|
|
|
|
40.1 Kerberos Terminology
The following glossary defines some Kerberos
terminology.
- credential
-
Users or clients need to present some kind of credentials
that authorize them to request services. Kerberos knows two kinds of
credentials—tickets and authenticators.
- ticket
-
A ticket is a per-server credential used by a client to
authenticate at a server from which it is requesting a service. It
contains the name of the server, the client's name, the client's Internet
address, a time stamp, a lifetime, and a random session key. All this
data is encrypted using the server's key.
- authenticator
-
Combined with the ticket, an authenticator is used to prove
that the client presenting a ticket is really the one it claims to be. An
authenticator is built of the client's name, the workstation's IP
address, and the current workstation's time all encrypted with the
session key only known to the client and the server from which it is
requesting a service. An authenticator can only be used once, unlike a
ticket. A client can build an authenticator itself.
- principal
-
A Kerberos principal is a
unique
entity (a user or service) to which it can assign a ticket. A principal
consists of the following components:
-
Primary—the first part of
the principal, which can be the same as your username in the case of
a user.
-
Instance—some optional
information characterizing the primary. This string is separated from
the primary by a /.
-
Realm—this specifies your
Kerberos realm. Normally, your realm is your
domain name in uppercase letters.
- mutual authentication
-
Kerberos ensures that both client and
server can be sure of each others identity. They share a session
key, which they can use to communicate securely.
- session key
-
Session keys are temporary private keys
generated by Kerberos. They are known to the
client and used to encrypt the communication between the client and the
server for which it requested and received a ticket.
- replay
-
Almost all messages sent in a network can be eavesdropped,
stolen, and resent. In the Kerberos context, this
would be most dangerous if an attacker manages to obtain your request for
a service containing your ticket and authenticator. He could then try to
resend it (replay) to impersonate you. However,
Kerberos implements several mechanisms to deal
with that problem.
- server or service
-
Service is used to refer to a specific action to
perform. The process behind this action is referred to as a
server.
|
|
|