MIT Researchers Hope to Kick Kerberos Up a Notch

A twenty-year-old technology could be set to become a worldwide standard for authentication. By one estimate, it already may be.

That’s the thinking, at least, from network security researchers at MIT, who today launched a new effort to develop and expand Kerberos. The authentication protocol, developed in the 80s, already resides in one form or another in a staggering 100 million-plus network installations worldwide. (For example, Microsoft’s Windows operating systems have used Kerberos as an authentication method since Windows 2000.)

The goal of the researchers’ new Kerberos Consortium is to continue developing the technology, pitch it to a new class of developers and extend its use into emerging mobile and wireless devices. The group will also play watchdog over the technology, making sure companies don’t tweak its open-system flavor too much.

“MIT has managed this for a long time, making sure everyone played well together,” said Stephen Buckley, executive director of the Consortium. Buckley told InternetNews.com that a chief goal now is to prevent the fracturing of Kerberos, especially as it moves into such areas as mobile devices and mobile e-commerce.

The researchers also hope to ramp up the funding of Kerberos development by pulling in industry partners to help foot the bill and participate in new projects. Early converts to this effort include Stanford University, the University of Michigan, and deep-pocketed corporate backers like Apple Computer, Sun Microsystems and Google.

“Without Kerberos as part of the fabric of our infrastructure for identify management, there is no way we could manage the thousands and thousands of systems we manage each day,” said Bruce Vincent, chief IT architect and technology strategist at Stanford.

Even with corporate backers, MIT will keep Kerberos an open system, Buckley added.

To those outside the computing cognoscenti circle, Kerberos may sound more like a character from “Halo 3” than a key networking protocol. Those in the know, however, recognize its importance as a longstanding means of authenticating users across large computing networks.

In fact, anyone who has even played a networked Xbox console game may have already been unknowingly using the venerable technology, said Sam Hartman, MIT’s chief Kerberos technologist.

Until now, the Kerberos team for years has been perfectly happy to keep such a low profile, quietly adding new features and improvements as needed. Their main impetus in coming into the limelight today with the Kerberos Consortium, however, is that your father’s Kerberos just can’t keep pace with the current generation of mobile technologies and other emerging devices.

If Kerberos were readily available on mobile devices, consortium members said, it could help address myriad communications issues in healthcare — for example, securing secure mobile records that are channeled to doctors at bedside or working remotely. It might also be used to protect transactions and prevent ID theft and phishing in the consumer space, Hartman said.

This is good news to Tom Kemp, CEO of Centrify Corp., which has more than 250 customers for its Kerberos-based compliance solutions in healthcare and other industries. Not surprisingly, Centrify is another charter member of the new MIT group.

Despite a widespread installation base and an impressive list of corporate supporters, the consortium does have its work cut out for it. For one thing, there are only a handful of researchers at MIT working on Kerberos — so staffing could be an immediate problem, consortium members said.

Additionally, there are threats to keeping Kerberos an open system. Companies have been piling customized layers on top of it for years, members added, so any rules and regulations the Kerberos Consortium issues may not go over so well with those using specialized versions.

There are also more overlapping and competing security technologies to contend with, especially in the mobile space. Hartman said Kerberos Consortium members hope to work closely with other network security organizations involved in ID authentication, like the Liberty Alliance, to make sure their technologies are in sync and, where appropriate, interoperable.

“We need to take advantage of those [technologies] to find where Kerberos has the right fit,” he added.