Access control models are the core that identifies how a user accesses an object. An enterprise determines the best model based on the organization’s structure, the policies within the organization, and the benefits and risks associated with implementation. You’ll read about several models in the next section.
Be careful not to confuse the acronyms for rule-based access control (RuBAC) and role-based access control (RBAC). To make things more confusing, some people use the acronym RBAC for both models. For this reason, it is a good idea to simply write out the entire term instead of relying on the acronyms for these two models.
The following sections describe access control models in more detail.
The discretionary access control (DAC) model is the most widely used access control method. It is defined by the Trusted Computer System Evaluation Criteria (TCSEC) as “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restricted by mandatory access control).”
DAC allows the owner of a resource to manage who can or cannot access the item. Owners maintain this access through ACLs, and they can delegate the ability to modify permissions to others. This removes the need for systems administrators to determine the importance of a document and who should have the necessary control. It puts the responsibility in the hands of the owner of the resource. Other than some highly specialized cases in the defense industry, every modern operating system supports DAC.
The Trusted Computer System Evaluation Criteria (TCSEC) are a set of requirements used to rate the security of a computer system. The U.S. Department of Defense (DoD) National Computer Security Center established the TCSEC. One of the documents in the “Rainbow Series,” it is often referred to as the Orange Book because of the color of its cover, but its official listing is DoD 5200.28-STD. The original version was created in 1983 and was updated in 1985. TCSEC was replaced by the Common Criteria for Information Technology Security Evaluation (ISO 15408) in 2005. These days, it is referred to as simply Common Criteria or CC.
Mandatory access control (MAC) allows a systems administrator to maintain the security aspect of an object. It was established by TCSEC and is defined as “a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorizations (i.e., clearance) of subjects to access information of such sensitivity.” MAC systems are sometimes used by government agencies to implement the national security classification system. The use of MAC in these cases ensures that one user cannot grant a second user access to information that would exceed the second user’s security clearance. For example, a user with access to a Top Secret document could not delegate that access to a user who possesses only a Confidential security clearance.
Access to an object is based on the sensitivity label of the object compared with the clearance of the subject attempting to access it. For example, if an object has a classification of Secret, the subject attempting to access the object must have a clearance of Secret or Top Secret. No ACLs are associated with the object, and the sensitivity level cannot be changed by the object’s owner or by the system user. Similarly, a subject with a Top Secret clearance has access to any object that is at or below that clearance level.
MAC is considered one of the most secure access methods because it requires both the object and the subject to have security labels assigned to them. It is often used in a multilevel security (MLS) system. An MLS system allows the computer system to simultaneously process information of different classification levels and ensures a subject with the correct clearance can access only the information at his or her authorization level. In contrast, a multiple single level (MSL) environment does not allow different classification levels to commingle. A separate system would be used for each classification level.
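The difference between the two models above comes down to who decides. The following added example (not from the original text; the subjects, objects and the four-level label set are constructed) shows a DAC object whose owner can grant and delegate ACL entries, beside a MAC object where the decision depends only on the object’s label versus the subject’s clearance, so that a Top Secret holder cannot pass a Secret document to a Confidential holder.

```python
"""Discretionary vs. mandatory access control decisions (constructed example)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity levels; a higher value dominates a lower one."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class DacObject:
    """DAC: the owner holds an ACL and may grant, or delegate the right to grant."""
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions

    def grant(self, granter: str, subject: str, perm: str) -> None:
        # Only the owner, or a subject who was given the 'grant' permission, may extend the ACL.
        if granter != self.owner and "grant" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not grant on this object")
        self.acl.setdefault(subject, set()).add(perm)

    def check(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


@dataclass
class MacObject:
    """MAC: no ACL; access depends only on the object's label versus the subject's clearance."""
    label: Level


def mac_read_allowed(clearance: Level, obj: MacObject) -> bool:
    """A subject may read an object whose label is at or below its clearance."""
    return clearance >= obj.label


def mac_delegate(granter_clearance: Level, recipient_clearance: Level, obj: MacObject) -> bool:
    """Passing access on never exceeds the recipient's own clearance; users cannot relabel."""
    return mac_read_allowed(granter_clearance, obj) and mac_read_allowed(recipient_clearance, obj)


def demo():
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    report.grant("alice", "bob", "grant")   # alice delegates the right to grant
    report.grant("bob", "carol", "read")    # bob passes read access on to carol
    dac_results = (report.check("carol", "read"), report.check("dave", "read"))

    secret_doc = MacObject(Level.SECRET)
    mac_results = (
        mac_read_allowed(Level.TOP_SECRET, secret_doc),    # Top Secret dominates Secret
        mac_read_allowed(Level.CONFIDENTIAL, secret_doc),  # no reading above clearance
        mac_delegate(Level.TOP_SECRET, Level.CONFIDENTIAL, secret_doc),  # delegation refused
    )
    return dac_results, mac_results
```

In the DAC half the owner’s choices are what the system enforces; in the MAC half there is nothing for a user to choose, which is why the text calls it the more secure of the two.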
Most access control systems can also be described as identity-based access control (IBAC) systems. This simply means that the access control decisions made by the system are based on the identity of the user.
Role-based access control (RBAC) is also known as nondiscretionary access control. It grants access to an object based on the subject’s role within the system. Three aspects are taken under consideration within an RBAC system:
Confidentiality rules within the U.S. government were established through the Bell-LaPadula Model and are described in the Orange Book. An MLS system is a Bell-LaPadula system. Three security principles are used in this model:
Administering access within an RBAC system is considered easier for the administrator because the access is based on roles within the organization and what each role is allowed to do. For example, an administrator may define a Human Resources role for the entire HR organization. If Kevin moves from the HR department to the finance department, he is simply removed from the Human Resources role and placed in the Finance role.
Separation of duties expands the RBAC controls. For example, although Kevin’s role may be Finance, this does not mean that he needs full access to all financial data. Separating each role into the activities users are responsible for provides more granular access control. This ensures that no single user has enough control to compromise the system. This mechanism helps to deter fraud, ensuring that at least two people are required to perform a critical task. Separation of duties is also related to the least-privilege security principle. This principle states that a user should not have any more access than is necessary for the user to do his or her job.
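Kevin’s move from HR to Finance, the separation-of-duties constraint and least privilege can all be expressed in a small role model. The following is an added example, not code from the original text; the roles, operations and the rule that one person may not both create and approve a payment are constructed for illustration.

```python
"""Role-based access control with reassignment, separation of duties and least privilege."""

# Constructed sample policy: each role carries only the operations that job needs.
ROLE_PERMISSIONS = {
    "HumanResources": {"read_personnel_file", "update_personnel_file"},
    "Finance": {"read_ledger", "create_payment"},
    "FinanceApprover": {"read_ledger", "approve_payment"},
}

# Roles one person must never hold at the same time (static separation of duties).
MUTUALLY_EXCLUSIVE = {frozenset({"Finance", "FinanceApprover"})}


class Rbac:
    def __init__(self):
        self.user_roles = {}  # user -> set of roles

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        current = self.user_roles.setdefault(user, set())
        for pair in MUTUALLY_EXCLUSIVE:
            if role in pair and (pair - {role}) & current:
                raise PermissionError(f"{user} cannot hold {role} alongside {current & pair}")
        current.add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def move(self, user, old_role, new_role):
        """Changing departments is a role swap, not a permission-by-permission edit."""
        self.revoke(user, old_role)
        self.assign(user, new_role)

    def permissions(self, user):
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def allowed(self, user, operation):
        return operation in self.permissions(user)


def dual_control(rbac, creator, approver):
    """A critical task needs two distinct people: one who creates, a different one who approves."""
    return (creator != approver
            and rbac.allowed(creator, "create_payment")
            and rbac.allowed(approver, "approve_payment"))


def demo():
    rbac = Rbac()
    rbac.assign("kevin", "HumanResources")
    rbac.assign("maria", "FinanceApprover")
    before = rbac.allowed("kevin", "read_personnel_file")
    rbac.move("kevin", "HumanResources", "Finance")
    after = (rbac.allowed("kevin", "read_personnel_file"), rbac.allowed("kevin", "create_payment"))
    try:
        rbac.assign("kevin", "FinanceApprover")  # would let one person create and approve
        sod_blocked = False
    except PermissionError:
        sod_blocked = True
    return before, after, sod_blocked, dual_control(rbac, "kevin", "maria"), dual_control(rbac, "kevin", "kevin")
```

Because permissions hang off roles rather than users, the HR data Kevin could read disappears the moment his role changes, which is the administrative simplicity the text describes.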
Some complex access control systems that span multiple organizations may also use organization-based access control (OrBAC), which also applies differing policies based on the user’s organizational membership.
Attribute-based access control (ABAC) systems grant access to the subject based on additional attributes that the subject must present and the system must verify. For example, when accessing a system that is available only to residents of a particular town, the subject may have to enter an address within that town. This allows the administrator to have a more granular access control capability to the particular objects.
A MAC or DAC system uses ACLs for managing the access of information within a system. The RBAC method defines the access specifically on the role that the user has within the organization, and the operations in which that role can participate. MAC and DAC systems focus more on the information, whereas an RBAC system focuses more on the people and the actions they can or cannot do.
Attribute-based access control systems are an example of contextual access controls that use information about the current state of the user, connection, and device to make authorization decisions. Another common example of contextual access control is history-based access control (HBAC), which takes the past and present activity of the user into account when making access control decisions. For example, if a user who never logs on from nonoffice locations suddenly logs on from a foreign country, an HBAC system might deny this connection attempt because it differs from past activity.
ABAC systems are growing in popularity among security administrators. If you would like to learn more, the definitive reference on this topic is NIST Special Publication 800-162, “Guide to Attribute Based Access Control (ABAC) Definition and Considerations.”
Many organizations today are adopting Bring Your Own Device (BYOD) policies that allow users to access corporate systems and data using personally owned devices. To protect assets, organizations often limit BYOD device access to data. For example, companies might allow BYOD devices to access email and calendaring systems but deny those same devices access to restricted file servers containing extremely sensitive information. This is another example of an attribute-based access control system, where the attribute used in the access decision is an attribute of the device being used, rather than the user’s identity.
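The town-residency check, the HBAC login-location check and the BYOD device restriction are all attribute tests on the request rather than on the user’s identity alone. The following added example (not from the original text; the resources, the town name and the per-user login history are constructed) evaluates one request against all three kinds of attribute in turn.

```python
"""Attribute-based and history-based access decisions (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    resource: str
    device_managed: bool  # True for a corporate-managed device, False for a BYOD device
    country: str          # where the connection originates
    address_town: str = ""


@dataclass
class History:
    """Countries each user has previously logged on from (constructed sample data)."""
    countries: dict = field(default_factory=dict)

    def seen(self, user, country):
        return country in self.countries.get(user, set())

    def record(self, user, country):
        self.countries.setdefault(user, set()).add(country)


# Constructed resource policy: which attributes each resource demands.
POLICY = {
    "email": {"managed_only": False},
    "restricted_fileserver": {"managed_only": True},
    "town_portal": {"managed_only": False, "town": "Springfield"},
}


def decide(req: Request, history: History):
    """Return (allowed, reason). Device and subject attributes are ABAC checks;
    comparing the country against past activity is the HBAC check."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if rule["managed_only"] and not req.device_managed:
        return False, "BYOD device not permitted for this resource"
    if "town" in rule and req.address_town != rule["town"]:
        return False, "subject attribute 'town' does not match"
    if history.countries.get(req.user) and not history.seen(req.user, req.country):
        return False, "country differs from all past activity"
    history.record(req.user, req.country)
    return True, "ok"


def demo():
    hist = History({"kevin": {"US"}})
    return [
        decide(Request("kevin", "email", False, "US"), hist)[0],                  # BYOD to email: ok
        decide(Request("kevin", "restricted_fileserver", False, "US"), hist)[0],  # BYOD to restricted: no
        decide(Request("kevin", "restricted_fileserver", True, "US"), hist)[0],   # managed device: ok
        decide(Request("kevin", "email", True, "RU"), hist)[0],                   # never seen country: no
        decide(Request("ann", "town_portal", False, "US", "Springfield"), hist)[0],
        decide(Request("ann", "town_portal", False, "US", "Shelbyville"), hist)[0],
    ]
```

The order of the checks matters in practice: a cheap, deterministic attribute test (device, town) runs before the history lookup, and a denial returns the reason so that the event can be logged and reviewed.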
Rule-based access control (RuBAC) systems operate in a manner quite similar to MAC systems. The system administrator defines a set of rules for a system, service, or device, and then that set of rules determines future access.
The most common example of rule-based access control is a network firewall. Firewall administrators create a set of rules that describe the types of network traffic that are allowed to pass through the firewall. These rules may be based on source and destination Internet Protocol (IP) address, network protocol, network port, time of day, user identity, and many other attributes of the connection. When the rules used in RuBAC incorporate attributes of the user into those rules, the system may be considered both RuBAC and ABAC.
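A firewall rule set is evaluated top to bottom and the first matching rule decides. The following added example (not from the original text; the addresses, ports and office hours are constructed) implements that first-match evaluation over the attributes the paragraph lists, including a rule that also names a user, which is the point where RuBAC shades into ABAC.

```python
"""Rule-based access control: first-match evaluation of a firewall rule set."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    hour: int                    # local hour 0-23, so time-of-day rules can be expressed
    user: Optional[str] = None   # identity, when the firewall knows it


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    hours: Optional[range] = None
    users: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        # A field left at its default matches anything.
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.hours is None or p.hour in self.hours)
                and (self.users is None or p.user in self.users))


# Constructed rule set; the last rule makes the default deny explicit.
RULES = [
    Rule("allow", src="10.0.0.0/8", dst="192.168.1.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", dst="192.168.1.20/32", proto="tcp", dport=22,
         hours=range(8, 18), users=frozenset({"kevin"})),
    Rule("deny"),
]


def evaluate(p: Packet, rules=RULES) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def demo():
    return [
        evaluate(Packet("10.1.2.3", "192.168.1.10", "tcp", 443, 12)),                 # internal HTTPS
        evaluate(Packet("172.16.0.5", "192.168.1.10", "tcp", 443, 12)),               # wrong source
        evaluate(Packet("10.1.2.3", "192.168.1.20", "tcp", 22, 12, user="kevin")),    # SSH in hours
        evaluate(Packet("10.1.2.3", "192.168.1.20", "tcp", 22, 22, user="kevin")),    # SSH after hours
        evaluate(Packet("10.1.2.3", "192.168.1.20", "tcp", 22, 12, user="bob")),      # wrong user
    ]
```

Note that the rules say nothing about who owns the destination systems or how sensitive their data is; the administrator encodes the policy once and the device applies it mechanically, which is the distinction the text draws from DAC.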
Risk-adaptive access control (RAdAC) systems take a more sophisticated approach to security decisions by incorporating information about both the security risk of an access control decision and the operational need for action into the risk determination process. Traditional access control systems simply grant or deny access based on the defined access control policies. Risk-adaptive approaches take additional information into account, as shown in FIGURE 5-1.
Authentication, with regard to a subject, is validating the subject’s claim of identity. There are multiple ways in which subjects can prove themselves.
The authenticity of a subject can be established by three factors. The more factors a subject can provide, the more trust one can put in that subject:
Having specific knowledge that is unique to a subject is one method of authentication. Examples of this factor include a password, a personal identification number (PIN), or a passphrase.
A password is generally combined with a unique identifier such as a username (or user ID), and it provides the additional authentication that the subject is legitimate. A password can have multiple limitations based on length, special characters, complexity, and reuse factor, or it may have no limitations. The more specific or unique a password is, the stronger it is and, therefore, the lower its chance of being guessed or cracked.
In the past, security best practice typically stated that users must use highly complex passwords and change those passwords regularly. In 2017, NIST released Special Publication 800-63B, “Digital Identity Guidelines,” which turned conventional wisdom about password policies on its head. Under the new guidelines, NIST recommends the following practices:
With so many applications and tools that you log on to these days, using best practices and keeping passwords safe is becoming more difficult. Tools such as password managers or password vaults are available for storing your passwords, but these also require a form of authentication to retrieve the information. Tools that allow you to answer questions about yourself are a method that tends to remove passwords altogether or, in some instances, may be used to retrieve your password from an application. For example, Kevin may have forgotten the password for his mobile service online account. After Kevin selects “Forgot password,” the application asks him security questions that were configured previously in his profile. Such questions may be:
Additional tactics could be a passphrase related to the application or the subject. For example, Kevin may be trying to log on to his 401(k) account but cannot remember the password. By creating a passphrase based on the tool he is accessing, Kevin may be able to add complexity and provide something he can easily recall:
Saving money for my future keeps me a happy Kevin = S$4mfkma:)K
Almost everyone is aware of the purpose of passwords, and many people use passwords daily. The problem is that passwords have turned into a risk. Years ago, when passwords were first implemented, they were relatively simple. Knowing how simple they were made it easier for attackers to steal them. Some of the ways that attackers steal passwords are:
Weaknesses of knowledge-based methodologies. One of the biggest challenges in using passwords is memorizing them. As previously stated, you should avoid reusing passwords and avoid writing them down. Accessing applications irregularly only adds to the problem with passwords. For example, Kevin accesses his mobile online account once a month to pay the bill. He often forgets the password and the passphrase he created for the account. Today, he makes multiple attempts at logging on, but after his fifth failed password he is locked out. He now needs to call the mobile carrier and speak with a representative, who might ask Kevin for his Social Security number and date of birth. Answering these questions over the phone is a security risk, and one-on-one customer service is an extra expense for the mobile phone carrier. Due to the extra expenses and risk of resetting a password, an organization might not choose the safest mechanism because it may be too expensive to maintain and administer.
Malware is malicious software that gets downloaded to your computer system without your knowledge. This software can be downloaded when surfing webpages, clicking on webpage items, opening email attachments, or executing an application that has malicious code embedded. Examples of malware are Trojan horses, keystroke logging tools, worms, and viruses.
Third-party participants and tools also create havoc when only knowledge-based access authentication factors are used. You might have downloaded malware, such as a keystroke logger, to your computer without knowing it. These tools are used to steal your password, and your account can then become compromised. This can lead to the loss of money, personal information such as account numbers and Social Security numbers, and additional PII.
Trojan horse malware, which is also referred to as a Trojan, is another tool often used by attackers to pull password information from a user. When the Trojan is installed on a computer system, the attacker has complete access to the system. The subject may never know that it is there. Some of the malicious activities carried out by Trojans include:
Removing a Trojan can be difficult because you don’t know what damage it has inflicted on your system. Antivirus software can assist in blocking Trojans. It’s highly important to keep antivirus software up to date; however, there is no fail-safe method for keeping a computer system secure.
In addition to malware used on computer systems to gather information about the user, additional tactics have been implemented with changes and additions to technology:
So how exactly does a subject get an initial or saved password or PIN? How does authentication ensure that the subject is valid if the initial authentication failed? Should you allow the subject to reset his or her own password, or should you provide a temporary password?
Several options for password and PIN distribution are the postal mail, SMS messages, email, and the phone system. For instance, when Kevin is unable to log on to his online banking portal, the bank may choose to send him a temporary PIN. One option is to send this PIN to the cell phone he has registered with the bank. The bank sends Kevin an SMS message and asks him to enter the PIN into the portal within a preset amount of time, such as 60 seconds. The bank has identified this cell phone as Kevin’s because he provided it during his initial enrollment process. The SMS message is the fastest and one of the safest ways to get the temporary PIN to Kevin. The bank may also choose to send a follow-up email to Kevin to inform him that the text was sent with a temporary PIN. If Kevin did not receive the SMS message, he should inform the bank as a precaution.
Another tactic for gaining information is called shoulder surfing. For instance, Kevin likes to work on his computer at his local coffee shop, but people around him may be able to see what he is doing, including entering passwords for his accounts. Although a password may be blocked out on the screen, the username is still available, and people can watch Kevin type his password on the keyboard and memorize the keystrokes.
The passwords used for various systems are also kept internally, on a workstation or server. How do enterprises secure them? How are passwords stored when you check a Remember Me checkbox on a website? The passwords maintained through a third-party application or through another tool should be encrypted so if hackers access them, the passwords cannot be read and used to gain access to your accounts.
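Two of the mechanisms described above, the lockout after a fifth failed attempt and the protected storage of passwords, can be seen together in the following added example (not from the original text). It stores a salted, slow hash of the password rather than a reversible encryption, which is the standard practice for password verifiers because even someone who copies the database cannot turn the stored value back into the password; the iteration count and the sample passwords are constructed for the example.

```python
"""Storing password verifiers and locking out after repeated failures (constructed example)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor; a constructed choice for this example
MAX_FAILURES = 5       # the scenario in the text: locked out after the fifth failed attempt


def make_verifier(password: str) -> dict:
    """Derive a salted, slow hash; the plaintext password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS, "failures": 0}


def verify(record: dict, attempt: str) -> str:
    """Return 'ok', 'bad_password' or 'locked'. The comparison is constant-time."""
    if record["failures"] >= MAX_FAILURES:
        return "locked"
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0     # a successful logon clears the failure counter
        return "ok"
    record["failures"] += 1
    return "bad_password"


def demo():
    rec = make_verifier("S$4mfkma:)K")                     # the passphrase-derived password from the text
    outcomes = [verify(rec, "wrong") for _ in range(5)]     # five bad guesses
    outcomes.append(verify(rec, "S$4mfkma:)K"))             # correct, but the account is now locked
    return outcomes, rec["hash"] != b"S$4mfkma:)K"
```

Once locked, even the right password is refused, which is exactly the situation that sends Kevin to the carrier’s help desk; the verifier record contains nothing that would let that help desk read his password back to him.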
In addition to something you know, something you have can help identify you and/or prove your claim of identity. This identifier can be an automated teller machine (ATM) card, a token, a driver’s license, or a passport—anything that supports your identity claim simply because you have it. These forms of authentication do not require you to remember a password, but they are something you must have in your possession to authenticate. Consider an example where you visit a bank and request the withdrawal of funds. You can’t simply walk up to the teller and say “I’m Bob, please give me $500.” (Wouldn’t that be nice?) The teller will certainly ask you to prove your claim of identity. You’d most likely satisfy this request by showing her your driver’s license. The license contains your name and picture, and the teller uses it to authenticate you before giving you cash.
A token is a physical or software device that can be used instead of a password or in conjunction with a password or PIN. Tokens come in many forms, such as a card with a screen and/or a keypad. There are two varieties of token devices:
Smart card. A smart card is a card that is the same size as a credit card and has a computer chip embedded in it. The computer chip holds data pertaining to the owner of the card and is used in various transactions through a smart card reader. Smart cards are also referred to as integrated circuit cards (ICCs). Smart cards are considered reliable because the information stored within the card cannot be easily accessed if the card is lost or stolen, but it can be used by other subjects if additional forms of verification are not required.
There are two primary types of smart cards:
Time-variable token. A time-variable token is a synchronous token in the form of a one-time password. It is a dynamic password in that it can be used only once. After a single use, it is no longer valid. A time-variable token is valid for a specific period of time, such as 60 seconds. When authentication is based on time, the token (hardware or software) time must be synchronized with an authentication server. The time and the seed record are the main components. The seed record is the symmetric encryption key, which is shared between the token and the authentication server. This seed record encrypts the clock time; the result is a one-time password. The same seed record is used for both the token and the authentication server. Because the authentication server knows that this token is the only other device with that seed record, it knows that the token code entered comes from the person holding this particular token.
A Common Access Card (CAC) was implemented under Homeland Security Presidential Directive 12 (HSPD-12). It is used by the DoD for authentication and access to federal facilities and computer systems. This card holds information regarding the user such as his or her identity, clearance level, and physical and logical access capabilities. In 1987, the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) implemented ISO/IEC 7816 for ICCs with contacts, such as smart cards.
Challenge-response device. A challenge-response device is an asynchronous token. Authentication occurs via communication with the token device, the authentication server, and the user. A request is sent to the authentication server and a challenge (a random set of numbers) is returned. The user enters this challenge into the token, the token encrypts it, and another value is returned. The user then uses this end value as the password. Once the authentication server receives this end value, it decrypts it. If the decrypted value matches the challenge it issued, the user is authenticated. This exchange between the user, authentication server, and token device is shown in FIGURE 5-2.
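Both token types above rest on the same idea: a seed record shared only by the token and the authentication server, combined with a changing input (the clock for the synchronous token, a random challenge for the asynchronous one). The following added example, not from the original text, models both with one keyed function. It uses the HMAC-based one-time-password construction from RFC 4226 and RFC 6238 rather than literal encryption of the time, and for the challenge-response case the server recomputes the expected response instead of decrypting it; the seed value is the RFC test secret and the 60-second step follows the text.

```python
"""Synchronous (time-variable) and asynchronous (challenge-response) token codes."""
import hashlib
import hmac
import secrets
import struct

# Seed record: the symmetric secret shared by token and authentication server.
# This is the RFC 4226/6238 test secret ("12345678901234567890"), used here as sample data.
SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP = 60   # a code is valid for 60 seconds, as in the text


def otp_from_counter(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): keyed hash of the counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_code(seed: bytes, now: float, step: int = STEP) -> str:
    """Time-variable token: the counter is the current time step (TOTP, RFC 6238)."""
    return otp_from_counter(seed, int(now // step))


def server_verify_time_code(seed: bytes, code: str, now: float, step: int = STEP, skew: int = 1) -> bool:
    """Accept the current step plus one step either side to tolerate small clock drift."""
    return any(hmac.compare_digest(time_code(seed, now + d * step, step), code)
               for d in range(-skew, skew + 1))


def server_challenge() -> str:
    """Asynchronous token: the server issues a random numeric challenge."""
    return str(secrets.randbelow(10 ** 8)).zfill(8)


def token_response(seed: bytes, challenge: str) -> str:
    """The user keys the challenge into the token, which combines it with the seed."""
    return otp_from_counter(seed, int(challenge))


def server_verify_response(seed: bytes, challenge: str, response: str) -> bool:
    """The server recomputes the expected response for the challenge it issued."""
    return hmac.compare_digest(token_response(seed, challenge), response)
```

The server never learns anything from a correct code except that whoever typed it holds the seed, which is the reasoning the text gives for trusting the token; note also that the time-based code is only as good as the clock synchronization, hence the drift window.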
The most significant weakness in “something you have” authentication is that a possession-based authentication factor may be lost or stolen.
“Something you are” authentication is based on characteristics of a specific person. The characteristics can be voice, facial features, retinal patterns, handwriting, and repetitive actions. These characteristics are called biometrics. This section provides only a brief summary of biometrics.
Enrollment in a biometric system brings an extra level of security to the authentication system because the person must be physically present during the process. It is also an advantage for individuals because they will not need to remember a password to gain access.
The technology behind biometrics involves scanning and analyzing the unique characteristics of a user and matching them against information that was collected during enrollment. The information about individuals can be used for either identification or verification. Biometric access control systems may be physiologically based or behavior-based.
Physiologically based biometrics. Physiologically based biometric authentication uses attributes of the user that are unique. Such attributes include fingerprints, facial features, and retinal patterns. A scanning device scans for biometrics, and the subject must enroll his or her information before access is granted. When a user accesses a scanner, multiple points of reference are scanned, analyzed, and compared with the data stored in the database. If enough points match between the user and the stored data, access is granted; otherwise, it is denied.
The number of devices that use biometrics for authentication is increasing. Multiple universal serial bus (USB) device and laptop manufacturers are incorporating this technology into their systems. Many companies now sell portable external fingerprint biometric scanners.
Behavior-based biometrics. Behavior-based biometric authentication creates a characteristic about users based on their patterns. These patterns can be generated from aspects such as their typing rhythm, which can be unique—different people type at a different pace and rhythm. Organizations can use biometric software to analyze users’ typing rhythms. The software records the time that each key is depressed, as well as the length of time between keystrokes. A unique profile is created for each user. If an attacker tries to impersonate a user but types the user’s password too slowly or too quickly, the attacker won’t be authenticated.
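The typing-rhythm profile described above can be built from the two timings the text names: how long each key is held and the gap between keystrokes. The following added example (not from the original text; the enrollment timings are constructed) builds a per-position profile from several enrollment samples and rejects an attempt that types the correct password much faster or slower than the enrolled user.

```python
"""Behaviour-based biometrics: comparing a typing rhythm against an enrolled profile."""
from statistics import mean, pstdev

# Constructed enrollment data for one user typing the same password four times:
# dwell times (key held, ms) for five keys and flight times (gap between keys, ms) for four gaps.
ENROLLMENT = [
    ([95, 88, 102, 90, 97], [120, 140, 110, 130]),
    ([92, 90, 98, 94, 99], [125, 135, 115, 128]),
    ([97, 85, 105, 91, 95], [118, 142, 112, 133]),
    ([94, 89, 100, 93, 98], [122, 138, 109, 131]),
]


def build_profile(samples, min_sd=5.0):
    """Per-position mean and standard deviation of dwell and flight times.
    A floor on the deviation stops a very consistent typist from rejecting themselves."""
    def stats(columns):
        return [(mean(c), max(pstdev(c), min_sd)) for c in zip(*columns)]
    return {"dwell": stats([d for d, _ in samples]), "flight": stats([f for _, f in samples])}


def rhythm_score(profile, dwell, flight):
    """Mean absolute z-score of the attempt against the profile (lower is closer)."""
    pairs = list(zip(profile["dwell"], dwell)) + list(zip(profile["flight"], flight))
    return mean(abs(x - m) / sd for (m, sd), x in pairs)


def authenticate(profile, dwell, flight, threshold=2.0):
    """Accept only when the attempt's rhythm lies within the threshold of the profile."""
    return rhythm_score(profile, dwell, flight) <= threshold


def demo():
    profile = build_profile(ENROLLMENT)
    genuine = authenticate(profile, [93, 91, 99, 92, 96], [121, 137, 113, 129])
    too_slow = authenticate(profile, [180, 175, 190, 170, 185], [260, 280, 250, 270])
    too_fast = authenticate(profile, [40, 38, 45, 41, 39], [50, 55, 48, 52])
    return genuine, too_slow, too_fast
```

The threshold is the trade-off the text alludes to: a tight one rejects the real user on a bad day, a loose one admits an impersonator whose pace is merely similar, which is why the page treats this as a supporting signal rather than a primary factor.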
Financial institutions use pattern matching for online web access. They may create a profile of a user based on the times he or she logs onto the system. If a user rarely logs onto the system at 3:00 a.m. on a Saturday, for example, the financial institution’s website might prompt the user to enter additional information for verification purposes.
An individual’s handwriting can also be used as an authentication method. This requires additional hardware when used with computer systems. Many stores already use handwriting authentication devices when accepting credit card purchases. Your signature is compared with the signature on your credit card.
The major weakness with biometric authentication is that users often find these techniques intrusive and inconvenient.
Now that you understand the various methods of authentication, it is important to understand how they can work together to create a more secure environment and thwart identity theft. Understanding what the user is trying to access and the risk associated with a loss of the data determines what methods or combination of methods should be used.
A single-factor authentication uses only one of the authentication factors (something you have, something you are, or something you know). This type of authentication tends to be associated with a password, and it’s the least secure because of the simplistic nature of passwords. Because passwords have been around for a while, attackers have created tools and methods to get past them. Using symbols, special characters, and additional controls when creating passwords can help strengthen them. Some additional examples of a single-factor authentication are a driver’s license and a house key.
Multifactor authentication approaches are the current standard for securing access to sensitive systems. In a multifactor authentication approach, individuals are asked to authenticate using at least two different techniques that fit into different factor categories. For example, a user might be asked to combine something they know (a password) with something they have (a mobile phone). Two of the most common forms of multifactor authentication are two-factor authentication and three-factor authentication.
Two-factor authentication requires a user to provide two independent authentication mechanisms from different categories in order to authenticate. Two-factor authentication is also referred to as strong authentication. It generally combines something you have and something you know or something you have and something you are. For example, Kevin’s organization has implemented two-factor authentication, which requires him to enter a PIN (something you know) and a token password (something you have). In order for an attacker to be able to access the same resource, he or she would need to know Kevin’s PIN and have the token in hand. Another example of two-factor authentication is an ATM card (something you have) and the PIN (something you know). When Kevin wants to access the money in his banking account through an ATM, he needs to provide the debit card and the PIN in order to start the transaction.
Is a debit or credit card a single-factor or a two-factor authentication method? Recently, some vendors have chosen not to require a PIN or signature when using a debit or credit card if the purchase is below a certain amount. Does this now make the credit card a single-factor authenticator? If the cashier does not compare the signature on the credit card with the signature on the slip, is the credit card a single-factor or two-factor authenticator?
Another form of two-factor authentication is something you are and something you have. For example, security managers of a government facility want to implement two-factor authentication for access to a secure area, but they do not want to use smart cards because the cards can be lost or stolen. To ensure that only authorized people can access the secure area, the managers may choose a two-factor authentication that requires a retinal scan followed by a PIN.
Three-factor authentication, also a form of strong authentication, includes all authentication factors of something you know, something you are, and something you have. For example, obtaining access to a highly classified room may require a badge, a PIN, and a retinal scan. Because the room is restricted to only a few people, authentication of those who enter is extremely important to ensure that the classified information inside the room does not get into the wrong hands.
Most security professionals recognize these three factors (something you have, something you know, and something you are) as the three standard authentication categories. You may also see lists of authentication factors that refer to four or five factors.
The first of these, somewhere you are, uses location-based authentication. This approach uses the physical location of the user as an authentication factor, assuming that someone in a restricted area is authenticated to some degree. It is arguable whether this is actually an authentication factor, as the person may have gained access to that facility using some other authentication approach, making location simply a proxy for those other techniques. Location is also not directly tied to an individual, because many people could have authorized access to the same physical location. While location-based controls are commonly used, they are not actually a means of authenticating an individual.
The second commonly cited factor, something you do, is known as behavior-based authentication. These techniques look at characteristic patterns of the user’s behavior, such as their rate and patterns of typing, time of access, and similar characteristics. These approaches are not commonly accepted as reliably confirming a user’s identity on their own, so they cannot be considered an authentication factor.
Kerberos is a network security protocol that provides authentication and authorization services on a network. Communication on an unsecure network allows attackers to listen in on the network to steal your credentials. Kerberos uses strong cryptography in order for the client to prove its identity to the server. Once the identity is proven, the communication is encrypted. Credentials obtained are used to verify the identity of the user and ensure the integrity of messages between the client and the system it’s authenticating to. Some of the benefits associated with implementing a Kerberos system are:
Kerberos is based on three systems: the Kerberos-trusted Key Distribution Center (KDC), the Kerberos Ticket-Granting Service (TGS), and the Kerberos Authentication Service. Kerberos provides the ability for systems to communicate in a secure manner over an unsecure network. Kerberos is also an example of a single sign-on system, providing enterprises with scalability and flexibility. Kerberos provides:
The name “Kerberos” comes from Greek mythology, in which Kerberos is the three-headed dog that guarded the entrance to Hades. Kerberos is an authentication and authorization method that is currently used in Windows operating systems.
Kerberos was developed in the late 1980s at the Massachusetts Institute of Technology (MIT) under the Athena program. It is based on Needham and Schroeder’s trusted third-party authentication protocol. Kerberos is freely available through MIT but is implemented in many commercial off-the-shelf (COTS) products. The mechanisms for Kerberos are validated in Request for Comments (RFC) 4120. You can view RFC 4120 on the Internet Engineering Task Force website at http://www.ietf.org/rfc/rfc4120.txt.
The process for Kerberos authentication involves three primary steps: client authentication, client service authorization, and client service requests. It is important to understand the entire process because Kerberos authentication proves an identity across an unsecure network connection.
The following steps are performed during client authentication:
An authenticator is a message that consists of the client ID and the timestamp.
The following steps are performed during client service authorization:
When a client requests a service, the following steps are taken:
The Kerberos authentication, authorization, and service request processes are shown in FIGURE 5-3.
Kerberos performs authentication as a trusted third-party authentication service via a shared secret key (symmetric key). When a client wants to obtain authentication credentials for a server that it does not have credentials for, the exchange between the authentication server and the client is initiated by the client. The client’s secret key is used for encryption and decryption. This exchange obtains credentials for a TGS, which will also be used for obtaining subsequent credentials.
One of the primary reasons for implementing Kerberos is that without it, the principals do not trust one another. Principals can be applications, users, or network services. The principals trust only the Key Distribution Center (KDC), which is why the KDC creates tickets for the communication among the principals. Communication among principals is vouched for by the KDC, and the KDC ensures that it is acceptable for the principals to talk to one another.
The KDC acts as a trusted third party. The purpose of a KDC is to provide a secure environment for distributing keys. It provides tickets and temporary session keys for both initial tickets and ticket-granting requests and acts as both an authentication service and a ticket-granting service.
Because Kerberos is formed on symmetric encryption and shared secret keys, the database for all of the secret keys for the principals on the network is maintained by the KDC. As an authentication server, it authenticates a principal via a pre-exchanged secret key. After the authentication occurs, the KDC acts as a TGS. As a TGS, it provides a ticket to a principal establishing a trusted relationship among other principals. The principals trust the integrity of the KDC, which is an essential part of Kerberos security.
A secret key has a long lifetime and is shared between the KDC and the client or server. It may be used for subsequent needs such as password changes. A session key is destroyed after the session is complete and is generated only when needed. The session key is shared between the client and the server.
Principals are preregistered with a secret key in the KDC through a system registration process. A set of these principals is called a “realm,” and the realm is used to administer a logical group of resources and users. When added to the Kerberos realm, the principal is given a realm key used for initial trusted communications. Once a principal becomes a member of a Kerberos realm, the principal can then be authenticated by the authentication server.
Tickets are generated by the KDC and provided to the principal when authentication is needed. For example, when Kevin needs to access a specific file share, a request is made to the KDC. The KDC, in return, provides the TGT and client/TGS session key. Kevin will use the TGT for authorization to the file share.
As a whole, Kerberos is a very secure protocol. However, all protocols have weaknesses. It is important to note that any weaknesses with Kerberos are based on the concepts within the protocol and not the underlying cryptography.
Like any authentication system, Kerberos can have weaknesses if improperly implemented. Security administrators should be aware of these potential weaknesses, which include:
Many organizations use Kerberos daily for employee authentication and access to resources. Consider this example of appropriate use of Kerberos in the business environment, featuring Kevin.
Kevin logs on daily to the corporate network with his computer system. He provides a username and password. When Kevin logs on, his user ID is sent to the authentication server on the KDC. A TGT is provided to Kevin, and it is encrypted with Kevin’s password (secret key). If the password is correct, the TGT is decrypted and access to the computer system is granted. The secret key resides temporarily on the computer system.
Later in the day, Kevin needs to print some documents for his meeting. Kevin’s system sends the TGT to the TGS on the KDC. The TGS creates a client/server session key and provides it to Kevin’s system, which Kevin’s system uses to authenticate to the print server. This second ticket contains the session key encrypted with Kevin’s secret key and another copy of the session key encrypted with the print server’s secret key. This second ticket also contains a timestamp and the computer system’s IP address. These components added to the second ticket are the authenticator.
Kevin’s system receives the second ticket, decrypts it with his secret key, and extracts the session key. Kevin’s system also adds a second authenticator and sends the ticket to the print server. The print server receives the second ticket, decrypts it with its own secret key, and extracts the session key and the two authenticators. If the print server is able to decrypt the session key, it knows it can trust Kevin’s system, because only the KDC could have created the ticket.
Remember that only the KDC has the key needed to encrypt the session key for the print server. Also, if the authenticators from the KDC and from Kevin’s computer system match, the print server knows the request was sent for the correct principal.
The beauty of Kerberos is that Kevin does not even need to be aware that any of this is taking place. It is the responsibility of Kerberos and the operating system to handle all of these ticket requests. Kevin merely needs to provide the correct username and password for his account.
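The three exchanges described above (client authentication with the AS, client service authorization with the TGS, and the service request to the print server), modelled end to end as an added example that is not code from this chapter or from MIT Kerberos. It follows the RFC 4120 layout, in which the TGT itself is sealed with the TGS’s own key and only the accompanying session key is sealed with the client’s key, so the client can never read or alter a ticket. The cipher is a constructed SHA-256 keystream with an HMAC tag standing in for real Kerberos encryption types, the string-to-key function is a plain hash, and the principal names, passwords, realm and field names are all made up for the demonstration. The verifier on each side performs the checks the text describes: the ticket decrypts under the verifier’s secret key (so the KDC minted it), the authenticator’s principal matches the ticket, the timestamp is within the clock-skew window and the ticket has not expired, and the print server additionally keeps a replay cache and proves its own identity back to Kevin’s system.

```python
"""Toy model of the three Kerberos exchanges: AS, TGS and AP (added example)."""
import hashlib, hmac, json, os, time

MAX_SKEW = 300              # seconds: authenticators older than this are rejected
TICKET_LIFETIME = 8 * 3600  # seconds: constructed lifetime for tickets in this demo


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key, obj):
    """Encrypt-then-MAC a dict. Toy construction standing in for Kerberos encryption types."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Return the dict, or raise ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password):
    """Stand-in for Kerberos string-to-key: the principal's long-term secret key."""
    return hashlib.sha256(password.encode()).digest()


def check_authenticator(auth, ticket_body):
    """Checks every verifier (TGS or service) performs on a ticket + authenticator pair."""
    if auth["client"] != ticket_body["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(time.time() - auth["timestamp"]) > MAX_SKEW:
        raise ValueError("authenticator timestamp outside clock-skew window")
    if time.time() > ticket_body["expires"]:
        raise ValueError("ticket expired")


class KDC:
    """Authentication service and ticket-granting service sharing one secret-key database."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}
        self.tgs_key = os.urandom(32)   # only the KDC can open a TGT

    def register(self, principal, password):
        self.keys[principal] = password_key(password)

    def as_exchange(self, client):
        """AS_REQ -> AS_REP: TGT sealed with the TGS key, session key sealed with the client's key."""
        sk = os.urandom(32).hex()
        body = {"client": client, "session_key": sk, "expires": time.time() + TICKET_LIFETIME}
        return encrypt(self.tgs_key, body), encrypt(self.keys[client], {"session_key": sk})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS_REQ -> TGS_REP: service ticket sealed with the service's key plus a new session key."""
        body = decrypt(self.tgs_key, tgt)
        tgs_sk = bytes.fromhex(body["session_key"])
        check_authenticator(decrypt(tgs_sk, authenticator), body)
        svc_sk = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": body["client"], "session_key": svc_sk, "expires": body["expires"]})
        return ticket, encrypt(tgs_sk, {"service": service, "session_key": svc_sk})


class Service:
    """An application server such as the print server; it trusts only its own key and the KDC."""
    def __init__(self, name, password):
        self.name, self.key, self.seen = name, password_key(password), set()

    def ap_exchange(self, ticket, authenticator):
        """AP_REQ -> AP_REP: a ticket that opens under our key must have been minted by the KDC."""
        body = decrypt(self.key, ticket)
        sk = bytes.fromhex(body["session_key"])
        auth = decrypt(sk, authenticator)
        check_authenticator(auth, body)
        if (auth["client"], auth["timestamp"]) in self.seen:   # replay cache
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["timestamp"]))
        return body["client"], encrypt(sk, {"timestamp": auth["timestamp"]})  # mutual auth


class Client:
    def __init__(self, name, password, kdc):
        self.name, self.key, self.kdc = name, password_key(password), kdc

    def login(self):
        self.tgt, rep = self.kdc.as_exchange(self.name)
        self.tgs_sk = bytes.fromhex(decrypt(self.key, rep)["session_key"])  # wrong password fails here

    def access(self, service):
        auth = encrypt(self.tgs_sk, {"client": self.name, "timestamp": time.time()})
        ticket, rep = self.kdc.tgs_exchange(self.tgt, auth, service.name)
        svc_sk = bytes.fromhex(decrypt(self.tgs_sk, rep)["session_key"])
        ts = time.time()
        auth = encrypt(svc_sk, {"client": self.name, "timestamp": ts})
        who, ap_rep = service.ap_exchange(ticket, auth)
        if decrypt(svc_sk, ap_rep)["timestamp"] != ts:
            raise ValueError("server failed mutual authentication")
        return who, (ticket, auth)


def run_demo():
    """Kevin logs on, prints, then the same authenticator is replayed and a bad password is tried."""
    kdc = KDC("EXAMPLE.COM")                       # constructed realm and principals
    kdc.register("kevin", "correct horse")
    kdc.register("printer", "printer-secret")
    printer = Service("printer", "printer-secret")
    kevin = Client("kevin", "correct horse", kdc)
    kevin.login()
    who, (ticket, auth) = kevin.access(printer)
    results = {"printer_accepted": who}
    try:
        printer.ap_exchange(ticket, auth)          # replaying the captured AP_REQ
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    try:
        Client("kevin", "wrong password", kdc).login()
        results["bad_password_rejected"] = False
    except ValueError:
        results["bad_password_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that Kevin’s password-derived key is used exactly once, to open the AS reply; every later step runs on short-lived session keys, which is why the secret key only needs to reside on the workstation briefly. The replay cache is keyed on (client, timestamp) and is what turns the timestamp in the authenticator into an actual replay defence: the skew window alone would still accept a captured authenticator re-sent within five minutes.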