Glossary - Revision history

Ghudson at 16:41, 14 January 2010

2010-01-14T16:41:41Z

Ghudson at 16:53, 31 August 2009

2009-08-31T16:53:41Z

Ghudson at 16:53, 31 August 2009

2009-08-31T16:53:13Z

TomYu: swap PAC expansions; MSFT documentation prefers "Attribute" as far as I can tell

2009-07-21T20:13:31Z

swap PAC expansions; MSFT documentation prefers "Attribute" as far as I can tell

TomYu: corrections and elaborations

2009-07-17T00:49:01Z

corrections and elaborations

Ghudson at 17:23, 13 April 2009

2009-04-13T17:23:41Z

Ghudson at 23:24, 8 April 2009

2009-04-08T23:24:06Z

Ghudson: New page: This page exists to help demystify the Kerberos acronym soup. When adding an entry, please include a brief description of the term, as well as a link to where more information can be foun...

2009-04-08T23:22:26Z

New page: This page exists to help demystify the Kerberos acronym soup. When adding an entry, please include a brief description of the term, as well as a link to where more information can be foun...

New page

This page exists to help demystify the Kerberos acronym soup. When adding an entry, please include a brief description of the term, as well as a link to where more information can be found if the term is not defined in [http://www.ietf.org/rfc/rfc4120.txt RFC 4120].

* AS: Authentication Service -- The conceptual part of a KDC which is used to obtain initial credentials using a password or stored key.

* AD: Active Directory -- A Microsoft product which makes use of a Kerberos implementation.

* AD: Authorization Data -- Contained within the encrypted part of a ticket, the authorization data contains information communicated from the KDC to a service which may restrict the use of the ticket.

* etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentially and integrity of information. Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1. Many etypes are specified in [http://www.ietf.org/rfc/rfc3961.txt RFC 3961] and [http://www.ietf.org/rfc/rfc3962.txt RFC 3962].

* FAST: Flexible Authentication Secure Tunneling -- An extension of the Kerberos AS and TGS exchanges which increases the security of the communication path between the client and KDC. Defined in an [http://tools.ietf.org/html/draft-ietf-krb-wg-preauth-framework Internet draft] at this time. A pre-authentication mechanism which works with the FAST extension is called a FAST factor.

* GSSAPI: Generic Security Services Application Programming Interface -- An API which applications can use to access multiple token-based authentication mechanisms including Kerberos. Also the only consistent API across different Kerberos implementations. Defined in [http://www.ietf.org/rfc/rfc2743.txt RFC 2743]; the network protocol for the Kerberos GSSAPI mechanism is defined in [http://tools.ietf.org/html/rfc4121.txt RFC 4121].

* KDB: Kerberos Database -- The database of principals and keys used by a KDC in the MIT Kerberos implementation.

* KDC: Key Distribution Center -- A server which implements the conceptual AS and TGS services to provide authentication tickets to clients.

* PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses. These were initially specified to support pre-authentication mechanisms but have also used to extend the Kerberos protocol in other ways.

* PAC: Privilege Access Certificate -- A Microsoft-defined authorization data type. More information available [http://msdn.microsoft.com/en-us/library/aa302203.aspx here].

* SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP. Kerberos is often used within SASL by means of SASL's GSSAPI mechanism. SASL is specified in [http://www.ietf.org/rfc/rfc2222.txt RFC 2222], as is the GSSAPI SASL mechanism.

* SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism -- A GSSAPI mechanism which can be used to negotiate which of several real mechanisms should be used. Defined in [http://www.ietf.org/rfc/rfc2478.txt RFC 2478].

* TGS: Ticket-Granting Service -- The conceptual part of a KDC which is used to obtain service tickets using a TGT.

* TGT: Ticket-Granting Ticket -- A ticket with a specially named service principal, which can be used to obtain additional service tickets from the TGT.

← Older revision		Revision as of 16:41, 14 January 2010
Line 8:		Line 8:

	* ccache or cc: Credentials Cache -- A file or other storage unit containing a list of tickets for the same client principal.		* ccache or cc: Credentials Cache -- A file or other storage unit containing a list of tickets for the same client principal.
		+
		+	* DAL: Database Access Layer -- The plugin interface used to communicate between libkdb5 and the back-end database library (DB2, LDAP, or an external plugin).

	* etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentially and integrity of information. Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1. Many etypes are specified in [http://www.ietf.org/rfc/rfc3961.txt RFC 3961] and [http://www.ietf.org/rfc/rfc3962.txt RFC 3962].		* etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentially and integrity of information. Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1. Many etypes are specified in [http://www.ietf.org/rfc/rfc3961.txt RFC 3961] and [http://www.ietf.org/rfc/rfc3962.txt RFC 3962].

