Kerberos gets cracked


Network Security

accuracy rate. The company also sees other applications for the technology. It envisions customers using it for credit card verification and to control computer access and deter cellular phone fraud.

Kerberos gets cracked
Atoosa Savarnejad

The cracking of Kerberos is a sharp reminder to users: don’t get too smug about your security system. When two Purdue University students cracked Version 4 of the Internet security system last month, they added to the growing list of shortcomings found in the last few months in widely used encryption methods. Kerberos is a system that uses encryption to protect users at financial and educational institutions and government agencies.

The flaw that made cracking Kerberos relatively easy is that the software does not generate random numbers that are long enough, allowing the numbers to be guessed and then used to decipher users’ secret ‘session keys’. Furthermore, because of the way the program was originally written at MIT, the numbers, which are supposed to be random, are actually based on times and dates.

“This only goes to show that the government is not protecting companies the way it should”, said Hans Van Braun, director of computer security research at Creative Strategies in San Francisco. Van Braun said that he blamed the National Computer Security Agency, a federal agency, for holding back companies’ ability to use stronger encryption by limiting the length of encryption keys to something it can break. “They are more concerned with their ability to crack encryption codes than security for the companies”, Van Braun said.

Ironically, developers of Kerberos Version 4 at the Massachusetts Institute of Technology knew about the flaw as early as 1989, but they had reportedly not counted on the system being around for as long as it has been, according to Jeffrey Schiller, a developer of Kerberos and network manager at MIT.

Some vendors say there are fixes for Version 4 Kerberos. “The bug is in the public domain version of Kerberos. We have rewritten the code so we don’t use any of the MIT stuff”, said Laurie Anderson, director of communications at Cybersafe Corp. Anderson said that Cybersafe has made significant enhancements to the product. Their version features “easy installation and configuration, graphic user interface for administrators, incremental database propagation and password checking”. Their product, named Cybersafe Challenger, is based on Kerberos.

6

March 1996
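The weakness described in the Kerberos article above, as an added illustration that is not part of the original article and is not MIT's or any vendor's Kerberos code: a constructed toy session-key generator whose "random" value is a function of a clock reading (the flaw class the article describes, not the actual routine), placed beside one that draws from the operating system's cryptographic random source, together with a defender's estimate of how little uncertainty is left in a clock-seeded key once the time of generation is known to within a window. The function names, the 4-byte time seed and the 8-byte key size (DES-sized, since Kerberos Version 4 used DES) are this example's own assumptions.

```python
import hashlib
import math
import secrets
from typing import Optional

# Constructed toy, not Kerberos code. Kerberos v4 used DES, so an 8-byte
# session key is assumed here; all names and values are this example's own.
KEY_BYTES = 8


def weak_session_key(clock_seconds: int) -> bytes:
    """Model of the flaw class: the 'random' key is a deterministic function
    of a clock value, so anyone who knows roughly when it was generated can
    rebuild it. The hash only disguises the seed; it adds no uncertainty."""
    seed = clock_seconds.to_bytes(4, "big")          # 32-bit time seed
    return hashlib.sha256(seed).digest()[:KEY_BYTES]


def strong_session_key() -> bytes:
    """Hardened form: draw the key from the OS cryptographic RNG (secrets),
    never from the clock or any other predictable program state."""
    return secrets.token_bytes(KEY_BYTES)


def effective_entropy_bits(window_seconds: int) -> float:
    """Bits of uncertainty remaining in a clock-seeded key when the seed is
    known to lie within +/- window_seconds of some reference time."""
    return math.log2(2 * window_seconds + 1)


def recover_clock_seeded_key(target_key: bytes, approx_clock: int,
                             window_seconds: int) -> Optional[int]:
    """Defender's self-check: confirm that a key produced by weak_session_key
    is fixed by a small set of clock values. Returns the seed if it lies in
    the window, else None."""
    for guess in range(approx_clock - window_seconds,
                       approx_clock + window_seconds + 1):
        if weak_session_key(guess) == target_key:
            return guess
    return None


def keys_look_independent(n: int = 1000) -> bool:
    """Sanity check on the hardened generator: n keys drawn, all distinct."""
    return len({strong_session_key() for _ in range(n)}) == n


if __name__ == "__main__":
    t0 = 1_000_000                       # constructed clock value
    k = weak_session_key(t0)
    print("clock-seeded key:", k.hex())
    print("seed recovered as:", recover_clock_seeded_key(k, t0 + 17, 60))
    print("uncertainty with seed known to +/- 1h: %.1f bits (key is %d bits)"
          % (effective_entropy_bits(3600), KEY_BYTES * 8))
    print("CSPRNG key:", strong_session_key().hex())
```

The point the numbers make: with the seed known to within an hour, a 64-bit key carries under 13 bits of real uncertainty, which is why key length alone says nothing about strength when the generator is predictable. The check to apply to any key-generating code is therefore where its randomness comes from, not how many bytes it outputs.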

IBM to develop secure version
Atoosa Savarnejad

The demand for tighter security has prompted IBM to look at ways to make its Internet Connection Server more secure for its mainframe users. IBM is currently engineering a secure version of its Internet Connection Server for MVS customers, including System/390 users. The server resides on an OS/390 system. The secure version of the Internet Connection Server would meet the Secure Sockets Layer (SSL) and Secure HyperText Transfer Protocol (SHTTP) security standards, said Janet Walbridge, public relations manager for IBM.

The Internet Connection Server for MVS allows all MVS customers to build a World Wide Web server, delivering their current data through an industry-standard Web browser. A business can use the Internet Connection Server for MVS to create a Web server on either the Internet or an internal network. Ira Machefsky, an analyst with Giga Information Group in Santa Clara, California, USA, said that having a security system on any Internet server, whether a mainframe or a PC, was pretty much standard. But he wasn’t surprised that a security system for Internet access on mainframe computers was late in coming. “There aren’t that many people who care about this. It’s pretty low-volume”, he said.

To make things easier, IBM announced late last year that customers with OS/390 and a Parallel Enterprise Server can hook up to the Internet without much difficulty. OS/390 includes an Internet BonusPak that can be installed in a partition on an existing mainframe without upgrading the whole machine to the new operating system. IBM has equipped the System/390 with a direct Web browser interface to CICS and the ability to access mainframe data via MQSeries middleware. The Internet Connection Server joins a family of eight Internet Connection software products. The Internet Server product family currently allows access to the Internet via OS/2 Warp, Windows and AIX. IBM is currently working on integrating CICS and DB/2 gateways into its family, allowing an Internet server to link to existing enterprise applications and data.

©1996 Elsevier Science Ltd