Page 278 - CISSO_Prep_ Guide
• AS sends a ticket-granting server (TGS), also part of the key distribution center (KDC), service ticket using TGT. This is encrypted with the session key.
• TGS grants service ticket #1, encrypts with the session key, and sends it to George.
• George requests service with ticket #1 using a service ticket to application server #1.
• For access to another application server, repeat the last three steps.
• SESAME:
  • Europeans developed this as an improvement to Kerberos
  • Uses public-key cryptography
  • Uses privileged attribute certificate (PAC) instead of Kerberos tickets
Access Controls
▪ Discretionary Access Control (DAC):
• Classification labeling of objects by owner.
▪ Mandatory access control (MAC):
• Uses sensitivity labels.
▪ Rule-based access control:
• Example: firewall or router access lists.
▪ Role-based access control (RBAC):
• Based on job functions.