Next: Useful KDC parameters to
Up: Introduction
Previous: Fundamental assumptions about the
Contents
Index
Below is a list of terms used throughout this document.
- Authentication
- Verifying the claimed identity of a principal.
- Authentication header
- A record containing a Ticket and an Authenticator to be presented to a
server as part of the authentication process.
- Authentication path
- A sequence of intermediate realms transited in the authentication
process when communicating from one realm to another.
- Authenticator
- A record containing information that can be shown to
have been recently generated using the session key known only by the
client and server.
- Authorization
- The process of determining whether a client may use a
service, which objects the client is allowed to access, and the
type of access allowed for each.
- Ciphertext
- The output of an encryption function. Encryption transforms plaintext
into ciphertext.
- Client
- A process that makes use of a network service on behalf of a
user. Note that in some cases a Server may itself be a client of
some other server (e.g. a print server may be a client of a file server).
- Credentials
- A ticket plus the secret session key necessary to
successfully use that ticket in an authentication exchange.
- KDC
- Key Distribution Center, a network service that supplies
tickets and temporary session keys; or an
instance of that service or the host on which it runs.
The KDC services both initial ticket and ticket-granting ticket
requests.
The initial ticket portion is sometimes referred to as the
Authentication Server (or service).
The ticket-granting ticket portion is sometimes referred to as the
ticket-granting server (or service).
- Kerberos
- Aside from the 3-headed dog guarding Hades, the name given
to Project Athena's authentication service, the protocol used by that
service, or the code used to implement the authentication service.
- Plaintext
- The input to an encryption function or the output of a decryption
function. Decryption transforms ciphertext into plaintext.
- Principal
- A uniquely named client or server instance that participates in
a network communication.
- Principal identifier
- The name used to uniquely identify each different
principal.
- Seal
- To encipher a record containing several fields in such a way
that the fields cannot be individually replaced without either
knowledge of the encryption key or leaving evidence of tampering.
- Secret key
- An encryption key shared by a principal and the KDC,
distributed outside the bounds of the system, with a long lifetime.
In the case of a human user's principal, the secret key is derived from a
password.
- Server
- A particular Principal which provides a resource to network clients.
- Service
- A resource provided to network clients; often provided by more than one
server (for example, remote file service).
- Session key
- A temporary encryption key used between two principals,
with a lifetime limited to the duration of a single login
session.
- Sub-session key
- A temporary encryption key used between two
principals, selected and exchanged by the principals using the session
key, and with a lifetime limited to the duration of a single
association.
- Ticket
- A record that helps a client authenticate itself to a server; it contains
the client's identity, a session key, a timestamp, and other
information, all sealed using the server's secret key. It only serves to
authenticate a client when presented along with a fresh Authenticator.
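The relationships among Ticket, Authenticator, Credentials, Seal, Secret key and Session key above are easier to see in one round trip. The following is an added example, not code from the original document or from any Kerberos implementation: the KDC seals a ticket under the server's secret key, returns credentials (ticket plus session key) sealed under the client's secret key, the client pairs the ticket with a fresh authenticator sealed under the session key, and the server checks ticket validity, identity agreement between ticket and authenticator, freshness against a clock-skew window, and a replay cache. The "seal" primitive is a toy encrypt-then-MAC built from HMAC-SHA256 (an assumption standing in for a real Kerberos encryption type), and the principal names, key values, lifetimes and skew window are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

# Toy "seal" (assumption: encrypt-then-MAC from HMAC-SHA256, not a real
# Kerberos enctype). The keystream hides the fields; the MAC over nonce+ct
# means no field can be replaced, reordered or cut without the key, and any
# attempt leaves evidence in the form of a failed tag check.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, record):
    pt = json.dumps(record, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("seal broken: wrong key or record tampered with")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed principals and long-term secret keys (known to the principal
# and the KDC only). The user's key is derived from a password; the toy KDF
# here is a bare hash, which a real deployment must not use.
CLIENT = "alice@EXAMPLE.COM"
SERVER = "host/fs.example.com@EXAMPLE.COM"
SECRET_KEYS = {
    CLIENT: hashlib.sha256(b"alice's password").digest(),
    SERVER: os.urandom(32),
}
TICKET_LIFETIME = 8 * 3600   # seconds (assumed ticket lifetime)
CLOCK_SKEW = 300             # seconds of clock drift the server tolerates (assumed)

def kdc_issue_credentials(client, server, now):
    """KDC: mint a session key, seal a ticket under the server's secret key,
    return credentials (ticket + session key) sealed under the client's key."""
    session_key = os.urandom(32)
    ticket = seal(SECRET_KEYS[server], {
        "client": client, "server": server, "session_key": session_key.hex(),
        "authtime": now, "endtime": now + TICKET_LIFETIME})
    return seal(SECRET_KEYS[client], {
        "server": server, "ticket": ticket.hex(), "session_key": session_key.hex()})

def client_build_auth_header(client, creds_blob, now):
    """Client: open the credentials with its own key, then pair the ticket
    with a freshly generated authenticator sealed under the session key."""
    creds = unseal(SECRET_KEYS[client], creds_blob)
    session_key = bytes.fromhex(creds["session_key"])
    authenticator = seal(session_key, {"client": client, "ctime": now, "nonce": os.urandom(8).hex()})
    return {"ticket": bytes.fromhex(creds["ticket"]), "authenticator": authenticator}

def server_verify(server, header, now, replay_cache):
    """Server: open the ticket with its secret key, recover the session key,
    then require a fresh, unreplayed authenticator naming the same client."""
    ticket = unseal(SECRET_KEYS[server], header["ticket"])
    if ticket["server"] != server:
        raise ValueError("ticket was issued for a different server")
    if not ticket["authtime"] - CLOCK_SKEW <= now <= ticket["endtime"]:
        raise ValueError("ticket not yet valid or expired")
    session_key = bytes.fromhex(ticket["session_key"])
    # Opening the authenticator proves the sender holds the session key.
    auth = unseal(session_key, header["authenticator"])
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator identity does not match ticket")
    if abs(now - auth["ctime"]) > CLOCK_SKEW:
        raise ValueError("authenticator is not fresh")
    seen = (auth["client"], auth["ctime"], auth["nonce"])
    if seen in replay_cache:
        raise ValueError("authenticator replayed")
    replay_cache.add(seen)
    return ticket["client"], session_key

def _rejected(fn):
    try:
        fn()
        return False
    except ValueError:
        return True

def run_demo(now=1_700_000_000):
    """Walk the exchange once and report which server-side checks fired."""
    creds = kdc_issue_credentials(CLIENT, SERVER, now)
    header = client_build_auth_header(CLIENT, creds, now + 10)
    cache = set()
    accepted, _ = server_verify(SERVER, header, now + 12, cache)
    # Flip one bit of the sealed ticket: the seal must reveal the tampering.
    tampered = dict(header, ticket=bytes([header["ticket"][0] ^ 1]) + header["ticket"][1:])
    late = now + 9 * 3600   # authenticator fresh, but the ticket has expired
    return {
        "accepted": accepted,
        "replay_rejected": _rejected(lambda: server_verify(SERVER, header, now + 13, cache)),
        "stale_rejected": _rejected(lambda: server_verify(SERVER, header, now + 1000, set())),
        "tamper_rejected": _rejected(lambda: server_verify(SERVER, tampered, now + 12, set())),
        "expired_rejected": _rejected(lambda: server_verify(
            SERVER, client_build_auth_header(CLIENT, creds, late), late, set())),
    }

if __name__ == "__main__":
    print(run_demo())
```

Note that the server never sees the client's secret key: it learns the session key only by opening the ticket with its own key, and the authenticator is what turns a possibly stolen ticket into evidence that the presenter currently holds that session key. The replay cache is keyed on the authenticator's client, time and nonce, which is why an authenticator must be generated afresh for each presentation.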
Autobuild
2009-09-05