{"id":103,"date":"2021-01-17T05:27:28","date_gmt":"2021-01-16T17:53:52","guid":{"rendered":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0095\/"},"modified":"2021-01-17T05:43:48","modified_gmt":"2021-01-17T05:43:48","slug":"systems-security-certified-practitioner-sscp-question0095","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0095\/","title":{"rendered":"Systems Security Certified Practitioner &#8211; SSCP &#8211; Question0095"},"content":{"rendered":"<div class=\"question\">Which of the following is NOT true of the Kerberos protocol? <br \/><strong><br \/>A.<\/strong> Only a single login is required per session. <br \/><strong>B.<\/strong> The initial authentication steps are done using public key algorithm. <br \/><strong>C.<\/strong> The KDC is aware of all systems in the network and is trusted by all of them <br \/><strong>D.<\/strong> It performs mutual authentication<\/div>\n<p><\/p>\n<style> .hidden-div{ display:none } <\/style>\n<p>\t\t\t\t\t\t\t<button onclick=\"getElementById('hidden-div').style.display = 'block'\"> Show Answer <\/button> <button onclick=\"getElementById('hidden-div').style.display = 'none'\">Hide Answer<\/button><\/p>\n<div class=\"hidden-div\" id=\"hidden-div\"><span style=\"\"><\/p>\n<div class=\"answer\">Correct Answer: <strong>B<\/strong><\/div>\n<p><strong>Explanation:<\/strong> <\/p>\n<div class=\"explanation\">\nKerberos is a network authentication protocol. It is designed to provide strong authentication for client\/server applications by using secret-key cryptography. It has the following characteristics:<br \/>\nIt is secure: it never sends a password unless it is encrypted.<br \/>\nOnly a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins.<br \/>\nThe concept depends on a trusted third party \u2013 a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them. It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.<br \/>\nKerberos introduces the concept of a Ticket-Granting Server\/Service (TGS). A client that wishes to use a service has to receive a ticket from the TGS \u2013 a ticket is a time-limited cryptographic message \u2013 giving it access to the server. Kerberos also requires an Authentication Server (AS) to verify clients. The two servers combined make up a KDC.<br \/>\nWithin the Windows environment, Active Directory performs the functions of the KDC. The following figure shows the sequence of events required for a client to gain access to a service using Kerberos authentication. Each step is shown with the Kerberos message associated with it, as defined in RFC 4120 \u201cThe Kerberos Network Authorization Service (V5)\u201d.<br \/>\n<img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full\" src=\"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-content\/uploads\/exam\/__Page_046_Image_0001.jpg\" \/><br \/>\nKerberos Authentication Step by Step<br \/>\nStep 1: The user logs on to the workstation and requests service on the host. The workstation sends a message to the Authorization Server requesting a ticket granting ticket (TGT).<br \/>\nStep 2: The Authorization Server verifies the user\u2019s access rights in the user database and creates a TGT and session key. The Authorization Sever encrypts the results using a key derived from the user\u2019s password and sends a message back to the user workstation.<br \/>\nThe workstation prompts the user for a password and uses the password to decrypt the incoming message. When decryption succeeds, the user will be able to use the TGT to request a service ticket.<br \/>\nStep 3: When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, realm name and a timestamp. The user proves his identity by sending an authenticator encrypted with the session key received in Step 2.<br \/>\nStep 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server. The ticket contains the client name and optionally the client IP address. It also contains the realm name and ticket lifespan. The TGS returns the ticket to the user workstation. The returned message contains two copies of a server session key \u2013 one encrypted with the client password, and one encrypted by the service password.<br \/>\nStep 5: The client application now sends a service request to the server containing the ticket received in Step 4 and an authenticator. The service authenticates the request by decrypting the session key. The server verifies that the ticket and authenticator match, and then grants access to the service. This step as described does not include the authorization performed by the Intel AMT device, as described later.<br \/>\nStep 6: If mutual authentication is required, then the server will reply with a server authentication message.<br \/>\nThe Kerberos server knows &#8220;secrets&#8221; (encrypted passwords) for all clients and servers under its control, or it is in contact with other secure servers that have this information. These &#8220;secrets&#8221; are used to encrypt all of the messages shown in the figure above.<br \/>\nTo prevent &#8220;replay attacks,&#8221; Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in synch as much as possible. In other words, both computers need to be set to the same time and date. Since the clocks of two computers are often out of synch, administrators can establish a policy to establish the maximum acceptable difference to Kerberos between a client&#8217;s clock and server&#8217;s clock. If the difference between a client&#8217;s clock and the server&#8217;s clock is less than the maximum time difference specified in this policy, any timestamp used in a session between the two computers will be considered authentic. The maximum difference is usually set to five minutes.<br \/>\nNote that if a client application wishes to use a service that is &#8220;Kerberized&#8221; (the service is configured to perform Kerberos authentication), the client must also be Kerberized so that it expects to support the necessary message responses. For more information about Kerberos, see <a href=\"http:\/\/web.mit.edu\/kerberos\/www\/.\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/web.mit.edu\/kerberos\/www\/.<\/a><br \/>\nReferences: Introduction to Kerberos Authentication from Intel and <a href=\"http:\/\/www.zeroshell.net\/eng\/kerberos\/Kerberos-definitions\/#1.3.5.3\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/www.zeroshell.net\/eng\/kerberos\/Kerberos-definitions\/#1.3.5.3<\/a> and <a href=\"http:\/\/www.ietf.org\/rfc\/rfc4120.txt\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/www.ietf.org\/rfc\/rfc4120.txt<\/a><\/div>\n<p><\/strong><\/span> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>Which of the following is NOT true of the Kerberos protocol? A. Only a single login is required per session. B. The initial authentication steps are done using public key algorithm. C. The KDC is aware of all systems in the network and is trusted by all of them D. It performs mutual authentication Show [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[1078,98,3],"class_list":["post-103","post","type-post","status-publish","format-standard","hentry","category-systems-security-certified-practitioner-sscp","tag-choices","tag-question-0095","tag-systems-security-certified-practitioner-sscp"],"_links":{"self":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/comments?post=103"}],"version-history":[{"count":1,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/103\/revisions"}],"predecessor-version":[{"id":1179,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/103\/revisions\/1179"}],"wp:attachment":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/media?parent=103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/categories?post=103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/tags?post=103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}