In preparation for my CISSP I will collect sources and notes here.
I am reading CISSP for Dummies. I originally bought a much denser book but after learning that the CISSP certification is 50 miles wide and 10 inches deep, I figured a less dense book would suffice, and more importantly save me some time.
I went into CISSP for Dummies knowing that it would probably only go about 5 inches deep and that I would need to identify my areas of weakness and do more research to complement what I am reading. What follows is the other 5 inches addressing the areas I needed more work in.
Kerberos: http://www.youtube.com/watch?v=7-LjpO2nTJo&feature=related. I found this video to be very helpful. It is easy to get lost in all the keys and exchanges, especially when trying to read it in text format. In summary and from a higher more memorable level:
A secure connection between the client and authentication server is established by encrypting the traffic with the client's secret key. This secret key is based on the password that is stored in the authentication server. The user on the client computer enters a password and it is used to decrypt the messages from the authentication server. If it is not the right password then the messages will not be decipherable and the process halts. Over this secure connection, the Authentication Server sends the client it's Ticket Generating Service Session Key. It also sends it an encrypted message that only the Ticket Generating Service can decrypt. The client simply forwards this message along to the Ticket Generating Service.
When the Ticket Generating Service receives the message from the Authentication Server via the client it decrypts it using a secret key that only the Authentication Server and the Ticket Generating Service know. This reveals the Ticket Generating Service Session key and client associated with the key.
Next the Client establishes a secure connection with the Ticket Generating Service by using the Ticket Generating Service Session key that only Ticket Generating Service and the Client know. This is a dynamic key that was generated by the Authentication Server and not only establishes a secure connection between the Ticket Generating Service and the Client but also limits the time the connection can last.
Over this secure connection, the Ticket Generating Service sends the client a Client/Server Session key. It also sends an encrypted message to be sent to the Server that includes the Client/Server Session key and Client ID and time limit associated with the key.
Now the Server and Client can establish mutual trust.
In layman's terms:
You go to the security gate of a building and ask to go to the accounting department. The security guard verifies your identity and gives you a document that he signs stating that you are who you say you are and that you are allowed to go to the receptionist.
You arrive at the receptionist and she takes the document, verifies the signature, verifies that you are the person identified in the document and gives you a new signed document stating that you can go to the accounting department.
Upon arriving at the accounting department, they take the document, verify the signature, verify that you are the person identified in the document, and then asks, "so what can we do for you?"
And after all that, now imagine that this makes Single Sign On possible - in other words this is supposed to reduce complexity by reducing the number of logons needed to enter various systems.