The statement that a Ticket-Granting Ticket (TGT) can be used indefinitely is fundamentally incorrect. A core security principle of the Kerberos protocol is that all tickets, including the TGT, have a defined and limited lifetime. This lifetime is configured by the Kerberos administrator and is enforced by the Key Distribution Center (KDC). This finite validity period is crucial for mitigating security risks, such as replay attacks and the misuse of compromised credentials. Once a TGT expires, the client must re-authenticate with the Authentication Service to obtain a new one.

A. TGT stands for Ticket-Granting Ticket, not Ticket Authorization Ticket. It is generated by the Authentication Service (AS), which is a component of the KDC.

C. This statement is correct. Kerberos clients store the TGT and subsequent service tickets in a local credentials cache, which can be a file (e.g., /tmp/krb5ccUID on Unix-like systems) or a dedicated memory area.

D. This statement is inaccurate. A TGT contains the client's network address (IP), not the server's. This binding of the ticket to a client address is a security measure to prevent its use from another machine.

1. IETF RFC 4120, "The Kerberos Network Authentication Service (V5)":

Section 1.3, "Tickets": This section explicitly states, "Each ticket has a limited lifetime." This directly refutes option B.

Section 5.3.1, "Ticket": The formal definition of a ticket includes the endtime field, which specifies the expiration time, and the caddr field, which contains the client's network address, refuting the claims in options B and D.

2. MIT Kerberos Documentation, "Kerberos V5 System Administrator's Guide":

Chapter 2, "How Kerberos Works": The documentation explains, "The TGT has a lifetime (typically about ten hours). When it expires, you must re-authenticate to the KDC to get a new one." This confirms the finite lifetime of the TGT. It also mentions, "The ticket is stored in a local credentials cache," which validates option C.

3. Neuman, B. C., & Ts'o, T. (1994). Kerberos: An Authentication Service for Computer Networks. IEEE Communications Magazine, 32(9), 33-38. https://doi.org/10.1109/35.312841:

Section "Tickets and Authenticators" (p. 34): The paper, authored by the creators of Kerberos, describes tickets containing a lifetime and a client network address. This foundational document confirms that finite lifetimes and client address binding are integral to the protocol's design.