A client submits a user’s identity in the clear text alone with a timestamp encrypted by the hash of the user’s password to the Kerberos Authentication Server. The Kerberos message is encapsulated as KRB_AS_REQ. Which of the following best describes the purpose of the process?
A. Identification
B. Authentication
C. Pre-authentication
D. The TGT (Ticket-granting ticket)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Identification.

According to the CISSP official study guide, identification is “the process by which a subject professes an identity and accountability is initiated.”

Kerberos is a protocol for verifying the identity of principals. In Kerberos V4 and older, a password was not required for authentication; the user’s identity would authenticate the user. In Kerberos V5, Pre-Authentication is introduced to extend the protocol.

Authentication is “to confirm the identity of an entity when that identity is presented” (NIST SP 800-32), or “verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system” (FIPS 200).

The TGT (Ticket-granting ticket) is issued to the client if the authentication succeeds.

The 5 Whys Technique

• Q: Why does the client submit the user’s identity to the authentication server (AS)?
  A: For the server to identify the subject from the directory.
• Q: Why does the AS server identify the subject?
  A: To authenticate the subject by validating the timestamp.
• Q: Why does the AS server authenticate the subject?
  A: To assert the subject’s identity by issuing the TGT (Ticket-granting ticket).
• Q: Why does the AS server assert the subject’s identity?
  A: For the client to request the service ticket.

Pre-Authentication

In previous versions of Kerberos (v4 and older), a password was not required for authentication. A simple valid user name would authenticate the user. In Kerberos v5, a password is required. This is called Pre-Authentication. It’s possible to disable Pre-Authentication in order to provide backward compatibility for old Kerberos v4 libraries and Unix apps and so on.

Warning: Disabling Pre-Authentication is a serious degradation of security.

Source: Geir Olsen

Reference

• Kerberos
• Kerberos Simplified
• Kerberos (protocol)
• Kerberos Pre-Authentication
• The Kerberos Network Authentication Service (RFC 4120)
• A Generalized Framework for Kerberos Pre-Authentication (RFC 6113)
• Kerberos Operation

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

一個客戶端以用戶密碼的哈希值將時間戳記加密後，連同用戶身份以明碼(cleartext)方式提交給Kerberos身份驗證服務器。 此Kerberos消息封裝為KRB_AS_REQ。 以下哪項最能描述過程的目的？
A. Identification
B. Authentication
C. Pre-authentication
D. TGT (Ticket-granting ticket)