🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 14.2 - Implementing Authentication Systems (Part 2 of 2)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series goes deep on the ticket-based system that runs internal single sign-on, part of identity and access management in Domain 5. It then covers the two protocols that centralize remote access and quietly authenticate thousands of daily logins.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What is Kerberos and how does it prove identity with tickets?

Kerberos is a ticket-based authentication system that uses a trusted third party to vouch for who you are. Once you prove your identity, it issues you tickets, and your account presents those tickets to reach resources without logging in again. It leans on symmetric-key cryptography and gives authentication traffic both confidentiality and integrity, defending against eavesdropping and replay, much like a theme park wristband verified once at the gate.

What are the moving parts inside Kerberos?

The key distribution center is the trusted third party that authenticates everyone and holds the secret keys. Inside it sit the authentication service, which verifies identities, and the ticket-granting service, which hands out tickets. A ticket is encrypted proof that you may access a specific object with a limited lifetime, a ticket-granting ticket proves you already authenticated, a principal is any entity that can request a ticket, and a realm is the logical domain Kerberos rules over.

How does the Kerberos login actually flow?

In a careful exchange where your password never crosses the wire. The client sends only the username and domain to the authentication server, which confirms you exist. The key distribution center then builds a session key and a timestamped ticket-granting ticket, encrypting the session key with a hash of your password, and ships both back. Your client decrypts the session key using a hash of the password you typed, so a wrong password simply fails to decrypt.

Where is Kerberos fragile?

In a couple of important places. The key distribution center is a single point of failure, so compromising it exposes every secret key on the network, and taking it offline means no one can authenticate at all. Kerberos is also strict about time: by default every system must sit within five minutes of the others, so organizations sync clocks against a common source, since a machine that drifts out of sync loses access to protected resources.

How do RADIUS and TACACS+ differ?

RADIUS centralizes authentication for remote connections when an organization runs several access servers, and by default it encrypts only the password, not the whole session. TACACS+ improves on that by separating authentication, authorization, and accounting into distinct processes that can live on separate servers, encrypting the entire exchange rather than just the password, and running over a connection-oriented transport for more reliable delivery.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 14.2 - Implementing Authentication Systems (Part 2 of 2).