DCE 1.1: Authentication and Security Services - Key Distribution (Authentication) Services

DCE 1.1: Authentication and Security Services
Copyright © 1997 The Open Group

Key Distribution (Authentication) Services

This chapter specifies the key distribution, or authentication, services supported by DCE, together with the protocols associated with them. Currently, only one such service is supported, namely the Kerberos Key Distribution Service (KDS), so this whole chapter is devoted to that. The KDS is comprised of two specialised (sub-)services, the Authentication (Sub-)Service (AS) (not to be confused with the generic terminology "authentication service") and the Ticket-granting (Sub-)Service (TGS)- and for that reason the KDS is sometimes also referred to as the AS/TGS.

For an overview of this chapter, see Kerberos Key Distribution (Authentication) Service (KDS) through Cells-Cross-cell Authentication and Authorisation -which are considered a prerequisite for this whole chapter.

Notes:

This chapter is based on, and (unless stated otherwise) is technically aligned with, (a subset of) RFC 1510. However, for editorial reasons, this chapter stands independently, and no familiarity with RFC 1510 is required. (Thus, the part of this chapter that duplicates information in RFC 1510 is intended to be technically equivalent to that document, rewritten for the expository purposes of this document, and any technical discrepancies between the two are inadvertent and to be reconciled.) Differences between the two documents are minor and are readily justified, but the reader should note in particular the following changes:
1. What is called "cell" in DCE is called "realm" in RFC 1510.
2. The service called Key Distribution Service (KDS) here is called Key Distribution Center (KDC) there (the difference in terminology merely indicating their preferred communications medium, RPC or raw UDP).
3. The data type identifiers in the two documents are conservatively different, in an attempt to improve clarity and consistency (instead of, for example, using a mixture of ASN.1, C and other identifiers, such as "AP-REQ", "KRB_AP_REQ" and "authentication header" all referring to the same object in RFC 1510, Section 5.5.1), without affecting interoperability or placing conformance requirements on implementations.
For the convenience of the reader, cross-references between this document and RFC 1510 are explicitly indicated generously throughout this chapter, using notation of the form "[RFC 1510: x.y.z]" as a reference to RFC 1510, Section x.y.z.
Extensive use is made in this chapter of natural-language algorithmic descriptions. In them, it is the mainline "success" (non-error) case that is emphasised-in particular, this document permits different implementations to encounter errors (exceptions) in different orders, and so report different errors under the same external conditions. This is indicated by marking error conditions in algorithms by "{errStatusCode-NAME-OF-ERROR}" (perhaps with some explanatory material), leaving to implementations the decision at what point to abort a failed algorithm, and which error to report.
[RFC 1510: 5.1]
This chapter employs the "ASN.1/BER/DER" standards for data description/representation (IDL is used only in The krb5rpc RPC Interface ), which are defined in three CCITT (now ITU-T) Recommendations. The data description language used is Abstract Syntax Notation One (ASN.1), which is defined in CCITT X.208. The data representation (encoding) used for data described by ASN.1 is the Basic Encoding Rules (BER), which are defined in CCITT X.209. Familiarity with those documents, including the data types defined in them, is required for this chapter.
Additionally, the following Distinguished Encoding Restrictions (DER) to BER, as specified in CCITT X.509, Section 8.7- (only) the ones actually used in this chapter are repeated here, in order that this chapter can stand independently of CCITT X.509- are in effect:
1. The definite form of length encoding shall be used, encoded in the minimum number of octets.
2. For string types, the constructed form of encoding shall not be used.
3. Each unused bit in the final octet of the encoding of a BIT STRING value, if there are any, shall be reset (to 0).
Furthermore, implementations that transmit any currently unspecified bits of BIT STRING must reset them, for reasons of future extensibility and compatibility. (Note that some existing implementations emit full BER, not just the DER subset-new implementations that want to interoperate with those old implementations should therefore accept full BER, but in order to be conformant to this document they must generate DER.)
Finally, when ASN.1 descriptions are referenced during the course of pseudocode expositions, ASN.1 is augmented with the familiar (but non-ASN.1-standard) pseudocode dot notation for field elements. For SEQUENCEs, this takes the form illustrated by the example: if seq is a value of type SeqType ::= SEQUENCE {int [0] INTEGER, oct [1] OCTET}, then the values of the fields of seq are denoted seq.int and seq.oct, respectively. For BIT STRINGs, it takes a similar form: for example, if bits is a value of type Bits ::= BIT STRING {bit0 (0), bit1 (1), bit2 (2)}, then the values of the bits of bits are denoted bits.bit0, bits.bit1 and bits.bit2, respectively. If the value in question (for example, seq or bits) is implicitly understood from context, it (and the dot immediately following it) may even be omitted if no confusion will result. For SEQUENCE OFs, ASN.1 is further augmented with the familiar pseudocode bracket notation for arrays: if seqof is a value of type, say, SeqOfType ::= SEQUENCE OF {SeqType}, having 2 entries, then its entries are denoted seqof[0] and seqof[1].

Fundamental Concepts

[RFC 1510: 1]

This chapter deals with the authentication of (RPC) clients and servers, in the context of cells. The following general notational conventions will be used for these concepts. Recall that the home cell of a principal is the cell whose RS datastore holds the security information for the principal. (More precisely, "a" home cell of a principal should be spoken of, since some principals may be registered in multiple cells-though this is not to be recommended in general. DCE specifies just one, very specific, kind of multiply registered principal, namely cross-cell surrogate KDS server principals (see below), and in that case care should be taken to indicate which cell is being considered its home cell in a given situation. For non-KDS principals, continue to speak of "the" home cell, leaving to the reader the (easy) translation to the case of multiple-registration.)

X, Y, Z, W, X´, ···, are reserved for cells.
A, A´, ···, are reserved for clients, with home cells X, X´, ···, respectively.
B, B´, ···, are reserved for servers, with home cells Y, Y´, ···, respectively.
C, C´, ···, denote clients or servers, in arbitrary cells.

These (especially cells) often appear as subscripts (for example, KDS_Z, KDS_X,Y), but in order to improve legibility of embedded subscripts they will upgraded when they themselves appear in subscripts (for example, K_KDSZ, K_KDSXY instead of K_{KDS_Z}, K_KDS\dX,Y^).

The KDS is a distributed, partitioned RPC service, instantiated by a (conceptually unitary, but potentially replicated) RPC server in each cell Z, denoted KDS_Z. If the name of cell Z is, say, /.../cellZ, then the RPC service name of KDS_Z (used for RPC binding purposes) is determined from /.../cellZ/cell-profile via the krb5rpc interface UUID and version number (specified in The krb5rpc RPC Interface ) -typically, the name associated with this profile element will be /.../cellZ/sec, which will be an RPC server group pointing to the individual (replicated) KDS_Z server(s). (See RPC Binding Models for more details on binding models.) (The principal names of KDS servers (used for security purposes)- as opposed to their RPC server names (used for communications purposes) -are introduced in RS Names and Principal Names .)

The krb5rpc RPC Interface

[RFC 1510: 8.2]

Each KDS server, KDS_Z, supports the following RPC interface (data types not defined in this specification are defined in the referenced Open Group DCE 1.1 RPC Specification):

 

[uuid(8f73de50-768c-11ca-bffc-08001e039431), version(1.0)]
interface krb5rpc
{ /* begin running listing of krb5rpc interface */
    [idempotent] void
    kds_request (
        [in] handle_t                       rpc_handle,
        [in] unsigned32                     request_count,
        [in, size_is(request_count)] byte   request[],
        [in] unsigned32                     response_count_max,
        [out] unsigned32                    *response_count,
        [out, size_is(response_count_max), length_is(*response_count)]
            byte                            response[],
        [out] error_status_t                *status );
} /* end running listing of krb5rpc interface */

The semantics of kds_request() are that a client, C, invokes kds_request() to "send a KDS Request message" to a KDS server, KDS_Z; C receives a KDS Response message from KDS_Z when kds_request() returns. Its parameters are the following:

rpc_handle
RPC binding handle, bound by the client C to a KDS server KDS_Z.
request_count
Length, in bytes, of KDS Request.
request
(Array) value (that is, data bytes, or "contents octets") of KDS Request.
response_count_max
Length of buffer supplied (response[]) to receive KDS Response.
response_count
(Pointer to) length, in bytes, of KDS Response.
response
(Array) value of KDS Response.
status
(Pointer to) status code. The currently registered values for status (returnable by kds_request()) are the following:
- error_status_ok
  Success in the communications sense; that is, a (purported) KDS has successfully received, processed and responded to the request- hence, there is a well-formed response in the response[] output parameter. Whether or not the request was successful in the security sense must be determined by the examination of response[], as specified in AS and TGS Services (and the remainder of this chapter).
- Status codes other than error_status_ok may indicate some transient or permanent failure of the KDS, such as inability to allocate memory; an application should retry the remote call with a different replica if one is available.

The contents, formats and semantics of request[] and response[] (including their lengths, request_count and response_count) are defined below (beginning in AS and TGS Services , but their full elaboration consumes this entire chapter).

Note:: RFC 1510 specifies security protocols that can be supported (with the same security guarantees) over various communications mechanisms. Typical non-DCE implementations use UDP (port 88) as the communications mechanism (in conformance with RFC 1510). The krb5rpc interface as specified in this document uses RPC as the communications mechanism.

AS and TGS Services

[RFC 1510: 1]

There is no single service known as "the KDS service" supported by KDS servers. Instead, KDS servers support two services, each of which is associated with a specific kind of corresponding pair of request/response messages, as follows (for definitions of "initial" and "subsequent" tickets, see Tickets, Keys, and Cross-Registration ):

Authentication Service (AS)
AS Request/AS Response message pair (that is, request[] is a value of data type ASRequest, and response[] is a value of data type ASResponse). This is the service by which clients acquire new initial tickets.
Ticket-granting Service (TGS)
TGS Request/TGS Response message pair (that is, request[] is a value of data type TGSRequest, and response[] is a value of data type TGSResponse). This is the service by which clients either acquire new subsequent tickets, or manipulate old (initial or subsequent) tickets.

Thus, a KDS Request message is either an AS Request or TGS Request message, and a KDS Response message is either an AS Response or TGS Response message. The KDS supports one additional kind of response message, for reporting errors:

KDS Error message (that is, response[] is a value of data type KDSError). This is used, in lieu of a KDS Response, to return to the client status information from a failed KDS Request.

Tickets, Keys, and Cross-Registration

[RFC 1510: 1, 1.1, 2.1]

(Kerberos) tickets are the (trusted) information objects that the KDS manages (and which are returned by kds_request(), as will be seen in this chapter). Tickets have three kinds of identities associated with them:

Issuing cell TCBs, or what amounts to the same thing, issuing KDS server(s), say KDSZ´^{, ···,
KDS}Z´´^{The KDS server(s) (which are trusted third parties) that
(cooperatively) issued this ticket, also said to be
the issuing authorities for the ticket.}
Named client, say A (in cell X)
The client that this ticket authenticates to the targeted server (called B in next item). The ticket is also said to be issued in the name of A.
Targeted server, say B (in cell Y)
The server that this ticket authenticates to the named client (called A in previous item).

As will be seen below, there are relationships amongst A, B, X, Y and Z´, ···, Z´´ that must be satisfied for a ticket to be valid, namely a trust chain must be established:

: A -> TCB_X -> TCBZ´^{->
··· ->
TCB}Z´´^{->
TCB_Y ->
B}

Here, the arrows denote links in the trust chain, not communicated messages; more precisely (as discussed below), the above trust chain notation is actually shorthand for the trust chain of principals:

: A -> KDSX,X^->
KDSX,Z´^{->
··· ->
KDS}Z´´,Y^->
KDSY,Y^->
B

The following notation can be used:

: TktA,X,Z´,···,Z´´,Y,B^or
TktA,Z´,···,Z´´,B

for a ticket as described above. The home cells X and Y can be omitted from the notation because they are implicitly known from knowledge of A and B, but it is convenient to include them for information. All the issuing authorities can even be omitted from the notation if they are implicitly understood or are uninteresting in a given context:

 
TktA,···,B^{or Tkt}A,B

The simple special case of intra-cell tickets can be abbreviated:

: TktA,X,B^{(instead of
Tkt}A,X,X,B⁾

As described in Key-based Security: Kerckhoffs' Doctrine , encryption keys are the a priori trusted objects upon which the DCE trusted environment in general is leveraged (in accordance with Kerckhoffs' Doctrine), and in particular are the means by which tickets are protected. These keys come in 2 "flavours" (actually, as discussed below, encryption keys in general depend also on a selected encryption type and optionally a key version number, but these can be mostly omitted from the discussion and notation):

Long-term (or initial) key of a principal C, denoted K_C

It is stored in the RS_Z datastore of C's home cell Z, and it is considered to be secure if and only if it is known only by C and TCB_Z (or other TCB components; for example, on the local host). Long-term keys are primarily used to protect internal protocol meta-data (tickets).

Short-term (subsequent, session, conversation, "true session"; see Introduction to Security Services , especially the description of the TGS Response message in Kerberos Key Distribution (Authentication) Service (KDS) ) key shared by a client A and server B, denoted KA,B^{It is not stored in any RS datastore, but rather is generated dynamically
for transmittal by a ticket or an authentication header or
reverse-authentication header (these are defined later).
It is considered to be secure if and only if it is known only by A
and B, and by third parties they (implicitly or explicitly) trust:
TCB_X, TCBZ´^{, ···,
TCB}Z´´^{, TCB_Y (or other
TCB components).
Short-term keys are primarily used to protect application-level data
(though they are also used in internal protocols).}}

Tickets carry a short-term key in them, called a session key, and are protected by the long-term key of their targeted server. It is this session key that is the concrete manifestation of the abstract notion of "authentication" between a client and server. As will be seen, a client C can successfully use a ticket to authenticate to the targeted server only if C knows the ticket's session key (though C need not be the ticket's named client). That is, "stolen" tickets (obtained, say, by "wiretapping") are useless (assuming the keys involved are not compromised). Application data communicated between client and server is protected by a session key (transmitted by a ticket) or by a negotiated conversation key (transmitted by an authentication header or reverse-authentication header).

Tickets are further classified into two broad kinds of category:

Ticket-granting-ticket (TGT) versus service-ticket
Targeted to (that is, protected with the long-term key of) a KDS server or to a non-KDS server, respectively. (In general, the distinction between ticket-granting-tickets and service-tickets is to be avoided, unless it is absolutely necessary.)
Initial ticket versus subsequent ticket
Issued on the basis of, respectively, an unauthenticated (or merely preauthenticated) request, or an authenticated request. That is, the issuing authority(ies) are, respectively, uncertain or certain (in the sense of "certainty" afforded by a ticket-granting-ticket naming the client) that the identity of the requesting client (a communications concept), C, is the same as that of the ticket's named client or "claimed identity" (a security concept). Equivalently, initial tickets are those issued on the basis of the AS Request/Response message exchange, while subsequent tickets are those issued on the basis of the TGS Request/Response exchange. (See the definition of the tkt-Initial flag in Ticket Flags .)

This categorisation divides tickets into 4 classes (initial ticket-granting-tickets, subsequent ticket-granting-tickets, initial service-tickets and subsequent service-tickets), all of which can and do actually occur in practice. However, the category of initial service-tickets is rather rare. (An example would be a "password-changing" program that insisted on an initial ticket to guarantee that the user changing his/her password has "recent knowledge" of the old password (as opposed to an intruder requesting a password change via an unattended seat or hijacked session); if the password-changing program is running under an identity other than the KDS, this initial ticket will be an initial service ticket.)

In order for the definition of ticket to make sense, KDS servers must in fact "be principals", in the sense of being registered in the RS datastores in their cells, and this is always assumed to be the case. The principal corresponding to the KDS server in cell X is denoted by the same notation, KDS_X, if no confusion will result, or by the expanded notation KDSX,X^{if
emphasis is needed.
(Strictly speaking, the notation KDS_X should be
reserved for the KDS server "as for TCB component (communicating
entity)", and KDS}X,X^{should
be reserved to denote the KDS server "as for principal".)}

More generally, it is possible for a KDS server, KDS_X, to issue a ticket targeted to a KDS server, KDS_Y, other than itself. In order for this to happen, KDS_Y must know the key of a principal registered in RS_X- that principal is denoted by KDSX,Y^{.
This arrangement is called a cross-cell registration
of KDS servers; KDS}X,Y^{is called a surrogate
(principal) of KDS_Y in cell X, and its
long-term key stored in RS_X,
K}KDSXY^{, is called a cross-cell key.
At the same time, this same principal KDS}X,Y^{is also registered in RS_Y, with a different
principal stringname
(because it's in a different cell) but with the same cross-cell key,
K}KDSXY^{-and principal
(in RS_Y) is also called a surrogate
(principal) of KDS_Y. Thus, in this terminology,
"surrogate" refers to the principal KDS}X,Y^{registered in both RS_X and in RS_Y
(with the same key
K}KDSXY^{), the only distinction between the two being
their principal names (which reflects the cells they are being considered
in; that is, which RS datastore their
principal information is held in)-and for that reason, the
combined terminology cross-cell surrogate (double principal)
is sometimes used; and this principal is also
said to mediate the X -> Y trust link. Finally,
cross-cell registration also always entails the symmetrically defined
surrogate registration of KDS_X in RS_Y:
thus, KDS}Y,X^{is the surrogate of
KDS_X in cell
Y (and in cell X), both with the same long-term key
K}KDSYX^{, mediating the Y -> X trust link. (See

Cells-Cross-cell Authentication and Authorisation

for more discussion.)}

Some Basic Data Types

A number of common, non-security-specific data types are defined in this section. Note that the descriptions of the semantics of the data types in this section through KDS Errors are supported by descriptions of the KDS services in AS Request/Response Processing through KDS Error Processing , giving the rationale by which applications can evaluate the trust to be placed in the KDS's support of these semantics.

Protocol Version Numbers

[RFC 1510: 8.3]

Protocol version numbers are represented by the ProtocolVersionNumber data type, which is defined as follows:

 

ProtocolVersionNumber ::= INTEGER

Its semantics are that it identifies the KDS protocol version in use. Values for protocol version numbers are centrally registered. Currently registered values are collected in Registered Protocol Version Numbers .

Registered Protocol Version Numbers

[RFC 1510: 8.3]

The currently registered values for ProtocolVersionNumber are the following:

protoVersNum-KRB5 = 5-Kerberos version 5.

Protocol Message Types

[RFC 1510: 8.3]

Protocol message types are represented by the ProtocolMessageType data type, which is defined as follows:

 

ProtocolMessageType ::= INTEGER

Its semantics are that it identifies KDS protocol messages. Values for protocol message types are centrally registered. Currently registered values are collected in Registered Protocol Message Types .

Registered Protocol Message Types

[RFC 1510: 8.3]

The currently registered values for ProtocolMessageType are the following (the format and semantics of these messages are defined in Authentication Headers through KDS Errors ).

protoMsgType-AS-REQUEST = 10-AS Request.
protoMsgType-AS-RESPONSE = 11-AS Response.
protoMsgType-TGS-REQUEST = 12-TGS Request.
protoMsgType-TGS-RESPONSE = 13-TGS Response.
protoMsgType-AUTHN-HEADER = 14-Authentication Header.
protoMsgType-REVAUTHN-HEADER = 15- Reverse-authentication Header.
protoMsgType-KDS-ERROR = 30-KDS Error.

(Note that the other protocol message types defined in RFC 1510 are not defined or used in DCE.)

Timestamps, Microseconds, and Clock Skew

[RFC 1510: 5.2, 5.3.2]

Timestamps are represented by the TimeStamp data type, which is defined as follows:

 

TimeStamp ::= GeneralizedTime -- X.208 32.3b

Its semantics are that it indicates the generating system clock's UTC time (see the referenced Open Group DCE 1.1 Time Services Specification), in the syntax of CCITT X.208, Section 32.3b, measured to the granularity of seconds. This syntax is a string of 15 characters, the first 14 of which are the first 14 decimal digits of a DTS string format timestamp, and the 15th of which is the character "Z". Thus, if this syntax is denoted by "CCYYMMDDhhmmssZ", then CCYY indicates the (century and) year, MM the month, DD the day, hh the hour, mm the minute, and ss the second. For example, the TimeStamp "19950825163947Z" indicates the UTC time: "AD August 25, 1995, at 4:39:47 PM".

Note:: The appearance of the character "Z" is historical. It is a reference to the "Z" (usually verbalised as "Zulu") time zone. See the referenced Open Group DCE 1.1 Time Services Specification for more information.

Note that although the TimeStamp data type is a string type on which no ordering is defined a priori, there is an obvious sense (of "earlier" and "later") in which timestamps can be compared (see also the referenced Open Group DCE 1.1 Time Services Specification), and this ordering of TimeStamps will be assumed throughout this chapter. Similarly, there is an obvious sense in which arithmetic operations can be applied to TimeStamps. Namely, the ordering and arithmetic operations are those resulting from regarding the 14 digits of a TimeStamp as representing an integer, instead of merely a character string.

One particular timestamp is singled out for special attention (see KDS Request Body ); this is the "end-of-time" timestamp, which is defined as follows (midnight, January 1, 1970):

 

endOfTimeStamp TimeStamp ::= "197001010000Z"

Furthermore, endOfTimeStamp is considered to occur "later" than any other timestamp, in the order mentioned above.

Finally, some protocol elements require, in addition to a timestamp, a microsecondstamp (that is, "microsecond-granularity timestamp"). This is represented by the MicroSecond data type, which is defined as follows:

 

MicroSecond ::= INTEGER -- 0..999999

The only allowable values of this data type are in the range [0, 999999]. Nominally, the semantic of this data type is to indicate the number of microseconds past an accompanying (second-granularity) timestamp. However, the real security semantic of this data type is to function as a per-second nonce (see Nonces below).

Note:: Thus, implementations of the DCE security services on systems that do not have hardware clocks supporting microsecond granularity can finesse the MicroSecond data type by simply supporting its security semantic. This can be accomplished, for example, by a "pseudo-microsecond register", which merely increments by one (mod 1,000,000) after each request for a microsecondstamp (resetting the register to 0 every second is unnecessary). (In order to preserve the semantics of nonces, this assumes the hardware is incapable of servicing more than 1,000,000 such requests per second.)

Maximum Allowable Clock Skew

[RFC 1510: 1.2]

No two clocks in a distributed environment can be synchronised perfectly. In a DCE environment, the DTS service keeps clocks closely synchronised, and even maintains a measure of their inaccuracy (distance from UTC). The KDS's use of timestamps depends also on near-synchronisation with UTC, but further requires only, instead of the fine-grained DTS inaccuracies, a very coarse measure of clock skew (distance between the clock producing a timestamp and the clock interpreting it, independently of UTC). Namely, the KDS protocols require that clocks are synchronised with one another (and hence, because of DTS, with UTC) to within a maximum allowable clock skew, denoted maxClockSkew -which is not a single, fixed quantity, but is maintained separately for each clock (and can even be variable (for example, time-dependent or session-dependent) per clock, depending on local policy).

The maxClockSkew takes into consideration not only the non-perfect synchronisation of distinct clocks, but also the various expected (and, to some extent, the unexpected) delays due to communications transmission ("networking") and other processing. Typically, the values of maxClockSkew are on the order of 5 minutes-a figure that is much less than the typical lifetime of tickets, and is chosen so as not to introduce unwarranted security risks into the protocols described below. (Five minutes is so much greater than the typical inaccuracies guaranteed by DTS clock synchronisation that the granularity of seconds in TimeStamps (without including the DTS inaccuracies) is quite sufficient.)

All timestamp interpretations in this chapter are to be understood "modulo maxClockSkew" (where the word "modulo" is here used in its common English sense, not in its technical mathematical sense, for which the short form "mod" is reserved). For example, to say that two timestamps, T0^{and T}1^{, are "equal" means that
1T}0^{- T}1^{| <=
maxClockSkew
(where
maxClockSkew
is the maximum allowable clock skew appropriate to the
interpreting clock). Similarly, the "lifetime" of a ticket
(introduced below), which is nominally the (closed) time interval
[tkt-StartTime, tkt-ExpireTime], is in actuality to be
interpreted as [tkt-StartTime -
maxClockSkew,
tkt-ExpireTime +
maxClockSkew]
(where
maxClockSkew
is the one appropriate to the interpreting clock).}

Note:: In accordance with the actual semantic of the MicroSecond data type as a nonce instead of its nominal semantic as a microsecond, maxClockSkew is applied only to timestamps T, not to pairs <T, M> of timestamps and microsecondstamps. See the discussion of server "replay caches" (which is the only place that the semantics MicroSeconds are actually used), in Authenticators .

Cell Names

[RFC 1510: 5.2]

Cell (or, equivalently, realm) names are represented by the CellName data type, which is defined as follows:

 

CellName ::= GeneralString -- X.208 31.2; ISO 2022, 2375

Its semantics are that it provides references to cells by means of a "global naming/directory service" (see the referenced Open Group DCE 1.1 Directory Services Specification), which is "external" to security services (contrast this with RS names, below). Cell names themselves carry enough syntactic information to distinguish amongst different global naming services (hence a separate "-Type" field is not necessary for cell names, as it is for RS names). Acceptable syntaxes for cell names are centrally registered. Currently registered syntaxes are collected in Registered Syntaxes for Cell Names .

Note that global naming services are typically hierarchically organised, and interpret certain syntactic metacharacters (such as "/") as separators of hierarchical naming components. However, for the purposes of the security services provided by the KDS, cell names are uninterpreted ("opaque") (that is, not manipulated or processed, such as decomposing them into hierarchical components), except for testing for equality.

Registered Syntaxes for Cell Names

[RFC 1510: 7.1]

The currently registered syntaxes for CellNames are the following. Note that these syntaxes do not begin with an initial "/.../"; when these syntaxes are considered in conjunction with the fully qualified DCE syntax, an initial "/.../" is to be prepended, as specified in the referenced Open Group DCE 1.1 Directory Services Specification.

Internet DNS name type
The Internet Domain Naming System (DNS) syntax is specified in the referenced Open Group DCE 1.1 Directory Services Specification. It provides a hierarchical (little-endian) namespace, with "." as (non-escapable) component-separating metacharacter, and the characters "/", ":" are not permitted in names; for example, abc.def.com (or /.../abc.def.com in the fully qualified DCE syntax).
DCE X.500 name type
The DCE X.500 syntax is specified in the referenced Open Group DCE 1.1 Directory Services Specification. It provides a hierarchical (big-endian) namespace, with "/" as (escapable) component-separating metacharacter (other metacharacters "=", ",", "\" are used for other purposes), and the character ":" cannot occur in any component before the "=" (meta)character; for example, c=xy/o=fed/ou=cba (or /.../c=xy/o=fed/ou=cba in the fully qualified DCE syntax).
Prefixed name type(s)
The prefixed name type has the syntax:
```
 

NAMETYPE:rest-of-name
```
where NAMETYPE is a centrally registered prefix that contains no ".", "/" or ":", and where rest-of-name is a string whose syntax is determined by the value of NAMETYPE. Currently, there are no registered NAMETYPE prefixes.
Other name type(s)
All other cell naming syntaxes are reserved for future extensibility.

Transit Paths

[RFC 1510: 5.3.1]

Transit paths are represented by the TransitPath data type, which is defined as follows:

 

TransitPathType ::= INTEGER
TransitPathValue ::= OCTET STRING

TransitPath ::= SEQUENCE {
        transitPath-Type  [0] TransitPathType,
        transitPath-Value [1] TransitPathValue
}

Its semantics are that it indicates the trust chain of KDS servers that have participated in a cross-cell authentication. Its fields are the following:

transitPath-Type
The kind of transit path that transitPath-Value represents, including its syntax.
transitPath-Value
The transited path information itself, to be interpreted according to the value of transitPath-Type.

Values of TransitPathType are reserved for centrally registered transit path data types. The currently registered values are collected in Registered Transit Path Types .

Note:: Negative values of TransitPathType do not appear to be specified as unreserved (and therefore available for local assignment) by [RFC 1510: 5.3.1].

Registered Transit Path Types

[RFC 1510: 8.3, 3.3.3.1]

The currently registered values for TransitPathType are as follows:

transitPathType-DNS-X500 = 1
This transit path type is used for transit paths through cells with DNS and X.500 cell names, with an (optional) compression technique (where "optional" means that implementations need not employ compression on output, though they must accept it on input). It is defined as follows.

The transit paths (values of type transitPath-Value) of this transit path type represent the (underlying OCTET STRINGs of the) cell names (that is, CellName GeneralStrings) of the successive transited cells, treated as an unordered set (in other words, not necessarily in the order in which they were visited), expressed in a syntax that supports lexical compression (to conserve communications bandwidth), as specified below. This transit path type depends on the Internet DNS and DCE X.500 syntaxes being the only cell name types in effect; transit paths of this type typically contain no upper-case letters (since the "canonicalised" forms of names in these syntaxes contain no upper-case letters), though implementations must accept both cases on input.

