Difference between revisions of "Glossary"
From K5Wiki
Line 6: | Line 6: | ||
* AD: Authorization Data -- Contained within the encrypted part of a ticket, the authorization data contains information communicated from the KDC to a service which may restrict the use of the ticket. |
* AD: Authorization Data -- Contained within the encrypted part of a ticket, the authorization data contains information communicated from the KDC to a service which may restrict the use of the ticket. |
||
+ | |||
+ | * ccache or cc: Credentials Cache -- A file or other storage unit containing a list of tickets for the same client principal. |
||
* etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentially and integrity of information. Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1. Many etypes are specified in [http://www.ietf.org/rfc/rfc3961.txt RFC 3961] and [http://www.ietf.org/rfc/rfc3962.txt RFC 3962]. |
* etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentially and integrity of information. Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1. Many etypes are specified in [http://www.ietf.org/rfc/rfc3961.txt RFC 3961] and [http://www.ietf.org/rfc/rfc3962.txt RFC 3962]. |
||
Line 16: | Line 18: | ||
* KDC: Key Distribution Center -- A server which implements the conceptual AS and TGS services to provide authentication tickets to clients. |
* KDC: Key Distribution Center -- A server which implements the conceptual AS and TGS services to provide authentication tickets to clients. |
||
+ | |||
+ | * keytab or kt: A file or other storage unit containing a list of long-term key entries for principals. For example, a server might use a keytab file to store its host key. |
||
* PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses. These were initially specified to support pre-authentication mechanisms but have also used to extend the Kerberos protocol in other ways. |
* PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses. These were initially specified to support pre-authentication mechanisms but have also used to extend the Kerberos protocol in other ways. |
Revision as of 12:23, 13 April 2009
This page exists to help demystify the Kerberos acronym soup. When adding an entry, please include a brief description of the term, as well as a link to where more information can be found if the term is not defined in RFC 4120.
- AS: Authentication Service -- The conceptual part of a KDC which is used to obtain initial credentials using a password or stored key.
- AD: Active Directory -- A Microsoft product which makes use of a Kerberos implementation.
- AD: Authorization Data -- Contained within the encrypted part of a ticket, the authorization data contains information communicated from the KDC to a service which may restrict the use of the ticket.
- ccache or cc: Credentials Cache -- A file or other storage unit containing a list of tickets for the same client principal.
- etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentially and integrity of information. Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1. Many etypes are specified in RFC 3961 and RFC 3962.
- FAST: Flexible Authentication Secure Tunneling -- An extension of the Kerberos AS and TGS exchanges which increases the security of the communication path between the client and KDC. Defined in an Internet draft at this time. A pre-authentication mechanism which works with the FAST extension is called a FAST factor.
- GSSAPI: Generic Security Services Application Programming Interface -- An API which applications can use to access multiple token-based authentication mechanisms including Kerberos. Also the only consistent API across different Kerberos implementations. Defined in RFC 2743; the network protocol for the Kerberos GSSAPI mechanism is defined in RFC 4121.
- KDB: Kerberos Database -- The database of principals and keys used by a KDC in the MIT Kerberos implementation.
- KDC: Key Distribution Center -- A server which implements the conceptual AS and TGS services to provide authentication tickets to clients.
- keytab or kt: A file or other storage unit containing a list of long-term key entries for principals. For example, a server might use a keytab file to store its host key.
- PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses. These were initially specified to support pre-authentication mechanisms but have also used to extend the Kerberos protocol in other ways.
- PAC: Privilege Access Certificate -- A Microsoft-defined authorization data type. More information available here.
- SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP. Kerberos is often used within SASL by means of SASL's GSSAPI mechanism. SASL is specified in RFC 2222, as is the GSSAPI SASL mechanism.
- SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism -- A GSSAPI mechanism which can be used to negotiate which of several real mechanisms should be used. Defined in RFC 2478.
- TGS: Ticket-Granting Service -- The conceptual part of a KDC which is used to obtain service tickets using a TGT.
- TGT: Ticket-Granting Ticket -- A ticket with a specially named service principal, which can be used to obtain additional service tickets from the KDC.