Help: IE doesn't work silently
Please Help!

My environment:
Server: MIT Kerberos and JBoss 4.2.3 on the same machine running Debian.
Client: Windows XP with Kerberos for Windows.

It works perfectly with Firefox, but prompts for user and password with IE. What can I do to work silently with IE? The big difference is that in Firefox I can set MIT GSSAPI, but in IE I can't. So IE doesn't see my MIT Kerberos ticket. Is there a way to put the Kerberos ticket in the MS cache?

I'd really appreciate your help! Thanks in advance!

Inacio
--
Prodesan S/A (http://www.prodesan.com.br/)

Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
AES-CTS, SHA-96bit in Kerberos are FIPS 140-2 Compliant ?
Hi,

Does anyone know whether AES-CTS and SHA-96bit (mandatory cipher suites for Kerberos) are FIPS 140-2 compliant or not? AES-CBS and SHA1 (160bit) are listed in the NIST FIPS 140-2 approved crypto/hash list, but AES-CTS and SHA-96bit are NOT listed in the list.

In the case of Windows Vista/7/Server 2k8, Kerberos is FIPS 140-2 compliant and AES128/256-CTS-SHA-96 is available in FIPS 140-2 compliant mode.

Regards,
ANNOUNCEMENT: Network Identity Manager Version 2.0 Available as an Update to Kerberos for Windows
URL: http://www.secure-endpoints.com/netidmgr/v2/

Secure Endpoints Inc. is proud to announce the public availability of Network Identity Manager v2 (2.0.0.304). Version 2.0 is the end of a three year effort to improve the usability and capabilities of the product.

Improved usability:

* Users no longer have to type their username/realm each time they wish to obtain credentials for a Kerberos v5 identity. Instead, they select previously used identities from a list.
* A New Identity Wizard walks the user through the configuration of all derived credential types when creating a new identity.
* Progress dialogs inform the user of progress of each stage of the credential acquisition process.
* Users can assign an icon to each identity to assist in distinguishing identities from one another.
* The basic identity view now includes:
  o an animated battery that visualizes the remaining lifetime and permits users to quickly recharge the credential.
  o summary information describing the types and numbers of each derived credential obtained by the identity.
  o dynamic progress bars when credential renewal takes place in the background.
  o a star button to represent the current default identity and permit setting an alternate default identity.
* The notification icon context menu has been improved to reduce the need to open the Network Identity Manager window.
* The user documentation has been significantly rewritten. The PDF manual has been retired and the Windows Help documentation is comprehensive.

New functionality:

* Multiple identity providers can now be active simultaneously.
* In addition to the Kerberos v5 identity provider, a KeyStore provider is included and an X.509 identity provider is under development.
* The KeyStore provider permits a locally assigned password to be used to protect the passwords of multiple Kerberos v5 principals. Unlocking the KeyStore results in the acquisition of credentials for each of the configured Kerberos v5 identities.

Open Framework:

* The Network Identity Manager v2 SDK can be used to develop custom identity providers, credential providers, and tool providers.

Installers are available to update 32-bit and 64-bit Kerberos for Windows 3.2.x. Downloads and documentation are available from URL: http://www.secure-endpoints.com/netidmgr/v2/

Jeffrey Altman and Asanka Herath
Secure Endpoints Inc.
Re: AES-CTS, SHA-96bit in Kerberos are FIPS 140-2 Compliant ?
Somebody naming themselves Kerberos Athena claimed:
> Date: Sat, 06 Mar 2010 12:00:10 +0900
> To: kerberos@mit.edu
> From: Kerberos Athena athena.kerbe...@gmail.com
> Subject: AES-CTS, SHA-96bit in Kerberos are FIPS 140-2 Compliant ?
>
> Hi
> Does anyone know whether AES-CTS and SHA-96bit (mandatory cipher suites for Kerberos) are FIPS 140-2 compliant or not? AES-CBS and SHA1 (160bit) are listed in the NIST FIPS 140-2 approved crypto/hash list, but AES-CTS and SHA-96bit are NOT listed in the list. In the case of Windows Vista/7/Server 2k8, Kerberos is FIPS 140-2 compliant and AES128/256-CTS-SHA-96 is available in FIPS 140-2 compliant mode.
> Regards,

AES-CTS = AES-CBC. There is no difference. You do mean AES-CBC and not AES-CBS, right?

CBC by itself is a multiple block protocol. It specifies nothing about how messages that are not integral multiples of the block size are to be encoded. There are several popular methods for stuffing messages into blocks. The simplest one, and the one used in kerberos for des-cbc-crc, is to pad the last block with 0's. It turns out that if you do this padding, when you decode the ciphertext of the last block, the portion of the last block that corresponds to the pad bytes will contain exactly the ciphertext of the block preceding. That means you actually don't need to ship that part of the immediately preceding block. That is all there is to ciphertext stealing = CTS.

There's a more complete description of CTS (and kerberos and many other things) in Schneier's _Applied Cryptography_, a standard reference: http://www.schneier.com/book-applied.html

What you call SHA-96bit is exactly SHA1 (160bit). SHA1 always generates 160 bits of output. 96 bit means that only 96 bits get used. SHA1 is defined to generate up to 160 bits of usable output. The standard goes on to define that if you don't need that many bits of output, you should drop the bits on the right. It's still SHA1 and (since it's a recommended practice in a NIST standard) must surely qualify as approved.

Note that FIPS 140-2 covers a software+hardware implementation; it does not cover the protocol. So, kerberos the protocol will never appear as being FIPS compliant. A particular software *implementation* of kerberos might qualify as FIPS 140-2 security level 1 compliant, if you pay the big bucks for the testing. In the case of Microsoft, they did spring for the big bucks: http://technet.microsoft.com/en-us/library/cc750357.aspx You'd have to ask them what that means in terms of kerberos.

If you are correct that Microsoft provides AES128/256-CTS-SHA-96 in FIPS 140-2 compliant mode, then I don't understand why you think that AES-CBC or SHA-1 (as used in kerberos) might not be approved algorithms. Are you thinking the documentation exemption for proprietary systems on page 13 applies?

Sometime back folks elsewhere talked about how OpenSSL had FIPS 140-2 compliance. What was tested and what was in compliance was a peculiar form of the object code. Not the source. If you're curious, read: http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf There's additional interesting info there as well, and pointers to more.

Marcus Watts
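Ciphertext stealing as Marcus describes it, carried through to the variant Kerberos aes-cts actually uses (RFC 3962, which also swaps the last two ciphertext blocks), as an added example that is not Marcus's code or MIT Kerberos source. It uses Go's standard crypto/aes and crypto/cipher; the key, IV and message are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// cbcCS3Encrypt is CBC with ciphertext stealing in the form Kerberos aes-cts
// uses (RFC 3962): zero-pad, CBC-encrypt, swap the last two blocks, then cut
// back to the plaintext length. The dropped tail of C[m-1] is not lost: it
// sits in the pad positions of D(C[m]). Assumes len(plaintext) > block size.
func cbcCS3Encrypt(block cipher.Block, iv, plaintext []byte) []byte {
	bs, n := block.BlockSize(), len(plaintext)
	padded := make([]byte, ((n+bs-1)/bs)*bs) // zero padding, as for des-cbc-crc
	copy(padded, plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	last := len(ct) - bs // C[m] starts here; C[m-1] starts at last-bs
	out := append([]byte{}, ct[:last-bs]...)
	out = append(out, ct[last:]...)                   // C[m], whole, moved forward
	return append(out, ct[last-bs:last-bs+n-last]...) // only n-last bytes of C[m-1]
}

// cbcCS3Decrypt decrypts C[m] alone to recover the stolen bytes of C[m-1],
// then runs ordinary CBC over the rebuilt full blocks.
func cbcCS3Decrypt(block cipher.Block, iv, ciphertext []byte) []byte {
	bs, n := block.BlockSize(), len(ciphertext)
	last := ((n+bs-1)/bs - 1) * bs // wire offset of the partial block
	prev, r := last-bs, n-last     // wire offset of C[m]; fragment length
	d := make([]byte, bs)
	block.Decrypt(d, ciphertext[prev:last])         // D(C[m]) = (P[m]||0..) XOR C[m-1]
	cPrev := append([]byte{}, ciphertext[last:]...) // the r bytes that were sent
	cPrev = append(cPrev, d[r:]...)                 // stolen tail, read from the pad positions
	full := append(append([]byte{}, ciphertext[:prev]...), cPrev...)
	pt := make([]byte, len(full))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, full)
	for i := 0; i < r; i++ {
		pt = append(pt, d[i]^cPrev[i]) // P[m] = D(C[m]) XOR C[m-1]
	}
	return pt
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	iv := make([]byte, 16)                                 // constructed all-zero IV
	msg := []byte("Kerberos aes-cts sends exactly as many bytes as it reads")
	ct := cbcCS3Encrypt(block, iv, msg)
	fmt.Println(len(ct) == len(msg), string(cbcCS3Decrypt(block, iv, ct)) == string(msg))
}
```

For a message that is an exact multiple of the block size the output is plain CBC with the last two blocks exchanged, which is the sense in which AES-CTS and AES-CBC are the same cipher.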