Note:: It must be emphasised that the "compression" component of this syntax is of a lexical nature only. TransitPaths must always faithfully represent every cell that has actually participated in a cross-cell authentication, and never short-circuit transit paths (for example, by recording only "third legs of trust triangles"). That is, transit paths are intended to give a complete secure record only of the sequence of individual links of cross-cell trust chains-the global evaluation of transit path trust (that is, of the "overall shape of the trust chain") is a higher-level function. In the DCE environment, this function is carried out by the PS, not the KDS (see Privilege (Authorisation) Services ).

In the transitPathType-DNS-X500 syntax, the initial "/.../" of the DCE naming syntax is always omitted (that is, it is implicitly present). Also for this syntax, the following characters are metacharacters; that is, they have special properties discussed in this section (and are to be distinguished from the metacharacters for the DNS and X.500 syntaxes-for those, see the referenced Open Group DCE 1.1 Directory Services Specification):

",": This metacharacter separates the (potentially compressed) representations of successive cell names of a transit path. These are called the components of the transit path, and they can be empty (that is, two ","s can occur successively, and "," can occur at the beginning and/or at the end of a transit path).
"\": An "escape" metacharacter. Any metacharacter (including "\" itself) can be escaped by (immediately) preceding it with a "\" (with the semantic that the escaped metacharacter is no longer considered to be a metacharacter; that is, it no longer has the special properties discussed here). Unless explicitly indicated otherwise, metacharacters appearing in this specification are assumed to be unescaped (that is, the character immediately preceding them, if any, is not a "\" character).
"/": When it occurs at the beginning of a component (otherwise, it's a non-metacharacter).
"*": (This notation is used in this section to denote a "space" character, for visual clarity.) When it occurs at the beginning of a component (otherwise, it's a non-metacharacter).
".": When it occurs at the end of a component (otherwise, it's a non-metacharcter).

In the transitPathType-DNS-X500 syntax, no component can both begin with a "/" and end with a ".". A component that is empty, or begins with "/", or ends with "." is said to be compressed; otherwise, it is said to be expanded. A transit path that contains one or more compressed components, or which begins or ends with a ",", is said to be compressed; otherwise, it is said to be expanded.

In any application of the transitPathType-DNS-X500 syntax, two cells will be singled out for special treatment: a "client" and a "server" cell (relative to a posited "client-server relationship", which will always be clear from context). Conceptually, the client cell always occurs at the beginning of a transit path, and the server cell always occurs at the end; however, these occurrences of these cells are always implicit, and are never indicated explicitly in a transit path (either compressed or expanded).

An empty transit path (one having no components) is represented by a character string of length 0; it indicates either a trust chain of length 0 (that is, an intra-cell trust path), or of length 1 (that is, a cross-cell trust path with a direct cross-cell registration between the client's cell and the server's cell, with no intermediaries). A non-empty expanded component "stands for itself" (that is, directly represents a cell name, in the DNS or X.500 naming syntax). A non-empty compressed component must consist of a non-empty string of non-metacharacters, prepended with an initial "/" or "*", or appended with a terminal ".", but not both.

Compressed transit paths represent expanded transit paths, by expanding their compressed components one at a time, left to right, according to the following rules (examples are given below):

A compressed component with an initial "/" represents the expanded component that results from appending the part of the compressed component following the initial "/" to the (expansion of the) preceding component, both of them representing cell names in the X.500 syntax.
A compressed component with an initial "*" must actually begin with the two-character sequence "*/", with the meaning that "*" escapes "/".
A compressed component with a terminal "." represents the expanded component that results from prepending the part of the compressed component preceding the terminal "." to the (expansion of the) preceding component, both of them representing cell names in the DNS syntax.
An empty component indicates that all the cells "between" the (expansion of the) component preceding it and the (expansion of the) component following it are to be interpolated. In the case of a "," occurring at the beginning or end of a transit path, this applies to the implicit initial (client) cell or final (server) cell, respectively. Here, "between" means "up to the least common ancestor with respect to (distinguished names of the) DNS and X.500 naming hierarchies". The (virtual) "global root" (denoted "/..." in the DCE naming syntax) is considered to be the (virtual) least common ancestor of all first-level DNS and first-level X.500 nodes, though it doesn't actually occur in expanded transit paths, of course.

Here are some examples of some compressed transit paths, and their expansions (where, for clarity in the expansions, the client and server cells are shown explicitly, and the symbol "->" is used with them and also in place of the "," metacharacter). (Recall that the initial "/.../" of the DCE naming syntax is only implicitly, not explicitly, present.)

com,def.,abc.,jkl.org,ghi.
Expands to:

client's cell -> com -> def.com -> abc.def.com -> jkl.org -> ghi.jkl.org -> server's cell
c=xy,/o=fed,/ou=cba,c=zw/o=lkj,/ou=ihg
Expands to:

client's cell -> c=xy -> c=xy/o=fed -> c=xy/o=fed/ou=cba -> c=zw/o=lkj -> c=zw/o=lkj/ou=ihg -> server's cell
c=uv/o=fed/ou=cba,,c=uv/o=lkj/ou=ihg
Expands to:

client's cell -> c=uv/o=fed/ou=cba -> c=uv/o=fed -> c=uv -> c=uv/o=lkj -> c=uv/o=lkj/ou=ihg -> server's cell
c=uv,*/o=fed
Expands to (since it is not compressed to begin with):

client's cell -> c=uv -> /o=fed -> server's cell
,com,c=uv,
Expands to:

client's cell (assumed to be abc.def.com) -> def.com -> com -> c=uv -> c=uv/o=lkj -> server's cell (assumed to be c=uv/o=lkj/ou=ihg)
,
Expands to the same thing as in the preceding example, assuming the client and server cells are the same as in that example.

RS Names

[RFC 1510: 5.2]

Registry Service (RS) names are represented by the RSName data type, which is defined as follows:

 

RSNameType ::= INTEGER
RSNameValue ::= SEQUENCE OF GeneralString

RSName ::= SEQUENCE {
        rsName-Type  [0] RSNameType,
        rsName-Value [1] RSNameValue
}

Its semantics are that it indicates the per-cell hierarchical names supported by the RS datastores. Its fields are the following:

rsName-Type
The kind of name that rsName-Value represents, including its syntax.
rsName-Value
The name information itself, to be interpreted according to the value of rsName-Type. The entries rsName-Value[0], rsName-Value[1], ···, are called the components of the RS name.

Values of RSNameType are reserved for centrally registered principal names types.

Note:: Negative values of RSNameType do not appear to be specified as unreserved (and therefore available for local assignment) by [RFC 1510: 5.2].

The currently registered values are collected in Registered RS Name Types .

Registered RS Name Types

[RFC 1510: 7.2, 8.2.3]

The currently registered values for RSNameType are the following:

rsNameType-PRINCIPAL = 1
Identifies principals registered in the RS datastore.
rsNameType-SERVER-INSTANCE = 2
The first component (rsName-Value[0]) of the RS name identifies an abstract service, and the remaining components (rsName-Value[i], i >= 1) identify various concrete instances; that is, principal identities under which this service renders its services.

Note:: The RS datastore contains various named items other than principals (for example, groups and organisations), however these are irrelevant to the Kerberos authentication architecture specified in this chapter, so they do not rate an RSNameType. In particular, there is no architectural relationship between server instances (as defined here) and RS groups.

As discussed in RS Editor RPC Interfaces , the RS identifies principals via a hierarchical ("/"-separated) string-based namespace whose syntax is identical to the CDS naming syntax (which is specified in the referenced Open Group DCE 1.1 Directory Services Specification). The sequence of components of those string-names map canonically to the sequence of (underlying GeneralStrings of the) components of rsName-Value of type rsNameType-PRINCIPAL.

The main use of the RS name type rsNameType-SERVER-INSTANCE is for the KDS itself, especially in cross-cell registrations. In that application, rsName-Value[0] is krbtgt (a name which is reserved for this use), and (the underlying GeneralString of) rsName-Value[1] is identical to the string-name of the cross-registered cell's KDS. This is illustrated by the following examples, assuming X and Y are cells with names cellX and cellY, respectively (actually, "cellX" and "cellY" denote cell names with an internal syntactic structure (for example, Internet DNS syntax or DCE X.500 syntax), but that is irrelevant for this example):

krbtgt/cellX
The RS name of KDSX,X^{, which is the principal of the
KDS server, KDS_X, for cell X.
It is held as a datastore item in RS_X's datastore.}
krbtgt/cellY
The RS name of KDSX,Y^{, which is the surrogate
principal of KDS_Y in cell X
(held in RS_X's datastore); it
is the same principal as the surrogate KDS}X,Y^{in
cell Y (held in RS_Y's datastore), in the
sense that these two
principals have the same long-term key, K}KDSXY^.

Unless stated otherwise, all RS names in this chapter identifying KDSs (including their surrogates) are assumed to have type rsNameType-SERVER-INSTANCE, and all non-KDSs are assumed to have type rsNameType-PRINCIPAL.

Note:: There are no security mechanisms in place to enforce adherence to these conventions. In particular, the mere occurrence in an RS name of a type indicator, such as rsNameType-SERVER-INSTANCE (indicating, according to the convention just articulated, a KDS surrogate), does not in itself imply any degree of trust in the RS name: all parts of the KDS protocol treat RS names of all types exactly the same. See also the uniqueness requirement in Principal Names . (This is sometimes expressed by saying that the RS name's type is "merely a hint".)

Principal Names

[RFC 1510: 5.2]

Principal names are represented by the CellAndRSName data type, which is defined as follows:

 

CellAndRSName ::= SEQUENCE {
        cellName [0] CellName,
        rsName   [1] RSName
}

Its semantics are that it represents a "fully qualified" (in the semantic sense, not the syntactic sense) principal name, consisting of a cell name and an RS name.

The relationship between the semantic CellAndRSName data type and the DCE syntactic string forms of principal names (or just stringnames, for short) is as follows: if cellAndRSName is a value of type CellAndRSName, whose underlying cellName is, say, cellX, and whose underlying rsName-Values (that is, their underlying GeneralStrings, disregarding their rsName-Types) are, say, <rsName0^{,
···, rsName}r-1^{>, then the
corresponding string form of cellAndRSName is:}

: /.../cellX/rsName0^/···/ rsNamer-1

Implementations of the DCE security services must guarantee that these stringnames are unique or unambiguous, in the sense that every such stringname refers to at most one principal. Users, including administrators, trust the implementation to guarantee this. In particular, in cross-cell operations, a cell's security administrator must not establish a trust link (that is, exchange KDS registrations) with multiple foreign cells having the same cell name, or whose RS namespace is not trusted to guarantee this uniqueness.

Note that the CellAndRSName data type doesn't occur directly in the remaining data types and protocols defined in the remainder of this chapter: the concept of principal name is used throughout, though its two component fields (cellName and rsName) appear separately, not bound together in a CellAndRSName data type.

Note:: It would make sense to use the identifier "PrincipalName" instead of "CellAndRSName" for the data type defined above. However, that would conflict with the terminology of RFC 1510, which uses the identifier "PrincipalName" to denote the data type called "RSName" in DCE. Unfortunately, RFC 1510's definition of "PrincipalName" conflicts with the commonsense notion of "principal name" (and with RFC 1510's own expository use of the notion of "principal name"), which connotes global uniqueness, not the mere per-cell-context local uniqueness of RSNames. Hence, to avoid confusion, the identifier "PrincipalName" is avoided altogether in DCE.

Host Addresses

[RFC 1510: 5.2]

Note:: The notion of "(transport-level) host addresses" properly belongs to the realm of communications (see the referenced Open Group DCE 1.1 RPC Specification), as opposed to that of security, and arguably should play no role in a security specification. Nevertheless, RFC 1510 does specify usages of host addresses for security purposes, namely that servers may (depending on policy) deny service to clients on the basis of the client's host address, unless such clients exhibit the appropriate "proxied" or "forwarded" credentials. In order to support coexistence of RFC 1510 environments and DCE environments, host addresses are therefore supported by DCE. However, KDS servers conformant to DCE must not issue initial tickets (to AS Requests) to clients that do not supply at least one host address, and non-KDS servers conformant to DCE must not deny service to clients on the basis of the client's host address(es) (these requirements could change in future revisions of DCE). Thus, host addresses do not currently figure into the DCE security model with nearly the significance they have in RFC 1510. See Part of Ticket to be Encrypted .

Host addresses are represented by the HostAddresses data type, which is defined as follows:

 

HostAddressType ::= INTEGER
HostAddressValue ::= OCTET STRING

HostAddresses ::= SEQUENCE OF SEQUENCE {
        hostAddr-Type  [0] HostAddressType,
        hostAddr-Value [1] HostAddressValue
}

Its semantics are that it represents the host (that is, computer) address(es) (zero or more of them) at which a host is connected to a communications (network) substrate. Its fields are the following:

hostAddr-Type
The kind of address that hostAddr-Value represents, including its syntax.
hostAddr-Value
The address information itself, to be interpreted according to the value of hostAddr-Type.

Non-negative values of HostAddressType are reserved for centrally registered host address types; negative values are unreserved (and may, therefore, be assigned locally). The currently registered values are collected in Registered Host Address Types .

Registered Host Address Types

[RFC 1510: 8.1]

Note:: In order for this specification to be complete, it should supply references to definitive specifications for the host address types listed below. However, that is not done in RFC 1510 (and therefore, in order not to preempt RFC 1510 on this point, it is not done here). Furthermore, it is not necessary to do so in DCE, because this information is insignificant in DCE environments (as explained in the Note in Host Addresses ; see also Part of Ticket to be Encrypted ). Therefore, such references are not given here, and so for the purposes of this specification the following list is supplied only because it is "suggestive".

The currently registered values for HostAddressType are the following:

hostAddrType-INTERNET = 2
Internet address (corresponding HostAddressValue is 4 octets long).
hostAddrType-CHAOSNET = 5
CHAOSnet address (corresponding HostAddressValue is 2 octets long).
hostAddrType-XNS = 6
XNS address (corresponding HostAddressValue is 6 octets long).
hostAddrType-ISO = 7
ISO address (corresponding HostAddressValue has variable length).
hostAddrType-DECNET-IV = 12
DECnet Phase IV address (corresponding HostAddressValue is 2 octets long).
hostAddrType-DDP = 16
AppleTalk DDP address (corresponding HostAddressValue is 3 octets long).

Sequence Numbers

[RFC 1510: 3.2.2, 5.3.2]

Sequence numbers are represented by the SequenceNumber data type, which is defined as follows:

 

SequenceNumber ::= INTEGER

Its semantics are that it indicates the sequence number of a message in a multi-message sequence (for example, the (potentially) several fragments of a fragmented message). The detailed use of sequence numbers is application-specific. Typically, the initial sequence number is chosen randomly (see below for "random" numbers), and subsequent sequence numbers are unit increments from the initial one. For security purposes, the individual messages (fragments) and the sequence numbers themselves must be bound together and protected in an appropriate application-specific way. (In the case of DCE RPC applications, the use of sequence numbers is specified as part of the RPC protocol specifications-see Protected RPC .)

Last Requests

[RFC 1510: 5.2]

Last requests are represented by the LastRequests data type, which is defined as follows:

 

LastRequestType ::= INTEGER
LastRequestValue ::= TimeStamp

LastRequests ::= SEQUENCE OF SEQUENCE {
        lastReq-Type  [0] LastRequestType,
        lastReq-Value [1] LastRequestValue
}

Its semantics are that it indicates information maintained by a principal's home KDS of the principal's most recent KDS service requests. Its fields are the following:

lastReq-Type
The kind of last request that lastReq-Value represents.
lastReq-Value
The time of the request, to be interpreted according to the value of lastReq-Type.

All values of LastRequestType are reserved for centrally registered last request types. The currently registered values are collected in Registered Last Request Types .

Registered Last Request Types

[RFC 1510: 5.2]

The currently registered values for LastRequestType are the following, together with the interpretation of corresponding values of LastRequestValue. Positive values pertain to the whole cell of the responding KDS server (which cell may contain multiple instances or replicas of KDS servers); negative values pertain only to the individual responding KDS server itself.

lastReqType-NONE = 0
No information is conveyed by lastReq-Value.
lastReqType-AS-TGT-ALL = 1; lastReqType-AS-TGT-ONE = -1
Time of most recent previous AS Request by this principal for an (initial) ticket-granting-ticket.
lastReqType-AS-REQ-ALL = 2; lastReqType-AS-REQ-ONE = -2
Time of most recent previous AS Request by this principal (for an initial ticket, whether a ticket-granting-ticket or a service-ticket).
lastReqType-TGT-PRESENTED-ALL = 3; lastReqType-TGT-PRESENTED-ONE = -3
Authentication time (see Part of Ticket to be Encrypted ) of the most recent ticket-granting-ticket presented by (in the sense of Client Sends TGS Request ) this principal in a previous successful TGS Request. (Note that a principal can have multiple outstanding valid ticket-granting-tickets issued to it.)
lastReqType-RENEWAL-ALL = 4; lastReqType-RENEWAL-ONE = -4
Time of most recent previous successful renewal by this principal.
lastReqType-KDS-REQ-ALL = 5; lastReqType-KDS-REQ-ONE = -5
Time of most recent previous KDS Request (AS Request or TGS Request) by this principal, of any type, successful or not.

Error Status Codes/Text/Data

[RFC 1510: 5.9.1]

Error status codes are represented by the ErrorStatusCode data type; error status text is represented by the ErrorStatusText data type; error status data is represented by the ErrorStatusData data type. These are defined as follows:

 

ErrorStatusCode ::= INTEGER
ErrorStatusText ::= GeneralString
ErrorStatusData ::= OCTET STRING

Their semantics are that they indicate error conditions of a failed KDS Request. Values of these three data types always occur as a triple consisting of an ErrorStatusCode, an ErrorStatusText (optionally) and an ErrorStatusData (optionally). The value of ErrorStatusCode identifies an error that occurred; ErrorStatusText is a character string accompanying ErrorStatusCode explaining the error in a human-readable fashion, and ErrorStatusData is supplementary information further explaining the error in machine-readable fashion. Note that since ErrorStatusData is merely an "opaque" OCTET STRING, its interpretation must be implicit from the corresponding ErrorStatusCode.

Values of error status codes (with associated error text and data) are centrally registered. The currently registered values are collected in Registered Error Status Codes/Text/Data .

Notes:

Negative values of ErrorStatusCode do not appear to be specified as unreserved (and therefore available for local assignment) by [RFC 1510: 5.9.1].
In addition to reporting error codes not specified here, implementations are also permitted to report errors at algorithmic execution points other than those specified in this chapter. For example, a server's failure to allocate memory for a data structure may be reported to the client.

Registered Error Status Codes/Text/Data

[RFC 1510: 8.3]

The currently registered values for error codes/text/data are the following. The notational convention is used where NAME-OF-ERROR denotes a string specific to each error condition:

errStatusCode-NAME-OF-ERROR
Values of ErrorStatusCode data type.
errStatusText-NAME-OF-ERROR
Values of ErrorStatusText data type.
errStatusData-NAME-OF-ERROR
Values of ErrorStatusData data type.

Registered status codes without accompanying registered status text and/or status data indicates that the latter are not currently specified (but may be in a later revision of this document). (Some terminology is used in these descriptions that won't be formally introduced until later.)

errStatusCode-NONE = 0
No error (that is, success).
errStatusCode-CLIENT-ENTRY-EXPIRED = 1
Client entry in RS datastore has expired.
errStatusCode-SERVER-ENTRY-EXPIRED = 2
Server entry in RS datastore has expired.
errStatusCode-BAD-PROTO-VERS-NUM = 3
Protocol version number not supported.
errStatusCode-CLIENT-OLD-MASTER-KEY-VERS-NUM = 4
Client's key encrypted in an old (expired) master key, in the following sense. It is recommended that implementations of DCE protect all copies of the RS datastore other than those actually in use (in the address spaces of trusted programs) at any given moment (such as on-disk files, tape backups, and so on) by encrypting them (or at least the sensitive data contained in them, especially accounts' long-term keys), using some policy-dependent or implementation-dependent trusted encryption mechanism. An encryption key used for this purpose is known as a master key. A master key is said to be "old" if it is expired or unavailable (for whatever reason-it may just have been lost). In such a case, accounts' keys are unavailable; that is, accounts are "locked out" until a new key is established by the security administrator. (Typical implementations use different master keys for different datastore entries, disambiguating them with version numbers, so that the datastore can be incrementally upgraded from one master key to another.) Thus, the master key plays no direct part in the protocol, but surfaces only in this failure code.
errStatusCode-SERVER-OLD-MASTER-KEY-VERS-NUM = 5
Server's key encrypted in old master key. (For explanation, see preceding error code.)
errStatusCode-CLIENT-UNKNOWN = 6
Client entry not found in RS datastore.
errStatusCode-SERVER-UNKNOWN = 7
Server entry not found in RS datastore.
errStatusCode-PRINCIPAL-NOT-UNIQUE = 8
Multiple entries for principal found in RS datastore.
errStatusCode-NULL-KEY = 9
Principal has NULL long-term key in RS datastore.
errStatusCode-CANNOT-POSTDATE = 10
Ticket not eligible for postdating.
errStatusCode-NEVER-VALID = 11
Requested ticket lifetime is too short (for example, this is always the case if the requested start time is later than the requested expiration time).
errStatusCode-POLICY = 12
Request not supported by local cell policy (as held in RS).
errStatusCode-BAD-OPTION = 13
Cannot accommodate requested option.
errStatusCode-ENCRYPTION-TYPE-NOT-SUPPORTED = 14
Encryption type(s) not supported.
errStatusCode-CHECKSUM-TYPE-NOT-SUPPORTED = 15
Checksum type not supported.
errStatusCode-AUTHN-DATA-TYPE-NOT-SUPPORTED = 16
Authentication data type not supported.
errStatusCode-TRANSIT-PATH-TYPE-NOT-SUPPORTED = 17
Transit path type not supported.
errStatusCode-CLIENT-REVOKED = 18
Credentials for client have been revoked.
errStatusCode-SERVER-REVOKED = 19
Credentials for server have been revoked.
errStatusCode-TKT-REVOKED = 20
Ticket has been revoked.
errStatusCode-CLIENT-NOT-VALID = 21
Client not (yet) valid, perhaps due to a transitory condition ("try again later").
errStatusCode-SERVER-NOT-VALID = 22
Server not (yet) valid, perhaps due to a transitory condition ("try again later").
errStatusCode-BAD-DECRYPTION = 31
Unsuccessful decryption (detected by the "built-in integrity" feature of DCE encryption types-see Encrypted Data ).
errStatusCode-TKT-EXPIRED = 32
Ticket expired (that is, server's system time is later than ticket's expiration time (modulo maxClockSkew)).
errStatusCode-TKT-INVALID = 33
Ticket is invalid (that is, its invalid option is selected).
errStatusCode-REPLAY = 34
Request is a repeat of an earlier one.
errStatusCode-NOT-US = 35
Request intended for another server, not this one.
errStatusCode-BAD-MATCH = 36
Ticket and authenticator do not match.
errStatusCode-CLOCK-SKEW = 37
Clock skew is (apparently) greater than maxClockSkew.
errStatusCode-BAD-ADDRESS = 38
Bad host address.
errStatusCode-PROTO-VERS-NUM-MISMATCH = 39
Protocol version number mismatch.
errStatusCode-BAD-PROTO-MSG-TYPE = 40
Invalid protocol message type.
errStatusCode-BAD-CHECKSUM = 41
Bad checksum. (Unless the checksum was incorrectly generated, this means that message stream modification has been detected.)
errStatusCode-BAD-MSG-ORDER = 42
Message is out of order (that is, doesn't conform to the protocol).
errStatusCode-BAD-KEY-VERS-NUM = 44
Bad key version number.
errStatusCode-SERVER-NO-KEY = 45
Server's key not available.
errStatusCode-BAD-MUTUAL-AUTHN = 46
Mutual authentication failure.
errStatusCode-BAD-DIRECTION = 47
Bad message direction (client <-> server direction reversed).
errStatusCode-BAD-AUTHN-METHOD = 48
Alternative authentication method is required.
- errStatusData-BAD-AUTHN-METHOD
  It is (the underlying OCTET STRING of) a value of the data type AuthnMethodData, defined by:
```
 

AuthnMethodType ::= INTEGER
AuthnMethodValue ::= OCTET STRING

AuthnMethodData ::= {
        authnMethod-Type  [0] AuthnMethodType,
        authnMethod-Value [1] AuthnMethodValue OPTIONAL
}
```
  Its semantics are that it indicates the alternative authentication method required. Its fields are the following:
  - authnMethod-Type
    The kind of authentication method required.
  - authnMethod-Value
    Any additional information required, to be interpreted according to the value of authnMethod-Type.
  Non-negative values of AuthnMethodType are reserved for centrally registered authentication data types; negative values are unreserved (and may, therefore, be assigned locally). There are no currently registered values.
errStatusCode-BAD-SEQ-NUM = 49
Bad sequence number (that is, message fragment is out of order).
errStatusCode-BAD-CHECKSUM-TYPE = 50
Bad type of checksum being used (for example, one which has been found to be insecure).
errStatusCode-GENERIC = 60
Generic, catch-all error code.
errStatusCode-FIELD-TOO-LONG = 61
Field is too long for this implementation.

Cryptography- and Security-Related Data Types

The data types defined in this section are specifically related to cryptography and security.

Nonces

[RFC 1510: 5.4.1, 5.8.1]

Nonces are represented by the Nonce data type, which is defined as follows:

 

Nonce ::= INTEGER

Its semantics are that it indicates a per-context unique (or distinct, or "one-time") number; that is, a number which is always distinguishable from any other when used in a given context (where an appropriate notion of "context" must be specified whenever nonces are used). In the particular application of nonces in this chapter (.cX sec4-12-3 and Client Receives TGS Response ), they are used to distinguish a client's KDS Requests from one another (to help thwart "replay attacks"). Therefore, the security semantics of nonces in this chapter are that client principals need to believe (to a degree compatible with the security policies in effect) that the nonces associated with distinct KDS Requests from the same client principal will always be distinct. Implementations must, for example, take into consideration that "instances" of the same client principal may be active in different login sessions, perhaps even simultaneously (but that is an implementation-specific consideration not discussed further here).

Notes:

Even though a nonce generator of "cryptographically high quality" is necessary for security, this notion is not further specified in DCE. In particular, no specific nonce algorithm is (currently) specified. (This lack of specification does not affect interoperability.)
In Conversation Manager in_data , nonces are introduced that are byte-vectors, instead of integers. However, the same principles as described above apply with appropriate modification of detail to that case, and need not be elaborated here.

Random Numbers

[RFC 1510: 3.1.3, 3.2.6]

Random "numbers" (actually, byte vectors) are represented by the Random data type, which is defined as follows:

 

Random ::= OCTET STRING

Its semantics are that it indicates a number which is unpredictable. That is, it is required that random number generators used in any implementation of the DCE Security Services are of cryptographic high-quality; that is, it must be computationally infeasible to predict the next random number to be generated, even if the sequence of all previously generated random numbers are known. In essence, this means that every possible value has equal probability of being generated as every other value, at every invocation of the random number generator, but there may be occasions when slight modifications of this idea are warranted (for example, when keys are "changed", the "new" key should be guaranteed to be different than the "old" key).

Notes:

Even though a random number generator of "cryptographically high quality" is necessary for security, this notion is not further specified in DCE. In particular, no specific random algorithm is (currently) specified. (This lack of specification does not affect interoperability.)
The BER encoding respects the (big-endian) identification that has been made between bit-sequences of length a multiple of 8 and byte sequences. Therefore, random "numbers" can be spoken of equivalently either as byte-vectors or as bit-vectors (but not as integers), without possibility of confusion.

Encryption Keys

[RFC 1510: 6.2]

Encryption keys are represented by the EncryptionKey data type, which is defined as follows:

 

EncryptionKeyType ::= INTEGER
EncryptionKeyValue ::= Random

EncryptionKey ::= SEQUENCE {
        encKey-Type  [0] EncryptionKeyType,
        encKey-Value [1] EncryptionKeyValue
}

Its semantics are that it indicates the key for (one or more) encryption mechanism(s) and/or checksum mechanisms (see below). Its fields are the following:

encKey-Type
The encKey-Type's key type; that is, the kind of encryption key that encKey-Value represents.
encKey-Value
The encKey-Type's encryption key information itself, to be interpreted according to the value of encKey-Type.

Non-negative values of EncryptionKeyType are reserved for centrally registered encryption key types; negative values are unreserved (and may, therefore, be assigned locally). The currently registered values are collected in Registered Encryption Key Types .

