A record containing a Ticket and an Authenticator to be presented
to a server as part of the authentication process.
Authentication path
A sequence of intermediate realms transited in the authentication
process when communicating from one realm to another.
Authenticator
A record containing information that can be shown to have been
recently generated using the session key known only by the client
and server.
Authorization
The process of determining whether a client may use a service,
which objects the client is allowed to access, and the type of
access allowed for each.
Capability
A token that grants the bearer permission to access an object or
service. In Kerberos, this might be a ticket whose use is
restricted by the contents of the authorization data field, but
which lists no network addresses, together with the session key
necessary to use the ticket.
Ciphertext
The output of an encryption function. Encryption transforms
plaintext into ciphertext.
Client
A process that makes use of a network service on behalf of a user.
Note that in some cases a Server may itself be a client of some
other server (e.g. a print server may be a client of a file
server).
Credentials
A ticket plus the secret session key necessary to successfully use
that ticket in an authentication exchange.
Encryption Type (etype)
When associated with encrypted data, an encryption type identifies
the algorithm used to encrypt the data and is used to select the
appropriate algorithm for decrypting the data. Encryption type
tags are communicated in other messages to enumerate algorithms
that are desired, supported, preferred, or allowed to be used for
encryption of data between parties. This preference is combined
with local information and policy to select an algorithm to be
used.
KDC
Key Distribution Center, a network service that supplies tickets
and temporary session keys; or an instance of that service or the
host on which it runs. The KDC services both initial ticket and
ticket-granting ticket requests. The initial ticket portion is
sometimes referred to as the Authentication Server (or service).
The ticket-granting ticket portion is sometimes referred to as the
ticket-granting server (or service).
Kerberos
The name given to the Project Athena's authentication service, the
protocol used by that service, or the code used to implement the
authentication service. The name is adopted from the three-headed
dog which guards Hades.
Key Version Number (kvno)
A tag associated with encrypted data identifies which key was used
for encryption when a long lived key associated with a principal
changes over time. It is used during the transition to a new key
so that the party decrypting a message can tell whether the data
was encrypted using the old or the new key.
Plaintext
The input to an encryption function or the output of a decryption
function. Decryption transforms ciphertext into plaintext.
Principal
A named client or server entity that participates in a network
communication, with one name that is considered canonical.
Principal identifier
The canonical name used to uniquely identify each different
principal.
Seal
To encipher a record containing several fields in such a way that
the fields cannot be individually replaced without either
knowledge of the encryption key or leaving evidence of tampering.
Secret key
An encryption key shared by a principal and the KDC, distributed
outside the bounds of the system, with a long lifetime. In the
case of a human user's principal, the secret key MAY be derived
from a password.
Server
A particular Principal which provides a resource to network
clients. The server is sometimes referred to as the Application
Server.
Service
A resource provided to network clients; often provided by more
than one server (for example, remote file service).
Session key
A temporary encryption key used between two principals, with a
lifetime limited to the duration of a single login "session". In
the Kerberos system, a session key is generated by the KDC. The
session key is distinct from the sub-session key, described next..
Sub-session key
A temporary encryption key used between two principals, selected
and exchanged by the principals using the session key, and with a
lifetime limited to the duration of a single association. The sub-
session key is also referred to as the subkey.
Ticket
A record that helps a client authenticate itself to a server; it
contains the client's identity, a session key, a timestamp, and
other information, all sealed using the server's secret key. It
only serves to authenticate a client when presented along with a
fresh Authenticator.