CISSP PRACTICE QUESTIONS – 20211103

Effective CISSP Questions

Kerberos, named after the ferocious three-headed dog that guards Hades in Greek mythology, comprises clients, the key distribution center (KDC), and servers. The KDC is composed of an authentication service (AS) and a ticket-granting service (TGS). Which of the following is incorrect? (Wentz QOTD)
A. Kerberos can work using DES, AES, or optionally public-key cryptography.
B. Kerberos might be subject to attacks in which an attacker impersonates any user.
C. A client sends a username and password encrypted by AES to the AS for authentication.
D. The AS returns an encrypted Ticket-Granting Ticket (TGT) to the client after authentication.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. A client sends a username and password encrypted by AES to the AS for authentication.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Figure: Kerberos Operation (Source: Fulvio Ricciardi)

The first Kerberos message is AS_REQ, as depicted in the diagram above. According to Wikipedia, “the client sends a cleartext message of the user ID to the AS (Authentication Server) requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.)” The password never leaves the client. The client derives the user's long-term key from the password locally (the string-to-key function of the negotiated encryption type) and proves possession of that key either by decrypting the AS_REP it receives or, where the KDC requires pre-authentication (Active Directory does so by default), by including a timestamp encrypted under that key (PA-ENC-TIMESTAMP) in the AS_REQ. Option C, which describes the password itself being sent, is therefore the incorrect statement.

Fulvio Ricciardi explains how Kerberos works in detail.
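The exchange described above, as an added example that is not part of the original post and not code from Fulvio Ricciardi or any Kerberos implementation. It models the AS half of the KDC and a client running the AS_REQ/AS_REP exchange with pre-authentication. Real Kerberos uses ASN.1/DER messages and the RFC 3961/3962 encryption types (for instance aes256-cts-hmac-sha1-96); the HMAC-SHA256 keystream-plus-tag cipher below is an assumed stand-in so the exchange runs offline with the standard library only. The realm EXAMPLE.COM, the principal "alice" and the passwords are constructed sample values, and `run_demo` is a helper written for this example.

```python
"""Toy model of the Kerberos AS exchange (AS_REQ / AS_REP) with PA-ENC-TIMESTAMP.

Added illustration only. The cipher is a stand-in for the RFC 3961/3962
encryption types; realm, principal and passwords are constructed samples.
"""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"  # constructed sample realm


def string_to_key(password: str, salt: str) -> bytes:
    """Derive the long-term key from the password (PBKDF2, as RFC 3962 does for
    the AES etypes; the final DK() step is omitted in this model)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. A wrong key fails here, which is
    how the AS rejects a bad password during pre-authentication."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """The AS side of the KDC: it holds derived keys, never passwords."""

    def __init__(self):
        self.keys = {}                    # principal -> long-term key
        self.krbtgt_key = os.urandom(32)  # key of krbtgt/REALM; clients never learn it

    def register(self, principal: str, password: str) -> None:
        # Only the derived key is stored; the password is discarded.
        self.keys[principal] = string_to_key(password, REALM + principal)

    def as_exchange(self, as_req: dict) -> dict:
        """Handle AS_REQ and return AS_REP; raises on a failed pre-authentication."""
        key = self.keys[as_req["cname"]]  # KeyError ~ KDC_ERR_C_PRINCIPAL_UNKNOWN
        # PA-ENC-TIMESTAMP: the client proved knowledge of the key by encrypting
        # a timestamp. The password itself was never transmitted.
        ts = int(decrypt(key, as_req["padata"]).decode())
        if abs(time.time() - ts) > 300:
            raise PermissionError("KRB_AP_ERR_SKEW")
        session_key = os.urandom(32)
        # The TGT is sealed under the krbtgt key, so it is opaque to the client.
        tgt = encrypt(self.krbtgt_key, json.dumps(
            {"cname": as_req["cname"], "key": session_key.hex()}).encode())
        # The client's copy of the session key is sealed under the client's key.
        enc_part = encrypt(key, json.dumps(
            {"key": session_key.hex(), "sname": as_req["sname"]}).encode())
        return {"cname": as_req["cname"], "ticket": tgt, "enc-part": enc_part}


def build_as_req(principal: str, password: str) -> tuple:
    """Client side: derive the key locally; send cname plus an encrypted timestamp."""
    key = string_to_key(password, REALM + principal)
    padata = encrypt(key, str(int(time.time())).encode())
    return key, {"cname": principal, "sname": "krbtgt/" + REALM, "padata": padata}


def read_as_rep(key: bytes, as_rep: dict) -> tuple:
    """Client side: recover the session key from enc-part; the TGT stays opaque."""
    enc = json.loads(decrypt(key, as_rep["enc-part"]))
    return bytes.fromhex(enc["key"]), as_rep["ticket"]


def run_demo() -> dict:
    """Run the exchange once and report the properties worth checking."""
    kdc = KDC()
    kdc.register("alice", "correct horse battery staple")
    key, as_req = build_as_req("alice", "correct horse battery staple")
    session_key, tgt = read_as_rep(key, kdc.as_exchange(as_req))
    try:                                   # client cannot open the TGT
        decrypt(key, tgt)
        client_can_open_tgt = True
    except ValueError:
        client_can_open_tgt = False
    try:                                   # wrong password => different key => pre-auth fails
        kdc.as_exchange(build_as_req("alice", "wrong password")[1])
        wrong_password_accepted = True
    except ValueError:
        wrong_password_accepted = False
    return {
        "password_in_as_req": b"correct horse battery staple" in as_req["padata"],
        "key_in_as_req": key in as_req["padata"],
        "kdc_session_key_matches": json.loads(decrypt(kdc.krbtgt_key, tgt))["key"] == session_key.hex(),
        "client_can_open_tgt": client_can_open_tgt,
        "wrong_password_accepted": wrong_password_accepted,
    }
```

Call `run_demo()` to see the five checks: neither the password nor the derived key appears in the AS_REQ, the KDC and client end up with the same session key, the client cannot open the TGT (it is encrypted under the krbtgt key, which is why option D is correct), and a wrong password fails at the KDC's pre-authentication check rather than being compared as a transmitted secret.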

2 thoughts on “CISSP PRACTICE QUESTIONS – 20211103”

  1. Should the correct answer to this question be A? On the OSG Version 9, page 696, it says “The client encrypts the username with AES for transmission to the KDC”, which contains AS. The book also mentioned “Kerberos 5 relies on symmetric-key cryptography using the AES”.

    • Thank you for your feedback, Jane. I’m afraid the description of Kerberos in OSG version 9, page 696, is not technically correct.
      1. The client’s identity is sent in cleartext, not including the password.
      2. Kerberos builds primarily on symmetric cryptography but may be optionally supported by asymmetric cryptography.
      3. Kerberos encryption types (cipher suites) commonly support DES, RC4, and AES.
      Please refer to this post for details:
      https://wentzwu.com/2022/08/29/kerberos-pre-authentication/
