kerberos.

    The process of ending Kerberos 4 support began with release 1.3 of MIT
    Kerberos 5. In release 1.3, the default run-time configuration of the
    KDC disables support for version 4 of the Kerberos protocol. Release 1.4
    of MIT Kerberos continues to include Kerberos 4 support (also disabled
    in the KDC with the default run-time configuration), but we intend to
    completely remove Kerberos 4 support from some future release of MIT
    Kerberos.

    The MIT Kerberos Team has ended active development of Kerberos 4,
    except for the eventual removal of all Kerberos 4 functionality. We
    will continue to provide critical security fixes for Kerberos 4, but
    routine bug fixes and feature enhancements are at an end.

    We recommend that any sites which have not already done so begin a
    migration to Kerberos 5. Kerberos 5 provides significant advantages
    over Kerberos 4, including support for strong encryption,
    extensibility, improved cross-vendor interoperability, and ongoing
    development and enhancement.

    If you have questions or issues regarding migration to Kerberos 5, we
    recommend discussing them on the kerberos@mit.edu mailing list.

    References

    [1] National Institute of Standards and Technology. Announcing
    Approval of the Withdrawal of Federal Information Processing
    Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
    Guidelines for Implementing and Using the NBS Data Encryption
    Standard; and FIPS 81, DES Modes of Operation. Federal Register
    05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45

    [2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
    Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
    the Network and Distributed Systems Security Symposium. The
    Internet Society, February 2004.
    http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.3 (SunOS)

    iQCVAwUBRTfymabDgE/zdoE9AQJk+gQAl59c3ILPvaKlBg4KWWAR6IJNbghzEuec
    mbtG15DFWue94/z7h5wskQvMVGh4lyuHOmVk53K+8cZvnERTA/MizYiUk119mvAn
    d4ERzBVW92JW60txxQNZhJQZiOaJRquPA2L8rjfaQ8jG9f7Yok U7HFAu45MGpd3M
    kpcXNTZjCO8=
    =rc1B
    -----END PGP SIGNATURE-----

    _______________________________________________
    kerberos-announce mailing list
    kerberos-announce@mit.edu
    https://mailman.mit.edu/mailman/list...beros-announce
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: kfw-3.1-beta-2 is available

    There has been a report indicating that there is a problem with
    the use of NIM to obtain credentials for principals whose password
    has expired. I have been unable to replicate the problem. I would
    appreciate it if other users could try to obtain credentials for a
    principal with an expired password and report back to kfw-bugs@mit.edu
    if there is a problem.

    Thanks.

    Jeffrey Altman
    Secure Endpoints Inc.

