There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we
compare them side by side, Kerberos tickets correspond most closely to which of the following?

A.
public keys

B.
private keys

C.
public-key certificates

D.
private-key certificates

Explanation:
Public Key describes a system that uses certificates or the underlying public key cryptography on which the
system is based.
In the traditional public key model, clients are issued credentials or “certificates” by a Certificate Authority (CA).
The CA is a trusted third party. Public key certificates contain the user’s name, the expiration date of the
certificate etc. The most common certificate format is X.509. Public key credentials in the form of certificates
and public-private key pairs can provide a strong distributed authentication system.
The Kerberos and public key trust models are very similar. A Kerberos ticket is analogous to a public key
certificate (a Kerberos ticket is supplied to provide access to resources). However, Kerberos tickets usually
have lifetimes measured in days or hours rather than months or years.
Incorrect Answers:
A: Kerberos tickets do not actually contain public keys. They use symmetric cryptography which uses one
shared key instead of asymmetric cryptography which uses public-private key pairs.
B: Kerberos tickets do not contain private keys. They use symmetric cryptography which uses one shared key
instead of asymmetric cryptography which uses public-private key pairs.
D: Private-key certificates are always kept by the authentication provider; they are never distributed to subjects
that require access to resources. The public key is given to the subject to provide access to a resource in a
similar way to a Kerberos ticket.

Tipton, Harold F. and Micki Krause, Information Security Management Handbook, 5th Edition, Auerbach
Publications, Boca Raton, 2006, p. 1438