nerdexam
(ISC)2

CISSP-ISSAP · Question #221

Kerberos is a computer network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Which of the following

The correct answer is A. Kerberos requires continuous availability of a central server. B. Dictionary and brute force attacks on the initial TGS response to a client may reveal the D. Kerberos requires the clocks of the involved hosts to be synchronized.. A, B, and D are correct because Kerberos depends entirely on its Key Distribution Center (KDC) - if that central server goes down, no authentication is possible. The TGS response to a client is encrypted with a key derived from the user's password, meaning an attacker who capture

Identity and Access Management (IAM) Architecture

Question

Kerberos is a computer network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Which of the following statements are true about the Kerberos authentication scheme? Each correct answer represents a complete solution. Choose all that apply.

Options

  • AKerberos requires continuous availability of a central server.
  • BDictionary and brute force attacks on the initial TGS response to a client may reveal the
  • CKerberos builds on Asymmetric key cryptography and requires a trusted third party.
  • DKerberos requires the clocks of the involved hosts to be synchronized.

How the community answered

(25 responses)
  • A
    84% (21)
  • C
    16% (4)

Explanation

A, B, and D are correct because Kerberos depends entirely on its Key Distribution Center (KDC) - if that central server goes down, no authentication is possible. The TGS response to a client is encrypted with a key derived from the user's password, meaning an attacker who captures that ticket can perform offline dictionary or brute force attacks to crack it (a real-world attack known as Kerberoasting). Kerberos also embeds timestamps in tickets to prevent replay attacks, so all participating hosts must have synchronized clocks - typically within a 5-minute skew tolerance.

C is wrong because Kerberos is built on symmetric (shared-secret) key cryptography, not asymmetric (public/private key). The KDC shares a secret key with each principal, not a public key pair. The "trusted third party" part of C is technically true, but the asymmetric claim makes the whole statement false.

Memory tip: Think of Kerberos as "CATS" - Clocks must sync, Availability of the KDC is critical, Tickets can be cracked offline, Symmetric crypto (not asymmetric). If you see "asymmetric" or "public key" associated with Kerberos, it's a trap.

Topics

#Kerberos authentication#TGS vulnerabilities#KDC requirements#Clock synchronization

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice