CISSP-ISSAP · Question #221
Kerberos is a computer network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Which of the following
The correct answer is A. Kerberos requires continuous availability of a central server. B. Dictionary and brute force attacks on the initial TGS response to a client may reveal the D. Kerberos requires the clocks of the involved hosts to be synchronized.. A, B, and D are correct because Kerberos depends entirely on its Key Distribution Center (KDC) - if that central server goes down, no authentication is possible. The TGS response to a client is encrypted with a key derived from the user's password, meaning an attacker who capture
Question
Kerberos is a computer network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Which of the following statements are true about the Kerberos authentication scheme? Each correct answer represents a complete solution. Choose all that apply.
Options
- AKerberos requires continuous availability of a central server.
- BDictionary and brute force attacks on the initial TGS response to a client may reveal the
- CKerberos builds on Asymmetric key cryptography and requires a trusted third party.
- DKerberos requires the clocks of the involved hosts to be synchronized.
How the community answered
(25 responses)- A84% (21)
- C16% (4)
Explanation
A, B, and D are correct because Kerberos depends entirely on its Key Distribution Center (KDC) - if that central server goes down, no authentication is possible. The TGS response to a client is encrypted with a key derived from the user's password, meaning an attacker who captures that ticket can perform offline dictionary or brute force attacks to crack it (a real-world attack known as Kerberoasting). Kerberos also embeds timestamps in tickets to prevent replay attacks, so all participating hosts must have synchronized clocks - typically within a 5-minute skew tolerance.
C is wrong because Kerberos is built on symmetric (shared-secret) key cryptography, not asymmetric (public/private key). The KDC shares a secret key with each principal, not a public key pair. The "trusted third party" part of C is technically true, but the asymmetric claim makes the whole statement false.
Memory tip: Think of Kerberos as "CATS" - Clocks must sync, Availability of the KDC is critical, Tickets can be cracked offline, Symmetric crypto (not asymmetric). If you see "asymmetric" or "public key" associated with Kerberos, it's a trap.
Topics
Community Discussion
No community discussion yet for this question.