UNIT 4: User Authentication IT 244: Information Security

Authentication
The basis of computer security is controlled access: someone is authorized to take some
action on something. For access control to work, we need to be sure who the “someone” is.
Authentication is the process of ascertaining or confirming an identity. It is necessary for
determining whether a user (or other entity) should be allowed access to a system.

Computer system does not have the cues we do with face-to-face communication that lets us
recognize our friends. Instead computers depend on data to recognize others. Determining
who a person really is consists of two separate steps:

• Identification is the act of asserting who a person is.

• Authentication is the act of proving that asserted identity: that the person is who she says
she is.

We have phrased these steps from the perspective of a person seeking to be recognized,
using the term “person” for simplicity. In fact, such recognition occurs between people,
computer processes (executing programs), network connections, devices, and similar active
entities. In security, all these entities are called subjects.

The two concepts of identification and authentication are easily and often confused.
Identities, like names, are often well known, public, and not protected. On the other hand,
authentication is necessarily protected. If someone’s identity is public, anyone can claim to
be that person. What separates the pretenders from the real person is proof by
authentication.

Authentication mechanisms use any of three qualities to confirm a user’s identity:

• Something the user knows. Passwords, PIN numbers, passphrases, a secret handshake,
and mother’s maiden name are examples of what a user may know.

• Something the user is. These authenticators, called biometrics, are based on a physical
characteristic of the user, such as a fingerprint, the pattern of a person’s voice, or a face
(picture). These authentication methods are old (we recognize friends in person by their
faces or on a telephone by their voices) but are just starting to be used in computer
authentications.

• Something the user has. Identity badges, physical keys, a driver’s license, or a uniform are
common examples of things people have that make them recognizable.

Two or more forms can be combined; for example, a bank card and a PIN combine something
the user has (the card) with something the user knows (the PIN).
Arjun Lamichhane Page 1
 UNIT 4: User Authentication IT 244: Information Security

Password Based Authentication(Something You Know)

An ideal password is something that you know, something that a computer can verify that
you know, and something nobody else can guess even with access to unlimited computing
resources. But in practice it's difficult to even come close to this ideal.

In addition, many other things that we don't call "password" act as passwords. For example,
the PIN number used with an ATM card is, in effect, a password. And if you forget your
password, a user-friendly website might authenticate you based on your pet name, your first
school name, or your date of birth, in which case, these things are acting as passwords. A
problem with such passwords is that they are often not secret.

If left to their own devices, users tend to select bad passwords, which makes password
cracking surprisingly easy. From a security perspective, a solution to the password problem
would be to instead use randomly generated cryptographic keys. The work of cracking such
a "password" would be equivalent to an exhaustive key search, in which case our passwords
could be made at least as strong as our cryptography. The problem with such an approach is
that humans must remember their passwords and we're not good at remembering randomly
selected bits.

Choosing Passwords
Not all passwords are created equal. For example, everyone would probably agree that the
following passwords are weak:

• Frank
• Pikachu
• 10251960
• AustinStamp

especially if your name happens to be Frank, or Austin Stamp, or your birthday is on

10/25/1960.

Security often rests on passwords and, consequently, users should have passwords that are
difficult to guess. However, users must be able to remember their passwords. With that in
mind, are the following passwords better than the weak passwords above?

• jfIej(43j-EmmL+y
• 09864376537263
• POkemON

Arjun Lamichhane Page 2

 UNIT 4: User Authentication IT 244: Information Security

• FSa7Yago

The first password, jfIej (43j-EmmL+y, would certainly be difficult for Trudy to guess, but
it would also be difficult for Alice to remember. Such a password is likely to end up on the
proverbial post-it note stuck to the front of Alice's computer. This could make Trudy's job
much easier than if Alice had selected a "less secure" password.

The second password on the list above is also probably too much for most users to
remember. Even the highly trained U.S. military personal responsible for launching nuclear
missiles are only required to remember 12-digit firing codes.

The third password POkemON might be difficult to guess, since it's not a standard
dictionary word due to the digits and the upper case letters. However, if the user were known
to be a fan of Pokémon, this password might be relatively easy prey.

The final password, FSa7Yago, might appear to reside in the difficult to guess, but too
difficult to remember category. However, there is a trick to help the user remember it—it's
based on a passphrase. That is, FSa7Yago is derived from the phrase "four score and seven
years ago." Consequently, this password should be relatively easy for Alice to remember, and
yet relatively difficult for Trudy to guess.

