Difference between revisions of "Glossary"
From K5Wiki
(New page: This page exists to help demystify the Kerberos acronym soup. When adding an entry, please include a brief description of the term, as well as a link to where more information can be foun...) |
(No difference)
|
Revision as of 18:22, 8 April 2009
This page exists to help demystify the Kerberos acronym soup. When adding an entry, please include a brief description of the term, as well as a link to where more information can be found if the term is not defined in RFC 4120.
- AS: Authentication Service -- The conceptual part of a KDC which is used to obtain initial credentials using a password or stored key.
- AD: Active Directory -- A Microsoft product which makes use of a Kerberos implementation.
- AD: Authorization Data -- Contained within the encrypted part of a ticket, the authorization data contains information communicated from the KDC to a service which may restrict the use of the ticket.
- etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentially and integrity of information. Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1. Many etypes are specified in RFC 3961 and RFC 3962.
- FAST: Flexible Authentication Secure Tunneling -- An extension of the Kerberos AS and TGS exchanges which increases the security of the communication path between the client and KDC. Defined in an Internet draft at this time. A pre-authentication mechanism which works with the FAST extension is called a FAST factor.
- GSSAPI: Generic Security Services Application Programming Interface -- An API which applications can use to access multiple token-based authentication mechanisms including Kerberos. Also the only consistent API across different Kerberos implementations. Defined in RFC 2743; the network protocol for the Kerberos GSSAPI mechanism is defined in RFC 4121.
- KDB: Kerberos Database -- The database of principals and keys used by a KDC in the MIT Kerberos implementation.
- KDC: Key Distribution Center -- A server which implements the conceptual AS and TGS services to provide authentication tickets to clients.
- PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses. These were initially specified to support pre-authentication mechanisms but have also used to extend the Kerberos protocol in other ways.
- PAC: Privilege Access Certificate -- A Microsoft-defined authorization data type. More information available here.
- SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP. Kerberos is often used within SASL by means of SASL's GSSAPI mechanism. SASL is specified in RFC 2222, as is the GSSAPI SASL mechanism.
- SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism -- A GSSAPI mechanism which can be used to negotiate which of several real mechanisms should be used. Defined in RFC 2478.
- TGS: Ticket-Granting Service -- The conceptual part of a KDC which is used to obtain service tickets using a TGT.
- TGT: Ticket-Granting Ticket -- A ticket with a specially named service principal, which can be used to obtain additional service tickets from the TGT.