PrepAway - Latest Free Exam Questions & Answers


Which of the following describes the sequence of steps required for a Kerberos session to be established
between a user (Principal P1), and an application server (Principal P2)?


A. Principals P1 and P2 authenticate to the Key Distribution Center (KDC).

B. Principal P1 receives a Ticket Granting Ticket (TGT), and then Principal P2 requests a service ticket from the KDC.

C. Principal P1 authenticates to the Key Distribution Center (KDC), Principal P1 receives a Ticket Granting Ticket (TGT), and Principal P1 requests a service ticket from the Ticket Granting Service (TGS) in order to access the application server P2.

D. Principal P1 authenticates to the Key Distribution Center (KDC).

E. Principal P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and then Principal P1 requests a service ticket from the application server P2.

F. Principals P1 and P2 authenticate to the Key Distribution Center (KDC), Principal P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and application server P2 requests a service ticket from P1.

Explanation:
In the following sequence, the user (Principal P1) is Emily and the server (Principal P2) is a print server:
1. Emily comes in to work and enters her username and password into her workstation at 8:00 A.M. The
Kerberos software on Emily’s computer sends the username to the authentication service (AS) on the KDC,
which in turn sends Emily a ticket granting ticket (TGT) that is encrypted with Emily’s password (secret key).
2. If Emily has entered her correct password, then this TGT is decrypted and Emily gains access to her local
workstation desktop.
3. When Emily needs to send a print job to the print server, her system sends the TGT to the ticket granting
service (TGS), which runs on the KDC, and a request to access the print server. (The TGT allows Emily to
prove she has been authenticated and allows her to request access to the print server.)
4. The TGS creates and sends a second ticket to Emily, which she will use to authenticate to the print server.
This second ticket contains two instances of the same session key, one encrypted with Emily’s secret key
and the other encrypted with the print server’s secret key. The second ticket also contains an authenticator,
which contains identification information on Emily, her system’s IP address, sequence number, and a
timestamp.
5. Emily’s system receives the second ticket, decrypts and extracts the embedded session key, adds a second
authenticator set of identification information to the ticket, and sends the ticket on to the print server.
6. The print server receives the ticket, decrypts and extracts the session key, and decrypts and extracts the
two authenticators in the ticket. If the print server can decrypt and extract the session key, it knows the KDC
created the ticket, because only the KDC has the secret key used to encrypt the session key. If the
authenticator information that the KDC and the user put into the ticket matches, then the print server knows
it received the ticket from the correct principal.
7. Once this is completed, it means Emily has been properly authenticated to the print server and the server
prints her document.
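As an added illustration that is not part of the exam guide or this page, the toy Python model below walks through steps 1 to 7 with constructed principals ("emily", "print-server"), a password-derived user key, and a small HMAC-based cipher standing in for Kerberos's real encryption. One assumption beyond the page's wording: the TGT inside the AS reply is additionally sealed under a TGS key so that the TGS can verify it in step 3, which is how real Kerberos lets the KDC trust a presented TGT.

```python
import hmac, json, os, time, hashlib
def _xor(key, nonce, data):
    # toy keystream: HMAC-SHA256 blocks under (key, nonce), XORed into data
    ks = b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    # toy authenticated encryption: nonce || ciphertext || HMAC tag, as hex
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = _xor(key, nonce, pt)
    return (nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()).hex()

def open_(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(_xor(key, nonce, ct))

# Constructed principals: the KDC holds every principal's secret key (user key from password)
KEYS = {"emily": hashlib.sha256(b"correct horse").digest(), "print-server": os.urandom(32)}
TGS_KEY = os.urandom(32)   # assumption: TGS key so the TGS can verify a presented TGT
def kdc_as(user):                   # step 1: AS wraps a TGT in the user's password-derived key
    return seal(KEYS[user], {"tgt": seal(TGS_KEY, {"user": user})})

def kdc_tgs(tgt, service, addr):    # steps 3-4: TGS checks the TGT, issues the second ticket
    user = open_(TGS_KEY, tgt)["user"]
    sk = os.urandom(32).hex()       # one session key, sealed once per party below
    kdc_auth = {"user": user, "addr": addr, "seq": 1, "ts": int(time.time())}
    return {"for_user": seal(KEYS[user], {"sk": sk}),
            "for_service": seal(KEYS[service], {"sk": sk, "auth": kdc_auth})}
def service_verify(service, ticket, client_auth):   # step 6: print server side
    inner = open_(KEYS[service], ticket)            # only the KDC could have built this
    sk = bytes.fromhex(inner["sk"])
    claimed = open_(sk, client_auth)                # second authenticator, under session key
    ok = all(claimed[k] == inner["auth"][k] for k in ("user", "addr", "seq"))
    return {"authenticated": ok, "user": inner["auth"]["user"]}

def kerberos_session(user, password, service, addr="10.0.0.5"):
    ukey = hashlib.sha256(password.encode()).digest()
    try:
        tgt = open_(ukey, kdc_as(user))["tgt"]      # step 2: wrong password -> cannot decrypt
    except ValueError:
        return {"authenticated": False, "user": user}
    t = kdc_tgs(tgt, service, addr)
    sk = bytes.fromhex(open_(ukey, t["for_user"])["sk"])   # step 5: extract session key
    client_auth = seal(sk, {"user": user, "addr": addr, "seq": 1})
    return service_verify(service, t["for_service"], client_auth)
```

Running `kerberos_session("emily", "correct horse", "print-server")` returns an authenticated result, while a wrong password fails at step 2 and a client authenticator whose address disagrees with the KDC's copy fails at step 6.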
Incorrect Answers:
A: Principal P2 does not need to authenticate to the Key Distribution Center (KDC). There are more steps
required than there are listed in this answer.
B: Principal P1 must authenticate first. Principal P2 does not request a service ticket from the KDC. There are
more steps required than there are listed in this answer.
D: There are more steps required than there are listed in this answer.
E: Principal P1 must authenticate first. Principal P1 does not request a service ticket from the application server
P2. There are more steps required than there are listed in this answer.
F: Principal P2 does not need to authenticate to the Key Distribution Center (KDC). Principal P2 does not
request a service ticket from Principal P1. There are more steps required than there are listed in this answer.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 210