Glossary of Terms

ASN.1

Abstract Syntax Notation One. ASN.1 is a notation used to describe messages as a sequence of typed components, each of which may itself be a sequence. Kerberos uses ASN.1 to define the layout of its protocol messages and tickets, and transmits them using DER, the Distinguished Encoding Rules, so every field on the wire is a tag, a length, and a value. Unless you are a software developer, you do not need to gain an understanding of ASN.1.
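To make "a sequence of components, which may be sequences also" concrete, here is an added example (not from the original page) that walks DER, the encoding Kerberos uses for its ASN.1 messages, and decodes the PrincipalName type defined in RFC 4120 (name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString). The two sample encodings are constructed by hand for this example and are not captured traffic; the tag-number constants are the standard universal ASN.1 values.

```python
"""DER walker for Kerberos ASN.1 messages; an added example, not from the page."""

UNIVERSAL, APPLICATION, CONTEXT, PRIVATE = 0, 1, 2, 3
SEQUENCE, INTEGER, GENERAL_STRING = 16, 2, 27   # universal tag numbers


def read_tlv(buf, pos=0):
    """Decode one Tag-Length-Value element starting at buf[pos].
    Returns (tag_class, constructed, tag_number, value_bytes, end_offset).
    Every length is checked against the buffer so a truncated or
    malicious message raises instead of reading past the end."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag byte")
    first = buf[pos]
    tag_class, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    pos += 1
    if number == 0x1F:                       # high-tag-number form, base-128 digits
        number = 0
        while True:
            if pos >= len(buf):
                raise ValueError("truncated: tag")
            b = buf[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    if pos >= len(buf):
        raise ValueError("truncated: no length byte")
    length = buf[pos]
    pos += 1
    if length & 0x80:                        # long form: low bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        if pos + n > len(buf):
            raise ValueError("truncated: length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated: value runs past end of buffer")
    return tag_class, constructed, number, buf[pos:end], end


def decode(buf):
    """Recursively decode a DER blob into (class, number, value); for a
    constructed element value is a list of decoded children."""
    tag_class, constructed, number, value, end = read_tlv(buf)
    if end != len(buf):
        raise ValueError("trailing bytes after element")
    if not constructed:
        return (tag_class, number, value)
    children, pos = [], 0
    while pos < len(value):
        _, _, _, _, nxt = read_tlv(value, pos)
        children.append(decode(value[pos:nxt]))
        pos = nxt
    return (tag_class, number, children)


def is_valid_der(buf):
    try:
        decode(buf)
        return True
    except ValueError:
        return False


def parse_principal_name(der):
    """PrincipalName ::= SEQUENCE { name-type   [0] Int32,
                                   name-string [1] SEQUENCE OF KerberosString }"""
    tag_class, number, fields = decode(der)
    if (tag_class, number) != (UNIVERSAL, SEQUENCE):
        raise ValueError("PrincipalName must be a SEQUENCE")
    name_type = name_string = None
    for fclass, fnum, fval in fields:
        if fclass != CONTEXT:
            raise ValueError("unexpected non-context field in PrincipalName")
        if fnum == 0:                                    # [0] Int32
            (_, num, raw), = fval
            if num != INTEGER:
                raise ValueError("name-type must be an INTEGER")
            name_type = int.from_bytes(raw, "big", signed=True)
        elif fnum == 1:                                  # [1] SEQUENCE OF GeneralString
            (_, num, items), = fval
            if num != SEQUENCE:
                raise ValueError("name-string must be a SEQUENCE")
            name_string = []
            for _, n, s in items:
                if n != GENERAL_STRING:
                    raise ValueError("name component must be a GeneralString")
                name_string.append(s.decode("ascii"))
    if name_type is None or name_string is None:
        raise ValueError("PrincipalName is missing a mandatory field")
    return name_type, name_string


# Constructed sample encodings for this example (not captured traffic):
# user principal "alice": name-type 1 (NT-PRINCIPAL), name-string ["alice"]
SAMPLE_USER = bytes.fromhex("3010a003020101a10930071b05616c696365")
# service principal "HTTP/www.example.com": name-type 3 (NT-SRV-HST)
SAMPLE_SERVICE = bytes.fromhex(
    "3020a003020103a11930171b04485454501b0f7777772e6578616d706c652e636f6d")

if __name__ == "__main__":
    print(parse_principal_name(SAMPLE_USER))      # (1, ['alice'])
    print(parse_principal_name(SAMPLE_SERVICE))   # (3, ['HTTP', 'www.example.com'])
```

The length checks in read_tlv are the part worth copying: a Kerberos message arrives from the network, and a decoder that trusts the length octets is exactly the kind of code that has produced out-of-bounds reads in real ASN.1 libraries.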

Authenticator

A record containing information that can be shown to have been recently generated using the session key known only by the client and server. (Definition taken from RFC 1510.) In practice the authenticator carries the client's name and a timestamp, encrypted under the session key; the server checks the timestamp against its clock and against a replay cache so that a captured authenticator cannot be replayed.

Credentials

A ticket for a server together with the session key embedded in that ticket. The pair is what a client presents to authenticate itself to the server as the principal.

Cross-Realm Authentication

Kerberos has the ability for a KDC in one realm to authenticate a principal from another realm if a secret is shared between the KDCs of both realms. This inter-realm authentication is called cross-realm authentication.

Data Encryption Standard [DES]

An encryption algorithm which was the official algorithm of the United States Government. It was developed by IBM with assistance from the NSA. The algorithm is a sixteen round block cipher which uses a 64 bit block and a 56 bit key. The 56 bit key is far too short for modern hardware, and the DES encryption types have been deprecated for Kerberos by RFC 6649; new deployments should use the AES encryption types.

Forwardable Ticket

A ticket flag, set by the KDC at the client's request, which allows the holder to obtain a new TGT for the same principal carrying a different set of network addresses. In effect, a forwardable TGT lets the authenticated principal hand a working TGT to another machine (for example through GSS-API credential delegation when logging in to a remote host) so that the remote host can request tickets on the principal's behalf. Forward only to hosts you trust: whoever holds the forwarded TGT can act as you until it expires.

Generic Security Services Application Programming Interface [GSS-API]

A programming interface (defined in RFC 2743, with C language bindings in RFC 2744) which provides security services such as authentication, integrity, and confidentiality to its callers independently of the underlying mechanism. Kerberos is one mechanism that can be used beneath it.

Key Distribution Center [KDC]

The machine and software which perform the role of the trusted arbitrator in the Kerberos protocol. The KDC holds the secret keys of every principal in its realm and runs both the Authentication Service, which issues TGTs, and the Ticket Granting Service.

Kerberos

An authentication protocol in which a trusted third party, an arbitrator, is relied upon to authenticate clients and servers to one another on a TCP/IP network. The protocol is designed so that encrypted tickets, rather than plaintext passwords, are transmitted over the network, providing secure network authentication.

Kerberize

(v.) The act of modifying a system, service, or piece of software to make use of the Kerberos protocol to perform authentication. (adj. kerberized) A system, service, or piece of software which supports authentication through Kerberos.

Network Time Protocol [NTP]

A protocol used to synchronize the clocks of hosts and routers on the Internet. Kerberos depends on synchronized clocks: tickets and authenticators carry timestamps, and the KDC and servers reject requests whose timestamp differs from their own clock by more than the permitted skew (five minutes in the default MIT Kerberos configuration). Unsynchronized clocks are the most common cause of otherwise unexplained authentication failures.

Postdatable ticket

In Kerberos 5, a ticket which is issued with the INVALID flag set and which becomes usable at some time in the future, once its start time has passed and the client has asked the KDC to validate it. Normal Kerberos tickets are valid from the time they are issued until the time that they expire.

Preauthentication

Additional authentication which must be satisfied before the KDC grants a TGT to a principal. The usual form is an encrypted timestamp: the client proves knowledge of its long-term key before the KDC releases anything encrypted under that key. Without preauthentication anyone can request a TGT for any principal and attack the encrypted reply offline with a dictionary. A biometric check is another possible preauthentication mechanism.

Principal

A user or service for which a secret key is stored in the KDC database. A principal name has the form name@REALM for users, or service/hostname@REALM for services.

Proxiable Ticket

In Kerberos 5, a ticket flag which allows the holder to request service tickets, but not a new TGT, carrying a different set of network addresses, so that a proxy on another machine can use them on the principal's behalf. Compare Forwardable Ticket, which permits a new TGT as well.

Realm

The administrative domain of a Kerberos deployment. Specifically, the set of principals for which one KDC (and its replicas) is trusted to authenticate. By convention a realm name is the organization's DNS domain in upper case.

Renewable Ticket

In Kerberos 5, a ticket which carries a renew-till time beyond its normal expiry. As long as the ticket has not yet expired, the principal can present it to the KDC and receive a fresh ticket with a new expiry; this may be repeated until the renew-till time of the original ticket is reached, after which a new ticket must be obtained with the password or keytab. Renewal lets long-running jobs keep valid credentials without caching a password, but a ticket that is allowed to expire cannot be renewed.
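The lifetime rules behind the Postdatable ticket and Renewable ticket entries above, written out as an added example (not code from the original page or from any Kerberos implementation). The rules follow RFC 4120 section 3.3.3: a renewed ticket starts now and ends at the earlier of now plus the old lifetime and the renew-till time, and a postdated ticket is issued INVALID and may be validated only after its start time. The sample times and the "typical kinit -r 7d" shape of the tickets are constructed for the example.

```python
"""Ticket lifetime rules for postdated and renewable tickets; an added example."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

RENEWABLE, POSTDATED, INVALID = "RENEWABLE", "POSTDATED", "INVALID"


@dataclass(frozen=True)
class Ticket:
    starttime: datetime
    endtime: datetime
    renew_till: Optional[datetime]   # only meaningful when RENEWABLE is set
    flags: FrozenSet[str]


def is_usable(t: Ticket, now: datetime) -> bool:
    """A server accepts a ticket only if it is not INVALID and now lies
    inside [starttime, endtime)."""
    return INVALID not in t.flags and t.starttime <= now < t.endtime


def validate(t: Ticket, now: datetime) -> Ticket:
    """KDC VALIDATE option: a postdated ticket is issued with INVALID set;
    once its start time has passed the client asks the KDC to clear the flag.
    Before the start time the request is refused."""
    if INVALID not in t.flags:
        raise ValueError("ticket is already valid; nothing to validate")
    if now < t.starttime:
        raise ValueError("postdated ticket is not yet valid")
    return replace(t, flags=t.flags - {INVALID})


def renew(t: Ticket, now: datetime) -> Ticket:
    """KDC RENEW option: the ticket must be renewable, not yet expired, and
    still before its renew-till. The new ticket starts now and ends at the
    earlier of (now + old lifetime) and renew-till."""
    if RENEWABLE not in t.flags or t.renew_till is None:
        raise ValueError("ticket is not renewable")
    if now >= t.endtime:
        raise ValueError("ticket has expired; renewal refused, obtain a new one")
    if now >= t.renew_till:
        raise ValueError("renew-till reached; renewal refused")
    lifetime = t.endtime - t.starttime
    return replace(t, starttime=now, endtime=min(now + lifetime, t.renew_till))


def can_renew(t: Ticket, now: datetime) -> bool:
    try:
        renew(t, now)
        return True
    except ValueError:
        return False


def can_validate(t: Ticket, now: datetime) -> bool:
    try:
        validate(t, now)
        return True
    except ValueError:
        return False


# Constructed sample times for this example
T = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
H, D = timedelta(hours=1), timedelta(days=1)
# 10-hour TGT with a 7-day renewable lifetime (the shape of "kinit -r 7d")
RENEWABLE_TGT = Ticket(T, T + 10 * H, T + 7 * D, frozenset({RENEWABLE}))
# renewable TGT in its last hours: 4-hour lifetime, ending exactly at renew-till
NEAR_END_TGT = Ticket(T + 6 * D + 20 * H, T + 7 * D, T + 7 * D, frozenset({RENEWABLE}))
# ticket requested now for a batch job that starts tomorrow
POSTDATED_TGT = Ticket(T + D, T + D + 10 * H, None, frozenset({POSTDATED, INVALID}))

if __name__ == "__main__":
    r = renew(RENEWABLE_TGT, T + 9 * H)
    print("renewed:", r.starttime, "->", r.endtime)
    print("renew after expiry allowed?", can_renew(RENEWABLE_TGT, T + 11 * H))
    print("postdated usable before validation?", is_usable(POSTDATED_TGT, T + D + H))
    print("usable after validation?", is_usable(validate(POSTDATED_TGT, T + D + H), T + D + H))
```

The two refusals are the ones that bite in practice: a renewable ticket that was allowed to expire is not renewable any more (renew it from a cron job before the end time, not after), and a renewal in the last hours is silently capped at renew-till, so the job still needs fresh credentials before then.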

Salt

A value mixed with a plaintext password when deriving the principal's secret key, so that the same password yields different keys for different principals. In Kerberos 5 the default salt is the realm name followed by the components of the principal name. A salt does not make any one key harder to guess; it stops an attacker from precomputing a single dictionary of derived keys and reusing it against every principal in the realm.
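An added example (not from the original page) showing what the salt buys and what it does not. It implements the RFC 4120 default salt and the first stage of the RFC 3962 AES string-to-key function, which is PBKDF2-HMAC-SHA1 over the password and salt with 4096 iterations; the final DK step of RFC 3962, which needs AES, is omitted here on the assumption that it does not change the salting behaviour being demonstrated, so the derived values are not real Kerberos keys. The principal names and word list are constructed for the example.

```python
"""Kerberos password salting; an added example, not code from the page."""
import hashlib

ITERATIONS = 4096   # RFC 3962 default PBKDF2 iteration count for the AES enctypes
KEYLEN = 16         # aes128-cts-hmac-sha1-96 key length in bytes


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: the realm name followed by the principal's name
    components, concatenated with no separators."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode("utf-8")


def string_to_key_stage1(password: str, salt: bytes, keylen: int = KEYLEN) -> bytes:
    """PBKDF2 stage of the RFC 3962 string-to-key function. The real enctype then
    applies DK(result, "kerberos") with AES; that step is omitted here
    (assumption: it does not affect the salting behaviour shown)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, keylen)


def build_table(salt: bytes, wordlist) -> dict:
    """Precomputed dictionary of candidate keys. Because the salt is an input,
    a table is only good for the one principal whose salt it was built with."""
    return {string_to_key_stage1(word, salt): word for word in wordlist}


def lookup(table: dict, key: bytes):
    """Return the password behind a derived key if it is in the table."""
    return table.get(key)


# Constructed sample data for this example
WORDLIST = ["password", "hunter2", "Winter2024!", "letmein"]
ALICE = "alice@EXAMPLE.COM"
BOB = "bob@EXAMPLE.COM"

if __name__ == "__main__":
    shared_password = "hunter2"          # both users chose the same password
    k_alice = string_to_key_stage1(shared_password, default_salt(ALICE))
    k_bob = string_to_key_stage1(shared_password, default_salt(BOB))
    print("same password, same key?", k_alice == k_bob)            # False
    table = build_table(default_salt(ALICE), WORDLIST)             # built for alice only
    print("alice cracked:", lookup(table, k_alice))                # hunter2
    print("bob cracked with alice's table:", lookup(table, k_bob))  # None
```

Note what the last line does and does not show: bob's key is not found with alice's table, but an attacker who holds bob's salt (it is derived from his name, and the KDC sends it in the ETYPE-INFO2 preauthentication hint) can build a second table and crack the same password again. The salt multiplies the attacker's work by the number of principals; only a strong password or preauthentication that never exposes the key protects a single account.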

Stash File

A disk store of secret keys, in particular the KDC's master key, kept so that the KDC can start and decrypt its database without an administrator typing the master password. It must be readable only by the KDC process: anyone who can read the stash file can decrypt every key in the realm.

Ticket

A data message consisting of the client's identity, a session key, a timestamp, and other information, all encrypted with the server's secret key. It is used to perform authentication. Because only the KDC and the server know that key, the client cannot read or alter the ticket it carries.

Ticket Granting Service [TGS]

A service which is capable of and authorized to issue tickets to clients after they have acquired a Ticket Granting Ticket (TGT).

Ticket Granting Ticket [TGT]

A ticket for the Ticket Granting Service itself, encrypted with the TGS's own key (the krbtgt principal of the realm) and containing a session key to be used in communication between the client and the KDC. The client presents it, instead of its password, each time it needs a ticket for another service.

Transitive Cross-Realm Authentication

In Kerberos 5, the ability to chain trust between realms, building in effect a trust path, so that a principal in realm X who wishes to authenticate to a service in realm Z does not need the KDC for realm X to share a secret with realm Z if both realm X and realm Z share a secret with realm Y. Realm Y serves as a "hop" in the trust path. The realms traversed are recorded in the ticket's transited field, so the final realm can decide whether to accept that path.

Triple DES

A variant of DES in which data is encrypted three times with standard DES (encrypt, decrypt, encrypt) using either two or three different keys. The Kerberos des3-cbc-sha1 encryption type uses three independent keys. Triple DES is slow, and RFC 8429 deprecates it for Kerberos in favour of the AES encryption types.