Kerberos Infrastructure HOWTO
Abstract Syntax Notation One. ASN.1 is a notation used to describe messages. It describes them as a sequence of components, and the described components may themselves be sequences. ASN.1 is used to describe the internals of Kerberos datagrams. Unless you are a software developer, you do not need to gain an understanding of ASN.1.
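As an added illustration of what "a sequence of components, some of which are sequences" means in practice, the following Python encodes and parses the DER form of the Kerberos PrincipalName structure (RFC 4120 section 5.2.2: a SEQUENCE carrying a context-tagged [0] INTEGER name-type and a context-tagged [1] SEQUENCE OF GeneralString). This is example code written for this page, not code from the HOWTO or from any Kerberos implementation; the sample principal `host/www.example.com` is constructed. The parser deliberately rejects truncated input and indefinite lengths, which is the kind of check a real Kerberos message parser must make.

```python
# Tag bytes used by the PrincipalName encoding (RFC 4120 section 5.2.2)
TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30          # SEQUENCE, constructed bit set
TAG_GENERALSTRING = 0x1B     # KerberosString is an ASN.1 GeneralString
TAG_CTX0 = 0xA0              # [0] constructed: name-type
TAG_CTX1 = 0xA1              # [1] constructed: name-string


def encode_length(n):
    """DER definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Tag-Length-Value: the unit every ASN.1 DER component is built from."""
    return bytes([tag]) + encode_length(len(body)) + body


def encode_integer(value):
    """DER INTEGER: minimal two's-complement big-endian bytes."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, value.to_bytes(length, "big", signed=True))


def encode_principal_name(name_type, components):
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    name_string = tlv(TAG_SEQUENCE,
                      b"".join(tlv(TAG_GENERALSTRING, c.encode("ascii")) for c in components))
    return tlv(TAG_SEQUENCE,
               tlv(TAG_CTX0, encode_integer(name_type)) + tlv(TAG_CTX1, name_string))


def parse_tlv(data, pos=0):
    """Parse one TLV starting at pos. Returns ((tag, value), next_pos).

    Constructed values (SEQUENCE, context tags) are parsed into a list of child
    (tag, value) pairs; primitive values are returned as raw bytes.
    """
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("indefinite or truncated length is not valid DER")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("content shorter than declared length")
    if tag & 0x20:  # constructed: parse children until the declared end
        children, p = [], pos
        while p < end:
            node, p = parse_tlv(data, p)
            children.append(node)
        return (tag, children), end
    return (tag, data[pos:end]), end


def decode_principal_name(der):
    """Inverse of encode_principal_name; returns (name_type, [components])."""
    (tag, fields), end = parse_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    by_ctx = dict(fields)
    (itag, ivalue), = by_ctx[TAG_CTX0]
    if itag != TAG_INTEGER:
        raise ValueError("name-type must be an INTEGER")
    name_type = int.from_bytes(ivalue, "big", signed=True)
    (stag, strings), = by_ctx[TAG_CTX1]
    if stag != TAG_SEQUENCE:
        raise ValueError("name-string must be a SEQUENCE")
    components = []
    for t, v in strings:
        if t != TAG_GENERALSTRING:
            raise ValueError("name-string components must be GeneralString")
        components.append(v.decode("ascii"))
    return name_type, components


if __name__ == "__main__":
    der = encode_principal_name(1, ["host", "www.example.com"])  # 1 = NT-PRINCIPAL
    print(der.hex())
    print(decode_principal_name(der))
```

Running the block prints the hex encoding (it starts `3020a003020101a119...`) followed by the decoded tuple; the outer `30 20` is the SEQUENCE whose 32-byte body holds the two context-tagged components.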
A record containing information that can be shown to have been recently generated using the session key known only by the client and server. (Definition taken from RFC1510)
A ticket for the server and a session key which is used to authenticate the principal.
Kerberos has the ability for a KDC in one realm to authenticate a principal in another realm if a secret is shared between the KDCs of both realms. This inter-realm authentication is called cross-realm authentication.
An encryption algorithm which was the official algorithm of the United States Government. It was developed by IBM with assistance from the NSA. The algorithm is a sixteen-round block cipher which uses a 64-bit block and a 56-bit key.
A ticket granted by the KDC which allows the user to request additional tickets with different IP addresses. In effect, a TGT which allows the authenticated principal to request tickets valid on other additional machines.
A set of C language bindings which provide security services to its callers. The API may be implemented on top of various cryptographic systems. Kerberos is one example of such a system.
The machine and software which perform the role of the trusted arbitrator in the Kerberos protocol.
An authentication protocol in which a trusted third party, an arbitrator, is relied upon to authenticate clients on a TCP/IP network. The protocol is designed so that encrypted tickets, rather than traditional plaintext passwords, are transmitted over the network, providing secure network authentication.
(v.) The act of modifying a system, service, or piece of software to make use of the Kerberos protocol to perform authentication. (adj. kerberized) A system, service, or piece of software which supports authentication through Kerberos.
A protocol used to synchronize the clocks of hosts and routers on the Internet.
In Kerberos 5, a ticket which is invalid initially and which becomes valid at some time in the future. Normal Kerberos tickets are only valid from the time they are requested until the time that they expire.
Additional authentication which takes place before a KDC grants a TGT to a principal. An example of such authentication may be the satisfaction of a biometrics system.
A user or server for which a secret key is stored in the KDC database.
In Kerberos 5, a ticket which allows you to request a TGT for alternative IP addresses.
The scope of a Kerberos deployment. Specifically, the organization domain for which the KDC is trusted to authenticate principals.
In Kerberos 5, a ticket which allows the principal a maximum renewable lifetime in addition to the standard ticket lifetime. Renewable tickets may be used to acquire additional tickets from the KDC as long as the ticket is valid. Renewed tickets can be requested up to the maximum renewable lifetime of the original renewable ticket.
A seed value used in the encryption of a plaintext password to expand the number of possible resulting ciphertexts from a given plaintext. The use of a salt value is a defensive measure used to protect encrypted passwords against dictionary attacks.
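The following Python is an added example, not part of the HOWTO, showing why the salt matters. Kerberos 5 derives a principal's long-term key from its password with a string-to-key function; for the AES enctypes (RFC 3962) that function runs PBKDF2-HMAC-SHA1 over the password with a salt that, by default, is the realm name followed by the principal's name components (RFC 4120). The block reproduces the PBKDF2 step only (RFC 3962 applies a further DK() step afterwards, omitted here so the effect of the salt stands out) and then shows that a table of keys precomputed for one principal's salt says nothing about another principal who chose the same password. The realm, principal names and candidate passwords are constructed.

```python
import hashlib

ITERATIONS = 4096   # RFC 3962 default iteration count for the AES enctypes


def default_salt(realm, principal):
    """RFC 4120 default salt: realm name followed by the principal's name components, concatenated."""
    return realm + "".join(principal.split("/"))


def string_to_key(password, salt, key_len=32):
    """PBKDF2-HMAC-SHA1 step of the RFC 3962 string-to-key function.

    A real implementation feeds this output through the DK() derivation as well;
    that step is omitted here because it does not change the role of the salt.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), ITERATIONS, key_len)


def precomputed_table(candidates, salt):
    """Map key -> password for a list of candidate passwords under ONE salt.

    Building it costs one PBKDF2 run per candidate, and because the salt is
    baked in, the table is only meaningful for the single principal it was built for.
    """
    return {string_to_key(p, salt): p for p in candidates}


def table_hit(table, key):
    """Return the password whose key matches, or None if the table does not cover it."""
    return table.get(key)


if __name__ == "__main__":
    realm = "EXAMPLE.COM"
    alice_key = string_to_key("hunter2", default_salt(realm, "alice"))
    bob_key = string_to_key("hunter2", default_salt(realm, "bob"))
    print("same password, different salts, keys differ:", alice_key != bob_key)
    table = precomputed_table(["password", "hunter2", "letmein"], default_salt(realm, "alice"))
    print("alice's table explains alice's key:", table_hit(table, alice_key))
    print("alice's table explains bob's key:", table_hit(table, bob_key))
```

Without the salt, every principal using the password `hunter2` would hold the same key and a single table would cover all of them; with a per-principal salt each principal has to be attacked separately, which is the defensive effect the definition describes.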
A disk store of secret keys.
A data message consisting of the client's identity, a session key, a timestamp, and other information, all encrypted with the server's secret key. It is used to perform authentication.
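The ticket, the authenticator (defined above as a record shown to be recently generated under the session key), the clock synchronization that NTP provides, and the validity window that distinguishes a postdated ticket all come together when a server accepts a client. The Python below is an added example written for this page, not code from the HOWTO or any Kerberos implementation, simulating that exchange: the KDC mints a session key and seals the ticket under the server's secret key, the client seals a timestamp under the session key, and the server checks the ticket's validity window, the authenticator's freshness against a clock-skew limit, and a replay cache. The `seal`/`unseal` pair is a toy stand-in for Kerberos encryption (an HMAC tag gives integrity but no confidentiality), and the keys, principal name and timestamps are constructed.

```python
import hashlib
import hmac
import json
import secrets

CLOCK_SKEW = 300   # seconds; the conventional Kerberos limit for accepting an authenticator's timestamp


def seal(key, fields):
    """Toy stand-in for Kerberos encryption: fields serialised and bound to the key with an HMAC tag.

    Integrity only: a wrong key or a modified message is detected, but nothing is hidden.
    """
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def unseal(key, blob):
    body, tag = blob.rsplit(b"|", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(body)


def kdc_issue_ticket(server_key, client, now, lifetime=8 * 3600, start=None):
    """KDC side: mint a session key and seal the ticket under the server's secret key.

    `start` later than `now` produces a postdated ticket that is not yet valid.
    """
    start = now if start is None else start
    session_key = secrets.token_bytes(32)
    ticket = seal(server_key, {"client": client, "skey": session_key.hex(),
                               "start": start, "end": start + lifetime})
    return ticket, session_key


def client_authenticator(session_key, client, now):
    """Client side: a fresh timestamp sealed under the session key shared with the server."""
    return seal(session_key, {"client": client, "timestamp": now})


def server_accept(server_key, ticket, authenticator, now, replay_cache):
    """Server side: open the ticket, then require a matching, fresh and unseen authenticator."""
    t = unseal(server_key, ticket)
    if not t["start"] <= now < t["end"]:
        raise ValueError("ticket not yet valid or expired")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(now - a["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside clock skew window")
    entry = (a["client"], a["timestamp"])
    if entry in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add(entry)
    return t["client"]


if __name__ == "__main__":
    server_key = b"constructed-server-secret-key"
    now = 1_700_000_000
    ticket, skey = kdc_issue_ticket(server_key, "alice@EXAMPLE.COM", now)
    cache = set()
    auth = client_authenticator(skey, "alice@EXAMPLE.COM", now + 10)
    print("accepted:", server_accept(server_key, ticket, auth, now + 12, cache))
    try:
        server_accept(server_key, ticket, auth, now + 13, cache)
    except ValueError as e:
        print("second presentation rejected:", e)
```

The clock-skew check is the reason the HOWTO lists NTP among its terms: if the client's and server's clocks drift by more than the allowed skew, every legitimate authenticator looks stale and is refused, while the replay cache is what stops a captured authenticator from being presented a second time inside that window.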
A service which is authorized to issue tickets to clients after they have acquired a Ticket Granting Ticket (TGT).
A ticket which contains a session key to be used in communication between the client and the KDC.
In Kerberos 5, the ability to chain trust between realms, building in effect a trust path. A principal in realm X that wishes to authenticate to a principal in realm Z does not need the KDC for realm X to share a secret with realm Z, provided both realm X and realm Z share a secret with realm Y. Realm Y can then be used as a "hop" in the trust path.
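The following Python is an added example (not from the HOWTO or any Kerberos implementation) of the trust-path idea described under cross-realm authentication and here: realms that share a secret form the edges of a graph, and a path from realm X to realm Z exists only if every hop along it is backed by a shared secret. It goes a little beyond the page's X-Y-Z case by also computing the path Kerberos 5 assumes by default when no explicit path is configured, which is to climb the realm name hierarchy to the closest common ancestor and descend to the destination. The realm names and the shared-secret table are constructed.

```python
from collections import deque


def hierarchical_path(src, dst):
    """Default Kerberos 5 route between two realms named hierarchically (e.g. ENG.EXAMPLE.COM).

    Climbs from src to the closest realm whose name both share, then descends to dst.
    Returns None when the names have no common ancestor.
    """
    def ancestors(realm):
        chain = [realm]
        while "." in chain[-1]:
            chain.append(chain[-1].split(".", 1)[1])
        return chain

    up, down = ancestors(src), ancestors(dst)
    common = next((r for r in up if r in down), None)
    if common is None:
        return None
    return up[:up.index(common)] + down[:down.index(common) + 1][::-1]


def shortest_trust_path(shared_secrets, src, dst):
    """Breadth-first search over realm pairs that share a cross-realm secret.

    `shared_secrets` is a list of (realm_a, realm_b) pairs; trust is treated as symmetric here.
    Returns the shortest list of hops from src to dst, or None if no chain of secrets connects them.
    """
    adjacent = {}
    for a, b in shared_secrets:
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    previous, queue = {src: None}, deque([src])
    while queue:
        realm = queue.popleft()
        if realm == dst:
            path = []
            while realm is not None:
                path.append(realm)
                realm = previous[realm]
            return path[::-1]
        for neighbour in adjacent.get(realm, ()):
            if neighbour not in previous:
                previous[neighbour] = realm
                queue.append(neighbour)
    return None


def path_is_usable(path, shared_secrets):
    """True only if every adjacent pair of realms on the path actually shares a secret."""
    pairs = {frozenset(p) for p in shared_secrets}
    return path is not None and all(frozenset((a, b)) in pairs for a, b in zip(path, path[1:]))


if __name__ == "__main__":
    secrets = [("X.EXAMPLE", "Y.EXAMPLE"), ("Y.EXAMPLE", "Z.EXAMPLE")]
    print("X -> Z:", shortest_trust_path(secrets, "X.EXAMPLE", "Z.EXAMPLE"))
    default = hierarchical_path("ENG.EXAMPLE.COM", "SALES.EXAMPLE.COM")
    print("hierarchical default:", default)
    print("usable with only ENG<->EXAMPLE.COM keyed:",
          path_is_usable(default, [("ENG.EXAMPLE.COM", "EXAMPLE.COM")]))
```

The last line of the demo shows the common deployment gap: the hierarchical path is assumed, but unless the parent realm actually holds a cross-realm secret with each child, authentication across that path fails.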
A variant of DES in which data is encrypted three times with standard DES using two different keys.