Below is a list of terms used throughout this document.
- Authentication: Verifying the claimed identity of a principal.
- Authentication header: A record containing a Ticket and an Authenticator to be presented to a server as part of the authentication process.
- Authentication path: A sequence of intermediate realms transited in the authentication process when communicating from one realm to another.
- Authenticator: A record containing information that can be shown to have been recently generated using the session key known only by the client and server.
- Authorization: The process of determining whether a client may use a service, which objects the client is allowed to access, and the type of access allowed for each.
- Capability: A token that grants the bearer permission to access an object or service. In Kerberos, this might be a ticket whose use is restricted by the contents of the authorization data field, but which lists no network addresses, together with the session key necessary to use the ticket.
- Ciphertext: The output of an encryption function. Encryption transforms plaintext into ciphertext.
- Client: A process that makes use of a network service on behalf of a user. Note that in some cases a Server may itself be a client of some other server (e.g., a print server may be a client of a file server).
- Credentials: A ticket plus the secret session key necessary to successfully use that ticket in an authentication exchange.
- KDC: Key Distribution Center, a network service that supplies tickets and temporary session keys; or an instance of that service or the host on which it runs. The KDC services both initial ticket and ticket-granting ticket requests. The initial ticket portion is sometimes referred to as the Authentication Server (or service). The ticket-granting ticket portion is sometimes referred to as the ticket-granting server (or service).
- Kerberos: Aside from the 3-headed dog guarding Hades, the name given to Project Athena's authentication service, the protocol used by that service, or the code used to implement the authentication service.
- Plaintext: The input to an encryption function or the output of a decryption function. Decryption transforms ciphertext into plaintext.
- Principal: A uniquely named client or server instance that participates in a network communication.
- Principal identifier: The name used to uniquely identify each different principal.
- Seal: To encipher a record containing several fields in such a way that the fields cannot be individually replaced without either knowledge of the encryption key or leaving evidence of tampering.
- Secret key: An encryption key shared by a principal and the KDC, distributed outside the bounds of the system, with a long lifetime. In the case of a human user's principal, the secret key is derived from a password.
- Server: A particular Principal which provides a resource to network clients.
- Service: A resource provided to network clients; often provided by more than one server (for example, remote file service).
- Session key: A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login "session".
- Sub-session key: A temporary encryption key used between two principals, selected and exchanged by the principals using the session key, and with a lifetime limited to the duration of a single association.
- Ticket: A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh Authenticator.
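The Seal, Ticket, Authenticator and Credentials definitions above fit together as one exchange; the following added model (not part of this document, nor of any Kerberos implementation) shows a KDC sealing a ticket under the server's secret key, a client producing a fresh authenticator under the session key, and the server detecting a tampered ticket and a stale authenticator. The encrypt-then-MAC "seal", the field names, the 300-second clock skew and all key and principal values are assumptions chosen for illustration.

```python
import hashlib, hmac, json, os

# Toy seal (assumed, not a Kerberos enctype): HMAC-SHA256 keystream + HMAC-SHA256 tag, domain-separated by label.
def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, record):
    """Encipher a multi-field record so no field can be replaced undetected without the key."""
    pt, nonce = json.dumps(record, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("seal broken: record was tampered with")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def issue_ticket(server_key, client, session_key, now, lifetime=8 * 3600):
    """KDC: client identity + session key + validity window, sealed under the server's secret key."""
    return seal(server_key, {"client": client, "skey": session_key.hex(), "start": now, "end": now + lifetime})

def make_authenticator(session_key, client, now):
    """Client: shows recent possession of the session key carried inside the ticket."""
    return seal(session_key, {"client": client, "ctime": now})

def verify(server_key, ticket, authenticator, now, skew=300):
    """Server: unseal the ticket, then require a fresh authenticator that matches it."""
    t = unseal(server_key, ticket)
    if not t["start"] <= now <= t["end"]: raise ValueError("ticket expired or not yet valid")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if a["client"] != t["client"]: raise ValueError("authenticator client does not match ticket")
    if abs(now - a["ctime"]) > skew: raise ValueError("authenticator not fresh (outside clock skew): possible replay")
    return t["client"]

def demo():
    """Constructed walk-through: a good exchange, a tampered ticket, and a stale authenticator."""
    server_key, session_key = b"server-secret-key-32-bytes-long!", b"fresh-session-key-32-bytes-long!"
    now, client = 1_700_000_000, "alice@EXAMPLE.COM"
    ticket = issue_ticket(server_key, client, session_key, now)
    auth = make_authenticator(session_key, client, now + 5)
    tampered = bytearray(ticket); tampered[20] ^= 0x01  # flip one ciphertext bit: the seal must break
    def rejected(*args):
        try: verify(server_key, *args); return False
        except ValueError: return True
    return {"accepted": verify(server_key, ticket, auth, now + 10),
            "tampered_rejected": rejected(bytes(tampered), auth, now + 10),
            "stale_rejected": rejected(ticket, auth, now + 3600)}
```

Note that the authenticator alone proves nothing without the ticket that carries the session key, and the ticket alone is replayable without a fresh authenticator, which is why the two are always presented together.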