@@ Line 25: / Line 25: @@
 * PAC: Privilege Attribute Certificate (or Privilege Access Certificate; sources conflict on the expansion) -- A Microsoft-defined authorization data type.  More information available [http://msdn.microsoft.com/en-us/library/aa302203.aspx here].
-* S4U: A pair of krb5 [http://msdn.microsoft.com/en-us/library/cc246071(PROT.13).aspx protocol extensions] from Microsoft.  The first, S4U2Self (aka "protocol transition"), allows a service to acquire service tickets from a client to itself, as if a client had authenticated to it with krb5.  S4U2Proxy (aka "constrained delegation") allows a service to request tickets from a client to another service if allowed by the KDC.  Together these extensions allow a trusted service to act as an intermediary between a user and a second service.
+* S4U: A pair of krb5 [http://msdn.microsoft.com/en-us/library/cc246071(PROT.13).aspx protocol extensions] from Microsoft.  The first, S4U2Self (aka "protocol transition"), allows a service to acquire service tickets from a client to itself, as if a client had authenticated to it with krb5.  The second, S4U2Proxy (aka "constrained delegation") allows a service to request tickets from a client to another service if allowed by the KDC.  Together these extensions allow a trusted service to act as an intermediary between a user and a second service.
 * SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP.  Kerberos is often used within SASL by means of SASL's GSSAPI mechanism.  Currently the base SASL specification is [http://www.ietf.org/rfc/rfc4422.txt RFC 4422], and the "GSSAPI" (Kerberos) SASL mechanism is specified by [http://www.ietf.org/rfc/rfc4752.txt RFC 4752].  SASL was originally specified in [http://www.ietf.org/rfc/rfc2222.txt RFC 2222].

← Older revision		Revision as of 16:53, 31 August 2009
Line 24:		Line 24:

	* PAC: Privilege Attribute Certificate (or Privilege Access Certificate; sources conflict on the expansion) -- A Microsoft-defined authorization data type. More information available [http://msdn.microsoft.com/en-us/library/aa302203.aspx here].		* PAC: Privilege Attribute Certificate (or Privilege Access Certificate; sources conflict on the expansion) -- A Microsoft-defined authorization data type. More information available [http://msdn.microsoft.com/en-us/library/aa302203.aspx here].
		+
		+	* S4U: A pair of krb5 [http://msdn.microsoft.com/en-us/library/cc246071(PROT.13).aspx protocol extensions] from Microsoft. The first, S4U2Self (aka "protocol transition"), allows a service to acquire service tickets from a client to itself, as if a client had authenticated to it with krb5. S4U2Proxy (aka "constrained delegation") allows a service to request tickets from a client to another service if allowed by the KDC. Together these extensions allow a trusted service to act as an intermediary between a user and a second service.

	* SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP. Kerberos is often used within SASL by means of SASL's GSSAPI mechanism. Currently the base SASL specification is [http://www.ietf.org/rfc/rfc4422.txt RFC 4422], and the "GSSAPI" (Kerberos) SASL mechanism is specified by [http://www.ietf.org/rfc/rfc4752.txt RFC 4752]. SASL was originally specified in [http://www.ietf.org/rfc/rfc2222.txt RFC 2222].		* SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP. Kerberos is often used within SASL by means of SASL's GSSAPI mechanism. Currently the base SASL specification is [http://www.ietf.org/rfc/rfc4422.txt RFC 4422], and the "GSSAPI" (Kerberos) SASL mechanism is specified by [http://www.ietf.org/rfc/rfc4752.txt RFC 4752]. SASL was originally specified in [http://www.ietf.org/rfc/rfc2222.txt RFC 2222].

@@ Line 23: / Line 23: @@
 * PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses.  These were initially specified to support pre-authentication mechanisms but have also used to extend the Kerberos protocol in other ways.
-* PAC: Privilege Access Certificate (or Privilege Attribute Certificate; sources conflict on the expansion) -- A Microsoft-defined authorization data type.  More information available [http://msdn.microsoft.com/en-us/library/aa302203.aspx here].
+* PAC: Privilege Attribute Certificate (or Privilege Access Certificate; sources conflict on the expansion) -- A Microsoft-defined authorization data type.  More information available [http://msdn.microsoft.com/en-us/library/aa302203.aspx here].
 * SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP.  Kerberos is often used within SASL by means of SASL's GSSAPI mechanism.  Currently the base SASL specification is [http://www.ietf.org/rfc/rfc4422.txt RFC 4422], and the "GSSAPI" (Kerberos) SASL mechanism is specified by [http://www.ietf.org/rfc/rfc4752.txt RFC 4752].  SASL was originally specified in [http://www.ietf.org/rfc/rfc2222.txt RFC 2222].

