Description Glossary RFCs Publications Obsolete RFCs


Protocol suite: TCP/IP.
Protocol type:Application layer protocol.
Ports: 88 (UDP).
464 (TCP, UDP) change/set password.
Working groups: cat, Common Authentication Technology.
krb-wg, Kerberos WG.
Links: IANA: Kerberos parameters.
Kerberos: The Network Authentication Protocol.


Authentication header.
A record containing a Ticket and an Authenticator to be presented to a server as part of the authentication process.

Authentication path.
A sequence of intermediate realms transited in the authentication process when communicating from one realm to another.

A record containing information that can be shown to have been recently generated using the session key known only by the client and server.

The process of determining whether a client may use a service, which objects the client is allowed to access and the type of access allowed for each.

A token that grants the bearer permission to access an object or service. In Kerberos, this might be a ticket whose use is restricted by the contents of the authorization data field, but which lists no network addresses, together with the session key necessary to use the ticket.

A ticket plus the secret session key necessary to successfully use that ticket in an authentication exchange.

KDC, Key Distribution Center.
A network service that supplies tickets and temporary session keys or an instance of that service or the host on which it runs. The KDC services both initial ticket and ticket-granting ticket requests. The initial ticket portion is sometimes referred to as the Authentication Server (or service). The ticket-granting ticket portion is sometimes referred to as the ticket-granting server (or service).

kvno, Key Version Number.
A tag associated with encrypted data identifies which key was used for encryption when a long-lived key associated with a principal changes over time. It is used during the transition to a new key so that the party decrypting a message can tell whether the data was encrypted with the old or the new key.


A named client or server entity that participates in a network communication, with one name that is considered canonical.

Principal identifier.
The canonical name used to uniquely identify a principal.

To encipher a record containing several fields in such a way that the fields cannot be individually replaced without either knowledge of the encryption key or leaving evidence of tampering.

Secret key.
An encryption key shared by a principal and the KDC, distributed outside the bounds of the system, with a long lifetime. In the case of a human user's principal, the secret key MAY be derived from a password.

Session key.
A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login session. In the Kerberos system, a session key is generated by the KDC. The session key is distinct from the sub-session key.

Sub-session key.
A temporary encryption key used between two principals, selected and exchanged by the principals using the session key, and with a lifetime limited to the duration of a single association. The sub-session key is also referred to as the subkey.

A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh Authenticator.


[RFC 1964] The Kerberos Version 5 GSS-API Mechanism.

[RFC 2623] NFS Version 2 and Version 3 Security Issues and the NFS Protocol's Use of RPCSEC_GSS and Kerberos V5.

[RFC 2695] Authentication Mechanisms for ONC RPC.

[RFC 2712] Addition of Kerberos Cipher Suites to Transport Layer Security (TLS).

[RFC 3027] Protocol Complications with the IP Network Address Translator.

[RFC 3244] Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols.

[RFC 3820] Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile.

[RFC 3961] Encryption and Checksum Specifications for Kerberos 5.

[RFC 3962] Advanced Encryption Standard (AES) Encryption for Kerberos 5.

[RFC 4120] The Kerberos Network Authentication Service (V5).

[RFC 4121] The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2.

[RFC 4537] Kerberos Cryptosystem Negotiation Extension.


Obsolete RFCs:

[RFC 1510] The Kerberos Network Authentication Service (V5).

Description Glossary RFCs Publications Obsolete RFCs