Page 987 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
decrypts the symmetric key using a hash of the user’s password.
Note that the client’s password is never transmitted over
the network, but it is verified. The server encrypts a symmetric key
using a hash of the user’s password, and it can only be decrypted
with a hash of the user’s password. As long as the user enters the
correct password, this step works. However, it fails if the user
enters the incorrect password.
When a client wants to access an object, such as a resource hosted on
the network, it must request a ticket through the Kerberos server. The
following steps are involved in this process:
1. The client sends its TGT back to the KDC with a request for access
to the resource.
2. The KDC verifies that the TGT is valid and checks its access control
matrix to verify that the user has sufficient privileges to access the
requested resource.
3. The KDC generates a service ticket and sends it to the client.
4. The client sends the ticket to the server or service hosting the
resource.
5. The server or service hosting the resource verifies the validity of
the ticket with the KDC.
6. Once identity and authorization are verified, Kerberos activity is
complete. The server or service host then opens a session with the
client and begins communications or data transmission.
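The password-derived key step at the top of this page and the six-step service-ticket flow above, as an added toy model (not the book's code and not real Kerberos wire formats): the KDC seals a session key under a hash of the user's password, validates the TGT and its access control matrix before issuing a service ticket, and the service checks that ticket with the key it shares with the KDC. The principals, passwords and the SHA-256 keystream cipher are constructed assumptions for illustration.

```python
import hashlib, hmac, json, os
def key_from_password(password: str) -> bytes:
    # As on the page: the user's symmetric key is keyed under a hash of the password.
    return hashlib.sha256(password.encode()).digest()
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy keystream SHA-256(key || nonce || counter); a stand-in for a real cipher.
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key: bytes, obj: dict) -> bytes:
    # Encrypt-then-MAC: a wrong key or a tampered ticket is detected, not silently garbled.
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered ticket")   # a wrong password ends here
    return json.loads(_xor_stream(key, nonce, ct))
class KDC:
    def __init__(self, users: dict, services: dict, acl: dict):
        self.user_keys = {u: key_from_password(p) for u, p in users.items()}
        self.service_keys = services   # long-term key shared with each service
        self.acl = acl                 # access control matrix: user -> allowed services
        self.tgs_key = os.urandom(32)  # known only to the KDC; seals TGTs
    def login(self, user: str):
        # Initial login: a TGT plus a session key sealed under the user's password hash.
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "session": session})
        return tgt, seal(self.user_keys[user], {"session": session})
    def service_ticket(self, tgt: bytes, service: str) -> bytes:
        # Steps 1-3: validate the TGT, consult the matrix, issue a service ticket.
        claims = unseal(self.tgs_key, tgt)
        if service not in self.acl.get(claims["user"], ()):
            raise PermissionError(f"{claims['user']} may not access {service}")
        return seal(self.service_keys[service], {"user": claims["user"], "service": service})
def service_accepts(service_key: bytes, ticket: bytes, service: str) -> bool:
    # Steps 4-6: the service validates the ticket with the key it shares with the KDC.
    return unseal(service_key, ticket)["service"] == service

def run_flow(password: str, service: str = "fileshare") -> str:
    kdc = KDC({"alice": "correct horse"},  # constructed sample principals and matrix
              {"fileshare": os.urandom(32), "hr-db": os.urandom(32)}, {"alice": {"fileshare"}})
    tgt, sealed_session = kdc.login("alice")
    try:
        unseal(key_from_password(password), sealed_session)  # client side; wrong password fails
        ticket = kdc.service_ticket(tgt, service)
        return "granted" if service_accepts(kdc.service_keys[service], ticket, service) else "rejected"
    except (ValueError, PermissionError) as err:
        return type(err).__name__  # ValueError: bad password; PermissionError: matrix denies
```

Note that the password itself never leaves the client in this model; only the ability to decrypt the sealed session key proves the user knew it.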
Kerberos is a versatile authentication mechanism that works over
LANs, remote access connections, and client-server resource requests. However,
Kerberos presents a single point of failure—the KDC. If the KDC is
compromised, the secret key for every system on the network is also
compromised. Also, if a KDC goes offline, no subject authentication
can occur.
It also has strict time requirements and the default configuration