|
DataMuseum.dkPresents historical artifacts from the history of: DKUUG/EUUG Conference tapes |
This is an automatic "excavation" of a thematic subset of
See our Wiki for more about DKUUG/EUUG Conference tapes Excavated with: AutoArchaeologist - Free & Open Source Software. |
top - metrics - downloadIndex: T U
Length: 390442 (0x5f52a)
Types: TextFile
Notes: Uncompressed file
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
└─⟦d6a18c1b8⟧ »./papers/Kerberos/V5DRAFT-RFC.PS.Z«
└─⟦d6a18c1b8⟧ »./papers/Kerberos/V5DRAFT2-RFC.PS.Z«
└─⟦this⟧
%!PS-Adobe-1.0
%%Creator: quicksilver:jtkohl (John T Kohl,,E40-351M,1510,7349625)
%%Title: stdin (ditroff)
%%CreationDate: Mon Nov 6 14:47:38 1989
%%EndComments
% Start of psdit.pro -- prolog for ditroff translator
% Copyright (c) 1985,1987 Adobe Systems Incorporated. All Rights Reserved.
% GOVERNMENT END USERS: See Notice file in TranScript library directory
% -- probably /usr/lib/ps/Notice
% RCS: $Header: psdit.pro,v 2.2 87/11/17 16:40:42 byron Rel $
/$DITroff 140 dict def $DITroff begin
/fontnum 1 def /fontsize 10 def /fontheight 10 def /fontslant 0 def
/xi {0 72 11 mul translate 72 resolution div dup neg scale 0 0 moveto
/fontnum 1 def /fontsize 10 def /fontheight 10 def /fontslant 0 def F
/pagesave save def}def
/PB{save /psv exch def currentpoint translate
resolution 72 div dup neg scale 0 0 moveto}def
/PE{psv restore}def
/m1 matrix def /m2 matrix def /m3 matrix def /oldmat matrix def
/tan{dup sin exch cos div}bind def
/point{resolution 72 div mul}bind def
/dround {transform round exch round exch itransform}bind def
/xT{/devname exch def}def
/xr{/mh exch def /my exch def /resolution exch def}def
/xp{}def
/xs{docsave restore end}def
/xt{}def
/xf{/fontname exch def /slotno exch def fontnames slotno get fontname eq not
{fonts slotno fontname findfont put fontnames slotno fontname put}if}def
/xH{/fontheight exch def F}bind def
/xS{/fontslant exch def F}bind def
/s{/fontsize exch def /fontheight fontsize def F}bind def
/f{/fontnum exch def F}bind def
/F{fontheight 0 le {/fontheight fontsize def}if
fonts fontnum get fontsize point 0 0 fontheight point neg 0 0 m1 astore
fontslant 0 ne{1 0 fontslant tan 1 0 0 m2 astore m3 concatmatrix}if
makefont setfont .04 fontsize point mul 0 dround pop setlinewidth}bind def
/X{exch currentpoint exch pop moveto show}bind def
/N{3 1 roll moveto show}bind def
/Y{exch currentpoint pop exch moveto show}bind def
/S /show load def
/ditpush{}def/ditpop{}def
/AX{3 -1 roll currentpoint exch pop moveto 0 exch ashow}bind def
/AN{4 2 roll moveto 0 exch ashow}bind def
/AY{3 -1 roll currentpoint pop exch moveto 0 exch ashow}bind def
/AS{0 exch ashow}bind def
/MX{currentpoint exch pop moveto}bind def
/MY{currentpoint pop exch moveto}bind def
/MXY /moveto load def
/cb{pop}def % action on unknown char -- nothing for now
/n{}def/w{}def
/p{pop showpage pagesave restore /pagesave save def}def
/abspoint{currentpoint exch pop add exch currentpoint pop add exch}def
