There’s a new feature in Mac OS X 10.5 called Back to my Mac. It allows you to connect from one mac to another for screen sharing, shared folders or other features . The authentication behind this new feature is Peer to Peer Kerberos. Each Mac runs a local KDC. Each user on the Mac has a Kerberos principal. The Mac generates a realm name starting with LKDC: that contains the hash of a public key created for the machine. A KDC location plugin allows the Mac to find out how to contact the appropriate KDC for one of these peer-to-peer realms. Then, normal Kerberos authentication can take place. The MIT Kerberos team worked with Apple to design this feature. It provided several of UI and security challenges and was an interesting partnership.
This mechanism effectively allows the benefits of Kerberos such as caching of tickets to be used by everyone not just those in an enterprise. Like any other Kerberos authentication, the mechanism can be expanded to support other authentication schemes such as smart cards or authentication tokens in addition to passwords. It makes it easier for programmers because the same security mechanisms can be used both for enterprise security and for peer-to-peer security.
In terms of Kerberos deployment, this is a huge step forward. Apple join the set of companies that are using strong security in consumer-facing products.
The most interesting thing to take away from this is that infrastructure security systems like Kerberos can be easy to use. Users don’t know that they have set up a Kerberos realm or even that they are using Kerberos. I think this will be a good response to claims that good security is too hard to use or deploy. Instead we should focus on writing the necessary user interface to make the security easy to use so that it doesn’t get in the way.
I’ve glossed over an important technical issue. It turns out knowing what realm you need to use in order to contact a particular machine in a secure manner is hard. There are several solutions with different tradeoffs. I don’t know which one Apple ultimately ended up picking. If It is interesting to people I can discuss the design of systems like this and the tradeoffs. Right now, though, I’m focused on the security usability implications of the high level experience. I’d like to think Alexandra Ellwood for research that helped form a basis for this article.