Solved CASP+ - Cryptography & PKI

---

Hello guys,

in the Cryptography & PKI unit you describe the Kerberos process with a smartcard. For me it is a bit misleading. You say in the second step the TGT request is made to the AS using private key. In the third step you say the AS uses the public key for decryption. Doesn't this sequence describe the signing and signature verification process?
Because I would encrypt with the public key and decrypt with the private key, wouldn't it?

Maybe you can give two more sentences to explain this.

Thanks and greetings
Sven

@Sven-Richter , hope all is well. I am not sure what episode(s) you may be referring to in your question?

I have gone back through both PKI episodes in the Security Engineering & Cryptography section of the CASP+ (CAS-004) course, and Kerberos is mentioned only once in the PKI - Advanced episode (2nd of the 2 in the PKI block) at approximately the 24 - 25-minute mark, & not at all in the PKI - Basics episode.

Neither episode discusses Kerberos as a process, nor goes into the steps involved in using Kerberos/how it functions.

Can you provide a specific episode name and the approximate timestamp for where the discussion you are asking about takes place? That would be helpful to allow me to narrow down what it is you are asking about and try to address your question.

Cheers,

Adam

Hi @Adam-Gordon,

I mean in CompTIA CASP+ (CAS-004) - the session "Cryptography & PKI" under Security Architecture. From minute 17 you explain the slide and as it is written on the slide it confuses me a bit :).

Thanks,
Sven

@Sven-Richter , Thank you for the clarification... I was looking at the wrong section of the course...

The process being described in the episode involves the use of a smartcard, which can add a layer of complexity/confusion because its process occurs outside of the initial operations of the Kerberos process ...

Assume that steps 1 - 3 in/on the slide correspond to steps 1 - 3 in the listing below.

Assume that step 4 in/on the slide corresponds to step 4 in the listing below.

Let' see if the following will help to clarify:

Kerberos - ticket based authentication solution relying on symmetric encryption using AES. Provides Confidentiality and Integrity for authentication traffic end to end, protecting against replay attacks and eavesdropping.

Components:

1. Key Distribution Center (KDC) - trusted third party that provides authentication services. Maintains the secret keys for all registered entities.

2. Authentication Server (AS) - verifies and accepts/rejects tickets based on authenticity and timeliness.

3. Ticket Granting Server (TGS) - issues tickets to authorized users

The KDC's functionality overall is broken down into the AS and TGS elements. In many Kerberos implementations both KDC is implemented as a single server solution with the AS and TGS functionality provided as services running on the KDC.

Ticket - an encrypted message that provides some form or type of proof depending on what type of ticket it is. 2 types:

a. Ticket-Granting Ticket (TGT) - proof that a subject has authenticated through a KDC successfully and is authorized to request additional Service Tickets to access objects

b. Service Ticket (ST) - proof that a subject is authorized to access an object

Kerberos logon process:

1. user provides a username and password through a client

2. client sends ONLY the username to the KDC (user password is NEVER sent)

3. KDC verifies username against directory database

4. KDC generates a symmetric key to be used by the client and the KDC to communicate. It encrypts the key with a hash of the user's password. KDC also generates an encrypted time-stamped Ticket Granting Ticket (TGT).

5. KDC transmits the encrypted symmetric key and the TGT to the client

6. Client installs the TGT and uses till expires. Client also will decrypt the symmetric key from the KDC by using a hash of their password

Client attempting access to an object:

1. client sends their TGT back to the KDC along with a request to access the resource

2. KDC verifies that the TGT is valid, and that the user has proper authorization to access the resource

3. KDC generates a Service Ticket (ST) and sends it to the client

4. client sends the ST to the appropriate server hosting the resource or providing the service

5. the server verifies ST validity with the KDC

6. client is granted access to the resource

Hopefully that helps....

@Adam-Gordon - thank you very much for your detailed explanation.