/dstroke{currentpoint stroke moveto}bind def
/Dl{2 copy gsave rlineto stroke grestore rmoveto}bind def
/arcellipse{oldmat currentmatrix pop
currentpoint translate 1 diamv diamh div scale /rad diamh 2 div def
rad 0 rad -180 180 arc oldmat setmatrix}def
/Dc{gsave dup /diamv exch def /diamh exch def arcellipse dstroke
grestore diamh 0 rmoveto}def
/De{gsave /diamv exch def /diamh exch def arcellipse dstroke
grestore diamh 0 rmoveto}def
/Da{currentpoint /by exch def /bx exch def /fy exch def /fx exch def
/cy exch def /cx exch def /rad cx cx mul cy cy mul add sqrt def
/ang1 cy neg cx neg atan def /ang2 fy fx atan def cx bx add cy by add
2 copy rad ang1 ang2 arcn stroke exch fx add exch fy add moveto}def
/Barray 200 array def % 200 values in a wiggle
/D~{mark}def
/D~~{counttomark Barray exch 0 exch getinterval astore /Bcontrol exch def pop
/Blen Bcontrol length def Blen 4 ge Blen 2 mod 0 eq and
{Bcontrol 0 get Bcontrol 1 get abspoint /Ycont exch def /Xcont exch def
Bcontrol 0 2 copy get 2 mul put Bcontrol 1 2 copy get 2 mul put
Bcontrol Blen 2 sub 2 copy get 2 mul put
Bcontrol Blen 1 sub 2 copy get 2 mul put
/Ybi /Xbi currentpoint 3 1 roll def def 0 2 Blen 4 sub
{/i exch def
Bcontrol i get 3 div Bcontrol i 1 add get 3 div
Bcontrol i get 3 mul Bcontrol i 2 add get add 6 div
Bcontrol i 1 add get 3 mul Bcontrol i 3 add get add 6 div
/Xbi Xcont Bcontrol i 2 add get 2 div add def
/Ybi Ycont Bcontrol i 3 add get 2 div add def
/Xcont Xcont Bcontrol i 2 add get add def
/Ycont Ycont Bcontrol i 3 add get add def
Xbi currentpoint pop sub Ybi currentpoint exch pop sub rcurveto
}for dstroke}if}def
end
/ditstart{$DITroff begin
/nfonts 60 def % NFONTS makedev/ditroff dependent!
/fonts[nfonts{0}repeat]def
/fontnames[nfonts{()}repeat]def
/docsave save def
}def
% character outcalls
/oc {/pswid exch def /cc exch def /name exch def
/ditwid pswid fontsize mul resolution mul 72000 div def
/ditsiz fontsize resolution mul 72 div def
ocprocs name known{ocprocs name get exec}{name cb}
ifelse}def
/fractm [.65 0 0 .6 0 0] def
/fraction
{/fden exch def /fnum exch def gsave /cf currentfont def
cf fractm makefont setfont 0 .3 dm 2 copy neg rmoveto
fnum show rmoveto currentfont cf setfont(\244)show setfont fden show
grestore ditwid 0 rmoveto} def
/oce {grestore ditwid 0 rmoveto}def
/dm {ditsiz mul}def
/ocprocs 50 dict def ocprocs begin
(14){(1)(4)fraction}def
(12){(1)(2)fraction}def
(34){(3)(4)fraction}def
(13){(1)(3)fraction}def
(23){(2)(3)fraction}def
(18){(1)(8)fraction}def
(38){(3)(8)fraction}def
(58){(5)(8)fraction}def
(78){(7)(8)fraction}def
(sr){gsave .05 dm .16 dm rmoveto(\326)show oce}def
(is){gsave 0 .15 dm rmoveto(\362)show oce}def
(->){gsave 0 .02 dm rmoveto(\256)show oce}def
(<-){gsave 0 .02 dm rmoveto(\254)show oce}def
(==){gsave 0 .05 dm rmoveto(\272)show oce}def
end
% DIThacks fonts for some special chars
50 dict dup begin
/FontType 3 def
/FontName /DIThacks def
/FontMatrix [.001 0.0 0.0 .001 0.0 0.0] def
/FontBBox [-220 -280 900 900] def% a lie but ...
