Protocol type: Application layer protocol.
464 (TCP, UDP) change/set password.
cat, Common Authentication Technology.
krb-wg, Kerberos WG.
IANA: Kerberos parameters.
Kerberos: The Network Authentication Protocol.
A record containing a Ticket and an Authenticator to be presented to a server as part of the authentication process.
A sequence of intermediate realms transited in the authentication process when communicating from one realm to another.
A record containing information that can be shown to have been recently generated using the session key known only by the client and server.
The process of determining whether a client may use a service, which objects the client is allowed to access and the type of access allowed for each.
A token that grants the bearer permission to access an object or service. In Kerberos, this might be a ticket whose use is restricted by the contents of the authorization data field, but which lists no network addresses, together with the session key necessary to use the ticket.
A ticket plus the secret session key necessary to successfully use that ticket in an authentication exchange.
KDC, Key Distribution Center.
A network service that supplies tickets and temporary session keys or an instance of that service or the host on which it runs. The KDC services both initial ticket and ticket-granting ticket requests. The initial ticket portion is sometimes referred to as the Authentication Server (or service). The ticket-granting ticket portion is sometimes referred to as the ticket-granting server (or service).
kvno, Key Version Number.
A tag associated with encrypted data identifies which key was used for encryption when a long-lived key associated with a principal changes over time. It is used during the transition to a new key so that the party decrypting a message can tell whether the data was encrypted with the old or the new key.
A named client or server entity that participates in a network communication, with one name that is considered canonical.
The canonical name used to uniquely identify a principal.
To encipher a record containing several fields in such a way that the fields cannot be individually replaced without either knowledge of the encryption key or leaving evidence of tampering.
An encryption key shared by a principal and the KDC, distributed outside the bounds of the system, with a long lifetime. In the case of a human user's principal, the secret key MAY be derived from a password.
A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login session. In the Kerberos system, a session key is generated by the KDC. The session key is distinct from the sub-session key.
A temporary encryption key used between two principals, selected and exchanged by the principals using the session key, and with a lifetime limited to the duration of a single association. The sub-session key is also referred to as the subkey.
A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh Authenticator.
[RFC 1964] The Kerberos Version 5 GSS-API Mechanism.
[RFC 2623] NFS Version 2 and Version 3 Security Issues and the NFS Protocol's Use of RPCSEC_GSS and Kerberos V5.
[RFC 2695] Authentication Mechanisms for ONC RPC.
[RFC 2712] Addition of Kerberos Cipher Suites to Transport Layer Security (TLS).
[RFC 3027] Protocol Complications with the IP Network Address Translator.
[RFC 3244] Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols.
[RFC 3820] Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile.
[RFC 3961] Encryption and Checksum Specifications for Kerberos 5.
[RFC 3962] Advanced Encryption Standard (AES) Encryption for Kerberos 5.
[RFC 4120] The Kerberos Network Authentication Service (V5).
[RFC 4121] The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2.
[RFC 4537] Kerberos Cryptosystem Negotiation Extension.
[RFC 1510] The Kerberos Network Authentication Service (V5).