← Older revision		Revision as of 23:24, 8 April 2009
Line 27:		Line 27:
	* TGS: Ticket-Granting Service -- The conceptual part of a KDC which is used to obtain service tickets using a TGT.		* TGS: Ticket-Granting Service -- The conceptual part of a KDC which is used to obtain service tickets using a TGT.

−	* TGT: Ticket-Granting Ticket -- A ticket with a specially named service principal, which can be used to obtain additional service tickets from the ~~TGT~~.	+	* TGT: Ticket-Granting Ticket -- A ticket with a specially named service principal, which can be used to obtain additional service tickets from the KDC.

@@ Line 13: / Line 13: @@
 * FAST: Flexible Authentication Secure Tunneling -- An extension of the Kerberos AS and TGS exchanges which increases the security of the communication path between the client and KDC.  Defined in an [http://tools.ietf.org/html/draft-ietf-krb-wg-preauth-framework Internet draft] at this time.  A pre-authentication mechanism which works with the FAST extension is called a FAST factor.
-* GSSAPI: Generic Security Services Application Programming Interface -- An API which applications can use to access multiple token-based authentication mechanisms including Kerberos.  Also the only consistent API across different Kerberos implementations.  Defined in [http://www.ietf.org/rfc/rfc2743.txt RFC 2743]; the network protocol for the Kerberos GSSAPI mechanism is defined in [http://tools.ietf.org/html/rfc4121.txt RFC 4121].
+* GSSAPI: Generic Security Services Application Programming Interface -- An API which applications can use to access multiple token-based authentication mechanisms including Kerberos.  Also the only consistent API across different Kerberos implementations.  Defined in [http://www.ietf.org/rfc/rfc2743.txt RFC 2743] (protocol) and [http://www.ietf.org/rfc/rfc2744.txt RFC 2744] (C language bindings); the network protocol for the Kerberos GSSAPI mechanism is defined in [http://tools.ietf.org/html/rfc4121.txt RFC 4121].
 * KDB: Kerberos Database -- The database of principals and keys used by a KDC in the MIT Kerberos implementation.
@@ Line 23: / Line 23: @@
 * PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses.  These were initially specified to support pre-authentication mechanisms but have also used to extend the Kerberos protocol in other ways.
-* PAC: Privilege Access Certificate -- A Microsoft-defined authorization data type.  More information available [http://msdn.microsoft.com/en-us/library/aa302203.aspx here].
+* PAC: Privilege Access Certificate (or Privilege Attribute Certificate; sources conflict on the expansion) -- A Microsoft-defined authorization data type.  More information available [http://msdn.microsoft.com/en-us/library/aa302203.aspx here].
-* SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP.  Kerberos is often used within SASL by means of SASL's GSSAPI mechanism.  SASL is specified in [http://www.ietf.org/rfc/rfc2222.txt RFC 2222], as is the GSSAPI SASL mechanism.
+* SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP.  Kerberos is often used within SASL by means of SASL's GSSAPI mechanism.  Currently the base SASL specification is [http://www.ietf.org/rfc/rfc4422.txt RFC 4422], and the "GSSAPI" (Kerberos) SASL mechanism is specified by [http://www.ietf.org/rfc/rfc4752.txt RFC 4752].  SASL was originally specified in [http://www.ietf.org/rfc/rfc2222.txt RFC 2222].
-* SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism -- A GSSAPI mechanism which can be used to negotiate which of several real mechanisms should be used.  Defined in [http://www.ietf.org/rfc/rfc2478.txt RFC 2478].
+* SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism -- A GSSAPI mechanism which can be used to negotiate which of several real mechanisms should be used.  Defined in [http://www.ietf.org/rfc/rfc4178.txt RFC 4178]. (originally [http://www.ietf.org/rfc/rfc2478.txt RFC 2478])
 * TGS: Ticket-Granting Service -- The conceptual part of a KDC which is used to obtain service tickets using a TGT.

@@ Line 6: / Line 6: @@
 * AD: Authorization Data -- Contained within the encrypted part of a ticket, the authorization data contains information communicated from the KDC to a service which may restrict the use of the ticket.
 * etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentially and integrity of information.  Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1.  Many etypes are specified in [http://www.ietf.org/rfc/rfc3961.txt RFC 3961] and [http://www.ietf.org/rfc/rfc3962.txt RFC 3962].
@@ Line 16: / Line 18: @@
 * KDC: Key Distribution Center -- A server which implements the conceptual AS and TGS services to provide authentication tickets to clients.
 * PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses.  These were initially specified to support pre-authentication mechanisms but have also used to extend the Kerberos protocol in other ways.