Registered Encryption Key Types

[RFC 1510: 6.3.1, 8.3]

The currently registered values for EncryptionKeyType are the following:

encKeyType-TRIVIAL = 0

K has type encKeyType-TRIVIAL if and only if K is the trivial key; that is, it is the empty OCTET STRING, of length 0.

encKeyType-DES = 1
K has type encKeyType-DES if and only if K is a DES key (64 bits long, though with only 56 "active" bits, and of odd parity-see Encryption/Decryption Mechanisms ). It is furthermore required (compare Keys to be Avoided ) that implementations must avoid DES keys K that are weak or semi-weak, or for which the variant key K ^ Kf0^{is weak
or semi-weak; and they should avoid generating keys for which K
or K ^ K}f0^{is possibly weak (though they should
accept such keys from foreign sources).
(The reason for the conditions concerning the variant key is because of
the use of variant keys in the algorithm of

Registered Checksum Types
.)
Here, K}f0 denotes the 64-bit vector (of even parity):
<0xf0,0xf0,0xf0,0xf0,0xf0,0xf0,0xf0,0xf0>

Checksums

[RFC 1510: 6.4]

Checksums are represented by the CheckSum data type, which is defined as follows:

 

CheckSumType ::= INTEGER
CheckSumValue ::= OCTET STRING

CheckSum ::= SEQUENCE {
        cksum-Type  [0] CheckSumType,
        cksum-Value [1] CheckSumValue
}

Its semantics are that it indicates a (non-invertible) checksum (or message digest, or one-way function) of some plaintext (which must be specified in context). Its fields are the following:

cksum-Type
The CheckSum's checksum type; that is, the kind of checksum mechanism used to generate the cksum-Value.
cksum-Value
The CheckSum's checksumtext; that is, the actual cryptographic information conveyed by this data structure, to be interpreted according to the value of cksum-Type. It is the checksumtext, of checksum type cksum-Type, of (the underlying byte string of) an application-specific data value.

Non-negative values of CheckSumType are reserved for centrally registered checksum mechanism types; negative values are unreserved (and may, therefore, be assigned locally). The currently registered values are collected in Registered Checksum Types .

Registered Checksum Types

[RFC 1510: 6.4.5, 8.3, 9.1]

The currently registered values for CheckSumType are the following.

Notes:

The DES-CBC checksum was defined in DES-CBC Checksum , but it does not occur in the following list.)
DCE does not specify a trivial checksum, say "cksumType-TRIVIAL", paralleling the encKeyType-TRIVIAL of Registered Encryption Key Types . It would be possible to specify such a trivial checksum (having, say cksumType-TRIVIAL = 0, and whose corresponding checksumtext, cksum-Value is always the bit-vector of length 0), but it is unnecessary to do so. The reason is that the only place the checkSum data type occurs in DCE is as the authnr-Cksum field of authenticators (see Authenticators ), which is an optional field. Therefore, any application that wants to "transmit a checksum of type cksumType-TRIVIAL" needs merely to omit this field.
[RFC 1510: 6.3.1]

cksumType-MD4-DES = 3
Let K be an encryption key of type encKeyType-DES, and let P be a plaintext bit-message. Then the corresponding cksum-Value, denoted:
```
 

MD4-DES(K, P)
```
is defined by the following pseudocode algorithm:
```
 
R64^{= RANDOM}64^{();
P' = <R}64^{, P>;
C}128^{= MD4(P');
P" = <R}64^{, C}128^{>;
K' = K ^ K}f0^{;
MD4-DES(K, P) = DES-CBC(K', P");}
```
In words: First generate a random 64-bit vector, R64^{(called a confounder when used in this context-see

CBC Mode
).
Let P´ denote P prepended with R}64^{, and let
C}128^{denote the 128-bit checksum MD4(P´). Let
P´´ denote the
concatenation of R}64^{and C}128^{,
and let K´ denote the variant key K ^ K}f0^{(see

Registered Encryption Key Types
).
Then the checksum MD4-DES(K, P) is equal to
DES-CBC(K´, P´´) (which is 192 bits long).}
cksumType-MD5-DES = 8
Let K be an encryption key of type encKeyType-DES, and let P be a plaintext bit-message. Then the corresponding cksum-Value, denoted:
```
 

MD5-DES(K, P)
```
is defined by the following pseudocode algorithm:
```
 
R64^{= RANDOM}64^{();
P' = <R}64^{, P>;
C}128^{= MD5(P');
P" = <R}64^{, C}128^{>;
K' = K ^ K}f0^{;
MD5-DES(K, P) = DES-CBC(K', P");}
```
In words: First generate a random 64-bit vector, R64^{(called a confounder when used in this context-see

CBC Mode
).
Let P´ denote P prepended with R}64^{, and let
C}128^{denote the 128-bit checksum MD5(P´). Let
P´´ denote the
concatenation of R}64^{and C}128^{,
and let K´ denote the variant key K ^ K}f0^{(see

Registered Encryption Key Types
).
Then the checksum MD5-DES(K, P) is equal to
DES-CBC(K´, P´´) (which is 192 bits long).}
cksumType-CL-RPC = -32767
Checksum used in the CL-RPC Conversation Manager protocol-see Conversation Manager out_data for details.
Note:
This checksum type is, strictly speaking, "unregistered" according to the convention stated in Checksums concerning negative values of CheckSumType. Note also that the value -32767 may be represented as the hexadecimal value 0x8001 in a 16-bit two's complement signed data type (for example, C short on typical implementations).
cksumType-CO-RPC = -32766
Checksum used in the CO-RPC protocol-see CO Verifier auth_value.credentials for details.
Note:
This checksum type is, strictly speaking, "unregistered" according to the convention stated in Checksums concerning negative values of CheckSumType. Note also that the value -32766 may be represented as the hexadecimal value 0x8002 in a 16-bit two's complement signed data type (for example, C short on typical implementations).

Encrypted Data

[RFC 1510: 6.1]

Note:: This section and its subsection give the detailed definition of the notation "{M}K" introduced in Kerberos Key Distribution (Authentication) Service (KDS) .

Encrypted data is represented (after it has been encrypted) by the EncryptedData data type, which is defined as follows:

 

EncryptionType ::= INTEGER
EncKeyVersionNumber ::= INTEGER
CipherText ::= OCTET STRING

EncryptedData ::= SEQUENCE {
        encData-EncType    [0] EncryptionType,
        encData-KeyVersNum [1] EncKeyVersionNumber OPTIONAL,
        encData-CipherText [2] CipherText
}

Its semantics are that it indicates an (invertible) encryption of some plaintext (which must be specified in context). Its fields are the following:

encData-EncType
The EncryptedData's encryption type; that is, the kind of encryption mechanism used to generate the encData-CipherText. Encryption mechanisms depend on encryption keys, so the encData-EncType implicitly declares an associated EncryptionKey encKey-Type (though a given encKey-Type may be associated with multiple encData-EncTypes). Once it has been negotiated (that is, agreed upon, in an application-specific manner), it remains constant throughout a given client-server conversation, until it is renegotiated or the conversation ends. As used in DCE, the key version number is (using notation and terminology introduced later in this chapter):

Present, in the context of long-term keys K_A associated with principals A. (These are the keys stored in RS datastores.)

Absent, in the context of short-term session keys KA,B^{shared between principals A and B.
(These are the keys transmitted in tickets; they are generated by KDS
and PS servers.)}
Optionally present (application-specific choice), in the context of short-term conversation keys K^A,B^{and
Kx^^'1xu'}A,B^{shared between principals
A and B.
(These are the negotiated "conversation keys" transmitted in
authentication headers and reverse-authentication headers; they
are generated by A and B, respectively.)}

The key version number is generally omitted from the notations of this chapter, and usually speaks of "the" encryption type in a given context (this will never cause confusion).
encData-KeyVersNum
The EncryptedData's encryption key version number; that is, a number selecting the precise encryption key (value of type EncryptionKey, appropriate to encryption type encData-EncType) used to generate the encData-CipherText. It need only be present under conditions where multiple keys may be outstanding. It is generally omitted from the notations of this chapter, preferring to speak of "the" key (modulo its version number) in a given context (this will never cause confusion).
encData-CipherText
The EncryptedData's ciphertext; that is, the actual cryptographic information (the encryption of some plaintext bit-string) conveyed by this data structure, to be interpreted according to the values of encData-EncType and encData-KeyVersNum. It is the ciphertext, of encryption type encData-EncType and key version number encData-KeyVersNum (if present), of (the underlying bit-string of) an application-specific data value.

Non-negative values of EncryptionType are reserved for centrally registered encryption types; negative values are unreserved (and may, therefore, be assigned locally). The currently registered values are collected in Registered Encryption Types .

Registered Encryption Types

[RFC 1510: 6.1, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 8.3, 9.1]

The currently registered values for EncryptionType are the following:

encType-TRIVIAL = 0

Let K be an encryption key of type encKeyType-TRIVIAL, and let P be a plaintext bit-message. Then the corresponding encData-CipherText is simply the plaintext P itself, 0-padded if necessary to have length a non-negative multiple of 8 bits (because it must be an OCTET STRING). This encryption type does not afford an adequate basis for security in a potentially hostile ("open") environment.

encType-DES-CBC-CRC = 1
Let K be an encryption key of type encKeyType-DES, and let P be a plaintext bit-message. Then the corresponding encData-CipherText, denoted:
```
 

DES-CBC-CRC(K, P)
```
is defined by the following pseudocode algorithm:
```
 
R64^{= RANDOM}64^{();
P' = <R}64^{, 0}32^{, P>;
C}32^{= CRC\z§}₃₂(0₃₂, P');
P" = <R₆₄, C₃₂, P>;
DES-CBC-CRC(K, P) = DES-CBC(K, P");
```
In words: First generate a random 64-bit vector, R₆₄ (called a confounder when used in this context-see CBC Mode ). Let P´ denote P prepended with R₆₄ and with a 32-bit 0-vector (0₃₂), and let C₃₂ denote the 32-bit (twisted) checksum CRC^§₃₂(0, P´) with seed 0 (for padding, see Cyclic Redundancy Checksums ). Let P´´ denote P prepended with R₆₄ and C₃₂. Then the ciphertext DES-CBC-CRC(K, P) is equal to DES-CBC(K, P´´) (for initialisation vector and padding, see CBC Mode ).
encType-DES-CBC-MD4 = 2
Let K be an encryption key of type encKeyType-DES, and let P be a plaintext bit-message. Then the corresponding encData-CipherText, denoted:
```
 

DES-CBC-MD4(K, P)
```
is defined by the following pseudocode algorithm:
```
 
R₆₄ = RANDOM₆₄();
P' = <R₆₄, 0₁₂₈, P>;
C₁₂₈ = MD4(P');
P" = <R₆₄, C₁₂₈, P>;
DES-CBC-MD4(K, P) = DES-CBC(K, P");
```
In words: First generate a random 64-bit vector, R₆₄ (called a confounder when used in this context-see CBC Mode ). Let P´ denote P prepended with R₆₄ and with a 128-bit 0-vector (0₁₂₈), and let C₁₂₈ denote the 128-bit checksum MD4(P´) (no padding is used here). Let P´´ denote P prepended with R₆₄ and C₁₂₈. Then the ciphertext DES-CBC-MD4(K, P) is equal to DES-CBC(K, P´´) (for initialisation vector and padding, see CBC Mode ).
encType-DES-CBC-MD5 = 3
Let K be an encryption key of type encKeyType-DES, and let P be a plaintext bit-message. Then the corresponding encData-CipherText, denoted:
```
 

DES-CBC-MD5(K, P)
```
is defined by the following pseudocode algorithm:
```
 
R₆₄ = RANDOM₆₄();
P' = <R₆₄, 0₁₂₈, P>;
C₁₂₈ = MD5(P');
P" = <R₆₄, C₁₂₈, P>;
DES-CBC-MD5(K, P) = DES-CBC(K, P");
```
In words: First generate a random 64-bit vector, R₆₄ (called a confounder when used in this context-see CBC Mode ). Let P´ denote P prepended with R₆₄ and with a 128-bit 0-vector (0₁₂₈), and let C₁₂₈ denote the 128-bit checksum MD5(P´) (no padding is used here). Let P´´ denote P prepended with R₆₄ and C₁₂₈. Then the ciphertext DES-CBC-MD5(K, P) is equal to DES-CBC(K, P´´) (for initialisation vector and padding, see CBC Mode ).

Note that, by including a checksum in the ciphertext itself, the DES-CBC-CRC DES-CBC-MD4 and DES-CBC-MD5 ciphertexts exhibit built-in integrity; that is, correct decryption can be determined solely by inspecting the internal consistency of the resulting plaintext itself, without relying on information external to it. Said another way: "integrity (at this level) is the concern of the cryptography layer itself, not of the consumer of cryptographic services". In particular, the length of the plaintext need not be conveyed explicitly (at "application level"; that is, by the consumer of cryptographic services) for the purposes of integrity. (However, if the plaintext P is derived from an "original" application-level message M which has been padded to an integral number of DES blocks, then conveying the number of padding bytes is usually a convenient thing to do, and conveying the length of M is a common way to do that.)

Note:: It is intended that all encryption mechanisms (except for encType-TRIVIAL) registered in this document shall incorporate built-in integrity similar to that of encType-DES-CBC-CRC, encType-DES-CBC-MD4 and encType-DES-CBC-MD5.
Note that the degree of assurance of this built-in integrity depends upon the strength of the cryptographic algorithms involved. In particular, non-collision-proof checksums (such as CRC-32) may be susceptible to attacks (such as truncation attacks) that render some assertions invalid (such as the one in the preceding paragraph about not needing to explicitly convey the length of the plaintext).

Passwords

[RFC 1510: 1.2, 6]

Passwords are represented by the PassWord data type, which is defined here to be merely a byte-string.

Its semantics are that it indicates a (byte string representation of a) character string (typically a "memorisable but unguessable" one, relative to some natural language) associated with a principal, C, from which the long-term encryption key K_C for C (relative to a specified encryption type encType), held in the RS datastore, is derived. The notion of passwords exists because there is a need for humans to be able to securely store a secret, and the best way to do that is to memorise it ("store it in their brain"), which is within normal human capabilities for passwords but not for random ("strong") encryption keys. DCE specifies one or more password-to-encryption-key mapping for each supported encryption key type, and these mappings are centrally registered. The currently registered ones are collected in Registered Password-to-Key Mappings .

Note:: Passwords per se are irrelevant to the KDS (because they do not appear in kds_request()); they are relevant only to the Login Facility. However, password-to-key mappings do have security significance and depend on cryptography, so it is appropriate to define them in this chapter. Note furthermore that implementations may further restrict (on an implementation-specific basis) the passwords they accept (for example, to avoid easily guessable passwords, or passwords that map into possibly weak keys, and so on-such things are presently beyond the scope of this specification).

Registered Password-to-Key Mappings

[RFC 1510: 6.3.4]

The password-to-key mappings supported by DCE return as an output parameter an encryption key of an appropriate type, and take as input parameters the following two data items:

passWord

The password itself. It is a value of type PassWord; that is, a byte string. Typically it is derived from the character string password input parameter to sec_login_validate_identity() or sec_login_valid_and_cert_ident(). The mapping of character string to byte string by those routines is specified as follows (see Minimum Implementation Requirements ): they take as input PCS character strings, and map them to byte strings by mapping each character to a byte value according to the US ASCII mapping (or equivalently, for PCS characters, ISO 8859-1). (In particular, of course, upper-case letters are considered to be distinct from lower-case letters.)

salt
An initialising string (also called seed, pepper, mix-in string, and so on). Its value is a byte string. If no salt is explicitly specified, it defaults to the default salt, which consists (in a manner specified below) of:

cellName
The (home) cell of the principal whose password is to be mapped; that is, the name of the cell in whose RS datastore the principal is registered. It is a value of type CellName, which is a GeneralString.

rsName
The RS name of the principal whose password is to be mapped. It is a value of type RSName, which consists of an rsName-Type and of an rsName-Value which is a sequence of GeneralStrings-call the components of this sequence rsName₀, ···, rsName_r-1.

Corresponding to the input parameters cellName and rsName (which are GeneralStrings), the underlying BER string of "contents octets" of their GeneralStrings is denoted (that is, the BER encoding stripped of its "identifier octets" and "length octets"-no "end-of-contents octets" are present because of the DER in force), which are strings of octets, by respectively:

RSN, with components RSN₀, ···, RSN_r-1

The default salt, mentioned above but not yet specified explicitly, is now defined to be:

: DEFAULTSALT = <CN, RSN₀, ···, RSN_r-1>

In words: DEFAULTSALT is the concatenation of (the underlying strings of octets of) CN and of the components of RSN.

With the above notations, the currently registered password-to-key mappings, corresponding to the currently registered encryption key types, are defined as follows.

encKeyType-TRIVIAL

All passWords, cellNames and rsNames map to the unique (trivial) key of type encKeyType-TRIVIAL.

encKeyType-DES
The mapping of a passWord and salt (the latter, unless explicitly indicated otherwise, defaults to DEFAULTSALT) to a key K of type encKeyType-DES is defined by the following algorithm.
First, pad the password and salt:
```
 

PWS = <passWord, salt, 0, ···, 0>
```
In words: PWS ("password-with-salt") is the concatenation of (the byte strings) passWord and of salt, appended with 0-bits to a (positive) multiple of 64 bits. PWS is considered to be a (pseudocode) array of 64-bit blocks, denoted:
```
 

PWS = <PWS[0], ···, PWS[p-1]>
```
where each PWS[j] has length 64 bits. The key K is then defined by the following pseudocode:
```
 

K = <0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00>;
for (j = 0; j <= p-1; j += 1) {
        if (j is even) {
                K ^= PWS[j];
        } else {
                K ^= REVERSE(PWS[j]);
        }
}

FIX-PARITY(K);
K' = DES-CBC-CKSUM(K, PWS);
FIX-PARITY(K');

if (K' is weak or semi-weak) {
        K' ^= <0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0>;
        FIX-PARITY(K');
}
```
In words: First, initialise a 64-bit vector K by "fan-folding" PWS, as specified in the pseudocode above, where REVERSE() is the transformation that maps any bit-vector <b₀, ···, b_k-1> to its reversal, <b_k-1, ···, b₀>. This K may not be a DES key, because it may not have odd parity, so next adjust the parity bits of K so that it has odd parity (that's the definition of FIX-PARITY()). Then, apply the indicated DES-CBC checksum to K and PWS (thereby "uniformly distributing the password and salt over DES key space"), calling the result K´. Again, adjust the parity of K´. Finally, if K´ is a weak or semi-weak DES key, XOR it with the indicated constant (and adjust the parity again). The final output of this algorithm (the desired result of the password-to-key mapping), is the resulting K´.
Note:
Since this is a "public algorithm", it is not permissible to modify it to avoid the possibly-weak DES keys mentioned in Possibly Weak Keys , or other DES keys that may in the future be discovered to hold weaknesses. However, at a higher level, implementations are permitted (even encouraged) to reject passwords that would result in all DES keys that are weak in all known senses.

Minimum Implementation Requirements

All implementations must support passwords and salts consisting of characters drawn from the DCE Portable Character Set (PCS) (see Appendix A, Universal Unique Identifier, of the referenced Open Group DCE 1.1 Directory Services Specification).

Note:: Some implementations may support passwords consisting of characters beyond the PCS. Users should be aware, however, that there are practical limitations on the makeup of passwords, associated with "seat portability". Namely, "input methods" for all GeneralStrings do not necessarily exist at all "seats" from which the user may want to login. Therefore, users must restrict the choice of characters in their passwords to the characters they know will be supported at all the seats from which they will want to login. For universal seat portability, users must restrict their passwords to the DCE PCS (because of the PCS minimal implementation requirement for all implementations of DCE stated in this section).

Authentication Data

[RFC 1510: 5.4.1]

Authentication data is represented by the AuthnData data type, which is defined as follows:

 

AuthnDataType ::= INTEGER
AuthnDataValue ::= OCTET STRING

AuthnData ::= SEQUENCE {
        authnData-Type  [1] AuthnDataType,
        authnData-Value [2] AuthnDataValue
}

Its semantics are that it indicates information that is exchanged between clients and KDS servers (in KDS Request/Response exchanges), which may be required before KDS services (that is, ticket issuance) can be accessed. (Note that the KDS does not support ACLs for access control to its AS/TGS services-just the opposite: tickets are required before PACs can be obtained, on which ACLs are based.) In the case of AS Request/Responses (as opposed to TGS Request/Responses), this information is usually referred to as pre-authentication data, because AS Request/Responses are, in fact, "unauthenticated" (in the sense of not containing an "authentication header" as defined in Authentication Headers ). Its fields are the following:

authnData-Type
The kind of authentication data that AuthnData-Value represents, including its format.
authnData-Value
The authentication data information itself, to be interpreted according to the value of authnData-Type.

Non-negative values of AuthnDataType are reserved for centrally registered authentication data types; negative values are unreserved (and may, therefore, be assigned locally). The currently registered values are collected in Registered Authentication Data Types .

Registered Authentication Data Types

[RFC 1510: 8.3]

The currently registered values for AuthnDataType are the following:

authnDataType-TGS-REQ = 1
authnData-Value contains (the underlying OCTET STRING of) an authentication header (defined in Authentication Headers ), for use in a TGS Request.
Note:
(Reverse-)Authentication data does not occur in a TGS Response -see KDS Server Receives TGS Request and Sends TGS Response .
authnDataType-PW-SALT = 3
authnData-Value contains (encoded as an OCTET STRING) a "salt" (whose underlying contents octets are to be used in computing the principal's key from its password-see Registered Password-to-Key Mappings ). (A zero-length salt is a valid value-in particular, it does not mean "use default salt".) See Client Receives AS Response .

Authorisation Data

[RFC 1510: 5.2]

Authorisation data is represented by the AuthzData data type, which is defined as follows:

 

AuthzDataType ::= INTEGER
AuthzDataValue ::= OCTET STRING

AuthzData ::= SEQUENCE OF SEQUENCE {
        authzData-Type  [0] AuthzDataType,
        authzData-Value [1] AuthzDataValue
}

Its semantics are that it indicates information that may be (depending on application-specific authorisation policy) needed by a server in order to determine a client's access to the server's services. Its fields are the following:

authzData-Type
The kind of authorisation data that authzData-Value represents, including its format.
authzData-Value
The authorisation data information itself, to be interpreted according to the value of authzData-Type.

Non-negative values of AuthzDataType are reserved for centrally registered authorisation data types; negative values are unreserved (and may, therefore, be assigned locally). The currently registered values are collected in Registered Authorisation Data Types .

Note:

The usage semantics to be attached to authorisation data is application-specific, but typically a value authzData of data type AuthzData is used for access based on the so-called "AND model"; that is, the elements of the array, authzData[0], ···, authzData[n-1], all "further restrict" one another. That is to say, it is typically used to determine access in the following manner:

 

if (authzData[0], ···, authzData[n-1] all grant access) {
        GRANT access;
} else {
        DENY access;
}

Registered Authorisation Data Types

[RFC 1510: 8.3]

The currently registered values for AuthzDataType are the following:

authzDataType-PAC = 64
Pickled PACs, as specified in Pickled PACs .

Tickets

[RFC 1510: 5.3.1]

Tickets are represented by the Ticket data type, which is defined as follows:

 

Ticket ::= [APPLICATION 1] SEQUENCE {
        tkt-ProtoVersNum  [0] ProtocolVersionNumber,
        tkt-ServerCell    [1] CellName,
        tkt-ServerName    [2] RSName,
        tkt-EncryptedPart [3] EncryptedData
}

Its semantics have been described in Tickets, Keys, and Cross-Registration , where the notation Tkt_A,B for a ticket with named client A in cell X and targeted server B in cell Y are introduced (eliding, here, any issuing authority(ies), KDS_Z´, ···, KDS_Z´´ from the notation). In terms of this notation, its fields are the following:

tkt-ProtoVersNum

The protocol version number of the Ticket data type. Its value is protoVersNum-KRB5.

tkt-ServerCell

B's home cell, Y.

tkt-ServerName

B's RS name in RS_Y.

tkt-EncryptedPart

The encryption type (encData-EncType), key version number (encData-KeyVersNum) and ciphertext (encData-CipherText) encryption of (the underlying BER-encoded bit-string of) a value of type TicketEncryptPart, which is defined in Part of Ticket to be Encrypted . The "pre-encrypted" plaintext of this field (which is a value of the data type TicketEncryptPart) is denoted by tkt-EncryptPart.

Part of Ticket to be Encrypted

[RFC 1510: 5.3.1]

The encrypted data carried in a ticket is represented (before it is encrypted) by the TicketEncryptPart data type, which is defined as follows:

 

TicketEncryptPart ::= [APPLICATION 3] SEQUENCE {
        tkt-Flags         [ 0] TicketFlags,
        tkt-SessionKey    [ 1] EncryptionKey,
        tkt-ClientCell    [ 2] CellName,
        tkt-ClientName    [ 3] RSName,
        tkt-TransitPath   [ 4] TransitPath,
        tkt-AuthnTime     [ 5] TimeStamp,
        tkt-StartTime     [ 6] TimeStamp OPTIONAL,
        tkt-ExpireTime    [ 7] TimeStamp,
        tkt-MaxExpireTime [ 8] TimeStamp OPTIONAL,
        tkt-ClientAddrs   [ 9] HostAddresses OPTIONAL,
        tkt-AuthzData     [10] AuthzData OPTIONAL
}

Its fields are the following:

tkt-Flags

Options (represented by flag bits) selected by this ticket. The TicketFlags data type is defined in detail in Ticket Flags . (In KDS Server Receives AS Request and Sends AS Response and KDS Server Receives TGS Request and Sends TGS Response , when a KDS server creates a ticket its options are considered to be deselected by default unless they are explicitly selected.)

tkt-SessionKey
The session key, K_A,B, associated with this ticket; that is, the actual data item that represents the ensuing client-server session. (Either it or a subsequently negotiated conversation ("true session") key can be used to protect client-server communications.) Any principal that knows this session key is considered to be "the same principal (relative to this ticket)" as the principal A.
tkt-ClientCell
A's home cell, X.
tkt-ClientName
A's RS name in RS_X.
tkt-TransitPath
The transit path of this ticket.
tkt-AuthnTime
The authentication time of this ticket; that is, the time of A's original (AS) authentication (the time at which A's home KDS server, KDS_X, issued the original initial ticket-granting-ticket, Tkt_A,KDSX, on which Tkt_A,B is ultimately based, by a sequence of TGS Requests).
tkt-StartTime
The start time of this ticket; that is, the time before which Tkt_A,B is not to be honoured (accepted as evidence of authentication by B). Together with the expiration time of this ticket (tkt-ExpireTime), this field determines the lifetime of the ticket, namely, the time interval [tkt-StartTime, tkt-ExpireTime] (modulo maxClockSkew). This field must be present if Tkt_A,B is postdated (tkt-Postdated flag is set), and it may be present at other (depending on local policy); in its absence, the start time of this ticket defaults to the ticket's authentication time (tkt-AuthnTime).
tkt-ExpireTime
The (relative) expiration time of this ticket; that is, the time after which Tkt_A,B is not to be honoured by B. Thus, the (relative) lifetime of the ticket is the time interval [tkt-StartTime, tkt-ExpireTime] (modulo maxClockSkew).
Note:
Individual servers may decline to honour certain tickets which have not yet expired, depending on local policy.
tkt-MaxExpireTime
The absolute (or maximum) expiration time of this ticket; that is, the time beyond which KDS servers will not issue a renewed ticket based on Tkt_A,B. Thus, the absolute (or maximum) lifetime of the ticket is the time interval [tkt-StartTime, tkt-MaxExpireTime] (modulo maxClockSkew). This field is present if and only if Tkt_A,B's tkt-Renewable flag is set, in which case it must indicate a time later than tkt-ExpireTime; in its absence, the absolute expiration time of this ticket defaults to the ticket's expiration time (tkt-ExpireTime).
tkt-ClientAddrs
Zero (if absent) or more (if present) client host addresses. In the zero-address case, the ticket can be used from any "location" (that is, transport address-this is discussed further shortly); in the non-zero-address case, these are the addresses from which the ticket is "supposed" to be used (depending on server policy). In the RFC 1510 environment (as opposed to the DCE environment), this means the following:
- A server B must never deny service to a client A presenting a Tkt_A,B on the basis of A's "location" (that is, the transport address of the host from which A is communicating, as reported to B by its local host's operating system's implementation of the transport provider), provided that A's location is among the addresses indicated by Tkt_A,B's tkt-ClientAddrs (and, if applicable, Tkt_A,B has been properly proxied or forwarded-see Ticket Flags ).
- On the other hand, if A's location is not among the addresses indicated by Tkt_A,B's tkt-ClientAddrs, then B may deny service, depending on B's policy.
Thus, in the RFC 1510 environment, the decision by the target server B to honour such address restrictions is an optional server policy decision; that is, B may, depending on policy, choose to enforce or ignore the tkt-ClientAddrs field (possibly even on a per-client per-call basis). In the current DCE environment (that is, in environments conformant to DCE), this optionality has been removed, and the policy decision has been taken that the tkt-ClientAddrs field is never used to deny service: all servers B (including all system servers such as KDS and PS, and all application servers conforming to DCE) must always honour tickets Tkt_A,B having arbitrary host address fields tkt-ClientAddrs (provided they are otherwise acceptable), regardless of the location of the client A-with the sole exception that the KDS's AS service always requires clients to supply at least one host address in every AS Request (see the Note in Host Addresses ). (This policy decision could conceivably change in future revisions of DCE, though there is no current intent to do so. Therefore, in order to support an orderly transition to such a possible future environment, clients are encouraged to use the tkt-ClientAddrs field as specified herein with this in mind.)
In particular, the HostAddressType field(s) of the HostAddresses data type (see Host Addresses ) are always ignored in the DCE environment. (This is the reason that references need not be supplied in DCE for the registered host address types listed in Registered Host Address Types .)
tkt-AuthzData
The authorisation data associated with this ticket. If it is not present, no authorisation data is associated with the ticket (and therefore a server relying on the presence of such data for its access decisions must deny access).

