Kerberos Authentication Model: Definitions and Notational Conventions

In order to discuss the internal workings of the Kerberos authentication model, we will need to define some terms and notational conventions:

Authentication ticket, ticket
A record of authentication issued by a Kerberos authentication server to a client system as proof of that client's user being authentic.
Authenticated service
A service which is only provided to users who have authenticated themselves via Kerberos and whose clients can present valid authentication tickets as proof of authentication.
Target service
The authenticated service for which a client is requesting a ticket or to which the client is presenting a ticket.
Initial ticketing service
The service (provided by the Kerberos KDC) by which clients receive their initial (ticket-granting) tickets.
Ticket-granting service
The service (provided by the Kerberos KDC) by which clients receive tickets to specific target services (service tickets).
Ticket-granting ticket
A ticket provided on demand by the initial ticketing service which must be presented to the ticket-granting service in order to request a service ticket.
Clear text
Unencrypted data.
Ciphertext
Encrypted data.
DES
A (somewhat) strong, symmetric encryption algorithm used by Kerberos. Uses 64-bit encryption keys. Given ciphertext and the DES key with which it was encrypted, it is possible to decrypt the ciphertext to yield the original clear text. Decrypting a DES-encrypted ciphertext with the wrong key produces garbled clear text.
Dual encryption
The concept of encrypting clear text twice -- once with each of two different keys. The basis of authentication under the Kerberos model.
string_to_key()
A function used to convert arbitrary strings (such as users' passwords) into valid DES keys.
Principal
The Kerberos term for a user's "username".
{String}Key
Notation for "The string String, DES-encrypted using Key as the DES key".
Ttype
Notation for "A ticket of type type".
Kowner
Notation for "The secret key associated with owner".
TGT
Notation for an encrypted ticket-granting ticket, {Ttgs,Ksession}Ktgs.
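As an added example (not part of the original page), the following Python models the notation defined above: {String}Key, Ttype, Kowner, string_to_key() and the TGT {Ttgs,Ksession}Ktgs. The standard library has no DES, so a keyed XOR stream cipher built from HMAC-SHA256 stands in for it; the function names, the JSON ticket layout and the "krbtgt" target are assumptions.

```python
"""Model of the page's notation: {X}K, T_type, K_owner, TGT = {T_tgs, K_session}K_tgs.
A toy HMAC-SHA256 keystream cipher replaces DES (assumption); as with the DES
described above, decrypting with the wrong key yields garbled clear text."""
import hashlib
import hmac
import json
import os


def string_to_key(s):
    # Stand-in for Kerberos string_to_key(): derive a fixed-size key from a string.
    return hashlib.sha256(s.encode()).digest()


def encrypt(clear, key):
    # {clear}key: XOR the clear text with a per-block HMAC-SHA256 keystream.
    out = bytearray()
    for offset in range(0, len(clear), 32):
        ks = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(clear[offset:offset + 32], ks))
    return bytes(out)


decrypt = encrypt  # XOR stream cipher: the same operation runs both ways


def ticket(ttype, principal, target):
    # T_type: the clear-text ticket record for a principal and a target service.
    return {"type": ttype, "principal": principal, "target": target}


def issue_tgt(principal, k_tgs):
    # Initial ticketing service: TGT = {T_tgs, K_session}K_tgs. The client gets the
    # opaque blob plus K_session; only the holder of K_tgs can open the blob.
    k_session = os.urandom(16)
    inner = {"ticket": ticket("tgs", principal, "krbtgt"), "session": k_session.hex()}
    return encrypt(json.dumps(inner).encode(), k_tgs), k_session


def open_tgt(tgt, key):
    # Ticket-granting service side: return the record, or None when the result
    # is garbled (a wrong key produces bytes that are not a valid JSON record).
    try:
        rec = json.loads(decrypt(tgt, key).decode())
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return None
    return rec if isinstance(rec, dict) and "ticket" in rec else None
```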