/Encoding 256 array def
0 1 255{Encoding exch /.notdef put}for
Encoding
dup 8#040/space put %space
dup 8#110/rc put %right ceil
dup 8#111/lt put %left top curl
dup 8#112/bv put %bold vert
dup 8#113/lk put %left mid curl
dup 8#114/lb put %left bot curl
dup 8#115/rt put %right top curl
dup 8#116/rk put %right mid curl
dup 8#117/rb put %right bot curl
dup 8#120/rf put %right floor
dup 8#121/lf put %left floor
dup 8#122/lc put %left ceil
dup 8#140/sq put %square
dup 8#141/bx put %box
dup 8#142/ci put %circle
dup 8#143/br put %box rule
dup 8#144/rn put %root extender
dup 8#145/vr put %vertical rule
dup 8#146/ob put %outline bullet
dup 8#147/bu put %bullet
dup 8#150/ru put %rule
dup 8#151/ul put %underline
pop
/DITfd 100 dict def
/BuildChar{0 begin
/cc exch def /fd exch def
/charname fd /Encoding get cc get def
/charwid fd /Metrics get charname get def
/charproc fd /CharProcs get charname get def
charwid 0 fd /FontBBox get aload pop setcachedevice
40 setlinewidth
newpath 0 0 moveto gsave charproc grestore
end}def
/BuildChar load 0 DITfd put
%/UniqueID 5 def
/CharProcs 50 dict def
CharProcs begin
/space{}def
/.notdef{}def
/ru{500 0 rls}def
/rn{0 750 moveto 500 0 rls}def
/vr{20 800 moveto 0 -770 rls}def
/bv{20 800 moveto 0 -1000 rls}def
/br{20 770 moveto 0 -1040 rls}def
/ul{0 -250 moveto 500 0 rls}def
/ob{200 250 rmoveto currentpoint newpath 200 0 360 arc closepath stroke}def
/bu{200 250 rmoveto currentpoint newpath 200 0 360 arc closepath fill}def
/sq{80 0 rmoveto currentpoint dround newpath moveto
640 0 rlineto 0 640 rlineto -640 0 rlineto closepath stroke}def
/bx{80 0 rmoveto currentpoint dround newpath moveto
640 0 rlineto 0 640 rlineto -640 0 rlineto closepath fill}def
/ci{355 333 rmoveto currentpoint newpath 333 0 360 arc
50 setlinewidth stroke}def
/lt{20 -200 moveto 0 550 rlineto currx 800 2cx s4 add exch s4 a4p stroke}def
/lb{20 800 moveto 0 -550 rlineto currx -200 2cx s4 add exch s4 a4p stroke}def
/rt{20 -200 moveto 0 550 rlineto currx 800 2cx s4 sub exch s4 a4p stroke}def
/rb{20 800 moveto 0 -500 rlineto currx -200 2cx s4 sub exch s4 a4p stroke}def
/lk{20 800 moveto 20 300 -280 300 s4 arcto pop pop 1000 sub
currentpoint stroke moveto
20 300 4 2 roll s4 a4p 20 -200 lineto stroke}def
/rk{20 800 moveto 20 300 320 300 s4 arcto pop pop 1000 sub
currentpoint stroke moveto
20 300 4 2 roll s4 a4p 20 -200 lineto stroke}def
/lf{20 800 moveto 0 -1000 rlineto s4 0 rls}def
/rf{20 800 moveto 0 -1000 rlineto s4 neg 0 rls}def
/lc{20 -200 moveto 0 1000 rlineto s4 0 rls}def
/rc{20 -200 moveto 0 1000 rlineto s4 neg 0 rls}def
end
/Metrics 50 dict def Metrics begin
/.notdef 0 def
/space 500 def
/ru 500 def
/br 0 def
/lt 250 def
/lb 250 def
/rt 250 def
/rb 250 def
/lk 250 def
/rk 250 def
/rc 250 def
/lc 250 def
/rf 250 def
/lf 250 def
/bv 250 def
/ob 350 def
/bu 350 def
/ci 750 def
/bx 750 def
/sq 750 def
/rn 500 def
/ul 500 def
/vr 0 def
end