Note that tickets are not in general interpretable (in the sense of being decryptable) by their named clients (except in the case where the named client also happens to be the targeted server). Nevertheless, the information in them is otherwise (securely) available to the named client. Namely (as seen in Client Receives AS Response and Client Receives TGS Response ), all the fields except tkt-TransitPath and tkt-AuthzData are available in the KDS Response that delivers the ticket to the client. The client knows tkt-TransitPath because it is itself involved in passing this ticket to the corresponding issuing authorities identified by the transit path. The tkt-AuthzData field is not dealt with in this chapter, but as seen in Privilege (Authorisation) Services , this information is communicated to the client by the PS in a DCE environment.

Ticket Flags

[RFC 1510: 2, 5.2, 5.3.1]

The options that may be selected by a ticket, Tkt_A,B (that is, requested by the named client A, specified by issuing authority(ies), or interpreted by the targeted server B), are represented by the TicketFlags data type, which is defined as follows:

 

TicketFlags ::= BIT STRING {
        tkt-Forwardable (1),
        tkt-Forwarded   (2),
        tkt-Proxiable   (3),
        tkt-Proxied     (4),
        tkt-Postdatable (5),
        tkt-Postdated   (6),
        tkt-Invalid     (7),
        tkt-Renewable   (8),
        tkt-Initial     (9)
}

The semantics of these bits are that if a value of type TicketFlags has the corresponding bit set (to 1) then the option is selected; if the bit is reset (to 0), the option is deselected. The bits indicate the following options (bits not currently specified are reserved for future usage):

tkt-Forwardable
This Tkt_A,B is forwardable; that is, this flag grants KDS servers the right to issue a forwarded Tkt*_A,B (which may even be a ticket-granting-ticket) based on Tkt_A,B. By a forwarded Tkt*_A,B is meant a ticket that is used by the (same) client A from a (potentially) different "location" (host address, tkt-ClientAddrs) than A's "location" when Tkt_A,B was originally issued. (Here, the notion of "same client A" is relative to a ticket, and it means any client that knows the session key carried in the ticket.)
tkt-Forwarded
This Tkt_A,B has either itself been forwarded (see just above), or has been issued based on a ticket that had previously been forwarded.
tkt-Proxiable
This Tkt_A,B is proxiable; that is, this flag grants KDS servers the right to issue a proxied Tkt*_A,B (but not a ticket-granting-ticket -this is the only difference between forwarding and proxying from the point of view of the KDS, though applications may opt to distinguish between them for other purposes) based on Tkt_A,B. By a proxied Tkt*_A,B is meant a ticket that is used by the (same) client A from a (potentially) different host address (tkt-ClientAddrs) than that to which Tkt_A,B was originally issued. (Here, the notion of "same client A" is relative to a ticket, and it means any client that knows the session key carried in the ticket.)
tkt-Proxied
This Tkt_A,B has either itself been proxied (see just above), or has been issued based on a ticket that had previously been proxied.
tkt-Postdatable
This Tkt_A,B is postdatable; that is, this flag grants KDS servers the right to issue a postdated Tkt*_A,B based on Tkt_A,B. By a postdated Tkt*_A,B is meant a ticket that has substantially the same information in it as Tkt_A,B but with a new start time (tkt-StartTime).
tkt-Postdated
This Tkt_A,B has been postdated.
tkt-Invalid
This Tkt_A,B is invalid; that is, this flag grants KDS servers the right to issue a valid Tkt*_A,B based on Tkt_A,B. By a valid (or validated) Tkt*_A,B is meant a ticket that has substantially the same information in it as Tkt_A,B but with its invalid option (tkt-Invalid) deselected, with the semantic that target (non-KDS) end-servers B are to honour only valid tickets. This flag is used in conjunction with the tkt-Postdated flag.
Note:
This flag is supported for security purposes-it does not introduce any new functionality that is not otherwise available. In order to be used effectively, it needs to be used with a "revocation" (or "hotlist") mechanism, which is not specified in this revision of DCE. Namely, use of this flag forces the KDS to be "visited" in order for a postdated ticket (which is always originally issued in an invalid state) to be rendered valid, thereby giving the KDS a timely opportunity to revoke tickets by checking them against the hotlist.
tkt-Renewable
This Tkt_A,B is renewable; that is, this flag grants KDS servers the right to issue a renewed Tkt*_A,B based on Tkt_A,B. By a renewed Tkt*_A,B is meant a ticket that has substantially the same information in it as Tkt_A,B but with a new (later) expiration time (tkt-ExpireTime).
Note:
This flag is supported for security purposes-it does not introduce any new functionality that is not otherwise available. In order to be used effectively, it needs to be used with a "revocation" (or "hotlist") mechanism, which is not specified in this revision of DCE. Namely, use of this flag forces the KDS to be "visited" before the absolute expiration time of tickets, thereby giving the KDS a timely opportunity to revoke tickets by checking them against the hotlist.
tkt-Initial
This Tkt_A,B is an initial ticket; that is, it was issued in response to an AS Request to A's home KDS_X. If tkt-Initial is reset, the ticket is said to be a subsequent ticket; that is, it was issued in response to a TGS Request to some KDS server.

Note that the above descriptions do not give complete details. For that, see that detailed descriptions of these flags, in AS Request/Response Processing and TGS Request/Response Processing .

Authenticators

[RFC 1510: 3.2.3, 5.3.2]

Authenticators are represented by the Authenticator data type, which is defined as follows:

 

Authenticator ::= [APPLICATION 2] SEQUENCE  {
        authnr-ProtoVersNum    [0] ProtocolVersionNumber,
        authnr-ClientCell      [1] CellName,
        authnr-ClientName      [2] RSName,
        authnr-Cksum           [3] CheckSum OPTIONAL,
        authnr-ClientMicroSec  [4] MicroSecond,
        authnr-ClientTime      [5] TimeStamp,
        authnr-ConversationKey [6] EncryptionKey OPTIONAL,
        authnr-SeqNum          [7] SequenceNumber OPTIONAL,
        authnr-AuthzData       [8] AuthzData OPTIONAL
}

Its semantics are that it accompanies Tkt_A,B in a client-server service request, and proves to B that this request is "really from A", in the sense that it was sent from A "now" (modulo maxClockSkew). Its fields are the following:

authnr-ProtoVersNum

The protocol version number of the Authenticator data type. Its value is protoVersNum-KRB5.

authnr-ClientCell

A's home cell.

authnr-ClientName

A's RS name in its cell.

authnr-Cksum

The checksum of the (application-specific) message that this authenticator accompanies. (This is used internally in the KDS protocol itself in the KDS Request "application", as specified below.)

authnr-ClientMicroSec

A's microsecondstamp, interpreted in conjunction with A's timestamp (authnr-ClientTime, below). The timestamp and microsecond timestamp pair, <T, M> (= <authnr-ClientTime, authnr-ClientMicroSec>), is used (differently) by clients and servers as a nonce. It is used by clients as a nonce to match up request/reply (authentication header/reverse-authentication header) pairs (see, for example, CO Verifier auth_value.credentials ). It is the client's responsibility to store the timestamp and microsecond pairs <T, M> of all outstanding requests for which it remains interested in replies. It is also used by servers as a nonce to ensure they do not accept duplicate authenticators from the same client, because to do so risks a faked authentication due to "replay attacks" (which, incidentally, threaten authenticity only, not integrity or confidentiality, because they do not involve the compromise of a key). It is the server's responsibility to maintain a replay cache for this purpose, storing the timestamp and microsecondstamp pairs <T, M> from all authenticators it receives from all clients over the time interval 1T - S| <= maxClockSkew, where S is the server's system timestamp.

Note:: This timestamp-based technique for replay detection is not the only possible technique; for example, random-number-based "challenge/response" techniques for environments that do not want to rely on a time service. Such techniques are supported elsewhere in DCE.

authnr-ClientTime
A's timestamp when it generated this authenticator. This timestamp (modulo maxClockSkew) has the semantics of convincing the receiving server B that the communication it is having with client A (securely identified in the accompanying Tkt_A,B) is happening in real-time. In colloquial terms: "A is `online' and is communicating with B `now'."
authnr-ConversationKey
A's choice of a conversation (or subsession or "true session") key, K^_A,B, indicating that A prefers this key to be used to protect client-server communications. If absent, the session key K_A,B in Tkt_A,B (tkt-SessionKey) is to be used as the conversation key. This is part of conversation key negotiation between A and B.
authnr-SeqNum
A's choice of sequence number. If absent, this application is not using sequence numbers, or no sequence number is applicable to this message (for example, it might be a non-fragmented message).
authnr-AuthzData
Additional authorisation data included by A. This is authorisation data additional to that specified in the accompanying Tkt_A,B (tkt-AuthzData). Note that its contents are completely up to A's discretion, unlike the tkt-AuthzData which is sealed in the ticket by the KDS server. Therefore, even though its use depends on application-specific authorisation policy, it is typically used only to "further restrict" A's access rights at B; that is, it is typically used to determine access in the manner paraphrased as: "If both tkt-AuthzData and authnr-AuthzData grant access, then access is granted, otherwise it is denied". Or in pseudocode:
```
 

if ((this application does not require tkt-AuthzData)
1|  (tkt-AuthzData is present and grants access)) {
        if ((this application does not require authnr-AuthzData)
        1|  (authnr-AuthzData is present and grants access)) {
                GRANT access;
        }
} else {
        DENY access;
}
```

This can be used to support "least privilege" access policies.

Authentication Headers

[RFC 1510: 5.5.1]

Authentication headers are represented by the AuthnHeader data type, which is defined as follows (where APPLICATION 14 indicates protoMsgType-AUTHN-HEADER-see Registered Protocol Message Types ):

 

AuthnHeader ::= [APPLICATION 14] SEQUENCE {
        authnHdr-ProtoVersNum    [0] ProtocolVersionNumber,
        authnHdr-ProtoMsgType    [1] ProtocolMessageType,
        authnHdr-Flags           [2] AuthnHeaderFlags,
        authnHdr-Tkt             [3] Ticket,
        authnHdr-EncryptedAuthnr [4] EncryptedData
}

Its semantics are that it supplies the forward authentication information that actually "authenticates a client A to a server B", by binding together an authenticator and a ticket, Tkt_A,B (naming A and targeted to B), associated with one another. Its fields are the following:

authnHdr-ProtoVersNum

The protocol version number of the AuthnHeader data type. Its value is protoVersNum-KRB5.

authnHdr-ProtoMsgType

The kind of protocol message this AuthnHeader represents. Its value is protoMsgType-AUTHN-HEADER.

authnHdr-Flags

Selected authentication header options. The AuthnHeaderFlags data type is defined in Authentication Header Flags . In Client Sends Authentication Header , when a client creates an authentication header its options are considered to be deselected by default unless they are explicitly selected.

authnHdr-Tkt
The ticket, Tkt_A,B, associated with the client-server session that this authentication header is authenticating.
authnHdr-EncryptedAuthnr
The encryption type (encData-EncType), key version number (encData-KeyVersNum) and ciphertext (encData-CipherText) encryption of (the underlying BER-encoded bit-string of) the authenticator (of type Authenticator) associated with the client-server session that this authentication header is authenticating. The "pre-encrypted" plaintext of this field (which is a value of the data type Authenticator) is denoted by authnHdr-EncryptAuthnr.

Of course, it is the final two fields that are the most significant -and for that reason, an authentication header is sometimes referred to as a "ticket and authenticator" (both of which are cryptographically protected).

Authentication Header Flags

[RFC 1510: 5.2, 5.5.1]

The options that may be selected by an authentication header (that is, specified by the client A named by Tkt_A,B (authnHdr-Tkt), or interpreted by the targeted server B) are represented by the AuthnHeaderFlags data type, which is defined as follows:

 

AuthnHeaderFlags ::= BIT STRING {
        authnHdr-UseSessionKey  (1),
        authnHdr-MutualRequired (2)
}

The semantics of these bits are that if a value of type AuthnHeaderFlags has the corresponding bit set then the option is selected; if the bit is reset, the option is deselected. The bits represent the following options (bits not currently specified are reserved for future usage):

authnHdr-UseSessionKey
Usually (that is, if this option is deselected), Tkt_A,B is protected with B's long-term key, K_B. But if this option is selected, then the Tkt_A,B (authnHdr-Tkt) in this authentication header is protected with a session key, K^*, carried in an auxiliary (ticket-granting-)ticket targeted to B, Tkt^*. For more explanation, see The use-session-key Option (however, the explanation there is slight, since the use-session-key option is not used in the internal KDS protocol).
authnHdr-MutualRequired
A expects B to return a reverse-authentication header (of data type RevAuthnHeader), thereby completing mutual authentication by "authenticating the server to the client" (see Reverse-Authentication Headers ).

The use-session-key Option

[RFC 1510: 3.2.3]

The use-session-key option is not used anywhere in DCE. therefore a detailed explanation of it would lead too far afield and is not appropriate here. However, a rough explanation of how it might be used at application level is given in this section, as an indication of its potential. Such an application-level usage is said to be a "user-to-user authentication protocol". (In this section a shorthand notation is used; for example, omitting ticket fields that are unnecessary for the purposes here.)

Recall (see Kerberos Key Distribution (Authentication) Service (KDS) ) that the basic Kerberos protocol for a client A to authenticate to a server B begins by having the client A obtain a session key K_A,KDS and a ticket, Tkt_A,KDS, from the AS, and then proceeds with the following series of exchanges (retaining here only those terms that are critical to the discussion at hand):

A -> TGS: B, Tkt_A,KDS
A < TGS: {B, K_A,B} Kx^[^^]'1xu'_A,KDS, Tkt_A,B
A -> B: Tkt_A,B
··· and so on, ···

where Tkt_A,B = {A, K_A,B}K_B. The main point to focus on for the purposes of this discussion is that Tkt_A,B is protected with the long-term key K_B of B. This requires, in order for B to be able to decrypt Tkt_A,B, that B "knows" (has access to) its long-term key. But the requirement of having its long-term key readily accessible could be a risk for B, especially if the machine on which B runs is not physically secured (for example, a "public workstation").

The above protocol can be modified so that Tkt_A,B is replaced by another ticket, Tkt^*_A,B, which is protected with a short-term (session) key (whose compromise represents a much smaller risk), K^* = K_B,KDS, as follows. Suppose that A has obtained a copy of B's (ticket-granting-)ticket, Tkt_B,KDS, (= {B, K_B,KDS}K_KDS); note this is not a security risk to A or B, and the manner of A's obtaining B's ticket need not be secure -for example, B might have sent a copy of Tkt_B,KDS to A, or B might have "published" its Tkt_B,KDS in a public place (such as in a directory service datastore) and A retrieved a copy of it. Then the required protocol can be achieved by:

A -> TGS: B, Tkt_A,KDS, Tkt_B,KDS
A < TGS: {K_A,B} Kx^[^^]'1xu'_A,KDS, Tkt^*_A,B
A -> B: Tkt^*_A,B
··· and so on, ···

where Tkt_B,KDS (also denoted "Tkt^*", without subscripts, in this context) is an "additional ticket" (trusted by B) that conveys to the KDS (via the use-session-key option) the session key K_B,KDS (also denoted "K^*", without subscripts, in this context) that is used to protect Tkt^*_A,B; that is, Tkt^*_A,B = {A, K_A,B}K^*.

As presented in this brief discussion, the advantage of using Tkt^*_A,B instead of Tkt_A,B is by no means apparent. But it becomes a powerful tool when embedded in an overall architecture of so-called secret-key certificates (as opposed to public-key certificates), here implemented as tickets used in new ways, because it permits many of the advantages of public-key protocols to be implemented using secret-key encryption. The deeper exploration of this is, however, beyond the scope of this specification.

Reverse-Authentication Headers

[RFC 1510: 5.5.2]

Reverse-authenticator headers are represented by the RevAuthnHeader data type, which is defined as follows (where APPLICATION 15 indicates protoMsgType-REVAUTHN-HEADER-see Registered Protocol Message Types ):

 

RevAuthnHeader ::= [APPLICATION 15] SEQUENCE {
        revAuthnHdr-ProtoVersNum  [0] ProtocolVersionNumber,
        revAuthnHdr-ProtoMsgType  [1] ProtocolMessageType,
        revAuthnHdr-EncryptedPart [2] EncryptedData
}

Its semantics are that it supplies the reverse authentication information that actually "authenticates a server B to a client A", by extracting certain information from a corresponding authentication header (that the client trusts is only accessible by the legitimate server) and returning it (securely) to the client. Its fields are the following:

revAuthnHdr-ProtoVersNum
The protocol version number of the RevAuthnHeader data type. Its value is protoVersNum-KRB5.
revAuthnHdr-ProtoMsgType
The kind of protocol message this RevAuthnHeader represents. Its value is protoMsgType-REVAUTHN-HEADER.
revAuthnHdr-EncryptedPart
The encryption type (encData-EncType), key version number (encData-KeyVersNum) and ciphertext (encData-CipherText) encryption of (the underlying BER-encoded bit-string of) a value of type RevAuthnHeaderEncryptPart, which is defined in Part of Reverse-authentication Header to be Encrypted . The "pre-encrypted" plaintext of this field (which is a value of the data type RevAuthnHeaderEncryptPart) is denoted by revAuthnHdr-EncryptPart.

Part of Reverse-authentication Header to be Encrypted

[RFC 1510: 5.5.2]

The part of a reverse-authentication header to be encrypted is represented (before it is encrypted) by the RevAuthnHeaderEncryptPart data type, which is defined as follows:

 

RevAuthnHeaderEncryptPart ::= [APPLICATION 27] SEQUENCE {
        revAuthnHdr-ClientTime      [0] TimeStamp,
        revAuthnHdr-ClientMicroSec  [1] MicroSecond,
        revAuthnHdr-ConversationKey [2] EncryptionKey OPTIONAL,
        revAuthnHdr-SeqNum          [3] SequenceNumber OPTIONAL
}

Its fields are the following:

revAuthnHdr-ClientTime

The corresponding authentication header's client timestamp (authnr-ClientTime).

revAuthnHdr-ClientMicroSec

The corresponding authentication header's client microsecondstamp (authnr-ClientMicroSec).

revAuthnHdr-ConversationKey
B's choice of a conversation key, Kx^^'1xu'_A,B, indicating that B prefers this key to be used to protect client-server communications instead of either the session key K_A,B in the corresponding authentication header's Tkt_A,B (tkt-SessionKey), or the client's choice of conversation key K^_A,B (authnr-ConversationKey) if present, as part of conversation key negotiation between A and B.
revAuthnHdr-SeqNum
B's indication of sequence number. It is equal to the authnr-SeqNum field of the corresponding authentication header (or is absent if that field was omitted).

KDS (AS and TGS) Requests

[RFC 1510: 5.4.1]

AS Requests are represented by the ASRequest data type, and TGS Requests are represented by the TGSRequest data type. These are defined in terms of a common underlying data type, KDSRequest, as follows (where APPLICATION 10 indicates protoMsgType-AS-REQUEST, and APPLICATION 12 indicates protoMsgType-AS-RESPONSE-see Registered Protocol Message Types ):

 

ASRequest ::= [APPLICATION 10] KDSRequest
TGSRequest ::= [APPLICATION 12] KDSRequest

KDSRequest ::= SEQUENCE {
        req-ProtoVersNum [1] ProtocolVersionNumber,
        req-ProtoMsgType [2] ProtocolMessageType,
        req-AuthnData    [3] SEQUENCE OF AuthnData OPTIONAL,
        req-Body         [4] KDSRequestBody
}

Its semantics are to indicate a calling client A's request to a KDS server KDS_Z to return a Tkt_A,B targeted to a server B (where B may be another KDS server, KDS_Z´). KDS servers (such as KDS_Z) support requests for the following two distinct kinds of services:

Request for a "(manipulated) old" Tkt

(Re-)issue a ticket that has substantially previously existed, by manipulating a presented ticket (in req-AuthnData). (A rigorous definition is given in Client Sends TGS Request .) The old ticket may be of almost any type (the exception being that ticket-granting-tickets cannot be proxied), and the manipulation may be any one of the following:

Validation
Validate an (invalid) ticket.
Renewal
Renew a (renewable) ticket.
Forwarding
Forward a (forwardable) (ticket-granting- or service-)ticket.
Proxying
Proxy a (proxiable) (non-ticket-granting-)service-ticket.

Note:: Some implementations may support the simultaneous combination of proxying and fowarding, because these do not really conflict with one another, but other combinations are more problematic (validation conflicts with forwarding/proxying, renewal conflicts with validation/fowarding/proxying), so an implementation that supported those combinations would have to specify their semantics (in an implementation-specific manner).

Request for a "new" ticket

Issue a ticket that hasn't substantially previously existed. (A rigorous definition is given in Client Sends TGS Request .) The new ticket may of any type (initial or subsequent, ticket-granting-ticket or service-ticket).

The fields of KDSRequest are the following:

req-ProtoVersNum
The protocol version number of the KDSRequest data type. Its value is protoVersNum-KRB5.
req-ProtoMsgType
The kind of protocol message this KDSRequest represents. If this is an AS Request, its value is protoMsgType-AS-REQUEST; if a TGS Request, it is protoMsgType-TGS-REQUEST.
req-AuthnData
This KDS Request's authentication data-it has different semantics depending on exactly what kind of KDS Request this is:
1. If this is an AS Request, this field is not present (currently -if it were present, it would be called "pre-authentication" data).
2. If this is a TGS Request for a new ticket, this field authenticates the calling client A to the KDS server KDS_Z, by containing one element of authentication data of type (authnData-Type) authnData-TGS-REQ, whose value (authnData-Value) contains (therefore) a ticket and an authentication header (value of type AuthnHeader) whose checksum (authnr-Cksum) contains the checksum of req-Body (see Client Sends TGS Request ).
3. If this is a TGS Request for an old ticket, this field contains the old ticket that is to be manipulated.
req-Body
The body bgcolor="#FFFFFF" of this KDSRequest, of type KDSRequestBody, which is defined in KDS Request Body .

KDS Request Body

[RFC 1510: 5.4.1]

KDS Request message bodies are represented by the KDSRequestBody data type, which is defined as follows:

 

KDSRequestBody ::= SEQUENCE {
        req-Flags              [ 0] KDSRequestFlags,
        req-ClientName         [ 1] RSName OPTIONAL,
        req-ServerCell         [ 2] CellName,
        req-ServerName         [ 3] RSName,
        req-StartTime          [ 4] TimeStamp OPTIONAL,
        req-ExpireTime         [ 5] TimeStamp,
        req-MaxExpireTime      [ 6] TimeStamp OPTIONAL,
        req-Nonce              [ 7] Nonce,
        req-EncTypes           [ 8] SEQUENCE OF EncryptionType,
        req-ClientAddrs        [ 9] HostAddresses OPTIONAL,
        req-EncryptedAuthzData [10] EncryptedData OPTIONAL,
        req-AdditionalTkts     [11] SEQUENCE OF Ticket OPTIONAL
}

Its fields are the following:

req-Flags

KDS options selected by this KDS Request (requested by the calling client A, or interpreted by the KDS server KDS_Z). The KDSRequestFlags data type is defined in KDS Request Flags . (In Client Sends AS Request to KDS and Client Sends TGS Request , when a client creates a KDS request its options are considered to be deselected by default unless they are explicitly selected.)

req-ClientName

A's RS name in its cell.

Note:: There is no field in KDSRequestBody for A's cell name -it is unnecessary according to the AS and TGS Request/Response protocols.)

req-ServerCell

B's cell.

req-ServerName

B's RS name in its cell.

req-StartTime

A's desired start time for a new postdated ticket.

req-ExpireTime

A's desired expiration time for a new ticket. The particular value endOfTimeStamp (see Timestamps, Microseconds, and Clock Skew ) is interpreted specially by the KDS server, namely as a request for a ticket with the largest expiration time it will issue, according to its policy.

Note:: This interpretation of endOfTimeStamp is not in RFC 1510.)

req-MaxExpireTime

A's desired absolute expiration time for a new renewable ticket.

Note:: For this field, endOfTimeStamp does not have a special interpretation.)

req-Nonce

Nonce generated by A (to be returned in KDS Response, defined in KDS (AS and TGS) Responses ).

req-EncTypes

A list of A's preferences of encryption types to be used to protect a new ticket.

req-ClientAddrs

A's desired client host addresses for a new (potentially proxiable and/or forwardable) ticket.

req-EncryptedAuthzData

The encryption type (encData-EncType), key version number (encData-KeyVersNum) and ciphertext (encData-CipherText) encryption of (the underlying BER-encoded bit-string of) a value of type AuthzData. It is used to indicate A's request for authorisation data. If this is an AS Request, it is not present. (See Client Sends TGS Request and Client Sends PTGS Request for its use with the PS.) The "pre-encrypted" plaintext of this field (a value of the data type AuthzData) is denoted by req-EncryptAuthzData.

req-AdditionalTkts
Additional tickets, to be used in conjunction with this KDS Request's selected KDS options (req-Flags) which require such additional tickets. Each option that requires an additional ticket requires exactly one such additional ticket, and the list req-AdditionalTkts is in one-to-one correspondence with such selected option(s), in the same order as the ordinal number(s) of such selected option(s). Currently, there is only one option that requires an additional ticket: the use-session-key option (req-UseSessionKey), which requires a Tkt^* to carry the session key K^* indicated by the option (see Authentication Header Flags ). (Additional tickets are not used in the internal KDS protocol.)

KDS Request Flags

[RFC 1510: 5.2, 5.4.1]

The options that may be requested in a KDS Request are represented by the KDSRequestFlags data type, which is defined as follows:

 

KDSRequestFlags ::= BIT STRING {
        req-Forwardable   ( 1),
        req-Forward       ( 2),
        req-Proxiable     ( 3),
        req-Proxy         ( 4),
        req-Postdatable   ( 5),
        req-Postdate      ( 6),
        req-Renewable     ( 8),
        req-RenewableOK   (27),
        req-UseSessionKey (28),
        req-Renew         (30),
        req-Validate      (31)
}

The semantics of these bits are that if a value of type KDSRequestFlags has the corresponding bit set then the option is selected; if the bit is reset, the option is deselected. The bits represent the following options (bits not currently specified are reserved for future usage):

req-Forwardable
New ticket is to be forwardable.
req-Forward
Old ticket is to be forwarded.
req-Proxiable
New ticket is to be proxiable.
req-Proxy
Old ticket is to be proxied.
req-Postdatable
New ticket is to be postdatable.
req-Postdate
New ticket is to be postdated.
req-Renewable
New ticket is to be renewable.
req-RenewableOK
New ticket is preferred to be non-renewable and have A's desired maximum lifetime, but if KDS_Z declines to issue such a ticket then A will accept a renewable ticket whose maximum lifetime is as close as possible to (but not exceeding) the desired maximum lifetime.
req-UseSessionKey
New ticket is to be protected with the session key (tkt-SessionKey) of a presented additional ticket (req-AdditionalTkts), instead of with B's long-term key. In order to use this option, A must somehow acquire possession of an appropriate additional ticket. Internally (in the KDS protocols), this option is not used.
req-Renew
Old ticket is to be renewed.
req-Validate
Old ticket is to be validated.

