SSCP · Question #897
SSCP Question #897: Real Exam Question with Answer & Explanation
The correct answer is B: password guessing. Both Kerberos and SESAME ultimately derive their cryptographic session keys from user passwords, meaning an attacker who captures authentication traffic can launch an offline dictionary or brute-force attack - this is the classic password guessing vulnerability that both protocol
Question
Like the Kerberos protocol, SESAME is also subject to which of the following?
Options
- Atimeslot replay
- Bpassword guessing
- Csymmetric key guessing
- Dasymmetric key guessing
Explanation
Both Kerberos and SESAME ultimately derive their cryptographic session keys from user passwords, meaning an attacker who captures authentication traffic can launch an offline dictionary or brute-force attack - this is the classic password guessing vulnerability that both protocols share at their foundation.
Why the distractors are wrong:
- A (timeslot replay): Both Kerberos and SESAME specifically defend against replay attacks using timestamps and ticket lifetimes, so this is a problem they solve, not one they share.
- C (symmetric key guessing): While both protocols use symmetric encryption, the symmetric keys themselves are long and randomly generated - they're not directly guessable. The weakness is in the password used to derive or protect those keys, not the keys themselves.
- D (asymmetric key guessing): SESAME actually introduced public-key cryptography as an enhancement over Kerberos. Asymmetric keys are computationally infeasible to guess by design.
Memory tip: Think of it as the "human factor" rule - no matter how sophisticated a protocol is, if it roots trust in a human-chosen password, password guessing is always on the table. Both Kerberos and SESAME share this same human-at-the-bottom-of-the-chain weakness.
Topics
Community Discussion
No community discussion yet for this question.