Читаем CISSP Practice полностью

247. a. The primary goal of Kerberos is to prevent system users from claiming the identity of other users in a distributed computing environment. The Kerberos authentication system is based on secret key cryptography. The Kerberos protocol provides strong authentication of users and host computer systems. Further, Kerberos uses a trusted third party to manage the cryptographic keying relationships, which are critical to the authentication process. System users have a significant degree of control over the workstations used to access network services, and these workstations must therefore be considered not trusted.

Kerberos was developed to provide distributed network authentication services involving client/server systems. A primary threat in this type of client/server system is the possibility that one user claims the identity of another user (impersonation), thereby gaining access to system services without the proper authorization. To protect against this threat, Kerberos provides a trusted third party accessible to network entities, which supports the services required for authentication between these entities. This trusted third party is known as the Kerberos key distribution server, which shares secret cryptographic keys with each client and server within a particular realm. The Kerberos authentication model is based upon the presentation of cryptographic tickets to prove the identity of clients requesting services from a host system or server.

The other three choices are incorrect because they cannot reduce the risk of impersonation. For example: (i) passwords can be shared, guessed, or captured and (ii) memory tokens and smart tokens can be lost or stolen. Also, these three choices do not use a trusted third party to strengthen controls as Kerberos does.

248. What do the weaknesses of Kerberos include?

1. Subject to dictionary attacks.

2. Works with existing security systems software.

3. Intercepting and analyzing network traffic is difficult.

4. Every network application must be modified.

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 3 and 4

248. c. Kerberos is an authentication system with encryption mechanisms that make network traffic secure. Weaknesses of Kerberos include (i) it is subject to dictionary attacks where passwords can be stolen by an attacker and (ii) it requires modification of all network application source code, which is a problem with vendor developed applications with no source code provided to users. Kerberos strengths include that it can be added to an existing security system and that it makes intercepting and analyzing network traffic difficult. This is due to the use of encryption in Kerberos.

249. Less common ways to initiate impersonation attacks on the network include the use of which of the following?

a. Firewalls and account names

b. Passwords and account names

c. Biometric checks and physical keys

d. Passwords and digital certificates

249. c. Impersonation attacks involving the use of physical keys and biometric checks are less likely due to the need for the network attacker to be physically near the biometric equipment. Passwords and account names are incorrect because they are the most common way to initiate impersonation attacks on the network. A firewall is a mechanism to protect IT computing sites against Internet-borne attacks. Most digital certificates are password-protected and have an encrypted file that contains identification information about its holder.

250. Which of the following security services can Kerberos best provide?

a. Authentication

b. Confidentiality

c. Integrity

d. Availability

250. a. Kerberos is a de facto standard for an authentication protocol, providing a robust authentication method. Kerberos was developed to enable network applications to securely identify their peers and can be used for local/remote logins, remote execution, file transfer, transparent file access (i.e., access of remote files on the network as though they were local) and for client/server requests. The Kerberos system includes a Kerberos server, applications which use Kerberos authentication, and libraries for use in developing applications which use Kerberos authentication. In addition to secure remote procedure call (Secure RPC), Kerberos prevents impersonation in a network environment and only provides authentication services. Other services such as confidentiality, integrity, and availability must be provided by other means. With Kerberos and secure RPC, passwords are not transmitted over the network in plaintext.