Page 985 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
certificate, and LDAP is one of the protocols used.
LDAP and centralized access control systems can be used to support single sign-on capabilities.
Kerberos
Ticket authentication is a mechanism that employs a third-party entity to prove identification and provide authentication. The most common and well-known ticket system is Kerberos.
The Kerberos name is borrowed from Greek mythology. A three-headed dog named Kerberos, sometimes referred to as Cerberus, guards the gates to the underworld. The dog faces inward, preventing escape rather than denying entrance.
Kerberos offers a single sign-on solution for users and provides protection for logon credentials. The current version, Kerberos 5, relies on symmetric-key cryptography (also known as secret-key cryptography) using the Advanced Encryption Standard (AES) symmetric encryption protocol. Kerberos provides confidentiality and integrity for authentication traffic using end-to-end security and helps protect against eavesdropping and replay attacks. It uses several different elements that are important to understand:
Key Distribution Center: The key distribution center (KDC) is the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with the KDC, and it maintains the secret keys for all network members.
Kerberos Authentication Server: The authentication server hosts the functions of the KDC: a ticket-granting service (TGS) and an authentication service (AS). However, it is possible to host the ticket-granting service on another server. The authentication service verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC.
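To make the KDC, AS and TGS roles concrete, the following is an added Python model of the two exchanges (AS-REQ/AS-REP, then TGS-REQ/TGS-REP); it is not code from the study guide. It assumes a toy HMAC-SHA256 encrypt-then-MAC construction in place of AES, a 5-minute clock-skew window, a replay cache of seen authenticators, and constructed principal names such as "alice" and "fileserver".

```python
import hashlib, hmac, json, os

SKEW = 300  # seconds of clock skew tolerated (assumption; 5 minutes is a common Kerberos default)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object (HMAC-SHA256 keystream + tag), a stand-in for AES."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting: a forged or altered ticket is rejected here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:  # trusted third party: holds every principal's secret key and runs the AS and TGS
    def __init__(self, principals):
        self.keys = {p: os.urandom(32) for p in ("krbtgt", *principals)}  # krbtgt = the TGS's own key
        self.replay_cache = set()  # (client, timestamp) authenticators already accepted

    def as_exchange(self, client, now):
        """AS-REP: a session key plus a TGT, sealed so only the client's own key opens it."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "exp": now + 8 * 3600})
        return seal(self.keys[client], {"sk": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex, authenticator, service, now):
        """TGS-REP: check TGT and authenticator for authenticity and timeliness, then issue a service ticket."""
        tgt = unseal(self.keys["krbtgt"], bytes.fromhex(tgt_hex))
        if now > tgt["exp"]: raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(tgt["sk"]), authenticator)
        if auth["client"] != tgt["client"] or abs(now - auth["ts"]) > SKEW:
            raise PermissionError("authenticator is stale or does not match the TGT")
        if (auth["client"], auth["ts"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["ts"]))
        return seal(self.keys[service], {"client": tgt["client"], "service": service, "exp": now + 3600})

def client_logon(kdc, client, client_key, service, now):
    """Client side: AS exchange at logon, then a TGS exchange for one service; returns (TGT hex, service ticket)."""
    rep = unseal(client_key, kdc.as_exchange(client, now))
    authenticator = seal(bytes.fromhex(rep["sk"]), {"client": client, "ts": now})
    return rep["tgt"], kdc.tgs_exchange(rep["tgt"], authenticator, service, now)
```

The service ticket is sealed under the service's key, so the client can relay it but cannot read or alter it, and a replayed or out-of-window authenticator is refused by the TGS.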
Ticket-Granting Ticket: A ticket-granting ticket (TGT) provides