Kerberos Authentication Model: Definitions and Notational Conventions
In order to discuss the internal workings of the Kerberos authentication
model, we will need to define some terms and notational conventions:
- Authentication ticket (or simply ticket): A record of authentication issued by a Kerberos authentication server to a client system as proof that the client's user is authentic.
- Authenticated service: A service which is provided only to users who have authenticated themselves via Kerberos and whose clients can present valid authentication tickets as proof of authentication.
- Target service: The authenticated service for which a client is requesting a ticket, or to which the client is presenting a ticket.
- Initial ticketing service: The service (provided by the Kerberos KDC) from which clients receive their initial (ticket-granting) tickets.
- Ticket-granting service: The service (provided by the Kerberos KDC) from which clients receive tickets to specific target services (service tickets).
- Ticket-granting ticket: A ticket provided on demand by the initial ticketing service, which must be presented to the ticket-granting service in order to request a service ticket.
- Clear text: Unencrypted data.
- Ciphertext: Encrypted data.
- DES: A (somewhat) strong symmetric encryption algorithm used by Kerberos. Uses 64-bit encryption keys. Given ciphertext and the DES key with which it was encrypted, it is possible to decrypt the ciphertext to yield the original clear text. Decrypting a DES-encrypted ciphertext with the wrong key produces garbled clear text.
- Dual encryption: The concept of encrypting clear text twice, once with each of two different keys. The basis of authentication under the Kerberos model.
- string_to_key(): A function used to convert arbitrary strings (such as users' passwords) into valid DES keys.
- Principal: The Kerberos term for a user's "username".
- {String}Key: Notation for "the string String, DES-encrypted using Key as the DES key".
- Ttype: Notation for "a ticket of type type" (so Ttgs is a ticket for the ticket-granting service).
- Kowner: Notation for "the secret key associated with owner" (so Ktgs is the secret key of the ticket-granting service).
- TGT: Notation for an encrypted ticket-granting ticket, {Ttgs,Ksession}Ktgs.
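The following Python model is an added illustration of the notation above and is not code from the original page or from any Kerberos implementation. It shows {String}Key, string_to_key(), the TGT = {Ttgs,Ksession}Ktgs construction and dual encryption as running code. DES is replaced by a toy keyed stream cipher built from hashlib (it only mirrors the property the glossary relies on: the right key restores the clear text, a wrong key yields garbage); the string_to_key() derivation, the exact layout of the KDC reply {TGT, Ksession}Kclient, and all function and principal names are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# DES keys are 64 bits (8 bytes), matching the glossary; the cipher below is a
# hashlib-based stand-in for DES, NOT DES and NOT secure (constructed for illustration).
KEY_LEN = 8


def string_to_key(password: str) -> bytes:
    """string_to_key(): turn an arbitrary string into a fixed-length key.
    Hypothetical derivation; real Kerberos defines its own string-to-key algorithms."""
    return hashlib.sha256(password.encode("utf-8")).digest()[:KEY_LEN]


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream derived from (key, counter) via HMAC-SHA256."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(clear_text: bytes, key: bytes) -> bytes:
    """{clear_text}key in the glossary's notation."""
    return bytes(a ^ b for a, b in zip(clear_text, _keystream(key, len(clear_text))))


decrypt = encrypt  # XOR keystream cipher: applying it again undoes it


def seal(record: dict, key: bytes) -> bytes:
    """Serialise a record and encrypt it under key, i.e. {record}key."""
    return encrypt(json.dumps(record, sort_keys=True).encode("utf-8"), key)


def unseal(blob: bytes, key: bytes):
    """Decrypt and parse. With the wrong key the result is garbled clear text,
    which fails to parse; that failure is reported as None."""
    try:
        return json.loads(decrypt(blob, key).decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return None


def initial_ticketing_service(principal: str, kdc_db: dict, k_tgs: bytes,
                              k_session: bytes = None) -> bytes:
    """Initial ticketing service (assumed reply layout): returns {TGT, Ksession}Kclient
    where TGT = {Ttgs, Ksession}Ktgs. The TGT is therefore dual-encrypted: first
    under Ktgs (readable only by the TGS), then under Kclient (readable only by
    the holder of the principal's password)."""
    k_session = k_session or secrets.token_bytes(KEY_LEN)
    t_tgs = {"type": "tgs", "principal": principal}          # Ttgs
    tgt = seal({"ticket": t_tgs, "session_key": k_session.hex()}, k_tgs)
    k_client = kdc_db[principal]                              # Kclient held by the KDC
    return seal({"tgt": tgt.hex(), "session_key": k_session.hex()}, k_client)


def client_opens_reply(reply: bytes, password: str):
    """The client derives Kclient = string_to_key(password) and opens the reply."""
    return unseal(reply, string_to_key(password))


def tgs_opens_tgt(tgt_hex: str, k_tgs: bytes):
    """The ticket-granting service decrypts the TGT with Ktgs to recover Ttgs and Ksession."""
    return unseal(bytes.fromhex(tgt_hex), k_tgs)


if __name__ == "__main__":
    # Constructed sample data: one principal and the TGS secret key.
    kdc_db = {"alice": string_to_key("correct horse")}
    k_tgs = string_to_key("tgs-secret")
    reply = initial_ticketing_service("alice", kdc_db, k_tgs)
    opened = client_opens_reply(reply, "correct horse")
    print("client with right password sees session key:", opened["session_key"])
    print("client with wrong password gets:", client_opens_reply(reply, "wrong"))
    print("client cannot open the TGT itself:", unseal(bytes.fromhex(opened["tgt"]), kdc_db["alice"]))
    print("TGS recovers Ttgs:", tgs_opens_tgt(opened["tgt"], k_tgs)["ticket"])
```

The last two prints are the point of dual encryption: the client can open the outer layer with its password-derived key and learn Ksession, but the inner {Ttgs,Ksession}Ktgs is opaque to it and can only be read by the ticket-granting service holding Ktgs.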