HP Open Source Security for OpenVMS Volume 3: Kerberos


  Table of Contents





Verification of the claimed identity of a principal.

authentication header 

A record containing a ticket and an authenticator to be presented to a server as part of the authentication process.

authentication path 

A sequence of intermediate realms transited in the authentication process when communicating from one realm to another.


A record containing information that can be shown to have been recently generated using the session key known only by the client and server.


The process of determining whether a client may use a service, the objects the client is allowed to access, and the type of access allowed.


The output of an encryption function. Encryption transforms plaintext into ciphertext.


A process that uses a network service on behalf of a user. In some cases a server may itself be a client of some other server. (For example, a print server may be a client of a file server.)


A ticket plus the secret session key necessary to successfully use that ticket in an authentication exchange.


(Key Distribution Center) A network service that supplies tickets and temporary session keys, or an instance of that service or the host on which it runs. The KDC services both initial ticket and ticket-granting ticket requests.

The initial ticket portion is sometimes referred to as the authentication server (or service). The ticket-granting ticket portion is sometimes referred to as the ticket-granting server (or service).


1. In ancient mythology, the three-headed dog guarding Hades. 2. The name given to Project Athena's authentication service, the protocol used by that service, or the code used to implement the authentication service.


The input to an encryption function or the output of a decryption function. Decryption transforms ciphertext into plaintext.


A uniquely named client or server instance that participates in a network communication.

principal identifier 

The name used to uniquely identify each different principal.


The administrative domain that encompasses Kerberos clients and servers.


To encipher a record containing several fields in such a way that the fields cannot be individually replaced without either knowledge of the encryption key or leaving evidence of tampering.

secret key 

An encryption key shared by a principal and the KDC, distributed outside the bounds of the system, with a long lifetime. In the case of a human user's principal, the secret key is derived from a password.


A particular principal that provides a resource to network clients.


A resource provided to network clients; often provided by more than one server (for example, remote file service).

session key 

A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login session.

subsession key 

A temporary encryption key used between two principals, selected and exchanged by the principals using the session key, and with a lifetime limited to the duration of a single association.


A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh authenticator.