Below is a list of terms used throughout this document.
Authentication: Verifying the claimed identity of a principal.
Authentication header: A record containing a Ticket and an Authenticator to be presented to a server as part of the authentication process.
Authentication path: A sequence of intermediate realms transited in the authentication process when communicating from one realm to another.
Authenticator: A record containing information that can be shown to have been recently generated using the session key known only by the client and server.
Authorization: The process of determining whether a client may use a service, which objects the client is allowed to access, and the type of access allowed for each.
Capability: A token that grants the bearer permission to access an object or service. In Kerberos, this might be a ticket whose use is restricted by the contents of the authorization data field, but which lists no network addresses, together with the session key necessary to use the ticket.
Ciphertext: The output of an encryption function. Encryption transforms plaintext into ciphertext.
Client: A process that makes use of a network service on behalf of a user. Note that in some cases a Server may itself be a client of some other server (e.g., a print server may be a client of a file server).
Credentials: A ticket plus the secret session key necessary to successfully use that ticket in an authentication exchange.
KDC: Key Distribution Center, a network service that supplies tickets and temporary session keys; or an instance of that service or the host on which it runs. The KDC services both initial ticket and ticket-granting ticket requests. The initial ticket portion is sometimes referred to as the Authentication Server (or service). The ticket-granting ticket portion is sometimes referred to as the ticket-granting server (or service).
Kerberos: Aside from the 3-headed dog guarding Hades, the name given to Project Athena's authentication service, the protocol used by that service, or the code used to implement the authentication service.
Plaintext: The input to an encryption function or the output of a decryption function. Decryption transforms ciphertext into plaintext.
Principal: A uniquely named client or server instance that participates in a network communication.
Principal identifier: The name used to uniquely identify each different principal.
Seal: To encipher a record containing several fields in such a way that the fields cannot be individually replaced without either knowledge of the encryption key or leaving evidence of tampering.
Secret key: An encryption key shared by a principal and the KDC, distributed outside the bounds of the system, with a long lifetime. In the case of a human user's principal, the secret key is derived from a password.
Server: A particular Principal which provides a resource to network clients.
Service: A resource provided to network clients; often provided by more than one server (for example, remote file service).
Session key: A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login "session".
Sub-session key: A temporary encryption key used between two principals, selected and exchanged by the principals using the session key, and with a lifetime limited to the duration of a single association.
Ticket: A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh Authenticator.
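The ticket, authenticator, credentials, seal and session-key entries above describe the pieces of one exchange. The Python below, an example added by the editor and not text or code from the RFC or from any Kerberos implementation, puts them together in a toy KDC / client / server round trip and shows why a ticket alone does not authenticate anyone. The sealing primitive (an HMAC-SHA256 keystream plus an HMAC tag), the principal names, the 300-second skew and the one-hour ticket lifetime are assumptions chosen for illustration; they are not the Kerberos encryption types or the protocol's wire encoding.

```python
import hashlib
import hmac
import json
import os

# Toy stand-in for a Kerberos encryption type (assumption, not a real enctype):
# keystream = HMAC-SHA256(key, "enc" || nonce || counter), tag = HMAC over nonce || ciphertext.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, record: dict) -> bytes:
    """Seal a record: encrypt its fields, then MAC them, so no field can be
    replaced on its own without the key or without the MAC check failing."""
    plaintext = json.dumps(record, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse seal(); raises ValueError when the key is wrong or the blob was altered."""
    if len(blob) < 16 + 32:
        raise ValueError("sealed record too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad MAC: wrong key or tampered record")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def kdc_issue(server_key: bytes, client: str, server: str, now: int, lifetime: int = 3600):
    """KDC step: mint a fresh session key and a ticket sealed under the server's
    long-term secret key. The ticket plus the session key are the credentials."""
    session_key = os.urandom(32)
    ticket = seal(server_key, {"client": client, "server": server,
                               "session_key": session_key.hex(),
                               "start": now, "end": now + lifetime})
    return ticket, session_key


def build_ap_req(ticket: bytes, session_key: bytes, client: str, now: int) -> dict:
    """Client step: the authentication header is the ticket plus a fresh
    authenticator sealed under the session key (proves key possession and recency)."""
    return {"ticket": ticket, "authenticator": seal(session_key, {"client": client, "timestamp": now})}


class Server:
    def __init__(self, name: str, secret_key: bytes, max_skew: int = 300):
        self.name, self.secret_key, self.max_skew = name, secret_key, max_skew
        self.replay_cache = set()  # authenticators already accepted

    def verify(self, ap_req: dict, now: int):
        ticket = unseal(self.secret_key, ap_req["ticket"])  # only the server's key opens it
        if ticket["server"] != self.name:
            raise ValueError("ticket issued for a different server")
        if not ticket["start"] <= now <= ticket["end"]:
            raise ValueError("ticket outside its validity period")
        session_key = bytes.fromhex(ticket["session_key"])
        auth = unseal(session_key, ap_req["authenticator"])  # fails without the session key
        if auth["client"] != ticket["client"]:
            raise ValueError("authenticator client does not match ticket")
        if abs(now - auth["timestamp"]) > self.max_skew:
            raise ValueError("authenticator is stale")
        if ap_req["authenticator"] in self.replay_cache:
            raise ValueError("authenticator replayed")
        self.replay_cache.add(ap_req["authenticator"])
        return ticket["client"], session_key


def run_demo() -> dict:
    """Constructed scenario: one legitimate exchange, then the failure modes."""
    now, alice, fs = 1_700_000_000, "alice@EXAMPLE.COM", "host/fileserver.example.com"
    server_key = os.urandom(32)
    server = Server(fs, server_key)
    ticket, session_key = kdc_issue(server_key, alice, fs, now)
    results = {}
    ap_req = build_ap_req(ticket, session_key, alice, now + 5)
    results["accepted"] = server.verify(ap_req, now + 6)[0]
    bad_ticket = bytearray(ticket)
    bad_ticket[20] ^= 0x01  # flip one ciphertext bit: the seal must notice
    cases = [
        ("replay", ap_req, now + 7),                                          # same authenticator again
        ("stolen_ticket", build_ap_req(ticket, os.urandom(32), alice, now + 8), now + 8),  # no session key
        ("stale", build_ap_req(ticket, session_key, alice, now - 900), now),
        ("expired_ticket", build_ap_req(ticket, session_key, alice, now + 7200), now + 7200),
        ("tampered_ticket", {"ticket": bytes(bad_ticket), "authenticator": ap_req["authenticator"]}, now + 9),
    ]
    for label, req, at in cases:
        try:
            server.verify(req, at)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results
```

The "stolen_ticket" case is the point of the last sentence of the Ticket entry: an attacker who captures the ticket off the wire but not the session key cannot produce a valid authenticator, so the server rejects the request at the MAC check. The replay cache and the skew window are what make the authenticator "fresh"; drop either and a recorded authentication header can be resubmitted.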