Authentication Systems
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- What an authentication system is and the model they share
- Kerberos: KDC, tickets, and time
- SAML, OAuth 2.0, and OpenID Connect
- RADIUS vs TACACS+: the AAA discriminators
- Exam-pattern recognition
Authentication protocols at a glance: purpose and tested properties
| Property | Kerberos | SAML | OAuth 2.0 / OIDC | RADIUS | TACACS+ |
|---|---|---|---|---|---|
| Primary purpose | Network authentication inside one domain (SSO) | Browser web SSO across organizations | OAuth: delegated authorization; OIDC: authentication | Centralized AAA for network access | Centralized AAA, esp. device administration |
| Artifact carried | Tickets (TGT + service tickets) | Signed XML assertion | Access token (OAuth) / signed JWT ID token (OIDC) | Attribute-value pairs in an Access-Request | Attribute-value pairs in TCP messages |
| Transport / encoding | Symmetric-key tickets over the network | XML over HTTP browser redirects | REST/JSON over HTTPS | UDP | TCP |
| What is encrypted | Tickets encrypted with shared keys | Assertion signed (and optionally encrypted) | Tokens over TLS; ID token is signed | Only the user password | The entire packet body |
| AAA structure | Authentication (tickets); authz via service | Authentication assertion (+ attributes) | OAuth = authorization; OIDC = authentication | Combines authentication and authorization | Separates authentication, authorization, accounting |
| Single point of failure / key risk | KDC compromise forges any ticket; clock skew | IdP signing-key compromise forges assertions | Stolen bearer token; mistaking OAuth for authN | Cleartext packet exposes attributes | TCP/connection-oriented; Cisco-origin |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
References
- Kerberos authentication overview (Windows Server)
- Maximum tolerance for computer clock synchronization (Kerberos policy)
- Replay attack (NIST Computer Security Resource Center glossary) Whitepaper
- Microsoft Defender for Identity security alerts (golden ticket / KRBTGT)
- Single sign-on SAML protocol (Microsoft identity platform)
- NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions Whitepaper
- OAuth 2.0 and OpenID Connect protocols (Microsoft identity platform)
- Network Policy Server (NPS) overview, RADIUS server