DITfd begin
/s2 500 def /s4 250 def /s3 333 def
/a4p{arcto pop pop pop pop}def
/2cx{2 copy exch}def
/rls{rlineto stroke}def
/currx{currentpoint pop}def
/dround{transform round exch round exch itransform} def
end
end
/DIThacks exch definefont pop
ditstart
(psc)xT
576 1 1 xr
1(Times-Roman)xf 1 f
2(Times-Italic)xf 2 f
3(Times-Bold)xf 3 f
4(Times-BoldItalic)xf 4 f
5(Helvetica)xf 5 f
6(Helvetica-Bold)xf 6 f
7(Courier)xf 7 f
8(Courier-Bold)xf 8 f
9(Symbol)xf 9 f
10(DIThacks)xf 10 f
10 s
1 f
xi
%%EndProlog
%%Page: 1 1
10 s 0 xH 0 xS 1 f
32(--)Y
4323(--)X
555 672(Date:)N
749(6)X
809(November)X
1168(1989)X
555 768(From:)N
770(John)X
941(Kohl,)X
1141(Cliff)X
1312(Neuman,)X
1624(Jennifer)X
1903(Steiner)X
555 864(To:)N
686(RFC)X
856(readers)X
555 960(Re:)N
686(Kerberos)X
1001(Version)X
1275(5)X
1335(RFC,)X
1525(draft)X
1697(#2)X
555 1084(This)N
717(is)X
790(the)X
908(second)X
1151(draft)X
1323(of)X
1410(the)X
1528(proposed)X
1842(Kerberos)X
2157(Version)X
2431(5)X
2491(protocol)X
2778(speci\256cation)X
3203(RFC-style)X
3551(document.)X
555 1208(We)N
687(would)X
907(like)X
1047(the)X
1165(readers)X
1418(to)X
1500(note)X
1658(several)X
1906(things:)X
555 1332(We)N
690(are)X
811(interested)X
1145(in)X
1229(comments)X
1580(on)X
1682(whether)X
1963(it)X
2029(is)X
2104(appropriate)X
2492(to)X
2576(make)X
2772(further)X
3013(changes)X
3294(to)X
3378(the)X
3498(Kerberos)X
3815(proto-)X
555 1428(col)N
674(so)X
766(that)X
907(it)X
972(conforms)X
1296(with)X
1459(ISO's)X
1667(ASN.1.)X
1948(The)X
2094(X.500)X
2313(committee)X
2672(seems)X
2889(to)X
2972(be)X
3069(interested)X
3402(in)X
3485(allowing)X
3786(the)X
3904(use)X
555 1524(of)N
647(Kerberos)X
967(as)X
1059(an)X
1160("external")X
1510(mechanism)X
1900(for)X
2019(authentication)X
2498(in)X
2585(their)X
2757(directory)X
3072(service.)X
3365(For)X
3501(them)X
3686(to)X
3772(do)X
3876(this,)X
555 1620(they)N
724(would)X
955(want)X
1142(the)X
1271(Kerberos)X
1597(protocol)X
1895(to)X
1988(be)X
2095(ISO)X
2255(conformant.)X
2696(The)X
2852(advantage)X
3209(to)X
3302(us)X
3404(is)X
3487(that)X
3637(if)X
3716(Kerberos)X
555 1716(receives)N
842(speci\256c)X
1110(mention)X
1395(as)X
1484(an)X
1582(example)X
1876(of)X
1965(an)X
2063("external")X
2410(authentication)X
2886(service,)X
3156(it)X
3222(would)X
3444(certainly)X
3747(increase)X
555 1812(its)N
650(appeal)X
880(to)X
962(organizations)X
1414(that)X
1554(take)X
1708(standards)X
2031(seriously.)X
555 1936(Some)N
764(parts)X
947(of)X
1041(the)X
1166(V5)X
1291(protocol)X
1584(draft)X
1762(are)X
1887(already)X
2150(taken)X
2350(from)X
2532(ASN.1)X
2778(\(the)X
2929(byte)X
3093(ordering,)X
3411(and)X
3553(the)X
3677(format)X
3917(for)X
555 2032(some)N
748(of)X
839(the)X
961(\256eld)X
1127(lengths\).)X
1449(Other)X
1656(changes)X
1939(that)X
2083(would)X
2307(be)X
2407(required)X
2698(would)X
2921(increase)X
3208(the)X
3329(size)X
3477(of)X
3567(the)X