KDS (AS and TGS) Responses

[RFC 1510: 5.4.2]

AS Responses are represented by the ASResponse data type, and TGS Responses are represented by the TGSResponse data type. These are defined in terms of a common underlying data type, KDSResponse, which is defined as follows (where APPLICATION 11 indicates protoMsgType-TGS-REQUEST, and APPLICATION 13 indicates protoMsgType-TGS-RESPONSE-see Registered Protocol Message Types ):

 

ASResponse ::= [APPLICATION 11] KDSResponse
TGSResponse ::= [APPLICATION 13] KDSResponse

KDSResponse ::= SEQUENCE {
        resp-ProtoVersNum  [0] ProtocolVersionNumber,
        resp-ProtoMsgType  [1] ProtocolMessageType,
        resp-AuthnData     [2] AuthnData OPTIONAL,
        resp-ClientCell    [3] CellName,
        resp-ClientName    [4] RSName,
        resp-Tkt           [5] Ticket,
        resp-EncryptedPart [6] EncryptedData
}

Its semantics are to indicate the called KDS_Z's response to a client A's request for a ticket. Its fields are the following:

resp-ProtoVersNum
The protocol version number of the KDSResponse data type. Its value is protoVersNum-KRB5.
resp-ProtoMsgType
The kind of protocol message this KDSResponse represents. If this is an AS Response, its value is protoMsgType-AS-RESPONSE; if a TGS Response, it is protoMsgType-TGS-RESPONSE.
resp-AuthnData
This KDS Response's authentication data. It is used to return information to A. (See PS Server Receives PTGS Request and Sends PTGS Response for its use with the PS, where it is actually used to return authorisation data, not "authentication data".)
resp-ClientCell
A's cell.
resp-ClientName
A's RS name in its cell.
resp-Tkt
The issued ticket. If this is an AS Response, it is an initial ticket. If this is a TGS Response, it is a subsequent ticket, and it is a new or old ticket depending on the TGS Request options selected. A KDS server KDS_Z always returns a ticket whose named client is the requested one (however in the case of an AS Request, which is unauthenticated, the message itself could be modified in transit, so the message A sends may not be the message KDS_Z receives). It also usually returns a ticket whose targeted server B is the requested one, the only exception being in the case that B's home cell is not Z, in which KDS_Z returns a special cross-cell referral ticket (see Client Sends TGS Request and KDS Server Receives TGS Request and Sends TGS Response ).
resp-EncryptedPart
The encryption type (encData-EncType), key version number (encData-KeyVersNum) and ciphertext (encData-CipherText) encryption of (the underlying BER-encoded bit-string of) a value of type KDSResponseEncryptPart, which is defined in Part of KDS Response to be Encrypted . The "pre-encrypted" plaintext of this field (a value of the data type KDSResponseEncryptPart) is denoted by resp-EncryptPart.

Part of KDS Response to be Encrypted

[RFC 1510: 5.4.2]

The encrypted data carried in a KDS Response is represented (before it is encrypted) by the KDSResponseEncryptPart data type, which is defined as follows:

 

ASResponseEncryptPart ::= [APPLICATION 25] KDSResponseEncryptPart
TGSResponseEncryptPart ::= [APPLICATION 26] KDSResponseEncryptPart

KDSResponseEncryptPart ::= SEQUENCE {
        resp-SessionKey    [ 0] EncryptionKey,
        resp-LastRequests  [ 1] LastRequests,
        resp-Nonce         [ 2] Nonce,
        resp-KeyExpireDate [ 3] TimeStamp OPTIONAL,
        resp-Flags         [ 4] TicketFlags,
        resp-AuthnTime     [ 5] TimeStamp,
        resp-StartTime     [ 6] TimeStamp OPTIONAL,
        resp-ExpireTime    [ 7] TimeStamp,
        resp-MaxExpireTime [ 8] TimeStamp OPTIONAL,
        resp-ServerCell    [ 9] CellName,
        resp-ServerName    [10] RSName,
        resp-ClientAddrs   [11] HostAddresses OPTIONAL
}

Its fields are the following. Note that most of this duplicates information that is present in the enclosed Tkt_A,B (resp-Tkt), so that A can check its conformance to what it had requested in the corresponding KDS Request (A cannot actually decrypt Tkt_A,B itself, unless A happens to know the long-term key of the targeted server B). (The only information in Tkt_A,B that is not repeated in KDSResponseEncryptPart are its transit path and authorisation data.)

resp-SessionKey

Duplicate of resp-Tkt's session key (tkt-SessionKey).

resp-LastRequests

Last request information that KDS_X (A's home KDS server) has pertaining to client A. Typically only usefully present in an AS Response. It is legal in a TGS Response (in fact, it's not an optional field, though implementations typically support a policy of returning only an empty array of resp-LastRequests in TGS Responses), and some implementations may indeed return last request information in TGS Responses, but it's not normally useful there-the last request information is normally intended to be displayed to the user, for example, at login-time, but most service-level applications do not do that.

resp-Nonce

Copy of the corresponding KDS Request's nonce (req-Nonce).

resp-KeyExpireDate

The time at which A's long-term key K_A (of the selected encryption type, held in RS_X) is scheduled to expire; that is, later than which (modulo maxClockSkew) KDS_X (A's home KDS server) will not use it for protecting AS Responses and tickets targeted to A (which are the only data KDS servers protect with long-term keys). This supports principal long-term key management (subject to local policy). Typically only present in AS Responses, not TGS Responses.

resp-Flags

Duplicate of resp-Tkt's ticket flags (tkt-Flags).

resp-AuthnTime

Duplicate of resp-Tkt's authentication time (tkt-AuthnTime).

resp-StartTime

Duplicate of resp-Tkt's start time, if present (tkt-StartTime).

resp-ExpireTime

Duplicate of resp-Tkt's expiration time (tkt-ExpireTime).

resp-MaxExpireTime

Duplicate of resp-Tkt's absolute expiration time, if present (tkt-MaxExpireTime).

resp-ServerCell

B's cell.

resp-ServerName

B's RS name in its cell.

resp-ClientAddrs

Duplicate of resp-Tkt's client host addresses, if present (tkt-ClientAddrs).

KDS Errors

[RFC 1510: 5.9.1]

KDS Errors are represented by the KDSError data type, which is defined as follows (where APPLICATION 30 indicates protoMsgType-KDS-ERROR -see Registered Protocol Message Types ):

 

KDSError ::= [APPLICATION 30] SEQUENCE {
        err-ProtoVersNum   [ 0] ProtocolVersionNumber,
        err-ProtoMsgType   [ 1] ProtocolMessageType,
        err-ClientTime     [ 2] TimeStamp OPTIONAL,
        err-ClientMicroSec [ 3] MicroSecond OPTIONAL,
        err-ServerTime     [ 4] TimeStamp,
        err-ServerMicroSec [ 5] MicroSecond,
        err-StatusCode     [ 6] ErrorStatusCode,
        err-ClientCell     [ 7] CellName OPTIONAL,
        err-ClientName     [ 8] RSName OPTIONAL,
        err-ServerCell     [ 9] CellName,
        err-ServerName     [10] RSName,
        err-StatusText     [11] ErrorStatusText OPTIONAL,
        err-StatusData     [12] ErrorStatusData OPTIONAL
}

Its semantics are that it indicates diagnostic information returned from a server C to a calling client A concerning a failed (in the security sense) service request. The primary usage is when C is a KDS server KDS_Z, but it can also be used by applications if they so desire. In any case, KDS Error messages are unprotected, therefore the information carried in them must be viewed with suspicion in a hostile environment. Its fields are the following:

err-ProtoVersNum
The protocol version number of this KDSError data type. Its value is protoVersNum-KRB5.
err-ProtoMsgType
The kind of protocol message this KDSError represents. Its value is protoMsgType-KDS-ERROR.
err-ClientTime
A's timestamp from accompanying authenticator (authnHdr-EncryptAuthnr.authnr-ClientTime), if present. Otherwise, it is absent.
err-ClientMicroSec
A's microsecondstamp from accompanying authenticator (authnHdr-EncryptAuthnr.authnr-ClientMicroSec), if present. Otherwise, it is absent.
err-ServerTime
C's system time at which the error occurred.
err-ServerMicroSec
C's system microsecond time at which the error occurred.
err-StatusCode
Status code identifying the kind of error that occurred.
err-ClientCell
A's cell from accompanying ticket (tkt-EncryptPart.tkt-ClientCell), if present (not from accompanying authenticator, authnHdr-EncryptAuthnr.authnr-ClientCell, if present). Otherwise, it is absent.
err-ClientName
A's RS name from accompanying ticket (tkt-EncryptPart.tkt-ClientName, if present (not from accompanying authenticator, authnHdr-EncryptAuthnr.authnr-ClientName, if present). Otherwise, it is absent.
err-ServerCell
C's cell.
err-ServerName
C's RS name in its cell.
err-StatusText
Status text associated to err-StatusCode.
err-StatusData
Status data associated to err-StatusCode.

RS Information

[RFC 1510: 4]

Every KDS_Z requires access to certain (non-volatile) information. Such information is held in the RS_Z datastore, not in the KDS_Z itself. RS_Z maintains local cell-wide property and policy information, as well as information pertaining to individual principals, relevant to KDS_Z's processing of KDS Requests (below). These information items, together with the KDS Error status code values associated with them, are the following:

Cell name

This cell's name.

KDS server's RS name

RS name of the KDS server in this cell. If the cell name of this cell Z is, say, cellZ, then the RS_Z name of KDS_Z is krbtgt/cellZ.

Supported protocol version numbers

The protocol version numbers supported by KDS_Z {errStatusCode-BAD-PROTO-VERS-NUM}.

Supported authentication methods

The authentication methods supported by KDS_Z {errStatusCode-BAD-AUTHN-METHOD}.

Supported authentication data types

The authentication data types supported by KDS_Z {errStatusCode-AUTHN-DATA-TYPE-NOT-SUPPORTED}.

Supported transit path types

The transit path types supported by KDS_Z {errStatusCode-TRANSIT-PATH-TYPE-NOT-SUPPORTED}.

Supported encryption key types

The encryption key types supported by KDS_Z.

Supported encryption types

The encryption types supported by KDS_Z.

Supported checksum types

The checksum types supported by KDS_Z {errStatusCode-CHECKSUM-TYPE-NOT-SUPPORTED, errStatusCode-BAD-CHECKSUM-TYPE}.

Per-end-principal RS names

Entries for end-principals (that is, non-KDS-principals) stored in RS_Z's datastore.

Per-foreign-KDS RS names
Entries for KDS principals KDS_Z,Z´ from foreign cells Z´ cross-registered with cell Z. If the cell name of foreign cell Z´ is, say, cellZ´, then the RS_Z name of KDS_Z,Z´ is krbtgt/cellZ´ {errStatusCode-NOT-US}.
Per-principal long-term key(s), with version numbers
One (or more, as distinguished by their key version numbers) key(s) for each encryption type supported. "The" key (modulo its version number, and eliding the encryption type from the notation) for principal C and is denoted K_C {errStatusCode-CLIENT-OLD-MASTER-KEY-VERS-NUM, errStatusCode-SERVER-OLD-MASTER-KEY-VERS-NUM, errStatusCode-NULL-KEY, errStatusCode-SERVER-NO-KEY, errStatusCode-BAD-KEY-VERS-NUM}.
Per-principal "salt"
Information used by principals to use in combination with their passwords (which are not, in general, stored in the RS datastore), in order to derive their long-term keys (see Registered Password-to-Key Mappings ).
Conversation key negotiation
Boolean indicating whether KDS_Z will accept client-supplied (in authentication headers, authnHdr-EncryptAuthnr.authnr-ConversationKey) conversation keys be used to protect client-KDS sessions, or KDS_Z will insist on supplying them itself (in reverse-authentication headers, revAuthnHdr-ConversationKey).
Maximum clock skew
Value(s) (certainly a cell-value one, though potentially also per-principal values) of maxClockSkew (see Timestamps, Microseconds, and Clock Skew ), such that the authentication protocols specified herein fail if the KDS (or PS) encounter a timestamp from a principal whose clock skew compared to the KDS's (or PS's) clock exceeds maxClockSkew {errStatusCode-CLOCK-SKEW}.
Per-principal long-term key(s) expiration dates(s)
The time later than which (modulo maxClockSkew) KDS_Z will not use a principal's long-term key for protecting AS Responses and tickets targeted to C (which are the only data KDS servers protect with long-term keys).
Postdatability permitted
Boolean indicating whether or not KDS_Z will issue new postdatable or postdated tickets {errStatusCode-CANNOT-POSTDATE}.
Renewability permitted
Boolean indicating whether or not KDS_Z will issue new renewable tickets.
Proxiability permitted
Boolean indicating whether or not KDS_Z will issue new proxiable tickets.
Forwardability permitted
Boolean indicating whether or not KDS_Z will issue new forwardable tickets.
Cell-wide minimum ticket lifetime
Minimum lifetime for which KDS_Z will issue a new ticket. (A ticket request that would result in a ticket with a lifetime less than this minimum will be rejected by the KDS.) {errStatusCode-NEVER-VALID}.
Cell-wide default ticket-granting-ticket lifetime
Default lifetime for which KDS_Z will issue a new ticket-granting-ticket.
Cell-wide maximum ticket lifetime
Maximum lifetime for which KDS_Z will issue a new ticket.
Per-principal maximum ticket lifetime
Maximum lifetime for which KDS_Z will issue a new ticket naming or targeting a principal C.
Cell-wide postdate maximum
Furthest date in the future for which KDS_Z will issue a postdatable ticket naming or targeting a principal C.
Per-principal postdate maximum
Furthest date in the future for which KDS_Z will issue a postdatable ticket.
Cell-wide maximum renewable ticket lifetime
Maximum lifetime for which KDS_Z will issue a new renewable ticket (if it issues new renewable tickets at all).
Per-principal maximum renewable ticket lifetime
Maximum lifetime for which KDS_Z will issue a new renewable ticket naming or targeting a principal C (if it issues new renewable tickets at all).
Client addresses
Boolean indicating whether KDS_Z requires client addresses (tkt-ClientAddrs) to be present in all tickets.
Per-principal last request(s)
Last request(s) information maintained for C, per local policy.
Replay cache
Replay cache used by KDS_Z (see Authenticators ) {errStatusCode-REPLAY}.
Hot list (revocation) information
Information about (potentially) compromised entities (clients, servers, tickets, and so on), which have therefore been revoked (no longer supported by the security services). These entities comprise RS_Z's hot list. For example, whenever a hot-listed (revoked) ticket is presented to KDS_Z in (the req-AuthnData field of) a TGS Request, KDS_Z will refuse to honour it. (Note that when a ticket's maximum expiration time has passed, KDS_Z will not honour it under any circumstances, so there is no need to keep such tickets on the hot list.) {errStatusCode-CLIENT-REVOKED, errStatusCode-SERVER-REVOKED, errStatusCode-TKT-REVOKED}.
Next hops
Information about what cell a client should visit next (among those cross-registered with Z) if the server requested by the client in a TGS Request is not registered in RS_Z. There are various (policy-dependent) strategies for determining next hops. For example, some links may be more trusted than others, hence more suitable for some purposes than others.
A common next hop strategy is the following up-over-down algorithm. If the server requested by a client is not registered in Z, then the next hop is:
1. the server's cell, if Z holds a direct cross-registration to the server's cell, otherwise
2. the first ancestor cell (in the namespace sense) of the server's cell which is cross-registered with Z, if Z holds such a cross-registration, otherwise
3. the parent cell of Z, if Z holds a cross-registration with it.

AS Request/Response Processing

[RFC 1510: 1, 3.1]

This section specifies in detail the processing that occurs during an AS Request/Response exchange; that is, this section specifies the issuing of new initial tickets. There are three steps involved:

A client prepares an AS Request and sends it to a KDS server.
A KDS server receives the AS Request from a client, processes it, prepares an AS Response (success case) or KDS Error (failure case), and returns that to the client.
A client receives an AS Response or KDS Error.

The details of the three steps of the success case are specified next. (For the failure case, see KDS Error Processing .)

Client Sends AS Request to KDS

[RFC 1510: 3.1.1, A.1]

Consider a client A that wants to obtain an initial ticket, Tkt_A,B, from KDS_X, where X is A's home cell. (Usually, though not necessarily, an initial ticket is a ticket-granting-ticket; that is, the target server B will usually be KDS_X itself. In any case, B must be in cell X, or the AS Request will fail.) Then A prepares an AS Request, asReq (a value of the data type ASRequest), and "sends it" (that is, calls kds_request()) to KDS_X, according to the following algorithm. Note that it is A's responsibility to know (or to securely determine) all the information necessary to correctly formulate the AS Request message-especially, KDS_X's cell name and RS name (that's why "well-known principal names" (involving the component krbtgt) are used for KDS servers), as well as the RS names of A itself and of B. Since the AS Request is unauthenticated, KDS_X cannot know with certainty the principal identity of this calling client, A-in particular, A may request (or its request may be modified in transit) that the initial ticket in question be issued "in the name of" (that is, name) a client A´ other than A itself (though in that case the resulting Tkt_A´,KDSX will be unusable by A, unless A knows A´'s long-term key-except perhaps for cryptanalysis; for example, for an "offline dictionary attack").

Protocol version number

The protocol version number (asReq.req-ProtoVersNum) is set to protoVersNum-KRB5.

Protocol message type

The protocol message type (asReq.req-ProtoMsgType) is set to protoMsgType-AS-REQUEST.

Client name

The client name (asReq.req-Body.req-ClientName) is set to A's RS name in RS_X.

Server cell

The server cell (asReq.req-Body.req-ServerCell) is set to KDS_X's cell name; that is, to the name of the cell X, say cellX. This is also A's cell name-a KDS server can issue initial tickets naming only clients in its own cell, and targeted only to servers in its own cell.

Server name

The server name (asReq.req-Body.req-ServerName) is set to B's RS name in its cell. (In the usual case of an AS Request for an initial ticket-granting-ticket; that is, B = KDS_X, this RS name will be krbtgt/cellX, assuming that the cell name is cellX).

Options

Forwardable
If A desires that Tkt_A,B be forwardable, the forwardable option (asReq.req-Body.req-Flags.req-Forwardable) is selected.

Proxiable
If A desires that Tkt_A,B be proxiable, the proxiable option (asReq.req-Body.req-Flags.req-Proxiable) is selected.

Postdatable
If A desires that Tkt_A,B be postdatable, the postdatable option (asReq.req-Body.req-Flags.req-Postdatable) is selected.

Postdate
If A desires that Tkt_A,B be postdated, the postdate option (asReq.req-Body.req-Flags.req-Postdate) is selected.

Renewable
If A desires that Tkt_A,B be renewable, the renewable option (asReq.req-Body.req-Flags.req-Renewable) is selected.

Renewable-okay
If A does not desire that Tkt_A,B be renewable, but A will nevertheless accept a renewable Tkt_A,B with a shorter lifetime than desired in lieu of no Tkt_A,B at all, then the renewable-okay option (asReq.req-Body.req-Flags.req-RenewableOK) is selected.

Other; use-session-key, validate, renew, proxy, forward
All of asReq's options that have not been selected by any of the above steps are deselected. Currently, these include the use-session-key (asReq.req-Body.req-Flags.req-UseSessionKey), validate (asReq.req-Body.req-Flags.req-Validate), renew (asReq.req-Body.req-Flags.req-Renew), proxy (asReq.req-Body.req-Flags.req-Proxy) and forward (asReq.req-Body.req-Flags.req-Forward) options.
Start time
If the postdate option for Tkt_A,B has been selected, then the start time (asReq.req-Body.req-StartTime) is set to the desired starting time. Otherwise, the start time is omitted.
Expiration time
The expiration time (asReq.req-Body.req-ExpireTime) is set to the desired expiration time for Tkt_A,B.
Maximum expiration time
If the renewable option has been selected, then the maximum expiration time (asReq.req-Body.req-MaxExpireTime) is set to the desired maximum expiration time for Tkt_A,B. Otherwise, the maximum expiration time is omitted.
Additional tickets
The additional tickets field (asReq.req-Body.req-AdditionalTkts) is omitted.
Nonce
The nonce field (asReq.req-Body.req-Nonce) is set to a nonce value.
Encryption types
The encryption types field (asReq.req-Body.req-EncTypes) is set to the list of encryption types acceptable to A for protecting Tkt_A,B. A arranges this list in priority order of desirability (from A's point of view), beginning with the most desirable and ending with the least desirable. (For maximum interoperability, the client A should send a list consisting of a single entry, indicating encryption type encType-DES-CBC-CRC, since all KDS servers are required to support clients requesting that single encryption type- at least for the present revision of this document.)
Client addresses
If A desires that Tkt_A,B contain client host addresses, then the client address field (asReq.req-Body.req-ClientAddrs) is set to the desired addresses. Otherwise, the client address field is omitted. In the present revision of DCE, clients must supply at least one address, or else the KDS will reject the AS Request.
Authorisation data
The authorisation data field (asReq.req-Body.req-EncryptedAuthzData) is omitted.
Authentication data
The (pre-)authentication data (asReq.req-AuthnData) is (currently) omitted.

At this point, the asReq message is well-formed, and A sends it to KDS_X.

KDS Server Receives AS Request and Sends AS Response

[RFC 1510: 2.1, 3.1.2, 3.1.3, A.2]

Consider an AS Request, asReq, received by KDS_X. That is, asReq is a value of type ASRequest, with protocol version number (asReq.req-ProtoVersNum) protoVersNum-KRB5 and protocol message type (asReq.req-ProtoMsgType) protoMsgType-AS-REQUEST. Denote by A the client requested (asReq.req-Body.req-ClientName) to be named in the to-be-issued initial Tkt_A,B. Then KDS_X executes the algorithm below. If the algorithm executes successfully, KDS_X prepares an AS Response (asResp, of type ASResponse) containing the newly issued initial Tkt_A,B (asResp.resp-Tkt) and "returns" it (that is, returns from the kds_request() invocation) to the calling client (which may be different from the requested client, A). If unsuccessful, KDS_X prepares a KDS Error (kdsErr, of type KDSError) and returns it to the calling client.

The following algorithm first discusses how KDS_X constructs Tkt_A,B-also denoted asTkt when the emphasis is on the details of AS Request processing-and then how it constructs the rest of the AS Response, asResp.

Authentication data processing

The (pre-)authentication data (asReq.req-AuthnData) is processed according to local policy (typically, it is absent).

Protocol version number

The new initial ticket's protocol version number (asTkt.tkt-ProtoVersNum) is set to protoVersNum-KRB5.

Server cell

The requested server cell name (asReq.req-Body.req-ServerCell) is checked to be X's cell name. (This is because KDS_X can issue initial tickets naming only clients in its own cell, since it must have access to their long-term key, with which it will protect asResp.)

Server name

The requested server name (asReq.req-Body.req-ServerName) is checked to be KDS_X's RS name. KDS_X copies this into the new initial ticket's server name (asTkt.tkt-ServerName). KDS_X also checks that it itself has a datastore entry in RS_X {errStatusCode-SERVER-UNKNOWN}.

Client cell

The client cell (asTkt.tkt-EncryptPart.tkt-ClientCell) is set to X's cell name (which must be A's cell name, too).

Client name
The requested client name (asReq.req-Body.req-ClientName) (that is, A's RS name) is checked to have a datastore entry in RS_X {errStatusCode-CLIENT-UNKNOWN}. KDS_X copies A's RS name into the new initial ticket's client name (asTkt.tkt-EncryptPart.tkt-ClientName). A thereby becomes the client named by the new initial ticket Tkt_A,B.
Encryption types
KDS_X selects from the list of requested encryption types (asReq.req-Body.req-EncTypes) the earliest one on the list that it is willing to accommodate (according to local policy)-call this encType. (Recall that the list had been generated in priority order of desirability, from A's point of view. For guaranteed interoperability, all KDS servers are required to support clients requesting the single encryption type enctype-DES-CBC-CRC-at least for the present revision of this document.) {errStatusCode-ENCRYPTION-TYPE-NOT-SUPPORTED}.
Long-term key retrieval
KDS_X retrieves A's most recent long-term key K_A (and its key version number, for the selected encryption type encType) from RS_X.
Session key generation
KDS_X generates a new (random) session key (of the selected encryption type, encType), K_A,KDSX, and copies it into Tkt_A,B's session key field (asTkt.tkt-EncryptPart.tkt-SessionKey).
Authentication time
Tkt_A,B's authentication time (asTkt.tkt-EncryptPart.tkt-AuthnTime) is set to KDS_X's system time.
Start time
If the requested start time (asReq.req-Body.req-StartTime) is absent, or if it indicates a time earlier than Tkt_A,B's authentication time (asTkt.tkt-EncryptPart.tkt-AuthnTime), then Tkt_A,B's start time (asTkt.tkt-EncryptPart.tkt-StartTime) is omitted (indicating a default to the authentication time). Otherwise (that is, a requested start time is present and indicates a time later than or equal to the authentication time), if the postdate option (asReq.req-Body.req-Flags.req-Postdate) is selected, then Tkt_A,B's start time is set to the requested start time; if the postdate option is deselected, Tkt_A,B's start time is omitted (indicating a default to the authentication time) or is set to KDS_X's system time (see also the postdated and invalid options, below) {errStatusCode-POLICY}.
Expiration time
KDS_X sets Tkt_A,B's expiration time (asTkt.tkt-EncryptPart.tkt-ExpireTime) to the earliest of the following:
- Tkt_A,B's start time (or authentication time, if the start time is absent) plus the maximum ticket lifetime associated with the named client A.
- Tkt_A,B's start time (or authentication time, if the start time is absent) plus the maximum ticket lifetime associated with the target server KDS_X.
- Tkt_A,B's start time (or authentication time, if the start time is absent) plus the cell-wide maximum ticket lifetime associated with the issuing authority KDS_X.
KDS_X checks that the resulting lifetime of Tkt_A,B is greater than or equal to the cell-wide minimum ticket lifetime associated with the issuing authority KDS_X {errStatusCode-NEVER-VALID}.
Maximum expiration time
If either the renewable option (asReq.req-Body.req-Flags.req-Renewable) has been selected, or if the renewable-okay option (asReq.req-Body.req-Flags.req-RenewableOK) has been selected and Tkt_A,B's expiration time is earlier than the requested expiration time, then Tkt_A,B's maximum expiration time (asTkt.tkt-EncryptPart.tkt-MaxExpireTime) is present (otherwise it is omitted) and is set to the earliest of:
- Tkt_A,B's start time (or authentication time, if the start time is absent) plus the maximum renewable ticket lifetime associated with the named client A.
- Tkt_A,B's start time (or authentication time, if the start time is absent) plus the maximum renewable ticket lifetime associated with the target server KDS_X.
- Tkt_A,B's start time (or authentication time, if the start time is absent) plus the cell-wide maximum renewable ticket lifetime associated with the issuing authority KDS_X.
Transit path
Tkt_A,B's transit path (asTkt.tkt-EncryptPart.tkt-TransitPath) is omitted.
Client addresses
Tkt_A,B's client address field (asTkt.tkt-EncryptPart.tkt-ClientAddrs) is set to the requested client addresses (asReq.req-Body.req-ClientAddrs), if present. (In particular, no attempt is made to check that this AS Request originated from one of the requested client addresses, if present.) Otherwise, it is omitted. In the present revision of DCE, at least one client address must be supplied by the client, otherwise the KDS will fail the AS Request.
Authorisation data
KDS_X checks that the requested authorisation data asReq.req-Body.req-EncryptedAuthzData) is omitted. (Since the AS Request is unauthenticated, KDS_X cannot vouch for such authorisation data.) Tkt_A,B's authorisation data field (asTkt.tkt-EncryptPart.tkt-AuthzData) is omitted.
Additional tickets
KDS_X checks that no additional tickets (asReq.req-Body.req-AdditionalTkts) are present.
Options
- Forwardable
  If the forwardable option (asReq.req-Body.req-Flags.req-Forwardable) has been requested and if forwardability is permitted by KDS_X, then Tkt_A,B's forwardable option (asTkt.tkt-EncryptPart.tkt-Flags.tkt-Forwardable) is selected.
- Proxiable
  If the Proxiable option (asReq.req-Body.req-Flags.req-Proxiable) has been requested and if proxiability is permitted by KDS_X, and if B != KDS_X, then Tkt_A,B's proxiable option (asTkt.tkt-EncryptPart.tkt-Flags.tkt-Proxiable) is selected. (If B = KDS_X, then this AS request is denied, because ticket-granting-tickets are not proxiable.)
- Postdatable
  If the postdatable option (asReq.req-Body.req-Flags.req-Postdatable) has been requested and if postdatability is permitted by KDS_X, then Tkt_A,B's postdatable option (asTkt.tkt-EncryptPart.tkt-Flags.tkt-Postdatable) is selected.
- Postdated
  If Tkt_A,B's start time is present, then Tkt_A,B's postdated option (asTkt.tkt-EncryptPart.tkt-Flags.tkt-Postdated) is selected.
- Invalid
  If Tkt_A,B's postdated option is selected (above), then Tkt_A,B's invalid option (asTkt.tkt-EncryptPart.tkt-Flags.tkt-Invalid) is selected.
- Renewable, renewable-okay
  If Tkt_A,B's maximum expiration time is present and if renewability is permitted by KDS_X, then Tkt_A,B's renewable option (asTkt.tkt-EncryptPart.tkt-Flags.tkt-Renewable) is selected.
- Other; use-session-key, validate, renew, proxy, forward
  KDS_X checks that no other KDS options have been requested. Currently, these are the use-session-key (asReq.req-Body.req-Flags.req-UseSessionKey), validate (asReq.req-Body.req-Flags.req-Validate), renew (asReq.req-Body.req-Flags.req-Renew), proxy (asReq.req-Body.req-Flags.req-Proxy) and forward (asReq.req-Body.req-Flags.req-Forward) options {errStatusCode-BAD-OPTION}.
- Initial
  Tkt_A,B's initial option (asTkt.tkt-EncryptPart.tkt-Flags.tkt-Initial) is selected. (This marks Tkt_A,B as an initial ticket.)
- Other; proxied, forwarded
  All of Tkt_A,B's options that have not been selected by any of the above steps are deselected. Additionally, the forwarded (asTkt.tkt-EncryptPart.tkt-Flags.tkt-Forwarded) and proxied (asTkt.tkt-EncryptPart.tkt-Flags.tkt-Proxied) options are deselected.
Encryption
KDS_X encrypts asTkt.tkt-EncryptPart using KDS_X's long-term key K_KDSX (of the chosen encryption type encType, and key version number). This is the ciphertext portion of Tkt_A,B (asTkt.tkt-EncryptedPart.encData-CipherText). KDS_X also sets the encryption type (asTkt.tkt-EncryptedPart.encData-EncType) to encType and the key version number (asTkt.tkt-EncryptedPart.encData-KeyVersNum) to K_KDSX's version number.

