Comment: Corrected links that should have been relative instead of absolute.

April through June 2010

The Kerberos Consortium began work on the features of MIT Kerberos Release 1.9 (slated for release in December 2010). Notable features include tools to aid in the testing of Kerberos installations and for configuration validation by administrators. Another feature to be added is an automatic lock-out of accounts when a user fails authentication multiple times. This feature was introduced in response to a request from one of the Members of the MIT Kerberos Consortium from the financial sector.

One significant advance in the evolution of MIT Kerberos will be the introduction of a new plugin architecture in Rel 1.9, which would allow third-party plugin developers to add new plugins that implement specific features. This architecture would also help developers activate or deactivate features of interest when they compile MIT Kerberos as part of their application.

Since the developer and user communities around MIT Kerberos are international in composition, Release 1.9 will include the Camellia encryption algorithm, which is popular in Japan and which may soon be mandated by the Japanese government for all products it acquires. This effort was the result of a close working relationship with the NTT software group in Japan.

January through March 2010

In the first Quarter of 2010, the Kerberos Consortium released Kerberos 1.8 with a number of important features requested by our customers and user community. High on the list of features is Crypto Modularity, which was requested by several organizations for government FIPS-140 compliance. This feature allows users to replace our crypto library with their own FIPS-140 compliant library. Another simple (but often overlooked) feature is automatic password lock-out, in which the administrator can tailor the number and frequency of allowable erroneous password entries (leading to users being automatically locked out). Due to the heavy use of Kerberos in government organizations, another feature added was pre-authentication support. This allows client computers with no previous transactions with the KDC Server to bootstrap trust with the KDC by securely establishing the long-term cryptographic key, which is the starting point for the Kerberos authentication protocol. Finally, we have also begun code quality improvements and re-architecting, which is an undertaking that may take several months.

In addition to Rel 1.8, we have also addressed a number of security vulnerabilities found in our previous Rel 1.7. These improvements addressed numerous bugs reported by the user and developer community. As part of this general effort to improve the security quality of the MIT Kerberos code base, we have also made some design decisions that would discourage users from deploying weak cryptographic algorithms (such as DES). The improvements have been announced as Rel. 1.7.1.

October through December 2009

In the 2nd Quarter of fiscal year 2010, the Kerberos Consortium achieved a number of its goals set earlier in the year. The majority of the features of Release 1.8 achieved Alpha or Beta status during that quarter, and they continue to undergo testing in preparation for Final Release 1.8 in the 3rd Quarter of the fiscal year. These features include cryptographic modularity (for FIPS-140 compliance for the Government sector), the PKINIT feature for improved security of Kerberos infrastructure setup, test-driven development capabilities for better code quality, and the automatic lockout feature for reducing dictionary attacks against Kerberos installations.

In October 2009 the Consortium held its Kerberos Conference at MIT, as part of its broad outreach efforts and requirements gathering process from the world-wide Kerberos community. Two notable keynotes were delivered by Phil Venables (Chief Security Officer, Goldman-Sachs) and Kim Cameron (Microsoft Chief Identity Architect). Attendance reached over 70 people for the 2-day event. In addition, during the same week the Kerberos Consortium also held its quarterly Board Of Directors meeting at MIT.

July through September 2009

ISDA KC FY10Q1.ppt

April through June 2009

- Held Kerberos Interoperability Event and Executive Advisory Board meeting, hosted by Microsoft in Redmond, Washington
- Attended Ubuntu Developer's Summit as invited guests and delivered plenary address
- Attended and held half-day workshop at RSA Security Conference as invited experts
- Released MIT Kerberos 1.7, which includes an implementation of the Microsoft Protocol Extensions
- Reduced number of code defects from 70 to 10
- Created port of MySQL database system to MIT Kerberos

...