Source: DataMuseum.dk, DKUUG/EUUG conference tapes, EUUGD6 "Sikkerheds distributionen", ./papers/Kerberos/V5DRAFT3-RFC.PS.Z (PostScript produced from ditroff by John T. Kohl, Mon Oct 8 10:08:36 1990). The PostScript has been rendered back to text below.
Date: 8 October 1990
From: John Kohl, Clifford Neuman, Jennifer Steiner
To: RFC readers
Re: Kerberos Version 5 RFC, draft #3

This is the third draft of version 5 of the Kerberos Protocol. At this point, the protocol should be considered fixed. Only minor changes†, or bug fixes will be made.

Readers should note several things:

We have decided to use ASN.1 encodings for all the protocol messages; therefore this draft is considerably shorter in the packet format sections.

We are suggesting the use of the CRC-32 checksum to augment the integrity of the DES CBC encryption mode. We are also suggesting the use of the RSA MD4 checksum encrypted under a DES key as a cryptographic checksum for the KRB_SAFE exchange. Alternative checksum algorithms may be used, but may not be supported in the initial implementation.

The confounder has been removed from the message specifications and added to the specification for encryption. This was done because the use of the confounder is really part of the encryption algorithm. In particular, the length of the confounder is best determined with knowledge of the encryption method to be used.

We have decided not to encrypt the authorization data and the additional tickets passed to the KDC in the request for additional tickets (KRB_TGS_REQ). Instead, these fields are integrity checked under the cryptographic checksum included in the authenticator. We seek comments regarding the possible attacks and/or the consequences of only integrity-protecting these portions of the KRB_TGS_REQ.

The pseudo-code provided in appendix A is a "second pass" and not fully "debugged". We welcome comments on errors and suggestions for more or less detail there.

Please send any comments about this draft to the mailing list krb-protocol@athena.mit.edu.

We thank you for your interest in Kerberos, and look forward to hearing your comments.

Major changes since draft 2

This list doesn't include rewordings, typos & such.

- All messages are now encoded using ASN.1
- Confounders are now considered part of the encryption function
- KRB_AS_REQ and KRB_TGS_REQ now share a single message format

† Among the minor changes, some of the ASN.1 encodings need to be cleaned up a little.


Network Working Group                                      John Kohl
Request for Comments: DRAFT 3                       B. Clifford Neuman
                                                      Jennifer Steiner
                                                    MIT Project Athena
                                                        8 October 1990

                The Kerberos Network Authentication Service
                                  DRAFT

STATUS OF THIS MEMO

This DRAFT document gives an overview and specification of the Version 5 protocol for the Kerberos network authentication system. Version 4, described elsewhere,[1, 2] is presently in production use at MIT's Project Athena, and at other Internet sites. Distribution of this memo is unlimited.

OVERVIEW

This DRAFT RFC describes the concepts and model upon which the Kerberos network authentication system is based. It also specifies the present proposal for Version 5.

The motivations, goals, assumptions, and rationale behind design decisions are treated cursorily; they are fully described for the previous version in the Kerberos portion of the Athena Technical Plan.[1] The protocols are under review, and are not proposed as an Internet standard at this time. Comments are encouraged. Requests for additions to an electronic mailing list on Kerberos discussions, kerberos@athena.mit.edu, may be addressed to kerberos-request@athena.mit.edu. This mailing list is gatewayed onto the Usenet as the group comp.protocols.kerberos. Requests for further information, including documents and code availability, may be sent to info-kerberos@athena.mit.edu.

ACKNOWLEDGMENTS

The Kerberos model is based on Needham and Schroeder's trusted third-party authentication scheme[3] and on modifications suggested by Denning and Sacco.[4] The original design and implementation of Kerberos Versions 1 through 4 are due to two former Project Athena members, Steve Miller of Digital Equipment Corporation and Clifford Neuman of the University of Washington, along with Jerome Saltzer, Technical Director of Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members of Project Athena have also contributed to the work on Kerberos.

1. Introduction

Kerberos provides a means of verifying the identities of principals (e.g., a workstation user or a network server) on an open (i.e., unprotected) network. This is accomplished without relying on authentication by the host operating system, without basing trust on host addresses†, without requiring physical security of all the hosts on the network, and under the assumption that packets traveling along the network can be read, modified, and inserted at will. Kerberos performs authentication under these conditions as a trusted third-party authentication service using conventional (shared secret key‡) cryptography.

† Note, however, that many applications use Kerberos' functions only upon the initiation of a stream-based network connection, and assume the absence of any "hijackers" who might subvert such a connection. Such use implicitly trusts the host addresses involved.

‡ Secret and private are often used interchangeably in the literature. In our usage, it takes two (or more) to share a secret, thus a shared DES key is a secret key. Something is only private when no one but its owner knows it. Thus, in public key cryptosystems, one has a public and a private key.

The authentication process proceeds as follows: A client sends a request to the authentication server (AS) requesting "credentials" for a given server. The AS responds with these credentials, encrypted in the client's key. The credentials consist of 1) a "ticket" for the server and 2) a temporary (session) encryption key. The client forwards the ticket (which contains the client's identity and a copy of the session key, all encrypted in the server's key) to the server. The session key (now shared by the client and server) is used to authenticate the client, and optionally authenticate the server. It may also be used to encrypt further communication between the two parties.

The implementation consists of one or more authentication servers running on physically secure hosts. The authentication servers maintain a database of principals (i.e., users and servers) and their secret keys. Libraries provide encryption and implement the Kerberos protocol. In order to add authentication to its transactions, a typical network application adds one or two calls to the Kerberos library.

The Kerberos protocol consists of several sub-protocols (or exchanges). There are two methods by which a client can ask a Kerberos server for credentials. In the first approach, the client sends a cleartext request for a ticket for the desired server to the AS. The reply is sent encrypted in the client's secret key. Usually this request is for a ticket-granting ticket (TGT) which can later be used with the ticket-granting server (TGS). In the second method, the client sends a request to the TGS. The client sends the TGT to the TGS in the same manner as if it were contacting any other application server which requires Kerberos credentials. The reply is encrypted in the session key from the TGT.

Once obtained, credentials may be used to verify the identity of the principals to a transaction, to check the integrity of messages exchanged between them, or to encrypt the messages, thereby protecting the privacy of the communication between them. Which option is chosen depends on the application.

To verify the identities of the principals to a transaction, the client forwards the ticket to the server. Since the ticket is sent in the clear, and might be intercepted and reused by an attacker, additional information is sent to prove that the message was originated by the principal to whom the ticket was issued. This information (authenticator) is encrypted in the session key, and includes a timestamp. The timestamp proves that the message was recently generated and is not a replay. Encrypting the authenticator in the session key proves that it was generated by a party possessing the session key. Since no one except the requesting principal and the server know the session key (it is never sent over the network in the clear) this guarantees the identity of the client.
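The AS exchange and the ticket-plus-authenticator check described above, as an added illustrative model in Python. This is not the draft's code and not its wire format: messages are JSON dicts rather than ASN.1, "encryption in a key" is a stand-in built from SHA-256 in counter mode with an HMAC tag instead of DES-CBC, and the five-minute clock skew, eight-hour ticket lifetime and principal names are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import secrets
import time

# Model parameters (assumptions, not values taken from the draft).
CLOCK_SKEW = 300            # seconds an authenticator timestamp may differ from server time
TICKET_LIFETIME = 8 * 3600  # seconds a ticket stays valid


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for the draft's DES-CBC, not for production use."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """'Encrypt in key': XOR with the keystream, then an HMAC tag so tampering is detected."""
    nonce = os.urandom(16)
    plaintext = json.dumps(obj, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Inverse of encrypt(); raises ValueError unless the blob was produced under `key`."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or modified message")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class AuthServer:
    """The AS: holds the principal database (principal name -> secret key)."""

    def __init__(self, db: dict):
        self.db = db

    def as_exchange(self, client: str, server: str, now: float) -> bytes:
        """Cleartext request for `server`, answered with credentials (ticket + session key)
        encrypted in the client's key; the ticket itself is encrypted in the server's key."""
        session_key = secrets.token_bytes(32)
        ticket = encrypt(self.db[server], {"client": client, "session_key": session_key.hex(),
                                           "issued": now, "expires": now + TICKET_LIFETIME})
        return encrypt(self.db[client], {"server": server, "ticket": ticket.hex(),
                                         "session_key": session_key.hex()})


def build_authenticator(session_key: bytes, client: str, now: float) -> bytes:
    """Client name and timestamp, encrypted in the session key: proof of possession."""
    return encrypt(session_key, {"client": client, "timestamp": now})


class AppServer:
    """Application server side: decrypt the ticket, then check the authenticator."""

    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()  # (client, timestamp) pairs already accepted

    def verify(self, ticket: bytes, authenticator: bytes, now: float) -> bytes:
        """Return the session key on success, raise ValueError on any failed check."""
        t = decrypt(self.key, ticket)                     # only our KDC knows this key
        if not t["issued"] <= now <= t["expires"]:
            raise ValueError("ticket expired or not yet valid")
        session_key = bytes.fromhex(t["session_key"])
        a = decrypt(session_key, authenticator)           # sender must hold the session key
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["timestamp"]) > CLOCK_SKEW:
            raise ValueError("authenticator timestamp outside allowed skew")
        if (a["client"], a["timestamp"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["timestamp"]))
        return session_key


def demo(now: float = None) -> dict:
    """One AS exchange and several verification attempts; returns the outcome of each."""
    now = time.time() if now is None else now
    keys = {p: secrets.token_bytes(32) for p in ("alice", "host/mail", "mallory")}  # constructed sample
    kdc, mail = AuthServer(keys), AppServer(keys["host/mail"])
    creds = decrypt(keys["alice"], kdc.as_exchange("alice", "host/mail", now))
    ticket, skey = bytes.fromhex(creds["ticket"]), bytes.fromhex(creds["session_key"])
    good = build_authenticator(skey, "alice", now)
    results = {"fresh": mail.verify(ticket, good, now) == skey}
    attempts = {
        "replay": (ticket, good, now + 1),                                        # same authenticator again
        "stale": (ticket, build_authenticator(skey, "alice", now - 3600), now),   # old timestamp
        "expired": (ticket, build_authenticator(skey, "alice", now + 9 * 3600), now + 9 * 3600),
    }
    for name, args in attempts.items():
        try:
            mail.verify(*args)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    try:  # an attacker holding a different principal's key cannot open the AS reply
        decrypt(keys["mallory"], kdc.as_exchange("alice", "host/mail", now))
        results["wrong_key"] = "accepted"
    except ValueError as err:
        results["wrong_key"] = str(err)
    return results
```

`demo()` returns which attempts the application server accepted. The skew window and the replay cache are what make the timestamp argument in the text hold: the server needs a clock the KDC and its clients agree with, and the replay cache has to cover at least the skew window, otherwise an intercepted authenticator can be presented a second time.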
The integrity of the messages exchanged between principals can also be guaranteed using the session key passed in the ticket, and contained in the credentials. This approach affords detection not only of replay, but also of message stream modification (MSM). This is accomplished by generating and passing a cryptographic checksum of the client's message. The checksum is computed using the session key. Privacy of the messages exchanged between principals can be secured by encrypting the data to be passed using the session key passed in the ticket, and contained in the credentials.

The authentication exchanges mentioned above require read-only access to the Kerberos database. Sometimes, however, the data in the database must be modified, such as when adding new principals or changing a password. This is done using a protocol between a client and a third Kerberos server, the Kerberos Administration Server (KADM). The administration protocol is not described in this document.

Inter-Realm Operation

The Kerberos protocol is designed to operate across organizational boundaries. A client in one organization can be authenticated to a server in another. Each organization wishing to run a Kerberos server establishes its own "realm". The name of the realm in which a client is registered is part of the client's name, and can be used by the end service to decide whether to honor a request.

By exchanging an "inter-realm" key, the administrators of two realms can allow a client authenticated in the local realm to use its authentication remotely. The exchange of an inter-realm key registers the ticket-granting service of each realm as a principal in the other realm. A client is then able to obtain a ticket-granting ticket for the remote realm's ticket-granting service from its local realm. When that ticket-granting ticket is used, the remote ticket-granting service uses the inter-realm key to decrypt the ticket-granting ticket, and is thus certain that it was issued by the client's local Kerberos. Tickets issued by the remote ticket-granting service will indicate that the client was authenticated in its local realm.

A realm is said to communicate with another realm if the two realms share an inter-realm key, or if the local realm shares an inter-realm key with an intermediate realm that communicates with the remote realm. An authentication path is the sequence of intermediate realms that are transited in communicating from one realm to another.

Realms are typically organized hierarchically. Each realm shares a key with its parent and a different key with each child. If an inter-realm key is not directly shared by two realms, the hierarchical organization allows an authentication path to be easily constructed. If a hierarchical organization is not used, it may be necessary to consult some database in order to construct an authentication path between realms.

Although realms are typically hierarchical, intermediate realms may be bypassed to achieve inter-realm authentication through alternate authentication paths. It is important for the end service to know which realms were transited when deciding how much faith to place in the authentication process. To facilitate this decision, a field in the ticket contains the names of the realms that were involved in authenticating the client. The encoding and use of this field is described later in this document.
1643(principal's)X 2006(identity)X 2270(for)X 2384(a)X 2440(particular)X 2768(purpose)X 3042(by)X 3142(granting)X 3429(it)X 3493(a)X 3549(proxy.)X 755 2608(Authentication)N 1253(forwarding)X 1632(is)X 1707(an)X 1805(instance)X 2090(of)X 2179(the)X 2299(proxy)X 2507(problem)X 2795(where)X 3013(the)X 3132(service)X 3381(is)X 3455(granted)X 3717(complete)X 555 2704(use)N 687(of)X 779(the)X 902(client's)X 1163(identity.)X 1472(An)X 1594(example)X 1890(where)X 2111(it)X 2179(might)X 2389(be)X 2489(used)X 2660(is)X 2737(when)X 2935(a)X 2995(user)X 3153(logs)X 3310(in)X 3396(to)X 3482(a)X 3542(remote)X 3789(system)X 555 2800(and)N 691(wants)X 898(authentication)X 1372(to)X 1454(work)X 1639(from)X 1815(that)X 1955(system)X 2197(as)X 2284(if)X 2353(the)X 2471(login)X 2655(were)X 2832(local.)X 755 2924(In)N 851(order)X 1050(to)X 1141(complicate)X 1522(the)X 1649(use)X 1785(of)X 1881(stolen)X 2101(credentials,)X 2498(Kerberos)X 2822(tickets)X 3060(are)X 3188(typically)X 3497(valid)X 3685(from)X 3869(only)X 555 3020(those)N 756(network)X 1051(addresses)X 1391(speci\256cally)X 1788(included)X 2096(in)X 2190(the)X 2320(ticket.)X 2570(For)X 2713(this)X 2860(reason,)X 3122(a)X 3190(client)X 3400(wishing)X 3685(to)X 3779(grant)X 3975(a)X 555 3116(proxy)N 762(must)X 937(request)X 1189(a)X 1245(new)X 1399(ticket)X 1597(valid)X 1777(for)X 1891(the)X 2009(network)X 2292(address)X 2553(of)X 2640(the)X 2758(service)X 3006(to)X 3088(be)X 3184(granted)X 3445(the)X 3563(proxy.)X 755 3240(Kerberos)N 1087(supports)X 1395(proxy)X 1619(and)X 1772(authentication)X 2263(forwarding)X 2657(through)X 2943(the)X 3077(combined)X 3429(effects)X 3680(of)X 3783(several)X 555 3336(\256elds)N 761(in)X 856(the)X 987(tickets)X 1229(it)X 1306(issues.)X 1570(The)X 1728(proxiable)X 2064(and)X 2213(forwardable)X 2635(\257ags)X 2819(in)X 2913(the)X 3043(ticket-granting)X 3547(ticket)X 3757(indicate)X 555 3432(whether)N 844(a)X 910(proxy)X 1127(can)X 1269(be)X 1375(granted)X 1646(without)X 1920(requiring)X 
2243(the)X 2370(user)X 2533(to)X 2624(enter)X 2814(a)X 2879(password)X 3211(again.)X 3454(The)X 3608(host)X 3770(address)X 555 3528(\256eld)N 721(optionally)X 1069(restricts)X 1347(the)X 1469(proxy)X 1680(to)X 1765(being)X 1966(used)X 2136(from)X 2315(a)X 2374(particular)X 2705(network)X 2991(address.)X 3295(Finally,)X 3564(the)X 3685(authoriza-)X 555 3624(tion)N 703(data)X 861(\256eld)X 1027(allows)X 1259(the)X 1380(client)X 1581(to)X 1666(include)X 1925(information)X 2326(in)X 2411(the)X 2532(proxy)X 2742(restricting)X 3090(its)X 3188(use.)X 3358(The)X 3506(content)X 3765(and)X 3904(use)X 555 3720(of)N 642(this)X 777(\256eld)X 939(are)X 1058(described)X 1386(in)X 1468(greater)X 1712(detail)X 1910(in)X 1992(sections)X 2270(2.3,)X 2410(5,)X 2490(and)X 2626(6.)X 3 f 12 s 555 4008(1.1.)N 747(Glossary)X 1134(of)X 1238(terms)X 1 f 10 s 555 4132(Below)N 784(is)X 857(a)X 913(list)X 1030(of)X 1117(terms)X 1315(used)X 1482(throughout)X 1853(this)X 1988(document.)X 3 f 555 4352(Authentication)N 1 f 1355(Verifying)X 1687(the)X 1805(claimed)X 2079(identity)X 2343(of)X 2430(a)X 2486(principal.)X 3 f 555 4572(Authentication)N 1093(header)X 1 f 1362(A)X 1447(record)X 1679(containing)X 2043(a)X 2105(Ticket)X 2336(and)X 2478(an)X 2580(Authenticator)X 3047(to)X 3135(be)X 3237(presented)X 3571(to)X 3659(a)X 3721(server)X 3944(as)X 1355 4668(part)N 1500(of)X 1587(the)X 1705(authentication)X 2179(process.)X 3 f 555 4888(Authentication)N 1097(path)X 1 f 1366(A)X 1455(sequence)X 1781(of)X 1879(intermediate)X 2311(realms)X 2556(transited)X 2862(in)X 2954(the)X 3082(authentication)X 3566(process)X 3837(when)X 1355 4984(communicating)N 1873(from)X 2049(one)X 2185(realm)X 2388(to)X 2470(another.)X 3 f 555 5204(Authenticator)N 1 f 1355(A)X 1446(record)X 1685(containing)X 2056(information)X 2467(that)X 2620(can)X 2765(be)X 2874(shown)X 3115(to)X 3209(have)X 3393(been)X 3577(recently)X 3868(gen-)X 1355 5300(erated)N 1572(using)X 1765(the)X 1883(session)X 2134(key)X 2270(known)X 2508(only)X 
2670(by)X 2770(the)X 2888(client)X 3086(and)X 3222(server.)X 3 f 555 5520(Authorization)N 1 f 1355(The)X 1503(process)X 1767(of)X 1857(determining)X 2267(whether)X 2549(a)X 2608(client)X 2809(may)X 2969(use)X 3098(a)X 3156(service,)X 3446(which)X 3664(objects)X 3913(the)X 1355 5616(client)N 1553(is)X 1626(allowed)X 1900(to)X 1982(access,)X 2228(and)X 2364(the)X 2482(type)X 2640(of)X 2727(access)X 2953(allowed)X 3227(for)X 3341(each.)X 3 f 555 5836(Capability)N 1 f 1355(A)X 1453(token)X 1671(that)X 1831(grants)X 2067(the)X 2204(bearer)X 2445(permission)X 2835(to)X 2936(access)X 3181(an)X 3296(object)X 3531(or)X 3637(service.)X 3944(In)X 555 6144(Section)N 815(1.1.)X 2216(-)X 2263(3)X 2323(-)X 4 p %%Page: 4 5 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 1355 672(Kerberos,)N 1704(this)X 1853(might)X 2073(be)X 2183(a)X 2253(ticket)X 2465(whose)X 2704(use)X 2845(is)X 2932(restricted)X 3265(by)X 3379(the)X 3511(contents)X 3812(of)X 3913(the)X 1355 768(authorization)N 1809(data)X 1974(\256eld,)X 2167(but)X 2300(which)X 2527(lists)X 2685(no)X 2795(network)X 3088(addresses;)X 3448(together)X 3741(with)X 3913(the)X 1355 864(session)N 1606(key)X 1742(necessary)X 2075(to)X 2157(use)X 2284(the)X 2402(ticket.)X 3 f 555 1084(Ciphertext)N 1 f 1355(The)X 1501(output)X 1726(of)X 1814(an)X 1910(encryption)X 2273(function.)X 2600(Encryption)X 2976(transforms)X 3339(plaintext)X 3639(into)X 3783(cipher-)X 1355 1180(text.)N 3 f 555 1400(Client)N 1 f 1355(A)X 1439(process)X 1706(that)X 1852(makes)X 2083(use)X 2216(of)X 2309(a)X 2371(network)X 2660(service,)X 2934(on)X 3040(behalf)X 3267(of)X 3360(a)X 3422(user.)X 3622(Note)X 3804(that)X 3949(in)X 1355 1496(some)N 1546(cases)X 1738(a)X 3 f 1796(Server)X 1 f 2046(may)X 2205(itself)X 2386(be)X 2483(a)X 2540(client)X 2739(of)X 2827(some)X 3017(other)X 3203(server)X 3421(\(e.g.)X 3585(a)X 3642(print)X 3814(server)X 1355 1592(may)N 1513(be)X 1609(a)X 1665(client)X 1863(of)X 1950(a)X 2006(\256le)X 2128(server\).)X 3 f 
555 1812(Credentials)N 1 f 1355(A)X 1438(ticket)X 1641(plus)X 1799(the)X 1922(secret)X 2135(session)X 2391(key)X 2532(necessary)X 2870(to)X 2956(successfully)X 3372(use)X 3503(that)X 3647(ticket)X 3849(in)X 3935(an)X 1355 1908(authentication)N 1829(exchange.)X 3 f 555 2128(KDC)N 1 f 1355(Key)X 1523(Distribution)X 1943(Center,)X 2211(a)X 2281(network)X 2578(service)X 2840(that)X 2994(supplies)X 3290(tickets)X 3532(and)X 3681(temporary)X 1355 2224(session)N 1608(keys;)X 1799(or)X 1888(an)X 1986(instance)X 2271(of)X 2360(that)X 2502(service)X 2752(or)X 2841(the)X 2960(host)X 3114(on)X 3215(which)X 3432(it)X 3497(runs.)X 3696(The)X 3842(KDC)X 1355 2320(services)N 1648(both)X 1824(initial)X 2044(ticket)X 2255(and)X 2404(ticket-granting)X 2909(ticket)X 3120(requests.)X 3456(The)X 3614(initial)X 3833(ticket)X 1355 2416(portion)N 1618(is)X 1703(sometimes)X 2077(referred)X 2365(to)X 2459(as)X 2558(the)X 2687(Authentication)X 3194(Server)X 3435(\(or)X 3560(service\).)X 3886(The)X 1355 2512(ticket-granting)N 1850(ticket)X 2051(portion)X 2305(is)X 2381(sometimes)X 2746(referred)X 3025(to)X 3110(as)X 3200(the)X 3320(ticket-granting)X 3814(server)X 1355 2608(\(or)N 1469(service\).)X 3 f 555 2828(Kerberos)N 1 f 1355(Aside)X 1580(from)X 1774(the)X 1910(3-headed)X 2243(dog)X 2401(guarding)X 2724(Hades,)X 2983(the)X 3119(name)X 3330(given)X 3545(to)X 3644(the)X 3779(Athena)X 1355 2924(authentication)N 1848(service,)X 2135(the)X 2272(protocol)X 2578(used)X 2764(by)X 2883(that)X 3042(service,)X 3329(or)X 3435(the)X 3572(code)X 3763(used)X 3949(to)X 1355 3020(implement)N 1717(the)X 1835(authentication)X 2309(service.)X 3 f 555 3240(Plaintext)N 1 f 1355(The)X 1524(input)X 1731(to)X 1836(an)X 1955(encryption)X 2341(function)X 2651(or)X 2761(the)X 2902(output)X 3149(of)X 3259(a)X 3338(decryption)X 3724(function.)X 1355 3336(Decryption)N 1736(transforms)X 2099(ciphertext)X 2440(into)X 2584(plaintext.)X 3 f 555 3556(Principal)N 1 f 1355(A)X 1434(uniquely)X 1734(named)X 1968(client)X 
2166(or)X 2253(server)X 2470(instance)X 2753(that)X 2893(participates)X 3283(in)X 3365(a)X 3421(network)X 3704(commun-)X 1355 3652(ication.)N 3 f 555 3872(Principal)N 890(identi\256er)X 1 f 1355(The)X 1500(name)X 1694(used)X 1861(to)X 1943(uniquely)X 2243(identify)X 2512(each)X 2680(different)X 2977(principal.)X 3 f 555 4092(Seal)N 1 f 1355(To)X 1466(encipher)X 1765(a)X 1823(record)X 2051(containing)X 2411(several)X 2661(\256elds,)X 2876(in)X 2960(such)X 3129(a)X 3187(way)X 3343(that)X 3484(the)X 3603(\256elds)X 3797(cannot)X 1355 4188(be)N 1458(individually)X 1871(replaced)X 2171(without)X 2442(either)X 2651(knowledge)X 3029(of)X 3122(the)X 3246(encryption)X 3615(key)X 3757(or)X 3850(leav-)X 1355 4284(ing)N 1477(evidence)X 1783(of)X 1870(tampering.)X 3 f 555 4504(Secret)N 804(key)X 1 f 1369(An)X 1501(encryption)X 1878(key)X 2028(shared)X 2272(by)X 2385(a)X 2454(principal)X 2772(and)X 2921(the)X 3052(KDC,)X 3274(distributed)X 3649(outside)X 3913(the)X 1355 4600(bounds)N 1612(of)X 1705(the)X 1829(system,)X 2096(with)X 2263(a)X 2324(long)X 2491(lifetime.)X 2805(In)X 2897(the)X 3020(case)X 3184(of)X 3276(a)X 3337(human)X 3580(user's)X 3797(princi-)X 1355 4696(pal,)N 1493(the)X 1611(secret)X 1819(key)X 1955(is)X 2028(derived)X 2289(from)X 2465(a)X 2521(password.)X 3 f 555 4916(Server)N 1 f 1355(A)X 1433(particular)X 1761(Principal)X 2070(which)X 2286(provides)X 2582(a)X 2638(resource)X 2931(to)X 3013(network)X 3296(clients.)X 3 f 555 5136(Service)N 1 f 1355(A)X 1442(resource)X 1744(provided)X 2057(to)X 2147(network)X 2438(clients;)X 2697(often)X 2890(provided)X 3203(by)X 3311(more)X 3504(than)X 3670(one)X 3814(server)X 1355 5232(\(for)N 1496(example,)X 1808(remote)X 2051(\256le)X 2173(service\).)X 3 f 555 5452(Session)N 829(key)X 1 f 1361(A)X 1445(temporary)X 1801(encryption)X 2170(key)X 2312(used)X 2484(between)X 2777(two)X 2922(principals,)X 3283(with)X 3450(a)X 3511(lifetime)X 3785(limited)X 1355 5548(to)N 1437(the)X 1555(duration)X 1842(of)X 1929(a)X 1985(single)X 
2196(communications)X 2745("session".)X 3 f 555 5768(Ticket)N 1 f 1355(A)X 1441(record)X 1674(that)X 1821(helps)X 2017(a)X 2080(client)X 2285(authenticate)X 2700(itself)X 2887(to)X 2976(a)X 3039(server;)X 3285(it)X 3356(contains)X 3650(the)X 3775(client's)X 555 6144(Section)N 815(1.1.)X 2216(-)X 2263(4)X 2323(-)X 5 p %%Page: 5 6 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 1355 672(identity,)N 1650(a)X 1717(session)X 1979(key,)X 2146(a)X 2213(timestamp,)X 2597(and)X 2744(other)X 2940(information,)X 3369(all)X 3479(sealed)X 3710(using)X 3913(the)X 1355 768(server's)N 1639(secret)X 1856(key.)X 2041(It)X 2119(only)X 2290(serves)X 2519(to)X 2609(authenticate)X 3025(a)X 3089(client)X 3295(when)X 3497(presented)X 3833(along)X 1355 864(with)N 1517(a)X 1573(new)X 1727(Authenticator.)X 3 f 12 s 555 1152(2.)N 675(Message)X 1046(Exchanges)X 1 f 10 s 555 1276(The)N 713(following)X 1057(sections)X 1348(describe)X 1649(the)X 1780(interactions)X 2186(between)X 2486(network)X 2781(clients)X 3022(and)X 3170(servers)X 3430(and)X 3578(the)X 3708(messages)X 555 1372(involved)N 855(in)X 937(those)X 1126(exchanges.)X 3 f 12 s 555 1564(2.1.)N 747(The)X 931(Authentication)X 1568(Service)X 1892(\(AS\))X 2102(Exchange)X 1 f 10 s 755 1688(This)N 918(section)X 1166(describes)X 1486(the)X 1605(initial)X 1811(interaction)X 2174(between)X 2462(a)X 2518(client)X 2716(and)X 2852(the)X 2970(Kerberos)X 3285(Authentication)X 3781(Server.)X 555 1784(This)N 719(exchange)X 1045(is)X 1120(usually)X 1373(initiated)X 1657(by)X 1758(a)X 1815(client)X 2014(when)X 2209(it)X 2274(wishes)X 2513(to)X 2596(obtain)X 2817(authentication)X 3292(credentials)X 3661(for)X 3776(a)X 3833(given)X 555 1880(server.)N 820(The)X 973(client's)X 1236(secret)X 1451(key)X 1594(is)X 1674(used)X 1848(for)X 1969(encryption)X 2339(and)X 2482(decryption.)X 2892(This)X 3061(exchange)X 3392(is)X 3472(typically)X 3779(used)X 3953(at)X 555 1976(the)N 675(initiation)X 985(of)X 1074(a)X 1132(login)X 
1318(session,)X 1591(to)X 1675(obtain)X 1897(credentials)X 2267(for)X 2383(a)X 2441(Ticket-Granting)X 2980(Server,)X 3231(which)X 3448(will)X 3593(subsequently)X 555 2072(be)N 660(used)X 835(obtain)X 1063(credentials)X 1439(for)X 1561(other)X 1754(servers)X 2010(\(see)X 2168(section)X 2423(2.3\))X 2578(without)X 2850(requiring)X 3172(further)X 3419(use)X 3554(of)X 3649(the)X 3775(client's)X 555 2168(secret)N 776(key.)X 965(This)X 1140(exchange)X 1477(is)X 1563(also)X 1725(used)X 1905(to)X 1999(request)X 2263(credentials)X 2643(for)X 2769(services)X 3060(which)X 3288(must)X 3475(not)X 3609(be)X 3717(mediated)X 555 2264(through)N 838(the)X 970(Ticket-Granting)X 1521(Service,)X 1816(but)X 1952(rather)X 2174(require)X 2435(a)X 2504(principal's)X 2880(secret)X 3101(key,)X 3270(such)X 3450(as)X 3550(the)X 3681(password-)X 555 2360(changing)N 869(service\262.)X 755 2484(The)N 933(exchange)X 1290(consists)X 1596(of)X 1716(two)X 1889(messages:)X 2267(KRB_AS_REQ)X 2826(from)X 3034(the)X 3184(client)X 3414(to)X 3528(Kerberos,)X 3895(and)X 555 2580(KRB_AS_REP)N 1067(or)X 1154(KRB_ERROR)X 1644(in)X 1726(reply.)X 1951(The)X 2096(formats)X 2361(for)X 2475(these)X 2660(messages)X 2983(are)X 3102(described)X 3430(in)X 3512(section)X 3759(6.3.)X 755 2704(In)N 843(the)X 961(request,)X 1233(the)X 1351(client)X 1549(sends)X 1747(\(in)X 1856(cleartext\))X 2180(its)X 2275(own)X 2433(identity)X 2697(and)X 2833(the)X 2951(identity)X 3215(of)X 3302(the)X 3420(server)X 3637(for)X 3751(which)X 3967(it)X 555 2800(is)N 638(requesting)X 1002(credentials.)X 1420(The)X 1574(response,)X 1904(KRB_AS_REP,)X 2445(contains)X 2741(a)X 2806(ticket)X 3013(for)X 3136(the)X 3263(client)X 3470(to)X 3561(present)X 3822(to)X 3913(the)X 555 2896(server,)N 799(and)X 941(a)X 1003(session)X 1260(key)X 1402(that)X 1548(will)X 1698(be)X 1800(shared)X 2036(by)X 2142(the)X 2266(client)X 2470(and)X 2612(the)X 2736(server.)X 2999(The)X 3150(session)X 3407(key)X 3549(and)X 3691(additional)X 555 2992(information)N 
966(are)X 1098(encrypted)X 1448(in)X 1543(the)X 1673(client's)X 1941(secret)X 2161(key.)X 2349(The)X 2506(KRB_AS_REP)X 3030(message)X 3334(contains)X 3633(information)X 555 3088(which)N 772(can)X 905(be)X 1002(used)X 1170(to)X 1253(detect)X 1466(replays,)X 1739(and)X 1876(to)X 1959(associate)X 2270(it)X 2335(with)X 2498(the)X 2617(message)X 2910(to)X 2993(which)X 3210(it)X 3275(replies.)X 3549(Various)X 3823(errors)X 555 3184(can)N 688(occur;)X 910(these)X 1095(are)X 1214(indicated)X 1528(by)X 1628(an)X 1724(error)X 1901(response)X 2202(\(KRB_ERROR\))X 2746(instead)X 2993(of)X 3080(the)X 3198(KRB_AS_REP)X 3710(response.)X 555 3280(The)N 707(error)X 890(message)X 1188(is)X 1267(not)X 1395(encrypted.)X 1778(The)X 1929(KRB_ERROR)X 2425(message)X 2723(also)X 2878(contains)X 3171(information)X 3575(which)X 3797(can)X 3935(be)X 555 3376(used)N 724(to)X 808(associate)X 1120(it)X 1186(with)X 1350(the)X 1470(message)X 1764(to)X 1848(which)X 2066(it)X 2132(replies.)X 2408(The)X 2555(lack)X 2710(of)X 2798(encryption)X 3162(in)X 3245(the)X 3364(KRB_ERROR)X 3855(mes-)X 555 3472(sage)N 718(thwarts)X 974(the)X 1092(ability)X 1316(to)X 1398(detect)X 1610(replays.)X 755 3596(In)N 843(the)X 962(normal)X 1210(case)X 1370(the)X 1488(authentication)X 1962(server)X 2179(does)X 2346(not)X 2468(know)X 2666(whether)X 2945(the)X 3063(client)X 3261(is)X 3334(actually)X 3608(the)X 3726(principal)X 555 3692(named)N 793(in)X 879(the)X 1001(request.)X 1297(It)X 1370(simply)X 1611(sends)X 1813(a)X 1873(reply)X 2062(without)X 2330(knowing)X 2634(or)X 2725(caring)X 2950(whether)X 3233(they)X 3395(are)X 3518(the)X 3640(same.)X 3869(This)X 555 3788(is)N 633(acceptable)X 998(because)X 1278(nobody)X 1543(but)X 1669(the)X 1791(principal)X 2100(whose)X 2329(identity)X 2597(was)X 2746(given)X 2948(in)X 3034(the)X 3156(request)X 3412(will)X 3560(be)X 3660(able)X 3818(to)X 3904(use)X 555 3884(the)N 690(reply.)X 912(Its)X 1029(critical)X 1289(information)X 1704(is)X 1794(encrypted)X 2148(in)X 2247(that)X 
2404(principal's)X 2784(key.)X 2977(The)X 3138(initial)X 3360(request)X 3628(supports)X 3935(an)X 555 3980(optional)N 840(\256eld)X 1005(that)X 1148(can)X 1283(be)X 1382(used)X 1552(to)X 1637(pass)X 1798(additional)X 2141(information)X 2542(that)X 2685(might)X 2894(be)X 2993(needed)X 3243(for)X 3359(the)X 3479(initial)X 3687(exchange.)X 555 4076(This)N 717(\256eld)X 879(may)X 1037(be)X 1133(used)X 1300(for)X 1414(pre-authentication)X 2018(if)X 2087(desired,)X 2359(but)X 2481(the)X 2599(mechanism)X 2984(is)X 3057(not)X 3179(currently)X 3489(speci\256ed.)X 3 f 555 4268(2.1.1.)N 775(Generation)X 1182(of)X 1269(KRB_AS_REQ)X 1817(message)X 1 f 755 4392(The)N 904(client)X 1106(may)X 1268(specify)X 1524(a)X 1584(number)X 1853(of)X 1944(options)X 2203(in)X 2289(the)X 2411(initial)X 2621(request.)X 2917(Among)X 3181(these)X 3370(options)X 3629(are)X 3752(whether)X 555 4488(the)N 678(requested)X 1010(ticket)X 1212(is)X 1289(to)X 1375(be)X 1475(renewable,)X 1850(proxiable,)X 2197(or)X 2288(forwardable;)X 2723(whether)X 3006(it)X 3074(should)X 3311(be)X 3411(postdated)X 3742(or)X 3833(allow)X 555 4584(postdating)N 910(of)X 999(derivative)X 1342(tickets;)X 1594(and)X 1731(whether)X 2011(a)X 2068(renewable)X 2420(ticket)X 2619(will)X 2764(be)X 2861(accepted)X 3164(in)X 3247(lieu)X 3388(of)X 3476(a)X 3533(non-renewable)X 555 4680(ticket)N 777(if)X 870(the)X 1012(requested)X 1364(ticket)X 1586(expiration)X 1955(date)X 2133(cannot)X 2391(be)X 2511(satis\256ed)X 2817(by)X 2941(a)X 3021(non-renewable)X 3542(ticket)X 3763(\(due)X 3949(to)X 555 4776(con\256guration)N 1002(constraints;)X 1391(see)X 1514(section)X 1761(4\).)X 755 4900(The)N 912(client)X 1121(prepares)X 1425(the)X 1554(KRB_AS_REQ)X 2091(message)X 2394(containing)X 2763(a)X 2830(\256eld)X 3003(of)X 3101(desired)X 3364(options,)X 3650(the)X 3779(desired)X 555 4996(start)N 716(time)X 881(\(after)X 1078(which)X 1296(the)X 1416(ticket)X 1616(should)X 1851(be)X 1949(valid\),)X 2178(the)X 2298(desired)X 2552(expiration)X 
2899(time)X 3063(\(after)X 3260(which)X 3478(the)X 3598(ticket)X 3798(should)X 555 5092(be)N 651(invalid\),)X 940(the)X 1058(desired)X 1310(encryption)X 1673(type,)X 1851(the)X 1969(client's)X 2225(name,)X 2439(and)X 2575(the)X 2693(server's)X 2968(name,)X 3182(and)X 3318(sends)X 3516(it)X 3580(to)X 3662(the)X 3780(KDC.)X 8 s 10 f 555 5424(hhhhhhhhhhhhhhhhhh)N 1 f 555 5504(\262)N 604(The)X 720(password-changing)X 1233(request)X 1434(must)X 1576(not)X 1675(be)X 1752(honored)X 1977(unless)X 2153(the)X 2247(requester)X 2496(can)X 2600(provide)X 2811(the)X 2905(old)X 3003(password)X 3260(\(the)X 3375(user's)X 3543(current)X 555 5584(secret)N 725(key\).)X 892(Otherwise,)X 1192(it)X 1249(would)X 1430(be)X 1511(possible)X 1742(for)X 1837(someone)X 2085(to)X 2156(walk)X 2301(up)X 2386(to)X 2457(an)X 2538(unattended)X 2839(session)X 3045(and)X 3158(change)X 3359(another)X 3571(user's)X 555 5664(password.)N 10 s 555 6144(Section)N 815(2.1.1.)X 2216(-)X 2263(5)X 2323(-)X 6 p %%Page: 6 7 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 555 672(2.1.2.)N 775(Receipt)X 1054(of)X 1141(KRB_AS_REQ)X 1689(message)X 1 f 755 796(If)N 833(all)X 937(goes)X 1108(well,)X 1290(processing)X 1657(the)X 1779(KRB_AS_REQ)X 2309(message)X 2605(will)X 2753(result)X 2955(in)X 3041(the)X 3163(creation)X 3446(of)X 3536(a)X 3595(ticket)X 3796(for)X 3913(the)X 555 892(client)N 758(to)X 845(present)X 1102(to)X 1189(the)X 1312(server.)X 1574(The)X 1724(format)X 1963(for)X 2082(the)X 2205(ticket)X 2408(is)X 2486(described)X 2819(in)X 2906(section)X 3158(6.2.1.)X 3382(The)X 3531(contents)X 3822(of)X 3913(the)X 555 988(ticket)N 753(are)X 872(determined)X 1253(as)X 1340(follows.)X 3 f 555 1180(2.1.3.)N 775(Generation)X 1182(of)X 1269(KRB_AS_REP)X 1804(message)X 1 f 755 1304(The)N 901(authentication)X 1376(server)X 1594(looks)X 1788(up)X 1889(the)X 2007(client)X 2205(and)X 2341(server)X 2558(principals)X 2894(named)X 3128(in)X 3210(the)X 3328(KRB_AS_REQ)X 3854(in)X 3936(its)X 555 
1400(database,)N 873(extracting)X 1215(their)X 1382(respective)X 1728(keys.)X 1935(If)X 2009(the)X 2127(server)X 2344(cannot)X 2578(accommodate)X 3044(the)X 3162(requested)X 3490(encryption)X 3853(type,)X 555 1496(an)N 654(error)X 834(message)X 1129(with)X 1294(code)X 1469(KDC_ERR_ETYPE_NOSUPP)X 2491(is)X 2567(returned.)X 2898(Otherwise)X 3250(it)X 3316(generates)X 3642(a)X 3700("random")X 555 1592(session)N 806(key\262.)X 755 1716(If)N 832(the)X 953(requested)X 1283(start)X 1443(time)X 1607(is)X 1682(missing)X 1952(or)X 2041(indicates)X 2348(a)X 2406(time)X 2570(in)X 2654(the)X 2774(past,)X 2945(then)X 3105(the)X 3225(start)X 3385(time)X 3549(of)X 3638(the)X 3758(ticket)X 3958(is)X 555 1812(set)N 674(to)X 766(the)X 894(authentication)X 1378(server's)X 1663(current)X 1921(time.)X 2113(If)X 2197(it)X 2271(indicates)X 2586(a)X 2652(time)X 2824(in)X 2916(the)X 3044(future,)X 3286(but)X 3417(the)X 3544(POSTDATED)X 555 1908(option)N 788(has)X 924(not)X 1055(been)X 1236(speci\256ed,)X 1570(then)X 1737(the)X 1864(error)X 2049(KDC_ERR_CANNOT_POSTDATE)X 3264(is)X 3345(returned.)X 3681(Otherwise)X 555 2004(the)N 678(requested)X 1011(start)X 1174(time)X 1341(is)X 1419(checked)X 1708(against)X 1959(the)X 2081(policy)X 2305(of)X 2396(the)X 2518(local)X 2698(realm)X 2905(\(the)X 3054(administrator)X 3505(might)X 3715(decide)X 3949(to)X 555 2100(prohibit)N 841(certain)X 1093(types)X 1295(or)X 1395(ranges)X 1638(of)X 1738(postdated)X 2078(tickets\),)X 2367(and)X 2516(if)X 2598(acceptable,)X 2991(the)X 3122(ticket's)X 3391(start)X 3562(time)X 3737(is)X 3823(set)X 3944(as)X 555 2196(requested)N 884(and)X 1041(the)X 1160(INVALID)X 1516(\257ag)X 1657(is)X 1731(set)X 1841(in)X 1924(the)X 2043(new)X 2198(ticket.)X 2417(The)X 2563(postdated)X 2891(ticket)X 3090(must)X 3266(be)X 3363(validated)X 3678(before)X 3904(use)X 555 2292(by)N 655(presenting)X 1009(it)X 1073(to)X 1155(the)X 1273(KDC)X 1462(after)X 1630(the)X 1748(start)X 1906(time)X 2068(has)X 2195(been)X 2367(reached.)X 555 
2416(The)N 700(expiration)X 1045(time)X 1207(of)X 1294(the)X 1412(Ticket)X 1637(will)X 1781(be)X 1877(set)X 1986(to)X 2068(the)X 2186(minimum)X 2516(of)X 2603(the)X 2721(following:)X 10 f 555 2540(g)N 1 f 595(The)X 740(expiration)X 1085(time)X 1247(requested)X 1575(in)X 1657(the)X 1775(KRB_AS_REQ)X 2301(message.)X 10 f 555 2664(g)N 1 f 595(The)X 754(ticket's)X 1024(start)X 1196(time)X 1372(plus)X 1539(the)X 1671(maximum)X 2029(allowable)X 2375(lifetime)X 2658(associated)X 3022(with)X 3198(the)X 3330(client)X 3541(principal)X 3859(\(The)X 595 2760(authentication)N 1076(server's)X 1358(database)X 1662(includes)X 1956(a)X 2019(maximum)X 2370(ticket)X 2575(lifetime)X 2851(\256eld)X 3020(in)X 3109(each)X 3284(principal's)X 3654(record;)X 3908(see)X 595 2856(section)N 842(4\).)X 10 f 555 2980(g)N 1 f 595(The)X 740(ticket's)X 996(start)X 1154(time)X 1316(plus)X 1469(the)X 1587(maximum)X 1931(allowable)X 2263(lifetime)X 2532(associated)X 2882(with)X 3044(the)X 3162(server)X 3379(principal.)X 10 f 555 3104(g)N 1 f 595(The)X 740(ticket's)X 996(start)X 1154(time)X 1316(plus)X 1469(the)X 1587(lifetime)X 1856(set)X 1965(by)X 2065(the)X 2183(policy)X 2403(of)X 2490(the)X 2608(local)X 2784(realm.)X 755 3228(If)N 847(the)X 983(requested)X 1329(expiration)X 1692(time)X 1872(minus)X 2104(the)X 2239(start)X 2414(time)X 2593(\(as)X 2724(determined)X 3122(above\))X 3378(is)X 3468(less)X 3625(than)X 3800(a)X 3873(site-)X 555 3324(determined)N 937(minimum)X 1268(lifetime,)X 1558(an)X 1654(error)X 1831(message)X 2123(with)X 2285(code)X 2457(KDC_ERR_NEVER_VALID)X 3438(is)X 3511(returned.)X 3839(If)X 3913(the)X 555 3420(requested)N 926(expiration)X 1314(time)X 1519(for)X 1676(the)X 1836(ticket)X 2076(exceeds)X 2393(what)X 2611(was)X 2798(determined)X 3221(as)X 3350(above,)X 3624(and)X 3802(if)X 3913(the)X 555 3516("RENEWABLE-OK")N 1281(option)X 1508(was)X 1655(requested,)X 2005(then)X 2165(the)X 2285("RENEWABLE")X 2867(\257ag)X 3009(is)X 3084(set)X 3195(in)X 3279(the)X 3399(new)X 
3555(ticket,)X 3775(and)X 3913(the)X 3 f 555 3612(renew-till)N 1 f 915(value)X 1119(is)X 1202(set)X 1321(as)X 1418(if)X 1497(the)X 1625("RENEWABLE")X 2215(option)X 2449(were)X 2636(requested)X 2974(\(the)X 3129(\256eld)X 3300(and)X 3445(option)X 3678(names)X 3912(are)X 555 3708(described)N 883(fully)X 1054(in)X 1136(section)X 1383(5\).)X 755 3832(If)N 831(the)X 951(RENEWABLE)X 1467(option)X 1693(has)X 1822(been)X 1995(requested)X 2324(or)X 2412(if)X 2482(the)X 2601(RENEWABLE-OK)X 3259(option)X 3484(has)X 3612(been)X 3785(set)X 3895(and)X 555 3928(a)N 611(renewable)X 962(ticket)X 1160(is)X 1233(to)X 1315(be)X 1411(issued,)X 1651(then)X 1809(the)X 3 f 1927(renew-till)X 1 f 2277(\256eld)X 2439(is)X 2512(set)X 2621(to)X 2703(the)X 2821(minimum)X 3151(of:)X 10 f 555 4052(g)N 1 f 595(Its)X 695(requested)X 1023(value.)X 10 f 555 4176(g)N 1 f 595(The)X 748(start)X 914(time)X 1084(of)X 1178(the)X 1303(ticket)X 1508(plus)X 1668(the)X 1793(minimum)X 2130(of)X 2224(the)X 2349(two)X 2496(maximum)X 2847(renewable)X 3205(lifetimes)X 3512(associated)X 3869(with)X 595 4272(the)N 713(principals')X 1076(database)X 1373(entries.)X 10 f 555 4396(g)N 1 f 595(The)X 740(start)X 898(time)X 1060(of)X 1147(the)X 1265(ticket)X 1463(plus)X 1616(the)X 1734(maximum)X 2078(renewable)X 2429(lifetime)X 2698(set)X 2807(by)X 2907(the)X 3025(policy)X 3245(of)X 3332(the)X 3450(local)X 3626(realm.)X 755 4520(The)N 901(\257ags)X 1073(\256eld)X 1236(of)X 1324(the)X 1443(new)X 1598(ticket)X 1797(will)X 1942(have)X 2114(the)X 2232(following)X 2563(options)X 2818(set)X 2927(if)X 2996(they)X 3154(have)X 3326(been)X 3498(requested)X 3826(and)X 3962(if)X 555 4616(the)N 676(policy)X 899(of)X 989(the)X 1110(local)X 1289(realm)X 1495(allows:)X 1749(DUPLICATE-SKEY,)X 2473(FORWARDABLE,)X 3124(MAY-POSTDATE,)X 3789(POST-)X 555 4712(DATED,)N 874(PROXIABLE,)X 1370(RENEWABLE.)X 1911(If)X 1992(the)X 2117(new)X 2278(ticket)X 2483(is)X 2563(postdated)X 2897(\(the)X 3048(start)X 3212(time)X 3380(is)X 3459(in)X 3547(the)X 
3671(future\),)X 3936(its)X 555 4808(INVALID)N 910(\257ag)X 1050(will)X 1194(also)X 1343(be)X 1439(set.)X 755 4932(If)N 834(all)X 939(of)X 1031(the)X 1154(above)X 1371(succeed,)X 1671(the)X 1794(server)X 2016(formats)X 2286(a)X 2347(KRB_AS_REP)X 2864(message)X 3161(\(see)X 3316(section)X 3568(6.3\),)X 3739(encrypts)X 555 5028(the)N 673(ciphertext)X 1014(part)X 1159(in)X 1241(the)X 1359(client's)X 1615(key)X 1751(using)X 1944(the)X 2062(requested)X 2390(encryption)X 2753(method,)X 3033(and)X 3169(sends)X 3367(it)X 3431(to)X 3513(the)X 3631(client.)X 8 s 10 f 555 5344(hhhhhhhhhhhhhhhhhh)N 1 f 555 5424(\262)N 606("Random")X 894(means)X 1076(that,)X 1207(among)X 1400(other)X 1550(things,)X 1742(it)X 1797(should)X 1987(be)X 2066(impossible)X 2362(to)X 2430(guess)X 2590(the)X 2686(next)X 2814(session)X 3017(key)X 3127(based)X 3290(on)X 3372(knowledge)X 3670(of)X 555 5504(past)N 678(session)X 883(keys.)X 1052(This)X 1186(can)X 1294(only)X 1428(be)X 1508(achieved)X 1753(in)X 1822(a)X 1869(pseudo-random)X 2285(number)X 2499(generator)X 2758(if)X 2816(it)X 2871(is)X 2933(based)X 3097(on)X 3180(cryptographic)X 3553(princi-)X 555 5584(ples.)N 710(It)X 769(would)X 949(be)X 1029(more)X 1180(desirable)X 1430(to)X 1500(use)X 1605(a)X 1653(truly)X 1794(random)X 2009(number)X 2224(generator,)X 2500(such)X 2637(as)X 2710(one)X 2822(based)X 2987(on)X 3071(measurements)X 3456(of)X 3528(random)X 555 5664(physical)N 784(phenomena.)X 10 s 555 6144(Section)N 815(2.1.3.)X 2216(-)X 2263(6)X 2323(-)X 7 p %%Page: 7 8 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 555 672(2.1.4.)N 775(Generation)X 1182(of)X 1269(KRB_ERROR)X 1791(message)X 1 f 755 796(Several)N 1030(errors)X 1252(can)X 1398(occur,)X 1630(and)X 1779(the)X 1910(Authentication)X 2419(Server)X 2662(responds)X 2980(by)X 3093(returning)X 3420(an)X 3529(error)X 3719(message,)X 555 892(KRB_ERROR,)N 1065(to)X 1147(the)X 1265(client.)X 1503(The)X 1648(error)X 1825(message)X 2117(contents)X 2404(and)X 2540(details)X 
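The start, expiration and renew-till rules of section 2.1.3 carried through in code, as an added example that is not part of the draft. Times are plain integers (seconds), the Principal, RealmPolicy and AsRequest records and the rtime and allow_postdated names are constructed stand-ins, and the error code raised when realm policy rejects a postdated start is a placeholder because the draft names none.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set

# Flags the draft says are copied into the ticket when requested and permitted.
COPIED_FLAGS = ("DUPLICATE-SKEY", "FORWARDABLE", "MAY-POSTDATE",
                "POSTDATED", "PROXIABLE", "RENEWABLE")


@dataclass
class Principal:
    """Constructed stand-in for a KDC database record (draft section 4)."""
    name: str
    max_life: int            # maximum ticket lifetime, seconds
    max_renewable_life: int  # maximum renewable lifetime, seconds


@dataclass
class RealmPolicy:
    max_life: int
    max_renewable_life: int
    min_life: int                  # site-determined minimum lifetime
    allowed_flags: FrozenSet[str]
    allow_postdated: bool = True   # hypothetical knob for the "checked against policy" step


@dataclass
class AsRequest:
    options: FrozenSet[str]
    till: int                      # requested expiration time
    start: Optional[int] = None    # requested start time (None = missing)
    rtime: Optional[int] = None    # requested renew-till (hypothetical field name)


@dataclass
class Ticket:
    start: int
    end: int
    flags: Set[str] = field(default_factory=set)
    renew_till: Optional[int] = None


class KdcError(Exception):
    """Raised with the KDC_ERR_* code the draft names for the failing check."""


def issue_ticket(req, client, server, policy, now):
    # Start time: missing or past -> the KDC's clock; a future start needs POSTDATED.
    if req.start is None or req.start <= now:
        start, postdated = now, False
    elif "POSTDATED" not in req.options:
        raise KdcError("KDC_ERR_CANNOT_POSTDATE")
    elif not policy.allow_postdated:
        raise KdcError("POSTDATE_REJECTED_BY_POLICY")  # placeholder: draft names no code
    else:
        start, postdated = req.start, True

    # Expiration: the minimum of the four candidates the draft lists.
    end = min(req.till,
              start + client.max_life,
              start + server.max_life,
              start + policy.max_life)
    # The draft compares the *requested* expiration against the minimum lifetime.
    if req.till - start < policy.min_life:
        raise KdcError("KDC_ERR_NEVER_VALID")

    flags = {f for f in COPIED_FLAGS
             if f in req.options and f in policy.allowed_flags}
    if postdated:
        flags.add("INVALID")   # must be validated at the KDC once start has passed

    # RENEWABLE-OK: the caller accepts a renewable ticket when the requested
    # expiration could not be granted outright.  Assumed here: with no explicit
    # rtime the requested end time serves as the requested renew-till.
    requested_renew_till = req.rtime if req.rtime is not None else req.till
    if (req.till > end and "RENEWABLE-OK" in req.options
            and "RENEWABLE" in policy.allowed_flags):
        flags.add("RENEWABLE")

    renew_till = None
    if "RENEWABLE" in flags:
        renew_till = min(requested_renew_till,
                         start + min(client.max_renewable_life,
                                     server.max_renewable_life),
                         start + policy.max_renewable_life)
    return Ticket(start, end, flags, renew_till)


# Constructed sample realm, principals and clock for trying the rules out.
POLICY = RealmPolicy(max_life=10 * 3600, max_renewable_life=7 * 86400,
                     min_life=300, allowed_flags=frozenset(COPIED_FLAGS))
ALICE = Principal("alice", max_life=10 * 3600, max_renewable_life=7 * 86400)
TGS = Principal("krbtgt", max_life=8 * 3600, max_renewable_life=3 * 86400)
NOW = 1000


def issue_or_code(req):
    """Return the issued Ticket, or the KDC_ERR_* code as a string."""
    try:
        return issue_ticket(req, ALICE, TGS, POLICY, NOW)
    except KdcError as exc:
        return str(exc)
```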
2.1.4. Generation of KRB_ERROR message

Several errors can occur, and the Authentication Server responds by returning an error message, KRB_ERROR, to the client. The error message contents and details are described in Section 6.7.

2.1.5. Receipt of KRB_AS_REP message

If the reply message type is KRB_AS_REP, then the client verifies that the cname and crealm fields in the cleartext portion of the reply match what it requested. It decrypts the encrypted part of the response using its secret key, and verifies that the nonce in the resp_cipher matches the nonce it supplied in its request (to prevent replays). It also verifies that the sname and srealm in the response match those in the request, and that the host address field is also correct. It then stores the ticket, session key, start and expiration times, and other information for later use. The key-exp field from the resp-cipher may be checked to notify the user of impending key expiration (the client program could then suggest remedial action, such as a password change).
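The client-side checks of section 2.1.5 run over a constructed KRB_AS_REQ/KRB_AS_REP pair, as an added example that is not code from the draft. The seal/unseal routine is a toy stand-in (SHA-256 keystream plus an HMAC tag) used only so that a reply sealed under another key, or tampered with, fails to decrypt; it is none of the draft's encryption types, and the enc_part, caddr, addresses, starttime and endtime field names are this example's own.

```python
import hashlib
import hmac
import json
import os


def _keystream(key, iv, n):
    """SHA-256 in counter mode; part of the toy cipher, not a Kerberos etype."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key, fields):
    """Toy stand-in for 'encrypted in the client's key': iv || ciphertext || tag."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    iv = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def unseal(key, blob):
    iv, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong key or tampered reply")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, iv, len(ciphertext))))
    return json.loads(plaintext)


class AsRepError(Exception):
    pass


def verify_as_rep(req, rep, client_key, now, key_warn_window=7 * 86400):
    """Apply the section 2.1.5 checks; return the credentials to cache."""
    # 1. The cleartext cname/crealm must be the ones the client asked for.
    if (rep["cname"], rep["crealm"]) != (req["cname"], req["crealm"]):
        raise AsRepError("cname/crealm do not match the request")
    # 2. Decrypt the encrypted part with the client's secret key.
    try:
        enc = unseal(client_key, rep["enc_part"])
    except ValueError as exc:
        raise AsRepError(str(exc)) from exc
    # 3. The nonce must equal the one sent in KRB_AS_REQ (replay detection).
    if enc["nonce"] != req["nonce"]:
        raise AsRepError("nonce mismatch: reply does not answer this request")
    # 4. sname/srealm and the host address field must also match the request.
    if (enc["sname"], enc["srealm"]) != (req["sname"], req["srealm"]):
        raise AsRepError("sname/srealm do not match the request")
    if enc["caddr"] != req["addresses"]:
        raise AsRepError("host address field does not match the request")
    # 5. Keep what is needed later; flag impending secret-key expiration (key-exp).
    return {"ticket": rep["ticket"], "session_key": enc["key"],
            "start": enc["starttime"], "end": enc["endtime"],
            "key_expiring": enc["key_exp"] - now <= key_warn_window}


def try_verify(req, rep, client_key, now):
    """Return ("ok", credentials) or ("error", reason)."""
    try:
        return "ok", verify_as_rep(req, rep, client_key, now)
    except AsRepError as exc:
        return "error", str(exc)


# Constructed client key (in Kerberos it would be derived from the password).
CLIENT_KEY = b"alice-secret-key-derived-from-password"


def build_sample(reply_key, reply_nonce):
    """Constructed KRB_AS_REQ and KRB_AS_REP; reply_key/reply_nonce let a
    caller simulate a reply sealed under the wrong key or answering another request."""
    req = {"cname": "alice", "crealm": "EXAMPLE.TEST",
           "sname": "krbtgt", "srealm": "EXAMPLE.TEST",
           "nonce": 0x2A2A, "addresses": ["10.0.0.5"]}
    enc_part = {"nonce": reply_nonce, "sname": "krbtgt", "srealm": "EXAMPLE.TEST",
                "caddr": ["10.0.0.5"], "key": "constructed-session-key",
                "starttime": 1000, "endtime": 37000, "key_exp": 1000 + 3 * 86400}
    rep = {"cname": "alice", "crealm": "EXAMPLE.TEST",
           "ticket": "<opaque ticket sealed in the server's key>",
           "enc_part": seal(reply_key, enc_part)}
    return req, rep
```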
2.1.6. Receipt of KRB_ERROR message

If the reply message type is KRB_ERROR, then the client interprets it as an error and performs whatever application-specific tasks are necessary to recover.

2.2. The Client/Server (CS) Authentication Exchange

This exchange is used by network applications to authenticate the client to the server and vice versa. The client must have already acquired credentials for the server using the AS or TGS exchange. The formats for the messages described in this section can be found in section 6.4.

2.2.1. The KRB_AP_REQ message

The KRB_AP_REQ contains authentication information which should be part of the first message in an authenticated transaction. It contains a ticket, an authenticator, and some additional bookkeeping information (see section 6.4 for the exact format). The KRB_AP_REQ message is referred to elsewhere as the authentication header.

2.2.2. Generation of a KRB_AP_REQ message

When a client wishes to initiate authentication to a server it obtains (either through a cache, the AS exchange, or the TGS exchange) a ticket and session key for the desired service. It then constructs a new Authenticator from the system time, its name, the network address in use, and possibly an application specific checksum. The Authenticator is then encrypted in the session key and combined with the ticket to form the KRB_AP_REQ message which is then sent to the end server along with any additional application specific information.

2.2.3. Receipt of KRB_AP_REQ message

Authentication is based on the server's current time of day (clocks must be loosely synchronized), the authenticator, and the ticket. Several errors are possible. If an error occurs, the server is expected to reply to the client with a KRB_ERROR message. This message must be encapsulated in the application protocol if its "raw" form is not acceptable to the protocol. The format of error messages is described in section 6.7.

The algorithm for verifying authentication information is as follows. If the message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket in the KRB_AP_REQ is not one the server can use (e.g., it is an old key, and the server no longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION-KEY flag is set in the ap-options field, it indicates to the server that the ticket is encrypted in the session key from the server's ticket-granting ticket rather than its secret key. Since it is possible for the server to be registered in multiple realms, with different keys in each, the srealm field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to specify which secret key the server should use
3949(to)X 555 5792(decrypt)N 830(that)X 984(ticket.)X 1236(The)X 1395(KRB_AP_ERR_NOKEY)X 2251(error)X 2442(code)X 2628(is)X 2715(returned)X 3016(if)X 3098(the)X 3229(server)X 3459(doesn't)X 3728(have)X 3913(the)X 555 6144(Section)N 815(2.2.3.)X 2216(-)X 2263(7)X 2323(-)X 8 p %%Page: 8 9 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 555 672(proper)N 785(key)X 921(to)X 1003(decipher)X 1300(the)X 1418(ticket.)X 755 796(The)N 902(ticket)X 1102(is)X 1177(decrypted)X 1516(using)X 1711(the)X 1831(version)X 2089(of)X 2177(the)X 2296(server's)X 2572(key)X 2709(speci\256ed)X 3015(by)X 3116(the)X 3235(ticket.)X 3474(If)X 3549(the)X 3668(decryption)X 555 892(indicates)N 872(a)X 939(failed)X 1153(integrity)X 1455(check,)X 1694(the)X 1823(KRB_AP_BAD_INTEGRITY)X 2837(error)X 3025(is)X 3109(returned)X 3408(\(chances)X 3721(are)X 3851(good)X 555 988(that)N 695(different)X 992(keys)X 1159(were)X 1336(used)X 1503(to)X 1585(encrypt)X 1846(and)X 1982(decrypt\).)X 755 1112(The)N 905(authenticator)X 1349(is)X 1427(decrypted)X 1769(using)X 1967(the)X 2089(session)X 2344(key)X 2484(extracted)X 2803(from)X 2983(the)X 3105(decrypted)X 3446(ticket.)X 3688(The)X 3837(name)X 555 1208(and)N 699(realm)X 910(of)X 1005(the)X 1131(client)X 1337(from)X 1521(the)X 1646(ticket)X 1851(are)X 1977(compared)X 2321(against)X 2575(the)X 2700(same)X 2892(\256elds)X 3092(in)X 3181(the)X 3306(authenticator.)X 3792(If)X 3873(they)X 555 1304(don't)N 745(match,)X 982(the)X 1101(KRB_AP_ERR_BADMATCH)X 2121(error)X 2299(is)X 2373(returned)X 2662(\(they)X 2848(might)X 3055(not)X 3178(match,)X 3415(for)X 3530(example,)X 3843(if)X 3913(the)X 555 1400(wrong)N 791(session)X 1053(key)X 1200(was)X 1356(used)X 1534(to)X 1627(encrypt)X 1899(the)X 2028(authenticator\).)X 2544(The)X 2699(addresses)X 3037(in)X 3129(the)X 3257(ticket)X 3465(\(if)X 3571(any\))X 3744(are)X 3873(then)X 555 1496(searched)N 858(for)X 973(an)X 1070(address)X 1332(matching)X 1651(the)X 1770(operating-system)X 2343(reported)X 
2632(address)X 2894(of)X 2982(the)X 3101(client.)X 3340(If)X 3415(no)X 3515(match)X 3731(is)X 3804(found,)X 555 1592(the)N 673(KRB_AP_ERR_BADADDR)X 1630(error)X 1807(is)X 1880(returned.)X 755 1716(If)N 837(the)X 963(local)X 1147(\(server\))X 1426(time)X 1596(and)X 1740(the)X 1866(client)X 2072(time)X 2242(in)X 2332(the)X 2458(authenticator)X 2904(differ)X 3110(by)X 3217(more)X 3409(than)X 3574(the)X 3699(allowable)X 555 1812(clock)N 754(skew)X 944(\(e.g.,)X 1132(5)X 1197(minutes\),)X 1522(the)X 1645(KRB_AP_ERR_SKEW)X 2438(error)X 2619(is)X 2696(returned.)X 3028(If)X 3106(the)X 3228(server)X 3449(name,)X 3667(along)X 3869(with)X 555 1908(the)N 681(client)X 887(name,)X 1109(time)X 1279(and)X 1423(millisecond)X 1824(\256elds)X 2025(from)X 2209(the)X 2335(Authenticator)X 2804(match)X 3027(any)X 3170(recently-seen)X 3626(such)X 3800(tuples,)X 555 2004(the)N 682(KRB_AP_ERR_REPEAT)X 1554(error)X 1740(is)X 1821(returned\262.)X 2197(The)X 2350(server)X 2575(must)X 2758(remember)X 3112(any)X 3256(authenticator)X 3703(presented)X 555 2100(within)N 780(the)X 899(allowable)X 1232(clock)X 1427(skew,)X 1633(so)X 1725(that)X 1866(a)X 1923(replay)X 2145(attempt)X 2405(is)X 2478(guaranteed)X 2851(to)X 2933(fail.)X 3100(If)X 3174(a)X 3230(server)X 3447(loses)X 3627(track)X 3808(of)X 3895(any)X 555 2196(authenticator)N 1005(presented)X 1344(within)X 1578(the)X 1706(allowable)X 2048(clock)X 2252(skew,)X 2467(it)X 2541(must)X 2726(reject)X 2935(all)X 3045(requests)X 3338(until)X 3514(the)X 3642(clock)X 3846(skew)X 555 2292(interval)N 829(has)X 965(passed.)X 1248(This)X 1419(assures)X 1680(that)X 1829(any)X 1974(lost)X 2118(or)X 2214(re-played)X 2547(authenticators)X 3026(will)X 3179(fall)X 3314(outside)X 3573(the)X 3699(allowable)X 555 2388(clock)N 755(skew)X 946(and)X 1088(can)X 1226(no)X 1332(longer)X 1563(be)X 1665(successfully)X 2083(replayed)X 2386(\(If)X 2493(this)X 2633(is)X 2711(not)X 2838(done,)X 3039(an)X 3140(attacker)X 3420(could)X 3623(conceivably)X 555 2484(record)N 
785(the)X 907(ticket)X 1109(and)X 1249(authenticator)X 1692(sent)X 1845(over)X 2012(the)X 2134(network)X 2421(to)X 2507(a)X 2567(server,)X 2807(then)X 2968(disable)X 3218(the)X 3339(client's)X 3598(host,)X 3774(pose)X 3944(as)X 555 2580(the)N 673(disabled)X 960(host,)X 1133(and)X 1269(replay)X 1490(the)X 1608(ticket)X 1806(and)X 1942(authenticator)X 2381(to)X 2463(subvert)X 2719(the)X 2837(authentication.\).)X 755 2704(The)N 907(age)X 1046(of)X 1140(the)X 1265(ticket)X 1470(is)X 1550(computed:)X 1915(local)X 2098(\(server\))X 2376(time)X 2544(minus)X 2765(the)X 2889(start)X 3053(time)X 3221(inside)X 3438(the)X 3562(Ticket.)X 3833(If)X 3913(the)X 555 2800(start)N 768(time)X 985(is)X 1113(later)X 1331(than)X 1544(the)X 1717(current)X 2020(time)X 2237(by)X 2392(more)X 2632(than)X 2845(the)X 3018(allowable)X 3405(clock)X 3654(skew,)X 3913(the)X 555 2896(KRB_AP_ERR_TKT_NYV)N 1488(error)X 1667(is)X 1742(returned.)X 2072(Otherwise,)X 2444(if)X 2515(the)X 2635(current)X 2885(time)X 3048(is)X 3122(later)X 3286(than)X 3445(end)X 3582(time)X 3745(by)X 3846(more)X 555 2992(than)N 713(the)X 831(allowable)X 1163(clock)X 1357(skew,)X 1562(the)X 1680(KRB_AP_ERR_TKT_EXPIRED)X 2775(error)X 2952(is)X 3025(returned.)X 755 3116(If)N 830(all)X 931(these)X 1117(checks)X 1357(succeed)X 1633(without)X 1898(an)X 1995(error,)X 2193(the)X 2312(server)X 2530(is)X 2604(assured)X 2866(that)X 3007(the)X 3126(client)X 3324(possesses)X 3651(the)X 3769(creden-)X 555 3212(tials)N 708(of)X 795(the)X 913(principal)X 1218(named)X 1452(in)X 1534(the)X 1652(ticket)X 1850(and)X 1986(thus,)X 2159(the)X 2277(client)X 2475(has)X 2602(been)X 2774(authenticated)X 3222(to)X 3304(the)X 3422(server.)X 3 f 555 3432(2.2.4.)N 775(Generation)X 1182(of)X 1269(a)X 1329(KRB_AP_REP)X 1869(message)X 1 f 755 3556(Typically,)N 1105(a)X 1164(client's)X 1423(request)X 1678(will)X 1825(include)X 2084(both)X 2249(the)X 2370(authentication)X 2847(information)X 3248(and)X 3387(its)X 3485(initial)X 3694(request)X 3949(in)X 555 
3652(the)N 685(same)X 882(message,)X 1206(and)X 1354(the)X 1484(server)X 1713(need)X 1897(not)X 2031(explicitly)X 2365(reply)X 2562(to)X 2656(the)X 2786(KRB_AP_REQ.)X 3363(However,)X 3709(if)X 3789(mutual)X 555 3748(authentication)N 1030(\(not)X 1180(only)X 1343(authenticating)X 1818(the)X 1937(client)X 2136(to)X 2219(the)X 2338(server,)X 2576(but)X 2699(also)X 2849(the)X 2968(server)X 3185(to)X 3267(the)X 3385(client\))X 3610(is)X 3683(being)X 3881(per-)X 555 3844(formed,)N 837(the)X 965(KRB_AP_REQ)X 1501(message)X 1803(will)X 1957(have)X 2139(MUTUAL-REQUIRED)X 2944(set)X 3063(in)X 3155(its)X 3259(ap_options)X 3639(\256eld,)X 3830(and)X 3975(a)X 555 3940(KRB_AP_REP)N 1068(message)X 1361(is)X 1435(required)X 1724(in)X 1807(response.)X 2149(As)X 2258(with)X 2420(the)X 2538(error)X 2715(message,)X 3027(this)X 3162(message)X 3454(must)X 3629(be)X 3725(encapsu-)X 555 4036(lated)N 733(in)X 817(the)X 937(application)X 1314(protocol)X 1602(if)X 1672(its)X 1768("raw")X 1976(form)X 2153(is)X 2227(not)X 2350(acceptable)X 2711(to)X 2794(the)X 2913(protocol.)X 3241(The)X 3387(timestamp)X 3741(and)X 3878(mil-)X 555 4132(lisecond)N 852(\256eld)X 1024(used)X 1201(in)X 1293(the)X 1421(reply)X 1616(must)X 1801(be)X 1907(the)X 2035(client's)X 2301(timestamp)X 2664(and)X 2810(millisecond)X 3213(\256eld)X 3385(\(as)X 3508(provided)X 3822(in)X 3913(the)X 555 4228(authenticator\)\263.)N 1116(The)X 1276(timestamp)X 1644(and)X 1795(millisecond)X 2203(\256eld)X 2379(of)X 2480(the)X 2612(message)X 2918(are)X 3051(encrypted)X 3402(in)X 3498(the)X 3630(session)X 3895(key)X 555 4324(extracted)N 870(from)X 1046(the)X 1164(ticket.)X 755 4448(With)N 940(both)X 1107(the)X 1230(one-way)X 1532(and)X 1673(mutual)X 1920(authentication)X 2399(exchanges,)X 2779(the)X 2902(peers)X 3097(should)X 3335(take)X 3493(care)X 3652(not)X 3778(to)X 3864(send)X 555 4544(sensitive)N 855(information)X 1253(to)X 1335(each)X 1503(other)X 1688(without)X 1952(proper)X 2182(protection)X 2527(\(e.g.)X 2690(encryption\).)X 
3 f 555 4736(2.2.5.)N 775(Receipt)X 1054(of)X 1141(KRB_AP_REP)X 1681(message)X 1 f 755 4860(If)N 834(a)X 895(KRB_AP_REP)X 1412(message)X 1709(is)X 1787(returned,)X 2100(the)X 2223(client)X 2426(uses)X 2589(the)X 2711(session)X 2966(key)X 3106(to)X 3192(decrypt)X 3457(the)X 3579(message,)X 3895(and)X 555 4956(veri\256es)N 819(that)X 966(the)X 1091(timestamp)X 1451(and)X 1594(msec)X 1786(\256elds)X 1986(match)X 2209(those)X 2405(in)X 2494(the)X 2619(Authenticator)X 3087(it)X 3158(sent)X 3314(to)X 3403(the)X 3528(server.)X 3792(If)X 3873(they)X 555 5052(match,)N 791(then)X 949(the)X 1067(client)X 1265(is)X 1338(assured)X 1599(that)X 1739(the)X 1857(server)X 2074(is)X 2147(genuine.)X 8 s 10 f 555 5184(hhhhhhhhhhhhhhhhhh)N 1 f 555 5264(\262Note)N 730(that)X 845(the)X 942(rejection)X 1184(here)X 1312(is)X 1374(restricted)X 1630(to)X 1699(authenticators)X 2076(from)X 2219(the)X 2316(same)X 2466(principal)X 2712(to)X 2780(the)X 2876(same)X 3025(server.)X 3230(Other)X 3393(client)X 3553(princi-)X 555 5344(pals)N 682(communicating)X 1104(with)X 1242(the)X 1344(same)X 1499(server)X 1678(principal)X 1929(should)X 2124(not)X 2230(be)X 2313(have)X 2456(their)X 2596(authenticators)X 2977(rejected)X 3201(if)X 3263(the)X 3364(time)X 3501(and)X 3616(mil-)X 555 5424(lisecond)N 784(\256elds)X 939(happen)X 1139(to)X 1205(match)X 1377(some)X 1528(other)X 1675(client's)X 1879(authenticator.)X 555 5504(\263In)N 659(the)X 756(Kerberos)X 1008(version)X 1215(4)X 1266(protocol,)X 1514(the)X 1611(timestamp)X 1897(in)X 1966(the)X 2063(reply)X 2212(was)X 2329(the)X 2425(client's)X 2631(timestamp)X 2916(plus)X 3041(one.)X 3183(This)X 3315(is)X 3376(not)X 3476(necessary)X 555 5584(in)N 622(version)X 827(5)X 876(because)X 1094(version)X 1299(5)X 1348(messages)X 1606(are)X 1700(formatted)X 1965(in)X 2032(such)X 2166(a)X 2211(way)X 2334(that)X 2447(it)X 2500(is)X 2560(not)X 2658(possible)X 2884(to)X 2950(extract)X 3139(the)X 3233(timestamp)X 3516(\(even)X 3673(in)X 555 5664(encrypted)N 822(form\))X 
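The checks of section 2.2.3 and the mutual-authentication reply of sections 2.2.4 and 2.2.5, as an added worked example in Python that is not part of the draft: every principal name, key, address and time is constructed, and encryption is only simulated by tagging each sealed part with its key rather than actually performed.

```python
"""Server-side KRB_AP_REQ checks and the KRB_AP_REP reply (draft sections 2.2.3-2.2.5).
Constructed example; encryption is simulated: each "encrypted" part is a Sealed object tagged
with the key it was sealed under, and a key mismatch stands for a failed integrity check."""
from dataclasses import dataclass

CLOCK_SKEW = 5 * 60   # allowable clock skew in seconds (the draft's example value)

@dataclass
class Sealed:
    key: str     # key the part was sealed under (simulation of encryption)
    body: dict   # what the real protocol would reveal after decryption

@dataclass
class Ticket:
    srealm: str   # cleartext: selects which of the server's secret keys to use
    kvno: int     # cleartext: version of that key
    enc: Sealed   # cname, crealm, session_key, start, end, addresses

@dataclass
class ApReq:
    msg_type: str
    ap_options: frozenset
    ticket: Ticket
    authenticator: Sealed   # cname, crealm, ctime, cusec, sealed in the session key

def open_sealed(sealed, key):
    """Simulated decryption: None stands for a failed integrity check."""
    return sealed.body if sealed.key == key else None

class ApServer:
    def __init__(self, name, keys, now):
        self.name = name   # server principal, part of the replay-cache tuple
        self.keys = keys   # {(realm, kvno): secret key}
        self.now = now     # server clock, injected so the checks are testable
        self.seen = {}     # replay cache: (server, cname, crealm, ctime, cusec) -> ctime

    def verify(self, req, client_addr):
        """Run the checks of 2.2.3 in the draft's order; return (error_code, ap_rep)."""
        if req.msg_type != "KRB_AP_REQ":
            return "KRB_AP_ERR_MSG_TYPE", None
        tkt = req.ticket
        realm_keys = {kv: k for (realm, kv), k in self.keys.items() if realm == tkt.srealm}
        if not realm_keys:                 # no key at all for the realm named in srealm
            return "KRB_AP_ERR_NOKEY", None
        if tkt.kvno not in realm_keys:     # e.g. an old key the server no longer holds
            return "KRB_AP_ERR_BADKEYVER", None
        t = open_sealed(tkt.enc, realm_keys[tkt.kvno])
        if t is None:
            return "KRB_AP_BAD_INTEGRITY", None
        a = open_sealed(req.authenticator, t["session_key"])
        # With a wrong session key the real decryption yields garbage that cannot match.
        if a is None or (a["cname"], a["crealm"]) != (t["cname"], t["crealm"]):
            return "KRB_AP_ERR_BADMATCH", None
        if t["addresses"] and client_addr not in t["addresses"]:
            return "KRB_AP_ERR_BADADDR", None
        if abs(a["ctime"] - self.now) > CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW", None
        # Entries older than the skew window can no longer be replayed, so drop them first.
        self.seen = {k: ct for k, ct in self.seen.items() if self.now - ct <= CLOCK_SKEW}
        tup = (self.name, a["cname"], a["crealm"], a["ctime"], a["cusec"])
        if tup in self.seen:
            return "KRB_AP_ERR_REPEAT", None
        if t["start"] - self.now > CLOCK_SKEW:
            return "KRB_AP_ERR_TKT_NYV", None
        if self.now - t["end"] > CLOCK_SKEW:
            return "KRB_AP_ERR_TKT_EXPIRED", None
        self.seen[tup] = a["ctime"]        # remember the authenticator within the skew window
        # 2.2.4: the reply echoes the client's ctime/cusec, sealed in the session key.
        rep = Sealed(t["session_key"], {"ctime": a["ctime"], "cusec": a["cusec"]})
        return None, rep if "MUTUAL-REQUIRED" in req.ap_options else None

def client_accepts_ap_rep(rep, session_key, ctime, cusec):
    """2.2.5: open the reply with the session key and compare the echoed fields."""
    body = open_sealed(rep, session_key)
    return body is not None and (body["ctime"], body["cusec"]) == (ctime, cusec)

def make_req(session_key="sk-1", auth_key=None, srealm="EXAMPLE.ORG", kvno=2,
             ticket_key="srv-key-v2", ctime=1_000_000, cusec=4242,
             start=999_000, end=1_030_000, options=("MUTUAL-REQUIRED",)):
    """Constructed KRB_AP_REQ from alice@EXAMPLE.ORG (all names and keys are made up)."""
    tkt = Ticket(srealm, kvno, Sealed(ticket_key, {
        "cname": "alice", "crealm": "EXAMPLE.ORG", "session_key": session_key,
        "start": start, "end": end, "addresses": ["10.0.0.5"]}))
    auth = Sealed(auth_key or session_key,
                  {"cname": "alice", "crealm": "EXAMPLE.ORG", "ctime": ctime, "cusec": cusec})
    return ApReq("KRB_AP_REQ", frozenset(options), tkt, auth)

def demo():
    """Drive one server through the outcomes of 2.2.3; returns labels for the assertions."""
    srv = ApServer("host/app.example.org", {("EXAMPLE.ORG", 2): "srv-key-v2"}, now=1_000_010)
    out = {}
    err, rep = srv.verify(make_req(), "10.0.0.5")
    out["fresh"] = err
    out["mutual_ok"] = client_accepts_ap_rep(rep, "sk-1", 1_000_000, 4242)
    out["replay"] = srv.verify(make_req(), "10.0.0.5")[0]       # identical tuple again
    out["skew"] = srv.verify(make_req(ctime=996_000), "10.0.0.5")[0]
    out["nokey"] = srv.verify(make_req(srealm="OTHER.ORG"), "10.0.0.5")[0]
    out["badmatch"] = srv.verify(make_req(auth_key="sk-2", cusec=2), "10.0.0.5")[0]
    out["expired"] = srv.verify(make_req(cusec=3, end=996_000), "10.0.0.5")[0]
    return out
```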
2.2.6. Using the encryption key

After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server share an encryption key which can be used by the application. In some cases, the use of this key will be implicit in the protocol; in others the method of use must be chosen from a vast array of alternatives. We leave the protocol negotiations of how to use the key (e.g. selecting an encryption or checksum type) to the application programmer; the Kerberos protocol does not constrain the implementation options.

2.3. The Ticket-Granting Service (TGS) Exchange

The TGS exchange between a client and the Kerberos Ticket-Granting Server is initiated by a client when it wishes to obtain authentication credentials for a given server (which might be registered in a remote realm), when it wishes to renew or validate an existing ticket, or when it wishes to obtain a proxy ticket. In the first case, the client must already have acquired a ticket for the Ticket-Granting Service using the AS exchange. (The ticket-granting ticket is usually obtained when a client initially authenticates to the system, such as when a user logs in.) The message format for the TGS exchange is almost identical to that for the AS exchange. The primary difference is that encryption and decryption in the TGS exchange does not take place under the client's key. Instead, the session key from the ticket-granting ticket or renewable ticket is used. Once the ticket-granting ticket or renewable ticket has expired, the AS exchange must be repeated.

The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or KRB_ERROR). The TGS request includes information authenticating the client plus a request for credentials. The authentication information consists of the authentication header (KRB_AP_REQ) which includes the client's previously obtained ticket-granting, renewable, or invalid ticket. In the ticket-granting ticket and proxy cases, the request may include one or more of: a list of network addresses, a free-form sequence of bytes to be sealed in the ticket for authorization use by the application server, or additional tickets (the use of which are described later). The TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the session key from the ticket-granting ticket or renewable ticket. The KRB_ERROR message contains an error code and text explaining what went wrong. The KRB_ERROR message is not encrypted. The KRB_TGS_REP message contains information which can be used to detect replays, and to associate it with the message to which it replies. The KRB_ERROR message also contains information which can be used to associate it with the message to which it replies (the lack of encryption in the KRB_ERROR message thwarts the ability to detect replays).

2.3.1. Generation of KRB_TGS_REQ message

Before sending a request to the ticket-granting service, the client must determine in which realm the application server is registered². If the client does not already possess a ticket-granting ticket for the appropriate realm, then one must be obtained. This is first attempted by requesting a ticket-granting ticket for the destination realm from the local Kerberos server (using the TGS request message recursively). The Kerberos server may return a TGT for the desired realm in which case one can proceed. Alternatively, the Kerberos server may return a TGT for a realm which is closer to the desired realm, in which case this step must be repeated with a Kerberos server in the realm specified in the returned TGT. If neither is returned, then the request must be retried with a Kerberos server for a realm higher in the hierarchy. This request will itself require a ticket-granting ticket for the higher realm which must be obtained by recursively applying these directions.

Once the ticket-granting ticket for the appropriate realm has been obtained, the client determines the names of the Kerberos servers for the given realm.

__________________

² This can be accomplished in several ways. It might be known beforehand (since the realm is part of the name), or it might be stored in a nameserver. Presently, however, this information is obtained by looking in the krb.realms file. If the realm to be used is obtained from a nameserver, there is a danger of being spoofed if the nameservice providing the realm name is not authenticated. This might result in the use of a realm which has been compromised, and would result in an attacker's ability to compromise the authentication of the application server to the client.

As in the AS exchange, the client may specify a number of options in the TGS request. The client prepares the KRB_TGS_REQ message, providing an authentication header, and including the same fields as used in the KRB_AS_REQ message, along with several optional fields: the authorization-data field for application server use and additional tickets required by some options. Once prepared, the message is sent to a Kerberos server for the destination realm.

2.3.2. Receipt of KRB_TGS_REQ message

The TGS request is processed in a manner similar to the AS request, but there are many additional checks to be performed. First, the Kerberos server must determine which server the accompanying ticket is for and it must select the appropriate key to decrypt it. For a normal TGS request, it will be for the ticket granting service, and the TGS's key will be used. If the TGT was issued by another realm, then the appropriate inter-realm key must be used. If the accompanying ticket is not a ticket granting ticket, but is for an application server in the current realm (which may be the case for a renewal, proxy or validation request), then the Kerberos server must look up the appropriate key and use that to decrypt the ticket.

Once the accompanying ticket has been decrypted, the user-supplied checksum in the Authenticator must be verified against the contents of the request, and the message rejected if the checksums do not match.

2.3.3. Generation of KRB_TGS_REP message

The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP), but with its type set to KRB_TGS_REP. The detailed specification is included in section 6.3.

The response will include a ticket for the requested server. The Kerberos database is queried to retrieve the record for the requested server (including the key with which the ticket will be encrypted). If the request is for a ticket granting ticket for a remote realm, and if no key is shared with the requested realm, then the Kerberos server will select the realm that is closest to the requested realm, and with which it does share a key, and use that realm instead. This is the only case where the response from the KDC will be for a different server than that requested by the client.

By default, the address field, the client's name and realm, the list of transited realms, the time of initial authentication, the expiration time, and the authorization data of the newly-issued ticket will be copied from the ticket-granting ticket (TGT) or renewable ticket.

If the request specifies an endtime, then the endtime of the new ticket is the minimum of (a) that request, (b) the endtime from the TGT, and (c) the starttime of the TGT plus the minimum of the maximum life for the application server and the maximum life for the local realm (the maximum life for the requesting principal was already applied when the TGT was issued). If the new ticket is to be a renewal, then the endtime above is replaced by the minimum of (a) the value of the renew_till field of the ticket and (b) the starttime for the new ticket plus the life (endtime-starttime) of the old ticket.

If the FORWARDING option has been specified, then the resulting ticket will contain the addresses specified by the client. This option will only be honored if the FORWARDABLE flag is set in the TGT. The PROXY option is similar; the resulting ticket will contain the addresses specified by the client. It will be honored only if the PROXIABLE flag in the TGT is set. The PROXY option will not be honored on requests for additional ticket-granting tickets.

If the requested start time is absent or indicates a time in the past, then the start time of the ticket is set to the authentication server's current time. If it indicates a time in the future, but the POSTDATED option has not been specified, then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting ticket has the MAY-POSTDATE flag set, then the resulting ticket will be postdated and the requested starttime is checked against the policy of the local realm. If acceptable, the ticket's start time is set as requested, and the INVALID flag is set. The postdated ticket must be validated before use by presenting it to the KDC after the starttime has been reached.
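The start-time, end-time, renewal and FORWARDING/PROXY address rules of section 2.3.3, as an added Python example that is not the draft's text or any implementation's code: the realm policy constants, the error name used for a start time rejected by realm policy, and all times and addresses are assumptions made for the example.

```python
"""Lifetime and address rules for a ticket issued by the TGS (draft section 2.3.3).
Constructed example, not the draft's or any implementation's code: times are epoch seconds,
and the accompanying ticket and the request are plain dicts keyed by the draft's field names
(starttime, endtime, renew_till, flags, options, addresses). Realm policy values are assumed."""

class KdcError(Exception):
    """Carries the KDC error code that would go back in a KRB_ERROR message."""

POLICY = {                            # assumed local-realm policy, not from the draft
    "realm_max_life": 10 * 3600,
    "server_max_life": 8 * 3600,
    "postdate_limit": 7 * 24 * 3600,  # how far ahead a postdated start may lie
}

def new_start_time(req, old, now, policy=POLICY):
    """Start time of the new ticket and whether it must carry the INVALID flag."""
    requested = req.get("from")                    # absent, or the requested start time
    if requested is None or requested <= now:      # absent or past: the KDC's current time
        return now, False
    # A future start time needs the POSTDATED option, else KDC_ERR_CANNOT_POSTDATE. A TGT
    # without MAY-POSTDATE is refused the same way (assumption; the draft only says that
    # postdating requires the flag and names no error code for its absence).
    if "POSTDATED" not in req["options"] or "MAY-POSTDATE" not in old["flags"]:
        raise KdcError("KDC_ERR_CANNOT_POSTDATE")
    if requested - now > policy["postdate_limit"]:  # "checked against the policy of the local realm"
        raise KdcError("KDC_ERR_POLICY")            # error name assumed; the draft names none here
    return requested, True                          # postdated: start as requested, INVALID set

def new_end_time(req, old, start, renewal, policy=POLICY):
    """End time: the min-of-three rule, or the renewal rule when RENEW was requested."""
    if renewal:
        old_life = old["endtime"] - old["starttime"]        # life (endtime-starttime) of the old ticket
        return min(old["renew_till"], start + old_life)
    candidates = [old["endtime"],                                                        # (b)
                  old["starttime"] + min(policy["server_max_life"], policy["realm_max_life"])]  # (c)
    if req.get("till") is not None:                           # (a) the requested endtime
        candidates.append(req["till"])                        # (absent: (b) and (c) alone; assumption)
    return min(candidates)

def new_addresses(req, old, for_tgt):
    """FORWARDING / PROXY handling; by default the addresses are copied from the old ticket."""
    opts, flags = req["options"], old["flags"]
    if "FORWARDING" in opts and "FORWARDABLE" in flags:
        return list(req["addresses"])
    if "PROXY" in opts and "PROXIABLE" in flags and not for_tgt:   # never honored for a TGT request
        return list(req["addresses"])
    return list(old["addresses"])

def issue(req, old, now, policy=POLICY):
    """Assemble the time- and address-related fields of the ticket in the KRB_TGS_REP."""
    start, invalid = new_start_time(req, old, now, policy)
    renewal = "RENEW" in req["options"]
    return {
        "starttime": start,
        "endtime": new_end_time(req, old, start, renewal, policy),
        "addresses": new_addresses(req, old, req["sname"].startswith("krbtgt/")),
        "flags": set(old["flags"]) | ({"INVALID"} if invalid else set()),
    }

def demo():
    """Constructed requests against one TGT; returns the outcomes checked by the assertions."""
    tgt = {"starttime": 0, "endtime": 36_000, "renew_till": 100_000, "addresses": ["10.0.0.5"],
           "flags": {"FORWARDABLE", "PROXIABLE", "MAY-POSTDATE", "RENEWABLE"}}
    base = {"sname": "host/app.example.org", "options": set(), "addresses": ["10.0.0.7"]}
    out = {"plain": issue({**base, "till": 50_000}, tgt, now=1_000)}
    out["postdated"] = issue({**base, "from": 4_600, "options": {"POSTDATED"}}, tgt, now=1_000)
    try:
        issue({**base, "from": 4_600}, tgt, now=1_000)
    except KdcError as e:
        out["future_without_option"] = str(e)
    out["renewal"] = issue({**base, "options": {"RENEW"}}, tgt, now=20_000)
    out["proxy_svc"] = issue({**base, "options": {"PROXY"}}, tgt, now=1_000)["addresses"]
    out["proxy_tgt"] = issue({**base, "sname": "krbtgt/OTHER.ORG", "options": {"PROXY"}},
                             tgt, now=1_000)["addresses"]
    return out
```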
If the DUPLICATE-SKEY option has been specified, and if an additional ticket has been included in the request, and if the additional ticket has the DUPLICATE-SKEY flag set, then the KDC will decrypt the second ticket using the key of the server for which it was issued, check to make sure that the principal to whom the additional ticket was issued matches the one making the request, and if so it will use the session key from the second ticket as the session key for the new ticket. It will also set the DUPLICATE-SKEY flag on the new ticket.[2]

    [2] One of the purposes of the Kerberos protocol is to securely exchange encryption keys. While it is possible for a user to securely exchange a single key with more than one other principal on top of the Kerberos protocol without using the DUPLICATE-SKEY feature, leaving the design of the mechanism to the application programmer can be error prone. By providing this functionality within Kerberos, we make sure it is done right, and we make it known which keys have been passed on. If a key issued by Kerberos is passed on by an application (outside of the Kerberos protocol), the fact that it was passed on might not be known by other applications, and a breach of security might result.

Section 2.3.3.                                                    - 10 -

DRAFT 3

If the ENC-TKT-IN-SKEY option has been specified, and if an additional ticket has been included in the request, then the KDC will decrypt the additional ticket using the key for the server to which it was issued, verify that it is a ticket-granting ticket, and use the session key from the additional ticket to encrypt the new ticket it will issue instead of encrypting the new ticket in the key of the server for which it is to be issued.[3]

    [3] This allows easy implementation of the Davis & Swick proposal [5] to use ticket-granting ticket session keys in lieu of secret server keys in situations where such secret keys could be easily compromised.

If the name of the server in the ticket that is presented to the KDC as part of the authenticator is not that of the ticket-granting server itself, and the server is registered in the realm of the KDC, and the RENEW, VALIDATE, or PROXY options are specified in the request, then the KDC will decrypt the ticket in the authenticator using the key of the server to which it was issued, check that the RENEWABLE flag is set or that the starttime has passed and the INVALID flag is set, check the renew_till field if appropriate, and issue a new ticket, either a renewal or a valid postdated ticket.

Whenever a request is made to the ticket-granting server, the presented ticket is checked against a hot-list of tickets which have been canceled. In this way, a stolen ticket-granting ticket or renewable ticket cannot be used to gain additional tickets (renewals or otherwise) once the theft has been reported. Any normal ticket obtained before it was reported stolen will still be valid (because using it requires no interaction with the KDC), but only until its normal expiration time.

If the identity of the server in the TGT that is presented to the KDC as part of the authentication header is that of the ticket-granting service, but the TGT was issued from another realm, the KDC will look up the inter-realm key shared with that realm and use that key to decrypt the ticket. If the ticket is valid, then the KDC will honor the request, subject to the constraints outlined above in the section describing the AS exchange. The realm part of the client's identity will be taken from the ticket-granting ticket. The name of the realm that issued the ticket-granting ticket will be added to the transited field of the ticket to be issued. This is accomplished by reading the transited field from the ticket-granting ticket, adding the new realm, then constructing and writing out its encoded (shorthand) form (this may involve a rearrangement of the existing encoding).

The ciphertext part of the response in the KRB_TGS_REP message is encrypted in the session key from the ticket-granting ticket instead of the client's secret key. Furthermore, the client's key's expiration date and the key version number fields are left out since these values are stored along with the client's database record, and that record is not needed to satisfy a request based on a ticket-granting ticket.

2.3.4. Receipt of KRB_TGS_REP message

When the KRB_TGS_REP is received by the client, it is processed in the same manner as the KRB_AS_REP processing described above. The primary difference is that the ciphertext part of the response must be decrypted using the session key from the ticket-granting ticket rather than the client's private key.

2.4. The KRB_SAFE Exchange

The KRB_SAFE message may be used by clients requiring the ability to detect modifications of messages they exchange. It achieves this by including a checksum of the user data and some control information. The checksum is cryptographically generated using the session key.

2.4.1. Generation of a KRB_SAFE message

When an application wishes to send a KRB_SAFE message, it collects its data and the appropriate control information and computes a checksum over them. The checksum algorithm will usually be some sort of cryptographic one-way hash function (such as the RSA-MD4-DES checksum algorithm specified in section 7), generated using the session key. Different algorithms may be selected by changing the checksum type in the message. Note that any checksum used should be careful not to reveal the session key.

After computing the checksum, the client then transmits the information and checksum to the recipient in the message format specified in section 6.5.

2.4.2. Receipt of KRB_SAFE message

When an application receives a KRB_SAFE message, it verifies it as follows. If any error occurs, an error code is reported for use by the application.

The message is first checked by verifying that the protocol version and type fields match the current version and KRB_SAFE, respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. Next the application verifies that the message length contained in the message matches the operating system's report of the message size received. A mismatch generates a KRB_AP_ERR_MODIFIED error. The receiver's address in the message is searched for in a list of the local host's addresses; a failed search generates a KRB_AP_ERR_BADADDR error. Then the timestamp and msec fields in the message are checked to ensure they are current and not replayed. If they are not current, a KRB_AP_ERR_SKEW error is generated. If they are a replay, a KRB_AP_ERR_REPEAT error is generated. The most significant bit of the millisecond field is used to encode the direction of the message (this bit is used because it can never be set as part of the encoding of a millisecond value, since such values are restricted to be less than 1000). If the sender's address is greater than the receiver's address, then the bit is set (an ordering on the addresses is specified with the specification of the encoding of the addresses, in section 5.3), otherwise it is reset. If the direction bit is set incorrectly for this message, a KRB_AP_ERR_BADDIRECTION error is generated. Finally, the checksum is computed over the data and control information, and if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error is returned.

If all the checks succeed, the application can assume that the message was generated by its peer and was not modified in transit.

2.5. The KRB_PRIV Exchange

The KRB_PRIV message may be used by clients requiring confidentiality and the ability to detect modifications of exchanged messages. It achieves this by encrypting the messages and adding control information.

2.5.1. Generation of a KRB_PRIV message

When an application wishes to send a KRB_PRIV message, it collects its data and the appropriate control information (specified in section 6.6) and encrypts them under an encryption key (usually the session key). It then transmits the information and some "envelope" information to the recipient.

2.5.2. Receipt of KRB_PRIV message

When an application receives a KRB_PRIV message, it verifies it as follows. If any error occurs, an error code is reported for use by the application.

The message is first checked by verifying that the protocol version and type fields match the current version and KRB_PRIV, respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. Next the application verifies that the message length contained in the message matches the operating system's report of the message size received. A mismatch generates a KRB_AP_ERR_MODIFIED error. The application then decrypts the encrypted data and processes it. If the length encoded in the decrypted user data is greater than the remaining length of decrypted data, a KRB_AP_ERR_MODIFIED error is generated (this usually indicates decryption with the wrong key). The receiver's address in the message is searched for in a list of the local host's addresses; a failed search generates a KRB_AP_ERR_BADADDR error. Then the timestamp and msec fields in the message are checked to ensure they are current and not replayed. If they are not current, a KRB_AP_ERR_SKEW error is generated. If they are a replay, a KRB_AP_ERR_REPEAT error is generated. The most significant bit of the msec field is used to encode the direction of the message. If the sender's address is greater than the receiver's address, then the bit is set (an ordering on the addresses is specified with the specification of the encoding of the addresses, in section 5.2), otherwise it is reset. If the direction bit is set incorrectly for this message, a KRB_AP_ERR_BADDIRECTION error is generated.

If all the checks succeed, the application can assume the message was generated by its peer, and was securely transmitted (without intruders able to see the unencrypted contents).
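The receipt checks of sections 2.4.2 and 2.5.2 share everything except the final step (checksum verification for KRB_SAFE, decryption plus the length check for KRB_PRIV), so one added example covers both. It is not code from the draft or from any Kerberos implementation. Assumptions made here: the protocol version is 5; the msec field is 16 bits wide with the direction bit in bit 15; addresses are ordered as byte strings (the draft defers the ordering to its address-encoding section); the message layout, the nonce (standing in for the "envelope" information) and the 300-second skew bound are this example's own; HMAC-SHA256 stands in for the keyed checksum and an HMAC-derived keystream XOR stands in for encryption, neither being a Kerberos checksum or encryption type.

```python
"""Receiver-side checks for KRB_SAFE (section 2.4.2) and KRB_PRIV (section 2.5.2)."""
import hashlib
import hmac
import struct

PVNO = 5
MAX_SKEW = 300   # seconds; the tolerated clock skew is a local policy choice


class KrbApError(Exception):
    """Raised with the KRB_AP_ERR_* name the draft assigns to the failed check."""


def direction_bit(sender, receiver):
    return 1 if sender > receiver else 0


def msec_field(msec, sender, receiver):
    """Millisecond value (< 1000, so bit 15 is always free) plus the direction bit."""
    if not 0 <= msec < 1000:
        raise ValueError("msec must be < 1000")
    return msec | (direction_bit(sender, receiver) << 15)


def checksum(key, data):
    # Keyed one-way function: cannot be forged or verified without the key,
    # and its output reveals nothing about the key.
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(key, nonce, data):
    # Toy stream cipher for the example only; the same call decrypts.
    stream = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def build_body(ts, msec, sender, receiver, user_data):
    """timestamp | msec | sender | receiver | user data, each variable part length-prefixed."""
    return (struct.pack(">IHB", ts, msec, len(sender)) + sender
            + struct.pack(">B", len(receiver)) + receiver
            + struct.pack(">I", len(user_data)) + user_data)


def parse_body(plain):
    try:
        ts, msec, slen = struct.unpack_from(">IHB", plain, 0)
        off = 7
        sender, off = plain[off:off + slen], off + slen
        rlen, off = plain[off], off + 1
        receiver, off = plain[off:off + rlen], off + rlen
        (ulen,) = struct.unpack_from(">I", plain, off)
        off += 4
    except (struct.error, IndexError):
        raise KrbApError("KRB_AP_ERR_MODIFIED")
    if ulen > len(plain) - off:
        # Length in the (decrypted) data exceeds what remains: the usual
        # symptom of decryption with the wrong key, reported as MODIFIED.
        raise KrbApError("KRB_AP_ERR_MODIFIED")
    return ts, msec, sender, receiver, plain[off:off + ulen]


def make_safe(key, ts, msec, sender, receiver, user_data):
    body = build_body(ts, msec_field(msec, sender, receiver), sender, receiver, user_data)
    return {"pvno": PVNO, "msg_type": "KRB_SAFE", "length": len(body),
            "body": body, "checksum": checksum(key, body)}


def make_priv(key, nonce, ts, msec, sender, receiver, user_data):
    body = build_body(ts, msec_field(msec, sender, receiver), sender, receiver, user_data)
    return {"pvno": PVNO, "msg_type": "KRB_PRIV", "length": len(body),
            "nonce": nonce, "body": keystream_xor(key, nonce, body)}


class Receiver:
    def __init__(self, session_key, local_addrs):
        self.key = session_key
        self.local_addrs = set(local_addrs)
        self.seen = set()   # replay cache of (sender, timestamp, msec)

    def _check_header(self, msg, expected_type):
        if msg["pvno"] != PVNO:
            raise KrbApError("KRB_AP_ERR_BADVERSION")
        if msg["msg_type"] != expected_type:
            raise KrbApError("KRB_AP_ERR_MSG_TYPE")
        if msg["length"] != len(msg["body"]):   # length in the message vs. bytes actually received
            raise KrbApError("KRB_AP_ERR_MODIFIED")

    def _check_fields(self, ts, msec, sender, receiver, now):
        if receiver not in self.local_addrs:
            raise KrbApError("KRB_AP_ERR_BADADDR")
        if abs(now - ts) > MAX_SKEW:
            raise KrbApError("KRB_AP_ERR_SKEW")
        if (sender, ts, msec) in self.seen:
            raise KrbApError("KRB_AP_ERR_REPEAT")
        if msec >> 15 != direction_bit(sender, receiver):
            raise KrbApError("KRB_AP_ERR_BADDIRECTION")

    def verify_safe(self, msg, now):
        self._check_header(msg, "KRB_SAFE")
        ts, msec, sender, receiver, data = parse_body(msg["body"])
        self._check_fields(ts, msec, sender, receiver, now)
        if not hmac.compare_digest(checksum(self.key, msg["body"]), msg["checksum"]):
            raise KrbApError("KRB_AP_ERR_MODIFIED")
        self.seen.add((sender, ts, msec))   # record only once the message is known authentic
        return data

    def verify_priv(self, msg, now):
        self._check_header(msg, "KRB_PRIV")
        plain = keystream_xor(self.key, msg["nonce"], msg["body"])
        ts, msec, sender, receiver, data = parse_body(plain)
        self._check_fields(ts, msec, sender, receiver, now)
        self.seen.add((sender, ts, msec))
        return data
```

One deliberate departure from the draft's ordering: the replay cache is consulted where the draft places the check, but the (sender, timestamp, msec) triple is only recorded after the checksum (or decryption) has succeeded. Recording it earlier would let anyone who can inject packets pre-empt a genuine message's timestamp with a forged one and have the genuine message rejected as KRB_AP_ERR_REPEAT.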
3. Encryption

The Kerberos protocols described in this document are designed to use stream encryption ciphers, which can be simulated using commonly available block encryption ciphers, such as the Data Encryption Standard [6], in conjunction with block chaining and checksum methods [7]. Encryption is used to prove the identities of the network entities participating in message exchanges. The Key Distribution Center for each realm is trusted by all principals registered in that realm to store a secret key in confidence. Proof of knowledge of this private key is used to verify the authenticity of a principal.

The KDC uses the principal's secret key (in the AS exchange) or a shared session key (in the TGS exchange) to encrypt responses to ticket requests; the ability to obtain the secret key or session key implies the knowledge of the appropriate keys and the identity of the KDC. The ability of a principal to decrypt the KDC response and present a Ticket and a properly formed Authenticator (generated with the session key from the KDC response) to a service verifies the identity of the principal; likewise the ability of the service to extract the session key from the Ticket and prove its knowledge thereof in a response verifies the identity of the service.

The Kerberos protocols generally assume that the encryption used is secure from cryptanalysis; however, in some cases, the order of fields in the encrypted portions of messages is arranged to minimize the effects of poorly chosen keys. It is still important to choose good keys. If keys are derived from user-typed passwords, those passwords need to be well chosen to make brute force attacks more difficult. Poorly chosen keys still make easy targets for intruders.

4. The Kerberos Database

The Kerberos server must have access to a database containing the names and secret keys of principals to be authenticated.[2]

    [2] The implementation of the Kerberos server need not combine the database and the server on the same machine; it is feasible to store the principal database in, say, a network name service, as long as the entries stored therein are protected from disclosure to and modification by unauthorized parties. However, we recommend against such strategies, as they can make system management and threat analysis quite complex.

4.1. Database contents

A database entry should contain at least the following fields:

    Field                 Value
    name                  Principal's identifier
    key                   Principal's secret key
    p_kvno                Principal's key version
    max_life              Maximum lifetime for Tickets
    max_renewable_life    Maximum total lifetime for renewable Tickets

The first field is a string array representing the principal's name. The 'key' field contains an encryption key. This key is the principal's secret key. (The key can be encrypted before storage under a Kerberos "master key" to protect it in case the database is compromised but the master key is not. In that case, an extra field must be added to indicate the master key version used, see below.) The 'p_kvno' field is the key version number of the principal's secret key. The 'max_life' field contains the maximum allowable lifetime (endtime - starttime) for any Ticket issued for this principal. The 'max_renewable_life' field contains the maximum allowable total lifetime for any renewable Ticket issued for this principal. (See section 2.1 for a description of how these lifetimes are used in determining the lifetime of a given Ticket.)

A server may provide KDC service to several realms, as long as the database representation provides a mechanism to distinguish between principal records with identifiers which differ only in the realm name.

When a server's key changes, if the change is routine (i.e. not the result of disclosure of the old key), the old key should be retained by the server until all tickets that had been issued using that key have expired. Because of this, it is possible for several keys to be active for a single principal. Text that is encrypted in a principal's key is always tagged with the version of the key that was used for encryption.

When more than one key is active for a particular principal, the principal will have more than one record in the Kerberos database. The keys and key version numbers will differ between the records (the rest of the fields may or may not be the same). Whenever Kerberos issues a ticket, or responds to a request for initial authentication, the most recent key (known by the Kerberos server) will be used for encryption. This is the key with the highest key version number. The size of the version number field in the database is an implementation issue, but only 8 bits are assigned to this field in the protocol. As such, all active keys for a given principal must have a key version number that falls into a contiguous range of 256. [One easy way to achieve this is to take the Kerberos database's key version number modulo 256, and use the result for the key version number in the protocols.]
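The key-change rules of section 4.1 in running code: a routine change keeps the old key active until tickets issued under it can no longer be valid, a disclosed key is dropped at once, new encryptions use the highest kvno, and the 8-bit protocol field carries the database kvno modulo 256, which forces the active kvnos into a range of 256. This is an added example, not code from the draft or from any KDC; the class and method names are its own, and an HMAC tag stands in for encryption under the principal's key so that the version tagging is visible without a cipher.

```python
"""Active key records, key version numbers and the 8-bit protocol kvno (section 4.1)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


class KeyVersionError(Exception):
    pass


@dataclass
class KeyRecord:
    kvno: int                           # database key version, not limited to 8 bits
    key: bytes
    retire_after: Optional[int] = None  # None while this is the newest key


class PrincipalKeys:
    """All database records for one principal; they differ only in key and kvno."""

    def __init__(self, name: str, max_life: int):
        self.name = name
        self.max_life = max_life   # entry's max_life: no ticket issued under an old key outlives it
        self.records: List[KeyRecord] = []

    def _prune(self, now: int) -> None:
        self.records = [r for r in self.records if r.retire_after is None or r.retire_after > now]

    def add_key(self, key: bytes, now: int, kvno: Optional[int] = None,
                compromised: bool = False) -> int:
        self._prune(now)
        active = [r.kvno for r in self.records]
        if kvno is None:
            kvno = max(active, default=0) + 1
        if any(k >= kvno for k in active):
            raise KeyVersionError("a new key must carry a higher kvno than every active key")
        newest = max(active, default=None)
        remaining = [k for k in active if not (compromised and k == newest)]
        if remaining and kvno - min(remaining) > 255:
            # Only 8 bits go on the wire, so two active keys whose kvnos differ
            # by 256 or more would be indistinguishable to the peer.
            raise KeyVersionError("active kvnos must fall in a contiguous range of 256")
        for r in self.records:
            if r.retire_after is None:
                # Routine change: keep the old key until every ticket issued under it
                # has expired. Disclosed key: drop it now; tickets already issued under
                # it are a matter for the KDC's hot-list, not for key retention.
                r.retire_after = now if compromised else now + self.max_life
        self.records.append(KeyRecord(kvno, key))
        self._prune(now)
        return kvno

    def current(self, now: int) -> KeyRecord:
        self._prune(now)
        if not self.records:
            raise KeyVersionError("no active key for %s" % self.name)
        return max(self.records, key=lambda r: r.kvno)   # highest kvno = most recent key

    @staticmethod
    def protocol_kvno(kvno: int) -> int:
        return kvno % 256   # the value carried in the 8-bit protocol field

    def protect(self, data: bytes, now: int):
        """Tag data under the newest key; the HMAC stands in for encryption in that key."""
        rec = self.current(now)
        return self.protocol_kvno(rec.kvno), hmac.new(rec.key, data, hashlib.sha256).digest()

    def verify(self, proto_kvno: int, data: bytes, tag: bytes, now: int) -> bool:
        """Resolve the tagged version among the keys still active. A retired kvno is
        an error, never a silent fallback to the current key."""
        self._prune(now)
        for r in self.records:
            if self.protocol_kvno(r.kvno) == proto_kvno:
                return hmac.compare_digest(hmac.new(r.key, data, hashlib.sha256).digest(), tag)
        raise KeyVersionError("no active key of %s has protocol kvno %d" % (self.name, proto_kvno))
```

Retiring the old key after max_life seconds is the tightest bound the page's fields allow; a server that also issues renewable tickets would use max_renewable_life instead, since a renewal can extend a ticket well past the life of the key it was first encrypted under.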
1543(for)X 1657(entry)X 555 3424(attributes)N 1031(Bit)X 1148(\256eld)X 1310(of)X 1397(attributes)X 555 3520(mod_date)N 1031(Timestamp)X 1411(of)X 1498(last)X 1629(modi\256cation)X 555 3616(mod_name)N 1031(Modifying)X 1393(principal's)X 1756(identi\256er)X 555 3788(The)N 702('K_kvno')X 1036(\256eld)X 1200(indicates)X 1507(the)X 1627(key)X 1765(version)X 2023(of)X 2112(the)X 2231(Kerberos)X 2547(master)X 2782(key)X 2919(under)X 3123(which)X 3340(the)X 3459(principal's)X 3823(secret)X 555 3884(key)N 691(is)X 764(encrypted.)X 755 4008(After)N 946(an)X 1043(entry's)X 1287('expiration')X 1687(date)X 1842(has)X 1970(passed,)X 2225(the)X 2344(KDC)X 2534(will)X 2679(return)X 2892(an)X 2989(error)X 3167(to)X 3250(any)X 3387(client)X 3586(attempting)X 3949(to)X 555 4104(gain)N 722(tickets)X 960(as)X 1056(or)X 1152(for)X 1275(the)X 1402(principal.)X 1756(\(A)X 1870(database)X 2176(may)X 2343(want)X 2528(to)X 2619(maintain)X 2928(two)X 3077(expiration)X 3431(dates:)X 3647(one)X 3791(for)X 3913(the)X 555 4200(principal,)N 881(and)X 1018(one)X 1154(for)X 1268(the)X 1386(principal's)X 1749(current)X 1997(key.)X 2173(This)X 2335(allows)X 2564(password)X 2887(aging)X 3085(to)X 3167(work)X 3352(independently)X 3826(of)X 3913(the)X 555 4296(principal's)N 919(expiration)X 1265(date.)X 1460(However,)X 1796(due)X 1933(to)X 2016(the)X 2135(limited)X 2382(space)X 2582(in)X 2665(the)X 2783(responses,)X 3135(the)X 3253(KDC)X 3442(must)X 3617(combine)X 3913(the)X 555 4392(key)N 693(expiration)X 1040(and)X 1178(principal)X 1485(expiration)X 1832(date)X 1988(into)X 2134(a)X 2192(single)X 2405(value)X 2601(called)X 2815("key_exp",)X 3195(which)X 3413(is)X 3488(used)X 3657(as)X 3746(a)X 3804(hint)X 3949(to)X 555 4488(the)N 673(user)X 827(to)X 909(take)X 1063(administrative)X 1541(action.\))X 755 4612(The)N 910('attributes')X 1292(\256eld)X 1464(is)X 1547(a)X 1613(bit\256eld)X 1869(used)X 2046(to)X 2138(govern)X 2391(the)X 2519(operations)X 2882(involving)X 3217(the)X 3344(principal.)X 
3698(This)X 3869(\256eld)X 555 4708(might)N 764(be)X 862(useful)X 1080(in)X 1164(conjunction)X 1564(with)X 1728(user)X 1884(registration)X 2271(procedures)X 2646(or)X 2735(for)X 2851(site-speci\256c)X 3256(policy)X 3478(implementations)X 555 4804(\(Project)N 833(Athena)X 1089(currently)X 1403(uses)X 1565(it)X 1633(for)X 1751(their)X 1922(user)X 2080(registration)X 2469(process)X 2734(controlled)X 3082(by)X 3185(the)X 3306(system-wide)X 3734(database)X 555 4900(service,)N 824(Moira.)X 8 s 1040 4875(8)N 10 s 1093 4900(\).)N 1181(Other)X 1385(bits)X 1521(are)X 1640(used)X 1807(to)X 1889(indicate)X 2163(that)X 2303(certain)X 2542(ticket)X 2740(options)X 2995(should)X 3228(not)X 3350(be)X 3446(allowed)X 3720(in)X 3802(tickets)X 555 4996(encrypted)N 897(under)X 1105(a)X 1166(principal's)X 1534(key)X 1675(\(one)X 1843(bit)X 1952(each\):)X 2194(Disallow)X 2508(issuing)X 2759(postdated)X 3091(tickets,)X 3345(disallow)X 3640(issuing)X 3890(for-)X 555 5092(wardable)N 873(tickets,)X 1125(disallow)X 1419(issuing)X 1668(tickets)X 1900(based)X 2106(on)X 2209(TGT)X 2388(authentication,)X 2885(disallow)X 3179(issuing)X 3428(renewable)X 3782(tickets,)X 555 5188(disallow)N 846(issuing)X 1092(proxiable)X 1415(tickets,)X 1664(disallow)X 1955(issuing)X 2201(duplicate)X 2515(session)X 2766(key)X 2902(tickets.)X 755 5312(The)N 908('mod_date')X 1306(\256eld)X 1476(contains)X 1771(the)X 1897(time)X 2067(of)X 2162(last)X 2301(modi\256cation)X 2733(of)X 2827(the)X 2952(entry,)X 3164(and)X 3307(the)X 3432('mod_name')X 3869(\256eld)X 555 5408(contains)N 842(the)X 960(name)X 1154(of)X 1241(the)X 1359(principal)X 1664(which)X 1880(last)X 2011(modi\256ed)X 2315(the)X 2433(entry.)X 12 s 555 6144(Section)N 868(4.2.)X 2179(-)X 2235(14)X 2355(-)X 15 p %%Page: 15 16 12 s 0 xH 0 xS 1 f 10 s 0 32(--)N 4323(--)X 3 f 12 s 2082 432(DRAFT)N 2436(3)X 555 672(4.3.)N 747(Frequently)X 1225(Changing)X 1648(Fields)X 1 f 10 s 755 796(Some)N 960(KDC)X 1152(implementations)X 1708(may)X 1868(wish)X 2041(to)X 
2125(maintain)X 2427(the)X 2547(last)X 2680(time)X 2844(that)X 2986(a)X 3044(request)X 3298(was)X 3445(made)X 3641(by)X 3743(a)X 3801(partic-)X 555 892(ular)N 707(principal.)X 1059(Information)X 1469(that)X 1615(might)X 1827(be)X 1929(maintained)X 2311(includes)X 2604(the)X 2728(time)X 2896(of)X 2989(the)X 3113(last)X 3250(request,)X 3528(the)X 3652(time)X 3820(of)X 3913(the)X 555 988(last)N 694(request)X 954(for)X 1076(a)X 1140(ticket-granting)X 1640(ticket,)X 1866(the)X 1991(time)X 2160(of)X 2254(the)X 2379(last)X 2517(use)X 2651(of)X 2745(a)X 2808(ticket-granting)X 3307(ticket,)X 3532(or)X 3626(other)X 3818(times.)X 555 1084(This)N 721(information)X 1123(can)X 1259(then)X 1421(be)X 1521(returned)X 1813(to)X 1899(the)X 2021(user)X 2179(in)X 2265(the)X 3 f 2387(last-req)X 1 f 2674(\256eld)X 2839(\(more)X 3054(detail)X 3255(can)X 3390(be)X 3489(found)X 3699(in)X 3784(section)X 555 1180(5.1\).)N 755 1304(Other)N 968(frequently)X 1328(changing)X 1652(information)X 2060(that)X 2209(can)X 2350(be)X 2455(maintained)X 2840(is)X 2922(the)X 3049(latest)X 3247(expiration)X 3601(time)X 3772(for)X 3895(any)X 555 1400(tickets)N 788(that)X 932(have)X 1107(been)X 1282(issued)X 1505(using)X 1701(each)X 1872(key.)X 2051(This)X 2216(\256eld)X 2381(would)X 2604(be)X 2703(used)X 2873(to)X 2958(indicate)X 3235(how)X 3396(long)X 3561(old)X 3686(keys)X 3856(must)X 555 1496(remain)N 798(valid)X 978(to)X 1060(allow)X 1258(the)X 1376(continued)X 1712(use)X 1839(of)X 1926(outstanding)X 2319(tickets.)X 3 f 12 s 555 1688(4.4.)N 747(Site)X 926(Constants)X 1 f 10 s 755 1812(The)N 907(KDC)X 1103(implementation)X 1632(should)X 1872(have)X 2051(the)X 2176(following)X 2514(con\256gurable)X 2942(constants)X 3267(or)X 3361(options,)X 3643(to)X 3731(allow)X 3935(an)X 555 1908(administrator)N 1002(to)X 1084(make)X 1278(and)X 1414(enforce)X 1676(policy)X 1896(decisions:)X 10 f 555 2032(g)N 1 f 675(The)X 831(minimum)X 1172(supported)X 1519(lifetime)X 1799(\(used)X 2003(to)X 2095(determine)X 
2446(whether)X 2735(the)X 2863(KDC_ERR_NEVER_VALID)X 3854(error)X 675 2128(should)N 923(be)X 1034(returned\).)X 1404(This)X 1581(constant)X 1883(should)X 2131(re\257ect)X 2367(reasonable)X 2746(expectations)X 3181(of)X 3282(round-trip)X 3641(time)X 3817(to)X 3913(the)X 675 2224(KDC,)N 895(encryption/decryption)X 1634(time,)X 1827(and)X 1974(processing)X 2348(time)X 2521(by)X 2632(the)X 2761(client)X 2970(and)X 3117(target)X 3331(server,)X 3578(and)X 3724(it)X 3798(should)X 675 2320(allow)N 873(for)X 987(a)X 1043(minimum)X 1373("useful")X 1655(lifetime.)X 10 f 555 2444(g)N 1 f 675(The)X 820(maximum)X 1164(allowable)X 1496(total)X 1658 0.3125(\(renewable\))AX 2063(lifetime)X 2332(of)X 2419(a)X 2475(ticket)X 2673(\(renew_till)X 3045(-)X 3092(starttime\))X 10 f 555 2568(g)N 1 f 675(The)X 820(maximum)X 1164(allowable)X 1496(lifetime)X 1765(of)X 1852(a)X 1908(ticket)X 2106(\(endtime)X 2411(-)X 2458(starttime\))X 10 f 555 2692(g)N 1 f 675(Whether)X 983(to)X 1076(allow)X 1285(the)X 1414(issue)X 1604(of)X 1701(tickets)X 1940(with)X 2112(empty)X 2342(address)X 2613(\256elds)X 2816(\(including)X 3175(the)X 3303(ability)X 3537(to)X 3629(specify)X 3891(that)X 675 2788(such)N 842(tickets)X 1071(may)X 1229(only)X 1391(be)X 1487(issued)X 1707(if)X 1776(the)X 1894(request)X 2146(speci\256es)X 2442(some)X 2631(authorization_data\))X 10 f 555 2912(g)N 1 f 675(Whether)X 972(proxiable,)X 1315(forwardable,)X 1744(renewable)X 2095(or)X 2182(post-datable)X 2594(tickets)X 2823(are)X 2942(to)X 3024(be)X 3120(issued.)X 3 f 12 s 555 3104(5.)N 675(Field)X 908(Descriptions)X 1444(and)X 1622(Encodings)X 1 f 10 s 755 3228(This)N 924(section)X 1178(describes)X 1504(the)X 1629(\256elds)X 1829(used)X 2002(in)X 2090(the)X 2214(protocol)X 2507(messages.)X 2876(The)X 3027(encodings)X 3378(of)X 3471(the)X 3595(\256elds,)X 3814(where)X 555 3324(de\256ned)N 820(for)X 943(the)X 1070(Kerberos)X 1394(protocol,)X 1710(are)X 1838(included)X 2143(with)X 2314(the)X 2441(\256eld)X 2612(description.)X 3037(Where)X 
3281(parts)X 3465(of)X 3560(the)X 3686(encodings)X 555 3420(have)N 727(been)X 899(speci\256ed)X 1204(independent)X 1616(from)X 1792(the)X 1910(Kerberos)X 2225(protocol,)X 2532(these)X 2717(encodings)X 3062(are)X 3181(covered)X 3456(in)X 3538(section)X 3785(5.2.)X 3 f 12 s 555 3612(5.1.)N 747(Field)X 980(Descriptions)X 1 f 10 s 755 3736(Below)N 990(is)X 1069(an)X 1171(alphabetical)X 1585(summary)X 1909(of)X 2002(the)X 2126(labels)X 2338(and)X 2479(descriptions)X 2891(of)X 2983(\256elds)X 3181(used)X 3353(in)X 3440(the)X 3563(protocol)X 3855(mes-)X 555 3832(sages.)N 3 f 555 3984(additional-tickets)N 1 f 955 4080(Additional)N 1322(tickets)X 1556(may)X 1719(be)X 1820(optionally)X 2168(included)X 2468(in)X 2554(a)X 2614(request)X 2870(to)X 2956(the)X 3078(ticket-granting)X 3574(server.)X 3835(If)X 3913(the)X 955 4176(SAME-SKEY)N 1438(option)X 1667(has)X 1799(been)X 1976(speci\256ed,)X 2306(then)X 2469(the)X 2592(additional)X 2937(ticket)X 3140(contains)X 3432(the)X 3554(session)X 3809(key)X 3949(to)X 955 4272(be)N 1056(assigned)X 1357(to)X 1444(the)X 1567(new)X 1726(ticket.)X 1969(If)X 2048(the)X 2171(ENC-TKT-IN-SKEY)X 2887(option)X 3115(has)X 3246(been)X 3422(speci\256ed,)X 3751(then)X 3913(the)X 955 4368(session)N 1212(key)X 1354(from)X 1536(the)X 1660(additional)X 2006(ticket)X 2210(will)X 2360(be)X 2462(used)X 2635(in)X 2723(place)X 2919(of)X 3012(the)X 3136(server's)X 3417(key)X 3559(to)X 3647(encrypt)X 3913(the)X 955 4464(new)N 1114(ticket.)X 1357(If)X 1436(more)X 1626(than)X 1789(one)X 1930(option)X 2158(has)X 2289(been)X 2465(speci\256ed,)X 2794(then)X 2956(the)X 3078(additional)X 3422(tickets)X 3655(are)X 3778(used)X 3949(in)X 955 4560(the)N 1073(order)X 1263(speci\256ed)X 1568(by)X 1668(the)X 1786(ordering)X 2078(of)X 2165(the)X 2283(options)X 2538(bits)X 2673(\(see)X 2823(kdc-options\).)X 3 f 555 4780(addresses)N 1 f 955(This)X 1125(\256eld)X 1295(is)X 1375(included)X 1678(in)X 1767(the)X 1892(initial)X 2105(request)X 2364(for)X 2485(tickets,)X 2741(and)X 
2884(optionally)X 3235(included)X 3538(in)X 3627(requests)X 3917(for)X 955 4876(additional)N 1307(tickets)X 1548(from)X 1736(the)X 1866(ticket-granting)X 2370(server.)X 2639(It)X 2720(speci\256es)X 3028(the)X 3158(addresses)X 3498(from)X 3686(which)X 3913(the)X 955 4972(requested)N 1287(ticket)X 1489(is)X 1566(to)X 1652(be)X 1752(valid.)X 1976(Normally)X 2307(it)X 2374(includes)X 2664(the)X 2785(addresses)X 3116(for)X 3233(the)X 3354(client's)X 3613(workstation.)X 955 5068(If)N 1038(a)X 1103(proxy)X 1319(is)X 1401(requested,)X 1758(this)X 1901(\256eld)X 2071(will)X 2223(contain)X 2487(other)X 2680(addresses.)X 3056(The)X 3209(contents)X 3504(of)X 3599(this)X 3742(\256eld)X 3912(are)X 955 5164(usually)N 1209(copied)X 1445(by)X 1547(the)X 1667(KDC)X 1858(into)X 2004(the)X 3 f 2124(caddr)X 1 f 2346(\256eld)X 2510(of)X 2599(the)X 2719(resulting)X 3021(ticket.)X 3261(The)X 3408(type)X 3568(of)X 3657(this)X 3794(\256eld)X 3958(is)X 955 5260(HostAddresses;)N 1505(its)X 1627(encoding)X 1968(is)X 2068(speci\256ed)X 2400(in)X 2509(section)X 2782(6.1.)X 2968(The)X 3139(encoding)X 3479(consists)X 3778(of)X 3891(two)X 955 5356(sub\256elds.)N 3 f 955 5548(addr-type)N 1 f 1319(speci\256es)X 1621(the)X 1745(type)X 1909(of)X 2002(address)X 2268(that)X 2413(follows.)X 2718(The)X 2868(encoding)X 3187(of)X 3279(this)X 3419(\256eld)X 3586(can)X 3723(be)X 3824(found)X 955 5644(in)N 1037(sections)X 1315(5.2)X 1435(and)X 1571(6.1.)X 3 f 955 5836(address)N 1 f 1237(speci\256es)X 1533(a)X 1589(single)X 1800(address)X 2061(of)X 2148(type)X 3 f 2306(addr-type)X 1 f 2644(.)X 555 6144(Section)N 815(5.1.)X 2196(-)X 2243(15)X 2343(-)X 16 p %%Page: 16 17 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 555 672(ap-options)N 1 f 955(This)X 1122(\256eld)X 1289(appears)X 1560(in)X 1647(the)X 1770(application)X 2151(request)X 2408(\(KRB_AP_REQ\))X 2993(and)X 3134(affects)X 3374(the)X 3497(way)X 3656(the)X 3779(request)X 955 768(is)N 1033(processed.)X 1415(It)X 1488(is)X 1565(a)X 
1625(bit-\256eld,)X 1922(where)X 2143(the)X 2265(selected)X 2548(options)X 2807(are)X 2930(indicated)X 3248(by)X 3352(the)X 3474(bit)X 3582(being)X 3784(set)X 3897(\(1\),)X 955 864(and)N 1104(the)X 1235(unselected)X 1607(options)X 1875(and)X 2024(reserved)X 2330(\256elds)X 2536(being)X 2747(reset)X 2932(\(0\).)X 3099(The)X 3256(encoding)X 3582(of)X 3681(the)X 3811(bits)X 3958(is)X 955 960(speci\256ed)N 1260(in)X 1342(section)X 1589(6.1.)X 1749(The)X 1894(meanings)X 2221(of)X 2308(the)X 2426(options)X 2681(are:)X 2 f 955 1104(Bit\(s\))N 1232(Name)X 2106(Description)X 1 f 955 1296(0)N 1232(RESERVED)X 2106(Reserved)X 2425(for)X 2539(future)X 2751(expansion)X 3096(of)X 3183(this)X 3318(\256eld.)X 955 1488(1)N 1232(USE-SESSION-KEY)X 2106(The)X 2262(USE-SESSION-KEY)X 2986(option)X 3220(indicates)X 3535(that)X 3685(the)X 3813(ticket)X 4021(the)X 4149(client)X 4357(is)X 2106 1584(presenting)N 2465(to)X 2551(a)X 2611(server)X 2832(is)X 2909(encrypted)X 3250(in)X 3336(the)X 3458(session)X 3713(key)X 3853(from)X 4033(the)X 4155(server's)X 2106 1680(ticket-granting)N 2610(ticket.)X 2860(When)X 3084(this)X 3231(option)X 3466(is)X 3550(not)X 3683(speci\256ed,)X 4019(the)X 4148(ticket)X 4357(is)X 2106 1776(encrypted)N 2443(in)X 2525(the)X 2643(server's)X 2918(secret)X 3126(key.)X 955 1968(2)N 1232(MUTUAL-REQUIRED)X 2106(The)X 2278(MUTUAL-REQUIRED)X 3100(option)X 3351(tells)X 3531(the)X 3676(server)X 3920(that)X 4087(the)X 4232(client)X 2106 2064(requires)N 2419(mutual)X 2695(authentication,)X 3223(and)X 3393(that)X 3567(it)X 3664(must)X 3872(respond)X 4179(with)X 4374(a)X 2106 2160(KRB_AP_REP)N 2618(message.)X 955 2352(3-31)N 1232(RESERVED)X 2106(Reserved)X 2425(for)X 2539(future)X 2751(use.)X 3 f 555 2620(authenticator)N 1 f 955 2716(This)N 1120(\256eld)X 1285(appears)X 1554(in)X 1639(the)X 1760(KRB_AP_REQ)X 2289(message)X 2584(and)X 2723(contains)X 3013(the)X 3134(authenticator.)X 3615(Its)X 3717(encoding)X 955 2812(is)N 1028(described)X 1356(in)X 1438(section)X 1685(6.2.2.)X 3 
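The ap-options table above and the ad-type subfield described under authorization-data below are both bit-fields numbered with bit 0 as the most significant bit. The following decoder for the two fields is an added example, not code from the draft or from any Kerberos implementation; it assumes the bit-0-is-MSB rule the draft states for flags and ad-type also governs ap-options, and it treats a set reserved bit as malformed, which is this example's choice rather than a rule the draft states.

```python
from dataclasses import dataclass
from typing import Iterable

# Bit numbering used throughout: bit 0 is the most significant bit of the
# first octet, as the draft states for the flags and ad-type fields. Applying
# the same rule to ap-options is this example's assumption.


def bit_set(field: bytes, bit: int) -> bool:
    """Return True if bit `bit` (0 = MSB of field[0]) is 1."""
    if not 0 <= bit < 8 * len(field):
        raise IndexError(f"bit {bit} outside a {8 * len(field)}-bit field")
    return bool((field[bit // 8] >> (7 - bit % 8)) & 1)


def set_bits(bits: Iterable[int], nbits: int) -> bytes:
    """Build an nbits-wide field with the given bit numbers set (0 = MSB)."""
    value = 0
    for bit in bits:
        if not 0 <= bit < nbits:
            raise IndexError(f"bit {bit} outside a {nbits}-bit field")
        value |= 1 << (nbits - 1 - bit)
    return value.to_bytes(nbits // 8, "big")


def unsigned_from_bits(field: bytes, first: int, last: int) -> int:
    """Bits first..last (inclusive) as an unsigned integer, `first` most significant."""
    value = 0
    for bit in range(first, last + 1):
        value = (value << 1) | int(bit_set(field, bit))
    return value


# ap-options (32 bits): 0 RESERVED, 1 USE-SESSION-KEY, 2 MUTUAL-REQUIRED, 3-31 RESERVED.
AP_USE_SESSION_KEY = 1
AP_MUTUAL_REQUIRED = 2
AP_RESERVED = (0,) + tuple(range(3, 32))


@dataclass(frozen=True)
class ApRequestHandling:
    ticket_key: str         # which key the server must decrypt the ticket with
    must_send_ap_rep: bool  # client requires mutual authentication


def interpret_ap_options(field: bytes) -> ApRequestHandling:
    """Turn the ap-options octets of a KRB_AP_REQ into server-side decisions."""
    if len(field) != 4:
        raise ValueError("ap-options is a 32-bit field")
    # The draft says reserved bits are reset (0). Rejecting a set reserved bit
    # is this example's conservative choice, not a requirement stated in the draft.
    bad = [b for b in AP_RESERVED if bit_set(field, b)]
    if bad:
        raise ValueError(f"reserved ap-options bits set: {bad}")
    if bit_set(field, AP_USE_SESSION_KEY):
        key = "tgt-session-key"      # ticket encrypted in the server's TGT session key
    else:
        key = "server-secret-key"    # default: encrypted in the server's long-term key
    return ApRequestHandling(key, bit_set(field, AP_MUTUAL_REQUIRED))


# ad-type (16 bits): 0 RESERVED, 1 EXTERNAL, 2 REGISTERED, 3-15 FIELD-TYPE.
AD_EXTERNAL = 1
AD_REGISTERED = 2


@dataclass(frozen=True)
class AdType:
    namespace: str    # "proposal", "registered" or "magic-number"
    field_type: int


def decode_ad_type(field: bytes) -> AdType:
    """Decode the ad-type subfield into the namespace that defines its type number."""
    if len(field) != 2:
        raise ValueError("ad-type is a 16-bit field")
    if bit_set(field, 0):
        raise ValueError("ad-type bit 0 is reserved and must be reset")
    if not bit_set(field, AD_EXTERNAL):
        # Type defined by the Kerberos authorization proposal: bits 2-15, bit 2 MSB.
        return AdType("proposal", unsigned_from_bits(field, 2, 15))
    # External type: bit 2 says whether bits 3-15 are a registered type or an
    # implementor-chosen magic number that is not guaranteed to be unique.
    namespace = "registered" if bit_set(field, AD_REGISTERED) else "magic-number"
    return AdType(namespace, unsigned_from_bits(field, 3, 15))


if __name__ == "__main__":
    # Constructed sample values, not captured protocol data.
    opts = set_bits([AP_USE_SESSION_KEY, AP_MUTUAL_REQUIRED], 32)
    print(opts.hex(), interpret_ap_options(opts))
    print(decode_ad_type(set_bits([AD_EXTERNAL, AD_REGISTERED, 13, 14, 15], 16)))
```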
authenticator-vno
    This field specifies the version number for the format of the authenticator.

authorization-data
    The authorization-data field is used to pass authorization data from the principal on whose behalf a ticket was issued to the application service. If no authorization data is included, this field will be left out. The data in this field are specific to the end service. It is expected that the field will contain the names of service specific objects, and the rights to those objects. The format for this field is described in section 6.1. Although Kerberos is not concerned with the format of the contents of the subfields, it does carry type information (ad-type).

    By using the authorization_data field, a principal is able to issue a proxy that is valid for a specific purpose. For example, a client wishing to print a file can obtain a file server proxy to be passed to the print server. By specifying the name of the file in the authorization_data field, the file server knows that the print server can only use the client's rights when accessing the particular file to be printed.

    It is interesting to note that if one specifies the authorization-data field of a proxy and leaves the host addresses blank, the resulting ticket and session key can be treated as a capability.

    ad-data  is a subfield containing authorization data whose interpretation is specified elsewhere (possibly by the service).

    ad-type  is a subfield which specifies the format for the ad-data subfield. The meanings of the bits in the subfield are indicated below. Bit 0 is the most significant bit.

    Bit(s)  Name        Description
    0       RESERVED    Reserved for future expansion. Must be reset (0).
    1       EXTERNAL    If this bit is reset (0), then the meaning of the
                        ad-type field is defined in the Kerberos
                        authorization proposal, and bits 2-15 encode a type
                        from that proposal, with bit 2 as the most
                        significant bit of an unsigned quantity. If this bit
                        is set (1), then the meaning of the ad-type field is
                        not defined in the Kerberos authorization proposal,
                        and bits 3-15 are to be interpreted according to the
                        value of bit 2 (REGISTERED).
    2       REGISTERED  If this bit is set (1), the field type given by bits
                        3-15 is registered. If this bit is reset (0), then
                        the field type is not registered, and the field type
                        given by bits 3-15 has been arbitrarily chosen by the
                        implementor, and is not guaranteed to be unique (it
                        can be thought of as a "magic number").
    3-15    FIELD-TYPE  These bits specify the field type or the unregistered
                        magic number. They are to be interpreted as an
                        unsigned integer, with bit 3 as the most significant
                        bit.

    The authorization-data field is optional and does not have to be included in a ticket.

authtime
    This field indicates the time of initial authentication for the named principal. It is the time of issue for the original ticket on which this ticket is based. It is included in the ticket to provide additional information to the end service, and to provide the necessary information for implementation of a `hot list' service at the KDC. An end service that is particularly paranoid could refuse to accept tickets for which the initial authentication occurred too far in the past. This field is of type KerberosTime.

    This field is also returned as part of the response from the KDC. When returned as part of the response to initial authentication (KRB_AS_REP), this is the current time on the Kerberos server and may be used (at the workstation's option) to adjust the workstation's clock.

caddr
    This field in a ticket contains zero or more host addresses. These are the addresses from which the ticket can be used. If there are no addresses, the ticket can be used from any location. The decision to issue or accept zero-address tickets is a policy decision and is left to the Kerberos and end-service administrators. The suggested and default policy, however, is that such tickets will only be issued or accepted when additional information that can be used to restrict the use of the ticket is included in the authorization_data field. Such a ticket is a capability.

    Network addresses are included in the ticket to make it harder for an attacker to use stolen credentials. Because the session key is not sent over the network in cleartext, credentials can't be stolen simply by listening to the network; an attacker has to gain access to the session key (perhaps through operating system security breaches or a careless user's unattended session) to make use of stolen tickets.

    It is important to note that the network address from which a connection is received cannot be reliably determined. Even if it could be, an attacker who has compromised the client's workstation could use the credentials from there. Including the network addresses only makes it more difficult, not impossible, for an attacker to walk off with stolen credentials and then use them from a "safe" location.

    This field is of type HostAddresses. For further information on the format of this field, see section 6.1 and the field description for the addresses field.

cksum
    This field appears in the KRB-SAFE message, and optionally in the authenticator. It contains the checksum of the application data that accompanies it. This field is of type Checksum and is described in section 7.2. The field contains two subfields.

    cksumtype  is a subfield which specifies the algorithm used to generate the checksum that follows. A listing of the accepted values for this field appears in section 7.2.

    checksum  is a subfield which contains the checksum itself. It is an octet string of sufficient length to hold the checksum of the type specified in the cksumtype field.

cmsec
    This field contains the millisecond part of the client's timestamp. Its value (before encryption) ranges from 0 to 999. It often appears along with ctime. The two fields are used in conjunction to specify a reasonably accurate timestamp.

cname
    This field contains the name part of the client's identity. It is a string array. It typically consists of one or two components, but may be longer.

crealm
    This field contains the name of the realm in which the client is registered, and in which initial authentication took place. It is of type string. The string will usually consist of several components separated by periods (.).

ctime
    This field contains the current time on the client's workstation. It is of type KerberosTime.

confounder
    This field contains random data and appears at the beginning of data to be encrypted. Its purpose is to make chosen- and known-plaintext attacks more difficult. It is important to note that the existence of this field does not prevent a verifiable plaintext attack. It just prevents the use of a precomputed ciphertext dictionary to find the corresponding plaintext. The efficacy of the confounder depends on the ability of the cryptosystem to propagate changes at the start of the encrypted plaintext through the remainder of the ciphertext. The field is a string of octets without any leading tag information.

endtime
    This field contains the time after which the ticket will not be honored (its expiration time). Together with starttime, this field specifies the life of the ticket. Note that individual services may place their own limits on the life of a ticket and may reject tickets which have not yet expired. As such, this is really an upper bound on the expiration time for the ticket. This field is of type KerberosTime.

error-code
    This field contains the error code returned by Kerberos or the server when a request fails. To interpret the value of this field see the list of error codes in section 8. Implementations are encouraged to provide for national language support in the display of error messages.

e-data
    This field contains additional data for use by the application to help it recover from the error.

e-text
    This field contains additional text to help explain the error code associated with the failed request (for example, it might include a principal name which was unknown).

enc-part
    This field is a place holder for the ciphertext and related information that forms the encrypted part of a message. The description of the encrypted part of the message follows each appearance of this field. The encrypted part is encoded as described in section 7.1.

etype
    This field is found in the EncryptedData datatype and specifies the type of encryption being used to generate the subsequent ciphertext. This field is also found in the KRB_AS_REQ message where it specifies the encryption algorithm to be used in the response.

flags
    This field indicates which of various options were used or requested when the ticket was issued. It is a bit-field, where the selected options are indicated by the bit being set (1), and the unselected options and reserved fields being reset (0). Bit 0 is the most significant bit. The encoding of the bits is specified in section 6.1. The meanings of the options are:

    Bit(s)  Name         Description
    0       RESERVED     Reserved for future expansion of this field.
    1       FORWARDABLE  The FORWARDABLE flag is normally only interpreted by
                         the TGS, and can be ignored by end servers. When set,
                         this flag tells the ticket-granting server that it is
                         OK to issue a new ticket-granting ticket with a
                         different network address based on the present
                         ticket-granting ticket. This flag is reset by default,
                         but users may request that it be set when they request
                         their initial ticket-granting ticket. This flag allows
                         for authentication forwarding without requiring the
                         user to enter a password again. If the flag is not set,
                         then authentication forwarding is not permitted
                         (however, the end result can still be achieved if the
                         user engages in the AS exchange from the local or
                         remote host).
    2       FORWARDED    When set, this flag indicates that the ticket has
                         either been forwarded, or was issued based on
                         authentication involving a forwarded ticket-granting
                         ticket.
    3       PROXIABLE    The PROXIABLE flag is normally only interpreted by the
                         TGS, and can be ignored by end servers. The PROXIABLE
                         flag has an interpretation identical to that of the
                         FORWARDABLE flag, except that the PROXIABLE flag tells
                         the ticket-granting server that only
                         non-ticket-granting tickets may be issued with
                         different network addresses. This flag is set by
                         default. It allows proxies for specific
3756(services.)X 4076(For)X 4208(exam-)X 2105 3600(ple,)N 2248(it)X 2317(allows)X 2551(a)X 2612(print)X 2788(server)X 3010(to)X 3097(access)X 3328(a)X 3389(client's)X 3650(\256les)X 3808(on)X 3913(a)X 3974(particular)X 4307(\256le)X 2105 3696(server)N 2322(in)X 2404(order)X 2594(to)X 2676(satisfy)X 2905(a)X 2961(print)X 3132(request.)X 955 3888(4)N 1283(PROXY)X 2105(When)X 2319(set,)X 2449(this)X 2585(\257ag)X 2726(indicates)X 3032(that)X 3173(a)X 3230(ticket)X 3429(is)X 3503(a)X 3560(proxy.)X 3808(It)X 3878(tells)X 4032(the)X 4151(end)X 4288(ser-)X 2105 3984(vice)N 2265(that)X 2410(the)X 2533(client)X 2736(is)X 2814(acting)X 3035(on)X 3140(behalf)X 3366(of)X 3458(the)X 3581(principal,)X 3911(but)X 4038(may)X 4201(in)X 4288(fact)X 2105 4080(be)N 2214(a)X 2283(different)X 2593(principal.)X 2950(A)X 3040(service)X 3300(might)X 3518(check)X 3738(this,)X 3905(and)X 4053(if)X 4134(a)X 4202(proxy,)X 2105 4176(require)N 2362(additional)X 2711(authentication)X 3194(from)X 3379(the)X 3506(agent)X 3709(itself)X 3897(in)X 3987(order)X 4185(to)X 4275(pro-)X 2105 4272(vide)N 2263(an)X 2359(audit)X 2539(trail.)X 955 4464(5)N 1283(MAY-POSTDATE)X 2105(The)X 2259(MAY-POSTDATE)X 2911(\257ag)X 3060(is)X 3141(normally)X 3458(only)X 3628(interpreted)X 4004(by)X 4112(the)X 4238(TGS,)X 2105 4560(and)N 2251(can)X 2393(be)X 2499(ignored)X 2774(by)X 2884(end)X 3030(servers.)X 3328(This)X 3500(\257ag)X 3650(must)X 3834(be)X 3939(set)X 4057(in)X 4148(order)X 4347(to)X 2105 4656(issue)N 2287(a)X 2345(postdated)X 2674(ticket)X 2874(based)X 3079(on)X 3181(the)X 3301(present)X 3554(ticket-granting)X 4047(ticket.)X 4286(It)X 4356(is)X 2105 4752(reset)N 2291(by)X 2405(default.)X 2702(This)X 2877(\257ag)X 3030(does)X 3210(not)X 3345(allow)X 3556(one)X 3705(to)X 3800(obtain)X 4033(a)X 4102(postdated)X 2105 4848(ticket-granting)N 2619(ticket.)X 2878(Postdated)X 3230(ticket-granting)X 3743(tickets)X 3993(can)X 4146(only)X 4329(by)X 2105 4944(obtained)N 2410(by)X 2518(requesting)X 2880(the)X 
3006(postdating)X 3367(in)X 3457(the)X 3583(KRB_AS_REQ)X 4117(message.)X 2105 5040(The)N 2257(life)X 2391(\()X 3 f 2418(endtime)X 1 f 2694(-)X 3 f 2721(starttime)X 1 f 3034(\))X 3088(of)X 3182(a)X 3245(postdated)X 3579(ticket)X 3783(will)X 3933(be)X 4035(the)X 4159(remain-)X 2105 5136(ing)N 2228(life)X 2356(of)X 2444(the)X 2563(ticket-granting)X 3056(ticket)X 3255(at)X 3334(the)X 3452(time)X 3614(of)X 3701(the)X 3819(request,)X 4091(unless)X 4311(the)X 2105 5232(RENEWABLE)N 2620(option)X 2845(is)X 2919(also)X 3068(set,)X 3197(in)X 3279(which)X 3495(case,)X 3674(it)X 3738(can)X 3870(be)X 3966(the)X 4084(full)X 4215(life)X 4342(of)X 2105 5328(the)N 2230(ticket-granting)X 2729(ticket.)X 2974(The)X 3126(KDC)X 3322(may)X 3487(limit)X 3663(how)X 3827(far)X 3943(in)X 4031(the)X 4155(future)X 4373(a)X 2105 5424(ticket)N 2303(may)X 2461(be)X 2557(postdated.)X 555 6144(Section)N 815(5.1.)X 2196(-)X 2243(19)X 2343(-)X 20 p %%Page: 20 21 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 955 672(6)N 1283(POSTDATED)X 2105(This)X 2272(\257ag)X 2417(indicates)X 2726(that)X 2870(this)X 3009(ticket)X 3211(has)X 3342(been)X 3518(postdated.)X 3889(The)X 4038(end-service)X 2105 768(can)N 2249(check)X 2469(the)X 3 f 2599(authtime)X 1 f 2938(\256eld)X 3112(to)X 3206(see)X 3341(when)X 3546(the)X 3675(original)X 3955(authentication)X 2105 864(occurred.)N 2462(Some)X 2679(services)X 2973(may)X 3145(choose)X 3402(to)X 3498(reject)X 3711(post-dated)X 4079(tickets,)X 4342(or)X 2105 960(they)N 2276(may)X 2447(only)X 2622(accept)X 2861(them)X 3054(within)X 3291(a)X 3360(certain)X 3612(period)X 3850(after)X 4030(the)X 4160(original)X 2105 1056(authentication.)N 955 1248(7)N 1283(INVALID)X 2105(This)X 2273(\257ag)X 2419(indicates)X 2730(that)X 2875(a)X 2936(ticket)X 3139(is)X 3217(invalid.)X 3504(A)X 3587(postdated)X 3919(ticket)X 4122(will)X 4271(usu-)X 2105 1344(ally)N 2248(be)X 2347(issued)X 2570(in)X 2655(this)X 2793(form,)X 2992(and)X 3131(it)X 3198(must)X 3376(be)X 
3474(validated)X 3790(by)X 3892(the)X 4012(KDC)X 4203(before)X 2105 1440(it)N 2170(can)X 2303(be)X 2400(used,)X 2588(but)X 2711(after)X 2880(its)X 3 f 2976(starttime)X 1 f 3289(.)X 3350(The)X 3496(validation)X 3837(is)X 3910(required)X 4198(so)X 4289(that)X 2105 1536(postdated)N 2437(tickets)X 2671(which)X 2892(have)X 3068(been)X 3244(stolen)X 3459(before)X 3689(their)X 3 f 3860(starttime)X 1 f 4197(can)X 4333(be)X 2105 1632(rendered)N 2407(permanently)X 2828(invalid)X 3070(\(through)X 3366(the)X 3484(hot-list)X 3730(mechanism\).)X 955 1824(8)N 1283(RENEWABLE)X 2105(The)X 2257(RENEWABLE)X 2778(\257ag)X 2925(is)X 3005(normally)X 3321(only)X 3490(interpreted)X 3865(by)X 3972(the)X 4096(TGS,)X 4293(and)X 2105 1920(can)N 2265(usually)X 2544(be)X 2668(ignored)X 2960(by)X 3087(end)X 3250(servers)X 3525(\(some)X 3768(particularly)X 4185(careful)X 2105 2016(servers)N 2365(may)X 2534(wish)X 2716(to)X 2809(disallow)X 3111(renewable)X 3473(tickets\).)X 3780(A)X 3869(renewable)X 4231(ticket)X 2105 2112(can)N 2250(be)X 2359(used)X 2539(to)X 2634(obtain)X 2867(a)X 2936(new)X 3102(ticket)X 3312(that)X 3464(expires)X 3728(at)X 3818(a)X 3886(later)X 4061(date.)X 4267(This)X 2105 2208(allows)N 2336(the)X 2455(life)X 2583(of)X 2671(a)X 2728(ticket)X 2927(to)X 3010(be)X 3107(extended)X 3418(without)X 3683(having)X 3922(to)X 4005(enter)X 4187(a)X 4244(pass-)X 2105 2304(word)N 2301(again,)X 2526(while)X 2735(providing)X 3077(some)X 3277(mechanism)X 3672(for)X 3796(cancellation)X 4214(of)X 4311(the)X 2105 2400(right)N 2276(to)X 2358(use)X 2485(the)X 2603(ticket)X 2801(at)X 2879(renewal)X 3154(time.)X 3356(If)X 3430(the)X 3548(ticket)X 3746(is)X 3819(not)X 3941(renewed)X 4234(by)X 4334(its)X 2105 2496(expiration)N 2454(time,)X 2640(then)X 2801(renewal)X 3079(will)X 3226(not)X 3351(be)X 3450(allowed.)X 3767(The)X 3915(RENEWABLE)X 2105 2592(\257ag)N 2250(is)X 2328(reset)X 2505(by)X 2610(default.)X 2898(If)X 2977(set,)X 3111(then)X 3274(the)X 3 f 3396(renew-till)X 1 f 3750(\256eld)X 
3916(contains)X 4207(a)X 4267(time)X 2105 2688(after)N 2273(which)X 2489(the)X 2607(ticket)X 2805(may)X 2963(not)X 3085(be)X 3181(renewed.)X 955 2880(9)N 1283(INITIAL)X 2105(This)X 2277(\257ag)X 2427(indicates)X 2742(that)X 2892(this)X 3037(ticket)X 3245(was)X 3400(issued)X 3630(using)X 3833(the)X 3961(initial)X 4177(request)X 2105 2976(protocol.)N 2441(It)X 2519(was)X 2673(returned)X 2970(to)X 3061(the)X 3188(client)X 3395(encrypted)X 3741(in)X 3831(the)X 3957(client's)X 4221(secret)X 2105 3072(key,)N 2262(and)X 2399(the)X 2518(request)X 2771(was)X 2917(not)X 3039(based)X 3242(on)X 3342(a)X 3398(ticket-granting)X 3890(ticket.)X 4128(Applica-)X 2105 3168(tions)N 2287(that)X 2434(want)X 2617(to)X 2706(require)X 2961(the)X 3086(entering)X 3376(of)X 3470(a)X 3533(password)X 3863(can)X 4002(check)X 4217(to)X 4306(see)X 2105 3264(that)N 2255(this)X 2400(\257ag)X 2550(is)X 2633(set.)X 2792(An)X 2920(example)X 3222(of)X 3319(an)X 3425(application)X 3811(that)X 3961(would)X 4191(bene\256t)X 2105 3360(from)N 2288(such)X 2462(a)X 2525(restriction)X 2877(is)X 2957(a)X 3019(password-changing)X 3669(program,)X 3987(which)X 4209(would)X 2105 3456(traditionally)N 2537(require)X 2806(timely)X 3051(presentation)X 3483(of)X 3590(both)X 3772(old)X 3914(and)X 4070(new)X 4244(pass-)X 2105 3552(words.)N 955 3744(10)N 1283(DUPLICATE-SKEY)X 2105(This)X 2279(\257ag)X 2431(indicates)X 2748(that)X 2900(the)X 3030(session)X 3293(key)X 3441(in)X 3535(this)X 3682(ticket)X 3892(may)X 4062(be)X 4169(used)X 4347(in)X 2105 3840(other)N 2292(tickets)X 2523(as)X 2612(well.)X 2812(Other)X 3017(principals)X 3354(besides)X 3611(the)X 3730(named)X 3965(principal)X 4271(may)X 2105 3936(know)N 2307(the)X 2429(session)X 2684(key.)X 2864(The)X 3013(ability)X 3241(to)X 3327(use)X 3457(the)X 3578(same)X 3766(session)X 4020(key)X 4159(in)X 4244(more)X 2105 4032(than)N 2264(one)X 2400(ticket)X 2598(allows)X 2827(a)X 2883(key)X 3019(to)X 3101(be)X 3197(shared)X 3427(with)X 3589(more)X 3774(than)X 3932(one)X 
4068(other)X 4253(prin-)X 2105 4128(cipal.)N 2324(This)X 2489(is)X 2565(useful)X 2784(for)X 2901(implementing)X 3368(protocols)X 3689(in)X 3773(which)X 3991(all)X 4093(principals)X 2105 4224(are)N 2229(trusted,)X 2492(and)X 2633(where)X 2855(information)X 3258(is)X 3335(broadcast)X 3667(to)X 3753(more)X 3942(than)X 4104(one)X 4244(other)X 2105 4320(principal.)N 2448(Normal)X 2731(servers)X 2997(will)X 3159(not)X 3299(accept)X 3543(authentication)X 4035(based)X 4256(on)X 4373(a)X 2105 4416(ticket)N 2308(that)X 2453(has)X 2585(this)X 2725(\257ag)X 2870(set)X 2984(\(see)X 3139(the)X 3262(discussion)X 3620(of)X 3712(REUSE-SKEY)X 4226(under)X 3 f 2105 4512(kdc_options)N 1 f 2517(,)X 2557(below\).)X 955 4704(11-31)N 1283(RESERVED)X 2105(Reserved)X 2424(for)X 2538(future)X 2750(use.)X 3 f 555 4972(from)N 1 f 955(This)X 1130(\256eld)X 1305(is)X 1391(included)X 1700(in)X 1795(the)X 1926(KRB_AS_REQ)X 2465(and)X 2614(KRB_TGS_REQ)X 3202(ticket)X 3412(requests)X 3707(when)X 3913(the)X 955 5068(requested)N 1291(ticket)X 1497(is)X 1578(to)X 1668(be)X 1772(postdated.)X 2127(It)X 2204(speci\256es)X 2508(the)X 2634(desired)X 2894(start)X 3060(time)X 3230(for)X 3352(the)X 3478(requested)X 3813(ticket.)X 955 5164(This)N 1117(\256eld)X 1279(is)X 1352(of)X 1439(type)X 1597(KerberosTime.)X 3 f 555 5384(kdc_options)N 1 f 955 5480(This)N 1123(\256eld)X 1291(appears)X 1563(in)X 1651(the)X 1775(KRB_AS_REQ)X 2306(and)X 2447(KRB_TGS_REQ)X 3027(requests)X 3315(to)X 3402(the)X 3525(KDC)X 3719(and)X 3860(indi-)X 955 5576(cates)N 1146(the)X 1274(\257ags)X 1455(that)X 1605(the)X 1733(client)X 1941(wants)X 2158(set)X 2277(on)X 2387(the)X 2515(tickets)X 2754(as)X 2851(well)X 3019(as)X 3116(other)X 3311(information)X 3718(that)X 3867(is)X 3949(to)X 955 5672(modify)N 1210(the)X 1332(behavior)X 1637(of)X 1728(the)X 1850(KDC.)X 2083(Where)X 2322(appropriate,)X 2731(the)X 2852(name)X 3049(of)X 3139(an)X 3238(option)X 3465(may)X 3626(be)X 3725(the)X 3846(same)X 955 5768(as)N 1046(the)X 1168(\257ag)X 
1312(that)X 1456(is)X 1533(set)X 1646(by)X 1750(that)X 1894(option.)X 2161(Although)X 2486(in)X 2571(most)X 2749(case,)X 2931(the)X 3052(bit)X 3159(in)X 3244(the)X 3365(options)X 3623(\256eld)X 3788(will)X 3935(be)X 555 6144(Section)N 815(5.1.)X 2196(-)X 2243(20)X 2343(-)X 21 p %%Page: 21 22 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 955 672(the)N 1077(same)X 1266(as)X 1357(that)X 1501(in)X 1587(the)X 1709(\257ags)X 1884(\256eld,)X 2070(this)X 2208(is)X 2284(not)X 2409(guaranteed,)X 2805(so)X 2899(it)X 2966(is)X 3042(not)X 3167(acceptable)X 3530(to)X 3615(simply)X 3855(copy)X 955 768(the)N 1074(options)X 1330(\256eld)X 1493(to)X 1576(the)X 1695(\257ags)X 1867(\256eld.)X 2069(There)X 2277(are)X 2396(various)X 2652(checks)X 2891(that)X 3031(must)X 3206(be)X 3302(made)X 3496(before)X 3722(honoring)X 955 864(an)N 1051(option)X 1275(anyway.)X 955 1056(The)N 1101(kdc_options)X 1513(\256eld)X 1676(is)X 1750(a)X 1807(bit-\256eld,)X 2100(where)X 2317(the)X 2435(selected)X 2714(options)X 2969(are)X 3088(indicated)X 3402(by)X 3502(the)X 3620(bit)X 3724(being)X 3922(set)X 955 1152(\(1\),)N 1091(and)X 1229(the)X 1349(unselected)X 1710(options)X 1967(and)X 2105(reserved)X 2400(\256elds)X 2595(being)X 2795(reset)X 2969(\(0\).)X 3125(Bit)X 3244(0)X 3306(is)X 3381(the)X 3501(most)X 3678(signi\256cant)X 955 1248(bit.)N 1099(The)X 1244(encoding)X 1558(of)X 1645(the)X 1763(bits)X 1898(is)X 1971(speci\256ed)X 2276(in)X 2358(section)X 2605(6.1.)X 2765(The)X 2910(meanings)X 3237(of)X 3324(the)X 3442(options)X 3697(are:)X 2 f 955 1392(Bit\(s\))N 1259(Name)X 2102(Description)X 1 f 955 1584(0)N 1259(RESERVED)X 2102(Reserved)X 2421(for)X 2535(future)X 2747(expansion)X 3092(of)X 3179(this)X 3314(\256eld.)X 955 1776(1)N 1259(FORWARDABLE)X 2102(The)X 2249(FORWARDABLE)X 2879(option)X 3104(indicates)X 3410(that)X 3551(the)X 3670(ticket)X 3869(to)X 3952(be)X 4049(issued)X 4270(is)X 4344(to)X 2102 1872(have)N 2280(its)X 2381(forwardable)X 2796(\257ag)X 2942(set.)X 
3096(It)X 3170(may)X 3333(only)X 3500(be)X 3601(set)X 3715(on)X 3820(the)X 3943(initial)X 4154(request,)X 2102 1968(or)N 2201(in)X 2295(a)X 2363(subsequent)X 2751(request)X 3015(if)X 3096(the)X 3226(ticket-granting)X 3730(ticket)X 3940(on)X 4051(which)X 4278(it)X 4353(is)X 2102 2064(based)N 2305(is)X 2378(also)X 2527(forwardable.)X 955 2256(2)N 1259(FORWARDED)X 2102(The)X 2254(FORWARDED)X 2788(option)X 3019(is)X 3099(only)X 3268(speci\256ed)X 3580(in)X 3669(a)X 3731(request)X 3989(to)X 4077(the)X 4201(ticket-)X 2102 2352(granting)N 2391(server)X 2610(and)X 2748(will)X 2894(only)X 3058(be)X 3156(honored)X 3441(if)X 3512(the)X 3632(ticket-granting)X 4126(ticket)X 4326(on)X 2102 2448(which)N 2331(it)X 2408(is)X 2494(based)X 2710(is)X 2796(forwardable.)X 3258(This)X 3433(option)X 3669(indicates)X 3986(that)X 4138(this)X 4285(is)X 4370(a)X 2102 2544(request)N 2369(for)X 2498(forwarding.)X 2930(The)X 3090(address\(es\))X 3487(of)X 3589(the)X 3721(host)X 3888(from)X 4078(which)X 4308(the)X 2102 2640(resulting)N 2409(ticket)X 2614(is)X 2694(to)X 2783(be)X 2886(valid)X 3073(are)X 3199(included)X 3501(in)X 3589(the)X 3713(addresses)X 4047(\256eld)X 4215(of)X 4308(the)X 2102 2736(request.)N 955 2928(3)N 1259(PROXIABLE)X 2102(The)X 2247(PROXIABLE)X 2716(option)X 2940(indicates)X 3245(that)X 3385(the)X 3503(ticket)X 3701(to)X 3783(be)X 3879(issued)X 4099(is)X 4172(to)X 4254(have)X 2102 3024(its)N 2204(proxiable)X 2534(\257ag)X 2681(set.)X 2837(It)X 2913(may)X 3078(only)X 3247(be)X 3350(set)X 3466(on)X 3573(the)X 3698(initial)X 3911(request,)X 4189(or)X 4282(in)X 4370(a)X 2102 3120(subsequent)N 2487(request)X 2748(if)X 2825(the)X 2951(ticket-granting)X 3451(ticket)X 3657(on)X 3765(which)X 3989(it)X 4061(is)X 4142(based)X 4353(is)X 2102 3216(also)N 2251(proxiable.)X 955 3408(4)N 1259(PROXY)X 2102(The)X 2258(PROXY)X 2560(option)X 2795(indicates)X 3111(that)X 3261(this)X 3406(is)X 3489(a)X 3555(request)X 3817(for)X 3941(a)X 4007(proxy.)X 4264(This)X 2102 3504(option)N 2334(will)X 
2485(only)X 2654(be)X 2757(honored)X 3047(if)X 3123(the)X 3248(ticket-granting)X 3747(ticket)X 3952(on)X 4059(which)X 4282(it)X 4353(is)X 2102 3600(based)N 2311(is)X 2390(proxiable.)X 2759(The)X 2910(address\(es\))X 3298(of)X 3391(the)X 3515(host)X 3674(from)X 3856(which)X 4078(the)X 4201(result-)X 2102 3696(ing)N 2245(ticket)X 2464(is)X 2558(to)X 2660(be)X 2776(valid)X 2976(are)X 3115(included)X 3431(in)X 3533(the)X 3671(addresses)X 4019(\256eld)X 4201(of)X 4308(the)X 2102 3792(request.)N 955 3984(5)N 1259(ALLOW-POSTDATE)X 2102(The)X 2253(ALLOW-POSTDATE)X 3005(option)X 3235(indicates)X 3546(that)X 3692(the)X 3815(ticket)X 4018(to)X 4105(be)X 4206(issued)X 2102 4080(is)N 2177(to)X 2261(have)X 2435(its)X 2532(MAY-POSTDATE)X 3177(\257ag)X 3319(set.)X 3470(It)X 3541(may)X 3701(only)X 3865(be)X 3963(set)X 4074(on)X 4176(the)X 4295(ini-)X 2102 4176(tial)N 2234(request,)X 2515(or)X 2611(in)X 2702(a)X 2767(subsequent)X 3152(request)X 3413(if)X 3491(the)X 3618(ticket-granting)X 4119(ticket)X 4326(on)X 2102 4272(which)N 2318(it)X 2382(is)X 2455(based)X 2658(also)X 2807(has)X 2934(its)X 3029(MAY-POSTDATE)X 3672(\257ag)X 3812(set.)X 955 4464(6)N 1259(POSTDATED)X 2102(The)X 2248(POSTDATED)X 2736(option)X 2961(indicates)X 3267(that)X 3408(this)X 3544(is)X 3618(a)X 3675(request)X 3928(for)X 4043(a)X 4099(postdated)X 2102 4560(ticket.)N 2344(This)X 2510(option)X 2738(will)X 2886(only)X 3052(be)X 3151(honored)X 3437(if)X 3509(the)X 3630(ticket-granting)X 4125(ticket)X 4326(on)X 2102 4656(which)N 2335(it)X 2416(is)X 2506(based)X 2726(has)X 2870(its)X 2982(MAY-POSTDATE)X 3642(\257ag)X 3799(set.)X 3965(The)X 4126(resulting)X 2102 4752(ticket)N 2300(will)X 2444(also)X 2593(have)X 2765(its)X 2860(INVALID)X 3215(\257ag)X 3355(set,)X 3484(and)X 3620(that)X 3760(\257ag)X 3900(may)X 4058(be)X 4154(reset)X 4326(by)X 2102 4848(a)N 2170(subsequent)X 2558(request)X 2822(to)X 2916(the)X 3046(KDC)X 3247(after)X 3427(the)X 3557(starttime)X 3868(in)X 3961(the)X 4090(ticket)X 4299(has)X 2102 
4944(been)N 2274(reached.)X 955 5136(7)N 1259(UNUSED)X 2102(This)X 2264(option)X 2488(is)X 2561(presently)X 2875(unused.)X 955 5328(8)N 1259(RENEWABLE)X 2102(The)X 2259(RENEWABLE)X 2785(option)X 3021(indicates)X 3338(that)X 3490(the)X 3620(ticket)X 3829(to)X 3922(be)X 4029(issued)X 4260(is)X 4344(to)X 2102 5424(have)N 2294(its)X 2409(RENEWABLE)X 2943(\257ag)X 3103(set.)X 3272(It)X 3361(may)X 3539(only)X 3721(be)X 3836(set)X 3964(on)X 4083(the)X 4220(initial)X 2102 5520(request,)N 2375(or)X 2462(when)X 2656(the)X 2774(ticket-granting)X 3266(ticket)X 3464(on)X 3564(which)X 3780(the)X 3898(request)X 4150(is)X 4223(based)X 2102 5616(is)N 2182(also)X 2338(renewable.)X 2736(If)X 2816(this)X 2957(option)X 3187(is)X 3266(requested,)X 3620(then)X 3784(the)X 3 f 3908(renew-till)X 1 f 4264(\256eld)X 2102 5712(contains)N 2389(the)X 2507(desired)X 2759(absolute)X 3046(expiration)X 3391(time)X 3553(for)X 3667(the)X 3785(ticket.)X 555 6144(Section)N 815(5.1.)X 2196(-)X 2243(21)X 2343(-)X 22 p %%Page: 22 23 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 955 672(9)N 1259(UNUSED)X 2102(This)X 2264(option)X 2488(is)X 2561(presently)X 2875(unused.)X 955 864(10)N 1259(DUPLICATE-SKEY)X 2102(The)X 2250(DUPLICATE-SKEY)X 2954(option)X 3180(indicates)X 3487(that)X 3629(the)X 3749(ticket)X 3949(to)X 4033(be)X 4131(issued)X 4353(is)X 2102 960(to)N 2186(have)X 2360(its)X 2457(DUPLICATE-SKEY)X 3160(\257ag)X 3302(set.)X 3453(This)X 3617(option)X 3842(may)X 4001(be)X 4098(requested)X 2102 1056(at)N 2184(any)X 2324(time.)X 2529(This)X 2694(option)X 2921(does)X 3091(not)X 3216(duplicate)X 3533(the)X 3654(session)X 3908(key.)X 4087(Instead,)X 4362(it)X 2102 1152(simply)N 2341(sets)X 2483(the)X 2603(\257ag)X 2745(in)X 2828(the)X 2947(ticket)X 3146(so)X 3238(that)X 3379(the)X 3498(session)X 3750(key)X 3887(can)X 4020(be)X 4117(reused)X 4348(at)X 2102 1248(a)N 2158(later)X 2321(time.)X 955 1440(11-26)N 1259(RESERVED)X 2102(Reserved)X 2421(for)X 2535(future)X 2747(use.)X 955 
1632(27)N 1259(RENEWABLE-OK)X 2102(The)X 2248(RENEWABLE-OK)X 2906(option)X 3131(indicates)X 3437(that)X 3578(a)X 3635(renewable)X 3987(ticket)X 4186(will)X 4330(be)X 2102 1728(acceptable)N 2468(if)X 2543(a)X 2605(ticket)X 2809(with)X 2977(the)X 3101(requested)X 3435(life)X 3568(can)X 3706(not)X 3834(otherwise)X 4171(be)X 4272(pro-)X 2102 1824(vided.)N 2351(If)X 2436(a)X 2503(ticket)X 2712(with)X 2884(the)X 3012(requested)X 3350(life)X 3487(can)X 3629(not)X 3761(be)X 3867(provided,)X 4202(then)X 4370(a)X 2102 1920(renewable)N 2474(ticket)X 2693(may)X 2872(be)X 2989(issued)X 3230(with)X 3413(a)X 3489(renew_till)X 3854(equal)X 4068(to)X 4170(the)X 4308(the)X 2102 2016(requested)N 2438(endtime.)X 2764(The)X 2917(value)X 3119(of)X 3213(the)X 3338(renew_till)X 3690(\256eld)X 3859(may)X 4024(still)X 4170(be)X 4273(lim-)X 2102 2112(ited)N 2258(by)X 2373(local)X 2564(limits,)X 2800(or)X 2902(limits)X 3118(selected)X 3412(by)X 3527(the)X 3660(individual)X 4019(principal)X 4339(or)X 2102 2208(server.)N 955 2400(28)N 1259(ENC-TKT-IN-SKEY)X 2102(This)X 2283(option)X 2526(is)X 2618(used)X 2804(only)X 2985(by)X 3104(the)X 3240(ticket-granting)X 3750(service.)X 4056(The)X 4219(ENC-)X 2102 2496(TKT-IN-SKEY)N 2633(option)X 2864(indicates)X 3176(that)X 3323(the)X 3448(ticket)X 3653(for)X 3774(the)X 3899(end)X 4042(server)X 4265(is)X 4344(to)X 2102 2592(be)N 2218(encrypted)X 2575(in)X 2677(the)X 2815(session)X 3086(key)X 3242(from)X 3438(the)X 3575(additional)X 3934(ticket-granting)X 2102 2688(ticket)N 2300(provided.)X 955 2880(29)N 1259(REUSE-SKEY)X 2102(This)X 2274(option)X 2508(is)X 2591(used)X 2767(only)X 2938(by)X 3047(the)X 3174(ticket-granting)X 3675(service.)X 3972(The)X 4126(REUSE-)X 2102 2976(SKEY)N 2339(option)X 2571(indicates)X 2884(that)X 3032(the)X 3158(session)X 3417(key)X 3561(to)X 3651(be)X 3755(assigned)X 4058(to)X 4147(the)X 4272(new)X 2102 3072(ticket)N 2306(is)X 2385(to)X 2473(be)X 2575(taken)X 2775(from)X 2957(the)X 3081(second)X 3330(ticket)X 3534(provided.)X 
3885(This)X 4053(option)X 4282(will)X 2102 3168(only)N 2271(be)X 2374(honored)X 2664(if)X 2740(the)X 2865(second)X 3115(ticket)X 3320(has)X 3454(the)X 3579(DUPLICATE-SKEY)X 4286(\257ag)X 2102 3264(set.)N 955 3456(30)N 1259(RENEW)X 2102(This)X 2273(option)X 2506(is)X 2588(used)X 2764(only)X 2935(by)X 3044(the)X 3171(ticket-granting)X 3672(service.)X 3968(The)X 4121(RENEW)X 2102 3552(option)N 2338(indicates)X 2655(that)X 2807(the)X 2937(present)X 3201(request)X 3465(is)X 3550(for)X 3676(a)X 3744(renewal.)X 4071(The)X 4228(ticket)X 2102 3648(provided)N 2420(is)X 2506(encrypted)X 2856(in)X 2951(the)X 3082(secret)X 3303(key)X 3452(for)X 3578(the)X 3708(server)X 3937(on)X 4049(which)X 4277(it)X 4353(is)X 2102 3744(valid.)N 2326(This)X 2492(option)X 2720(will)X 2868(only)X 3034(be)X 3134(honored)X 3421(if)X 3494(the)X 3616(ticket)X 3818(to)X 3904(be)X 4003(renewed)X 4299(has)X 2102 3840(its)N 2199(RENEWABLE)X 2715(\257ag)X 2857(set)X 2968(and)X 3106(if)X 3177(the)X 3297(time)X 3461(in)X 3545(the)X 3665(renew_till)X 4012(\256eld)X 4176(has)X 4304(not)X 2102 3936(passed.)N 2383(The)X 2535(ticket)X 2739(to)X 2827(be)X 2929(renewed)X 3228(is)X 3307(passed)X 3547(in)X 3635(the)X 3 f 3759(padata)X 1 f 4020(\256eld)X 4188(as)X 4281(part)X 2102 4032(of)N 2189(the)X 2307(authentication)X 2781(header.)X 955 4224(31)N 1259(VALIDATE)X 2102(This)X 2280(option)X 2520(is)X 2609(used)X 2792(only)X 2969(by)X 3084(the)X 3217(ticket-granting)X 3724(service.)X 4027(The)X 4187(VALI-)X 2102 4320(DATE)N 2349(option)X 2586(indicates)X 2903(that)X 3055(the)X 3185(present)X 3449(request)X 3713(is)X 3798(to)X 3892(validate)X 4178(a)X 4246(post-)X 2102 4416(dated)N 2297(ticket.)X 2536(It)X 2606(will)X 2751(only)X 2914(be)X 3010(honored)X 3293(if)X 3362(the)X 3480(ticket)X 3678(presented)X 4006(is)X 4079(postdated,)X 2102 4512(presently)N 2423(has)X 2557(its)X 2659(INVALID)X 3021(\257ag)X 3168(set,)X 3304(and)X 3447(would)X 3674(be)X 3777(otherwise)X 4116(usable)X 4348(at)X 2102 4608(this)N 
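The following is an added example, not taken from the draft or from any Kerberos implementation, showing the two bit-fields just described (ticket flags and kdc_options, with bit 0 as the most significant bit) and the checks the draft says a KDC must make before turning a requested option into a ticket flag. The bit positions are the ones in the two tables above; the 32-bit field width, the function names (encode_bits, decode_bits, derive_ticket_flags) and the policy of silently dropping an option whose precondition fails are assumptions made here for illustration, since the draft defers the wire encoding to its section 6.1 and does not prescribe KDC error handling in this excerpt.

```python
# Added example (not from the Kerberos V5 draft): model of the "flags" and
# "kdc_options" bit-fields of section 5.1 and of the option-to-flag checks.

FIELD_BITS = 32  # assumed width of both bit-fields for this example

# Ticket flags from the "flags" table (bit 0 = most significant bit).
TICKET_FLAGS = {
    "RESERVED": 0, "FORWARDABLE": 1, "FORWARDED": 2, "PROXIABLE": 3,
    "PROXY": 4, "MAY-POSTDATE": 5, "POSTDATED": 6, "INVALID": 7,
    "RENEWABLE": 8, "INITIAL": 9, "DUPLICATE-SKEY": 10,
}

# KDC options from the "kdc_options" table. The positions only partly line
# up with TICKET_FLAGS (ALLOW-POSTDATE sets MAY-POSTDATE; bits 27-31 have no
# ticket-flag counterpart), which is why the draft says the options field
# must never simply be copied into the flags field.
KDC_OPTIONS = {
    "RESERVED": 0, "FORWARDABLE": 1, "FORWARDED": 2, "PROXIABLE": 3,
    "PROXY": 4, "ALLOW-POSTDATE": 5, "POSTDATED": 6, "RENEWABLE": 8,
    "DUPLICATE-SKEY": 10, "RENEWABLE-OK": 27, "ENC-TKT-IN-SKEY": 28,
    "REUSE-SKEY": 29, "RENEW": 30, "VALIDATE": 31,
}


def encode_bits(names, table, width=FIELD_BITS):
    """Pack the named bits into a big-endian octet string in which bit 0 is
    the most significant bit of the first octet."""
    value = 0
    for name in names:
        value |= 1 << (width - 1 - table[name])
    return value.to_bytes(width // 8, "big")


def decode_bits(octets, table):
    """Inverse of encode_bits: the set of names whose bit is set. Bits the
    table does not name (reserved or unused positions) are ignored."""
    width = len(octets) * 8
    value = int.from_bytes(octets, "big")
    return {name for name, pos in table.items()
            if (value >> (width - 1 - pos)) & 1}


def derive_ticket_flags(options, tgt_flags, initial_request):
    """Ticket flags a KDC would set for the requested kdc_options.

    options         - set of KDC_OPTIONS names the client asked for
    tgt_flags       - set of TICKET_FLAGS names on the ticket-granting ticket
                      the request is based on (empty for an initial request)
    initial_request - True for a KRB_AS_REQ, False for a KRB_TGS_REQ

    An option whose precondition from the kdc_options table fails is simply
    not honored here (assumption); a real KDC would return an error instead.
    """
    flags = set()
    if initial_request:
        flags.add("INITIAL")  # issued by the initial request protocol

    def inherited(tgt_flag):
        # "may only be set on the initial request, or in a subsequent
        # request if the ticket-granting ticket ... also has the flag"
        return initial_request or tgt_flag in tgt_flags

    if "FORWARDABLE" in options and inherited("FORWARDABLE"):
        flags.add("FORWARDABLE")
    if "PROXIABLE" in options and inherited("PROXIABLE"):
        flags.add("PROXIABLE")
    if "ALLOW-POSTDATE" in options and inherited("MAY-POSTDATE"):
        flags.add("MAY-POSTDATE")
    if "RENEWABLE" in options and inherited("RENEWABLE"):
        flags.add("RENEWABLE")

    # FORWARDED and PROXY are only specified in a TGS request and need the
    # matching capability on the ticket-granting ticket.
    if ("FORWARDED" in options and not initial_request
            and "FORWARDABLE" in tgt_flags):
        flags.add("FORWARDED")
    if "PROXY" in options and not initial_request and "PROXIABLE" in tgt_flags:
        flags.add("PROXY")

    # A postdated ticket needs MAY-POSTDATE on the TGT (a postdated TGT is
    # requested in the KRB_AS_REQ itself) and is issued INVALID until the
    # client validates it after starttime.
    if "POSTDATED" in options and inherited("MAY-POSTDATE"):
        flags.update({"POSTDATED", "INVALID"})

    if "DUPLICATE-SKEY" in options:  # may be requested at any time
        flags.add("DUPLICATE-SKEY")
    return flags


if __name__ == "__main__":
    req = encode_bits({"FORWARDABLE", "RENEWABLE-OK"}, KDC_OPTIONS)
    print(req.hex(), decode_bits(req, KDC_OPTIONS))
    print(derive_ticket_flags(decode_bits(req, KDC_OPTIONS), set(), True))
```

Decoding an options field with TICKET_FLAGS as the table shows the draft's point concretely: RENEWABLE-OK, ENC-TKT-IN-SKEY, REUSE-SKEY, RENEW and VALIDATE occupy bits that are reserved in the ticket flags, so a blind copy would either lose them or set reserved bits, and FORWARDED or PROXY would be granted without the TGT ever having been forwardable or proxiable.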
key
    This field exists in the ticket and the KDC response and is used to pass the session key from Kerberos to the application server and the client. The field is of type EncryptionKey and is described in section 7.1. The field has two subfields.

    keytype is part of the EncryptionKey data type and specifies the type of encryption key that follows in the key-data field. It will almost always correspond to the encryption algorithm used to generate the EncryptedData, though more than one algorithm may use the same type of key (the mapping is many to one). This might happen, for example, if the encryption algorithm uses an alternate checksum algorithm for an integrity check, or a different chaining mechanism. A list of the pre-defined values for this field appears in section 7.1.

    keyvalue is also part of the EncryptionKey data type and it contains the key itself. key-data is an octet string of sufficient length to hold a key of the type specified.

key-expiration
    The key-expiration field is part of the response from the KDC and specifies the time that the client's secret key is due to expire. The expiration might be the result of password aging, or the time that the principal is to be completely removed from the database. This field will usually be left out of the TGS reply since the response to the TGS request is encrypted in a session key. It is up to the application client (usually the login program) to take appropriate action (such as notifying the user) if the expiration time is imminent.

kvno
    This field contains the version number for the key under which data is encrypted. It precedes data encrypted as part of the EncryptedData data type. It applies only to long lasting keys such as those assigned to principals. The field is left out when data is encrypted under a short lived "session" key.

last-req
    This field is returned by the KDC and specifies the time(s) of the last request by a principal. Depending on what information is available, this might be the last time that a request for a ticket-granting ticket was made, or the last time that a request based on a ticket-granting ticket was successful. It also might cover all servers for a realm, or just the particular server. Some implementations may display this information to the user to aid in discovering unauthorized use of one's identity. It is similar in spirit to the last login time displayed when logging into timesharing systems.

    The format for this field is described in section 6.1. The field contains two repeated subfields:

    lr-type indicates the way that the following lr-value subfield is to be interpreted. Bit 0 is the most significant bit. The encoding of the bits is specified in section 6.1. The meanings of the bits are:

    Bit(s)  Name              Description
    0       THIS-SERVER-ONLY  If set, the time refers to the responding server only. If reset, it applies to all servers for the realm.
    1-7     INTERPRETATION    These bits are interpreted as an unsigned quantity, with bit 7 as the least significant bit. If this quantity is zero (0), then the lr-value subfield is the time of last initial request for a TGT. If it is one (1), then the lr-value subfield is the time of last initial request. If it is two (2), then the lr-value subfield is the time of issue for the newest ticket-granting ticket used. If it is three (3), then the lr-value subfield is the time of the last renewal. If it is four (4), then the lr-value subfield is the time of last request (of any type).

    lr-value is a field of type KerberosTime which contains the time of the last request. The time must be interpreted according to the contents of the accompanying lr-type subfield.

msec
    This field is part of the KRB_SAFE and KRB_PRIV headers. It contains the millisecond part of the timestamp.

msg-type
    This field indicates the type of a protocol message. It will almost always be the same as the application identifier associated with a message. It is included to make the identifier more readily accessible to the application.

nonce
    This field is part of the KDC request and response. It is intended to hold a random number generated by the client. If the same number is included in the encrypted response from the KDC, it provides evidence that the response is fresh, and has not been replayed by an attacker.

pad
    This field fills the data in a message to a boundary specified by the cryptosystem in use. Some cryptosystems may use part of the pad to include an integrity checksum of the message. The field is defined as part of the description of individual cryptosystems.

pvno
    This field is included in each message, and specifies the protocol version number. This document specifies protocol version 5.

padata
    The padata (pre-authentication data) field contains authentication information needed before credentials can be
1557(issued.)X 1819(In)X 1908(the)X 2028(case)X 2188(of)X 2276(requests)X 2560(for)X 2675(additional)X 3016(tickets)X 3246(\(KRB_TGS_REQ\),)X 3896(this)X 955 2320(\256eld)N 1127(will)X 1281(contain)X 1547(the)X 1675(authentication)X 2159(header)X 2404(used)X 2581(to)X 2672(authenticate)X 3089(the)X 3216(client)X 3423(to)X 3514(the)X 3641(KDC.)X 3879(In)X 3975(a)X 955 2416(request)N 1219(for)X 1344(initial)X 1561(authentication)X 2046(\(KRB_AS_REQ\),)X 2657(this)X 2803(\256eld)X 2976(will)X 3131(normally)X 3451(be)X 3558(left)X 3696(out.)X 3869(This)X 955 2512(\256eld)N 1120(may)X 1281(also)X 1433(contain)X 1692(information)X 2093(needed)X 2344(by)X 2447(certain)X 2689(extensions)X 3050(to)X 3134(the)X 3254(Kerberos)X 3571(protocol.)X 3900(For)X 955 2608(example,)N 1281(it)X 1359(might)X 1578(be)X 1687(used)X 1867(to)X 1962(initially)X 2243(verify)X 2468(the)X 2599(identity)X 2876(of)X 2976(a)X 3045(client)X 3256(before)X 3495(any)X 3644(response)X 3958(is)X 955 2704(returned,)N 1270(or)X 1364(it)X 1435(might)X 1648(contain)X 1911(information)X 2316(needed)X 2571(to)X 2660(help)X 2825(the)X 2950(KDC)X 3146(choose)X 3396(the)X 3521(key)X 3663(needed)X 3917(for)X 955 2800(the)N 1081(response.)X 1430(The)X 1583(latter)X 1776(would)X 2004(be)X 2108(useful)X 2332(for)X 2454(supporting)X 2824(the)X 2950(use)X 3085(of)X 3180(certain)X 3427("smartcards")X 3869(with)X 955 2896(Kerberos.)N 1310(The)X 1455(details)X 1684(of)X 1771(such)X 1938(extensions)X 2296(are)X 2415(not)X 2537(presently)X 2851(speci\256ed.)X 3 f 555 3116(padata-type)N 1 f 955 3212(The)N 3 f 1101(padata-type)X 1 f 1531(indicates)X 1837(the)X 1956(way)X 2111(that)X 2252(the)X 2371(following)X 3 f 2703(padata)X 1 f 2959(\256eld)X 3122(is)X 3195(to)X 3277(be)X 3373(interpreted.)X 3781(Bit)X 3898(0)X 3958(is)X 955 3308(the)N 1085(most)X 1272(signi\256cant)X 1636(bit.)X 1791(If)X 1876(the)X 2005(bit)X 2120(is)X 2204(clear)X 2392(\(0\))X 2517(it)X 2592(indicates)X 2908(that)X 3059(the)X 3188(remaining)X 
3544(bits)X 3690(indicate)X 3975(a)X 955 3404(registered)N 1312(interpretation.)X 1824(If)X 1918(set)X 2047(\(1\),)X 2201(the)X 2339(interpretation)X 2811(of)X 2917(the)X 3054(remaining)X 3418(bits)X 3572(has)X 3718(not)X 3859(been)X 955 3500(registered.)N 1336(Among)X 1600(the)X 1722(registered)X 2063(interpretations)X 2550(of)X 2641(the)X 2763(remaining)X 3112(bits)X 3251(are)X 3374(the)X 3496(integer)X 3743(values)X 3971(0)X 955 3596(for)N 1072(empty)X 1295(\(this)X 1460(will)X 1607(be)X 1706(the)X 1827(usual)X 2019(value)X 2216(for)X 2333(the)X 2454(KRB_AS_REQ\),)X 3030(and)X 3169(1)X 3232(for)X 3349(a)X 3408(Kerberos)X 3726(authenti-)X 955 3692(cation)N 1171(header)X 1406(\(this)X 1568(will)X 1712(be)X 1808(the)X 1926(usual)X 2115(value)X 2309(for)X 2423(the)X 2541(KRB_TGS_REQ\).)X 3183(Summarized:)X 2 f 955 3836(Bit\(s\))N 1277(Name)X 2102(Description)X 1 f 955 4028(0)N 1277(UNREGISTERED)X 2102(If)X 2187(set,)X 2327(the)X 2456(remaining)X 2811(bits)X 2956(indicate)X 3240(an)X 3346(unregistered)X 3773(value.)X 4017(If)X 4101(clear,)X 4308(the)X 2102 4124(interpretation)N 2554(of)X 2641(the)X 2759(remaining)X 3104(bits)X 3239(has)X 3366(been)X 3538(registered.)X 955 4220(1-7)N 1277(INTERPRETATION)X 2102(These)X 2328(bits)X 2477(are)X 2610(interpreted)X 2992(as)X 3093(an)X 3203(unsigned)X 3526(quantity,)X 3842(with)X 4018(bit)X 4135(7)X 4208(as)X 4308(the)X 2102 4316(least)N 2272(signi\256cant)X 2628(bit.)X 2775(If)X 2852(this)X 2990(quantity)X 3275(is)X 3351(zero)X 3513(\(0\),)X 3650(then)X 3811(the)X 3 f 3932(padata)X 1 f 4189(\256eld)X 4353(is)X 2102 4412(empty.)N 2382(If)X 2476(it)X 2560(is)X 2653(one)X 2808(\(1\),)X 2961(then)X 3138(the)X 3 f 3275(padata)X 1 f 3549(\256eld)X 3730(contains)X 4036(a)X 4111(Kerberos)X 2102 4508(authentication)N 2576(header.)X 3 f 555 4776(realm)N 1 f 955(This)X 1119(\256eld)X 1283(speci\256es)X 1580(the)X 1699(realm)X 1903(that)X 2044(issued)X 2265(a)X 2322(ticket.)X 2561(It)X 2631(also)X 2781(serves)X 3003(to)X 
3086(identify)X 3356(the)X 3475(realm)X 3679(part)X 3825(of)X 3913(the)X 955 4872(server's)N 1238(identity.)X 1550(Since)X 1756(a)X 1820(Kerberos)X 2143(server)X 2368(can)X 2507(only)X 2676(issue)X 2863(tickets)X 3099(for)X 3220(servers)X 3475(within)X 3706(its)X 3808(realm,)X 955 4968(the)N 1073(two)X 1213(will)X 1357(always)X 1600(be)X 1696(identical.)X 3 f 555 5188(renew-till)N 1 f 955(This)X 1128(\256eld)X 1301(is)X 1385(included)X 1692(in)X 1785(tickets)X 2025(that)X 2176(are)X 2306(renewable.)X 2708(It)X 2788(indicates)X 3103(the)X 3231(maximum)X 3 f 3585(endtime)X 1 f 3891(that)X 955 5284(may)N 1125(be)X 1233(included)X 1541(in)X 1635(a)X 1703(renewal.)X 2030(It)X 2111(can)X 2254(be)X 2361(thought)X 2636(of)X 2734(as)X 2832(the)X 2961(absolute)X 3259(expiration)X 3615(time)X 3788(for)X 3913(the)X 955 5380(ticket)N 1153(including)X 1475(all)X 1575(renewals.)X 1921(This)X 2083(\256eld)X 2245(is)X 2318(of)X 2405(type)X 2563(KerberosTime.)X 3 f 555 5696(req-body)N 1 f 955(This)X 1119(\256eld)X 1283(is)X 1358(part)X 1505(of)X 1594(the)X 1714(KDC)X 1904(request.)X 2197(It)X 2267(is)X 2341(a)X 2398(placeholder)X 2794(delimiting)X 3143(the)X 3262(extent)X 3479(of)X 3567(the)X 3686(remaining)X 955 5792(\256elds.)N 1194(If)X 1274(a)X 1336(checksum)X 1683(is)X 1762(to)X 1850(be)X 1952(calculated)X 2304(over)X 2473(the)X 2597(request,)X 2875(it)X 2945(is)X 3024(calculated)X 3376(over)X 3545(the)X 3669(part)X 3820(of)X 3913(the)X 555 6144(Section)N 815(5.1.)X 2196(-)X 2243(24)X 2343(-)X 25 p %%Page: 25 26 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 955 672(request)N 1207(enclosed)X 1508(within)X 1732(the)X 3 f 1850(req-body)X 1 f 2181(\256eld.)X 3 f 555 892(r-address)N 1 f 955(This)X 1121(\256eld)X 1287(is)X 1364(part)X 1513(of)X 1604(the)X 1726(KRB_SAFE)X 2149(and)X 2288(KRB_PRIV)X 2697(messages.)X 3063(It)X 3135(speci\256es)X 3434(the)X 3555(address)X 3819(in)X 3904(use)X 955 988(by)N 1055(the)X 1173(recipient)X 1474(of)X 1561(the)X 
1679(message.)X 2011(It)X 2080(is)X 2153(of)X 2240(type)X 2398(HostAddress.)X 3 f 555 1208(rtime)N 1 f 955(This)X 1121(\256eld)X 1287(is)X 1363(the)X 1484(requested)X 3 f 1815(renew-till)X 1 f 2168(time)X 2333(sent)X 2485(from)X 2664(a)X 2723(client)X 2924(to)X 3009(the)X 3130(KDC)X 3322(in)X 3407(a)X 3466(ticket)X 3667(request.)X 3962(It)X 955 1304(is)N 1028(optional.)X 1350(This)X 1512(\256eld)X 1674(is)X 1747(of)X 1834(type)X 1992(KerberosTime.)X 3 f 555 1524(s-address)N 1 f 955(This)X 1121(\256eld)X 1287(is)X 1364(part)X 1513(of)X 1604(the)X 1726(KRB_SAFE)X 2149(and)X 2288(KRB_PRIV)X 2697(messages.)X 3063(It)X 3135(speci\256es)X 3434(the)X 3555(address)X 3819(in)X 3904(use)X 955 1620(by)N 1055(the)X 1173(sender)X 1403(of)X 1490(the)X 1608(message.)X 1940(It)X 2009(is)X 2082(of)X 2169(type)X 2327(HostAddress.)X 3 f 555 1840(smsec)N 1 f 955(This)X 1124(\256eld)X 1293(contains)X 1587(the)X 1712(millisecond)X 2111(part)X 2262(of)X 2355(the)X 2479(server's)X 2760(timestamp.)X 3159(Its)X 3265(value)X 3465(ranges)X 3701(from)X 3883(0)X 3949(to)X 955 1936(999.)N 1141(It)X 1216(appears)X 1488(along)X 1692(with)X 3 f 1860(stime)X 1 f 2043(.)X 2089(The)X 2240(two)X 2385(\256elds)X 2583(are)X 2707(used)X 2879(in)X 2966(conjunction)X 3369(to)X 3456(specify)X 3713(a)X 3774(reason-)X 955 2032(ably)N 1113(accurate)X 1402(timestamp.)X 3 f 555 2252(sname)N 1 f 955(This)X 1117(\256eld)X 1279(speci\256es)X 1575(the)X 1693(name)X 1887(part)X 2032(of)X 2119(the)X 2237(server's)X 2512(identity.)X 2816(It)X 2885(is)X 2958(of)X 3045(type)X 3203(string)X 3405(array.)X 3 f 555 2472(starttime)N 1 f 955(This)X 1126(\256eld)X 1297(in)X 1388(the)X 1515(ticket)X 1722(speci\256es)X 2027(the)X 2154(time)X 2325(after)X 2502(which)X 2727(the)X 2854(ticket)X 3061(is)X 3143(valid.)X 3372(Together)X 3690(with)X 3 f 3860(end-)X 955 2568(time)N 1 f 1107(,)X 1147(this)X 1282(\256eld)X 1444(speci\256es)X 1740(the)X 1858(life)X 1985(of)X 2072(the)X 2190(ticket.)X 2428(This)X 2590(\256eld)X 2752(is)X 
2825(of)X 2912(type)X 3070(KerberosTime.)X 3 f 555 2788(stime)N 1 f 955(This)X 1117(\256eld)X 1279(contains)X 1566(the)X 1684(current)X 1932(time)X 2094(on)X 2194(the)X 2312(server.)X 2569(It)X 2638(is)X 2711(of)X 2798(type)X 2956(KerberosTime.)X 3 f 555 3008(till)N 1 f 955(This)X 1122(\256eld)X 1289(contains)X 1581(the)X 1704(expiration)X 2054(date)X 2213(requested)X 2546(by)X 2651(the)X 2774(client)X 2977(in)X 3064(a)X 3125(ticket)X 3328(request.)X 3625(This)X 3792(\256eld)X 3958(is)X 955 3104(of)N 1042(type)X 1200(KerberosTime.)X 3 f 555 3324(ticket)N 1 f 955(This)X 1117(\256eld)X 1279(contains)X 1566(a)X 1622(complete)X 1936(ticket.)X 2174(Its)X 2274(encoding)X 2588(is)X 2661(speci\256ed)X 2966(in)X 3048(section)X 3295(7.1.1.)X 3 f 555 3544(tkt_vno)N 1 f 955(This)X 1117(\256eld)X 1279(speci\256es)X 1575(the)X 1693(version)X 1949(number)X 2214(for)X 2328(the)X 2446(ticket)X 2644(format.)X 3 f 555 3764(timestamp)N 1 f 955(This)X 1127(\256eld)X 1299(is)X 1382(part)X 1537(of)X 1634(the)X 1762(KRB_SAFE)X 2191(and)X 2336(KRB_PRIV)X 2751(messages.)X 3123(Its)X 3232(contents)X 3528(are)X 3656(the)X 3783(current)X 955 3860(time)N 1122(as)X 1214(known)X 1456(by)X 1560(the)X 1682(sender)X 1916(of)X 2007(the)X 2129(message.)X 2465(By)X 2582(checking)X 2896(the)X 3018(timestamp,)X 3395(the)X 3517(recipient)X 3822(of)X 3913(the)X 955 3956(message)N 1247(is)X 1320(able)X 1474(to)X 1556(make)X 1750(sure)X 1904(that)X 2044(it)X 2108(was)X 2253(recently)X 2532(generated,)X 2885(and)X 3021(is)X 3094(not)X 3216(a)X 3272(replay.)X 3 f 555 4176(transited)N 1 f 955(This)X 1127(\256eld)X 1299(lists)X 1457(the)X 1585(names)X 1820(of)X 1917(the)X 2044(Kerberos)X 2368(realms)X 2611(that)X 2760(took)X 2931(part)X 3085(in)X 3176(authenticating)X 3659(the)X 3786(user)X 3949(to)X 955 4272(whom)N 1175(this)X 1310(ticket)X 1508(was)X 1653(issued.)X 1913(It)X 1982(does)X 2149(not)X 2271(specify)X 2523(the)X 2641(order)X 2831(in)X 2913(which)X 3129(the)X 3247(realms)X 3481(were)X 
3658(transited.)X 955 4464(If)N 1034(a)X 1095(ticket)X 1298(is)X 1376(issued)X 1601(based)X 1809(on)X 1914(a)X 1975(ticket-granting)X 2472(ticket)X 2675(\(TGT\))X 2910(issued)X 3135(by)X 3240(the)X 3363(local)X 3544(realm)X 3751(then)X 3913(the)X 955 4560(transited)N 1257(\256eld)X 1425(should)X 1664(be)X 1766(passed)X 2006(through)X 2281(unchanged.)X 2695(When)X 2913(a)X 2975(ticket)X 3178(is)X 3256(issued)X 3481(based)X 3689(on)X 3794(a)X 3855(TGT)X 955 4656(issued)N 1177(by)X 1278(another)X 1540(realm)X 1744(then)X 1903(the)X 2022(name)X 2217(of)X 2305(the)X 2424(realm)X 2628(that)X 2769(issued)X 2990(the)X 3109(TGT)X 3286(should)X 3520(be)X 3617(added)X 3830(to)X 3913(the)X 955 4752(transited)N 1258(\256eld.)X 1467(Note)X 1650(that)X 1797(the)X 1922(ticket-granting)X 2421(service)X 2676(does)X 2850(not)X 2979(add)X 3122(the)X 3247(name)X 3448(of)X 3542(its)X 3644(own)X 3808(realm.)X 955 4848(Instead,)N 1232(its)X 1332(responsibility)X 1792(is)X 1870(to)X 1957(add)X 2098(the)X 2220(name)X 2418(of)X 2509(the)X 2631(previous)X 2931(realm.)X 3178(This)X 3344(prevents)X 3640(a)X 3700(malicious)X 955 4944(Kerberos)N 1270(from)X 1446(intentionally)X 1870(leaving)X 2126(out)X 2248(its)X 2343(own)X 2501(name.)X 955 5136(Because)N 1253(the)X 1381(name)X 1585(of)X 1681(each)X 1858(realm)X 2070(transited)X 2375(is)X 2457(added)X 2678(to)X 2769(this)X 2913(\256eld,)X 3104(it)X 3177(might)X 3392(potentially)X 3763(be)X 3868(very)X 955 5232(long.)N 1163(To)X 1278(decrease)X 1582(the)X 1706(length)X 1932(of)X 2025(this)X 2165(\256eld,)X 2352(its)X 2452(contents)X 2744(are)X 2868(encoded)X 3161(in)X 3248(a)X 3309(manner)X 3575(that)X 3720(is)X 3798(optim-)X 955 5328(ized)N 1109(for)X 1223(the)X 1341(normal)X 1588(case)X 1747(of)X 1834(inter-realm)X 2211(communication.)X 955 5520(The)N 1105(names)X 1335(of)X 1427(neither)X 1675(the)X 1798(local)X 1979(realm,)X 2207(nor)X 2339(the)X 2462(principal's)X 2830(realm)X 3038(are)X 3162(to)X 3249(be)X 3350(included)X 3651(in)X 
3737(the)X 3859(tran-)X 955 5616(sited)N 1140(\256eld.)X 1356(They)X 1555(appear)X 1804(elsewhere)X 2160(in)X 2255(the)X 2386(ticket)X 2597(and)X 2746(both)X 2921(are)X 3053(known)X 3304(to)X 3399(have)X 3584(taken)X 3791(part)X 3949(in)X 955 5712(authenticating)N 1438(the)X 1565(principal.)X 1919(Since)X 2126(the)X 2253(endpoints)X 2593(are)X 2721(not)X 2851(included,)X 3175(both)X 3345(local)X 3529(and)X 3673(single-hop)X 955 5808(inter-realm)N 1332(authentication)X 1806(result)X 2004(in)X 2086(a)X 2142(transited)X 2438(\256eld)X 2600(that)X 2740(is)X 2813(empty.)X 555 6144(Section)N 815(5.1.)X 2196(-)X 2243(25)X 2343(-)X 26 p %%Page: 26 27 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 955 672(Realm)N 1191(names)X 1422(in)X 1510(the)X 1634(transited)X 1936(\256eld)X 2104(are)X 2229(separated)X 2559(by)X 2665(a)X 2727(",".)X 2879(A)X 2963(realm)X 3172(name)X 3372(ending)X 3616(with)X 3784(a)X 3846(".")X 3958(is)X 955 768(interpreted)N 1324(as)X 1412(being)X 1611(prepended)X 1967(to)X 2050(the)X 2169(previous)X 2466(realm.)X 2710(For)X 2841(example,)X 3153(we)X 3267(can)X 3399(encode)X 3647(traversal)X 3944(of)X 955 864(EDU,)N 1162(MIT.EDU,)X 1535(ATHENA.MIT.EDU,)X 2258(WASHINGTON.EDU,)X 3028(and)X 3165(CS.WASHINGTON.EDU)X 955 960(as:)N 1243 1056 0.1284("EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".)AN 955 1248(Note)N 1153(that)X 1314(if)X 1404(ATHENA.MIT.EDU,)X 2147(or)X 2255(CS.WASHINGTON.EDU)X 3142(were)X 3340(endpoints,)X 3712(that)X 3873(they)X 955 1344(would)N 1175(not)X 1297(be)X 1393(included)X 1689(in)X 1771(this)X 1906(\256eld,)X 2088(and)X 2224(we)X 2338(would)X 2558(have:)X 1243 1536 0.1823("EDU,MIT.,WASHINGTON.EDU")AN 955 1728(A)N 1047(null)X 1204(sub\256eld)X 1490(preceding)X 1840(or)X 1940(following)X 2284(a)X 2353(",")X 2472(indicates)X 2790(that)X 2943(all)X 3056(realms)X 3303(between)X 3604(the)X 3735(previous)X 955 1824(realm)N 1166(and)X 1310(the)X 1435(next)X 1600(realm)X 1810(have)X 1989(been)X 2168(traversed.)X 2530(Thus,)X 
2737(",")X 2850(means)X 3082(that)X 3229(the)X 3354(whole)X 3577(tree)X 3725(has)X 3859(been)X 955 1920(traversed,)N 1307(but)X 1446 0.1750(",MIT.EDU,WASHINGTON.EDU,")AX 2669(means)X 2910(that)X 3066(everything)X 3445(up)X 3561(to)X 3659(MIT.EDU,)X 955 2016(and)N 1101(everything)X 1474(below)X 1700(WASHINGTON.EDU)X 2459(\(inclusive\))X 2831(have)X 3012(been)X 3193(traversed,)X 3537(but)X 3668(everything)X 955 2112(between)N 1243(them)X 1423(has)X 1550(been)X 1722(bypassed.)X 3 f 555 2332(user-data)N 1 f 955(This)X 1130(\256eld)X 1305(is)X 1391(part)X 1548(of)X 1647(the)X 1777(KRB_SAFE)X 2208(and)X 2356(KRB_PRIV)X 2774(messages)X 3109(and)X 3257(contain)X 3525(the)X 3655(application)X 955 2428(speci\256c)N 1220(data)X 1374(that)X 1514(is)X 1587(being)X 1785(passed)X 2019(from)X 2195(the)X 2313(sender)X 2543(to)X 2625(the)X 2743(recipient.)X 3 f 12 s 555 2716(5.2.)N 747(Prede\256ned)X 1214(Data)X 1435(Types)X 1 f 10 s 555 2840(This)N 721(section)X 971(speci\256es)X 1270(the)X 1391(encodings)X 1739(and)X 1878(types)X 2070(for)X 2187(host)X 2343(addresses,)X 2694(and)X 2833(other)X 3021(types)X 3213(where)X 3433(part)X 3581(of)X 3671(the)X 3792(encod-)X 555 2936(ing)N 677(has)X 804(been)X 976(speci\256ed)X 1281(independently)X 1755(from)X 1931(the)X 2049(Kerberos)X 2364(protocol.)X 3 f 555 3128(5.2.1.)N 775(Host)X 955(address)X 1237(types)X 1 f 755 3252(All)N 879(the)X 999(values)X 1226(for)X 1342(the)X 1461(host)X 1615(address)X 1877(type)X 2036(with)X 2199(the)X 2318(most)X 2494(signi\256cant)X 2848(bit)X 2953(set)X 3063(\(1\))X 3178(are)X 3298(reserved)X 3592(for)X 3707(local)X 3884(use.)X 555 3348(All)N 689(the)X 819(values)X 1056(with)X 1230(the)X 1360(most)X 1547(signi\256cant)X 1912(bit)X 2028(reset)X 2211(\(0\))X 2336(are)X 2466(reserved)X 2770(for)X 2895(of\256cially)X 3215(assigned)X 3522(type)X 3691(\256elds)X 3895(and)X 555 3444(interpretations.)N 755 3568(The)N 907(values)X 1138(of)X 1231(the)X 1355(types)X 1550(for)X 1670(the)X 1794(following)X 
2131(addresses)X 2465(are)X 2590(chosen)X 2839(to)X 2927(match)X 3149(the)X 3273(de\256ned)X 3535(address)X 3802(family)X 555 3664(constants)N 879(in)X 967(the)X 1091(Berkeley)X 1407(Standard)X 1718(Distribution)X 2130(of)X 2223(Unix.)X 2449(They)X 2640(can)X 2778(be)X 2880(found)X 3093(in)X 3180(<sys/socket.h>)X 3684(with)X 3851(sym-)X 555 3760(bolic)N 735(names)X 960(AF_xxx)X 1242(\(where)X 1486(xxx)X 1626(is)X 1699(an)X 1795(abbreviation)X 2216(of)X 2303(the)X 2421(address)X 2682(family)X 2911(name\).)X 755 3884(The)N 910(ordering)X 1212(relation)X 1487(between)X 1784(addresses)X 2121(is)X 2203(determined)X 2593(by)X 2702(comparing)X 3074(each)X 3251(octet)X 3436(of)X 3532(the)X 3659(address,)X 3949(in)X 555 3980(encoding)N 875(order,)X 1091(until)X 1263(a)X 1325(difference)X 1678(is)X 1757(encountered.)X 2216(The)X 2367(ordering)X 2665(is)X 2744(the)X 2868(result)X 3071(of)X 3163(the)X 3286(comparison)X 3685(of)X 3777(the)X 3900(last)X 555 4076(octets)N 762(or)X 849(the)X 967(\256rst)X 1111(pair)X 1256(of)X 1343(differing)X 1644(octets,)X 1871(whichever)X 2226(comes)X 2451(\256rst.)X 3 f 555 4268(Internet)N 856(addresses)X 1 f 755 4392(Internet)N 1045(addresses)X 1393(are)X 1532(32-bit)X 1763(\(4-octet\))X 2080(quantities,)X 2451(encoded)X 2759(in)X 2861(MSB)X 3069(order.)X 3319(The)X 3483(type)X 3660(of)X 3766(internet)X 555 4488(addresses)N 883(is)X 956(two)X 1096(\(2\).)X 555 4632(When)N 769(determining)X 1178(address)X 1441(orderings)X 1765(and)X 1902(the)X 2021(addresses)X 2350(are)X 2470(equal)X 2665(when)X 2860(either)X 3064(UDP)X 3245(or)X 3333(TCP)X 3500(ports)X 3681(are)X 3801(in)X 3884(use,)X 555 4728(the)N 680(port)X 836(numbers)X 1139(should)X 1379(be)X 1482(treated)X 1728(as)X 1822(two-octet)X 2152(unsigned)X 2468(integers,)X 2769(and)X 2912(compared;)X 3278(the)X 3403(result)X 3607(of)X 3700(that)X 3846(com-)X 555 4824(parison)N 811(is)X 884(then)X 1042(used)X 1209(as)X 1296(the)X 1414(result)X 1612(of)X 1699(the)X 1817(comparison)X 2211(of)X 
2298(the)X 2416(addresses.)X 3 f 555 5016(CHAOSnet)N 966(addresses)X 1 f 755 5140(CHAOSnet)N 1146(addresses)X 1475(are)X 1595(16-bit)X 1807(\(2-octet\))X 2105(quantities,)X 2457(encoded)X 2746(in)X 2829(MSB)X 3018(order.)X 3249(The)X 3395(type)X 3554(of)X 3642(CHAOSnet)X 555 5236(addresses)N 883(is)X 956(\256ve)X 1096(\(5\).)X 3 f 555 5428(ISO)N 712(addresses)X 1 f 755 5552(ISO)N 904(addresses)X 1232(are)X 1351(variable-length.)X 1897(The)X 2042(type)X 2200(of)X 2287(ISO)X 2436(addresses)X 2764(is)X 2837(seven)X 3040(\(7\).)X 555 6144(Section)N 815(5.2.1.)X 2196(-)X 2243(26)X 2343(-)X 27 p %%Page: 27 28 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 555 672(Xerox)N 785(Network)X 1104(Services)X 1405(\(XNS\))X 1639(addresses)X 1 f 755 796(XNS)N 938(addresses)X 1268(are)X 1389(48-bit)X 1602(\(6-octet\))X 1901(quantities,)X 2254(encoded)X 2544(in)X 2628(MSB)X 2818(order.)X 3050(The)X 3197(type)X 3357(of)X 3446(XNS)X 3628(addresses)X 3958(is)X 555 892(six)N 668(\(6\).)X 3 f 555 1084(AppleTalk)N 938(Datagram)X 1306(Delivery)X 1616(Protocol)X 1926(\(DDP\))X 2165(addresses)X 1 f 755 1208(AppleTalk)N 1124(DDP)X 1310(addresses)X 1644(consist)X 1892(of)X 1985(an)X 2087(8-bit)X 2264(node)X 2446(number)X 2717(and)X 2859(a)X 2921(16-bit)X 3138(network)X 3427(number.)X 3737(The)X 3887(\256rst)X 555 1304(octet)N 742(of)X 840(the)X 969(address)X 1241(is)X 1325(the)X 1454(node)X 1641(number;)X 1939(the)X 2068(remaining)X 2424(two)X 2575(octets)X 2793(encode)X 3052(the)X 3181(network)X 3475(number)X 3751(in)X 3843(MSB)X 555 1400(order.)N 785(The)X 930(type)X 1088(of)X 1175(AppleTalk)X 1538(DDP)X 1718(addresses)X 2046(is)X 2119(sixteen)X 2366(\(16\).)X 3 f 555 1592(DECnet)N 851(Phase)X 1071(IV)X 1180(addresses)X 1 f 755 1716(DECnet)N 1036(Phase)X 1246(IV)X 1354(addresses)X 1685(are)X 1807(16-bit)X 2021(addresses,)X 2372(encoded)X 2663(in)X 2748(LSB)X 2916(order.)X 3148(The)X 3295(type)X 3455(of)X 3544(DECnet)X 3824(Phase)X 555 1812(IV)N 660(addresses)X 988(is)X 
1061(twelve)X 1295(\(12\).)X 3 f 12 s 555 2004(6.)N 675(Message)X 1046(Speci\256cations)X 1 f 10 s 755 2128(The)N 907(following)X 1245(sections)X 1530(describe)X 1825(the)X 1950(exact)X 2147(contents)X 2441(and)X 2584(encoding)X 2905(of)X 2999(protocol)X 3293(messages)X 3622(and)X 3764(objects.)X 555 2224(The)N 704(ASN.1)X 948(base)X 1115(de\256nitions)X 1476(are)X 1599(presented)X 1931(in)X 2016(subsection)X 2377(1.)X 2480(The)X 2628(remaining)X 2976(subsections)X 3368(specify)X 3623(the)X 3744(protocol)X 555 2320(objects)N 811(\(tickets)X 1076(and)X 1221(authenticators\))X 1727(and)X 1872(messages.)X 2243(Speci\256cation)X 2689(of)X 2784(encryption)X 3155(and)X 3299(checksum)X 3648(techniques,)X 555 2416(and)N 692(the)X 811(\256elds)X 1005(related)X 1245(to)X 1327(them,)X 1527(appear)X 1762(in)X 1844(section)X 2091(7.)X 2191(Textual)X 2456(descriptions)X 2863(of)X 2950(the)X 3068(individual)X 3412(\256elds)X 3605(in)X 3687(each)X 3855(mes-)X 555 2512(sage)N 718(are)X 837(described)X 1165(earlier)X 1391(\(in)X 1500(section)X 1747(5\).)X 3 f 12 s 555 2732(6.1.)N 747(ASN.1)X 1034(Base)X 1250(De\256nitions)X 1 f 10 s 755 2856(The)N 900(following)X 1231(ASN.1)X 1471(base)X 1634(de\256nitions)X 1991(are)X 2110(used)X 2277(in)X 2359(the)X 2477(rest)X 2613(of)X 2700(this)X 2835(section:)X 555 3000(Realm)N 784(::=)X 1381(GeneralString)X 555 3096(PrincipalName)N 1056(::=)X 1381(SEQUENCE)X 1819(OF)X 1941(GeneralString)X 555 3288(MessageType)N 1021(::=)X 1381(INTEGER)X 1744({)X 1381 3384(Ticket\(1\),)N 1381 3480(Authenticator\(2\),)N 1381 3576(asReq\(10\),)N 1381 3672(asRep\(11\),)N 1381 3768(tgsReq\(12\),)N 1381 3864(tgsRep\(13\),)N 1381 3960(apReq\(14\),)N 1381 4056(apRep\(15\),)N 1381 4152(safe\(20\),)N 1381 4248(priv\(21\),)N 1381 4344(error\(30\))N 555 4440(})N 555 4632(AddressType)N 1003(::=)X 1381(INTEGER)X 1744({)X 1381 4728(internet\(2\),)N 1381 4824(chaosnet\(5\),)N 1381 4920(xns\(6\),)N 1381 5016(iso\(7\),)N 1381 5112(appletalk)N 9 f 1675(-)X 1 f 1719(ddp\(16\))X 
555 5208(})N 555 5400(HostAddresses)N 1056(::=)X 1381(SEQUENCE)X 1819(OF)X 1941(SEQUENCE)X 2379({)X 1381 5496(addr-type[0])N 3137(INTEGER,)X 3520(--)X 3594(AddressType)X 1381 5592(address[1])N 3137(OCTET)X 3415(STRING)X 555 5688(})N 555 6144(Section)N 815(6.1.)X 2196(-)X 2243(27)X 2343(-)X 28 p %%Page: 28 29 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 555 672(AdType)N 838(::=)X 1381(BIT)X 1530(STRING)X 1839({)X 1897(--)X 1971(AuthorizationData)X 2588(Type)X 1381 768(reserved\(0\),)N 1381 864(external\(1\),)N 1381 960(registered\(2\),)N 1381 1056(\256eld-type\(3-15\)\262)N 555 1152(})N 555 1344(AuthorizationData)N 1172(::=)X 1381(SEQUENCE)X 1819(OF)X 1941(SEQUENCE)X 2379({)X 1381 1440(ad-type[0])N 3137(AdType,)X 1381 1536(ad-data[1])N 3137(GeneralString)X 555 1632(})N 555 1824(ApOptions)N 926(::=)X 1381(BIT)X 1530(STRING)X 1839({)X 1381 1920(reserved\(0\),)N 1381 2016(use-session-key\(1\),)N 1381 2112(mutual-required\(2\))N 555 2208(})N 555 2400(KDCOptions)N 997(::=)X 1381(BIT)X 1530(STRING)X 1839({)X 1381 2496(reserved\(0\),)N 1381 2592 0.2411(forwardable\(1\),)AN 1381 2688 0.2604(forwarded\(2\),)AN 1381 2784(proxiable\(3\),)N 1381 2880(proxy\(4\),)N 1381 2976(allow-postdate\(5\),)N 1381 3072(postdated\(6\),)N 1381 3168(unused7\(7\),)N 1381 3264 0.2604(renewable\(8\),)AN 1381 3360(unused9\(9\),)N 1381 3456(duplicate-skey\(10\),)N 1381 3552 0.2188(renewable-ok\(27\),)AN 1381 3648(enc-tkt-in-skey\(28\),)N 1381 3744(reuse-skey\(29\),)N 1381 3840(renew\(30\),)N 1381 3936(validate\(31\))N 555 4032(})N 555 4224(LastReqType)N 1007(::=)X 1381(BIT)X 1530(STRING)X 1839({)X 1381 4320(this-server-only\(0\),)N 1381 4416(interpretation\(1-7\)\262)N 555 4512(})N 555 4704(LastReq)N 842(::=)X 1381(SEQUENCE)X 1819(OF)X 1941(SEQUENCE)X 2379({)X 1381 4800(lr-type[0])N 3137(INTEGER,)X 9 f 3520(--)X 1 f 3628(LastReqType)X 1381 4896(lr-value[1])N 3137(KerberosTime,)X 555 4992(})N 555 5184(KerberosTime)N 1039(::=)X 1381(GeneralizedTime)X 1959(--)X 
2033(Specifying)X 2400(UTC)X 2580(time)X 2742(zone)X 2914(\(Z\))X 555 5328(See)N 701(section)X 958(6)X 1028(for)X 1152(the)X 1280(de\256nitions)X 1647(of)X 1743(Checksum,)X 2130(ChecksumType,)X 2682(EncryptedData,)X 3213(EncryptionKey,)X 3752(Encryp-)X 555 5424(tionType,)N 884(and)X 1020(KeyType.)X 8 s 10 f 555 5584(hhhhhhhhhhhhhhhhhh)N 1 f 555 5664(\262)N 603(Note:)X 761(This)X 891(is)X 950(not)X 1048(of\256cial)X 1245(ASN.1)X 1437(notation)X 1663(for)X 1753(a)X 1797(multi-bit)X 2038(\256eld)X 2168(in)X 2234(a)X 2278(bit)X 2362(vector.)X 12 s 555 6144(Section)N 868(6.1.)X 2179(-)X 2235(28)X 2355(-)X 29 p %%Page: 29 30 12 s 0 xH 0 xS 1 f 10 s 0 32(--)N 4323(--)X 3 f 12 s 2082 432(DRAFT)N 2436(3)X 555 672(6.2.)N 747(Tickets)X 1070(and)X 1248(Authenticators)X 1 f 10 s 755 796(This)N 923(section)X 1176(describes)X 1500(the)X 1623(format)X 1862(and)X 2003(encryption)X 2371(parameters)X 2749(for)X 2868(tickets)X 3102(and)X 3243(authenticators.)X 3758(When)X 3975(a)X 555 892(ticket)N 753(or)X 840(authenticator)X 1279(is)X 1352(included)X 1648(in)X 1730(a)X 1786(protocol)X 2073(message)X 2365(it)X 2429(is)X 2502(treated)X 2741(as)X 2828(an)X 2924(opaque)X 3176(object.)X 3 f 555 1084(6.2.1.)N 775(Tickets)X 1 f 755 1208(A)N 845(ticket)X 1055(is)X 1139(a)X 1206(record)X 1443(that)X 1594(helps)X 1794(a)X 1861(client)X 2070(authenticate)X 2489(to)X 2582(a)X 2649(service.)X 2948(A)X 3037(Ticket)X 3273(contains)X 3571(the)X 3700(following)X 555 1304(information:)N 669 1448(Ticket)N 894(::=)X 1623([APPLICATION)X 2195(1])X 2282(SEQUENCE)X 2720({)X 1623 1544(tkt-vno[0])N 2878(INTEGER,)X 1623 1640(realm[1])N 2878(Realm,)X 1623 1736(sname[2])N 2878(PrincipalName,)X 1623 1832(enc-part[3])N 2878(EncryptedData)X 669 1928(})N 669 2024(--)N 743(Encrypted)X 1093(part)X 1238(of)X 1325(ticket)X 669 2120(EncTicketPart)N 1148(::=)X 1623(SEQUENCE)X 2061({)X 1623 2216(\257ags[0])N 2878(TicketFlags,)X 1623 2312(key[1])N 2878(EncryptionKey,)X 1623 2408(crealm[2])N 2878(Realm,)X 1623 
            cname[3]                       PrincipalName,
            transited[4]                   GeneralString,
            authtime[5]                    KerberosTime,
            starttime[6]                   KerberosTime,
            endtime[7]                     KerberosTime,
            renew-till[8]                  KerberosTime OPTIONAL,
            caddr[9]                       HostAddresses,
            authorization-data[10]         AuthorizationData OPTIONAL
    }

The encoding of EncTicketPart is encrypted in the key shared by Kerberos and the end server (the server's secret key). See section 7 for the format of the ciphertext. The optional renew-till field is only present if the RENEWABLE flag is set in the flags field.

6.2.2. Authenticators

An authenticator is a record sent with a ticket to a server to certify the client's knowledge of the encryption key in the ticket and to help the server detect replays. An authenticator contains the following fields. The encoding is encrypted in the session key shared by the client and the server (see section 7 for the format of the ciphertext):

    -- Unencrypted authenticator
    Authenticator ::= [APPLICATION 2] SEQUENCE {
            authenticator-vno[0]           AuthenticatorVersion,
            crealm[1]                      Realm,
            cname[2]                       PrincipalName,
            cksum[3]                       Checksum,
            cmsec[4]                       INTEGER,
            ctime[5]                       KerberosTime
    }

    AuthenticatorVersion ::= INTEGER {krb5(5)}

6.3. Specifications for messages between the client and the Kerberos server

This section specifies the format of the messages used in the exchange between the client and the Kerberos server. The format of possible error messages appears in section 5.7.

DRAFT 3

6.3.1. KRB_KDC_REQ definition

The KRB_KDC_REQ message has no type of its own. Instead, its type is one of KRB_AS_REQ or KRB_TGS_REQ, depending on whether the request is for an initial ticket or an additional ticket. In either case, the message is sent from the client to the Authentication Server to request credentials for a service.

The message fields are:

    KDC-REQ ::= [APPLICATION 10 or 12²] SEQUENCE {
            pvno[1]                        INTEGER,
            msg-type[2]                    INTEGER,
            padata-type[3]                 INTEGER,
            padata[4]                      OCTET STRING,      -- encoded AP-REQ
            req-body[5]                    SEQUENCE {
             kdc-options[0]                KDCOptions,
             cname[1]                      ClientName OPTIONAL, -- Used only in AS-REQ
             realm[2]                      Realm,  -- Server's realm. Also client's in AS-REQ
             sname[3]                      PrincipalName,
             from[4]                       KerberosTime OPTIONAL,
             till[5]                       KerberosTime,
             rtime[6]                      KerberosTime OPTIONAL,
             ctime[7]                      KerberosTime,
             nonce[8]                      INTEGER,
             etype[9]                      INTEGER,           -- EncryptionType
             addresses[10]                 HostAddresses OPTIONAL,
             authorization-data[11]        AuthorizationData OPTIONAL,
             additional-tickets[12]        SEQUENCE OF Ticket OPTIONAL
            }
    }

The application code will be either ten (10) or twelve (12) depending on whether the request is for an initial ticket (AS-REQ) or for an additional ticket (TGS-REQ). In a request for an initial ticket (AS-REQ), the type of pre-authentication (padata-type) will usually be null, and padata will be empty. In a request for additional tickets, the pre-authentication type will be Kerberos, and padata will contain the authentication header (ticket-granting ticket and authenticator). req-body delimits the body of the KDC request. If a checksum is included in padata, as is the case when it contains the authentication header, the checksum will be calculated over the fields delimited by req-body.

The nonce is included to allow the client to verify the freshness of a KDC response when its own clock is potentially out of sync. It should be non-repeating. Ideally, it should be generated randomly, but if the correct time is known, it may suffice.³

The etype field specifies the desired encryption algorithm to be used in the response.

The optional fields are only included if necessary to perform the operation specified in the kdc-options field. If more than one additional ticket is included, the additional tickets are paired with options in the order the options appear in the bit vector (see kdc-options in section 5.1 and KDCOptions in 6.1).

It should be noted that in KRB_TGS_REQ, the protocol version number appears twice and two different message types appear: the KRB_TGS_REQ message contains these fields, as does the authentication header (KRB_AP_REQ) that is passed in the padata field.

² [APPLICATION 10 or 12] is not valid ASN.1 notation. The two types of messages (AS-REQ and TGS-REQ) have different application codes, but the format for the remainder of the message is identical.

³ Note, however, that if the time is used as the nonce, one must make sure that the workstation time is monotonically increasing. If the time is ever reset backwards, there is a small, but finite, probability that a nonce will be reused.

6.3.2. KRB_KDC_REP definition

The KRB_KDC_REP message format is used for the reply from the KDC for either an initial (AS) request or a subsequent (TGS) request. There is no message type for KRB_KDC_REP. Instead, the type will be one of KRB_AS_REP or KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in the client's secret key, and the client's key version number is included in the key version number for the encrypted data. For KRB_TGS_REP, the ciphertext is encrypted in the session key from the ticket-granting ticket used in the request. In that case, the key version number will be absent.

The KRB_KDC_REP message contains the following fields:

    KDC-REP ::= [APPLICATION 11 or 13²] SEQUENCE {
            pvno[0]                        INTEGER,
            msg-type[1]                    INTEGER,           -- MessageType
            crealm[2]                      Realm,
            cname[3]                       PrincipalName,
            ticket[4]                      Ticket,
            enc-part[5]                    EncryptedData
    }

    EncKDCRepPart ::= [APPLICATION 25 or 26²,³] SEQUENCE {
            key[0]                         EncryptionKey,
            last-req[1]                    LastReq,
            nonce[2]                       INTEGER,
            key-expiration[3]              KerberosTime OPTIONAL,
            flags[4]                       TicketFlags,
            authtime[5]                    KerberosTime,
            starttime[6]                   KerberosTime OPTIONAL,
            endtime[7]                     KerberosTime,
            renew-till[8]                  KerberosTime OPTIONAL,
            realm[9]                       Realm,
            sname[10]                      PrincipalName,
            caddr[11]                      HostAddresses
    }

If the message is of type KRB_AS_REP, the caddr field will contain the requested addresses (for modification detection). If the message is of type KRB_TGS_REP, then this field will only be filled in if the request was for a proxy, a forwarded ticket, or if the user is substituting a subset of the addresses from the ticket-granting ticket. If not, then the addresses contained in the ticket are the same as those included in the ticket-granting ticket.

² [APPLICATION 11 or 13] is not valid ASN.1 notation. The two types of messages (AS-REQ and TGS-REQ) have different application codes, but the format of the remainder of the message is identical (before encryption of the encrypted part).

³ An application code in the encrypted part of a message provides an additional check that the message was decrypted properly.

6.4. Client/Server (CS) message specifications

This section specifies the format of the messages used for the authentication of the client to the application server.

6.4.1. KRB_AP_REQ definition

The KRB_AP_REQ message contains the Kerberos protocol version number, the message type KRB_AP_REQ, an options field to indicate any options in use, and the ticket and authenticator themselves. The KRB_AP_REQ message is often referred to as the "authentication header".

    AP-REQ ::= [APPLICATION 14] SEQUENCE {
            pvno[0]                        INTEGER,
            msg-type[1]                    INTEGER,
            ap-options[2]                  APOptions,
            ticket[3]                      Ticket,
            authenticator[4]               EncryptedData
    }

    APOptions ::= BIT STRING {
            reserved(0),
            use-session-key(1),
            mutual-required(2)
    }

6.4.2. KRB_AP_REP definition

The KRB_AP_REP message contains the Kerberos protocol version number, the message type, and an encrypted timestamp. The message is sent in response to an application request (KRB_AP_REQ) where the mutual authentication option has been selected in the ap-options field.

    AP-REP ::= [APPLICATION 15] SEQUENCE {
            pvno[0]                        INTEGER,
            msg-type[1]                    INTEGER,
            enc-part[2]                    EncryptedData
    }

    EncAPRepPart ::= [APPLICATION 27²] SEQUENCE {
            ctime[0]                       KerberosTime,
            cmsec[1]                       INTEGER
    }

The encoded EncAPRepPart is encrypted in the shared session key. See section 7 for the format of the ciphertext.

² An application code in the encrypted part of a message provides an additional check that the message was decrypted properly.

6.4.3. Error message reply

If an error occurs while processing the application request, the KRB_ERROR message will be sent in response. See section 6.7 for the format of the error message. The cname and crealm fields may be left out if the server cannot determine their appropriate values from the corresponding KRB_AP_REQ message. The ctime and cmsec fields will contain the values read from the authenticator if they were successfully read.

6.5. KRB_SAFE message specification

This section specifies the format of a message that can be used by either side (client or server) of an application to send a tamper-proof message to its peer. It presumes that a session key has previously been exchanged (for example, by using the KRB_AP_REQ message).

6.5.1. KRB_SAFE definition

The KRB_SAFE message contains user data along with a cryptographic checksum based on the session key. The message fields are:

    KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
            pvno[0]                        INTEGER,
            msg-type[1]                    INTEGER,
            user-data[2]                   OCTET STRING,
            timestamp[3]                   KerberosTime,
            msec[4]                        INTEGER,
            s-address[5]                   HostAddress,
            r-address[6]                   HostAddress,
            cksum[7]                       Checksum
    }

The checksum is computed over the encoding of a KRB-SAFE message with a zero-length checksum of type zero, and then inserted into the encoding.

6.6. KRB_PRIV message specification

This section specifies the format of a message that can be used by either side (client or server) of an application to securely and privately send a message to its peer. It presumes that a session key has previously been exchanged (for example, by using the KRB_AP_REQ message).

6.6.1. KRB_PRIV definition

The KRB_PRIV message contains user data encrypted in the session key. The message fields are:

    KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
            pvno[0]                        INTEGER,
            msg-type[1]                    INTEGER,
            enc-part[3]                    EncryptedData
    }

    EncKrbPrivPart ::= [APPLICATION 28²] SEQUENCE {
            user-data[0]                   OCTET STRING,
            timestamp[1]                   KerberosTime,
            msec[2]                        INTEGER,
            s-address[3]                   HostAddress,
            r-address[4]                   HostAddress
    }

The encoding of the EncKrbPrivPart is encrypted in the session key before transmission.³ This encrypted encoding is used for the enc-part field of the KRB-PRIV message. See section 7 for the format of the ciphertext.

² An application code in the encrypted part of a message provides an additional check that the message was decrypted properly.

³ If supported by the encryption method in use, an initialization vector may be passed to the encryption procedure. The initialization vector might come from the last block of the ciphertext from the previous message, but it is up to the application to decide. If left out, the default initialization vector for the encryption algorithm will be used.

6.7. Error message specification

This section specifies the format for the KRB_ERROR message. The fields included in the message are intended to return as much information as possible about an error. It is not expected that all the information required by the fields will be available for all types of errors. If information is not available, the corresponding field will be left out of the message. The e-text field contains a description of the error suitable for display to the user. The optional e-data field includes additional information about the error for use by the application. To interpret the error code, see section 8.

6.7.1. KRB_ERROR definition

The KRB_ERROR message consists of the following fields:

    KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
            pvno[0]                        INTEGER,
            msg-type[1]                    INTEGER,
            ctime[2]                       KerberosTime OPTIONAL,
            cmsec[3]                       INTEGER OPTIONAL,
            stime[4]                       KerberosTime,
            smsec[5]                       INTEGER,
            error-code[6]                  INTEGER,
            crealm[7]                      Realm OPTIONAL,
            cname[8]                       PrincipalName OPTIONAL,
            realm[9]                       Realm,             -- Correct realm
            sname[10]                      PrincipalName,     -- Correct name
            e-text[11]                     GeneralString,
            e-data[12]                     OCTET STRING OPTIONAL
    }

7. Encryption and Checksum Specifications

The following sections specify the encryption and checksum mechanisms currently defined for Kerberos. The encodings, chaining, and padding requirements for each are described. For encryption methods, it is often desirable to place random information (later referred to as a confounder) at the start of the message. The requirements for a confounder are specified with each encryption mechanism.

Some encryption systems use a block-chaining method to improve the security characteristics of the ciphertext. However, these chaining methods often don't provide an integrity check upon decryption. Such systems (such as DES in CBC mode) must be augmented with a checksum of the plaintext which can be verified at decryption and used to detect any tampering or damage. If any damage is detected, the decryption routine is expected to return an error indicating the failure of an integrity check.

The protocol messages only specify what fields are to be encrypted, and make no explicit requirements of a checksum. Each encryption type is expected to provide and verify an appropriate checksum. The specification of each encryption method sets out its checksum requirements.

Finally, where a key is to be derived from a user's password, an algorithm for converting the password to a key of the appropriate type is included. It is desirable for the string-to-key function to be one-way, and for the mapping to be different in different realms. This is important because users who are registered in more than one realm will often use the same password in each, and it is desirable that an attacker compromising the Kerberos server in one realm not obtain or derive the user's key in another.

7.1. Encryption Specifications

The following ASN.1 definition describes all encrypted messages. The enc-part field which appears in the unencrypted part of messages in section 6 is a sequence consisting of an encryption type, an optional key version number, and the CipherText.

    EncryptedData ::= SEQUENCE {
            etype[0]                       INTEGER,           -- EncryptionType
            kvno[1]                        INTEGER OPTIONAL,
            cipher[2]                      OCTET STRING       -- CipherText
    }

Detailed specifications for selected encryption types appear later in this section. The encryption types which are presently defined (though not necessarily specified) for Kerberos are:

    EncryptionType ::= INTEGER {
            null(0),
            des-cbc-crc(1),
            lucifer-cbc-crc(2)
    }

The cipher field (an OCTET STRING) is generated by applying the specified encryption algorithm to data specific to the encryption type. It is strongly recommended that encryption mechanisms defined for use with Kerberos take sufficient measures to guarantee the integrity of the message, and to protect against precomputed dictionary attacks. If the encryption algorithm is not itself capable of doing so, the protections can often be enhanced by adding a checksum and a confounder.

The suggested format for the data to be encrypted includes a confounder, the MsgSequence, a checksum, and any necessary padding. The msg-seq field contains the part of the protocol message described in section 6 which is to be encrypted. The confounder, checksum, and padding are all untagged and untyped, and their length is sufficient to hold the appropriate item. The type and length are implicit and specified by the particular encryption type being used (etype). The format for the data to be encrypted is described in the following diagram:

    +-----------+-------------+----------+-----+
    |confounder |   msg-seq   |  check   | pad |
    +-----------+-------------+----------+-----+

The format cannot be described in ASN.1, but for those who prefer an ASN.1-like notation:

    CipherText ::= ENCRYPTED SEQUENCE {
            confounder[0]          UNTAGGED² OCTET STRING(conf_length) OPTIONAL,
            msg-seq[1]             MsgSequence,
            check[2]               UNTAGGED² OCTET STRING(checksum_length) OPTIONAL,
            pad                    UNTAGGED² OCTET STRING(pad_length) OPTIONAL
    }

One calculates the appropriate checksum over msg-seq, placing the result in check, generates a random confounder of the appropriate length, placing it in confounder, adds the necessary padding, then encrypts using the specified encryption type and the appropriate key. Unless otherwise specified, a definition of an encryption algorithm that specifies a checksum, a length for the confounder field, or an octet boundary for padding, uses the ciphertext format just described. Those fields which are not specified will be left out.

In the interest of allowing all implementations using a particular encryption type to communicate with all others using that type, the specification of an encryption type defines any checksum that is needed as part of the encryption process. If an alternative checksum is to be used, a new encryption type must be defined.

Some cryptosystems require additional information beyond the key and the data to be encrypted. For example, DES, when used in cipher-block-chaining mode, requires an initialization vector. If required, the description for each encryption type must specify the source of such additional information.

² In the above specification, UNTAGGED OCTET STRING(length) is notation for an octet string with its tag and length removed. It is not a valid ASN.1 type. The tag bits and length must be removed for the confounder, since the purpose of the confounder is so that the message starts with random data, but the tag and its length are fixed. For other fields, the length and tag would be redundant if they were included, because they are specified by the encryption type.

The sequence below shows the encoding of an encryption key:

    EncryptionKey ::= SEQUENCE {
            keytype[0]                     INTEGER,           -- KeyType
            keyvalue[1]                    OCTET STRING
    }

The encoding of the key type is similar to that for the encryption type, but a single key type might work with more than one encryption method (especially if several methods are only slight variants of one another). The values for the encryption key type with the most significant bit set (1) are reserved for local use. All the values with the most significant bit reset (0) are reserved for officially assigned type fields and interpretations.

    KeyType ::= INTEGER {
            null(0),
            des(1),
            lucifer(2)
    }

The NULL key is used by the null encryption system and is zero octets in length. A DES key is 8 octets of data. This consists of 56 bits of key and 8 parity bits (one per octet). A lucifer⁹ encryption key is 128 bits (16 octets) of data.

7.1.1. The NULL Encryption System (null)

If no encryption is in use, the encryption system is said to be the NULL encryption system. In the NULL encryption system, no checksum is used, there is no confounder, and there is no padding. The CipherText is simply the data to be encrypted.

7.1.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)

The des-cbc-crc encryption mode encrypts information using the Data Encryption Standard⁶ using the
696(cipher)X 939(block)X 1159(chaining)X 1477(mode.)X 8 s 1675 3707(7)N 10 s 1749 3732(This)N 1933(mode)X 2153(requires)X 2454(an)X 2572(8)X 2654(byte)X 2834(confounder.)X 3282(A)X 3382(CRC-32)X 3690(checksum)X 555 3828(\(described)N 947(in)X 1066(ISO)X 1252(3309)X 8 s 3803(10)Y 10 s 1533 3828(\))N 1617(is)X 1727(applied)X 2020(to)X 2138(the)X 2292(message)X 2620(sequence)X 2971(\()X 3 f 2998(msg-seq)X 1 f 3274(\))X 3357(and)X 3529(placed)X 3795(in)X 3913(the)X 555 3924(checksum\()N 3 f 903(cksum)X 1 f 1125(\))X 1175(\256eld.)X 1380(The)X 1528(length)X 1751(of)X 1841(DES)X 2015(blocks)X 2247(are)X 2369(8)X 2432(bytes.)X 2664(As)X 2776(a)X 2835(result,)X 3056(the)X 3177(data)X 3334(to)X 3419(be)X 3517(encrypted)X 3856(must)X 555 4020(be)N 660(padded)X 921(to)X 1011(an)X 1115(8)X 1183(byte)X 1349(boundary)X 1680(before)X 1914(encryption.)X 2325(Encryption)X 2709(under)X 2920(DES)X 3099(using)X 3300(cipher)X 3529(block)X 3735(chaining)X 555 4116(requires)N 842(additional)X 1190(data)X 1352(in)X 1442(the)X 1568(form)X 1752(of)X 1847(an)X 1951(initialization)X 2383(vector.)X 2652(Unless)X 2898(otherwise)X 3238(speci\256ed,)X 3571(a)X 3635(copy)X 3819(of)X 3913(the)X 555 4212(key)N 691(should)X 924(be)X 1020(used)X 1187(as)X 1274(the)X 1392(initialization)X 1816(vector.)X 755 4336(To)N 870(generate)X 1169(a)X 1231(DES)X 1408(key)X 1550(from)X 1732(a)X 1794(text)X 1940(string)X 2148(\(password\),)X 2551(the)X 2675(text)X 2821(string)X 3029(must)X 3210(have)X 3388(the)X 3512(realm)X 3721(and)X 3863(each)X 555 4432(component)N 934(of)X 1024(the)X 1145(principal's)X 1511(name)X 1708(appended,)X 2059(then)X 2220(padded)X 2475(with)X 2640(nulls)X 2818(to)X 2903(an)X 3002(8)X 3065(byte)X 3225(boundary.)X 3590(This)X 3754(string)X 3958(is)X 555 4528(then)N 716(fan-folded)X 1074(and)X 1212(xored)X 1417(with)X 1581(itself)X 1763(to)X 1847(form)X 2025(an)X 2123(8)X 2185(byte)X 2345(DES)X 2518(key.)X 2696(The)X 2843(parity)X 3052(is)X 3127(corrected)X 3449(on)X 3551(the)X 
3671(key,)X 3829(and)X 3967(it)X 555 4624(is)N 645(used)X 828(to)X 926(generate)X 1235(a)X 1307(DES)X 1494(CBC)X 1689(checksum)X 2046(on)X 2162(the)X 2296(initial)X 2518(string)X 2736(\(with)X 2941(the)X 3075(realm)X 3294(and)X 3446(name)X 3656(appended\).)X 555 4720(Finally,)N 821(parity)X 1028(is)X 1101(corrected)X 1421(on)X 1521(the)X 1639(CBC)X 1818(checksum)X 2159(and)X 2295(it)X 2359(is)X 2432(returned)X 2720(as)X 2807(the)X 2925(key.)X 3101(Pseudocode)X 3504(follows:)X 7 f 755 4912(string_to_key\(string,realm,name\))N 2339({)X 955 5008(odd)N 1147(=)X 1243(1;)X 955 5104(s)N 1051(=)X 1147(string)X 1483(+)X 1579(realm;)X 955 5200(for\(each)N 1387(component)X 1867(in)X 2011(name\))X 2299({)X 1155 5296(s)N 1251(=)X 1347(s)X 1443(+)X 1539(component;)X 955 5392(})N 955 5488(tempkey)N 1339(=)X 1435(NULL;)X 955 5584(pad\(s\);)N 1339(/*)X 1483(with)X 1723(nulls)X 2011(to)X 2155(8)X 2251(byte)X 2491(boundary)X 2923(*/)X 955 5680(for\(8byteblock)N 1675(in)X 1819(s\))X 1963({)X 1155 5776(if\(odd)N 1491(==)X 1635(0\))X 1827({)X 1 f 555 6144(Section)N 815(7.1.2.)X 2196(-)X 2243(36)X 2343(-)X 37 p %%Page: 37 38 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 7 f 1347 672(odd)N 1539(=)X 1635(1;)X 1347 768(reverse\(8byteblock\))N 1155 864(})N 1155 960(else)N 1395(odd)X 1587(=)X 1683(0;)X 1155 1056(tempkey)N 1539(=)X 1635(tempkey)X 2019(xor)X 2211(8byteblock;)X 955 1152(})N 955 1248(fixparity\(tempkey\);)N 955 1344(key)N 1147(=)X 1243(DES-CBC-check\(s,tempkey\);)X 955 1440(fixparity\(key\);)N 955 1536(return\(key\);)N 755 1632(})N 3 f 12 s 555 1824(7.2.)N 747(Checksums)X 1 f 10 s 755 1948(The)N 900(following)X 1231(is)X 1304(the)X 1422(ASN.1)X 1662(de\256nition)X 1988(for)X 2102(a)X 2158(checksum:)X 1204 2092(Checksum)N 1562(::=)X 1771(SEQUENCE)X 2209({)X 1771 2188(cksumtype[0])N 2367(INTEGER,)X 9 f 2750(--)X 1 f 2858(ChecksumType)X 1771 2284(checksum[1])N 2367(OCTET)X 2645(STRING)X 1204 2380(})N 755 2552(Detailed)N 1059(speci\256cation)X 1496(of)X 
1595(selected)X 1886(checksum)X 2239(types)X 2439(appear)X 2685(later)X 2859(in)X 2952(this)X 3098(section.)X 3396(The)X 3552(values)X 3788(for)X 3913(the)X 555 2648(checksum)N 905(type)X 1072(with)X 1243(the)X 1370(most)X 1553(signi\256cant)X 1914(bit)X 2026(set)X 2143(\(1\))X 2265(are)X 2392(reserved)X 2693(for)X 2815(local)X 2999(use.)X 3174(The)X 3327(values)X 3560(with)X 3730(the)X 3856(most)X 555 2744(signi\256cant)N 916(bit)X 1028(reset)X 1208(\(0\))X 1330(are)X 1457(reserved)X 1758(for)X 1880(of\256cially)X 2197(assigned)X 2500(type)X 2665(\256elds)X 2865(and)X 3008(interpretations.)X 3538(The)X 3690(checksum)X 555 2840(types)N 744(which)X 960(are)X 1079(presently)X 1393(de\256ned)X 1649(\(though)X 1918(not)X 2040(necessarily)X 2417(speci\256ed\))X 2749(for)X 2863(Kerberos)X 3178(are:)X 1584 2984(ChecksumType)N 2107(::=)X 2316(INTEGER)X 2679({)X 2316 3080(crc32\(1\),)N 2316 3176(rsa)N 9 f 2410(-)X 1 f 2454(md4\(2\),)X 2316 3272(rsa)N 9 f 2410(-)X 1 f 2454(md4)X 9 f 2596(-)X 1 f 2640(des\(3\),)X 2316 3368(snefru\(4\),)N 2316 3464(des)N 9 f 2423(-)X 1 f 2467(mac\(5\))X 1584 3560(})N 555 3704(These)N 771(checksums)X 1147(fall)X 1278(into)X 1426(two)X 1570(categories.)X 1960(Non-cryptographic)X 2595(checksums)X 2971(such)X 3142(as)X 3232(CRC-32)X 3521(and)X 3660(RSA-MD4)X 555 3800(do)N 657(not)X 781(require)X 1031(a)X 1089(key)X 1227(to)X 1311(generate)X 1605(\(but)X 1755(they)X 1914(may)X 2073(still)X 2213(be)X 2310(based)X 2514(on)X 2615(cryptographic)X 3082(principals\).)X 3486(A)X 3565(cryptographic)X 555 3896(checksum,)N 919(on)X 1022(the)X 1143(other)X 1331(hand,)X 1530(can)X 1664(only)X 1828(be)X 1926(generated)X 2261(with)X 2425(knowledge)X 2799(of)X 2888(a)X 2946(key.)X 3124(To)X 3235(prevent)X 3498(message-stream)X 555 3992(modi\256cation)N 984(by)X 1088(an)X 1188(active)X 1404(attacker,)X 1703(non-cryptographic)X 2320(checksums)X 2696(should)X 2933(only)X 3099(be)X 3199(used)X 3370(when)X 3568(the)X 3690(checksum)X 555 4088(will)N 708(be)X 
813(subsequently)X 1260(encrypted)X 1605(\(e.g.)X 1776(the)X 1902(checksums)X 2282(de\256ned)X 2546(as)X 2641(part)X 2794(of)X 2889(the)X 3015(encryption)X 3386(algorithms)X 3756(covered)X 555 4184(earlier)N 787(in)X 875(this)X 1016(section\).)X 1335(A)X 1418(non-cryptographic)X 2036(checksum)X 2382(can)X 2519(often)X 2709(be)X 2810(made)X 3009(into)X 3158(a)X 3219(cryptographic)X 3690(checksum)X 555 4280(by)N 657(encrypting)X 1022(the)X 1142(checksum)X 1485(once)X 1659(it)X 1725(has)X 1854(been)X 2028(generated.)X 2402(In)X 2490(that)X 2631(case,)X 2811(the)X 2930(composition)X 3346(of)X 3434(the)X 3553(checksum)X 3895(and)X 555 4376(the)N 685(encryption)X 1060(algorithm)X 1403(must)X 1590(be)X 1698(considered)X 2078(a)X 2146(separate)X 2442(checksum)X 2795(algorithm)X 3138(\(e.g.)X 3312(RSA-MD4)X 3694(encrypted)X 555 4472(using)N 748(DES)X 919(is)X 992(a)X 1048(new)X 1202(checksum)X 1543(algorithm)X 1874(of)X 1961(type)X 2119(RSA-MD4-DES\).)X 3 f 555 4760(7.2.1.)N 775(The)X 928(CRC-32)X 1229(Checksum)X 1609(\(crc32\))X 1 f 755 4884(The)N 3 f 906(CRC-32)X 1 f 1213(checksum)X 1560(calculates)X 1903(a)X 1965(checksum)X 2312(based)X 2521(on)X 2627(a)X 2689(cyclic)X 2907(redundancy)X 3308(check)X 3522(as)X 3615(described)X 3949(in)X 555 4980(ISO)N 704(3309.)X 8 s 4955(10)Y 10 s 968 4980(The)N 1113(resulting)X 1413(checksum)X 1754(is)X 1827(four)X 1981(\(4\))X 2095(octets)X 2302(in)X 2384(length.)X 3 f 555 5172(7.2.2.)N 775(The)X 928(RSA)X 1108(MD4)X 1302(Checksum)X 1682(\(rsa-md4\))X 1 f 755 5296(The)N 3 f 915(RSA-MD4)X 1 f 1311(checksum)X 1666(calculates)X 2017(a)X 2087(checksum)X 2442(using)X 2649(the)X 2781(RSA)X 2970(MD4)X 3173(algorithm)X 3518(\(citation\).)X 3886(The)X 555 5392(algorithm)N 886(takes)X 1071(as)X 1158(input)X 1342(an)X 1438(input)X 1622(message)X 1914(of)X 2001(arbitrary)X 2298(length)X 2518(and)X 2654(produces)X 2964(as)X 3051(output)X 3275(a)X 3331(128-bit)X 3582(checksum.)X 555 6144(Section)N 815(7.2.2.)X 2196(-)X 2243(37)X 2343(-)X 38 p 
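The confounder | msg-seq | check | pad layout of section 7.1, as instantiated by des-cbc-crc (8 byte confounder, 4 octet CRC-32 over msg-seq, padding to the 8 byte DES block) and checked again on the receiving side, as an added Python example that is not part of the draft. The DES-CBC step itself is left out; the CRC register conventions, the little-endian order of the check octets and zero-valued padding are assumptions, since the draft only cites ISO 3309 and speaks of "the necessary padding".

```python
import hmac
import os
import struct
from typing import Optional

CONFOUNDER_LEN = 8             # des-cbc-crc requires an 8 byte confounder (7.1.2)
CHECKSUM_LEN = 4               # the CRC-32 checksum is four octets (7.2.1)
BLOCK_LEN = 8                  # DES block size; the plaintext is padded to it
KRB_AP_ERR_BAD_INTEGRITY = 31  # "Integrity check on decrypted field failed" (section 8)


class BadIntegrity(ValueError):
    """Raised when the check field does not match msg-seq."""
    code = KRB_AP_ERR_BAD_INTEGRITY


def crc32_iso3309(data: bytes) -> int:
    """Bitwise CRC-32 over the ISO 3309 polynomial 0x04C11DB7 (reflected
    form 0xEDB88320). Starting the register at 0 and applying no final XOR
    is an assumption of this example; it is not the gzip/zlib variant,
    which inverts at both ends."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xEDB88320
            else:
                crc >>= 1
    return crc


def check_field(msg_seq: bytes) -> bytes:
    """The 4 octet check field for msg-seq; little-endian order is assumed."""
    return struct.pack("<I", crc32_iso3309(msg_seq))


def der_element_len(buf: bytes, offset: int = 0) -> int:
    """Total size (tag + length octets + content) of the DER element that
    starts at buf[offset]. Single-octet tags suffice for the SEQUENCE and
    context-tagged messages of this draft."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER element")
    first = buf[offset + 1]
    if first < 0x80:                     # short form length
        header, content = 2, first
    else:                                # long form: 0x80|n, then n octets
        n = first & 0x7F
        if n == 0 or n > 4 or offset + 2 + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        header = 2 + n
        content = int.from_bytes(buf[offset + 2:offset + header], "big")
    if offset + header + content > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return header + content


def frame_des_cbc_crc(msg_seq: bytes, confounder: Optional[bytes] = None) -> bytes:
    """Build the plaintext confounder | msg-seq | check | pad that des-cbc-crc
    then encrypts. msg_seq must be exactly one DER element: the untagged
    check and pad fields carry no length of their own, so the receiver finds
    them from msg-seq's encoded length."""
    if confounder is None:
        confounder = os.urandom(CONFOUNDER_LEN)
    if len(confounder) != CONFOUNDER_LEN:
        raise ValueError("confounder must be %d octets" % CONFOUNDER_LEN)
    if der_element_len(msg_seq) != len(msg_seq):
        raise ValueError("msg_seq must be a single complete DER element")
    body = confounder + msg_seq + check_field(msg_seq)  # checksum over msg-seq only
    return body + b"\x00" * ((-len(body)) % BLOCK_LEN)  # zero padding assumed


def unframe_des_cbc_crc(plaintext: bytes) -> bytes:
    """Parse a decrypted des-cbc-crc buffer and return msg-seq. Raises
    BadIntegrity (KRB_AP_ERR_BAD_INTEGRITY) on a check mismatch and
    ValueError on a malformed layout; a receiver treats both as failure."""
    minimum = CONFOUNDER_LEN + 2 + CHECKSUM_LEN
    if len(plaintext) % BLOCK_LEN or len(plaintext) < minimum:
        raise ValueError("buffer is not a padded des-cbc-crc layout")
    msg_len = der_element_len(plaintext, CONFOUNDER_LEN)
    msg_end = CONFOUNDER_LEN + msg_len
    msg_seq = plaintext[CONFOUNDER_LEN:msg_end]
    check = plaintext[msg_end:msg_end + CHECKSUM_LEN]
    if len(check) != CHECKSUM_LEN:
        raise ValueError("truncated check field")
    # Constant-time compare. The unkeyed CRC only protects integrity because
    # the whole buffer was encrypted, as section 7.2 requires.
    if not hmac.compare_digest(check, check_field(msg_seq)):
        raise BadIntegrity("CRC-32 over msg-seq does not match check field")
    return msg_seq
```

A constructed SEQUENCE { INTEGER 5, INTEGER 10 } (pvno and KRB_AS_REQ) framed with a fixed confounder occupies 8 + 8 + 4 = 20 octets and is padded to 24; flipping one bit inside msg-seq makes unframe_des_cbc_crc raise BadIntegrity.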
7.2.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)

The RSA-MD4-DES checksum calculates a cryptographic checksum by applying the RSA MD4 checksum algorithm described above, and encrypting the results using DES in cipher-block-chaining mode using a DES key as key and initialization vector.

8. Constants

The following table lists the constants used in the protocol and defines their meanings.

    Label                            Value   Meaning or MIT code

    pvno                             5       current Kerberos protocol version number

    message types

    KRB_AS_REQ                       10      Request for initial authentication
    KRB_AS_REP                       11      Response to KRB_AS_REQ request
    KRB_TGS_REQ                      12      Request for authentication based on TGT
    KRB_TGS_REP                      13      Response to KRB_TGS_REQ request
    KRB_AP_REQ                       14      application request to server
    KRB_AP_REP                       15      Response to KRB_AP_REQ_MUTUAL
    KRB_SAFE                         20      Safe (checksummed) application message
    KRB_PRIV                         21      Private (encrypted) application message

    KRB_ERROR                        30      Error response

    error codes

    KDC_ERR_NONE                     0       No error
    KDC_ERR_NAME_EXP                 1       Client's entry in database has expired
    KDC_ERR_SERVICE_EXP              2       Server's entry in database has expired
    KDC_ERR_BAD_PVNO                 3       Requested protocol version number not supported
    KDC_ERR_C_OLD_MAST_KVNO          4       Client's key encrypted in old master key
    KDC_ERR_S_OLD_MAST_KVNO          5       Server's key encrypted in old master key
    KDC_ERR_C_PRINCIPAL_UNKNOWN      6       Client not found in Kerberos database
    KDC_ERR_S_PRINCIPAL_UNKNOWN      7       Server not found in Kerberos database
    KDC_ERR_PRINCIPAL_NOT_UNIQUE     8       Multiple entries for principal in Kerberos database
    KDC_ERR_NULL_KEY                 9       The client or server has a null key
    KDC_ERR_CANNOT_POSTDATE          10      Ticket not eligible for postdating
    KDC_ERR_NEVER_VALID              11      Requested start time is later than end time
    KDC_ERR_POLICY                   12      KDC policy rejects request
    KDC_ERR_BADOPTION                13      KDC cannot accommodate requested option
    KDC_ERR_ETYPE_NOSUPP             14      No support for encryption type

    KRB_AP_ERR_BAD_INTEGRITY         31      Integrity check on decrypted field failed
    KRB_AP_ERR_TKT_EXPIRED           32      Ticket expired
    KRB_AP_ERR_TKT_NYV               33      Ticket not yet valid
    KRB_AP_ERR_REPEAT                34      Request is a replay
    KRB_AP_ERR_NOT_US                35      The ticket isn't for us
    KRB_AP_ERR_BADMATCH              36      Ticket and authenticator don't match
    KRB_AP_ERR_SKEW                  37      Clock skew too great
    KRB_AP_ERR_BADADDR               38      Incorrect net address
    KRB_AP_ERR_BADVERSION            39      Protocol version mismatch
    KRB_AP_ERR_MSG_TYPE              40      Invalid msg type
    KRB_AP_ERR_MODIFIED              41      Message stream modified
    KRB_AP_ERR_BADORDER              42      Message out of order
    KRB_AP_ERR_BADKEYVER             44      Specified version of key is not available
    KRB_AP_ERR_NOKEY                 45      Service key not available
    KRB_AP_ERR_MUT_FAIL              46      Mutual authentication failed
    KRB_AP_ERR_BADDIRECTION          47      Incorrect message direction
    KRB_AP_ERR_METHOD                48      Alternative authentication method required²

    KRB_ERR_GENERIC                  60      Generic error (description in e-text)
    KRB_ERR_FIELD_TOOLONG            61      Field is too long for this implementation

² This error carries additional information in the e-data field. The contents of the e-data field will consist of the type of the required authentication method, and any data that it might use.

A. Pseudo-code for protocol processing

This appendix provides pseudo-code describing how the messages are to be constructed and interpreted by clients and servers.

A.1. KRB_AS_REQ generation

    req.pvno = 5;
    req.msg-type = KRB_AS_REQ;
    req.padata-type = PADATA_EMPTY;
    req.padata = NULL;
    req.kdc_options = (set according to user's preferences);
    req.cname = name;            /* passed in by user */
    req.realm = realm;           /* passed in by user */
    req.sname = (service-name);  /* usually "krbtgt", "localrealm" */
    req.from = NULL;  /* unless user specifies a specific start time */
    req.till = NULL;  /* unless user specifies a specific end time */
    if renewable then
        /* user wants renewable */
        req.rtime = (time specified by user);
    endif
    get system_time;
    req.ctime = system_time.seconds;
    req.nonce = random();
    req.etype = ETYPE_DES_CBC_CRC;
    req.addresses = (host-address);

    kerberos = lookup(name of local kerberos server (or servers));
    send(packet,kerberos);

    wait(for response);
    if (timed_out) then
        retry or use alternate server;
    endif

A.2. KRB_AS_REQ verification and KRB_AS_REP generation

    parse request into req;

    client = lookup(req.cname,req.realm);
    server = lookup(req.sname,req.realm);

    get system_time;
    kdc_time = system_time.seconds;

    if (!client) then
        /* no client in Database */
        return KRB_ERROR message with
            code == KDC_ERR_C_PRINCIPAL_UNKNOWN;
    endif

    if (!server) then
        /* no server in Database */
        return KRB_ERROR message with
            code == KDC_ERR_S_PRINCIPAL_UNKNOWN;
    endif

    session = generate_random_session_key();

    tkt.vno = 5;
    tkt.sname = req.sname;
    tkt.realm = req.realm;

    tkt.flags = 0;

    /* It should be noted that local policy may affect the   */
    /* processing of any of these flags.  For example, some  */
    /* realms may refuse to issue renewable tickets          */

    if (req.kdc_options.FORWARDABLE) then
        set(tkt.flags.FORWARDABLE);
    endif
    if (req.kdc_options.FORWARDED) then
        return KRB_ERROR, code KDC_ERR_BADOPTION;
    endif
    if (req.kdc_options.PROXIABLE) then
        set(tkt.flags.PROXIABLE);
    endif
    if (req.kdc_options.PROXY) then
        return KRB_ERROR, code KDC_ERR_BADOPTION;
    endif
    if (req.kdc_options.ALLOW-POSTDATE) then
        set(tkt.flags.ALLOW-POSTDATE);
    endif

    if (req.kdc_options.DUPLICATE-SKEY) then
        set(tkt.flags.DUPLICATE-SKEY);
    endif
    if (req.kdc_options.RENEW or req.kdc_options.VALIDATE or
        req.kdc_options.REUSE-SKEY or
        req.kdc_options.ENC-TKT-IN-SKEY) then
        return KRB_ERROR, code KDC_ERR_BADOPTION;
    endif

    tkt.session = session;
    tkt.cname = req.cname;
    tkt.crealm = req.realm;
    tkt.transited = "";

    tkt.authtime = kdc_time;

    if (req.kdc_options.POSTDATED) then
        set(tkt.flags.INVALID);
        if (against_postdate_policy(req.from)) then
            return KRB_ERROR, code KDC_ERR_POLICY;
        endif
        tkt.starttime = req.from;
    else
        tkt.starttime = kdc_time;
    endif
    if (req.till = 0) then
        till = infinity;
    else
        till = req.till;
    endif

    tkt.endtime = min(till,tkt.starttime+client.max_life,
                      tkt.starttime+server.max_life,
                      tkt.starttime+max_life_for_realm);

    if (req.kdc_options.RENEWABLE-OK and (tkt.endtime < req.till)) then
        /* we set the RENEWABLE option for later processing */
        set(req.kdc_options.RENEWABLE);
        req.rtime = req.till;
    endif

    if (req.rtime = 0) then
        rtime = infinity;
    else
        rtime = req.rtime;
    endif

    if (req.kdc_options.RENEWABLE) then
        set(tkt.flags.RENEWABLE);
        tkt.renew_till = min(rtime,tkt.starttime+client.max_rlife,
                             tkt.starttime+server.max_rlife,
                             tkt.starttime+max_rlife_for_realm);
    else
        tkt.renew_till = OMIT;  /* leave the renew_till field out */
    endif

    tkt.caddr = req.addresses;
    tkt.authorization_data = "";

    encrypt(tkt.enc-part,req.etype,server.key,server.p_kvno);

    /* Start processing the response */

    resp.pvno = 5;
    resp.msg_type = KRB_AS_REP;
    resp.cname = req.cname;
    resp.crealm = req.realm;
    resp.ticket = tkt;

    resp.key = session;
    resp.last-req = client.last_req;
    resp.nonce = req.nonce;
    resp.key-expiration = client.expiration;
    resp.flags = tkt.flags;

    resp.authtime = tkt.authtime;
    resp.starttime = tkt.starttime;
    resp.endtime = tkt.endtime;

    if (tkt.flags.RENEWABLE) then
        resp.renew_till = tkt.renew_till;
    endif

    resp.realm = tkt.realm;
    resp.sname = tkt.sname;

    resp.caddr = tkt.caddr;

    encrypt(resp.enc-part,req.etype,client.key,client.p_kvno);

    send(resp);

A.3. KRB_AS_REP verification

    if (resp.msg_type == KRB_ERROR) then
        process_error(resp);
        return;
    endif

    /* On error, discard the response, and zero the session key */
    /* from the response immediately                            */

    prompt_user_for(key);
    decrypt(resp.enc-part,resp.enc-part.etype,key);
    zero(key);

    if (!integrity_ok(resp)) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif

    if (req.cname != resp.cname) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif
    if (req.realm != resp.crealm) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif
    if (req.sname != resp.sname) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif
    if (req.realm != resp.realm) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif
    if (req.nonce != resp.nonce) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif
    if (req.addresses != resp.caddr) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif

    /* make sure no flags are set that shouldn't be, and that all that */
    /* should be are set                                               */
    if (!check_flags_for_compatibility(req.kdc-options,resp.flags)) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif

    if ((req.from = 0) and
        (resp.starttime is not within allowable skew)) then
        destroy session key in resp;
        return KRB_AP_ERR_SKEW;
    endif
    if ((req.from != 0) and (req.from != resp.starttime)) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif
    if ((req.till != 0) and (resp.endtime > req.till)) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif

    if ((req.kdc_options.RENEWABLE) and
        (req.rtime != 0) and (resp.renew_till > req.rtime)) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif

    if ((req.kdc_options.RENEWABLE-OK) and
        (resp.flags.RENEWABLE) and
        (req.till != 0) and
        (resp.renew_till > req.till)) then
        destroy session key in resp;
        return KRB_AP_ERR_MODIFIED;
    endif

    if near(resp.princ_exp) then
        print(warning message);
    endif
    save_for_later(ticket,session,client,server,times,flags);

A.4. KRB_TGS_REQ generation

    /* Note that make_application_request might have to recursively    */
    /* call this routine to get the appropriate ticket-granting ticket  */

    req.pvno = 5;
    req.msg_type = KRB_TGS_REQ;

    req.kdc_options = (set according to user's preferences);
    req.sname = (the name of the desired service);
    req.from = 0;  /* unless this is a request for a postdated ticket */
    req.till = 0;  /* unless user specifies a specific life */
    if (renewable) then
        req.rtime = (time specified by user);
    endif

    get system_time;
    req.ctime = system_time;

    req.nonce = random();
    req.etype = ETYPE_DES_CBC_CRC;

    req.addresses = 0;  /* Unless we are changing them */
    req.authorization-data = (as set by the user, null by default);
    req.additional-tickets_ticket = (second ticket if needed, null by default);
    check = generate_checksum (req-body,checksumtype);

    req.padata-type = PADATA_KERBEROS;
    req.padata = make_application_request(krbtgt,srealm,check);

    kerberos = lookup(name of local kerberos server (or servers));
    send(packet,kerberos);

    wait(for response);
    if (timed_out) then
        retry or use alternate server;
    endif

A.5. KRB_TGS_REQ verification and KRB_TGS_REP generation

    /* note that reading the application request requires first
    determining the server for which a ticket was issued, and choosing the
    correct key for decryption.  The name of the server appears in the
    plaintext part of the ticket. */

    read_application_request(req.padata);

    /* Note that the realm in which the Kerberos server is operating is
    determined by the instance from the ticket-granting ticket.  The realm
    in the ticket-granting ticket is the realm under which the ticket
    granting ticket was issued.  It is possible for a single Kerberos
    server to support more than one realm. */

    realm = realm_of_tgt(req.padata.ticket);

    parse remainder of request;

    server = lookup(req.sname,realm);

    if (!server) then
        /* no server in Database */
        return KRB_ERROR message with
            code == KDC_ERR_S_PRINCIPAL_UNKNOWN;
    endif

    if (req.kdc_options.REUSE-SKEY) then
        decrypt(req.second_ticket);
        if (!req.second_ticket.flags.DUPLICATE-SKEY) then
            return KRB_ERROR, code KDC_ERR_BADOPTION;
        endif
        session = req.second_ticket.session;
    else
        session = generate_random_session_key();
    endif

    tkt.vno = 5;

    tkt.sname = req.sname;

    tkt.realm = realm;

    tkt.flags = 0;
    tkt.starttime = 0;

    /* It should be noted that local policy may affect the   */
    /* processing of any of these flags.  For example, some  */
    /* realms may refuse to issue renewable tickets          */

    tkt.caddr = req.padata.ticket.caddr;
    resp.caddr = NULL;  /* We only include this if they change */
    if (req.kdc_options.FORWARDABLE) then
        if (!req.padata.ticket.flags.FORWARDABLE) then
            return KRB_ERROR, code KDC_ERR_BADOPTION;
        endif
        set(tkt.flags.FORWARDABLE);
    endif
    if (req.kdc_options.FORWARDED) then
        if (!req.padata.ticket.flags.FORWARDABLE) then
            return KRB_ERROR, code KDC_ERR_BADOPTION;
        endif
        set(tkt.flags.FORWARDED);
        tkt.caddr = req.addresses;
        resp.caddr =
1947(req.addresses;)X 939 4032(endif)N 939 4224(if)N 1083(\(req.kdc_options.PROXIABLE\))X 2427(then)X 1323 4320(if)N 1467(\(!req.padata.ticket.flags.PROXIABLE\))X 1707 4416(return)N 2043(KRB_ERROR,)X 2571(code)X 2811(KDC_ERR_BADOPTION;)X 1323 4512(endif)N 1323 4608(set\(tkt.flags.PROXIABLE\);)N 939 4704(endif)N 939 4800(if)N 1083(\(req.kdc_options.PROXY\))X 2235(then)X 1323 4896(if)N 1467(\(!req.padata.ticket.flags.PROXIABLE\))X 1707 4992(return)N 2043(KRB_ERROR,)X 2571(code)X 2811(KDC_ERR_BADOPTION;)X 1323 5088(endif)N 1323 5184(set\(tkt.flags.PROXY\);)N 1323 5280(tkt.caddr)N 1803(=)X 1899(req.addresses;)X 1323 5376(resp.caddr)N 1851(=)X 1947(req.addresses;)X 939 5472(endif)N 939 5664(if)N 1083(\(req.kdc_options.POSTDATE\))X 2379(then)X 1323 5760(if)N 1467(\(!req.padata.ticket.flags.POSTDATE\))X 1 f 555 6144(Section)N 815(A.5.)X 2196(-)X 2243(46)X 2343(-)X 47 p %%Page: 47 48 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 7 f 1707 672(return)N 2043(KRB_ERROR,)X 2571(code)X 2811(KDC_ERR_BADOPTION;)X 1323 768(endif)N 1323 864(set\(tkt.flags.POSTDATE\);)N 939 960(endif)N 939 1056(if)N 1083(\(req.kdc_options.POSTDATED\))X 2427(then)X 1323 1152(if)N 1467(\(!req.padata.ticket.flags.POSTDATE\))X 3195(then)X 1707 1248(return)N 2043(KRB_ERROR,)X 2571(code)X 2811(KDC_ERR_BADOPTION;)X 1323 1344(endif)N 1323 1440(set\(tkt.flags.POSTDATED\);)N 1323 1536(set\(tkt.flags.INVALID\);)N 1323 1632(if)N 1467(\(against_postdate_policy\(req.from\)\))X 3195(then)X 1707 1728(return)N 2043(KRB_ERROR,)X 2571(code)X 2811(KDC_ERR_POLICY;)X 1323 1824(endif)N 1323 1920(tkt.starttime)N 1995(=)X 2091(req.from;)X 1035 2016(endif)N 939 2208(if)N 1083(\(\(req.kdc_options.DUPLICATE-SKEY\))X 2715(or)X 1131 2304(\(req.kdc_options.REUSE-SKEY\)\))N 2571(then)X 1323 2400(set\(tkt.flags.DUPLICATE-SKEY\);)N 939 2496(endif)N 939 2688(if)N 1083(\(req.kdc_options.VALIDATE\))X 2379(then)X 1323 2784(if)N 1467(\(!req.padata.ticket.flags.INVALID\))X 3147(then)X 1707 2880(return)N 
2043(KRB_ERROR,)X 2571(code)X 2811(KDC_ERR_POLICY;)X 1323 2976(endif)N 1323 3072(if)N 1467(\(req.padata.ticket.starttime)X 2859(>)X 2955(kdc_time\))X 3435(then)X 1707 3168(return)N 2043(KRB_ERROR,)X 2571(code)X 2811(KRB_AP_ERR_NYV;)X 1323 3264(endif)N 1323 3360(if)N 1467(\(check_hot_list\(req.padata.ticket\)\))X 3195(then)X 1707 3456(return)N 2043(KRB_ERROR,)X 2571(code)X 2811(KRB_AP_ERR_REPEAT;)X 1323 3552(endif)N 1323 3648(tkt)N 1515(=)X 1611(req.padata.ticket;)X 1323 3744(clear\(tkt.flags.INVALID\);)N 939 3840(endif)N 939 4032(if)N 1083(\(req.kdc_options.\(any)X 2139(flag)X 2379(except)X 2715(ENC-TKT-IN-SKEY,)X 3531(RENEW,)X 1947 4128(and)N 2139(those)X 2427(already)X 2811(processed\))X 3339(then)X 1323 4224(return)N 1659(KRB_ERROR,)X 2187(code)X 2427(KDC_ERR_BADOPTION;)X 939 4320(endif)N 939 4512(tkt.authtime)N 1563(=)X 1659(req.padata.ticket.authtime;)X 939 4704(if)N 1083(\(req.kdc_options.RENEW\))X 2235(then)X 1035 4800(/*)N 1179(Note)X 1419(that)X 1659(if)X 1803(the)X 1995(endtime)X 2379(has)X 2571(already)X 2955(passed,)X 3339(the)X 3531(ticket)X 3867(would)X 4203(*/)X 1035 4896(/*)N 1179(have)X 1419(been)X 1659(rejected)X 2091(in)X 2235(the)X 2427(initial)X 2811(authentication)X 3531(stage,)X 3867(so)X 4203(*/)X 1035 4992(/*)N 1179(there)X 1467(is)X 1611(no)X 1755(need)X 1995(to)X 2139(check)X 2427(again)X 2715(here)X 4203(*/)X 1323 5088(if)N 1467(\(!req.padata.ticket.flags.RENEWABLE\))X 3243(then)X 1707 5184(return)N 2043(KRB_ERROR,)X 2571(code)X 2811(KDC_ERR_BADOPTION;)X 1323 5280(endif)N 1323 5376(if)N 1467(\(!req.padata.ticket.renew_till)X 2955(<)X 3051(kdc_time\))X 3531(then)X 1707 5472(return)N 2043(KRB_ERROR,)X 2571(code)X 2811(KRB_AP_ERR_TKT_EXPIRED;)X 1323 5568(endif)N 1323 5664(tkt)N 1515(=)X 1611(req.padata.ticket;)X 1323 5760(tkt.starttime)N 1995(=)X 2091(kdc_time;)X 1 f 555 6144(Section)N 815(A.5.)X 2196(-)X 2243(47)X 2343(-)X 48 p %%Page: 48 49 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 7 f 1323 
672(old_life)N 1755(=)X 1851(req.padata.ticket.endttime)X 3147(-)X 1851 768(req.padata.ticket.starttime;)N 1323 864(tkt.endtime)N 1899(=)X 1995(min\(req.auth_hdr.ticket.renew_till,)X 2187 960(tkt.starttime)N 2859(+)X 2955(old_life\);)X 939 1056(else)N 1323 1152(tkt.starttime)N 1995(=)X 2091(kdc_time;)X 1323 1248(if)N 1467(\(req.till)X 1947(=)X 2043(0\))X 2187(then)X 1707 1344(till)N 1947(=)X 2043(infinity;)X 1323 1440(else)N 1707 1536(till)N 1947(=)X 2043(req.till;)X 1323 1632(endif)N 1323 1728(tkt.endtime)N 1899(=)X 1995(min\(till,tkt.starttime+client.max_life,)X 2187 1824(tkt.starttime+server.max_life,)N 2187 1920(tkt.starttime+max_life_for_realm,)N 2187 2016(req.padata.ticket.endtime\);)N 1323 2208(if)N 1467(\(req.kdc_options.RENEWABLE-OK)X 2907(and)X 1515 2304(\(tkt.endtime)N 2139(<)X 2235(req.till\))X 2715(and)X 1515 2400(req.padata.ticket.flags.RENEWABLE\))N 3195(then)X 1707 2496(/*)N 1851(we)X 1995(set)X 2187(the)X 2379(RENEWABLE)X 2859(option)X 3195(for)X 3387(later)X 3675(processing)X 4203(*/)X 1707 2592(set\(req.kdc_options.RENEWABLE\);)N 1707 2688(req.rtime)N 2187(=)X 2283(min\(req.till,)X 2475 2784(req.padata.ticket.renew_till\);)N 1323 2880(endif)N 939 2976(endif)N 939 3168(if)N 1083(\(req.rtime)X 1611(=)X 1707(0\))X 1851(then)X 1323 3264(rtime)N 1611(=)X 1707(infinity;)X 939 3360(else)N 1323 3456(rtime)N 1611(=)X 1707(req.rtime;)X 939 3552(endif)N 939 3744(if)N 1083(\(req.kdc_options.RENEWABLE)X 2379(and)X 1131 3840(req.padata.ticket.flags.RENEWABLE\))N 2811(then)X 1323 3936(set\(tkt.flags.RENEWABLE\);)N 1323 4032(tkt.renew_till)N 2043(=)X 2139(min\(rtime,starttime+client.max_rlife,)X 2331 4128(tkt.starttime+server.max_rlife,)N 2331 4224(tkt.starttime+max_rlife_for_realm,)N 2331 4320(tkt.padata.ticket.renew_till\);)N 939 4416(else)N 1323 4512(tkt.renew_till)N 2043(=)X 2139(OMIT;)X 2427(/*)X 2571(leave)X 2859(the)X 3051(renew_till)X 3579(field)X 3867(out)X 4059(*/)X 939 4608(endif)N 939 4704(tkt.authorization_data)N 2043(=)X 
2139(req.auth_hdr.ticket.authorization_data)X 4011(+)X 2139 4800(req.authorization_data;)N 939 4992(tkt.key)N 1323(=)X 1419(session;)X 939 5088(tkt.crealm)N 1467(=)X 1563(req.padata.ticket.crealm;)X 939 5184(tkt.cname)N 1419(=)X 1515(req.auth_hdr.ticket.cname;)X 939 5376(if)N 1083(\(realm_of_tgt\(req.padata.ticket\))X 2667(=)X 2763(req.padata.ticket.realm\))X 3963(then)X 1323 5472(/*)N 1467(tgt)X 1659(issued)X 1995(by)X 2139(local)X 2427(realm)X 2715(*/)X 1323 5568(tkt.transited)N 1995(=)X 2091(req.padata.ticket.transited.)X 939 5664(else)N 1323 5760(tkt.transited)N 1995(=)X 1 f 555 6144(Section)N 815(A.5.)X 2196(-)X 2243(48)X 2343(-)X 49 p %%Page: 49 50 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 7 f 1323 672(compress_transited\(req.padata.ticket.transited)N 3579(+)X 2235 768(req.padata.ticket.realm\))N 939 864(endif)N 939 1056(if)N 1083(\(req.kdc_options.ENC-TKT-IN-SKEY\))X 2715(then)X 1323 1152(decrypt\(req.additional-tickets\);)N 1323 1248(encrypt\(tkt.enc-part,req.etype,req.second_ticket.session\);)N 939 1344(else)N 1323 1440(encrypt\(tkt.enc-part,req.etype,server.key,server.p_kvno\);)N 939 1536(endif)N 939 1728(resp.pvno)N 1419(=)X 1515(5;)X 939 1824(resp.msg_type)N 1611(=)X 1707(KRB_TGS_REP;)X 939 1920(resp.crealm)N 1515(=)X 1611(req.auth_hdr.ticket.crealm;)X 939 2016(resp.cname)N 1467(=)X 1563(req.auth_hdr.ticket.cname;)X 939 2208(resp.ticket)N 1515(=)X 1611(ticket;)X 939 2400(resp.key)N 1371(=)X 1467(session;)X 939 2496(resp.nonce)N 1467(=)X 1563(req.nonce;)X 939 2592(resp.last_req)N 1611(=)X 1707(fetch_last_request_info\(client\);)X 939 2784(resp.authtime)N 1611(=)X 1707(tkt.authtime;)X 939 2976(resp.princ_exp)N 1659(=)X 1755(OMIT;)X 939 3072(resp.flags)N 1467(=)X 1563(tkt.flags;)X 939 3168(resp.sname)N 1467(=)X 1563(service.name;)X 939 3264(resp.realm)N 1467(=)X 1563(realm;)X 939 3456(resp.starttime)N 1659(=)X 1755(tkt.starttime;)X 939 3552(resp.endtime)N 1563(=)X 1659(tkt.endtime;)X 939 3744(if)N 
1083(\(tkt.flags.RENEWABLE\))X 2139(then)X 1323 3840(resp.renew_till)N 2091(=)X 2187(tkt.renew_till;)X 939 3936(endif)N 939 4128(encrypt\(resp.enc-part,req.etype,req.padata.ticket.session\);)N 939 4224(send\(resp\);)N 3 f 12 s 555 4416(A.6.)N 768(KRB_TGS_REP)X 1480(veri\256cation)X 7 f 10 s 939 4512(if)N 1083(\(resp.msg_type)X 1803(==)X 1947(KRB_ERROR\))X 2475(then)X 1323 4608(process_error\(resp\);)N 1323 4704(return;)N 939 4800(endif)N 939 4992(/*)N 1083(On)X 1227(error,)X 1563(discard)X 1947(the)X 2139(response,)X 2619(and)X 2811(zero)X 3051(the)X 3243(session)X 3627(key)X 3819(from)X 939 5088(the)N 1131(response)X 1563(immediately)X 2139(*/)X 939 5280(decrypt\(resp.enc-part,resp.enc-part.etype,session_from_tgt\);)N 939 5472(if)N 1083(\(!integrity_ok\(resp\)\))X 2139(then)X 1323 5568(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 5664(endif)N 939 5760(if)N 1083(\(req.cname)X 1611(!=)X 1755(resp.cname\))X 2331(then)X 1 f 555 6144(Section)N 815(A.6.)X 2196(-)X 2243(49)X 2343(-)X 50 p %%Page: 50 51 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 7 f 1323 672(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 768(endif)N 939 864(if)N 1083(\(req.realm)X 1611(!=)X 1755(resp.crealm\))X 2379(then)X 1323 960(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 1056(endif)N 939 1152(if)N 1083(\(req.sname)X 1611(!=)X 1755(resp.sname\))X 2331(then)X 1323 1248(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 1344(endif)N 939 1440(if)N 1083(\(req.realm)X 1611(!=)X 1755(resp.realm\))X 2331(then)X 1323 1536(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 1632(endif)N 939 1728(if)N 1083(\(req.nonce)X 1611(!=)X 1755(resp.nonce\))X 2331(then)X 1323 1824(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 1920(endif)N 939 2016(if)N 1083(\(req.addresses)X 1803(!=)X 1947(resp.caddr\))X 2523(then)X 1323 2112(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 2208(endif)N 939 2400(/*)N 1083(make)X 1323(sure)X 1563(no)X 1707(flags)X 1995(are)X 2187(set)X 2379(that)X 2619(shouldn't)X 3099(be,)X 3291(and)X 3483(that)X 
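The two decisions in A.5 that matter most for what a ticket ends up permitting are the option checks against the presented ticket-granting ticket (a client may not obtain, say, a PROXY ticket from a TGT that was never PROXIABLE) and the clamping of endtime and renew_till to the client, server and realm maxima. The following is an added example, written for this page and not taken from the draft or any Kerberos implementation; the Ticket and Limits dataclasses, the option names as strings and the times in seconds are assumptions, and the SKEY, VALIDATE and ENC-TKT-IN-SKEY paths of A.5 are not covered.

```python
"""KDC-side option checks and lifetime clamping following Appendix A.5.
Added example; data shapes and the policy limits are assumed."""
from dataclasses import dataclass
from typing import Optional

INFINITY = float("inf")        # the pseudocode's "infinity" for till/rtime == 0


class KdcError(Exception):
    """Carries the KRB_ERROR code the KDC would send back."""


@dataclass
class Ticket:
    flags: set
    starttime: int
    endtime: int
    renew_till: Optional[int] = None    # None stands for OMIT
    authtime: int = 0


@dataclass
class Limits:
    """Assumed shape for the client/server/realm maxima used in A.5."""
    max_life: int
    max_rlife: int


# kdc_option -> flag the presented ticket-granting ticket must already carry
OPTION_NEEDS_TGT_FLAG = {
    "FORWARDABLE": "FORWARDABLE", "FORWARDED": "FORWARDABLE",
    "PROXIABLE": "PROXIABLE", "PROXY": "PROXIABLE",
    "POSTDATE": "POSTDATE", "POSTDATED": "POSTDATE",
    "RENEW": "RENEWABLE",
}
# Options this example handles; the SKEY, VALIDATE and ENC-TKT-IN-SKEY paths
# of A.5 are not covered here, so anything else is rejected as BADOPTION.
HANDLED_OPTIONS = set(OPTION_NEEDS_TGT_FLAG) | {"RENEWABLE", "RENEWABLE-OK"}


def check_options(kdc_options, tgt):
    """KDC_ERR_BADOPTION for an unhandled option or one the TGT does not permit."""
    for opt in kdc_options:
        if opt not in HANDLED_OPTIONS:
            raise KdcError("KDC_ERR_BADOPTION")
        needed = OPTION_NEEDS_TGT_FLAG.get(opt)
        if needed is not None and needed not in tgt.flags:
            raise KdcError("KDC_ERR_BADOPTION")


def issue_ticket(kdc_options, till, rtime, tgt, kdc_time, client, server, realm):
    """Return the Ticket a KDC following A.5 would issue, or raise KdcError."""
    kdc_options = set(kdc_options)
    check_options(kdc_options, tgt)
    if "RENEW" in kdc_options:
        # A renewal re-issues the presented ticket with a fresh window that
        # keeps its original life but never runs past renew_till.
        if tgt.renew_till is None or tgt.renew_till < kdc_time:
            raise KdcError("KRB_AP_ERR_TKT_EXPIRED")
        flags = set(tgt.flags)
        starttime = kdc_time
        old_life = tgt.endtime - tgt.starttime
        endtime = min(tgt.renew_till, starttime + old_life)
    else:
        flags = {o for o in kdc_options if o in OPTION_NEEDS_TGT_FLAG}
        if "POSTDATED" in kdc_options:
            flags.add("INVALID")          # must be VALIDATEd before use
        starttime = kdc_time
        endtime = min(INFINITY if till == 0 else till,
                      starttime + client.max_life,
                      starttime + server.max_life,
                      starttime + realm.max_life,
                      tgt.endtime)
        # RENEWABLE-OK: the requested life was cut by policy, so make the
        # ticket renewable up to what was asked for instead.
        if ("RENEWABLE-OK" in kdc_options and endtime < till
                and "RENEWABLE" in tgt.flags):
            kdc_options.add("RENEWABLE")
            rtime = min(till, tgt.renew_till)
    renew_till = None
    if "RENEWABLE" in kdc_options and "RENEWABLE" in tgt.flags:
        flags.add("RENEWABLE")
        renew_till = min(INFINITY if rtime == 0 else rtime,
                         starttime + client.max_rlife,
                         starttime + server.max_rlife,
                         starttime + realm.max_rlife,
                         tgt.renew_till)
    return Ticket(flags, starttime, endtime, renew_till, tgt.authtime)
```

The point worth noticing is that a ticket never outlives the TGT it was obtained with (tgt.endtime and tgt.renew_till are always among the minima), so a compromised long-lived service ticket cannot be stretched further by re-requesting it.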
A.6.  KRB_TGS_REP verification

        if (resp.msg_type == KRB_ERROR) then
                process_error(resp);
                return;
        endif

        /* On error, discard the response, and zero the session key from
        the response immediately */

        decrypt(resp.enc-part,resp.enc-part.etype,session_from_tgt);

        if (!integrity_ok(resp)) then
                return KRB_AP_ERR_MODIFIED;
        endif
        if (req.cname != resp.cname) then
                return KRB_AP_ERR_MODIFIED;
        endif
        if (req.realm != resp.crealm) then
                return KRB_AP_ERR_MODIFIED;
        endif
        if (req.sname != resp.sname) then
                return KRB_AP_ERR_MODIFIED;
        endif
        if (req.realm != resp.realm) then
                return KRB_AP_ERR_MODIFIED;
        endif
        if (req.nonce != resp.nonce) then
                return KRB_AP_ERR_MODIFIED;
        endif
        if (req.addresses != resp.caddr) then
                return KRB_AP_ERR_MODIFIED;
        endif

        /* make sure no flags are set that shouldn't be, and that all that */
        /* should be are set */
        if (!check_flags_for_compatibility(req.kdc_options,resp.flags)) then
                return KRB_AP_ERR_MODIFIED;
        endif

        if ((req.from = 0) and
            (resp.starttime is not within allowable skew)) then
                return KRB_AP_ERR_SKEW;
        endif
        if ((req.from != 0) and (req.from != resp.starttime)) then
                return KRB_AP_ERR_MODIFIED;
        endif
        if ((req.till != 0) and (resp.endtime > req.till)) then
                return KRB_AP_ERR_MODIFIED;
        endif

        if ((req.kdc_options.RENEWABLE) and
            (req.rtime != 0) and (resp.renew_till > req.rtime)) then
                return KRB_AP_ERR_MODIFIED;
        endif
        if ((req.kdc_options.RENEWABLE-OK) and
            (resp.flags.RENEWABLE) and
            (req.till != 0) and
            (resp.renew_till > req.till)) then
                return KRB_AP_ERR_MODIFIED;
        endif

        save_for_later(ticket,session,client,server,times,flags);

        check authorization_data as necessary;
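The client-side checks of A.6 are what stop a reply that was substituted or altered in transit from being accepted: the nonce binds the reply to this request, the names and realms must echo it, the flags must be exactly what was asked for (plus the two the KDC may add on its own), and the times must not exceed the request. The following is an added example of those checks, not code from the draft; the request and reply are plain dicts keyed by the field names the pseudocode uses, the sample exchange is constructed, and check_flags_for_compatibility is one assumed reading of the pseudocode's helper.

```python
"""Client-side KRB_TGS_REP checks following Appendix A.6, run after the
enc-part has been decrypted with the TGT session key and its integrity
verified.  Added example; field layout and sample values are assumed."""

# kdc_options that must reappear as the same-named ticket flag
OPTION_FLAGS = {"FORWARDABLE", "FORWARDED", "PROXIABLE", "PROXY",
                "POSTDATE", "POSTDATED", "RENEWABLE"}


def check_flags_for_compatibility(kdc_options, flags):
    """Every requested flag must be present, and the only flags a KDC may
    add on its own are INVALID (with POSTDATED, per A.5) and RENEWABLE
    (under RENEWABLE-OK, per A.5); anything else means the reply was
    altered or does not answer this request."""
    requested = {o for o in kdc_options if o in OPTION_FLAGS}
    if not requested <= flags:
        return False
    for extra in flags - requested:
        if extra == "INVALID" and "POSTDATED" in kdc_options:
            continue
        if extra == "RENEWABLE" and "RENEWABLE-OK" in kdc_options:
            continue
        return False
    return True


def verify_tgs_rep(req, resp, now, clock_skew=300):
    """Return "OK" or the KRB_AP_ERR_* code A.6 would return."""
    # Identity of the reply: names, realms, nonce and addresses must echo
    # the request; the nonce is what ties the reply to this request.
    for req_field, resp_field in (("cname", "cname"), ("realm", "crealm"),
                                  ("sname", "sname"), ("realm", "realm"),
                                  ("nonce", "nonce"), ("addresses", "caddr")):
        if req[req_field] != resp[resp_field]:
            return "KRB_AP_ERR_MODIFIED"
    if not check_flags_for_compatibility(req["kdc_options"], resp["flags"]):
        return "KRB_AP_ERR_MODIFIED"
    # Time window: an unspecified start must be "now" within the skew, an
    # explicit start must be honoured exactly, and neither the end nor the
    # renewal limit may exceed what was requested.
    if req["from"] == 0 and abs(resp["starttime"] - now) > clock_skew:
        return "KRB_AP_ERR_SKEW"
    if req["from"] != 0 and req["from"] != resp["starttime"]:
        return "KRB_AP_ERR_MODIFIED"
    if req["till"] != 0 and resp["endtime"] > req["till"]:
        return "KRB_AP_ERR_MODIFIED"
    opts = req["kdc_options"]
    renew_till = resp.get("renew_till", 0)
    if "RENEWABLE" in opts and req["rtime"] != 0 and renew_till > req["rtime"]:
        return "KRB_AP_ERR_MODIFIED"
    if ("RENEWABLE-OK" in opts and "RENEWABLE" in resp["flags"]
            and req["till"] != 0 and renew_till > req["till"]):
        return "KRB_AP_ERR_MODIFIED"
    return "OK"


# Constructed sample exchange (not from the draft): what a client keeps from
# its KRB_TGS_REQ and the decrypted enc-part of the matching KRB_TGS_REP.
SAMPLE_REQ = {
    "cname": "alice", "realm": "EXAMPLE.ORG", "sname": "host/fs.example.org",
    "nonce": 0x5A3C91D2, "addresses": None,
    "kdc_options": {"FORWARDABLE", "RENEWABLE-OK"},
    "from": 0, "till": 105000, "rtime": 0,
}
SAMPLE_RESP = {
    "cname": "alice", "crealm": "EXAMPLE.ORG", "sname": "host/fs.example.org",
    "realm": "EXAMPLE.ORG", "nonce": 0x5A3C91D2, "caddr": None,
    "flags": {"FORWARDABLE", "RENEWABLE"},
    "starttime": 5000, "endtime": 33800, "renew_till": 105000,
}
```

A reply whose flags are merely a subset of what was asked for (the KDC declined RENEWABLE-OK, say) passes, while any flag the client did not request and cannot explain is treated as modification, which is the conservative reading of the comment in A.6.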
A.7.  Authenticator generation

        store authenticator_vno in staging area; /* authenticator_vno = 5 */
        store client name in staging area; /* cname, crealm */
        store checksum_type in staging area; /* checksum_type */
        store checksum in staging area; /* checksum */
        get system_time;
        store system_time.milliseconds in staging area; /* cmsec */
        store system_time.seconds in staging area; /* ctime */

        encrypt staging area;
        store encrypted data in authenticator;

A.8.  KRB_AP_REQ generation

        obtain ticket and session_key;

        store asn1_header in packet; /* constant except for length encoding */
        store message type in packet; /* type = KRB_AP_REQ */

        if desired(MUTUAL_AUTHENTICATION) then
                set options.MUTUAL-REQUIRED;
        else
                reset options.MUTUAL-REQUIRED;
        endif
        if using_session_key then
                set options.USE-SESSION-KEY;
        else
                reset options.USE-SESSION-KEY;
        endif
        store options in packet; /* ap_options */
        store ticket in packet; /* ticket */
        generate authenticator using session_key;
        store authenticator in packet; /* authenticator */

A.9.  KRB_AP_REQ verification

        receive packet;
        if packet.pvno != 5 then
                either process using other protocol spec
                or error_out(KRB_APP_ERR_BADVERSION);
        endif
        if packet.msg_type != KRB_AP_REQ then
                error_out(KRB_APP_ERR_MSG_TYPE);
        endif
        if packet.ticket.tkt_vno != 5 then
                either process using other protocol spec
                or error_out(KRB_APP_ERR_BADVERSION);
        endif
        if packet.ap_options.USE-SESSION-KEY is set then
                retrieve session key from ticket-granting ticket for
                 packet.ticket.{sname,srealm,etype,skvno}
        else
                retrieve service key for
                 packet.ticket.{sname,srealm,etype,skvno}
        endif
        if no_key_available then
                if cant_find_specified_skvno then
                        error_out(KRB_AP_ERR_BADKEYVER);
                else
                        error_out(KRB_AP_ERR_NOKEY);
                endif
        endif
        decrypt packet.ticket into decr_ticket using key;
        if integrity_error then
                error_out(KRB_AP_BAD_INTEGRITY);
        endif
        decrypt packet.authenticator into decr_authenticator using
         decr_ticket.session and decr_ticket.keytype;
        if integrity_error then
                error_out(KRB_AP_BAD_INTEGRITY);
        endif
        if decr_authenticator.{cname,crealm} !=
         decr_ticket.{cname,cinst,crealm} then
                error_out(KRB_AP_ERR_BADMATCH);
        endif
        if sender_address(packet) is not in decr_ticket.caddr then
                error_out(KRB_AP_ERR_BADADDR);
        endif
        if not in_clock_skew(decr_authenticator.ctime) then
                error_out(KRB_AP_ERR_SKEW);
        endif
        if repeated(decr_authenticator.ctime,decr_authenticator.cmsec,
                    sender_address(packet),{cname,crealm}) then
                error_out(KRB_AP_ERR_REPEAT);
        endif
        save_identifier(decr_authenticator.timestamp,
                        decr_authenticator.cmsec,sender_address(packet),
                        sender_principal(packet));
        get system_time;
        if decr_ticket.starttime-system_time > CLOCK_SKEW then
                /* it hasn't yet become valid */
                error_out(KRB_AP_ERR_TKT_NYV);
        endif
        if system_time-decr_ticket.endtime > CLOCK_SKEW then
                error_out(KRB_AP_ERR_TKT_EXPIRED);
        endif
        /* caller must check decr_ticket.flags for any pertinent details */
        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
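Once the ticket and authenticator of A.9 have been decrypted, the remaining checks are what defend the application server against a captured KRB_AP_REQ being presented again: the authenticator's names must match the ticket, the sender must be one of the ticket's addresses, the authenticator timestamp must be within the clock skew, the (ctime, cmsec, address, principal) identifier must not have been seen before, and the ticket itself must be inside its validity window. The block below is an added example of that sequence, not code from the draft or from any Kerberos implementation; the dataclasses and the ReplayCache are assumptions, the latter being one possible realisation of the pseudocode's repeated() and save_identifier() pair.

```python
"""Post-decryption checks of Appendix A.9, including a replay cache.
Added example; the data shapes and CLOCK_SKEW value are assumed."""
from dataclasses import dataclass

CLOCK_SKEW = 300     # seconds of tolerated clock drift; a common setting, assumed


@dataclass
class DecryptedTicket:
    cname: str
    crealm: str
    caddr: tuple        # addresses the ticket may be used from; () = none listed
    starttime: int
    endtime: int


@dataclass
class Authenticator:
    cname: str
    crealm: str
    ctime: int          # client's clock, seconds
    cmsec: int          # and milliseconds, to tell apart two requests in one second


class ReplayCache:
    """Assumed realisation of repeated()/save_identifier() from A.9.

    Identifiers only need to be kept for one skew window: anything older
    is already refused by the clock-skew check before the cache is asked."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self.seen = {}   # (ctime, cmsec, address, principal) -> ctime

    def _expire(self, now):
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.skew}

    def repeated(self, ctime, cmsec, addr, principal, now):
        self._expire(now)
        return (ctime, cmsec, addr, principal) in self.seen

    def save_identifier(self, ctime, cmsec, addr, principal):
        self.seen[(ctime, cmsec, addr, principal)] = ctime


def in_clock_skew(t, now, skew=CLOCK_SKEW):
    return abs(now - t) <= skew


def verify_ap_req(ticket, auth, sender_addr, now, cache, mutual_required=False):
    """Checks A.9 runs after decrypting the ticket and authenticator.

    Returns ("OK", ticket, mutual_required) or (error_code, None, None)."""
    # The authenticator was encrypted under the ticket's session key, so a
    # name mismatch means the two were not issued together.
    if (auth.cname, auth.crealm) != (ticket.cname, ticket.crealm):
        return ("KRB_AP_ERR_BADMATCH", None, None)
    # Assumption made here: a ticket listing no addresses is treated as
    # unrestricted; the draft's text only says the sender must be listed.
    if ticket.caddr and sender_addr not in ticket.caddr:
        return ("KRB_AP_ERR_BADADDR", None, None)
    if not in_clock_skew(auth.ctime, now, cache.skew):
        return ("KRB_AP_ERR_SKEW", None, None)
    principal = (auth.cname, auth.crealm)
    if cache.repeated(auth.ctime, auth.cmsec, sender_addr, principal, now):
        return ("KRB_AP_ERR_REPEAT", None, None)
    cache.save_identifier(auth.ctime, auth.cmsec, sender_addr, principal)
    # Ticket validity window, again with skew tolerance on both ends.
    if ticket.starttime - now > cache.skew:
        return ("KRB_AP_ERR_TKT_NYV", None, None)
    if now - ticket.endtime > cache.skew:
        return ("KRB_AP_ERR_TKT_EXPIRED", None, None)
    return ("OK", ticket, mutual_required)
```

The order matters: the skew check runs before the cache lookup, which is what lets the cache forget identifiers older than one skew window without opening a replay opportunity, and a server with several processes must share that cache or the check is only per process.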
A.10.  KRB_AP_REP generation

        store protocol version in packet; /* pvno = 5 */
        store message type in packet; /* type = KRB_AP_REP */
        store packet.ctime in staging area;
        store packet.cmsec in staging area;
        encrypt staging area using ticket.session;
        store encrypted data in packet;

        return packet;

A.11.  KRB_AP_REP verification

        receive packet;
        if packet.pvno != 5 then
                either process using other protocol spec
                or error_out(KRB_APP_ERR_BADVERSION);
        endif
        if packet.msg_type != KRB_AP_REP then
                error_out(KRB_APP_ERR_MSG_TYPE);
        endif
        decrypted_portion = decrypt(remainder(packet));
        if integrity_error then
                error_out(KRB_AP_BAD_INTEGRITY);
        endif
        if decrypted_portion.ctime != authenticator.system_time.ctime then
                error_out(KRB_AP_ERR_MUT_FAIL);
        endif
        if decrypted_portion.cmsec != authenticator.system_time.cmsec then
                error_out(KRB_AP_ERR_MUT_FAIL);
        endif
        return(AUTHENTICATION_SUCCEEDED);

A.12.  KRB_SAFE generation

        collect user data in buffer;
        get system time;
        if sender_address > receiver_address then
                set direction bit;
        else
                reset direction bit;
        endif
        encode host addresses as hostaddr;
        /* assemble packet: */
        store protocol version in packet; /* pvno = 5 */
        store message type in packet; /* type = KRB_SAFE */
        store buffer in packet; /* DATA */
        store milliseconds and direction bit in packet; /* msec+D */
        store host addresses in packet; /* haddr */
        store timestamp in packet; /* timestamp */
        store checksum type in packet; /* checksum_type */
        compute checksum over packet; /* DATA to checksum_type, inclusive */
        store checksum in packet; /* checksum */

A.13.  KRB_SAFE verification

        receive packet;
        if packet.pvno != 5 then
                either process using other protocol spec
                or error_out(KRB_APP_ERR_BADVERSION);
        endif
        if packet.msg_type != KRB_SAFE then
                error_out(KRB_APP_ERR_MSG_TYPE);
        endif
        if length(packet.DATA)+length(packet.hostaddr)+
                length(packet.checksum)+10 != O/S_length(packet) then
                /* the length didn't match what the operating system
                   reported */
                error_out(KRB_APP_ERR_MODIFIED);
        endif
        if sender_address(packet) is not in packet.hostaddr then
                /* O/S report of sender not in the list */
                error_out(KRB_APP_ERR_BADADDR);
        endif
        if not in_clock_skew(packet.timestamp) then
                error_out(KRB_APP_ERR_SKEW);
        endif
        if repeated(packet.timestamp,packet.msec,sender_address(packet),
                    sender_principal(packet)) then
                error_out(KRB_APP_ERR_REPEAT);
        endif
        save_identifier(packet.timestamp,packet.msec,sender_address(packet),
                        sender_principal(packet));
        if sender_address(packet) > receiver_address(packet) then
                set computed_direction;
        else
                reset computed_direction;
        endif

        if computed_direction != packet.direction_bit then
                error_out(KRB_APP_ERR_REPEAT); /* XXX */
        endif
        /* run checksum from DATA to checksum_type, inclusive */
        set computed_checksum = checksum(packet);
        if computed_checksum != packet.checksum then
                error_out(KRB_AP_ERR_MODIFIED);
        endif
        return(packet.DATA, PACKET_IS_GENUINE);
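A.12 and A.13 together describe an integrity-only message: the checksum covers everything from DATA through checksum_type, the length check guards against a packet that was padded or truncated before the parser looks at any field, and the direction bit is the draft's defence against a message being reflected back to its sender. The following is an added example that builds and verifies such a message; it is not the draft's code. The byte layout is a constructed stand-in for the real ASN.1 encoding (with a fixed overhead of 13 bytes rather than the draft's 10), HMAC-SHA256 under the session key stands in for the draft's checksum types, the type numbers marked as constructed are placeholders, and the replay check of A.13 is left out of this block.

```python
"""KRB_SAFE construction and verification following Appendix A.12/A.13.
Added example; byte layout, checksum algorithm and sample values are assumed."""
import hashlib
import hmac
import struct

PVNO = 5
KRB_SAFE = 20          # message type number assigned to KRB_SAFE in Kerberos V5
CKSUM_LEN = 32         # HMAC-SHA256 output, the stand-in checksum used here
CKSUMTYPE = 0x63       # constructed type number for that stand-in
FIXED_LEN = 13         # pvno, type, two length fields, msec+D, timestamp, cksum type


def direction_bit(sender, receiver):
    """Set when the sender's address compares higher (A.12/A.13)."""
    return 1 if sender > receiver else 0


def build_safe(key, data, sender, receiver, timestamp, msec):
    """KRB_SAFE in a constructed byte layout (not the draft's ASN.1)."""
    haddr = ",".join((sender, receiver)).encode()
    msec_d = (direction_bit(sender, receiver) << 15) | (msec & 0x3FF)
    body = (struct.pack(">H", len(data)) + data +
            struct.pack(">H", msec_d) +
            struct.pack(">H", len(haddr)) + haddr +
            struct.pack(">I", timestamp) +
            struct.pack(">B", CKSUMTYPE))
    # keyed checksum over DATA .. checksum_type inclusive, nothing else
    cksum = hmac.new(key, body, hashlib.sha256).digest()
    return struct.pack(">BB", PVNO, KRB_SAFE) + body + cksum


def verify_safe(key, packet, sender, receiver, now, skew=300):
    """Return ("OK", data) or (error_code, None), in the order of A.13."""
    if len(packet) < 2:
        return ("KRB_APP_ERR_MODIFIED", None)
    if packet[0] != PVNO:
        return ("KRB_APP_ERR_BADVERSION", None)
    if packet[1] != KRB_SAFE:
        return ("KRB_APP_ERR_MSG_TYPE", None)
    try:
        (dlen,) = struct.unpack_from(">H", packet, 2)
        (msec_d,) = struct.unpack_from(">H", packet, 4 + dlen)
        (alen,) = struct.unpack_from(">H", packet, 6 + dlen)
    except struct.error:
        return ("KRB_APP_ERR_MODIFIED", None)
    # Length check: field lengths plus fixed overhead must equal what the
    # transport delivered, before any field is trusted.
    if dlen + alen + CKSUM_LEN + FIXED_LEN != len(packet):
        return ("KRB_APP_ERR_MODIFIED", None)
    data = packet[4:4 + dlen]
    haddr = packet[8 + dlen:8 + dlen + alen].decode("ascii", "replace").split(",")
    (timestamp,) = struct.unpack_from(">I", packet, 8 + dlen + alen)
    cksum_type = packet[12 + dlen + alen]
    cksum = packet[13 + dlen + alen:]
    if sender not in haddr:
        return ("KRB_APP_ERR_BADADDR", None)
    if abs(now - timestamp) > skew:
        return ("KRB_APP_ERR_SKEW", None)
    # (A.13's replay check against saved identifiers would go here)
    if direction_bit(sender, receiver) != msec_d >> 15:
        return ("KRB_APP_ERR_REPEAT", None)      # our own message reflected back
    if cksum_type != CKSUMTYPE:
        return ("KRB_AP_ERR_MODIFIED", None)
    expected = hmac.new(key, packet[2:13 + dlen + alen], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cksum):   # constant-time comparison
        return ("KRB_AP_ERR_MODIFIED", None)
    return ("OK", data)
```

Two details carry over to any real implementation: the checksum must be keyed (an unkeyed checksum can simply be recomputed by whoever alters DATA), and the comparison should not leak through timing which prefix of the checksum was right, hence hmac.compare_digest rather than the == of the pseudocode.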
A.14.  KRB_PRIV generation

        collect user data in buffer;
        get system time;
        if sender_address > receiver_address then
                set direction bit;
        else
                clear direction bit;
        endif
        encode host addresses as hostaddr;
        /* compute length of encrypted portion */
        select encryption type;
        add length of data buffer encoding, host address encoding, and
                6, rounding up to nearest blocksize;
        /* assemble packet: */
        store protocol version in packet; /* pvno = 5 */
        store message type in packet; /* type = KRB_PRIV */
        store encryption type in packet; /* etype */
        store computed length of encrypted portion in packet;
        store buffer in encryption area; /* DATA */
        store milliseconds and direction bit in encryption area; /* msec+D */
        store host addresses in encryption area; /* haddr */
        store timestamp in encryption area; /* timestamp */
        encrypt data in encryption area;
        store encrypted output in packet;

A.15.  KRB_PRIV verification

        receive packet;
        if packet.pvno != 5 then
                either process using other protocol spec
                or error_out(KRB_APP_ERR_BADVERSION);
        endif
        if packet.msg_type != KRB_PRIV then
                error_out(KRB_APP_ERR_MSG_TYPE);
        endif
        if packet.len_E + 4 != O/S_length(packet) then
                error_out(KRB_APP_ERR_MODIFIED);
        endif
        cleartext = decrypt(packet);
        /* 14 is for pvno, type, etype, len_E, msec, timestamp */
        if length(cleartext.DATA) > O/S_length(packet)-14 then
                error_out(KRB_APP_ERR_MODIFIED);
        endif
        /* 14 is for pvno, type, etype, len_E, msec, timestamp */
        if length(cleartext.haddr) > O/S_length(packet)-14 then
                error_out(KRB_APP_ERR_MODIFIED);
        endif
        if length(cleartext.DATA)+length(cleartext.haddr)+
                length(packet.checksum)+14 + length(cleartext.PAD)
                != length(packet) then
                /* the length didn't match what the operating system
                   reported */
                error_out(KRB_APP_ERR_MODIFIED);
        endif
        if sender_address(packet) is not in cleartext.haddr then
                /* O/S report of sender not in the list */
                error_out(KRB_APP_ERR_BADADDR);
        endif
        if not in_clock_skew(cleartext.timestamp) then
                error_out(KRB_APP_ERR_SKEW);
        endif
        if repeated(cleartext.timestamp,cleartext.msec,sender_address(packet),
                    sender_principal(packet)) then
                error_out(KRB_APP_ERR_REPEAT);
        endif
        save_identifier(cleartext.timestamp,cleartext.msec,
                        sender_address(packet),sender_principal(packet));
        if sender_address(packet) > receiver_address(packet) then
                set computed_direction;
        else
                reset computed_direction;
        endif

        if computed_direction != cleartext.direction_bit then
                error_out(KRB_APP_ERR_REPEAT); /* XXX */
        endif
        return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);

B.  REFERENCES

1.  S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer, Section E.2.1: Kerberos Authentication and Authorization System, M.I.T. Project Athena, Cambridge, Massachusetts (December 21, 1987).

2.  J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Kerberos: An Authentication Service for Open Network Systems," pp. 191-202 in Usenix Conference Proceedings, Dallas, Texas (February, 1988).

3.  R. M. Needham and M. D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Communications of the ACM 21(12), pp. 993-999 (December, 1978).

4.  Dorothy E. Denning and Giovanni Maria Sacco, "Timestamps in Key Distribution Protocols," Communications of the ACM 24(8), pp. 533-536 (August 1981).

5.  Don Davis and Ralph Swick, Workstation Services and Kerberos Authentication at Project Athena, MIT Project Athena (March 3, 1989).

6.  National Bureau of Standards, "Data Encryption Standard," Federal Information Processing Standards Publication 46, Washington, D.C. (1977).

7.  National Bureau of Standards, "DES Modes of Operation," Federal Information Processing Standards Publication 81, Springfield, VA (1980).

8.  P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Sommerfeld, and K. Raeburn, Section E.1: Service Management System, M.I.T. Project Athena, Cambridge, Massachusetts (1987).

9.  J. L. Smith, "The design of Lucifer, a cryptographic device for data communications," RC 3326, IBM T.J. Watson Research Center, Yorktown Heights, NY (April 15, 1971).

10.
755(International)X 1192(Organization)X 1638(for)X 1759(Standardization,)X 2309(``ISO)X 2519(Information)X 2929(Processing)X 3303(Systems)X 3596(-)X 3650(Data)X 3829(Com-)X 755 2928(munication)N 1150(-)X 1212(High-Level)X 1617(Data)X 1803(Link)X 1988(Control)X 2266(Procedure)X 2626(-)X 2687(Frame)X 2926(Structure,'')X 3328(3309,)X 3562(ISO)X 3725(\(October)X 755 3024(1984\).)N 1002(3rd)X 1129(Edition.)X 555 6144(Section)N 815(B.)X 2194(-)X 2241(lvi)X 2345(-)X 1 p %%Page: 1 58 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 12 s 1918 960(Table)N 2177(of)X 2281(Contents)X 1 f 10 s 555 1372(Overview)N 911(.................................................................................................................................................)X 3971(1)X 555 1496(Acknowledgments)N 1191(...................................................................................................................................)X 3971(1)X 555 1620(1.)N 3 f 635(Introduction)X 1 f 1091(........................................................................................................................................)X 3971(1)X 555 1744(1.1.)N 3 f 695(Glossary)X 1017(of)X 1104(terms)X 1 f 1331(............................................................................................................................)X 3971(3)X 555 1868(2.)N 3 f 635(Message)X 945(Exchanges)X 1 f 1331(............................................................................................................................)X 3971(5)X 555 1992(2.1.)N 3 f 695(The)X 848(Authentication)X 1379(Service)X 1649(\(AS\))X 1825(Exchange)X 1 f 2191(.................................................................................)X 3971(5)X 555 2116(2.1.1.)N 755(Generation)X 1132(of)X 1219(KRB_AS_REQ)X 1745(message)X 2051(........................................................................................)X 3971(5)X 555 2240(2.1.2.)N 755(Receipt)X 1020(of)X 1107(KRB_AS_REQ)X 1633(message)X 
1931(..............................................................................................)X 3971(6)X 555 2364(2.1.3.)N 755(Generation)X 1132(of)X 1219(KRB_AS_REP)X 1731(message)X 2031(.........................................................................................)X 3971(6)X 555 2488(2.1.4.)N 755(Generation)X 1132(of)X 1219(KRB_ERROR)X 1709(message)X 2011(..........................................................................................)X 3971(7)X 555 2612(2.1.5.)N 755(Receipt)X 1020(of)X 1107(KRB_AS_REP)X 1619(message)X 1911(...............................................................................................)X 3971(7)X 555 2736(2.1.6.)N 755(Receipt)X 1020(of)X 1107(KRB_ERROR)X 1597(message)X 1891(................................................................................................)X 3971(7)X 555 2860(2.2.)N 3 f 695(The)X 848(Client/Server)X 1327(\(CS\))X 1503(Authentication)X 2034(Exchange)X 1 f 2391(.......................................................................)X 3971(7)X 555 2984(2.2.1.)N 755(The)X 900(KRB_AP_REQ)X 1426(message)X 1731(........................................................................................................)X 3971(7)X 555 3108(2.2.2.)N 755(Generation)X 1132(of)X 1219(a)X 1275(KRB_AP_REQ)X 1801(message)X 2111(.....................................................................................)X 3971(7)X 555 3232(2.2.3.)N 755(Receipt)X 1020(of)X 1107(KRB_AP_REQ)X 1633(message)X 1931(..............................................................................................)X 3971(7)X 555 3356(2.2.4.)N 755(Generation)X 1132(of)X 1219(a)X 1275(KRB_AP_REP)X 1787(message)X 2091(......................................................................................)X 3971(8)X 555 3480(2.2.5.)N 755(Receipt)X 1020(of)X 1107(KRB_AP_REP)X 1619(message)X 1911(...............................................................................................)X 3971(8)X 555 3604(2.2.6.)N 
755(Using)X 966(the)X 1084(encryption)X 1447(key)X 1591(...............................................................................................................)X 3971(9)X 555 3728(2.3.)N 3 f 695(The)X 848(Ticket-Granting)X 1428(Service)X 1698(\(TGS\))X 1931(Exchange)X 1 f 2291(............................................................................)X 3971(9)X 555 3852(2.3.1.)N 755(Generation)X 1132(of)X 1219(KRB_TGS_REQ)X 1794(message)X 2091(......................................................................................)X 3971(9)X 555 3976(2.3.2.)N 755(Receipt)X 1020(of)X 1107(KRB_TGS_REQ)X 1682(message)X 1991(...........................................................................................)X 3931(10)X 555 4100(2.3.3.)N 755(Generation)X 1132(of)X 1219(KRB_TGS_REP)X 1780(message)X 2091(......................................................................................)X 3931(10)X 555 4224(2.3.4.)N 755(Receipt)X 1020(of)X 1107(KRB_TGS_REP)X 1668(message)X 1971(............................................................................................)X 3931(11)X 555 4348(2.4.)N 3 f 695(The)X 848(KRB_SAFE)X 1285(Exchange)X 1 f 1651(............................................................................................................)X 3931(11)X 555 4472(2.4.1.)N 755(Generation)X 1132(of)X 1219(a)X 1275(KRB_SAFE)X 1694(message)X 1991(...........................................................................................)X 3931(12)X 555 4596(2.4.2.)N 755(Receipt)X 1020(of)X 1107(KRB_SAFE)X 1526(message)X 1831(...................................................................................................)X 3931(12)X 555 4720(2.5.)N 3 f 695(The)X 848(KRB_PRIV)X 1277(Exchange)X 1 f 1631(.............................................................................................................)X 3931(12)X 555 4844(2.5.1.)N 755(Generation)X 1132(of)X 1219(a)X 1275(KRB_PRIV)X 1681(message)X 
1991(...........................................................................................)X 3931(12)X 555 4968(2.5.2.)N 755(Receipt)X 1020(of)X 1107(KRB_PRIV)X 1513(message)X 1811(....................................................................................................)X 3931(12)X 555 5092(3.)N 3 f 635(Encryption)X 1 f 1051(..........................................................................................................................................)X 3931(13)X 555 5216(4.)N 3 f 635(The)X 788(Kerberos)X 1129(Database)X 1 f 1471(.....................................................................................................................)X 3931(13)X 555 5340(4.1.)N 3 f 695(Database)X 1031(contents)X 1 f 1351(...........................................................................................................................)X 3931(13)X 555 5464(4.2.)N 3 f 695(Additional)X 1078(\256elds)X 1 f 1291(..............................................................................................................................)X 3931(14)X 555 5588(4.3.)N 3 f 695(Frequently)X 1093(Changing)X 1445(Fields)X 1 f 1671(...........................................................................................................)X 3931(15)X 555 5712(4.4.)N 3 f 695(Site)X 844(Constants)X 1 f 1211(..................................................................................................................................)X 3931(15)X 555 5836(5.)N 3 f 635(Field)X 828(Descriptions)X 1275(and)X 1423(Encodings)X 1 f 1811(....................................................................................................)X 3931(15)X 555 6144(Section)N 815(B.)X 2225(-)X 2272(i)X 2314(-)X 2 p %%Page: 2 59 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 555 672(5.1.)N 3 f 695(Field)X 888(Descriptions)X 1 f 
1351(...........................................................................................................................)X 3931(15)X 555 796(5.2.)N 3 f 695(Prede\256ned)X 1084(Data)X 1269(Types)X 1 f 1511(...................................................................................................................)X 3931(26)X 555 920(5.2.1.)N 755(Host)X 926(address)X 1187(types)X 1391(.........................................................................................................................)X 3931(26)X 555 1044(6.)N 3 f 635(Message)X 945(Speci\256cations)X 1 f 1431(.......................................................................................................................)X 3931(27)X 555 1168(6.1.)N 3 f 695(ASN.1)X 935(Base)X 1115(De\256nitions)X 1 f 1511(...................................................................................................................)X 3931(27)X 555 1292(6.2.)N 3 f 695(Tickets)X 964(and)X 1112(Authenticators)X 1 f 1651(............................................................................................................)X 3931(29)X 555 1416(6.2.1.)N 755(Tickets)X 1011(............................................................................................................................................)X 3931(29)X 555 1540(6.2.2.)N 755(Authenticators)X 1251(................................................................................................................................)X 3931(29)X 555 1664(6.3.)N 3 f 695(Speci\256cations)X 1181(for)X 1304(messages)X 1636(between)X 1937(the)X 2064(client)X 2271(and)X 2419(the)X 2546(Kerberos)X 2887(server)X 1 f 3131(..................................)X 3931(29)X 555 1788(6.3.1.)N 755(KRB_KDC_REQ)X 1348(de\256nition)X 1691(..........................................................................................................)X 3931(30)X 555 1912(6.3.2.)N 755(KRB_KDC_REP)X 1334(de\256nition)X 
1671(...........................................................................................................)X 3931(31)X 555 2036(6.4.)N 3 f 695(Client/Server)X 1174(\(CS\))X 1350(message)X 1651(speci\256cations)X 1 f 2131(....................................................................................)X 3931(31)X 555 2160(6.4.1.)N 755(KRB_AP_REQ)X 1281(de\256nition)X 1611(..............................................................................................................)X 3931(32)X 555 2284(6.4.2.)N 755(KRB_AP_REP)X 1267(de\256nition)X 1611(..............................................................................................................)X 3931(32)X 555 2408(6.4.3.)N 755(Error)X 945(message)X 1237(reply)X 1431(.......................................................................................................................)X 3931(32)X 555 2532(6.5.)N 3 f 695(KRB_SAFE)X 1132(message)X 1433(speci\256cation)X 1 f 1891(................................................................................................)X 3931(32)X 555 2656(6.5.1.)N 755(KRB_SAFE)X 1174(de\256nition)X 1511(...................................................................................................................)X 3931(33)X 555 2780(6.6.)N 3 f 695(KRB_PRIV)X 1124(message)X 1425(speci\256cation)X 1 f 1871(.................................................................................................)X 3931(33)X 555 2904(6.6.1.)N 755(KRB_PRIV)X 1161(de\256nition)X 1491(....................................................................................................................)X 3931(33)X 555 3028(6.7.)N 3 f 695(Error)X 916(message)X 1217(speci\256cation)X 1 f 1671(...........................................................................................................)X 3931(34)X 555 3152(6.7.1.)N 755(KRB_ERROR)X 1245(de\256nition)X 
1571(................................................................................................................)X 3931(34)X 555 3276(7.)N 3 f 635(Encryption)X 1041(and)X 1189(Checksum)X 1569(Speci\256cations)X 1 f 2071(.......................................................................................)X 3931(34)X 555 3400(7.1.)N 3 f 695(Encryption)X 1101(Speci\256cations)X 1 f 1591(...............................................................................................................)X 3931(34)X 555 3524(7.1.1.)N 755(The)X 900(NULL)X 1134(Encryption)X 1510(System)X 1765(\(null\))X 1971(............................................................................................)X 3931(36)X 555 3648(7.1.2.)N 755(DES)X 926(in)X 1008(CBC)X 1187(mode)X 1385(with)X 1547(a)X 1603(CRC-32)X 1889(checksum)X 2230 0.3542(\(des-cbc-crc\))AX 2691(........................................................)X 3931(36)X 555 3772(7.2.)N 3 f 695(Checksums)X 1 f 1111(.......................................................................................................................................)X 3931(37)X 555 3896(7.2.1.)N 755(The)X 900(CRC-32)X 1186(Checksum)X 1544(\(crc32\))X 1811(....................................................................................................)X 3931(37)X 555 4020(7.2.2.)N 755(The)X 900(RSA)X 1075(MD4)X 1264(Checksum)X 1622(\(rsa-md4\))X 1971(............................................................................................)X 3931(37)X 555 4144(7.2.3.)N 755(RSA)X 930(MD4)X 1119(Cryptographic)X 1602(Checksum)X 1960(Using)X 2171(DES)X 2342(\(rsa-md4-des\))X 2831(.................................................)X 3931(38)X 555 4268(8.)N 3 f 635(Constants)X 1 f 1011(............................................................................................................................................)X 3931(38)X 555 4392(A.)N 3 f 653(Pseudo-code)X 1100(for)X 1223(protocol)X 1528(processing)X 1 f 
1911(...............................................................................................)X 3931(40)X 555 4516(A.1.)N 3 f 713(KRB_AS_REQ)X 1261(generation)X 1 f 1651(............................................................................................................)X 3931(40)X 555 4640(A.2.)N 3 f 713(KRB_AS_REQ)X 1261(veri\256cation)X 1668(and)X 1816(KRB_AS_REP)X 2351(generation)X 1 f 2751(.....................................................)X 3931(40)X 555 4764(A.3.)N 3 f 713(KRB_AS_REP)X 1248(veri\256cation)X 1 f 1671(...........................................................................................................)X 3931(43)X 555 4888(A.4.)N 3 f 713(KRB_TGS_REQ)X 1318(generation)X 1 f 1711(.........................................................................................................)X 3931(44)X 555 5012(A.5.)N 3 f 713(KRB_TGS_REQ)X 1318(veri\256cation)X 1725(and)X 1873(KRB_TGS_REP)X 2465(generation)X 1 f 2851(................................................)X 3931(45)X 555 5136(A.6.)N 3 f 713(KRB_TGS_REP)X 1305(veri\256cation)X 1 f 1731(........................................................................................................)X 3931(49)X 555 5260(A.7.)N 3 f 713(Authenticator)X 1214(generation)X 1 f 1611(..............................................................................................................)X 3931(50)X 555 5384(A.8.)N 3 f 713(KRB_AP_REQ)X 1266(generation)X 1 f 1651(............................................................................................................)X 3931(51)X 555 5508(A.9.)N 3 f 713(KRB_AP_REQ)X 1266(veri\256cation)X 1 f 1691(..........................................................................................................)X 3931(51)X 555 5632(A.10.)N 3 f 753(KRB_AP_REP)X 1293(generation)X 1 f 1691(..........................................................................................................)X 3931(52)X 555 5756(A.11.)N 3 f 753(KRB_AP_REP)X 
1293(veri\256cation)X 1 f 1711(.........................................................................................................)X 3931(52)X 555 6144(Section)N 815(B.)X 2214(-)X 2261(ii)X 2325(-)X 3 p %%Page: 3 60 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(3)X 1 f 555 672(A.12.)N 3 f 753(KRB_SAFE)X 1190(generation)X 1 f 1591(...............................................................................................................)X 3931(53)X 555 796(A.13.)N 3 f 753(KRB_SAFE)X 1190(veri\256cation)X 1 f 1611(..............................................................................................................)X 3931(53)X 555 920(A.14.)N 3 f 753(KRB_PRIV)X 1182(generation)X 1 f 1571(................................................................................................................)X 3931(54)X 555 1044(A.15.)N 3 f 753(KRB_PRIV)X 1182(veri\256cation)X 1 f 1591(...............................................................................................................)X 3931(55)X 555 1168(B.)N 3 f 648(REFERENCES)X 1 f 1211(..................................................................................................................................)X 3931(56)X 555 6144(Section)N 815(B.)X 2203(-)X 2250(iii)X 2336(-)X 0 6360(--)N 4323(--)X 60 p %%Trailer xt xs
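The KRB_PRIV verification tail at the start of this section (the end of A.15) saves an identifier for replay detection and then compares the recomputed direction bit with the one carried in the cleartext. The following added example, which is not code from the draft, models that receiver logic in Python and shows what the bit buys a receiver: a copy reflected back at its originator carries a new identifier, so the replay cache alone accepts it and only the direction check rejects it. Assumptions are the packed-byte ordering used to compare addresses, the fixed replay window, and the carry-over of the draft's field, function and error names.

```python
# Receiver-side tail of KRB_PRIV verification modelled on the draft's A.15
# pseudo-code; an added example, not the draft's code.  Assumed: addresses compare
# as packed network-order bytes, the replay cache keeps identifiers for a fixed
# window, and a direction mismatch reports KRB_APP_ERR_REPEAT as the draft does.
import ipaddress
from dataclasses import dataclass

GENUINE = "PACKET_IS_GENUINE_AND_UNMODIFIED"
KRB_APP_ERR_REPEAT = "KRB_APP_ERR_REPEAT"

@dataclass
class Cleartext:          # decrypted KRB_PRIV body, draft field names
    timestamp: int        # seconds
    msec: int             # milliseconds within that second
    direction_bit: bool
    data: bytes

@dataclass
class Packet:
    sender_address: bytes    # packed address the packet came from
    receiver_address: bytes  # packed address it arrived at
    sender_principal: str
    cleartext: Cleartext

def packed(addr):
    """Network-order bytes of an IPv4/IPv6 address (assumed comparison key)."""
    return ipaddress.ip_address(addr).packed

def computed_direction(sender_address, receiver_address):
    """Draft rule: the bit is set iff sender address > receiver address."""
    return sender_address > receiver_address

def save_identifier(cache, ident, now, window_secs=300):
    """Draft's save_identifier() plus the repeat check; window is an assumption."""
    for stale in [k for k, t in cache.items() if now - t > window_secs]:
        del cache[stale]
    if ident in cache:
        return False                   # same identifier seen inside the window
    cache[ident] = now                 # cache maps identifier -> arrival time
    return True

def verify_priv_tail(packet, cache, now):
    """Returns (GENUINE, data) or (error name, None)."""
    ct = packet.cleartext
    ident = (ct.timestamp, ct.msec, packet.sender_address, packet.sender_principal)
    if not save_identifier(cache, ident, now):
        return (KRB_APP_ERR_REPEAT, None)
    if computed_direction(packet.sender_address, packet.receiver_address) != ct.direction_bit:
        return (KRB_APP_ERR_REPEAT, None)  # the draft's "/* XXX */" line
    return (GENUINE, ct.data)

def make_priv(sender, receiver, principal, ts, msec, data):
    """Sender side: stamp the direction bit for this address pair."""
    s, r = packed(sender), packed(receiver)
    return Packet(s, r, principal, Cleartext(ts, msec, computed_direction(s, r), data))

def demo():
    """Constructed traffic: fresh message, its replay, and a copy reflected back."""
    cache = {}
    fresh = make_priv("10.0.0.2", "10.0.0.1", "alice@EXAMPLE.REALM", 1000, 250, b"ok")
    first = verify_priv_tail(fresh, cache, now=1000)
    replay = verify_priv_tail(fresh, cache, now=1001)
    reflected = Packet(fresh.receiver_address, fresh.sender_address,
                       fresh.sender_principal, fresh.cleartext)
    return first, replay, verify_priv_tail(reflected, {}, now=1001)
```

The reflected packet is checked against the originator's own (empty) cache, which is the case the draft's direction bit is there to cover.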