
Difference between revisions of "Glossary"

From K5Wiki

Revision as of 18:22, 8 April 2009

This page exists to help demystify the Kerberos acronym soup. When adding an entry, please include a brief description of the term, as well as a link to where more information can be found if the term is not defined in RFC 4120.

  • AS: Authentication Service -- The conceptual part of a KDC which is used to obtain initial credentials using a password or stored key.
  • AD: Active Directory -- A Microsoft product which makes use of a Kerberos implementation.
  • AD: Authorization Data -- Contained within the encrypted part of a ticket, the authorization data contains information communicated from the KDC to a service which may restrict the use of the ticket.
  • etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentiality and integrity of information. Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1. Many etypes are specified in RFC 3961 and RFC 3962.
  • FAST: Flexible Authentication Secure Tunneling -- An extension of the Kerberos AS and TGS exchanges which increases the security of the communication path between the client and KDC. Defined in an Internet draft at this time. A pre-authentication mechanism which works with the FAST extension is called a FAST factor.
  • GSSAPI: Generic Security Services Application Programming Interface -- An API which applications can use to access multiple token-based authentication mechanisms including Kerberos. Also the only consistent API across different Kerberos implementations. Defined in RFC 2743; the network protocol for the Kerberos GSSAPI mechanism is defined in RFC 4121.
  • KDB: Kerberos Database -- The database of principals and keys used by a KDC in the MIT Kerberos implementation.
  • KDC: Key Distribution Center -- A server which implements the conceptual AS and TGS services to provide authentication tickets to clients.
  • PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses. These were initially specified to support pre-authentication mechanisms but have also been used to extend the Kerberos protocol in other ways.
  • PAC: Privilege Access Certificate -- A Microsoft-defined authorization data type. More information available here.
  • SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP. Kerberos is often used within SASL by means of SASL's GSSAPI mechanism. SASL is specified in RFC 2222, as is the GSSAPI SASL mechanism.
  • SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism -- A GSSAPI mechanism which can be used to negotiate which of several real mechanisms should be used. Defined in RFC 2478.
  • TGS: Ticket-Granting Service -- The conceptual part of a KDC which is used to obtain service tickets using a TGT.
  • TGT: Ticket-Granting Ticket -- A ticket with a specially named service principal, which can be used to obtain additional service tickets from the TGS.
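To make the etype entry concrete, here is an added example (not part of this glossary or of MIT krb5's code base) of two building blocks that the RFC 3961/3962 etypes use when turning a password into a key: the RFC 3961 n-fold function, which the DK key-derivation step applies to the constant "kerberos", and the RFC 3962 PBKDF2-HMAC-SHA1 step that produces the intermediate key for the AES etypes. The salt "ATHENA.MIT.EDUraeburn" is the realm name followed by the principal name, as in the RFC 3962 test vectors; the function names are this example's own. The final AES-CBC pass of DK is left out because the Python standard library has no AES.

```python
# Added example, not K5Wiki or MIT krb5 code: RFC 3961 n-fold and the
# RFC 3962 PBKDF2 step of AES string-to-key, checked against RFC vectors.
import hashlib
import math


def nfold(data: bytes, nbits: int) -> bytes:
    """RFC 3961 section 5.1 n-fold: map `data` onto exactly `nbits` bits.

    Copies of the input are concatenated, each rotated right 13 bits more
    than the previous copy, until lcm(len(data), nbits/8) bytes exist. The
    buffer is then split into nbits/8-byte chunks which are added as
    big-endian integers with end-around carry (ones' complement addition).
    """
    if nbits % 8 != 0 or not data:
        raise ValueError("nbits must be a multiple of 8 and data non-empty")
    nbytes = nbits // 8
    k = len(data)
    kbits = 8 * k
    x = int.from_bytes(data, "big")
    kmask = (1 << kbits) - 1
    lcm = k * nbytes // math.gcd(k, nbytes)

    # Build the lcm-byte buffer from successively rotated copies.
    buf = bytearray()
    for i in range(lcm // k):
        rot = (13 * i) % kbits
        rotated = ((x >> rot) | (x << (kbits - rot))) & kmask
        buf += rotated.to_bytes(k, "big")

    # Ones' complement sum of the nbytes-sized chunks.
    total = 0
    for off in range(0, lcm, nbytes):
        total += int.from_bytes(buf[off:off + nbytes], "big")
    mask = (1 << nbits) - 1
    while total >> nbits:                      # fold carries back in
        total = (total & mask) + (total >> nbits)
    return total.to_bytes(nbytes, "big")


def dk_constant() -> bytes:
    """The 128-bit block that DK(key, "kerberos") feeds to AES-CBC (RFC 3961 5.1)."""
    return nfold(b"kerberos", 128)


def aes_string_to_tkey(password: str, salt: str,
                       iterations: int = 4096, keylen: int = 16) -> bytes:
    """RFC 3962 section 4, first step: tkey = PBKDF2-HMAC-SHA1(pw, salt, n, keylen).

    keylen is 16 for aes128-cts-hmac-sha1-96 and 32 for aes256-cts-hmac-sha1-96.
    The default iteration count is the RFC 3962 default of 4096; the real key is
    DK(tkey, "kerberos"), i.e. one more AES-CBC pass over dk_constant().
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


if __name__ == "__main__":
    # Constructed inputs taken from the RFC 3961 A.1 and RFC 3962 B vectors.
    print("64-fold('012345')      =", nfold(b"012345", 64).hex())
    print("128-fold('kerberos')   =", dk_constant().hex())
    print("PBKDF2(pw, salt, 1)    =",
          aes_string_to_tkey("password", "ATHENA.MIT.EDUraeburn", 1).hex())
```

Running the script prints the vectors from the two RFCs; a mismatch on any of them would indicate a wrong rotation or carry step, which is exactly the kind of interoperability bug that makes one implementation's AES keys unusable by another.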