Glossary
From K5Wiki
This page exists to help demystify the Kerberos acronym soup. When adding an entry, please include a brief description of the term, as well as a link to where more information can be found if the term is not defined in RFC 4120.
- AS: Authentication Service -- The conceptual part of a KDC which is used to obtain initial credentials using a password or stored key.
- AD: Active Directory -- Microsoft's directory service. Its domain controllers include a Kerberos KDC, so AD domains interoperate with other Kerberos implementations (with Microsoft extensions such as the PAC).
- AD: Authorization Data -- Contained within the encrypted part of a ticket, the authorization data contains information communicated from the KDC to a service which may restrict the use of the ticket.
- ccache or cc: Credentials Cache -- A file or other storage unit containing a list of tickets for the same client principal.
- etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentiality and integrity of information. Each etype is identified by a number (for example 18 for aes256-cts-hmac-sha1-96) and typically combines a symmetric cipher such as DES or AES with a hash algorithm such as MD5 or SHA-1 for the integrity check. Many etypes are specified in RFC 3961 and RFC 3962; the DES etypes have since been deprecated (RFC 6649) and should not be enabled on a KDC.
- FAST: Flexible Authentication Secure Tunneling -- An extension of the Kerberos AS and TGS exchanges which increases the security of the communication path between the client and KDC: the exchange is tunneled inside an "armor" key derived from credentials the client already holds, so that pre-authentication data (such as a password-derived encrypted timestamp) is not exposed to offline dictionary attack. Originally defined in an Internet draft; now RFC 6113. A pre-authentication mechanism which works within the FAST tunnel is called a FAST factor.
- GSSAPI: Generic Security Services Application Programming Interface -- An API which applications can use to access multiple token-based authentication mechanisms including Kerberos. Also the only consistent API across different Kerberos implementations. Defined in RFC 2743; the network protocol for the Kerberos GSSAPI mechanism is defined in RFC 4121.
- KDB: Kerberos Database -- The database of principals and keys used by a KDC in the MIT Kerberos implementation.
- KDC: Key Distribution Center -- A server which implements the conceptual AS and TGS services to provide authentication tickets to clients.
- keytab or kt: A file or other storage unit containing a list of long-term key entries for principals. For example, a server might use a keytab file to store its host key. Because those keys are equivalent to the principal's password, a keytab must be readable only by the service that needs it.
- PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses. These were initially specified to support pre-authentication mechanisms but have also been used to extend the Kerberos protocol in other ways.
- PAC: Privilege Attribute Certificate -- A Microsoft-defined authorization data type carried in tickets issued by Active Directory KDCs; it conveys the client's Windows identity and group memberships (SIDs) to the service. Specified in Microsoft's [MS-PAC] document.
- SASL: Simple Authentication and Security Layer -- A framework for adding authentication, and optionally an integrity or confidentiality layer, to connection-based application protocols such as IMAP and LDAP. Kerberos is often used within SASL by means of SASL's GSSAPI mechanism. SASL was originally specified in RFC 2222, along with the GSSAPI SASL mechanism; the current specifications are RFC 4422 (SASL) and RFC 4752 (the GSSAPI mechanism).
- SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism -- A GSSAPI mechanism which can be used to negotiate which of several real mechanisms should be used; for example, HTTP "Negotiate" authentication uses SPNEGO to choose between Kerberos and NTLM. Originally defined in RFC 2478, now obsoleted by RFC 4178.
- TGS: Ticket-Granting Service -- The conceptual part of a KDC which is used to obtain service tickets using a TGT.
- TGT: Ticket-Granting Ticket -- A ticket for the specially named service principal krbtgt/REALM@REALM, which can be used to obtain additional service tickets from the KDC's TGS without re-entering a password or long-term key.
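To make the keytab and etype entries concrete, the following is an added example (not code from K5Wiki or from the MIT krb5 tree) that encodes and decodes the MIT keytab file format, version 0x0502: a two-byte version, then entries each prefixed by a signed 32-bit size (a negative size marks a deleted slot), containing the principal's realm and name components, a name type, a timestamp, an 8-bit kvno, the key block (etype number plus key bytes) and an optional 32-bit kvno. The sample principal, timestamp and key bytes are constructed for the example; the etype-name table covers only a handful of RFC 3961/3962 numbers.

```python
"""Encode, decode and delete entries in MIT Kerberos keytab files (version 0x0502)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_MAGIC = b"\x05\x02"          # file_format_version for the modern layout

# A few etype numbers from RFC 3961/3962 and RFC 4757, with MIT's names.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
NT_PRINCIPAL = 1                    # name types from RFC 4120 section 6.2
NT_SRV_HST = 3


@dataclass
class KeytabEntry:
    principal: str                  # e.g. "host/www.example.com@EXAMPLE.COM"
    name_type: int
    timestamp: int                  # seconds since the epoch when the key was written
    kvno: int                       # key version number
    etype: int                      # encryption type number
    key: bytes                      # raw key octets for that etype


def _counted(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def encode_keytab(entries: List[KeytabEntry]) -> bytes:
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.etype) + _counted(e.key)   # keyblock
        body += struct.pack(">I", e.kvno)                        # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _parse_entry(blob: bytes, pos: int, end: int) -> KeytabEntry:
    (ncomp,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    realm, pos = _read_counted(blob, pos)
    comps = []
    for _ in range(ncomp):
        c, pos = _read_counted(blob, pos)
        comps.append(c.decode())
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
    pos += 9
    (etype,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    key, pos = _read_counted(blob, pos)
    kvno = vno8
    if end - pos >= 4:              # 32-bit kvno present; nonzero value wins over vno8
        (vno32,) = struct.unpack_from(">I", blob, pos)
        if vno32:
            kvno = vno32
    return KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type,
                       timestamp, kvno, etype, key)


def _iter_slots(blob: bytes):
    """Yield (offset of size field, size, entry or None for deleted slots)."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        start, end = pos + 4, pos + 4 + abs(size)
        if end > len(blob):
            raise ValueError("truncated keytab entry at offset %d" % pos)
        yield pos, size, (None if size < 0 else _parse_entry(blob, start, end))
        pos = end


def decode_keytab(blob: bytes) -> List[KeytabEntry]:
    return [e for _, _, e in _iter_slots(blob) if e is not None]


def delete_entry(blob: bytes, principal: str) -> bytes:
    """Mark every entry for `principal` deleted by negating its size, as ktremove does."""
    out = bytearray(blob)
    for off, size, e in _iter_slots(blob):
        if e is not None and e.principal == principal:
            struct.pack_into(">i", out, off, -size)
    return bytes(out)


def describe(e: KeytabEntry) -> str:
    """klist -k style line: kvno, principal and etype name."""
    return "%4d %s (%s)" % (e.kvno, e.principal,
                            ETYPE_NAMES.get(e.etype, "etype %d" % e.etype))


# Constructed sample: a host key, not a real secret.
SAMPLE = KeytabEntry("host/www.example.com@EXAMPLE.COM", NT_SRV_HST,
                     1700000000, 3, 18, bytes(range(32)))

if __name__ == "__main__":
    for entry in decode_keytab(encode_keytab([SAMPLE])):
        print(describe(entry))
```

The deleted-slot handling matters in practice: `ktremove` leaves the old key bytes in the file with a negated size, so a keytab that has had entries removed still contains those keys until it is rewritten, and the file should be treated as sensitive regardless of what `klist -k` shows.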