GLOSSARY FOR SECURITY AND SINGLE SIGN-ON

authentication: The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.

authorization: Permission given to a user, program, or process to access an object or set of objects. In Oracle, authorization is done through the role mechanism. A single person or a group of people can be granted a role or a group of roles. A role, in turn, can be granted other roles.

client: A client relies on a service. A client can sometimes be a user, sometimes a process acting on behalf of the user during a database link (sometimes called a proxy).

cryptographic checksum: A mechanism that computes a value for a message packet, based on the data it contains, and passes it along with the data to authenticate that the data has not been tampered with. The recipient of the data recomputes the cryptographic checksum and compares it with the cryptographic checksum passed with the data; if they match, it is "probabilistic" proof the data was not tampered with during transmission. The important property of a cryptographic checksum is that without knowing the secret key, a malicious interceptor has only an infinitesimally small chance of being able to construct an altered message with a valid corresponding checksum.

initial ticket: An initial ticket or ticket granting ticket (TGT) is retrieved by running the kinit program and providing a password. When run successfully, the user is granted a ticket granting ticket that identifies them as having the right to ask for additional service tickets. No tickets can be obtained without an initial ticket.

Kerberos: A network authentication service developed under Massachusetts Institute of Technology's Project Athena that strengthens security in distributed environments. Kerberos is a trusted third-party authentication system that relies on shared secrets and assumes that the third party is secure. It provides single sign-on capabilities and database link authentication (MIT Kerberos only) for users, provides centralized password storage, and enhances PC security.

KDC/TGS: Key Distribution Center/Ticket Granting Service. The KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket--the ticket-granting ticket (TGT). The Ticket Granting Service maintains a list of service principals and is contacted when a user wants to authenticate to a server providing such a service.

The KDC/TGS is a trusted third party that must run on a secure host. It creates ticket-granting tickets and service tickets. The KDC and TGS are usually the same entity.

kinstance: An instantiation or location of a service. This is an arbitrary string, but the host machine name for a service is typically specified.

network authentication service: A means for authenticating clients to servers, servers to servers, and users to both clients and servers in distributed environments. A network authentication service is a repository for storing information about users and the services on different servers to which they have access, as well as information about clients and servers on the network. An authentication server can be a physically separate machine, or it can be a facility co-located on another server within the system. To ensure availability, some authentication services may be replicated to avoid a single point of failure.

principal: A Kerberos object, consisting of kservice/kinstance@REALM. See also kservice, kinstance, and realm. A uniquely-identified client or server.

realm: A Kerberos object. A set of clients and servers operating under a single key distribution center/ticket-granting service (KDC/TGS). kservices that are in different realms but that have the same name are unique.

service: A network resource used by clients; for example, an Oracle database server.

service name: For Kerberos-based authentication, the kservice portion of a service principal.

service table: A service table is a list of service principals that exist on a kinstance. This information must be extracted from Kerberos and copied to the Oracle server machine before Kerberos can be used by Oracle.

session key: A key shared by at least two parties (usually a client and a server).

smart card: A device external to a server that provides user authentication. Smart carads may operate using challenge-response mechanisms, or by providing one-time passwords. Smart cards providing one-time use passwords are synchronized with a service on the server so that the server expects the same password generated by the smart card. Challenge-response cards operate as follows: a user enters his PIN into the card. The server that he is trying to access offers a challenge in the form of a number. The user enters the number into his smart card, and receives a number back from the card, which he offers to the server. If the number is what the server expects, access is allowed.

SQL*Net: An Oracle product that works with an Oracle Server and enables two or more computers that run the Oracle Server or Oracle tools such as SQL*Forms to exchange data through a third-party network. SQL*Net supports distributed processing and distributed database capability. SQL*Net is an "open system" because it is independent of the communication protocol, and users can interface SQL*Net to many network environments.

service ticket: Trusted information used to authenticate the client. A ticket-granting ticket is also known as the initial ticket, is obtained by directly or indirectly running kinit and providing a password, and is used by the client to ask for service tickets. A "service ticket" is used by a client to authenticate to a service.

ticket: A ticket is a piece of information that helps identify who the owner is. See service ticket.