Domain 5 of 8 · Chapter 6 of 6

Authentication Systems

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • What an authentication system is and the model they share
  • Kerberos: KDC, tickets, and time
  • SAML, OAuth 2.0, and OpenID Connect
  • RADIUS vs TACACS+: the AAA discriminators
  • Exam-pattern recognition

Authentication protocols at a glance: purpose and tested properties

PropertyKerberosSAMLOAuth 2.0 / OIDCRADIUSTACACS+
Primary purposeNetwork authentication inside one domain (SSO)Browser web SSO across organizationsOAuth: delegated authorization; OIDC: authenticationCentralized AAA for network accessCentralized AAA, esp. device administration
Artifact carriedTickets (TGT + service tickets)Signed XML assertionAccess token (OAuth) / signed JWT ID token (OIDC)Attribute-value pairs in an Access-RequestAttribute-value pairs in TCP messages
Transport / encodingSymmetric-key tickets over the networkXML over HTTP browser redirectsREST/JSON over HTTPSUDPTCP
What is encryptedTickets encrypted with shared keysAssertion signed (and optionally encrypted)Tokens over TLS; ID token is signedOnly the user passwordThe entire packet body
AAA structureAuthentication (tickets); authz via serviceAuthentication assertion (+ attributes)OAuth = authorization; OIDC = authenticationCombines authentication and authorizationSeparates authentication, authorization, accounting
Single point of failure / key riskKDC compromise forges any ticket; clock skewIdP signing-key compromise forges assertionsStolen bearer token; mistaking OAuth for authNCleartext packet exposes attributesTCP/connection-oriented; Cisco-origin

Decision tree

What is being authenticated? match the scenario boundary first Login inside one domain Kerberos (TGT + tickets) Cross-org web / API app Authenticate the user, or just delegate API access? Network-device access (AAA) Per-command device admin with full encryption? Authenticate user (browser SSO) SAML (XML assertion) Authenticate user (mobile / API) OpenID Connect (ID token) Only delegate access OAuth 2.0 (access token) Yes TACACS+ (TCP) No: open-standard VPN / Wi-Fi RADIUS (UDP)

Cheat sheet

  • An authentication protocol transports a verifiable artifact so the resource trusts the authority instead of re-checking the credential
  • Kerberos issues tickets from a central KDC so the password never crosses the network on each access
  • The KDC has two parts: the AS authenticates the user, the TGS issues per-service tickets
  • A TGT proves identity to the KDC; a service ticket proves authorization to one service
  • Kerberos timestamps every ticket, so it depends on synchronized clocks to reject replays
  • Kerberos provides mutual authentication, so the client verifies the server too
  • The KDC is a single point of failure: compromise it and an attacker forges tickets for anyone
  • SAML carries a signed XML assertion from an IdP to an SP for browser-based web SSO
  • SAML fits browser web SSO but is heavyweight for mobile and API clients
  • OAuth 2.0 delegates authorization; it does not authenticate the user
  • OpenID Connect is an authentication layer on top of OAuth 2.0 that adds an ID token
  • RADIUS and TACACS+ both centralize AAA, but four properties separate them
  • RADIUS runs over UDP and encrypts only the user's password, leaving the rest of the packet in cleartext
  • RADIUS combines authentication and authorization; TACACS+ separates authentication, authorization, and accounting
  • TACACS+ runs over TCP, encrypts the whole packet body, and is the choice for device administration
  • RADIUS is the open IETF standard; TACACS+ originated at Cisco
  • Match the scenario's boundary and resource type to the protocol before reasoning further
  • Certificate path validation chains each signature up to a trust anchor
  • OCSP gives real-time revocation; stapling adds privacy by delivering it in the handshake
  • Mutual TLS with per-device X.509 certificates is the machine-to-machine identity control
  • Windows AD: cross-forest Kerberos trust, NTLM fallback on IP access, GC 3268, LDAPS 636

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. Kerberos authentication overview (Windows Server)
  2. Maximum tolerance for computer clock synchronization (Kerberos policy)
  3. Replay attack (NIST Computer Security Resource Center glossary) Whitepaper
  4. Microsoft Defender for Identity security alerts (golden ticket / KRBTGT)
  5. Single sign-on SAML protocol (Microsoft identity platform)
  6. NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions Whitepaper
  7. OAuth 2.0 and OpenID Connect protocols (Microsoft identity platform)
  8. Network Policy Server (NPS) overview, RADIUS server