Kerberos

Question 1

Password, PIN, images, etc.

Answer 1

Something user knows

Question 2

Smart cards, keys, tokens

Answer 2

Something user possess

Question 3

Fingerprint, face, retina

Answer 3

Something user is

Question 4

Voice pattern, handwriting style, typing rhythm

Answer 4

Something the user does

Question 5

Method to ensure two similar encrypted passwords have different hash

Answer 5

Salting passwords

Question 6

If k is compromised, all leaked. Reveals two users have same passowrd

Answer 6

Cannot encrypt all passwords with same key

Question 7

Protected from passive eavesdroppers and active malicious users

Answer 7

Security in kerberos

Question 8

Users shouldn’t notice authentication taking place

Answer 8

transparency

Question 9

large numbers of users and servers

Answer 9

scalability in kerberos

Question 10

eavesdropping, tampering, replay

Answer 10

malicious user eavesdrops, tampers, or replays other users’ conversation to gain unauthorized access

Question 11

malicious user with access to workstation pretends to be user from same workstation

Answer 11

user impersonation

Question 12

malicious user changes network address of his workstation to impersonate another workstation

Answer 12

network address impersonation

Question 13

trusted authentication service on network

Answer 13

trusted third party

Question 14

• password can never travel over network
• password cannot be stored in any form on client machine
• password should never be stored in unecrypted form
• user is asked to enter password only once per work session

Answer 14

Kerberos password design objectives

Question 15

Application server cannot contain authentication info for their users?

Answer 15

• admin can disable account of any user by acting in single location

Question 16

Both user and application must prove authenticity

Answer 16

mutual authentication

Question 17

Proves that user has authenticated

Answer 17

ticket

Question 18

encrypts ticket with key known to server, but not user

Answer 18

authentication server

Question 19

client cannot ___ or ____ contents of ticket

Answer 19

know or modify

Question 20

Malicious user may steal service ticket of another user on same workstation

Answer 20

Ticket hijacking

Question 21

Server must verify that the user who is presenting the ticket is the same user to whom the ticket was issued

Answer 21

Ticket hijacking

Question 22

Attacker can misconfigure the network so that he receives messages addressed to a legitimate server

Answer 22

No server authentication

Question 23

Server must prove identity to users

Answer 23

No server authentication

Question 24

Receving ticket from client is not enough to guarantee authenticity

Answer 24

Replay attack

Question 25

Client sends _____ where the username and current timestamp are included and encrypts it with the session key

Answer 25

the authenticator

Question 26

Critical for machines to be time synchronized

Answer 26

Using session key for authentication

Question 27

Server remembers authenticators which have arrived within the last 2 minutes and reject them if they are replicas

Answer 27

Replay cache

Question 28

Prove identity once to obtain a special ___ ticket

Answer 28

Ticket Granting Service

Question 29

Use ___ to get tickets for any network service

Answer 29

TGS

Question 30

Client cannot forge or tamper with it

Answer 30

TGS ticket

Question 31

Used to obtain service ticket and short-term session key for each network service

Answer 31

TGS ticket

Question 32

Network divided into realms

Answer 32

Kerberos in large networks

Question 33

• Get ticket from home-realm TGS from home-realm KDC
• Get ticket for remote realm TGS from home realm TGS
• Get ticket from remote service from realms TGS
• use remote realm ticket to acccess service

Answer 33

Kerberos in large networks

Question 34

Separate session key for each user-server pair

Answer 34

Short term session keys

Question 35

Long-term secrets used only to derive short-term keys

Answer 35

Short term session keys

Question 36

Used to prevent replays with synchronized clocks

Answer 36

Authenticator

Question 37

Symmetric cryptography only

Answer 37

Kerberos

Question 38

Server can access other servers on user’s behalf

Answer 38

Kerberos v5

Question 39

Better user-server authentication

Answer 39

Kerberos v5

Question 40

Separate subkey for each user-server session instead of re-using session key contain in ticket

Answer 40

Kerberos v5

Question 41

Authentication via subkeys, not timestamp increments

Answer 41

Kerberos v5