Kerberos, named after the ferocious three-headed guard dog of Hades in Greek mythology, comprises clients, the key distribution center (KDC), and servers. The KDC is composed of an authentication service (AS) and a ticket-granting service (TGS). Which of the following is incorrect? (Wentz QOTD)
A. Kerberos can work using DES, AES, or optionally public-key cryptography.
B. Kerberos might be subject to attacks in which an attacker impersonates any user.
C. A client sends a username and password encrypted by AES to the AS for authentication.
D. The AS returns an encrypted Ticket-Granting-Ticket (TGT) to the client after authentication.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. A client sends a username and password encrypted by AES to the AS for authentication.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

[Figure: Kerberos Operation (Source: Fulvio Ricciardi)]

The first Kerberos message is AS_REQ as depicted in the diagram above. According to Wikipedia, “the client sends a cleartext message of the user ID to the AS (Authentication Server) requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.)”
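To make the AS exchange concrete, here is an added toy model of AS_REQ / AS_REP in Python. It is not code from Wentz's book, Wikipedia, or Fulvio Ricciardi's write-up; the realm, principal and password are constructed, a keyed HMAC stream with an authentication tag stands in for AES (it is illustrative, not real cryptography), and PBKDF2 stands in for the Kerberos string2key function. The point it demonstrates is the one in the quoted text: the client sends only its principal name in the clear, the AS looks up the client's long-term key locally, and the client proves knowledge of the password by decrypting the AS_REP, so the password itself never crosses the wire.

```python
# Added example: toy Kerberos AS exchange. Not the page's or any project's code.
# Assumptions: HMAC keystream + tag stands in for AES; PBKDF2 stands in for
# string2key; realm, principal and password below are constructed values.
import hashlib
import hmac
import json
import os
import secrets
import time

NONCE_LEN = 16
TAG_LEN = 32


def string2key(password: str, salt: str) -> bytes:
    """Long-term key derived from the password (stand-in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Illustrative stand-in for AES: XOR keystream plus an HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (i.e. wrong password) fails here."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class KDC:
    """Authentication Service side of the KDC for a constructed realm."""

    def __init__(self, realm: str):
        self.realm = realm
        self.tgs_key = os.urandom(32)   # krbtgt key, known only to the KDC
        self.principals = {}            # principal -> long-term key; passwords are never stored

    def register(self, principal: str, password: str) -> None:
        self.principals[principal] = string2key(password, self.realm + principal)

    def as_exchange(self, as_req: dict) -> dict:
        """Handle AS_REQ: reply with a TGT plus a session key for the client."""
        client_key = self.principals[as_req["cname"]]   # looked up locally, never received
        session_key = os.urandom(32)
        tgt_body = {"cname": as_req["cname"], "session_key": session_key.hex(),
                    "expires": int(time.time()) + 8 * 3600}
        enc_part = {"session_key": session_key.hex(), "nonce": as_req["nonce"],
                    "sname": as_req["sname"]}
        return {
            "tgt": toy_encrypt(self.tgs_key, json.dumps(tgt_body).encode()),       # for the TGS
            "enc_part": toy_encrypt(client_key, json.dumps(enc_part).encode()),   # for the client
        }

    def open_tgt(self, tgt: bytes) -> dict:
        """Only the KDC (TGS) can read the TGT; the client just forwards it."""
        return json.loads(toy_decrypt(self.tgs_key, tgt))


def client_as_request(kdc: KDC, principal: str, password: str):
    """Client side: send a cleartext AS_REQ, then unlock AS_REP with the password-derived key."""
    as_req = {"cname": principal, "sname": "krbtgt/" + kdc.realm,
              "nonce": secrets.token_hex(8)}       # no password or key field at all
    as_rep = kdc.as_exchange(as_req)
    client_key = string2key(password, kdc.realm + principal)
    enc_part = json.loads(toy_decrypt(client_key, as_rep["enc_part"]))  # wrong password -> ValueError
    if enc_part["nonce"] != as_req["nonce"]:
        raise ValueError("AS_REP nonce mismatch: reply does not match our request")
    return as_req, as_rep, bytes.fromhex(enc_part["session_key"])


def password_on_wire(as_req: dict, as_rep: dict, password: str) -> bool:
    """True if the password bytes appear anywhere in the two messages as sent."""
    wire = json.dumps(as_req).encode() + as_rep["tgt"] + as_rep["enc_part"]
    return password.encode() in wire


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.TEST")
    kdc.register("alice", "correct horse battery staple")
    req, rep, sk = client_as_request(kdc, "alice", "correct horse battery staple")
    print("password on wire:", password_on_wire(req, rep, "correct horse battery staple"))
    print("TGT session key matches client's:", kdc.open_tgt(rep["tgt"])["session_key"] == sk.hex())
```

Two things the model leaves out of a real deployment are worth knowing: modern KDCs normally require pre-authentication (an encrypted timestamp) before issuing an AS_REP, and the real TGT and session key are bound to the client's address and lifetime fields. What the model does preserve is the reason option C is wrong: the only way the client uses its password is locally, to derive the key that opens the AS_REP.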

Fulvio Ricciardi explains how Kerberos works in detail.

