Subject: kfw-3.2.2-beta1 is available
From: Tom Yu
Date: Wed, 10 Oct 2007 00:29:09 -0400
To: kerberos-announce@MIT.EDU

Hash: SHA1

The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to 
announce the first beta release of MIT's Kerberos for Windows product, 
Version 3.2.2.

Please send bug reports and feedback to

What's New in KFW 3.2.2

  *  Network Identity Manager Application
     o Application window always raised when prompting for new credentials,
       so prompt is not obscured by other windows.
     o Password entry field accepts 1024 characters.
     o Add --show and --hide command line options.
     o Defines a new color schema.  Color values are no longer imported from
       the user's desktop theme.
     o Notification icon reflects status of the default identity instead of 
       all identities.
  *  Credential Cache API changes
     o The CCAPI implementation is now compatible with Windows Terminal
  *  Kerberos v5 Library Improvements
     o Based on krb5-1.6.3.
     o MSLSA: ccache properly translates Unicode strings to the local ANSI
       character set.
     o krb5_get_profile() is exported from krb5_32.dll.
  *  Installer Changes
     o Remove the registration requirement for administrative installations
       when using the MSI installer.
     o MSVC DLLs include DST 2007 changes.

  *  Build system changes 
     o NIM Schema files can now support external file inclusion. 
     o Add static ordinals to DLL exports. 
     o krbcc credential cache api implementation can now be compiled with
       Microsoft Visual Studio 2005. 
     o Enable builds on 64 bit Windows. 
     o NIM API version is now 10.

For descriptions of changes to earlier versions, see the release notes for
each version, at

KFW 3.2.2 will be released by October 28, 2007, when the MSVC DLLs with DST
changes will be needed.

Supported Versions of Microsoft Windows

This release requires 32-bit editions of Microsoft Windows 2000 and
higher or the WOW64 environment of 64-bit editions of Microsoft 
Windows XP and higher.


Binaries and source code can be downloaded from the MIT Kerberos web site:

Important notice regarding Kerberos 4 support

In the past few years, several developments have shown the inadequacy
of the security of version 4 of the Kerberos protocol.  These
developments have led the MIT Kerberos Team to begin the process of
ending support for version 4 of the Kerberos protocol.  The plan
involves the eventual removal of Kerberos 4 support from the MIT
implementation of Kerberos.

The Data Encryption Standard (DES) has reached the end of its useful
life.  DES is the only encryption algorithm supported by Kerberos 4,
and the increasingly obvious inadequacy of DES motivates the
retirement of the Kerberos 4 protocol.  The National Institute of
Standards and Technology (NIST), which had previously certified DES as
a US government encryption standard, has officially announced[1] the
withdrawal of the Federal Information Processing Standards (FIPS) for

NIST's action reflects the long-held opinion of the cryptographic
community that DES has too small a key space to be secure.  Breaking
DES encryption by an exhaustive search of its key space is within the
means of some individuals, many companies, and all major governments.
Consequently, DES cannot be considered secure for any long-term keys,
particularly the ticket-granting key that is central to Kerberos.

Serious protocol flaws[2] have been found in Kerberos 4.  These flaws
permit attacks which require far less effort than an exhaustive search
of the DES key space.  These flaws make Kerberos 4 cross-realm
authentication an unacceptable security risk and raise serious
questions about the security of the entire Kerberos 4 protocol.

The known insecurity of DES, combined with the recently discovered
protocol flaws, make it extremely inadvisable to rely on the security
of version 4 of the Kerberos protocol.  These factors motivate the MIT
Kerberos Team to remove support for Kerberos version 4 from the MIT
implementation of Kerberos.

The process of ending Kerberos 4 support began with release 1.3 of MIT
Kerberos 5. In release 1.3, the default run-time configuration of the 
KDC disables support for version 4 of the Kerberos protocol. Release 1.4
of MIT Kerberos continues to include Kerberos 4 support (also disabled
in the KDC with the default run-time configuration).  We intend to 
completely remove Kerberos 4 support from MIT Kerberos for Windows 4.0.

The MIT Kerberos Team has ended active development of Kerberos 4,
except for the eventual removal of all Kerberos 4 functionality.  We
will continue to provide critical security fixes for Kerberos 4, but
routine bug fixes and feature enhancements are at an end.

** The MIT Kerberos Team has decided that the MIT Kerberos for 
** Windows 3.x release series will be the last versions to contain
** Kerberos 4 support.  Beginning with 4.0 release, MIT Kerberos for
** Windows will be Kerberos 5 only.  At that time MIT will repackage
** the existing Kerberos 4 libraries in a stand-alone installer for
** those organizations that require continued use of Kerberos 4.

We recommend that any sites which have not already done so begin a
migration to Kerberos 5.  Kerberos 5 provides significant advantages
over Kerberos 4, including support for strong encryption,
extensibility, improved cross-vendor interoperability, and ongoing
development and enhancement.

If you have questions or issues regarding migration to Kerberos 5, we
recommend discussing them on the mailing list.


[1] National Institute of Standards and Technology.  Announcing
     Approval of the Withdrawal of Federal Information Processing
     Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
     Guidelines for Implementing and Using the NBS Data Encryption
     Standard; and FIPS 81, DES Modes of Operation.  Federal Register
     05-9945, 70 FR 28907-28908, 19 May 2005.  DOCID:fr19my05-45

[2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
     Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
     the Network and Distributed Systems Security Symposium. The
     Internet Society, February 2004.
Version: GnuPG v1.4.6 (SunOS)


kerberos-announce mailing list
Kerberos mailing list