At this point, Tkt_A,B is well-formed, and KDS_X turns its attention to completing the construction of the AS Response message, asResp.

Protocol version number

The protocol version number (asResp.resp-ProtoVersNum) is set to protoVersNum-KRB5.

Protocol message type

The protocol message type (asResp.resp-ProtoMsgType) is set to protoMsgType-AS-RESPONSE.

Authentication data

The authentication data (asResp.resp-AuthnData) is either omitted, or it consists of a single element (asResp.resp-AuthnData[0]); in the latter case, the type (asResp.resp-AuthnData[0].authnData-Type) is authnDataType-PW-SALT and the value (asResp.resp-AuthnData[0].authnData-Value) is the salt to be used by the client to derive its long-term key (via the algorithm of Registered Password-to-Key Mappings ).

Client cell
The client cell (asResp.resp-ClientCell) is set to Tkt_A,B's client cell (asTkt.tkt-EncryptPart.tkt-ClientCell).
Client name
The client name (asResp.resp-ClientName) is set to Tkt_A,B's client name (asTkt.tkt-EncryptPart.tkt-ClientName).
Ticket
The ticket (asResp.resp-Tkt) is set to the newly created Tkt_A,B (asTkt).
Session key
The session key (asResp.resp-EncryptPart.resp-SessionKey) is set to Tkt_A,B's session key, K_A,KDSX (asTkt.tkt-EncryptPart.tkt-SessionKey).
Nonce
The nonce (asResp.resp-EncryptPart.resp-Nonce) is set to the nonce that the calling client sent (asReq.req-Body.req-Nonce).
Client addresses
The client address field (asResp.resp-EncryptPart.resp-ClientAddrs) is set to Tkt_A,B's client address field (asTkt.tkt-EncryptPart.tkt-ClientAddrs), if present. Otherwise, it is omitted.
Server cell
The server cell (asResp.resp-EncryptPart.resp-ServerCell) is set to Tkt_A,B's server cell (asTkt.tkt-ServerCell).
Server name
The server name (asResp.resp-EncryptPart.resp-ServerName) is set to Tkt_A,B's server name (asTkt.tkt-ServerName).
Authentication time
The authentication time (asResp.resp-EncryptPart.resp-AuthnTime) is set to Tkt_A,B's authentication time (asTkt.tkt-EncryptPart.tkt-AuthnTime).
Start time
The start time (asResp.resp-EncryptPart.resp-StartTime) is set to Tkt_A,B's start time (asTkt.tkt-EncryptPart.tkt-StartTime), if present. Otherwise, it is omitted.
Expiration time
The expiration time (asResp.resp-EncryptPart.resp-ExpireTime) is set to Tkt_A,B's expiration time (asTkt.tkt-EncryptPart.tkt-ExpireTime).
Maximum expiration time
The maximum expiration time (asResp.resp-EncryptPart.resp-MaxExpireTime) is set to Tkt_A,B's maximum expiration time (asTkt.tkt-EncryptPart.tkt-MaxExpireTime), if present. Otherwise, it is omitted.
Key expiration date
The key expiration date (asResp.resp-EncryptPart.resp-KeyExpireDate) is set to the expiration date of A's long-term key (of the selected encryption type and key version number), K_A.
Last requests
The last requests field (asResp.resp-EncryptPart.resp-LastRequests) is set to A's last requests information.
Options
The options (asResp.resp-EncryptPart.resp-Flags) are set to Tkt_A,B's options (asTkt.tkt-EncryptPart.tkt-Flags).
Encryption
KDS_X encrypts asResp.resp-EncryptPart using A's long-term key K_A (using the chosen encryption type encType). This is the ciphertext portion of the AS Response (asResp.resp-EncryptedPart.encData-CipherText). KDS_X also sets the encryption type (asResp.resp-EncryptedPart.encData-EncType) to encType and the key version number (asResp.resp-EncryptedPart.encData-KeyVersNum) to the version number of the client's long-term key.

At this point, the KDS Response is well-formed, and KDS_X returns it to the calling client.

Client Receives AS Response

[RFC 1510: 3.1.5, A.3, A.4]

Consider a client A that receives an AS Response, asResp (that is, asResp is a value of type ASResponse, with protocol version number (asResp.resp-ProtoVersNum) protoVersNum-KRB5 and protocol message type (asResp.resp-ProtoMsgType) protoMsgType-AS-RESPONSE), in response to an AS Request, asReq (as the result of calling kds_request()) to KDS_X. Then A processes asResp according to the following algorithm. In the case this algorithm completes successfully, A is justified in believing that the returned Tkt_A,B (or asTkt; that is, asResp.resp-Tkt) is correctly and securely targeted to KDS_X, and that it contains the values returned elsewhere in asResp (in particular, that A is the client named by Tkt_A,B), and using it (especially, its session key, K_A,KDSX) in subsequent TGS Requests and Authentication Headers it sends to KDS_X. In the case the algorithm fails, A takes (application-specific) recovery action.

Here, the notions of "success" or "failure" of this algorithm are taken to mean "conforming to A's request (asReq)", where the criteria of "conformance" are application-specific. Typically, but not necessarily, A will be satisfied only if KDS_X formulates Tkt_A,B exactly as A requested. For example, A may have requested a very long maximum expiration time but KDS_X issued only a somewhat shorter one-whether A views that as a success or failure is an application-specific determination. (Note that A cannot inspect Tkt_A,B directly, because A cannot decrypt it -A has to rely on the other, unencrypted, fields of the AS Response message.)

Client cell

The named client's cell (asResp.resp-ClientCell) is checked for conformance to A's cell name (which A had implicitly sent (asReq.req-Body.req-ServerCell), by sending its AS Request to KDS_X).

Client name

The client name (asResp.resp-ClientName) is checked for conformance to what A requested (asReq.req-Body.req-ClientName); that is, to A's RS name.

Authentication data

The authentication data (asResp.resp-AuthnData), if present, is scanned for its least element (that is, the minimal i) for which the type (asResp.resp-AuthnData[i].authnData-Type) is authnDataType-PW-SALT, and then the client derives its long-term key, K_A, from its password and the included salt (asResp.resp-AuthnData[i].authnData-Value) (see Registered Password-to-Key Mappings ). If the authentication data is absent, then the client derives its long-term key from its password and the default salt (see Registered Password-to-Key Mappings ).

Ticket
Tkt_A,B (asTkt, asResp.resp-Tkt) is not directly interpretable (in the sense of being decryptable) by A, but the information in it is largely available elsewhere in asResp.
Decryption
The encryption type, encType (asResp.resp-EncryptedPart.encData-EncType), is checked for conformance to what A had requested (asReq.req-Body.req-EncTypes). If it is acceptable, then A attempts to decrypt the ciphertext portion of the AS Response (asResp.resp-EncryptedPart.encData-CipherText), using its long-term key K_A (which A must know or derive; for example, from its password and salt as described above), of encryption type encType and the indicated key version number (asResp.resp-EncryptedPart.encData-KeyVersNum). A successful decryption is recognised by the built-in integrity afforded by the ciphertext itself. In this way, A learns the information carried in asResp.resp-EncryptPart. If A encounters an unsuccessful decryption, it takes application-specific action-this presumably includes rejection of asResp as untrustworthy (the ability to successfully decrypt asResp.resp-EncryptedPart proves to A that it was encrypted by the legitimate KDS_X (since A trusts its long-term key K_A to be secure), and that it is not being spoofed by a counterfeit KDS_X). In particular, if A is not the client requested in asResp (and named in asTkt), in the sense of not knowing the correct long-term key of that client, then A will not be able to successfully decrypt asResp, and consequently will not be able to gain access to the information in asResp.resp-EncryptPart (in particular, its session key, K_A,KDSX (asResp.resp-EncryptPart.resp-SessionKey)).
Note:
This assumes (as stated) that A trusts its long-term key K_A. In the terminology of the Login Facility (see Login Facility and Security Client Daemon (SCD) ), the successful decryption of asResp.resp-EncryptedPart.encData-CipherText amounts to "validation of Tkt_A,B". In order for arbitrary other parties (other than A) to become convinced of the genuineness of Tkt_A,B, the subtler protocols involved in "certification of Tkt_A,B" (see Further Discussion of Certification ) must be employed.
Nonce
The nonce (asResp.resp-EncryptPart.resp-Nonce) is checked for equality with the requested nonce (asReq.req-Body.req-Nonce). If it is not equal, then this asResp does not correspond to asReq, and a "replay attack" may be suspected, and A takes application-specific action.
Last requests
The last requests (asResp.resp-EncryptPart.resp-LastRequests) are inspected. If they do not match A's own knowledge of its previous requests, then a potential breach of security may be suspected, and A typically invokes recovery measures consistent with local policy.
Key expiration date
The key expiration date (asResp.resp-EncryptPart.resp-KeyExpireDate) is inspected if present. If it indicates a date in the "near" future, then A should invoke key update procedures according to local policy (see RS Editor RPC Interfaces ). Typically, this will involve A's "changing its password"-a comparatively "cheap" undertaking. Failure to do so risks A's long-term key K_A, and hence its password, actually expiring, which would require A to re-register itself with RS_X (for encryption type encType) -a comparatively "expensive" undertaking in itself, in addition to the lost opportunities for service access while the long-term key is expired.
Server cell
The server cell (asResp.resp-EncryptPart.resp-ServerCell) is checked for conformance to what A requested (asReq.req-Body.req-ServerCell); that is, to KDS_X's cell name, or to X's cell name.
Server name
The server name (asResp.resp-EncryptPart.resp-ServerName) is checked for conformance to what A requested (asReq.req-Body.req-ServerName); that is, to KDS_X's RS name.
Session key
The session key (which A trusts is secure), K_A,KDSX (asResp.resp-EncryptPart.resp-SessionKey), is saved for later use in protecting communications with KDS_X; that is, subsequent TGS Requests.
Authentication time
The authentication time (asResp.resp-EncryptPart.resp-AuthnTime) is checked for conformance to what A expects (typically, it should be equal to A's system time (modulo maxClockSkew)).
Start time
The start time (asResp.resp-EncryptPart.resp-StartTime) is checked for conformance to what A requested. Namely, if A requested Tkt_A,B to be postdated, then the start time is checked to be present and checked for conformance to the start time A requested (asReq.req-Body.req-StartTime); otherwise, the start time should be absent.
Expiration time
The expiration time (asResp.resp-EncryptPart.resp-ExpireTime) is checked for conformance to what A requested (asReq.req-Body.req-ExpireTime).
Maximum expiration time
The maximum expiration time (asResp.resp-EncryptPart.resp-MaxExpireTime) is checked for conformance to what A requested. It should be only present (at most) if A had selected the renewable option (asReq.req-Body.req-Flags.req-Renewable) and supplied a requested maximum expiration time (asReq.req-Body.req-MaxExpireTime), or if A had selected the renewable-okay option (asReq.req-Body.req-Flags.req-RenewableOK).
Client addresses
If A requested that Tkt_A,B contain client host addresses, then the client address field (asResp.resp-EncryptPart.resp-ClientAddrs) is checked to be present and checked for conformance to what A requested (asReq.req-Body.req-ClientAddrs). Otherwise, the client addresses should be absent.
Options
The options field (asResp.resp-EncryptPart.resp-Flags) is inspected for conformance to what A requested (asReq.req-Body.req-Flags).

This completes the specification of the AS Request/Response exchange.

(Reverse-)Authentication Header Processing

[RFC 1510: 1, 3.2.1]

This section specifies in detail the processing that occurs during an authentication/reverse-authentication header exchange. There are three steps involved:

A client prepares an authentication header and sends it to a target server as part of an "authenticated request for (RPC) service" (for example, this could be a TGS Request, in which case the target server is a KDS server). Typically, this authentication header will be merely a part of the whole message sent from client to server, and the rest of the message will contain RPC protocol information and the input parameters for the RPC service request.
A server receives an authentication header from a client, processes it, prepares a reverse-authentication header (in the case of a successful client-to-server authentication, and the client has requested the mutual authentication option) or an error message (in the case of a failed client-to-server authentication), and returns that to the client (though some servers may not return errors depending on their policy). Typically, in the success case, the server will also proceed to perform the requested service (subject to authorisation constraints) and return the output RPC parameters to the client in addition to the reverse-authentication header.
A client receives a reverse-authentication header (success case, if it had requested mutual authentication in its authentication header) or an error (failure case). Typically, in the success case, it also receives the results of its RPC service request, which it will then decide to accept or reject (on the basis of the reverse-authentication header).

The details of the three steps of the success case are specified next.

Note that it is A's responsibility to know (or to securely determine) all the information necessary to correctly formulate its message to B-especially, B's cell name and RS name.

Finally, note that not every RPC request/response needs to carry an authentication/reverse-authentication header; only those that need to establish a session or conversation (either initial or re-established) key need do so. Once such a key has been established (and trusted by both client and server), it can be used to protect numerous subsequent RPCs-see Protected RPC for details.

Notes:

It should be noted that the descriptions here are "typical" of authentication/reverse-authentication header processing. But since the interpreters (A and B) of the authentication/reverse-authentication headers are in general application-specific, this whole discussion should be understood to implicitly accommodate some such wording as "··· or other such processing as the application requires or allows ···". For example, an especially cautious server may refuse to accept proxied tickets, or an especially lenient one may provide a "grace period" during which it will accept tickets that expire during a session. Another example is that a password-changing program might demand an initial ticket, to guard against the possibility of a miscreant's hijacking a user session by simply sitting down at an unattended seat. See also TGS Request/Response Processing , which is the only place authentication/reverse-authentication headers are used internally in the KDS protocol "application".

The presentation of Client Sends Authentication Header through Client Receives Reverse-Authentication Header is cast in terms of: "client A using Tkt_A,B (with session key K_A,B) to authenticate to server B". It will be observed, though, that a third principal A´ could be injected into the discussion, and the whole presentation recast as: "client A using Tkt_A´,B (with session key K_A´,B) to authenticate to server B, provided that A knows the session key K_A´,B". This notation becomes burdensome to the exposition, so it won't be employed here. Far from being a minor consequence of the authentication architecture, systematic use of this idea is central to the privilege architecture (with A´ = PS, the Privilege Server-see Introduction to Security Services and Privilege (Authorisation) Services ).

Client Sends Authentication Header

[RFC 1510: 3.2.2, A.9]

Consider a client A in cell X which has successfully executed a KDS Request (.Fn kds_request ), that is, whose KDS Response it accepts (in the sense of Client Receives AS Response and/or Client Receives TGS Response ). Thus, A is in possession of a Tkt_A,B received from KDS_Y, kdsTkt, whose contents it knows, especially its session key K_A,B (and its encryption type encType), and now A wants to use Tkt_A,B to "authenticate to" (that is, engage in protected communications with) server B in cell Y. The following algorithm specifies how A prepares an authentication header, authnHdr (a value of the AuthnHeader data type) containing Tkt_A,B (authnHdr.authnHdr-Tkt), and a newly generated authenticator authnr (authnHdr.authnHdr-EncryptAuthnr, of type Authenticator), and sends it to B for this purpose.

The following algorithm first discusses how A constructs the newly generated authenticator, authnr, and then how it constructs the rest of the authentication header, authnHdr.

Protocol version number

The protocol version number (authnr.authnr-ProtoVersNum) is set to protoVersNum-KRB5.

Client cell

The client cell (authnr.authnr-ClientCell) is set to A's cell name; that is, to X's cell name.

Client name

The client name (authnr.authnr-ClientName) is set to A's RS name.

Client timestamp

The client timestamp (authnr.authnr-ClientTime) is set to A's system time.

Client microsecondstamp

The client microsecond stamp (authnr.authnr-ClientMicroSec) is set to A's system microsecond time.

Conversation key
If A desires to use a conversation key of its own choosing, say K^_A,B (of the same encryption type, encType), instead of the KDS_Y-generated session key K_A,B, to protect this client-server session, then it sets the conversation key (authnr.authnr-ConversationKey) to K^_A,B. Otherwise this field is omitted. (The keys K_A,B, K^_A,B and Kx^^`1xu`_A,B all have the same encryption type, encType.)
Checksum
If this application uses checksums, then A uses an application-specific checksum type (authnr.authnr-Cksum.cksum-Type) to set the checksum value (authnr.authnr-Cksum.cksum-Value) to the checksum of some application-specific plaintext (typically, this will be the checksum of the "service" portion of the message that this authenticator is authenticating). Otherwise the checksum is omitted. (In the case of DCE RPC applications, the use of checksums is specified as part of the RPC protocol specifications-see Protected RPC .)
Sequence number
The sequence number (authnr.authnr-SeqNum) is processed in an application-specific manner (perhaps omitting it).
Authorisation data
If this application uses additional authorisation data, then A sets the authorisation data field (authnr.authnr-AuthzData) to application-specific additional authorisation data. Otherwise, this field is omitted.
Encryption
A encrypts authnr, using the encryption type encType and the session key K_A,B (not the conversation key K^_A,B, even if present) in the accompanying Tkt_A,B. This is the ciphertext portion of the authentication header (authnHdr.authnHdr-EncryptedAuthnr.encData-CipherText). A also sets the encryption type (authnHdr.authnHdr-EncryptedAuthnr.encData-EncType) to encType and the key version number (authnHdr.authnHdr-EncryptedAuthnr.encData-KeyVersNum) to an appropriate application-specific value, if any (usually it is omitted).

At this point, authnr is well-formed and encrypted, and A turns its attention to completing the construction of the authentication header, authnHdr.

Protocol version number

The protocol version number (authnHdr.authnHdr-ProtoVersNum) is set to protoVersNum-KRB5.

Protocol message type

The protocol message type (authnHdr.authnHdr-ProtoMsgType) is set to protoMsgType-AUTHN-HEADER.

Ticket
The ticket (authnHdr.authnHdr-Tkt) is set to Tkt_A,B (kdsTkt).
Authenticator
The encrypted authenticator (authnHdr.authnHdr-EncryptedAuthnr) is set to the encryption of authnr as constructed above.
Options
- Use-session-key
  If the accompanying Tkt_A,B (kdsTkt, authnHdr.authnHdr-Tkt), is protected with a session key, K^* (carried in a (ticket-granting-)ticket targeted to B), instead of with B's long-term key K_B, then the use-session-key option (authnHdr.authnHdr-Flags.authnHdr-UseSessionKey) is selected (see The use-session-key Option ).
- Mutual authentication
  If A desires that B return a reverse-authentication header with its response, the mutual authentication option (authnHdr.authnHdr-Flags.authnHdr-MutualRequired) is selected.
- Other
  All of authnHdr's options that have not been selected by any of the above steps are deselected (unless they are used in application-specific ways). Currently, there are no other options that haven't already been mentioned above.

At this point, authnHdr is well-formed, and A sends it to B.

Server Receives Authentication Header and Sends Reverse-Authentication Header

[RFC 1510: 3.2.3, 3.2.4, A.10, A.11]

Consider an authentication header, authnHdr, received by a server, B in cell Y, containing a Tkt_A,B (ahTkt, authnHdr.authnHdr-Tkt) and an authenticator, authnr (authnHdr.authnHdr-EncryptAuthnr). (For example, KDS servers receive such an authentication header in the first authentication data field of a TGS Request (tgsReq.req-AuthnData[0].authnData-Value, with tgsReq.req-AuthnData[0].authnData-Type = authnDataType-TGS-REQ)-see KDS Server Receives TGS Request and Sends TGS Response .) Thus, authnHdr is a value of type AuthnHeader, with protocol version number (authnHdr.authnHdr-ProtoVersNum) protoVersNum-KRB5 and protocol message type (authnHdr.authnHdr-ProtoMsgType) protoMsgType-AUTHN-HEADER. Then B executes the algorithm below. If the algorithm executes successfully, B is justified in believing that it can at this time engage in secure communications with the client A named in Tkt_A,B, protecting their communications with the session key K_A,B carried in Tkt_A,B, or with the conversation key K^_A,B carried in the authentication header itself (authnHdr.authnHdr-EncryptAuthnr.authnr-ConversationKey) (or with another conversation key, Kx^^'1xu'_A,B, of B's own choosing-see below). That is, the authentication header "authenticates the client A to the server B".

The following algorithm first discusses how B processes authnHdr, and then, if the mutual authentication option (authnHdr.authnHdr-Flags.authnHdr-MutualRequired) has been selected, how B constructs a reverse-authentication header, revAuthnHdr (of type RevAuthnHeader), to return to A.

Authentication header options:

Use-session-key
If the use-session-key option (authnHdr.authnHdr-Flags.authnHdr-UseSessionKey) is deselected, B knows that ahTkt is protected with its long-term key K_B. If it is selected, B knows that ahTkt is protected with a session key, K^* (see The use-session-key Option ).

Mutual authentication
If the mutual authentication option (authnHdr.authnHdr-Flags.authnHdr-MutualRequired) is selected, B knows A expects a reverse-authentication header to be returned.
Ticket protocol version number
The protocol version number (ahTkt.tkt-ProtoVersNum) is checked to be protoVersNum-KRB5.
Ticket server cell
The server cell (ahTkt.tkt-ServerCell) is checked to be the name of B's cell; that is, Y's cell name.
Ticket server name
The server name (ahTkt.tkt-ServerName) is checked to be B's RS name.
Ticket decryption
The encryption type protecting Tkt_A,B, encType (ahTkt.tkt-EncryptedPart.encData-EncType), is checked for support by B, as is the key version number (ahTkt.tkt-EncryptedPart.encData-KeyVersNum) if present. If the use-session-key option is deselected, B uses its long-term key K_B to attempt to decrypt Tkt_A,B's ciphertext (ahTkt.tkt-EncryptedPart.encData-CipherText); otherwise, B uses the session key, K^*. A successful decryption is recognised by the built-in integrity afforded by the ciphertext itself. In this way, B learns the information carried in Tkt_A,B, in particular its session key K_A,B (ahTkt.tkt-EncryptPart.tkt-SessionKey).
Authenticator decryption
The encryption type protecting the authenticator (authnHdr.authnHdr-EncryptedAuthnr.encData-EncType) is checked to be the same as that protecting Tkt_A,B, namely encType. B decrypts the authenticator's ciphertext (authnHdr.authnHdr-EncryptedAuthnr.encData-CipherText) using the session key K_A,B (not K^*, even if the use-session-key option is selected). The key version number (authnHdr.authnHdr-EncryptedAuthnr.encData-KeyVersNum), if present, is processed in an application-specific way (usually, it is omitted). A successful decryption is recognised by the built-in integrity afforded by the ciphertext itself-this is what convinces B that A knows the session key K_A,B; that is, this is what actually "authenticates" A to B. In this way, B learns the information carried in authnr (authnHdr.authnHdr-EncryptAuthnr).
Authenticator protocol version number
The authenticator's protocol version number (authnr.authnr-ProtoVersNum) is checked to be protoVersNum-KRB5.
Client cell
The client cells from ahTkt (ahTkt.tkt-EncryptPart.tkt-ClientCell) and from authnr (authnr.authnr-ClientCell) are checked to be the same (namely, to A's cell name; that is, X's cell name).
Client name
The client names from ahTkt (ahTkt.tkt-EncryptPart.tkt-ClientName) and from authnr (authnr.authnr-ClientName) are checked to be the same (namely, to A's RS name).
Client addresses
If there are client addresses present in ahTkt (ahTkt.tkt-EncryptPart.tkt-ClientAddrs) and if B requires that client addresses be used, then B checks that A is communicating from one of them (as reported by B's operating system, according to the level of trust B places in that); that is, that authnHdr was received from one of the addresses on the list.
Client timestamp
A's timestamp (authnr.authnr-ClientTime) is checked to be equal to B's system time (modulo maxClockSkew). It is in this way that B becomes convinced that it is communicating with A in real-time.
Client microsecondstamp
A's microsecondstamp (authnr.authnr-ClientMicroSec), together with its timestamp, are checked to not be present in B's replay cache. They are then stored in the replay cache.
Authentication time
The authentication time (ahTkt.tkt-EncryptPart.tkt-AuthnTime) is typically ignored by application-level servers (see TGS Request/Response Processing for the case of KDS servers).
Start time
The start time (ahTkt.tkt-EncryptPart.tkt-StartTime) is checked to be earlier than or equal to B's system time (modulo maxClockSkew).
Expiration time
The expiration time (ahTkt.tkt-EncryptPart.tkt-ExpireTime) is checked to be later than or equal to B's system time (modulo maxClockSkew).
Maximum expiration time`
The maximum expiration time (ahTkt.tkt-EncryptPart.tkt-MaxExpireTime) is typically ignored by application-level servers (see TGS Request/Response Processing for the case of KDS servers).
Sequence number
The sequence number (authnr.authnr-SeqNum) is processed in an application-specific manner.
Conversation key
If a conversation key K^_A,B (authnr.authnr-ConversationKey) is present, B decides (in an application-specific way) whether it will use it to protect this client-server session, or if it will use ahTkt's session key K_A,B or will generate its own conversation key Kx^^'1xu'_A,B for this purpose (informing A of it in the accompanying revAuthnHdr).
Transit path
The transit path (ahTkt.tkt-EncryptPart.tkt-TransitPath) is typically ignored by application-level servers (see TGS Request/Response Processing for the case of KDS servers, and PTGS Request/Response Processing for the case of PS servers).
Checksum
If a checksum (authnr.authnr-Cksum) is present, it is processed in an application-specific way.
Ticket options:
- Invalid
  The invalid option (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Invalid) is typically checked by application-level servers to be deselected (see TGS Request/Response Processing for the case of KDS servers).
- Forwardable, forwarded, proxiable, proxied, postdatable, postdated, renewable, initial
  All other options are ignored by application-level servers (see TGS Request/Response Processing for the case of KDS servers). Currently, these include forwardable (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Forwardable), forwarded (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Forwarded), proxiable (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Proxiable), proxied (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Proxied), postdatable (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Postdatable), postdated (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Postdated), renewable (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Renewable), and initial (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Initial).
Ticket authorisation data
If ticket authorisation data (ahTkt.tkt-EncryptPart.tkt-AuthzData) is present, B uses it (in an application-specific way) to make authorisation decisions.
Authenticator authorisation data
If additional authenticator authorisation data (authnr.authnr-AuthzData) is present, B uses it (in an application-specific way) to make authorisation decisions.

At this point, B has completed its processing of authnHdr. If A has not requested mutual authentication (by the authnHdr.authnHdr-Flags.authnHdr-MutualRequired option), B proceeds with the application-specific performance of its service (which might include checking authorisation controls, and sending return parameters (potentially protected with a session or conversation key) back to A without a reverse-authentication header, and so on). Otherwise, B turns its attention to constructing a reverse-authentication header, revAuthnHdr, to be sent back to A, as follows:

Protocol version number

The protocol version number (revAuthnHdr.revAuthnHdr-ProtoVersNum) is set to protoVersNum-KRB5.

Protocol message type

The protocol message type (revAuthnHdr.revAuthnHdr-ProtoMsgType) is set to protoMsgType-REVAUTHN-HEADER.

Client timestamp

The client timestamp (revAuthnHdr.revAuthnHdr-EncryptPart.revAuthnHdr-ClientTime) is set to the timestamp A sent in its authentication header (authnr.authnr-ClientTime).

Client microsecondstamp

The client microsecondstamp (revAuthnHdr.revAuthnHdr-EncryptPart.revAuthnHdr-ClientMicroSec) is set to the microsecondstamp A sent in its authentication header (authnr.authnr-ClientMicroSec).

