12 K

Kerberos: An authentication system that enables two parties to exchange private information across an otherwise open network by assigning a unique key (called a ticket) to each user that logs on to the network and then embedding these tickets into messages sent by the users. For more information, see [MS-KILE].

Kerberos authenticator: A record sent with a ticket to a server to help certify the client's knowledge of the encryption key in the ticket, to help the server detect replay attacks by proving the authenticator is recently constructed, and to help the two parties select additional encryption keys for a particular connection authenticated by Kerberos. The use of authenticators, including how authenticators are validated, is specified in [RFC4120] section 5.5.1. For more information, see [KAUFMAN].

Kerberos principal: A unique individual account known to the Key Distribution Center (KDC). Often a user, but it can be a service offering a resource on the network.

key: (1) In the registry, a node in the logical tree of the data store.

(2) In cryptography, a generic term used to refer to cryptographic data that is used to initialize a cryptographic algorithm. Keys are also sometimes referred to as keying material.

key agreement: A key establishment procedure where the resulting secret keying material is a function of information contributed by two participants, so that no party can predetermine the value of the secret keying material independently of the contributions of the other parties. See also key transport. For more information, see section 3.1 in [SP800-56A] and section 3 in [IEEE1363].

key archival: Also referred to as key escrow. The process by which the entity requesting a certificate also submits its private key as part of the request. The private key is encrypted such that only a key recovery agent can obtain it, preventing accidental disclosure but preserving a copy in case the entity is unable or unwilling to decrypt data.

key archival certificate: See key recovery certificate.

key derivation: The act of deriving a cryptographic key from another value (for example, the derivation of a cryptographic key from a password).

Key Distribution Center (KDC): The Kerberos service that implements the authentication and ticket granting services specified in the Kerberos protocol. The service runs on computers selected by the administrator of the realm or domain; it is not present on every machine on the network. It must have access to an account database for the realm that it serves. Windows KDCs are integrated into the domain controller role of Windows 2000 Server or Windows Server 2003. It is a network service that supplies tickets to clients for use in authenticating to services.

key escrow: See key archival.

key establishment: See key exchange.

key exchange: A synonym for key establishment. The procedure that results in shared secret keying material among different parties. Key agreement and key transport are two forms of key exchange. For more information, see [CRYPTO] section 1.11, [SP800-56A] section 3.1, and [IEEE1363] section 3.

key exchange key: The key used to protect the session key that is generated by the client. The key exchange key is derived from the response key during authentication.

key handle: The remote procedure call (RPC) context handle to a key.

key recovery agent (KRA): A user, machine, or registration authority that has enrolled and obtained a key recovery certificate. A KRA is any entity that possesses a KRA private key and certificate. For more information on KRAs and the archival process, see [MSFT-ARCHIVE].

key recovery certificate: A certificate with the unique object identifier (OID) in the extended key usage extension for key archival.

key transport: A key establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver).

keyed hash: A cryptographic hash computed over both a symmetric key and data, as specified in [RFC2617]. For more information, see [RFC2104].

keyed-hash message authentication code: A symmetric keyed hashing algorithm used to verify the integrity of data to help ensure it has not been modified while in storage or transit.

keyholder: The entity that holds a private key and is therefore capable of signing and decrypting. The keyholder of a public key is defined as the keyholder of the corresponding private key.

keying material: The data from which the main mode (MM) and quick mode (QM) security association (SA) authentication and encryption keys are generated.

Knowledge Consistency Checker (KCC): An internal Windows component of the Active Directory replication used to create spanning trees for domain controller to domain controller replication and to translate those trees into a set of abstract variables.

KRB_AP_REQ/KRB_AP_REP: The request and response messages used in the Authentication Protocol (AP) exchange.

KRB_AS_REQ/KRB_AS_REP: The request and response messages used in the Authentication Service (AS) exchange.

KRB_CRED exchange: The Kerberos sub-protocol used by clients requiring the ability to send credentials from one host to another. This exchange is initiated when a client sends a KRB_CRED message, as specified in [RFC4120] section 3.6.

KRB_PRIV exchange: The Kerberos sub-protocol used by clients requiring confidentiality and the ability to detect modifications of the messages they exchange with a server in a session already established through the Authentication Protocol (AP) exchange. This exchange is initiated when a client sends a KRB_PRIV message, as specified in [RFC4120] section 3.5.

KRB_SAFE exchange: The Kerberos sub-protocol used by clients to detect modifications of messages they exchange with a server in a session already established through the Authentication Protocol (AP) exchange. This exchange is initiated when a client sends a KRB_SAFE message, as specified in [RFC4120] section 3.4.

KRB_TGS_REQ/KRB_TGS_REP: The request and response messages used in the ticket-granting service (TGS) exchange.