Kerberos


Description:

Protocol suite: TCP/IP.
Protocol type: Application layer protocol.
Ports: 88 (UDP).
464 (TCP, UDP) change/set password.
SNMP MIBs:
Working groups: cat, Common Authentication Technology.
krb-wg, Kerberos WG.
Links: IANA: Kerberos parameters.
Kerberos: The Network Authentication Protocol.

Glossary:

Authentication header.
A record containing a Ticket and an Authenticator to be presented to a server as part of the authentication process.

Authentication path.
A sequence of intermediate realms transited in the authentication process when communicating from one realm to another.

Authenticator.
A record containing information that can be shown to have been recently generated using the session key known only by the client and server.

Authorization.
The process of determining whether a client may use a service, which objects the client is allowed to access and the type of access allowed for each.

Capability.
A token that grants the bearer permission to access an object or service. In Kerberos, this might be a ticket whose use is restricted by the contents of the authorization data field, but which lists no network addresses, together with the session key necessary to use the ticket.

Credentials.
A ticket plus the secret session key necessary to successfully use that ticket in an authentication exchange.

KDC, Key Distribution Center.
A network service that supplies tickets and temporary session keys or an instance of that service or the host on which it runs. The KDC services both initial ticket and ticket-granting ticket requests. The initial ticket portion is sometimes referred to as the Authentication Server (or service). The ticket-granting ticket portion is sometimes referred to as the ticket-granting server (or service).

kvno, Key Version Number.
A tag associated with encrypted data that identifies which key was used for encryption when a long-lived key associated with a principal changes over time. It is used during the transition to a new key so that the party decrypting a message can tell whether the data was encrypted with the old or the new key.

PKINIT.

Principal.
A named client or server entity that participates in a network communication, with one name that is considered canonical.

Principal identifier.
The canonical name used to uniquely identify a principal.

Seal.
To encipher a record containing several fields in such a way that the fields cannot be individually replaced without either knowledge of the encryption key or leaving evidence of tampering.

Secret key.
An encryption key shared by a principal and the KDC, distributed outside the bounds of the system, with a long lifetime. In the case of a human user's principal, the secret key MAY be derived from a password.

Session key.
A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login session. In the Kerberos system, a session key is generated by the KDC. The session key is distinct from the sub-session key.

Sub-session key.
A temporary encryption key used between two principals, selected and exchanged by the principals using the session key, and with a lifetime limited to the duration of a single association. The sub-session key is also referred to as the subkey.

Ticket.
A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh Authenticator.
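As an added example (not code from this page or from any Kerberos implementation), the following Python models how the glossary terms above fit together: the KDC seals a Ticket under the server's secret key tagged with a kvno, the client presents it with a fresh Authenticator sealed under the session key (the authentication header), and the server selects the long-term key by kvno, then checks expiry, name match, freshness and replay. The seal()/unseal() pair is an assumed toy construction standing in for an RFC 3961 encryption type, and CLOCK_SKEW, the one-hour ticket lifetime and all principal names are assumptions.

```python
import hashlib, hmac, json, os

CLOCK_SKEW = 300  # assumed maximum authenticator age in seconds

def seal(key: bytes, fields: dict) -> bytes:
    """Toy stand-in for RFC 3961 encryption (assumed, not a real enctype): SHAKE-256
    keystream plus HMAC tag, so fields cannot be replaced without the key or detection."""
    nonce = os.urandom(16)
    pt = json.dumps(fields, sort_keys=True).encode()
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("seal check failed: wrong key or tampering")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def kdc_issue(server_keys: dict, kvno: int, cname: str, sname: str, now: int):
    """KDC: credentials = ticket sealed under the server key named by kvno, plus the session key."""
    session_key = os.urandom(32)
    body = {"cname": cname, "sname": sname, "key": session_key.hex(), "endtime": now + 3600}
    ticket = {"kvno": kvno, "enc": seal(server_keys[kvno], body).hex()}
    return ticket, session_key

def client_ap_req(ticket: dict, session_key: bytes, cname: str, now: int) -> dict:
    """Client: authentication header = ticket + freshly generated authenticator."""
    return {"ticket": ticket, "authenticator": seal(session_key, {"cname": cname, "ctime": now}).hex()}

def server_verify(server_keys: dict, replay_cache: set, ap_req: dict, now: int) -> str:
    """Server: unseal ticket by kvno, verify authenticator under the session key, return client name."""
    tkt_hdr = ap_req["ticket"]
    key = server_keys.get(tkt_hdr["kvno"])  # kvno picks old vs new key during rollover
    if key is None:
        raise ValueError("no long-term key for kvno %d" % tkt_hdr["kvno"])
    tkt = unseal(key, bytes.fromhex(tkt_hdr["enc"]))
    if now > tkt["endtime"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(tkt["key"]), bytes.fromhex(ap_req["authenticator"]))
    if auth["cname"] != tkt["cname"]:
        raise ValueError("authenticator client does not match ticket")
    if abs(now - auth["ctime"]) > CLOCK_SKEW:
        raise ValueError("authenticator is not fresh")
    if (auth["cname"], auth["ctime"]) in replay_cache:
        raise ValueError("authenticator replayed")
    replay_cache.add((auth["cname"], auth["ctime"]))
    return tkt["cname"]
```

Because the ticket is sealed under the server's key and the authenticator under the session key, a captured authentication header is useless to anyone without the session key and is rejected on re-presentation by the replay cache.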


RFCs:

[RFC 1964] The Kerberos Version 5 GSS-API Mechanism.

[RFC 2623] NFS Version 2 and Version 3 Security Issues and the NFS Protocol's Use of RPCSEC_GSS and Kerberos V5.

[RFC 2695] Authentication Mechanisms for ONC RPC.

[RFC 2712] Addition of Kerberos Cipher Suites to Transport Layer Security (TLS).

[RFC 3027] Protocol Complications with the IP Network Address Translator.

[RFC 3244] Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols.

[RFC 3820] Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile.

[RFC 3961] Encryption and Checksum Specifications for Kerberos 5.

[RFC 3962] Advanced Encryption Standard (AES) Encryption for Kerberos 5.

[RFC 4120] The Kerberos Network Authentication Service (V5).

[RFC 4121] The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2.

[RFC 4537] Kerberos Cryptosystem Negotiation Extension.


Publications:


Obsolete RFCs:

[RFC 1510] The Kerberos Network Authentication Service (V5).

