KRB_CRED Definition
The KRB_CRED message contains a sequence of tickets to be sent and information needed to use the tickets, including the session key from each. The information needed to use the tickets is encrypted under an encryption key previously exchanged. The message fields are as follows:
```
KRB-CRED = {
    pvno[0]          INTEGER,
    msg-type[1]      INTEGER, -- KRB_CRED
    tickets[2]       SEQUENCE OF Ticket,
    enc-part[3]      EncryptedData
}

EncKrbCredPart = {
    ticket-info[0]   SEQUENCE OF KrbCredInfo,
    nonce[1]         INTEGER OPTIONAL,
    timestamp[2]     KerberosTime OPTIONAL,
    usec[3]          INTEGER OPTIONAL,
    s-address[4]     HostAddress OPTIONAL,
    r-address[5]     HostAddress OPTIONAL
}

KrbCredInfo = {
    key[0]           EncryptionKey,
    prealm[1]        Realm OPTIONAL,
    pname[2]         PrincipalName OPTIONAL,
    flags[3]         TicketFlags OPTIONAL,
    authtime[4]      KerberosTime OPTIONAL,
    starttime[5]     KerberosTime OPTIONAL,
    endtime[6]       KerberosTime OPTIONAL,
    renew-till[7]    KerberosTime OPTIONAL,
    srealm[8]        Realm OPTIONAL,
    sname[9]         PrincipalName OPTIONAL,
    caddr[10]        HostAddresses OPTIONAL
}
```
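The three definitions above, encoded as DER and decoded again, as an added example that is not the book's code and not code from MIT krb5 or Heimdal. Everything beyond the page is an assumption of the example: the APPLICATION tag numbers (KRB-CRED 22, EncKrbCredPart 29, Ticket 1), msg-type 22 and pvno 5 are the values given in RFC 1510; the helper names, the principal names, realm, key bytes, etype and nonce are constructed; and the enc-part is not really encrypted, the plaintext EncKrbCredPart is wrapped in an EncryptedData placeholder so the structure can be inspected.

```python
# Added example, not the book's code and not MIT krb5 or Heimdal code: a minimal
# DER encoder for the KRB-CRED layout above plus a small decoder to check it.
# Tags not on the page (KRB-CRED = [APPLICATION 22], EncKrbCredPart = [APPLICATION 29],
# Ticket = [APPLICATION 1], msg-type KRB_CRED = 22, pvno = 5) are taken from RFC 1510.
# No real encryption takes place: the enc-part cipher text is a constructed placeholder.
from datetime import datetime, timezone

def _length(n: int) -> bytes:
    # DER length: short form below 128, otherwise 0x80|k followed by k big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def integer(v: int) -> bytes:            # INTEGER, minimal two's-complement body
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def general_string(s: str) -> bytes:     # Realm and name components are GeneralString
    return tlv(0x1B, s.encode("ascii"))
def octet_string(b: bytes) -> bytes:
    return tlv(0x04, b)
def kerberos_time(t: datetime) -> bytes:  # KerberosTime is GeneralizedTime in UTC
    return tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))
def sequence(*elems: bytes) -> bytes:
    return tlv(0x30, b"".join(elems))
def ctx(n: int, body: bytes) -> bytes:    # [n] context-specific, constructed (EXPLICIT)
    return tlv(0xA0 | n, body)
def app(n: int, body: bytes) -> bytes:    # [APPLICATION n], constructed
    return tlv(0x60 | n, body)

def principal_name(name_type: int, *parts: str) -> bytes:
    return sequence(ctx(0, integer(name_type)),
                    ctx(1, sequence(*[general_string(p) for p in parts])))
def encryption_key(keytype: int, keyvalue: bytes) -> bytes:
    return sequence(ctx(0, integer(keytype)), ctx(1, octet_string(keyvalue)))
def encrypted_data(etype: int, cipher: bytes) -> bytes:   # optional kvno[1] omitted
    return sequence(ctx(0, integer(etype)), ctx(2, octet_string(cipher)))
def ticket(realm: str, sname: bytes, enc_part: bytes) -> bytes:
    return app(1, sequence(ctx(0, integer(5)), ctx(1, general_string(realm)),
                           ctx(2, sname), ctx(3, enc_part)))

def krb_cred_info(key, prealm, pname, starttime, endtime, srealm, sname) -> bytes:
    # Field numbers follow the KrbCredInfo definition above; unused OPTIONAL fields are omitted
    return sequence(ctx(0, key), ctx(1, general_string(prealm)), ctx(2, pname),
                    ctx(5, kerberos_time(starttime)), ctx(6, kerberos_time(endtime)),
                    ctx(8, general_string(srealm)), ctx(9, sname))

def enc_krb_cred_part(infos: list, nonce: int, timestamp: datetime) -> bytes:
    return app(29, sequence(ctx(0, sequence(*infos)), ctx(1, integer(nonce)),
                            ctx(2, kerberos_time(timestamp))))

def krb_cred(tickets: list, enc_part: bytes) -> bytes:
    return app(22, sequence(ctx(0, integer(5)), ctx(1, integer(22)),
                            ctx(2, sequence(*tickets)), ctx(3, enc_part)))

def decode_tlv(buf: bytes, off: int = 0):
    """Return (tag, body, offset just after this TLV)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def children(seq_body: bytes) -> list:
    """Split a SEQUENCE body into its (tag, body) members."""
    out, off = [], 0
    while off < len(seq_body):
        tag, body, off = decode_tlv(seq_body, off)
        out.append((tag, body))
    return out

def parse_krb_cred(msg: bytes) -> dict:
    """Outer KRB-CRED fields; the ticket count is what must pair with ticket-info."""
    tag, body, _ = decode_tlv(msg)
    if tag != 0x76:                                 # 0x60 | 22
        raise ValueError("not a KRB-CRED message")
    f = {t & 0x1F: b for t, b in children(decode_tlv(body)[1])}
    return {"pvno": int.from_bytes(decode_tlv(f[0])[1], "big"),
            "msg-type": int.from_bytes(decode_tlv(f[1])[1], "big"),
            "tickets": len(children(decode_tlv(f[2])[1])),
            "enc-part": f[3]}

def build_sample() -> bytes:
    """Constructed sample: one forwarded ticket for alice and its KrbCredInfo."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    sname = principal_name(1, "host", "server.example.com")   # name-type 1 = NT-PRINCIPAL
    tkt = ticket("EXAMPLE.COM", sname, encrypted_data(18, b"\x00" * 16))  # constructed cipher
    info = krb_cred_info(encryption_key(18, b"\x11" * 32), "EXAMPLE.COM",
                         principal_name(1, "alice"), now, now.replace(hour=22),
                         "EXAMPLE.COM", sname)
    plain = enc_krb_cred_part([info], nonce=0x1234, timestamp=now)
    return krb_cred([tkt], encrypted_data(18, plain))    # placeholder for real encryption

if __name__ == "__main__":
    print(parse_krb_cred(build_sample()))
```

The first byte of the result is 0x76, the constructed APPLICATION 22 tag that identifies a KRB-CRED on the wire. Because the placeholder OCTET STRING holds the unencrypted EncKrbCredPart, a real recipient would instead decrypt that field under the shared session key and then pair ticket-info[i] with tickets[i].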
Table 9.11 describes the fields in this message.
Field | Description |
---|---|
pvno and msg-type | Described earlier. msg-type is KRB_CRED. |
tickets | The tickets obtained from the Key Distribution Center specifically for use by the intended recipient. Successive tickets are paired with the corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED message. |
enc-part | Holds an encoding of the EncKrbCredPart sequence encrypted under the session key shared between the sender and the intended recipient. This encrypted encoding is used for the enc-part field of the KRB-CRED message. |
nonce | If practical, an application may require the inclusion of a nonce generated by the recipient of the message. If the same value is included as the nonce in the message, it provides evidence that the message is fresh and has not been replayed by an attacker. A nonce must never be reused. |
timestamp and usec | Specifies the time that the KRB-CRED message was generated. The time is used to provide assurance that the message is fresh. |
s-address and r-address | Described earlier. Used to provide additional assurance of the integrity of the KRB-CRED message. |
key | Exists in the corresponding ticket passed by the KRB-CRED message and is used to pass the session key from the sender to the intended recipient. |
The following fields are optional. If present, they can be associated with the credentials in the remote ticket file. If left out, it is assumed that the recipient of the credentials already knows their value.
Field | Description |
---|---|
prealm and pname | The name and realm of the delegated principal identity. |
flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr | Contain the values of the corresponding fields from the ticket found in the tickets field. Descriptions of these fields are identical to those given for the KDC-REP message. |
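The freshness and integrity fields of Table 9.11 (nonce, timestamp and usec, s-address and r-address) and the one-to-one pairing of tickets with KrbCredInfo entries, turned into the acceptance check a recipient runs on the decrypted enc-part. This is an added example, not the book's code and not from MIT krb5 or Heimdal; the data classes, the policy (a clock-skew limit, a set of already-accepted nonces to catch reuse, and rejection of a message that carries neither nonce nor timestamp), the addresses and the nonce value are all constructed for the example, and DER decoding and decryption are assumed to have happened already.

```python
# Added example, not the book's code and not from any Kerberos implementation:
# the checks a recipient runs on a decrypted EncKrbCredPart before storing the
# tickets. DER decoding and decryption are assumed to have happened already, so
# message fields are plain Python values; the policy knobs are this example's.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class KrbCredInfo:
    key: bytes                          # session key for the paired ticket
    prealm: Optional[str] = None
    pname: Optional[str] = None

@dataclass
class EncKrbCredPart:
    ticket_info: List[KrbCredInfo]
    nonce: Optional[int] = None
    timestamp: Optional[datetime] = None
    usec: int = 0
    s_address: Optional[str] = None
    r_address: Optional[str] = None

def check_krb_cred(tickets: List[bytes], part: EncKrbCredPart, *,
                   expected_nonce: Optional[int], seen_nonces: Set[int],
                   sender_address: str, local_address: str, now: datetime,
                   max_skew: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return the problems found; an empty list means the message may be accepted.

    Policy (this example's): a nonce the recipient issued must come back unchanged and
    must not have been accepted before; a present timestamp must be within max_skew of
    local time; present addresses must match the peer and this host; and the tickets
    must pair one-to-one with the KrbCredInfo entries.
    """
    problems = []
    if len(tickets) != len(part.ticket_info):
        problems.append(f"{len(tickets)} tickets but {len(part.ticket_info)} ticket-info entries")
    if expected_nonce is not None:
        if part.nonce != expected_nonce:
            problems.append("nonce missing or not the one we generated")
        elif part.nonce in seen_nonces:
            problems.append("nonce reuse: already accepted once (replay)")
    if part.timestamp is not None:
        ts = part.timestamp + timedelta(microseconds=part.usec)
        if abs(now - ts) > max_skew:
            problems.append(f"timestamp {ts.isoformat()} is outside {max_skew} of local time")
    elif expected_nonce is None:
        problems.append("no nonce and no timestamp: freshness cannot be established")
    if part.s_address is not None and part.s_address != sender_address:
        problems.append(f"s-address {part.s_address} is not the peer {sender_address}")
    if part.r_address is not None and part.r_address != local_address:
        problems.append(f"r-address {part.r_address} is not this host {local_address}")
    return problems

def accept_krb_cred(tickets: List[bytes], part: EncKrbCredPart,
                    **policy) -> List[Tuple[bytes, KrbCredInfo]]:
    """Run the checks, record the nonce, and return (ticket, info) pairs in order."""
    problems = check_krb_cred(tickets, part, **policy)
    if problems:
        raise ValueError("; ".join(problems))
    if part.nonce is not None:
        policy["seen_nonces"].add(part.nonce)      # the same nonce must never be accepted twice
    return list(zip(tickets, part.ticket_info))   # tickets[i] goes with ticket-info[i]

# --- constructed sample data ------------------------------------------------------
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
TICKET = b"<DER-encoded Ticket bytes, opaque here>"   # placeholder

def sample_messages() -> Dict[str, EncKrbCredPart]:
    """Variants of one delivery: a good message and four that should be rejected."""
    info = [KrbCredInfo(key=b"\x11" * 32, prealm="EXAMPLE.COM", pname="alice")]
    fresh = NOW - timedelta(seconds=30)
    return {
        "good": EncKrbCredPart(info, nonce=0x1234, timestamp=fresh,
                               s_address="10.0.0.5", r_address="10.0.0.9"),
        "stale": EncKrbCredPart(info, nonce=0x1234, timestamp=NOW - timedelta(minutes=20)),
        "wrong_peer": EncKrbCredPart(info, nonce=0x1234, timestamp=fresh, s_address="10.0.0.66"),
        "no_freshness": EncKrbCredPart(info),
        "extra_info": EncKrbCredPart(info * 2, nonce=0x1234, timestamp=fresh),
    }

def run_checks() -> Dict[str, List[str]]:
    """Check every variant, accept the good one, then show that replaying it is caught."""
    policy = dict(expected_nonce=0x1234, seen_nonces=set(), sender_address="10.0.0.5",
                  local_address="10.0.0.9", now=NOW)
    msgs = sample_messages()
    results = {name: check_krb_cred([TICKET], m, **policy) for name, m in msgs.items()}
    accept_krb_cred([TICKET], msgs["good"], **policy)        # records nonce 0x1234
    results["replayed_good"] = check_krb_cred([TICKET], msgs["good"], **policy)
    # With no nonce in play, the timestamp is the only freshness evidence available
    results["no_freshness_no_nonce"] = check_krb_cred(
        [TICKET], msgs["no_freshness"], **{**policy, "expected_nonce": None})
    return results

if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(f"{name:22s} {'OK' if not problems else '; '.join(problems)}")
```

The replay set is the practical consequence of "a nonce must never be reused": matching the value the recipient generated proves the sender saw this exchange, but only remembering accepted values stops the same message from being accepted a second time. When the application does not use a nonce, the timestamp and usec are the only freshness evidence, so a message without either is rejected here rather than trusted.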