Password Verification
For a computer to determine the validity of a password, it must have something to compare
against. That is, the computer must have access to the correct password in some form. But
it's probably a bad idea to simply store the actual passwords in a file, since this would be a
prime target for Trudy. Here, as in many other areas in information security, cryptography
provides a sound solution. It might be tempting to encrypt the password file with a
symmetric key. However, to verify passwords, the file must be decrypted, so the decryption
key must be as accessible as the file itself. Consequently, if Trudy can steal the password file,
she can probably steal the key as well. Consequently, encryption is of little value here.

So, instead of storing raw passwords in a file or encrypting the password file, it's more secure
to store hashed passwords. For example, if Alice's password is FSa7Yago, we could store

y = h(FSa7Yago)

in a file, where h is a secure cryptographic hash function. Then when someone claiming to be
Alice enters a password x, it is hashed and compared to y, and if y = h(x) then the entered
password is assumed to be correct and the user is authenticated.

The advantage of hashing passwords is that if Trudy obtains the password file, she does not
obtain the actual passwords—instead she only has the hashed passwords. Note that we are

Arjun Lamichhane Page 3

 UNIT 4: User Authentication IT 244: Information Security

relying on the one-way property of cryptographic hash functions to protect the passwords.
Of course, if Trudy knows the hash value y, she can conduct a forward search attack by
guessing likely passwords x until she finds an x for which y = h(x), at which point she will
have cracked the password. But at least Trudy has work to do after she has obtained the
password file.

Suppose Trudy has a dictionary containing N common passwords, say,

d0, d1, d2, … , dN-1

Then she could precompute the hash of each password in the dictionary,

y0=h(d0),y1=h( d1),y2=( d2), … ,yN-1=h( dN-1+)

Now if Trudy gets access to a password file containing hashed passwords, she only needs to
compare the entries in the password file to the entries in her precomputed dictionary of
hashes. Furthermore, the precomputed dictionary could be reused for each password file,
thereby saving Trudy the work of recomputing the hashes. And if Trudy is feeling
particularly generous, she could post her dictionary of common passwords and their
corresponding hashes online, saving all other attackers the work of computing these hashes.
From the good guy's point of view, this is a bad thing, since the work of computing the hashes
has been largely negated.

Other Password Issues

As bad as it is, password cracking is only the tip of the iceberg when it comes to problems
with passwords. Today, most users need multiple passwords, but users can't (or won't)
remember a large number of passwords. This results in a significant amount of password
reuse, and any password is only as secure as the least secure place it's used. If Trudy finds
one of your passwords, she would be wise to try it (and slight variations of it) in other places
where you use a password.

Social engineering is also a major concern with passwords. For example, if someone calls
you, claiming to be a system administrator who needs your password to correct a problem
with your account, would you give away your password? According to a recent survey, 34%
of users will give away their password if you ask for it, and the number increases to 70% if
you offer a candy bar as incentive.

Keystroke logging software and similar Spyware are also serious threats to password-based
security. The failure to change default passwords is a major source of attacks as well.

An interesting question is, who suffers from bad passwords? The answer is that it depends.
If you choose your birthday for your ATM PIN number, only you stand to lose. On the other

Arjun Lamichhane Page 4

 UNIT 4: User Authentication IT 244: Information Security

hand, if you choose a weak password at work, the entire company stands to lose. This
explains why banks usually let users choose any PIN number they desire for their ATM cards,
but companies generally try to force users to select reasonably strong passwords.

Token Based Authentication (Something You Have)

Token-based authentication is a protocol which allows users to verify their identity, and in
return receive a unique access token. During the life of the token, users then access the
website or app that the token has been issued for, rather than having to re-enter credentials
each time they go back to the same webpage, app, or any resource protected with that same
token.

Auth tokens work like a stamped ticket. The user retains access as long as the token remains
valid. Once the user logs out or quits an app, the token is invalidated.

Token-based authentication is different from traditional password-based or server-based

authentication techniques. Tokens offer a second layer of security, and administrators have
detailed control over each action and transaction.

Before we had authentication tokens, we had passwords and servers. We used traditional
methods to ensure that the right people had access to the right things at the right time. It
wasn't always effective.

Consider passwords. Typically, they involve:

 User generation. Someone comes up with a combination of letters, numbers, and

symbols.

 Memory. The person must keep that unique combination in their mind.

 Repetition. Whenever the user needs to access something, the password has to be
entered.

Password theft is common. In fact, one of the first documented cases of password theft
happened all the way back in 1962. People can't remember all of their passwords, so they
resort to tricks, such as:

 Writing them all down. Loose pieces of paper filled with passwords are security
nightmares.

 Repeating them. People tend to use the same password in multiple places. If one
password is discovered, many accounts may be vulnerable.

 Slightly changing them. People change one letter or number when prompted to update
a password.
Arjun Lamichhane Page 5
 UNIT 4: User Authentication IT 244: Information Security

Passwords also require server authentication. Each time the person logs on, the computer
creates a record of the transaction. Memory load increases accordingly.

Token authentication is different. With token authentication, a secondary service verifies a

server request. When verification is complete, the server issues a token and responds to the
request.

The user may still have one password to remember, but the token offers another form of
access that's much harder to steal or overcome. And the session's record takes up no space
on the server.

Authentication Token Types

All authentication tokens allow access, but each type works a little differently.

These are three common types of authentication tokens:

 Connected: Keys, discs, drives, and other physical items plug into the system for
access. If you've ever used a USB device or smartcard to log into a system, you've used
a connected token.

 Contactless: A device is close enough to a server to communicate with it, but it doesn't
plug in. Microsoft's so-called "magic ring" would be an example of this type of token.

 Disconnected: A device can communicate with the server across long distances, even
if it never touches another device at all. If you've ever used your phone for a two-
factor authentication process,
you've used this type of token.

In all three of these scenarios, a user must

do something to start the process. They
may need to enter a password or answer
a question. But even when they complete
those preliminary steps perfectly, they
can't gain access without the help of an
access token.

Using a token-based authentication system, visitors will verify credentials just once. In
return, they'll get a token that allows access for a time period you define.

The process works like this:

 Request: The person asks for access to a server or protected resource. That could
involve a login with a password, or it could involve some other process you specify.

Arjun Lamichhane Page 6

 UNIT 4: User Authentication IT 244: Information Security

 Verification: The server determines that the person should have access. That could
involve checking the password against the username, or it could involve another
process you specify.

 Tokens: The server communicates with the authentication device, like a ring, key,
phone, or similar device. After verification, the server issues a token and passes it to
the user.

 Storage: The token sits within the user's browser while work continues.

If the user attempts to visit a different part of the server, the token communicates with the
server again. Access is granted or denied based on the token.

Administrators set limits on tokens. You could allow a one-use token that is immediately
destroyed when the person logs out. Or you could set the token to self-destruct at the end of
a specified time period.

Biometrics(Something You Are)

Biometrics represent the "something you are" method of authentication or, as Schneier so
aptly puts it, "you are your key". There are many different types of biometrics, including such
long-established methods as fingerprints.

Recently, biometrics based on speech recognition, gait (walking) recognition, and even a
digital doggie (odor recognition) have been developed. Biometrics are currently a very active
topic for research. In the information security arena, biometrics are seen as a more secure
alternative to passwords. For biometrics to be a practical replacement for passwords, cheap
and reliable systems are needed. Today, usable biometric systems exist, including laptops
using thumbprint authentication, palm print systems for secure entry into restricted
facilities, the use of fingerprints to unlock car doors, and so on. But given the potential of
biometrics—and the well-known weaknesses of password-based authentication—it's
perhaps surprising that biometrics are not more widely used.

An ideal biometric would satisfy all of the following:

• Universal — A biometric should apply to virtually everyone. In reality, no biometric

applies to everyone. For example, a small percentage of people do not have readable
fingerprints.

• Distinguishing — A biometric should distinguish with virtual certainty. In reality, we can't

hope for 100% certainty, although, in theory, some methods can distinguish with very low
error rates.

Arjun Lamichhane Page 7

 UNIT 4: User Authentication IT 244: Information Security

• Permanent — Ideally, the physical characteristic being measured should never change. In
practice, it's sufficient if the characteristic remains stable over a reasonably long period of
time.

• Collectable — The physical characteristic should be easy to collect without any potential
to cause harm to the subject. In practice, collectability often depends heavily on whether the
subject is cooperative or not.

• Reliable, robust, and user-friendly — These are just some of the additional real-world
considerations for a practical biometric system. Some biometrics that have shown promise
in laboratory conditions have subsequently failed to deliver similar performance in practice.
Biometrics are also applied in various identification problems. In the identification problem
we are trying to answer the question "Who are you?" while for the authorization problem,
we want to answer the question, "Are you who you say you are?" That is, in identification,
the goal is to identify the subject from a list of many possible subjects. This occurs, for
example, when a suspicious fingerprint from a crime scene is sent to the FBI fingerprint
database for comparison with all of the millions of fingerprint records currently on file.

There are two phases to a biometric system. First, there is an enrollment phase, where
subjects have their biometric information gathered and entered into a database. Typically,
during this phase very careful measurement of the pertinent physical information is
required. Since this is one-time work (per subject), it's acceptable if the process is slow and
multiple measurements are required. In some fielded systems, enrollment has proven to be
a weak point since it may be difficult to obtain results that are comparable to those obtained
under laboratory conditions.

The second phase in a biometric system is the recognition phase. This occurs when the
biometric detection system is used in practice to determine whether (for the authentication
problem) to authenticate the user or not. This phase must be quick, simple, and accurate.

Types of Errors

There are two types of errors that can occur in biometric recognition. Suppose Bob poses as
Alice and the system mistakenly authenticates Bob as Alice. The rate at which such
misauthentication occurs is the fraud rate. Now suppose that Alice tries to authenticate as
herself, but the system fails to authenticate her. The rate at which this type of error occurs is
the insult rate.

For any biometric, we can decrease the fraud or insult rate at the expense of the other. For
example, if we require a 99% voiceprint match, then we can obtain a low fraud rate, but the
insult rate will be high, since a speaker's voice will naturally change slightly from time to

Arjun Lamichhane Page 8

 UNIT 4: User Authentication IT 244: Information Security

time. On the other hand, if we set the threshold at a 30% voiceprint match, the fraud rate will
likely be high, but the system will have a low insult rate.

The equal error rate is the rate for which the fraud and insult rates are the same. That is, the
parameters of the system are adjusted until the fraud rate and insult rate are precisely in
balance. This is a useful measure for comparing different biometric systems.

Types of Authentication Methods

The following are a few common authentication methods used for network security designed
to beat cybercriminals and some of the biometric authentication technologies below are ones
that you might use daily.

Facial recognition: These systems use a person’s unique facial features to identify them. It’s
used in a variety of places such as smartphones, credit card payments, and law enforcement.

Fingerprint Recognition: Fingerprint authentication uses a person’s unique fingerprint to

verify their identity, using a device like a FIDO2 Authentication Token. It can be used to
secure everything from mobile devices to automobiles, even buildings, making it the most
widespread biometric authentication technology.

Eye Recognition: Eye recognition uses the unique pattern of someone’s iris or retina to
identify them. Because this type of biometric authentication is harder to implement, it’s less
common than the other types of biometric authentication options. An iris scan requires an
infrared light source, a camera that can see IR, and minimal light pollution in order to ensure
accuracy. Although it poses its challenges, it is one of the most accurate biometric
authentication systems available when those conditions are met. Eye recognition is generally
used in situations where security is most critical such as nuclear research facilities, etc.

Voice Recognition: Voice recognition uses the tone, pitch, and frequencies that are unique
to an individual to authenticate them. This is the most commonly used biometric to verify
users when they contact a call center for customer service support (for example, online
banking)

Retina/Iris Recognition: Retina or also known as iris recognition, uses the pattern of
someone’s iris or retina to identify them. This type of biometric authentication is less
common as it is harder to implement. It requires the implementation of an infrared light
source, a camera that can see IR, and minimal light pollution to ensure accuracy. However, it
happens to be one of the most accurate biometric authentication methods when those
conditions are met. So it’s typically used in situations where security is most critical (nuclear
research facilities, for instance).

Arjun Lamichhane Page 9

 UNIT 4: User Authentication IT 244: Information Security

Gait Recognition: Gain recognition authenticates using the way someone walks to identify
them. Each person walks a little differently, so the way a person puts one foot in front of the
other is an effective way to verify their identity. As of now, it’s not a common form of
authentication but it’s expected to become more common as future forms of authentication
become more popular.

Vein Recognition: Vein recognition uses the pattern of blood vessels in a person’s hand or
finger to identify them. This type of biometric authentication uses infrared light to map the
veins under the skin in your hands or fingers. Vein recognition is extremely accurate, more
than retina/iris recognition.

Biometrics clearly have many potential advantages over passwords. In particular, biometrics
are difficult, although not impossible, to forge. In the case of fingerprints, Trudy could steal
Alice's thumb, or, in a less gruesome attack, Trudy might be able to use a copy of Alice's
fingerprint. Of course, a more sophisticated system might be able to detect such an attack,
but then the system will be more costly, thereby reducing its desirability as a replacement
for passwords.

There are also many potential software-based attacks on authentication. For example, it may
be possible to subvert the software that does the comparison or to manipulate the database
that contains the enrollment data. Such attacks apply to most authentication systems,
regardless of whether they are based on biometrics, passwords, or other techniques.

Biometrics have a great deal of potential as a substitute for passwords, but biometrics are
not foolproof. And given the enormous problems with passwords and the vast potential of
biometrics, it's perhaps surprising that biometrics are not more widely used today. This
should change in the future as biometrics become more robust and inexpensive.

Two-Factor Authentication

Password generator
A password generator is a small device that the user must have (and use) to log in to a
system. Suppose that Alice has a password generator, and she wants to authenticate herself
to Bob. Bob sends a random "challenge" R to Alice, which Alice then inputs into the password
generator along with her PIN number. The password generator then produces a response,
which Alice transmits to Bob. If the response is correct, Bob is convinced that he's indeed
talking to Alice, since only Alice is supposed to have the password generator. This process is
illustrated in following figure:

Arjun Lamichhane Page 10

 UNIT 4: User Authentication IT 244: Information Security

For a challenge-response authentication scheme to work, Bob must be able to verify that
Alice's response is correct. For the example in Figure above, Bob and the password generator
must both have access to the key K, since the password generator needs the key to compute
the hash, and Bob needs the key to verify Alice's response. Alice accesses the key K only
indirectly—by entering her PIN into the key generator.

The password generator scheme requires both "something you have" (the password
generator) and "something you know" (the PIN). Any authentication method that requires
two out of the three "somethings" is known as two-factor authentication. Another example
of a two-factor authentication is an ATM card, where the user must have the card and know
the PIN number. Other examples of two-factor authentication include a credit card together
with a signature, a biometric thumbprint system that also requires a password, and a cell
phone that requires a PIN.

Kerberos Protocol
Traditionally, when users access computer systems, they do so by entering a password. The
challenge with this authentication method is that if hackers obtain the password, they can
take on the user's identity and gain access to an organization's network. Organizations need
a better way to protect their systems and users. This is where Kerberos comes in.

A Kerberos is a system or router that provides a gateway between users and the internet.
Therefore, it helps prevent cyber attackers from entering a private network. It is a server,
referred to as an “intermediary” because it goes between end-users and the web pages they
visit online.

In mythology, Kerberos (also known as Cerberus) is a large, three-headed dog that guards
the gates to the underworld to keep souls from escaping. In our world, Kerberos is the
computer network authentication protocol initially developed in the 1980s by

Arjun Lamichhane Page 11

 UNIT 4: User Authentication IT 244: Information Security

Massachusetts Institute of Technology (MIT) computer scientists. It performs mutual

authentication between the user and the server with the help of a trusted third-party Key
Distribution Center (KDC) that provides authentication and ticket-granting service. The idea
behind Kerberos is to authenticate users while preventing passwords from being sent over
the internet.

How Kerberos Authentication Works

A Key Distribution Center consists of an Authentication Server (AS) and Ticket Granting
Server (TGS). TGT is a Ticket Granting Ticket.

1. The user enters the login and password. The user ID goes to the Authentication Server
(AS) with a request for services on behalf of the user.

2. AS checks if the user login is in the database. If there is information about that user, then
AS can generate a client secret key according to the user’s ID and password. AS sends to
the user:

o The client/TSG session key (encrypted with the client secret key);

o TGT including the user ID, network address and ticket validity period +
Client/TGS session key (encrypted with the TGS secret key).

3. The user decodes the first message but can’t decode the second one, because the user
doesn’t have the TSG secret key. The client sends message to the TGS:

Arjun Lamichhane Page 12

 UNIT 4: User Authentication IT 244: Information Security

o The TGT received from AS + Server ID + TGS/Client secret key (encrypted with
the TGS secret key);

o The authenticator including the client ID and timestamp (encrypted with the
Client/TSG session key).