Conversation key
If B wants to protect the current client-server session with a key of its own choosing, instead of either the KDS_Y-generated session key (K_A,B) or the A-generated conversation key (K^_A,B) if present, then B generates a conversation key Kx^^'1xu'_A,B (of the same encryption type, encType) and returns it in the conversation key field (revAuthnHdr.revAuthnHdr-EncryptPart.revAuthnHdr-ConversationKey). Otherwise, it is omitted.
Sequence number
The sequence number (revAuthnHdr.revAuthnHdr-EncryptPart.revAuthnHdr-SeqNum) is processed in an application-specific manner (perhaps omitting it).
Encryption
B encrypts revAuthnHdr.revAuthnHdr-EncryptPart, using the encryption type encType and session key K_A,B (not K^_A,B or Kx^^'1xu'_A,B, even if they exist) specified by the authentication header authnHdr. This is the ciphertext portion of the reverse-authentication header (revAuthnHdr.revAuthnHdr-EncryptedPart.encData-CipherText). B also sets the encryption type (revAuthnHdr.revAuthnHdr-EncryptedPart.encData-EncType) to encType and the key version number (revAuthnHdr.revAuthnHdr-EncryptedPart.encData-KeyVersNum) to an appropriate application-specific value.

At this point, the revAuthnHdr is well-formed, and B returns it to the calling client.

Client Receives Reverse-Authentication Header

[RFC 1510: 3.2.5, A.12]

Consider a reverse-authentication header, revAuthnHdr, received by a client A, in response to an authentication header, authnHdr (with the mutual authentication option selected), that A had earlier sent to a server B. (This is a purely application-level scenario, not a system-level scenario, as the KDS rejects TGS Requests that request mutual authentication-see KDS Server Receives TGS Request and Sends TGS Response .) Thus, revAuthnHdr is a value of type RevAuthnHeader, with protocol version number (revAuthnHdr.revAuthnHdr-ProtoVersNum) protoVersNum-KRB5 and protocol message number (revAuthnHdr.revAuthnHdr-ProtoMsgType) protoMsgType-REVAUTHN-HEADER. Then A executes the algorithm below. If the algorithm executes successfully, A is justified in believing that it can at this time participate in secure communications with the server B targeted by the Tkt_A,B in the corresponding authentication header (authnHdr.authnHdr-Tkt.tkt-ServerCell and authnHdr.authnHdr-Tkt.tkt-ServerName), protecting their communications with the session key K_A,B (authnHdr.authnHdr-Tkt.tkt-EncryptPart.tkt-SessionKey), or with a negotiated conversation key K^_A,B (authnHdrauthnHdr-EncryptPart.authnr-ConversationKey) or Kx^^'1xu'_A,B (revAuthnHdr.revAuthnHdr-EncryptPart.revAuthnHdr-ConversationKey) if these exist (if multiples of these exist, the choice of which to use is dependent on application-specific negotiation-resolution policy). That is, the reverse-authentication header "authenticates the server B to the client A".

Decryption
The encryption type of the reverse-authentication header, encType (revAuthnHdr.revAuthnHdr-EncryptedPart.encData-EncType), is checked for conformance for what A had requested (authnHdr.authnHdr-Tkt.tkt-EncryptedPart.encData-EncType). If it is acceptable, A then attempts to decrypt the ciphertext portion of the reverse-authentication header (revAuthnHdr.revAuthnHdr-EncryptedPart.encData-CipherText), using the session key K_A,B (authnHdr.authnHdr-Tkt.tkt-EncryptPart.tkt-SessionKey) of encryption type encType and key version number authnHdr.authnHdr-EncryptedPart.encData-KeyVersNum if present (not K^_A,B or Kx^^'1xu'_A,B, even if these exist). A successful decryption is recognised by the built-in integrity afforded by the ciphertext itself. If A encounters an "unsuccessful" decryption, it takes application-specific action-this presumably includes rejection of revAuthnHdr as untrustworthy.
Client timestamp
The client timestamp (revAuthnHdr.revAuthnHdr-EncryptPart.revAuthnHdr-ClientTime) is checked for conformance with the client timestamp that A had sent B (authnHdr.authnHdr-EncryptPart.authnr-ClientTime).
Client microsecondstamp
The client microsecondstamp (revAuthnHdr.revAuthnHdr-EncryptPart.revAuthnHdr-ClientMicroSec) is checked for conformance with the client microsecondestamp that A had sent to B (authnHdr.authnHdr-EncryptPart.authnr-ClientMicroSec). It is this step and the previous one that convince A it is securely communicating with B ("now").
Conversation key

If a conversation key Kx^^'1xu'_A,B
(revAuthnHdr.revAuthnHdr-EncryptPart.revAuthnHdr-ConversationKey)
is present, A processes it in an application-specific way
(typically, it is used to protect this client-server session).
Sequence number
The sequence number (revAuthnHdr.revAuthnHdr-EncryptPart.revAuthnHdr-SeqNum) is processed in an application-specific manner.

This completes the specification of the Authentication/Reverse-authentication Header exchange.

TGS Request/Response Processing

[RFC 1510: 1, 3.3]

This section specifies in detail the processing that occurs during a TGS Request/Response exchange. That is, this section specifies the manipulating of old tickets, as well as the issuing of new tickets (both service-tickets and ticket-granting-tickets which are used in cross-cell authentication). There are three steps involved:

A client prepares a TGS Request and sends it to a KDS server.
A KDS server receives the TGS Request from a client, processes it, prepares an TGS Response (success case) or KDS Error (failure case), and returns that to the client.
A client receives a TGS Response or KDS Error.

The details of the three steps of the success case are specified next.

Note:: It has been argued by some that there is no compelling security-related reason that the TGS service needs to be authenticated (in the sense of (Reverse-)Authentication Header Processing ; that is, an Authentication Header accompanies the TGS Request). (As seen in KDS Server Receives TGS Request and Sends TGS Response , the TGS service is not mutually authenticated; that is, no Reverse-authentication Header accompanies the TGS Response). Nevertheless, the TGS service as specified below is indeed authenticated.

Client Sends TGS Request

[RFC 1510: 3.3.1, A.5]

Consider a client A in cell X which has in its possession some ticket, say Tkt_A,···,B, naming A and targeted to some server B in some cell Y (possibly X = Y-this important special case is included in everything written in this section). When it is necessary in this section to write out in full the trust chain of this ticket, it will be written as:

: Tkt_A,···,B = Tkt_{A,X,···,W,Y,B}

As always, Tkt_A,···,B is one of two kinds of ticket, depending on the kind of server (B) it is targeted to:

Tkt_A,···,B may be a service-ticket, in which case B is a non-KDS server.
Tkt_A,···,B may be a ticket-granting-ticket, in which case B is the server KDS_Y in one of its guises, KDS_W,Y (possibly KDS_Y,Y), as a principal in Y.

Since Tkt_A,···,B names A, A knows the contents of Tkt_A,···,B, especially its session key, which is denoted K_A,B (which is of the same encryption type, encType, as is used to protect Tkt_A,···,B). Note that the key K_A,B can always be used as a session key between A and KDS_Y (even though it is nominally only a session key between A and B, with possibly B != KDS_Y). This is because Tkt_A,···,B is protected in the long-term key of B, which KDS_Y knows, so KDS_Y has access to K_A,B too.

What A wants to do is "present" Tkt_A,···,B to KDS_Y, and receive in return another ticket, which is denoted:

 

Tkt*_A,···,B*

which is "based on Tkt_A,···,B", naming A, and targeted to another (perhaps the same) server B* in Y. That is, A wants to send to KDS_Y a TGS Request tgsReq (a value of the data type TGSRequest) containing Tkt_A,···,B (ahTkt, in its tgsReq.req-AuthnData field, as the authnHdr.authnHdr-Tkt field of an authentication header authnHdr), and receive in response a TGS Response tgsResp (a value of data type TGSResponse) containing Tkt*_A,···,B* (tgsTkt, in its tgsResp.resp-Tkt field). A prepares tgsReq according to the algorithm below and "sends it" (that is, calls kds_request()) to KDS_Y.

There are two distinct cases to consider throughout, according to what kind of service A requests:

Request for a "manipulated old" ticket (that is, targeted to the same server B* as the server B targeted by the presented ticket)-A wants KDS_Y to "manipulate" the presented Tkt_A,···,B in some way, and return it as Tkt*_A,···,B (currently, the manipulations supported are: validation, renewal, proxying and forwarding; thus, most of the information in Tkt*_A,···,B was already "substantially pre-existing" in Tkt_A,···,B). In this case, Tkt_A,···,B can be either a service-ticket or a ticket-granting-ticket.
Request for a "newly issued" ticket (that is, targeted to a different server B* than the server B targeted by the presented ticket)-A wants KDS_Y to issue a new Tkt*_A,···,B* "based on" the presented Tkt_A,···,B. In this case, Tkt_A,···,B must be a ticket-granting-ticket targeted to B = KDS_W,Y, and the resulting Tkt*_A,···,B* will be targeted to a server B* other than KDS_W,Y (depending on conditions detailed in the algorithm below):
- Service-ticket (targeted to a non-KDS server B*)
  Tkt*_A,···,B* will be a "new" service-ticket targeted to a non-KDS server B* in Y.
- Cross-cell referral (ticket-granting-)ticket (targeted to a new KDS server B* != B)
  Tkt*_A,···,B* will be a "new" ticket targeted to another KDS server B* = KDS_Y,Z (Z != W) which is (cross-)registered with Y.

Clients (such as A) do not typically intentionally request cross-cell referral tickets. Except for their initial ticket-granting-ticket they only intentionally request ultimate service-tickets. But if such a request cannot be fulfilled, a cross-cell referral ticket is returned as a by-product of the algorithm, as described below:

Protocol version number

The protocol version number (tgsReq.req-ProtoVersNum) is set to protoVersNum-KRB5.

Protocol message type

The protocol message type (tgsReq.req-ProtoMsgType) is set to protoMsgType-TGS-REQUEST.

Client name

The client name (tgsReq.req-Body.req-ClientName) is set to A's RS name in RS_X.

Server cell
The server cell (tgsReq.req-Body.req-ServerCell) is set to the cell name of the ultimate end-server that A desires Tkt*_A,···,B* to be targeted to. (If this is a request for a manipulated old Tkt*_A,···,B*, this ultimate server cell name is the same as Tkt_A,···,B's targeted server's cell name (ahTkt.tkt-ServerCell); that is, Y's cell name.)
Server name
The server name (tgsReq.req-Body.req-ServerName) is set to the RS name of the ultimate server that A desires Tkt*_A,···,B* to be targeted to. (If this is a request for a manipulated old Tkt*_A,···,B*, this ultimate server RS name is the same as Tkt_A,···,B's targeted server's RS name (ahTkt.tkt-ServerName), which must exist in RS_Y.)
Options
- Forwardable
  If it is desired that a newly issued ticket be forwardable, the forwardable option (tgsReq.req-Body.req-Flags.req-Forwardable) is selected.
- Proxiable
  If it is desired that a newly issued ticket (which must be a service-ticket, not a ticket-granting-ticket) be proxiable, the proxiable option (tgsReq.req-Body.req-Flags.req-Proxiable) is selected.
- Postdatable
  If it is desired that a newly issued ticket be postdatable, the postdatable option (tgsReq.req-Body.req-Flags.req-Postdatable) is selected.
- Postdate
  If it is desired that a newly issued ticket be postdated, the postdate option (tgsReq.req-Body.req-Flags.req-Postdate) is selected.
- Renewable
  If it is desired that a newly issued ticket be renewable, the renewable option (tgsReq.req-Body.req-Flags.req-Renewable) is selected.
- Renewable-okay
  If it is not desired that a newly issued ticket be renewable but A will nevertheless accept a renewable ticket with a shorter lifetime than desired in lieu of no ticket at all, then the renewable-okay option (tgsReq.req-Body.req-Flags.req-RenewableOK) is selected.
- Use-session-key
  The use-session-key option (tgsReq.req-Body.req-Flags.req-UseSessionKey) is deselected.
- Validate
  If it is desired that an old ticket be validated, the validate option (tgsReq.req-Body.req-Flags.req-Validate) is selected.
- Renew
  If it is desired that an old ticket be renewed, the renew option (tgsReq.req-Body.req-Flags.req-Renew) is selected.
- Proxy
  If it is desired that an old ticket (which must be a service-ticket, not a ticket-granting-ticket) be proxied, the proxy option (tgsReq.req-Body.req-Flags.req-Proxy) is selected.
- Forward
  If it is desired that an old ticket be forwarded, the forward option (tgsReq.req-Body.req-Flags.req-Forward) is selected.
Start time
If the postdate option has been selected, then the start time (tgsReq.req-Body.req-StartTime) is set to the desired starting time. Otherwise, the start time is omitted.
Expiration time
The expiration time (tgsReq.req-Body.req-ExpireTime) is set to the desired expiration time. (In the case of a request to manipulate an old ticket, this can be used to "clip" the lifetime of the manipulated ticket to a shorter time.)
Maximum expiration time
If the renewable option has been selected, then the maximum expiration time (tgsReq.req-Body.req-MaxExpireTime) is set to the desired maximum expiration time. (In the case of a request to manipulate an old ticket, this can be used to "clip" the lifetime of the manipulated ticket to a shorter maximum time.) Otherwise, the maximum expiration time is omitted.
Additional tickets
The additional tickets field (tgsReq.req-Body.req-AdditionalTkts) is omitted. (The only option that currently requires an additional ticket is the use-session-key option, and that option is deselected in TGS Requests.)
Nonce
The nonce field (asReq.req-Body.req-Nonce) is set to a nonce value.
Encryption types
The encryption types field (tgsReq.req-Body.req-EncTypes) is set to the list of encryption types acceptable to A for protecting a newly issued ticket. The list is arranged in priority order of desirability, beginning with most desirable and ending with least desirable. (For maximum interoperability, the client A should send a list consisting of a single entry, indicating the same encryption type, encType, as that used to protect the presented ticket Tkt_A,···,B. It is to be presumed that if this TGS request is a request for a manipulated old ticket, the resulting manipulated ticket will be re-encrypted in the newly chosen encryption type if it is different from encType-however, that is not apparent from RFC 1510.)
Client addresses
If A desires that a newly issued ticket contain client host addresses, then the client address field (tgsReq.req-Body.req-ClientAddrs) is set to the desired addresses. Otherwise, the client address field is omitted. (If this is a request to manipulate an old ticket, these addresses will only be used in the manipulated ticket if the old ticket is forwarded or proxied; otherwise, the client addresses in the ticket authenticating this request-see the bullet on authentication data, below-will be used.)
Authorisation data
If A desires that a newly issued ticket contain authorisation data supplied by A, such data (a value of type AuthzData) is encrypted using the encryption type encType and using the conversation key K^_A,B (authnr.authnr-ConversationKey, see below) if present, otherwise using the session key K_A,B, and the authorisation data field (tgsReq.req-Body.req-EncryptedAuthzData) is then set to the resulting encrypted value (a value of type EncryptedData). Otherwise this field is omitted. (Typically, it is omitted, an exception being where A is a privilege server PS_X, requesting a privilege-(ticket-granting-)ticket from KDS_X (in the case where PS_X and KDS_X are not co-located, so that an message must be transmitted)-see Privilege (Authorisation) Service (PS) and Privilege (Authorisation) Services .)
Authentication data
The first entry (tgsReq.req-AuthnData[0]) in the list (tgsReq.req-AuthnData) of authentication data items is set to have authentication data type (tgsReq.req-AuthnData[0].authnData-Type) authnDataType-TGS-REQ, and its authentication data value (tgsReq.req-AuthnData[0].authnData-Value) is set to (the underlying OCTET STRING of) an authentication header, authnHdr, that A constructs, based on Tkt_A,···,B (authnHdr.authnHdr-Tkt). The construction of authnHdr proceeds as in Client Sends Authentication Header , with the following supplements (authnr denotes the authenticator authnHdr.authnHdr-EncryptAuthnr):
- Conversation key
  The conversation key field (authnr.authnr-ConversationKey) is set to a newly generated conversation key, K^_A,B (of the same encryption key type, encType), if A desires such a key to be used (instead of K_A,B) to protect this client-server session (between A and KDS_Y). (If authorisation data (tgsReq.req-Body.req-EncryptedAuthzData) and K^_A,B are both present, note that K^_A,B had to be generated earlier in order to be used to encrypt the authorisation data-see above.)
- Checksum
  A sets the checksum type (authnr.authnr-Cksum.cksum-Type) to a checksum type that uses the same encryption key type as the encryption type encType (except that if encType = encKeyType-TRIVIAL, then authnr.authnr-Cksum is omitted altogether), and uses it to compute the checksum value (authnr.authnr-Cksum.cksum-Value), over the KDS Request body bgcolor="#FFFFFF" (tgsReq.req-Body, which is well-formed at this point). (For maximum interoperability, the client A should use the checksum type cksumType-MD4-DES, since all KDS servers are required to support clients using that checksum type-at least for the present revision of this document.)
- Sequence number
  The sequence number (authnr.authnr-SeqNum) is omitted.
- Authorisation data
  The authorisation data field (authnr.authnr-AuthzData) is omitted.
- Encryption
  A encrypts authnr, using the encryption type encType and the session key K_A,B (not K^_A,B, even if present). This is the ciphertext portion of the authentication header (authnHdr.authnHdr-EncryptedAuthnr.encData-CipherText). A also sets the encryption type (authnHdr.authnHdr-EncryptedAuthnr.encData-EncType) to encType and the key version number (authnHdr.authnHdr-EncryptedAuthnr.encData-KeyVersNum) to an appropriate value depending on local policy, if any (typically, it is omitted).
- Options
  - Use-session-key
    The use-session-key option (tgsReq.req-Body.req-Flags.req-UseSessionKey) is deselected.
  - Mutual authentication
    The mutual authentication option (authnHdr.authnHdr-Flags.authnHdr-MutualRequired) is deselected. (As seen in KDS Server Receives TGS Request and Sends TGS Response , KDS_Y rejects any TGS Request that has this option selected.)
- Other
  The other entries (tgsReq.req-AuthnData[i], i >= 1) in the list of authentication data are omitted.

At this point, the tgsReq message is well-formed, and A sends it to KDS_Y.

KDS Server Receives TGS Request and Sends TGS Response

[RFC 1510: 3.3.2, 3.3.3, A.6]

Consider a TGS Request, tgsReq, received by KDS_Y from A. Thus, tgsReq is a value of data type TGSRequest, with protocol version number (tgsReq.req-ProtoVersNum) protoVersNum-KRB5 and protocol message type (tgsReq.req-ProtoMsgType) protoMsgType-TGS-REQUEST. Then KDS_Y executes the algorithm below. If the algorithm executes successfully, KDS_Y returns a TGS Response (tgsResp, of type TGSResponse), containing the "manipulated old" or "newly issued" ticket, Tkt*_A,···,B* (tgsResp.resp-Tkt, also denoted tgsTkt), to A. If unsuccessful, KDS_Y returns a KDS Error (kdsErr, of type KDSError).

The following algorithm discusses (in an appropriate order) how KDS_Y handles the authentication header authnHdr (and therefore the authenticator authnr and presented ticket, ahTkt (Tkt_A,···,B)) accompanying tgsReq, how it manipulates the old or issues the new ticket Tkt*_A,···,B*, and how it constructs the remainder of the TGS Response, tgsResp (which does not include a reverse-authentication header). (The manner in which KDS_Y handles the authentication header is an extension of the "mainline" usage of the authentication header by not-necessarily-KDS servers as specified in Server Receives Authentication Header and Sends Reverse-Authentication Header , but it is all repeated here, both because its processing is intertwined with the processing of other parts of the TGS Request, and to indicate error conditions specific to KDS servers.)

Authentication data
The first entry (tgsReq.req-AuthnData[0]) in the authentication data list (tgsReq.req-AuthnData) is checked to be present and to be of authentication data type (tgsReq.req-AuthnData[0].authnData-Type) authnDataType-TGS-REQ. (Other entries (tgsReq.req-AuthnData[i], i >= 1), if present, are ignored.) Thus, the authentication data value (tgsReq.req-AuthnData[0].authnData-Value) is regarded as (the underlying OCTET STRING of) an authentication header, authnHdr, containing an authenticator authnr (authnHdr.authnHdr-EncryptAuthnr) constructed by A, and an "authenticating ticket" Tkt_A,···,B (ahTkt, authnHdr.authnHdr-Tkt) naming A and targeted to some server B in cell Y (which may be either a non-KDS server or KDS_Y in one of its guises KDS_W,Y) {errStatusCode-AUTHN-DATA-TYPE-NOT-SUPPORTED}.
Protocol version number
The protocol version number of Tkt_A,···,B (ahTkt.tkt-ProtoVersNum) is checked to be protoVersNum-KRB5.
Server cell
The server cell in Tkt_A,···,B (ahTkt.tkt-ServerCell) is checked to be KDS_Y's cell name; that is, Y's cell name.
Server name
The server name in Tkt_A,···,B (ahTkt.tkt-ServerName) is checked to indicate either a non-KDS server B in Y, or KDS_Y in one of its guises KDS_W,Y.
Authentication header options:
- Use-session-key
  If the use-session-key option (authnHdr.authnHdr-Flags.authnHdr-UseSessionKey) is selected, then KDS_Y rejects this TGS Request, returning a KDS Error. Otherwise, KDS_Y knows that the "authenticating" ticket, ahTkt (Tkt_A,···,B), is protected with the long-term key K_B of the server B it is targeted to (as indicated by ahTkt.tkt-ServerCell and ahTkt.tkt-ServerName) (K_B = K_KDSWY if B = KDS_W,Y).
- Mutual authentication
  If the mutual authentication option (authnHdr.authnHdr-Flags.authnHdr-MutualRequired) is selected (so that A expects a reverse-authentication header, to be returned), then KDS_Y rejects this TGS Request, returning a KDS Error (see KDS Error Processing ).
Ticket decryption
KDS_Y uses the key protecting ahTkt (K_B = K_KDSWY, determined above), together with the indicated encryption type encType (ahTkt.tkt-EncryptedPart.encData-EncType) and key version number (ahTkt.tkt-EncryptedPart.encData-KeyVersNum) if relevant, to decrypt the ciphertext (ahTkt.tkt-EncryptedPart.encData-CipherText) of the authenticating ticket ahTkt (Tkt_A,···,B). A successful decryption is recognised by the built-in integrity afforded by the ciphertext itself. In this way, KDS_Y learns the information carried in ahTkt (Tkt_A,···,B), especially its session key (K_A,B, or K_A,KDSWY).
Authenticator decryption
KDS_Y uses ahTkt's session key (K_A,B, or K_A,KDSWY), together with the encryption type encType (which must be the same as (authnHdr.authnHdr-EncryptedAuthnr.encData-EncType), to decrypt the authentication header's ciphertext (authnHdr.authnHdr-EncryptedAuthnr.encData-CipherText). (The key version number (authnHdr.authnHdr-EncryptedAuthnr.encData-KeyVersNum) should not be present.) A successful decryption is recognised by the built-in integrity afforded by the ciphertext itself-this is what convinces KDS_Y that A knows ahTkt's session key; that is, this is what actually "authenticates" A to KDS_Y (modulo timestamp considerations, below). In this way, KDS_Y learns the information carried in authnr (authnHdr.authnHdr-EncryptAuthnr).
Authenticator protocol version number
The authenticator's protocol version number (authnr.authnr-ProtoVersNum) is checked to be protoVersNum-KRB5.
Client cell
The client cells from ahTkt (ahTkt.tkt-EncryptPart.tkt-ClientCell) and from authnr (authnr.authnr-ClientCell) are checked to be the same (namely, to A's cell name; that is, X's cell name).
Client name
The client names from ahTkt (ahTkt.tkt-EncryptPart.tkt-ClientName) and from authnr (authnr.authnr-ClientName) are checked to be the same (namely, to A's RS name).
Client addresses
If there are client addresses present in ahTkt (ahTkt.tkt-EncryptPart.tkt-ClientAddrs), then KDS_Y checks that A is communicating from one of them (as reported by KDS_Y's operating system, according to the level of trust KDS_Y places in that); that is, that authnHdr was received from one of the addresses on the list.
Client timestamp
A's timestamp (authnr.authnr-ClientTime) is checked to be equal to KDS_Y's system time (modulo maxClockSkew). It is in this way that KDS_Y becomes convinced that it is communicating with A in real-time (and this completes the "authentication" of A to KDS_Y).
Client microsecondstamp
A's microsecondstamp (authnr.authnr-ClientMicroSec), together with its timestamp, are checked to not be present in KDS_Y's replay cache. They are then stored in the replay cache. (They can be purged from the replay cache later, as discussed in Authenticators .)
Start time
ahTkt's start time (ahTkt.tkt-EncryptPart.tkt-StartTime) is checked to be earlier than or equal to KDS_Y's system time (modulo maxClockSkew).
Expiration time
ahTkt's expiration time (ahTkt.tkt-EncryptPart.tkt-ExpireTime) is checked to be later than (or later-than-or-equal-to, on an implementation-dependent basis) KDS_Y's system time (modulo maxClockSkew). (In particular, an expired ahTkt (Tkt_A,···,B) cannot be renewed by the renew option processing step, below.)
Maximum expiration time
ahTkt's maximum expiration time (ahTkt.tkt-EncryptPart.tkt-MaxExpireTime) is dealt with below.
Sequence number
The sequence number (authnr.authnr-SeqNum) is processed in an application-specific manner.
Conversation key
If a conversation key K^_A,B (authnr.authnr-ConversationKey), of encryption type encType is present, KDS_Y will use it (instead of ahTkt's session key K_A,B (or K_A,KDSWY)) to protect this client-server session (but it will not generate its own conversation key, Kx^^'1xu'_A,B, for this purpose, because KDS_Y does not return a reverse-authentication header).
Transit path
ahTkt's transit path (ahTkt.tkt-EncryptPart.tkt-TransitPath) is dealt with below.
Checksum
The checksum (authnr.authnr-Cksum) is checked to be present (unless encType = encType-TRIVIAL, in which case it must be absent), its checksum type (authnr.authnr-Cksum.cksum-Type) is checked to be supported by and acceptable to KDS_Y (in particular, this checksum type must use the same encryption key type as the encryption type encType, and the checksum value (authnr.authnr-Cksum.cksum-Value) is checked to be the checksum of the KDS Request body bgcolor="#FFFFFF" (tgsReq.req-Body). (For guaranteed interoperability, all KDS servers are required to support the checksum type cksumType-MD4-DES-at least for the present revision of this document.)
Ticket options:
- Invalid
  If ahTkt's invalid option (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Invalid) is selected, then KDS_Y checks that this tgsReq's validate option (tgsReq.req-Body.req-Flags.req-Validate) is selected.
- Forwardable, forwarded, proxiable, proxied, postdatable, postdated, renewable, initial
  All other ahTkt options are dealt with below. Currently, these include forwardable (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Forwardable), forwarded (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Forwarded), proxiable (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Proxiable), proxied (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Proxied), postdatable (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Postdatable), postdated (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Postdated), renewable (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Renewable), and initial (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Initial).

At this point, KDS_Y has completed its preliminary processing of the authentication header authnHdr (including authnr and ahTkt (Tkt_A,···,B)), and now turns its attention to constructing the manipulated old or newly-to-be-issued tgsTkt (Tkt*_A,···,B*).

Protocol version number

tgsTkt's protocol version number (tgsTkt.tkt-ProtoVersNum) is set to protoVersNum-KRB5.

Client cell

tgsTkt's client cell (tgsTkt.tkt-EncryptPart.tkt-ClientCell) is set to A's (authenticated) cell name (that is, to X's cell name).

Client name

tgsTkt's client name (tgsTkt.tkt-EncryptPart.tkt-ClientName) is set to A's (authenticated) RS name in RS_X.

Server cell

If the requested server cell name (tgsReq.req-Body.req-ServerCell) is not KDS_Y's cell name-that is, not Y's cell name (this will be the case if A is requesting a service-ticket to an ultimate end-server in some cell other than Y)- then KDS_Y sets tgsTkt's cell name (tgsTkt.tkt-ServerCell) to that of a cell, Z, that A is supposed to use as the next hop towards the requested server cell, if possible-this indicates to A that tgsTkt is to be used as a new cross-cell referral ticket (see Cells-Cross-cell Authentication and Authorisation ), and it is the only instance in which a KDS server ever issues a ticket which is targeted to a server other than the one requested by the client A (and this is how A detects that it has received a cross-cell referral ticket). Otherwise, KDS_Y copies the requested server cell name (that is, Y's cell name) into tgsTkt's cell name.

