Kerberos: An authentication system that enables two parties to exchange private information across an otherwise open network by assigning a unique key (called a ticket) to each user that logs on to the network and then embedding these tickets into messages sent by the users. For more information, see [MS-KILE].
Kerberos authenticator: A record sent with a ticket to a server to help certify the client's knowledge of the encryption key in the ticket, to help the server detect replay attacks by proving the authenticator is recently constructed, and to help the two parties select additional encryption keys for a particular connection authenticated by Kerberos. The use of authenticators, including how authenticators are validated, is specified in [RFC4120] section 5.5.1. For more information, see [KAUFMAN].
Kerberos principal: A unique individual account known to the Key Distribution Center (KDC). Often a user, but it can be a service offering a resource on the network.
key: (1) In the registry, a node in the logical tree of the data store. (2) In cryptography, a generic term used to refer to cryptographic data that is used to initialize a cryptographic algorithm. Keys are also sometimes referred to as keying material.
key agreement: A key establishment procedure where the resulting secret keying material is a function of information contributed by two participants, so that no party can predetermine the value of the secret keying material independently of the contributions of the other parties. See also key transport. For more information, see section 3.1 in [SP800-56A] and section 3 in [IEEE1363].
key archival: Also referred to as key escrow. The process by which the entity requesting the certificate also submits the private key during the process. The private key is encrypted such that only a key recovery agent can obtain it, preventing accidental disclosure, but preserving a copy in case the entity is unable or unwilling to decrypt data.
key archival certificate: See key recovery certificate.
key derivation: The act of deriving a cryptographic key from another value (for example, the derivation of a cryptographic key from a password).
Key Distribution Center (KDC): The Kerberos service that implements the authentication and ticket granting services specified in the Kerberos protocol. The service runs on computers selected by the administrator of the realm or domain; it is not present on every machine on the network. It must have access to an account database for the realm that it serves. Windows KDCs are integrated into the domain controller role of Windows 2000 Server or Windows Server 2003. It is a network service that supplies tickets to clients for use in authenticating to services.
key escrow: See key archival.
key establishment: See key exchange.
key exchange key: The key used to protect the session key that is generated by the client. The key exchange key is derived from the response key during authentication.
key handle: The remote procedure call (RPC) context handle to a key.
key recovery certificate: A certificate with the unique object identifier (OID) in the extended key usage extension for key archival.
key transport: A key establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver).
keyed-hash message authentication code: A symmetric keyed hashing algorithm used to verify the integrity of data to help ensure it has not been modified while in storage or transit.
Knowledge Consistency Checker (KCC): An internal Windows component of Active Directory replication used to create spanning trees for domain controller to domain controller replication and to translate those trees into a set of abstract variables.
KRB_AP_REQ/KRB_AP_REP: The request and response messages used in the Authentication Protocol (AP) exchange.
KRB_AS_REQ/KRB_AS_REP: The request and response messages used in the Authentication Service (AS) Exchange.
KRB_CRED exchange: The Kerberos sub-protocol used by clients requiring the ability to send credentials from one host to another. This exchange is initiated when a client sends a KRB_CRED message, as specified in [RFC4120] section 3.6.
KRB_PRIV exchange: The Kerberos sub-protocol used by clients requiring confidentiality and the ability to detect modifications of the messages they exchange with a server in a session already established through the Authentication Protocol (AP) exchange. This exchange is initiated when a client sends a KRB_PRIV message, as specified in [RFC4120] section 3.5.
KRB_TGS_REQ/KRB_TGS_REP: The request and response messages used in the ticket-granting service (TGS) exchange.