CREST Practitioner Security Analyst (CPSA) Practice

Which of the following is true regarding the Kerberos protocol?

• A. It is a method used for transferring files securely.
• B. It uses tickets for authentication over non-secure networks.
• C. It operates without any form of encryption.
• D. It is used exclusively for email transmission.

The correct answer is: It uses tickets for authentication over non-secure networks.

The Kerberos protocol is a network authentication protocol designed to provide secure authentication for users and services over potentially insecure networks. The key aspect of Kerberos is its use of tickets for authentication. When a user attempts to access a service, Kerberos provides a ticket that contains the user's identity and session information. This ticket is encrypted and can only be decrypted by the intended service, allowing for secure user authentication without the need to send passwords over the network. Using tickets mitigates the risks associated with password-based authentication, especially in environments where network security cannot be guaranteed. The design allows users to authenticate once and obtain multiple tickets for various services, thus enabling single sign-on functionality while maintaining a high level of security. Given this context, the assertion that Kerberos uses tickets for authentication over non-secure networks accurately reflects the protocol's core function and strengths. The other options either misrepresent its purpose or functionality, such as suggesting that Kerberos is solely for file transfer or email transmission, or that it operates without encryption, which contradicts its fundamental design that heavily relies on encryption to protect ticket data.