Server name
If tgsTkt is a new cross-cell referral ticket (see preceding step), then KDS_Y sets tgsTkt's server name (tgsTkt.tkt-ServerName) to the RS name of the chosen cross-registered surrogate KDS server, KDS_Y,Z, in RS_Z. Otherwise, the requested server name (tgsReq.req-Body.req-ServerName) is checked to have a datastore entry in RS_Y, and KDS_Y sets tgsTkt's server name to the requested server name.
Encryption types
KDS_Y selects from the list of requested encryption types (tgsReq.req-Body.req-EncTypes) the earliest one on the list that it can accommodate, depending on policy-call this encType. (Typically, encType* = encType. This will happen, for example, in the common case of a client A sending a list consisting of a single entry, indicating the same encryption type, encType, as that used to protect the presented ticket Tkt_A,···,B.) {errStatusCode-ENCRYPTION-TYPE-NOT-SUPPORTED}.
Session key generation
KDS_Y generates a new (random) session key (of the selected encryption type, encType*), K*_A,B*, and copies it into tgsTkt's session key field (tgsTkt.tkt-EncryptPart.tkt-SessionKey).
Authentication time
tgsTkt's authentication time (tgsTkt.tkt-EncryptPart.tkt-AuthnTime) is set to ahTkt's authentication time (ahTkt.tkt-EncryptPart.tkt-AuthnTime).
Start time
If the requested start time (tgsReq.req-Body.req-StartTime) is absent, or if it is present and indicates a time earlier than tgsTkt's (that is, ahTkt's) authentication time or KDS_Y's system time, then tgsTkt's start time (tgsTkt.tkt-EncryptPart.tkt-StartTime) is set to tgsTkt's authentication time or KDS_Y's system time, whichever is later. Otherwise (that is, a start time is present and indicates a time later than or equal to both tgsTkt's authentication time and KDS_Y's system time), if the postdated option (tgsReq.req-Body.req-Flags.req-Postdate) is selected, KDS_Y sets tgsTkt's start time to the requested start time; otherwise, tgsTkt's start time is omitted. (See also the postdated and invalid options, below.) {errStatusCode-CANNOT-POSTDATE}.
Expiration time
KDS_Y sets tgsTkt's expiration time (tgsTkt.tkt-EncryptPart.tkt-ExpireTime) to the minimum of the following:
- tgsTkt's start time (or authentication time, if the start time is absent) plus the maximum ticket lifetime associated with the named client A (or the maximum ticket lifetime associated with the cross-cell principal KDS_W,Y in the case that X != Y, since then KDS_Y doesn't have access to A's maximum ticket lifetime).
- tgsTkt's start time (or authentication time, if the start time is absent) plus the maximum ticket lifetime associated with the server targeted by tgsTkt (tgsTkt.tkt-ServerName).
- tgsTkt's start time (or authentication time, if the start time is absent) plus the cell-wide maximum ticket lifetime associated with the issuing authority KDS_Y.
KDS_Y checks that the resulting lifetime of tgsTkt is greater than or equal to the cell-wide minimum ticket lifetime associated with the issuing authority KDS_Y (see also the renew and renewable options, below) {errStatusCode-NEVER-VALID}.
Maximum expiration time
If ahTkt's renewable option (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Renewable) is selected, and if either the renewable option (tgsReq.req-Body.req-Flags.req-Renewable) has been selected, or if the renewable-okay option (tgsReq.req-Body.req-Flags.req-RenewableOK) has been selected and ahTkt's expiration time is earlier than the requested expiration time, then tgsTkt's maximum expiration time (tgsTkt.tkt-EncryptPart.tkt-MaxExpireTime) is present (otherwise it is omitted) and is set to the minimum of:
- tgsTkt's start time (or authentication time, if the start time is absent) plus the maximum renewable ticket lifetime associated with the named client A (or the maximum ticket lifetime associated with the cross-cell principal KDS_W,Y in the case that X != Y, since then KDS_Y doesn't have access to A's maximum ticket lifetime).
- tgsTkt's start time (or authentication time, if the start time is absent) plus the maximum renewable ticket lifetime associated with the server targeted by tgsTkt (tgsTkt.tkt-ServerName).
- tgsTkt's start time (or authentication time, if the start time is absent) plus the cell-wide maximum renewable ticket lifetime associated with the issuing authority KDS_Y.
(See also the renewable option, below, which may recalculate this maximum expiration time.)
Transit path
If ahTkt is itself a cross-cell referral ticket, Tkt_{A,X,···,W,KDSWY} (which KDS_Y recognises by decrypting it and inspecting its transit path), then KDS_Y sets tgsTkt's transit path (tgsTkt.tkt-EncryptPart.tkt-TransitPath) to the compression (see Registered Transit Path Types ) of the concatenation (in this order) of ahTkt's transit path with W's (not Y's) cell name. Otherwise (that is, if ahTkt is not a cross-cell referral ticket), tgsTkt's transit path is set to ahTkt's transit path {errStatusCode-TRANSIT-PATH-TYPE-NOT-SUPPORTED}.
Client addresses
tgsTkt's client address field (tgsTkt.tkt-EncryptPart.tkt-ClientAddrs) is set to ahTkt's client address field (ahTkt.tkt-EncryptPart.tkt-ClientAddrs), if present. Otherwise, it is omitted. (See also the forward and proxy options, below, which can change this client address field.)
Authorisation data
tgsTkt's authorisation data field (tgsTkt.tkt-EncryptPart.tkt-AuthzData) is set to the concatenation (in this order) of ahTkt's authorisation data (ahTkt.tkt-EncryptPart.tkt-AuthzData) if present, with the TGS Request's authorisation data (tgsReq.req-Body.req-EncryptAuthzData, obtained by decrypting tgsReq.req-Body.req-EncryptedAuthzData using the conversation key authnr.authnr-ConversationKey K^_A,Y if present, otherwise using the session key K_A,B, both of encryption type encType), if present. If neither is present, this field is omitted.
Notes:
Additional tickets
Additional tickets (tgsReq.req-Body.req-AdditionalTkts) are processed as required according to the options (below) selected that require additional tickets.
Options
- Validate
  If the validate option (tgsReq.req-Body.req-Flags.req-Validate) is requested, and if ahTkt's invalid option (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Invalid) is set, and if ahTkt's start time (ahTkt.tkt-EncryptPart.tkt-StartTime) is earlier than or equal to KDS_Y's system time (modulo maxClockSkew), then Tkt*_A,···,B* is set equal to Tkt_A,···,B, except that tgsTkt's invalid option (tgsTkt.tkt-EncryptPart.tkt-Flags.tkt-Invalid) is deselected.
- Renew
  If the renew option (tgsReq.req-Body.req-Flags.req-Renew) is requested, and if ahTkt's renewable option (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Renewable) is selected, and if ahTkt's maximum expiration time (ahTkt.tkt-EncryptPart.tkt-MaxExpireTime) is later than or equal to KDS_Y's system time (modulo maxClockSkew), then tgsTkt is set equal to ahTkt, except that tgsTkt's start time (tgsTkt.tkt-EncryptPart.tkt-StartTime) is set to KDS_Y's system time and tgsTkt's expiration time (tgsTkt.tkt-EncryptPart.tkt-ExpireTime) is set to the minimum of:
  - ahTkt's maximum expiration time (ahTkt.tkt-EncryptPart.tkt-MaxExpireTime).
  - tgsTkt's start time (which is KDS_Y's system time at this point) plus the lifetime of ahTkt (ahTkt.tkt-EncryptPart.tkt-ExpireTime - ahTkt.tkt-EncryptPart.tkt-StartTime).
- Renewable-okay
  If the renewable-okay option (tgsReq.req-Body.req-Flags.req-RenewableOK) is requested, and if ahTkt's renewable option (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Renewable) is selected, and if tgsTkt's expiration time (tgsTkt.tkt-EncryptPart.tkt-ExpireTime) is earlier than the requested expiration time (tgsReq.req-Body.req-ExpireTime), then the renewable option (tgsReq.req-Body.req-Flags.req-Renewable) is selected (so that the renewable step below is processed) and the requested maximum expiration time (tgsReq.req-Body.req-MaxExpireTime) is set equal to the minimum of:
  - ahTkt's maximum expiration time (ahTkt.tkt-EncryptPart.tkt-MaxExpireTime).
  - The requested expiration time (tgsReq.req-Body.req-ExpireTime).
- Renewable
  If the renewable option (tgsReq.req-Body.req-Flags.req-Renewable) option is requested, and if ahTkt's renewable option (ahTkt.tkt-EncryptPart.tkt-Flags.tkt-Renewable) is selected, then tgsTkt's renewable option (tgsTkt.tkt-EncryptPart.tkt-Flags.tkt-Renewable) is selected, and tgsTkt's maximum expiration time (tgsTkt.tkt-EncryptPart.tkt-MaxExpireTime) is (re)calculated as in the maximum expiration time step, above.
- Use-session-key
  If the request's use-session-key option (tgsReq.req-Body.req-Flags.req-UseSessionKey) has not been requested, then KDS_Y knows that A wants tgsTkt to be protected with the long-term key of its targeted server (see encryption step, below). If the request's use-session-key has been requested, then KDS_Y knows that A wants tgsTkt to be protected with its targeted server's ticket-granting-ticket's session key (see encryption step, below), accordingly it verifies that the accompanying additional Tkt^* (tgsReq.req-Body.req-AdditionalTkts) is present and is a (valid) ticket-granting-ticket targeted to B; if the use-session-key has been requested, but Tkt^* is not present or if KDS_Y cannot decrypt it and verify it is a ticket-granting-ticket targeted to B, the KDS_Y rejects the request.
- Initial
  tgsTkt's initial option (tgsTkt.tkt-EncryptPart.tkt-Flags.tkt-Initial), is deselected. (This marks tgsTkt as a subsequent (that is, non-initial) ticket.)
Encryption
If the use-session-key option (tgsReq.req-Body.req-Flags.req-UseSessionKey) has not been requested, then the long-term key K_B* (of encryption type encType*) of the server B* targeted by tgsTkt (Tkt*_A,···,B*) is used to protect it; if the use-session-key option has been requested, then the session key K^* = K_B,KDSWY (of encryption type encType*) in the accompanying ticket-granting-ticket Tkt^* = Tkt_B,KDSWY is used to protect it (see The use-session-key Option ). KDS_Y uses the chosen key to encrypt the encrypted part of tgsTkt (tgsTkt.tkt-EncryptPart). This is the ciphertext portion of tgsTkt (tgsTkt.tkt-EncryptedPart.encData-CipherText). KDS_Y also sets the encryption type (tgsTkt.tkt-EncryptedPart.encData-EncType) to encType*, and the key version number (tgsTkt.tkt-EncryptedPart.encData-KeyVersNum) is set to its appropriate value.

At this point, tgsTkt (Tkt*_A,···,B*) is well-formed, and KDS_Y turns its attention to completing the construction of the TGS Response message, tgsResp.

Protocol version number

The protocol version number (tgsResp.resp-ProtoVersNum) is set to protoVersNum-KRB5.

Protocol message type

The protocol message type (tgsResp.resp-ProtoMsgType) is set to protoMsgType-TGS-RESPONSE.

Authentication data

The authentication data (tgsResp.resp-AuthnData) is omitted. (In particular, no reverse-authentication header is transmitted back to the client.)

Client cell

The client cell (tgsResp.resp-ClientCell) is set to tgsTkt's client cell name (tgsTkt.tkt-EncryptPart.tkt-ClientCell); that is, A's cell name to X's cell name.

Client name

The client name (tgsResp.resp-ClientName) is set to tgsTkt's client name (tgsTkt.tkt-EncryptPart.tkt-ClientName); that is, A's RS name.

Ticket
The ticket (tgsResp.resp-Tkt) is set to tgsTkt (Tkt*_A,···,B*).
Session key
The session key (tgsResp.resp-EncryptPart.resp-SessionKey) is set to tgsTkt's (Tkt*_A,···,B*'s) session key, K*_A,B* (tgsTkt.tkt-EncryptPart.tkt-SessionKey, of encryption type encType*).
Nonce
The nonce (tgsResp.resp-EncryptPart.resp-Nonce) is set to the nonce that A sent (tgsReq.req-Body.req-Nonce).
Client addresses
The client address field (tgsResp.resp-EncryptPart.resp-ClientAddrs) is set to tgsTkt's client address field if tgsTkt has been newly forwarded or proxied on this TGS Request (that is, the forward option (tgsReq.req-Body.req-Flags.req-Forward) is selected, above). Otherwise, it is omitted.
Server cell
The server cell (tgsResp.resp-EncryptPart.resp-ServerCell) is set to tgsTkt's server cell (tgsTkt.tkt-ServerCell).
Server name
The server name (tgsResp.resp-EncryptPart.resp-ServerName) is set to tgsTkt's server name (tgsTkt.tkt-ServerName).
Authentication time
The authentication time (tgsResp.resp-EncryptPart.resp-AuthnTime) is set to tgsTkt's authentication time (tgsTkt.tkt-EncryptPart.tkt-AuthnTime).
Start time
The start time (tgsResp.resp-EncryptPart.resp-StartTime) is set to tgsTkt's start time (tgsTkt.tkt-EncryptPart.tkt-StartTime), if present. Otherwise, it is omitted.
Expiration time
The expiration time (tgsResp.resp-EncryptPart.resp-ExpireTime) is set to tgsTkt's expiration time (tgsTkt.tkt-EncryptPart.tkt-ExpireTime).
Maximum expiration time
The maximum expiration time (tgsResp.resp-EncryptPart.resp-MaxExpireTime) is set to tgsTkt's maximum expiration time (tgsTkt.tkt-EncryptPart.tkt-MaxExpireTime), if present. Otherwise, it is omitted.
Key expiration date
The key expiration date (tgsResp.resp-EncryptPart.resp-KeyExpireDate) is omitted.
Last requests
The last requests field (tgsResp.resp-EncryptPart.resp-LastRequests) is set, if policy permits, to A's last requests information (see Last Requests ), if available. (If this is a cross-cell request, that information wouldn't be available. Even if the information is available, KDS_Y may or may not send it back to the client, according to its policy; normally it is included only in AS Responses, not TGS Responses-see Part of KDS Response to be Encrypted .)
Options
The options (tgsResp.resp-EncryptPart.resp-Flags) are set to tgsTkt's options (tgsTkt.tkt-EncryptPart.tkt-Flags).
Encryption
KDS_Y encrypts tgsResp.resp-EncryptPart using the encryption type encType and ahTkt's (Tkt_A,···,B's) session key K_A,B, unless A has requested that a conversation key K^_A,B (authnr.authnr-ConversationKey) be used, in which case KDS_Y uses that key instead. This is the ciphertext portion of the TGS Response (tgsResp.resp-EncryptedPart.encData-CipherText). KDS_Y also sets the encryption type (tgsResp.resp-EncryptedPart.encData-EncType) to encType. The key version number (tgsResp.resp-EncryptedPart.encData-KeyVersNum) is omitted.

At this point, the KDS Response is well-formed, and the KDS returns it to the calling client.

Client Receives TGS Response

[RFC 1510: 3.3.4, A.4, A.7]

Consider a client A that receives a TGS Response, tgsResp (that is, tgsResp is a value of data type TGSResponse, with protocol version number (tgsResp.resp-ProtoVersNum) protoVersNum-KRB5 and protocol message type (tgsResp.resp-ProtoMsgType) protoMsgType-TGS-RESPONSE), in response to a TGS Request, tgsReq (as the result of calling kds_request()) to KDS_Y. A processes tgsResp according to the algorithm below. In the case this algorithm completes successfully, A is justified in believing that the returned tgsTkt (or Tkt*_A,···,B*; that is, tgsResp.resp-Tkt) is correctly and securely targeted to the server B* specified (tgsResp.resp-EncryptPart.resp-ServerCell and tgsResp.resp-EncryptPart.resp-ServerName), and that it contains the values returned elsewhere in the tgsResp (in particular, that A is the client named by tgsTkt), and using it (especially, its session key, K*_A,B*, of encryption type encType*) in subsequent Authentication Headers it sends in service requests to the targeted server, or in subsequent TGS Requests. In the case the algorithm fails, A takes (application-specific) recovery action.

Here, the notions of "success" or "failure" of this algorithm are taken to mean "conforming to A's request (tgsReq)", where the criteria of "conformance" are application-specific. Typically, but not necessarily, A will be satisfied only if KDS_Y formulates the TGS Response exactly as A requested. For example, A may have requested a very long maximum expiration time but KDS_Y issued only a somewhat shorter one -whether A views that as a success or failure is an application-specific determination.

Client cell

The named client's cell (tgsResp.resp-ClientCell) is checked for conformance to what A requested in the authenticator to its TGS Request (authnr.authnr.ClientCell, where authnr is carried in tgsReq.req-AuthnData as described previously).

Client name

The client name (tgsResp.resp-ClientName) is checked for conformance to what A requested (tgsReq.req-Body.req-ClientName).

Authentication data

The authentication data (tgsResp.resp-AuthnData) is ignored.

Ticket

tgsTkt (tgsResp.resp-Tkt) is not directly interpretable (in the sense of being decryptable) by A (unless A happens to also be the server targeted by tgsTkt), but the information in it is largely available elsewhere in tgsResp.

Decryption
The encryption type, encType (tgsResp.resp-EncryptedPart.encData-EncType), is checked to be the same as the encryption type protecting the ahTkt (Tkt_A,···,B) A had presented to KDS_Y in the authentication header of its TGS Request (authnHdr.authnHdr-Tkt). If it is acceptable, then A attempts to decrypt the ciphertext portion of the TGS Response (tgsResp.resp-EncryptedPart.encData-CipherText), using the session key K_A,B from ahTkt, unless A has requested that a conversation key K^_A,B (authnr.authnr-ConversationKey) be used, in which case A uses that key instead. (Note that this differs from the case of an AS Response, which is protected with A's long-term key, not a session key.) A successful decryption is recognised by the built-in integrity afforded by the ciphertext itself. In this way, A learns the information carried in tgsResp.resp-EncryptPart. If A encounters an "unsuccessful" decryption, it takes application-specific action-this presumably includes rejection of tgsResp as untrustworthy (the ability to successfully decrypt tgsResp.resp-EncryptedPart proves to A that it was encrypted by the legitimate KDS_Y (since A trusts the key K_A,B or K^_A,B to be secure), and that it is not being spoofed by a counterfeit KDS_Y. In particular, if A is not the client requested in tgsReq, in the sense of not knowing the correct session key (K_A,B or K^_A,B), then A will not be able to successfully decrypt tgsResp, and consequently will not be able to gain access to the information in tgsResp.resp-EncryptPart (in particular, its session key, K*_A,B* (tgsResp.resp-EncryptPart.resp-SessionKey, of encryption type encType*-see below)).
Nonce
The nonce (tgsResp.resp-EncryptPart.resp-Nonce) is checked for equality with the requested nonce (tgsReq.req-Body.req-Nonce). If it is not equal, then this tgsResp does not correspond to tgsReq, and a "replay attack" may be suspected, to which A takes application-specific action.
Last requests
The last requests (tgsResp.resp-EncryptPart.resp-LastRequests) are typically ignored (it may be inspected if present, but it is typically not present-see Part of KDS Response to be Encrypted ).
Key expiration date
The key expiration date (tgsResp.resp-EncryptPart.resp-KeyExpireDate) is typically ignored (it may be inspected if present, but it is typically not present-see Part of KDS Response to be Encrypted ).
Server cell
The server cell (tgsResp.resp-EncryptPart.resp-ServerCell) is checked for conformance to what A requested (tgsReq.req-Body.req-ServerCell). (See also next step.)
Server name
The server name (tgsResp.resp-EncryptPart.resp-ServerName) is checked for conformance to what A requested (tgsReq.req-Body.req-ServerName). (If the server cell (tgsResp.resp-EncryptPart.resp-ServerCell) and server name (tgsResp.resp-EncryptPart.resp-ServerName) do not identify the server that A requested, then A knows tgsTkt is a new cross-cell referral ticket, and A will normally send a TGS Request to the new cross-cell KDS server it names.)
Session key
The encryption type, encType* (tgsTkttkt-EncryptedPart.encData-Enctype), of the session key (which A trusts is secure), K*_A,B* (tgsResp.resp-EncryptPart.resp-SessionKey), is checked for conformance to what A had requested (tgsReqreg-Body.reg-EncTypes), and K*_A,B* is saved for later use (for example, in protecting communications with the server B*).
Authentication time
The authentication time (tgsResp.resp-EncryptPart.resp-AuthnTime) is checked for conformance to what A expects (namely, A's authentication time from ahTkt and from A's original initial ticket-granting-ticket on which tgsTkt is ultimately based).
Start time
The start time (tgsResp.resp-EncryptPart.resp-StartTime) is checked for conformance to what A requested. Namely, if A requested tgsTkt to be postdated, then the start time is checked to be present and checked for conformance to the start time A requested (tgsReq.req-Body.req-StartTime); otherwise, the start time should be absent.
Expiration time
The expiration time (tgsResp.resp-EncryptPart.resp-ExpireTime) is verified for conformance to what A requested (tgsReq.req-Body.req-ExpireTime).
Maximum expiration time
The maximum expiration time (tgsResp.resp-EncryptPart.resp-MaxExpireTime) is checked for conformance to what A requested. It should only be present (at most) if A had selected the renewable option (tgsReq.req-Body.req-Flags.req-Renewable) and supplied a requested maximum expiration time (tgsReq.req-Body.req-MaxExpireTime), or if A had selected the renewable-okay option (tgsReq.req-Body.req-Flags.req-RenewableOK).
Client addresses
If A requested that tgsTkt contain client host addresses (as part of a forward or proxy request), then the client address field (tgsResp.resp-EncryptPart.resp-ClientAddrs) is verified to be present and checked for conformance to what A requested (tgsReq.req-Body.req-ClientAddrs). Otherwise, the client addresses are checked for conformance to the client addresses in the ticket-granting-ticket accompanying the TGS Request (ahTkt.tkt-EncryptPart.tkt-ClientAddrs), if present.
Options
The options field (tgsResp.resp-EncryptPart.resp-Flags) is inspected for conformance to what A requested (tgsReq.req-Body.req-Flags).

This completes the specification of the TGS Request/Response exchange.

KDS Error Processing

[RFC 1510: 3.1.6, A.20]

This section specifies in detail the processing that occurs when a KDS server encounters a failure during its processing of an AS Request or a TGS Request, and returns a KDS Error to the requesting client. (Actually, KDS Error messages may be of some use to arbitrary application servers, not just KDS servers. That scenario is not examined in this section, though the discussion given here can easily be generalised to that situation.)

Consider a KDS Request, kdsReq, received by KDS_Y from a client A. This KDS Request is either an AS Request or a TGS Request, and KDS_Y performs the algorithm specified above accordingly. If it encounters one or more algorithmic failures, it chooses one (normally, the first one it encounters dynamically) to return in a KDS Error message. KDS_Y then proceeds to execute the algorithm below. This results in KDS_Y returning a KDS Error kdsErr (of type KDSError) to A.

authnr is written for the authenticator accompanying a KDS Request (carried in kdsReq.req-AuthnData as described previously), provided it is present and KDS_Y can decrypt the encrypted authenticator successfully. In that case, the description is authnr (and the information in it) "is available".

Protocol version number
The protocol version number (kdsErr.err-ProtoVersNum) is set to protoVersNum-KRB5.
Protocol message type
The protocol message type (kdsErr.err-ProtoMsgType) is set to protoMsgType-KDS-ERROR.
Client cell
The client cell (kdsErr.err-ClientCell) is set to the request's client cell (authnr.authnr-ClientCell), if available. Otherwise, it is omitted.
Client name
The client name (kdsErr.err-ClientName) is set to the request's client name (authnr.authnr-ClientName), if available. Otherwise, it is omitted.
Server cell
The server cell (kdsErr.err-ServerCell) is set to the request's server cell name (kdsReq.req-ServerCell), which is KDS_Y's cell name; that is, Y's cell name.
Server name
The server name (kdsErr.err-ServerName) is set to the request's server's RS name (kdsReq.req-ServerName), which is KDS_Y's RS name.
Client timestamp
The client timestamp (kdsErr.err-ClientTime) is set to the request's client timestamp (authnr.authnr-ClientTime), if available. Otherwise, it is omitted.
Client microsecondstamp
The client microsecondstamp (kdsErr.err-ClientMicroSec) is set to the request's client microsecondstamp (authnr.authnr-ClientMicroSec), if available. Otherwise, it is omitted.
Server timestamp
The server timestamp (kdsErr.err-ServerTime) is set to KDS_Y's system time.
Server microsecondstamp
The server microsecondstamp (kdsErr.err-ServerMicroSec) is set to KDS_Y's microsecondstamp.
Status code
The status code (kdsErr.err-StatusCode) is set to the status code of the error being reported by this KDS Error message.
Status text
The status text (kdsErr.err-StatusText) is set to the status text associated with the status code being reported, if any. Otherwise it is omitted.
Status data
The status data (kdsErr.err-StatusData) is set to the status data associated with the status code being reported, if any. Otherwise it is omitted.

This completes the specification of the KDS Error message processing.

Cross-Cell Authentication

[RFC 1510: 1.1]

As seen in AS Request/Response Processing and TGS Request/Response Processing , the authentication of a client A in cell X to a server B in cell Y is quite straightforward if X = Y. But the case X != Y requires a sequence of non-obvious cross-cell referrals. The low-level details have already been specified above (in TGS Request/Response Processing ), but without a higher-level understanding of cross-cell referrals the whole scenario remains obscure and mysterious. This section presents this higher-level view (see also Cells-Cross-cell Authentication and Authorisation ).

Consider a client A in cell X that wants to authenticate to an ultimate non-KDS end-server B in cell Y, with X != Y. A begins by obtaining an (initial or subsequent) ticket, Tkt_A,KDSX, protected with KDS_X's long-term key K_KDSX.

A then sends a TGS Request to KDS_X, presenting Tkt_A,KDSX (in req-AuthnData) to KDS_X, requesting a service-ticket targeted to B in Y. Note that A must know the principal name of B (comprising the cell name of Y and the RS name of B in Y), but A does not a priori know the intermediate cells in the trust chain between X and Y-that is, A knows the structure of the namespace, but only the network of KDS servers knows the structure of the trust graph (consisting of the cross-cell registrations of KDS servers with one another).

Since B's home cell is Y (!= X), KDS_X does not know B's long-term key K_B+3, and so it cannot construct the requested service-ticket targeted to B. Instead, KDS_X chooses a cell Z which is cross-registered with X to be used as the next hop towards Y, and returns to A a TGS Response which contains (in resp-Tkt) a cross-cell referral ticket, Tkt_A,X,KDSXZ. This TGS Response and Tkt_A,X,KDSXZ contain a newly generated session key K_A,KDSXZ between A and KDS_X,Z, and Tkt_A,X,KDSXZ is protected with the long-term key K_KDSXZ shared between the two surrogate KDS principals KDS_X,Z cross-registered in RS_X and in RS_Z.

When A receives this TGS Response from KDS_X, it recognises that it has received (resp-Tkt) a cross-cell referral ticket instead of the service-ticket it had requested, because the TGS Response contains information (in resp-ServerCell and resp-ServerName) telling A that the target of resp-Tkt is not the server B that A had requested (and a cross-cell referral ticket is the only instance in which a KDS server ever issues a ticket targeted to a server other than that requested by the client). Accordingly, A now formulates a new TGS Request, to KDS_Z (KDS_X,Z) this time, again requesting a service-ticket targeted to B. The ticket A present (in req-AuthnData) in this TGS Request to KDS_Z is the cross-cell referral ticket, Tkt_A,X,KDSXZ, A just received from KDS_X.

When KDS_Z receives this TGS Request, it decrypts Tkt_A,X,KDSXZ with the long-term key K_KDSXZ, thereby learning its session key K_A,KDSZ (this authenticates A to KDS_Z and secures communications between them, and establishes the A -> KDS_X -> KDS_Z trust chain).

Now shift notation slightly (for purposes of an inductive argument) and write Z´ instead of Z. If Z´ = Y, then KDS_Z´ = KDS_Y can satisfy A's TGS Request, and can return to A the Tkt_A,X,Y,B A requested. Otherwise, the above procedure is iterated: KDS_Z´ returns (if possible) to A another new cross-cell referral ticket, Tkt_{A,X,Z´,KDSZ´Z´´}, to a next-hop cell Z´´ which is even closer to the desired cell Y. This process continues through a sequence of cross-cell referrals, Z´, Z´´, ···, Z´´´, until it eventually terminates (if no errors are encountered) when the desired cell Z´´´´ = Y is ultimately reached. For at that point, A's TGS Request to KDS_Y (KDS_Z´´´Y) for a service-ticket targeted to B (protected in B's long-term key K_B+3) will finally be satisfied, and is returned to A in the TGS Response from KDS_Y. A recognises that it has finally received a service-ticket targeted to its desired end-server B, so can then proceed to use this Tkt\dA,X,Z´,Z´´,···,Z´´´,Y,B to authenticate itself to, and protect its communications with, B.

In particular, note that the successive steps of this cross-cell authentication scenario are all secure, because the referral information (cell name and RS name of successive KDS servers to be contacted, session keys, and so on) is securely determined by a chain of trusted KDS servers and securely transmitted to A at each stage.

Finally, it is to be noted that this chapter has not explained how authorisation data or UUIDs make their appearance in the protocol. That is the province of the Privilege Service, as specified in Privilege (Authorisation) Services .

Please note that the html version of this specification may contain formatting aberrations. The definitive version is available as an electronic publication on CD-ROM from The Open Group.

Contents

Next section

Index