Kerberos: An authentication system that enables two parties to exchange private information across an otherwise open network. A trusted Key Distribution Center (KDC) issues each principal that logs on a ticket, an encrypted record carrying the principal's identity and a session key that only the target service can read; clients embed these tickets in the messages they send, and the shared session key lets both sides authenticate and protect the exchange. The protocol is specified in [RFC4120]; for the Windows implementation, see [MS-KILE].
Kerberos authenticator: A record sent with a ticket to a server to certify the client's knowledge of the session key in the ticket, to help the server detect replay attacks by proving that the authenticator was recently constructed (it carries the client's current time), and to help the two parties select additional session keys for a particular connection authenticated by Kerberos. The use of authenticators, including how a server validates them, is specified in [RFC4120] section 5.5.1. For more information, see [KAUFMAN].
Kerberos constrained delegation: A form of authentication delegation in which a service is permitted to obtain Kerberos tickets on behalf of (that is, impersonate) the users that send it requests, but only to an administrator-specified set of target services rather than to any service, as unconstrained delegation would allow. In Windows this is implemented with the S4U2proxy extension specified in [MS-SFU].
Kerberos principal: A unique individual account known to the Key Distribution Center (KDC). Often a user, but it can be a service offering a resource on the network.
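As an added example that is not part of this glossary, the following Python models the server-side checks that the Kerberos authenticator entry above refers to ([RFC4120] section 5.5.1): decrypt with the ticket's session key, match the client name against the ticket, enforce the clock-skew window, and consult a replay cache. The real authenticator is an ASN.1 structure encrypted with an RFC 3961 encryption type; the HMAC-SHA256 keystream plus HMAC tag used here, the JSON encoding, the five-minute skew constant and the sample principal names are all assumptions made for illustration.

```python
"""Toy model of Kerberos authenticator validation (RFC 4120 section 5.5.1).

Added example, not part of the glossary. The real authenticator is an ASN.1 structure
encrypted with an RFC 3961 encryption type; here the session key protects a small JSON
record with an HMAC-SHA256 keystream plus an HMAC-SHA256 tag (encrypt-then-MAC), which
is an assumption made for illustration only.
"""
import hashlib
import hmac
import json
import secrets

CLOCK_SKEW_SECONDS = 300  # RFC 4120 suggests 5 minutes as the default acceptable skew
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(session_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one session key.
    return hmac.new(session_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, under keys derived from the session key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(session_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY")
    ks = _keystream(_subkey(session_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def make_authenticator(session_key: bytes, cname: str, crealm: str, now: float) -> bytes:
    """Client side: prove knowledge of the session key and bind the message to the current time."""
    record = {"cname": cname, "crealm": crealm,
              "ctime": int(now), "cusec": int(round((now % 1) * 1_000_000))}
    return seal(session_key, json.dumps(record, sort_keys=True).encode())


class ReplayCache:
    """Remembers (cname, crealm, ctime, cusec) for as long as the skew window makes a replay possible."""

    def __init__(self) -> None:
        self._seen: dict[tuple, int] = {}

    def purge(self, now: float) -> None:
        cutoff = int(now) - CLOCK_SKEW_SECONDS
        self._seen = {k: t for k, t in self._seen.items() if t >= cutoff}

    def check_and_add(self, key: tuple, ctime: int) -> bool:
        if key in self._seen:
            return False
        self._seen[key] = ctime
        return True


def validate_authenticator(session_key, ticket_cname, ticket_crealm, blob, now, cache) -> dict:
    """Server side, in the order RFC 4120 section 5.5.1 prescribes; raises ValueError carrying the error name."""
    record = json.loads(unseal(session_key, blob))            # 1. decrypt with the ticket's session key
    if (record["cname"], record["crealm"]) != (ticket_cname, ticket_crealm):
        raise ValueError("KRB_AP_ERR_BADMATCH")                # 2. names must match the ticket
    if abs(record["ctime"] - int(now)) > CLOCK_SKEW_SECONDS:
        raise ValueError("KRB_AP_ERR_SKEW")                    # 3. timestamp within the allowed skew
    cache.purge(now)
    key = (record["cname"], record["crealm"], record["ctime"], record["cusec"])
    if not cache.check_and_add(key, record["ctime"]):
        raise ValueError("KRB_AP_ERR_REPEAT")                  # 4. seen before within the window: replay
    return record


def try_validate(*args) -> str:
    """Convenience wrapper returning 'OK' or the Kerberos error name."""
    try:
        validate_authenticator(*args)
        return "OK"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    session_key = secrets.token_bytes(32)  # constructed: normally carried inside the ticket
    cache = ReplayCache()
    now = 1_700_000_000.25
    auth = make_authenticator(session_key, "alice", "EXAMPLE.COM", now)
    print(try_validate(session_key, "alice", "EXAMPLE.COM", auth, now + 5, cache))  # OK
    print(try_validate(session_key, "alice", "EXAMPLE.COM", auth, now + 6, cache))  # KRB_AP_ERR_REPEAT
```

The replay cache is keyed on the full (name, realm, ctime, cusec) tuple and only needs to retain entries for the skew window, since anything older is already rejected by the timestamp check; a server that skips the cache accepts a captured KRB_AP_REQ for as long as that window lasts.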
key: (1) In the registry, a node in the logical tree of the data store.
(2) In cryptography, a generic term used to refer to cryptographic data that is used to initialize a cryptographic algorithm. Keys are also sometimes referred to as keying material.
key agreement: A key establishment procedure in which the resulting secret keying material is a function of information contributed by two participants, so that no party can predetermine the value of the secret keying material independently from the contributions of the other parties. See also key transport. For more information, see [SP800-56A] section 3.1 and [IEEE1363] section 3.
key archival: Also referred to as key escrow. The process by which an entity requesting a certificate also submits its private key to the certification authority as part of the request. The CA stores the private key encrypted so that only a key recovery agent can obtain it, which prevents accidental disclosure while preserving a copy in case the entity loses the key or is unwilling to decrypt data.
key archival certificate: See key recovery certificate.
key attestation: See attestation.
key derivation: The act of deriving a cryptographic key from another value (for example, the derivation of a cryptographic key from a password).
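As an added example that is not part of this glossary, the two common shapes of key derivation named in the entry above in Python: stretching a password into a key with PBKDF2-HMAC-SHA256 (the standard library's hashlib.pbkdf2_hmac), and deriving independent subkeys from one shared secret with HKDF (RFC 5869), implemented here over HMAC-SHA256. The iteration count, the context labels and the sample inputs are assumptions for illustration.

```python
"""Key derivation: a password-based KDF (PBKDF2-HMAC-SHA256) and HKDF (RFC 5869).

Added example, not part of the glossary. Iteration count, labels and inputs are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = 32
PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256; tune to ~0.5 s


def derive_key_from_password(password: str, salt: bytes, length: int = 32,
                             iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch a password into a key. The salt must be unique per password (16+ random
    bytes) and stored next to the result; a different salt yields an unrelated key."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: concentrate the input keying material into a fixed-length PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: expand the PRK into `length` bytes bound to the context `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def derive_subkeys(shared_secret: bytes, salt: bytes, context: bytes) -> dict:
    """Derive separate encryption and MAC keys from one secret; the distinct labels make
    the two outputs independent even though they share the PRK."""
    prk = hkdf_extract(salt, shared_secret)
    return {
        "enc": hkdf_expand(prk, context + b"|enc", 32),
        "mac": hkdf_expand(prk, context + b"|mac", 32),
    }


if __name__ == "__main__":
    salt = secrets.token_bytes(16)                      # constructed: store alongside the derived key
    k = derive_key_from_password("correct horse battery staple", salt)
    print("PBKDF2 key:", k.hex())
    keys = derive_subkeys(secrets.token_bytes(32), salt, b"example-protocol-v1")
    print("enc:", keys["enc"].hex())
    print("mac:", keys["mac"].hex())
```

The HKDF functions reproduce the RFC 5869 test vectors exactly, so they can be checked against the published values; the PBKDF2 call is the standard library's own implementation, wrapped only to enforce the salt-length requirement.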
Key Distribution Center (KDC): The Kerberos network service that implements the Authentication Service (AS) and Ticket-Granting Service (TGS) exchanges specified in the Kerberos protocol, supplying the tickets that clients use to authenticate to services. It runs only on computers selected by the administrator of the realm or domain, not on every machine on the network, and it must have access to an account database for the realm that it serves. In Windows, the KDC is part of the domain controller role of Windows Server.
key escrow: See key archival.
key establishment: See key exchange.
key exchange: A synonym for key establishment. The procedure that results in shared secret keying material among different parties. Key agreement and key transport are two forms of key exchange. For more information, see [CRYPTO] section 1.11, [SP800-56A] section 3.1, and [IEEE1363] section 3.
key handle: The remote procedure call (RPC) context handle to a key.
key recovery agent (KRA): A user, machine, or registration authority that has enrolled and obtained a key recovery certificate. A KRA is any entity that possesses a KRA private key and certificate. For more information on KRAs and the archival process, see [MSFT-ARCHIVE].
key transport: A key establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver).
keyed-hash Message Authentication Code (HMAC): A message authentication code computed with a cryptographic hash function and a symmetric key shared by the sender and the verifier. It is used to verify that data has not been modified in storage or transit and that it originated from a holder of the key. Specified in [RFC2104].
Knowledge Consistency Checker (KCC): An internal Windows component of the Active Directory replication that is used to create spanning trees for domain controller to domain controller replication and to translate those trees into a set of abstract variables.
KRB_AP_REQ/KRB_AP_REP: The request and response messages used in the Authentication Protocol (AP) exchange.
KRB_AS_REQ/KRB_AS_REP: The request and response messages used in the Authentication Service (AS) Exchange.
KRB_CRED exchange: The Kerberos subprotocol used by clients that require the ability to send credentials from one host to another. This exchange is initiated when a client sends a KRB_CRED message, as specified in [RFC4120] section 3.6.
KRB_PRIV exchange: The Kerberos subprotocol used by clients that require confidentiality and the ability to detect modifications of the messages they exchange with a server in a session that is already established through the Authentication Protocol (AP) exchange. This exchange is initiated when a client sends a KRB_PRIV message, as specified in [RFC4120] section 3.5.
KRB_SAFE exchange: The Kerberos subprotocol used by clients to detect modifications of messages they exchange with a server in a session that is already established through the AP exchange. This exchange is initiated when a client sends a KRB_SAFE message, as specified in [RFC4120] section 3.4.
KRB_TGS_REQ/KRB_TGS_REP: The request and response messages used in the ticket-granting service (TGS) exchange.