4. The TGS decrypts the first message, gets the TGT + TGS/Client session key, with which it
decrypts the second message. The TGS checks if the user ID from the first message
matches the ID from the second message and if the timestamp doesn’t exceed the ticket
validity period. In case everything is right, the TSG sends to the user:

o The user ID, network address, ticket validation period + Client/Server session key
(encrypted with the Server secret key);

o The client/server session key (encrypted with the Client/TGS secret key).

5. The client sends the following to the Server which it tries to get access to:

o The user ID, network address, ticket validation period + Client/Server session key
(encrypted with encrypted with Server secret key);

o The authenticator including the ID and timestamp (encrypted with the

Client/Server session key).

6. The targeted server decrypts user’s messages, checks if the User ID from the both
messages have the same value and if the validity period is not exceeded, then sends to
the client the following parameter to confirm its identity:

o Timestamp + 1 (encrypted with the Client/Server session key).

The client checks if the timestamp value is timestamp + 1, which shows the true identity of
the server. If it is so, the client can trust the server and start working with it.

Security Issues for User Authentication

Authentication vulnerabilities in cybersecurity refer to weaknesses and flaws in the
processes and mechanisms used to verify the identity of users or systems. These
vulnerabilities can emerge for various reasons, often rooted in technology, human behavior,
or both.

1. Phishing Attacks
Phishing attacks involve tricking users into divulging their sensitive information by posing
as a trustworthy entity. Be cautious of unsolicited emails or messages requesting your login

Arjun Lamichhane Page 13

 UNIT 4: User Authentication IT 244: Information Security

credentials. Always verify the sender's authenticity before clicking links or providing
personal information.

2. Credential Stuffing
Credential stuffing occurs when cybercriminals use stolen usernames and passwords from
one platform to access multiple accounts on various websites. To avoid falling victim to this
vulnerability, refrain from using the same login credentials across different platforms.
Consider using a password manager to generate and store unique passwords for each
account.

3. Weak Passwords
One of the most common authentication vulnerabilities is weak passwords. Many users still
opt for easily guessable passwords, such as "123456" or "password." Creating strong, unique
passwords for each account is essential to mitigate this risk. Hence, businesses must
encourage their customers to use strong passwords. Also, companies should consider relying
on secure password storage mechanisms to ensure the highest level of security.

4. Insecure Authentication Protocols

Outdated or insecure authentication protocols can leave your online accounts vulnerable.
Always use secure and up-to-date authentication methods, such as OAuth 2.0 or OpenID
Connect, to protect your information from potential breaches.

5. Brute Force Attacks

Brute force attacks involve systematically trying all possible combinations of passwords
until the correct one is found. To safeguard against this, implement account lockout policies
and CAPTCHA challenges after a certain number of failed login attempts. Additionally, use
multi-factor authentication (MFA) to add an extra layer of security.

6. Session Hijacking
Session hijacking, or session stealing, occurs when an attacker intercepts and steals a user's
session identifier. To prevent this, websites should implement secure communication
channels, such as HTTPS, and use secure, randomly generated session tokens that are not
easily predictable.

7. Lack of Multi-Factor Authentication (MFA)

The lack of MFA is a significant vulnerability that many users overlook. MFA adds an extra
layer of security by requiring users to provide multiple verification forms before gaining
access to their accounts. By enabling MFA, you significantly enhance your account's
protection against unauthorized access.

Arjun Lamichhane Page 14

 UNIT 4: User Authentication IT 244: Information Security

8. Human Negligence
According to Shred-it 2020 report, up to 31% of C-suite executives reported employee
negligence to be the second major cause of their data breaches.

Human error can result in serious authentication vulnerabilities that are far easier to take
advantage of than brute-force attacks, SQL injections, and authentication bypasses. This
negligence includes actions such as:

 Leaving a computer on and unlocked in a public place

 Losing devices to theft

 Leaking sensitive information to strangers

 Writing bad code

References
Configuring Kerberos Authentication Protocol. (2024). Retrieved from Data Sunrise:
https://www.datasunrise.com/professional-info/set-kerberos-protocol/

Stallings, W., & Brown, L. (2015). Computer Security Principles and Practice. New Jersey:
Pearson Education.

Arjun Lamichhane Page 15