Next: , Previous: Environmental Assumptions, Up: Reference Manual


4.2 Glossary of terms

Authentication
Verifying the claimed identity of a principal.
Authentication header
A record containing a Ticket and an Authenticator to be presented to a server as part of the authentication process.
Authentication path
A sequence of intermediate realms transited in the authentication process when communicating from one realm to another.
Authenticator
A record containing information that can be shown to have been recently generated using the session key known only by the client and server.
Authorization
The process of determining whether a client may use a service, which objects the client is allowed to access, and the type of access allowed for each.
Capability
A token that grants the bearer permission to access an object or service. In Kerberos, this might be a ticket whose use is restricted by the contents of the authorization data field, but which lists no network addresses, together with the session key necessary to use the ticket.
Ciphertext
The output of an encryption function. Encryption transforms plaintext into ciphertext.
Client
A process that makes use of a network service on behalf of a user. Note that in some cases a Server may itself be a client of some other server (e.g. a print server may be a client of a file server).
Credentials
A ticket plus the secret session key necessary to successfully use that ticket in an authentication exchange.
Encryption Type (etype)
When associated with encrypted data, an encryption type identifies the algorithm used to encrypt the data and is used to select the appropriate algorithm for decrypting the data. Encryption type tags are communicated in other messages to enumerate algorithms that are desired, supported, preferred, or allowed to be used for encryption of data between parties. This preference is combined with local information and policy to select an algorithm to be used.
KDC
Key Distribution Center, a network service that supplies tickets and temporary session keys; or an instance of that service or the host on which it runs. The KDC services both initial ticket and ticket-granting ticket requests. The initial ticket portion is sometimes referred to as the Authentication Server (or service). The ticket-granting ticket portion is sometimes referred to as the ticket-granting server (or service).
Kerberos
The name given to the Project Athena's authentication service, the protocol used by that service, or the code used to implement the authentication service. The name is adopted from the three-headed dog which guards Hades.
Key Version Number (kvno)
A tag associated with encrypted data identifies which key was used for encryption when a long lived key associated with a principal changes over time. It is used during the transition to a new key so that the party decrypting a message can tell whether the data was encrypted using the old or the new key.
Plaintext
The input to an encryption function or the output of a decryption function. Decryption transforms ciphertext into plaintext.
Principal
A named client or server entity that participates in a network communication, with one name that is considered canonical.
Principal identifier
The canonical name used to uniquely identify each different principal.
Seal
To encipher a record containing several fields in such a way that the fields cannot be individually replaced without either knowledge of the encryption key or leaving evidence of tampering.
Secret key
An encryption key shared by a principal and the KDC, distributed outside the bounds of the system, with a long lifetime. In the case of a human user's principal, the secret key MAY be derived from a password.
Server
A particular Principal which provides a resource to network clients. The server is sometimes referred to as the Application Server.
Service
A resource provided to network clients; often provided by more than one server (for example, remote file service).
Session key
A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login "session". In the Kerberos system, a session key is generated by the KDC. The session key is distinct from the sub-session key, described next..
Sub-session key
A temporary encryption key used between two principals, selected and exchanged by the principals using the session key, and with a lifetime limited to the duration of a single association. The sub- session key is also referred to as the subkey.
Ticket
A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh Authenticator.