    Tom Yu wrote:
    > The MIT Kerberos Development Team is proud to announce the second *BETA*
    > release of the next revision of our Kerberos for Windows product,
    > Version 3.1.
    >
    > Please send bug reports and feedback to kfw-bugs@mit.edu.
    >
    > What's New:
    > ===========
    >
    > Version 3.1 fixes bugs and adds minor functionality:
    >
    > * Improvements to the Network Identity Manager
    >
    > 1. A serious memory leak has been fixed
    >
    > 2. Principal names containing numbers are no longer considered
    > invalid
    >
    > 3. Locales other than en_US are now supported
    >
    > 4. Arbitrary sort ordering of credentials
    >
    > 5. Support for FILE: ccaches
    >
    > 6. Credential properties may be selected by the user for display
    >
    > 7. User selected font support
    >
    > 8. Tool Tip support added to the Toolbar
    >
    > 9. Identities can be added without obtaining credentials
    >
    > 10. Kerberos 5 Realm editor has been added
    >
    > * The MSLSA: ccache is disabled in WOW64 environments prior to Microsoft
    > Windows Vista Beta 2 (Windows XP 64, 2003 64, etc.)
    >
    > * The installers are built using the latest toolkit versions NSIS (2.18)
    > and WIX (2.0.4220.0)
    >
    >
    > Version 3.0 provided several often requested new features:
    >
    > * thread-safe Kerberos 5 libraries (provided by Kerberos 5 release
    > 1.4.4)
    >
    > * a replacement for the Leash Credential Manager called the Network
    > Identity Manager
    >
    > - a visually enticing application that takes advantage of all of the
    > modern XP style User Interface enhancements
    >
    > - supports the management of multiple Kerberos 5 identities in a
    > variety of credential cache types including CCAPI and FILE.
    >
    > - credentials can be organized by credential cache location or by
    > identity
    >
    > - a single identity can be marked as the default for use by
    > applications that request the current default credential cache
    >
    > - Network Identity Manager is built upon the Khimaira Identity
    > Management Framework introduced this past summer at the AFS &
    > Kerberos Best Practices Conference at CMU.
    >
    > - Credential Managers for Kerberos 5 and Kerberos 4 are provided.
    > Credential Managers for other credential types including AFS
    > and KX.509/KCA are available. Contact Secure Endpoints Inc.
    > for details.
    >
    > - The Khimaira framework is a pluggable engine into which custom
    > Identity Managers and Credential Managers can be added.
    > Organizations interested in building plug-ins for the Network
    > Identity Manager may contact Jeffrey Altman at
    > jaltman@secure-endpoints.com
    >
    > * a Kerberos specific WinLogon Network Provider that will use the
    > username and password combined with the MIT Kerberos default realm in
    > an effort to obtain credentials at session logon
    >
    >
    > Important changes since the 2.6.5 release:
    > ==========================================
    >
    > * This release requires 32-bit editions of Microsoft Windows 2000 or
    > higher. Support for Microsoft Windows 95, 98, 98 Second Edition, ME,
    > and NT 4.0 has been discontinued. Users of discontinued platforms
    > should continue to use MIT Kerberos for Windows 2.6.5.
    >
    > * Version 3.0 does not include any internal support for AFS. The
    > aklog.exe utility now ships as a part of OpenAFS for Windows.
    > The Secure Endpoints Inc. AFS
    > credential manager for the Network Identity Manager has been incorporated
    > into OpenAFS for Windows 1.5.9 and above.
    >
    >
    > Downloads
    > =========
    >
    > Binaries and source code can be downloaded from the MIT Kerberos web site:
    > http://web.mit.edu/kerberos/
    >
    >
    > Acknowledgments
    > ===============
    >
    > The MIT Kerberos team would like to thank Secure Endpoints Inc.
    > for its support during the development
    > of this release.
    >
    >
    >
    > Important notice regarding Kerberos 4 support
    > =============================================
    >
    > In the past few years, several developments have shown the inadequacy
    > of the security of version 4 of the Kerberos protocol. These
    > developments have led the MIT Kerberos Team to begin the process of
    > ending support for version 4 of the Kerberos protocol. The plan
    > involves the eventual removal of Kerberos 4 support from the MIT
    > implementation of Kerberos.
    >
    > The Data Encryption Standard (DES) has reached the end of its useful
    > life. DES is the only encryption algorithm supported by Kerberos 4,
    > and the increasingly obvious inadequacy of DES motivates the
    > retirement of the Kerberos 4 protocol. The National Institute of
    > Standards and Technology (NIST), which had previously certified DES as
    > a US government encryption standard, has officially announced[1] the
    > withdrawal of the Federal Information Processing Standards (FIPS) for
    > DES.
    >
    > NIST's action reflects the long-held opinion of the cryptographic
    > community that DES has too small a key space to be secure. Breaking
    > DES encryption by an exhaustive search of its key space is within the
    > means of some individuals, many companies, and all major governments.
    > Consequently, DES cannot be considered secure for any long-term keys,
    > particularly the ticket-granting key that is central to Kerberos.
    >
    > Serious protocol flaws[2] have been found in Kerberos 4. These flaws
    > permit attacks which require far less effort than an exhaustive search
    > of the DES key space. These flaws make Kerberos 4 cross-realm
    > authentication an unacceptable security risk and raise serious
    > questions about the security of the entire Kerberos 4 protocol.
    >
    > The known insecurity of DES, combined with the recently discovered
    > protocol flaws, make it extremely inadvisable to rely on the security
    > of version 4 of the Kerberos protocol. These factors motivate the MIT
    > Kerberos Team to remove support for Kerberos version 4 from the MIT
    > implementation of Kerberos.
    >
    > The process of ending Kerberos 4 support began with release 1.3 of MIT
    > Kerberos 5. In release 1.3, the default run-time configuration of the
    > KDC disables support for version 4 of the Kerberos protocol. Release 1.4
    > of MIT Kerberos continues to include Kerberos 4 support (also disabled
    > in the KDC with the default run-time configuration), but we intend to
    > completely remove Kerberos 4 support from some future release of MIT
    > Kerberos.
    >
    > The MIT Kerberos Team has ended active development of Kerberos 4,
    > except for the eventual removal of all Kerberos 4 functionality. We
    > will continue to provide critical security fixes for Kerberos 4, but
    > routine bug fixes and feature enhancements are at an end.
    >
    > We recommend that any sites which have not already done so begin a
    > migration to Kerberos 5. Kerberos 5 provides significant advantages
    > over Kerberos 4, including support for strong encryption,
    > extensibility, improved cross-vendor interoperability, and ongoing
    > development and enhancement.
    >
    > If you have questions or issues regarding migration to Kerberos 5, we
    > recommend discussing them on the kerberos@mit.edu mailing list.
    >
    > References
    >
    > [1] National Institute of Standards and Technology. Announcing
    > Approval of the Withdrawal of Federal Information Processing
    > Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
    > Guidelines for Implementing and Using the NBS Data Encryption
    > Standard; and FIPS 81, DES Modes of Operation. Federal Register
    > 05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45
    >
    > [2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
    > Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
    > the Network and Distributed Systems Security Symposium. The
    > Internet Society, February 2004.
    > http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf
    >


    _______________________________________________
    kerberos-announce mailing list
    kerberos-announce@mit.edu
    https://mailman.mit.edu/mailman/list...beros-announce
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos

+ Reply to Thread