3688(messages,)X
555 2128(and)N
693(because)X
970(of)X
1059(encryption)X
1424(would)X
1646(probably)X
1953(affect)X
2159(ef\256ciency.)X
2538(If)X
2614(comments)X
2965(indicate)X
3241(it)X
3307(would)X
3529(be)X
3626(worthwhile,)X
555 2224(our)N
689(approach)X
1011(will)X
1162(probably)X
1474(be)X
1577(to)X
1666(work)X
1858(out)X
1987(an)X
2090(alternative)X
2456(V5)X
2581(proposal)X
2884(with)X
3052(an)X
3154(encoding)X
3474(that)X
3620(conforms)X
3949(to)X
555 2320(ASN.1.)N
555 2444(The)N
711(protocol)X
1008(version)X
1274(number)X
1549(\256elds)X
1752(in)X
1844(the)X
1972(messages)X
2305(used)X
2482(by)X
2592(Kerberos)X
2917(are)X
3046(preceded)X
3367(by)X
3477(ASN.1)X
3727(type)X
3895(and)X
555 2540(length)N
790(information;)X
1225(this)X
1375(is)X
1463(intended)X
1773(so)X
1878(that)X
2032(future)X
2258(ASN.1)X
2512(implementations)X
3079(can)X
3225(parse)X
3429(the)X
3561(\256rst)X
3719(\256eld)X
3895(and)X
555 2636(recognize)N
889(a)X
946(non-conformant)X
1484(encoding)X
1799(of)X
1887(the)X
2006(message.)X
2339(An)X
2457(alternative)X
2816(approach)X
3131(would)X
3351(make)X
3545(the)X
3663(initial)X
3869(\256eld)X
555 2732(an)N
659(integer)X
910(\(the)X
1063(ASN.1)X
1311(protocol)X
1606(version)X
1870(number\))X
2170(in)X
2260(the)X
2386(ASN.1)X
2634(version,)X
2918(and)X
3062(an)X
3166(octetstring)X
3532(of)X
3627(bytes)X
3824(in)X
3913(the)X
555 2828(non)N
699(ASN.1)X
943(version.)X
1243(If)X
1321(we)X
1439(use)X
1570(this)X
1709(approach,)X
2048(we)X
2166(need)X
2342(to)X
2428(make)X
2626(sure)X
2784(that)X
2928(such)X
3099(an)X
3198(approach)X
3516(would)X
3739(allow)X
3940(us)X
555 2924(to)N
640(interoperate)X
1047(\(in)X
1158(a)X
1216(limited)X
1464(sense\))X
1687(with)X
1851(future)X
2065(ASN.1)X
2307(encodings)X
2654(and)X
2792(implementations.)X
3387(Another)X
3672(alternative)X
555 3020(approach)N
877(would)X
1104(put)X
1233(the)X
1357(octetstring)X
1721(tag)X
1845(and)X
1987(the)X
2111(asn1)X
2284(length)X
2510(\256rst,)X
2680(and)X
2822(let)X
2928(the)X
3052(length)X
3278(include)X
3540(the)X
3664(integer)X
3913(tag)X
555 3116(and)N
695(the)X
817(\(1)X
908(byte\))X
1097(integer)X
1344(representing)X
1765(the)X
1887(encoding)X
2205(type.)X
2407(This)X
2573(way,)X
2750(the)X
2871(whole)X
3090(message)X
3385(\(or)X
3502(authenticator)X
3944(or)X
555 3212(ticket\))N
780(could)X
978(be)X
1074(treated)X
1313(as)X
1400(a)X
1456(single)X
1667(unit.)X
1851(With)X
2031(the)X
2149(existing)X
2422(encoding,)X
2756(it)X
2820(has)X
2947(to)X
3029(be)X
3125(treated)X
3364(as)X
3451(two)X
3591(units.)X
755 3336(We)N
892(would)X
1117(like)X
1262(comments)X
1616(on)X
1721(the)X
1844(encoding)X
2163(described)X
2496(in)X
2582(this)X
2721(document)X
3061(and)X
3201(the)X
3323(alternatives)X
3717(proposed)X
555 3432(here;)N
736(we)X
850(also)X
999(welcome)X
1309(comments)X
1658(or)X
1745(suggestions)X
2138(for)X
2252(a)X
2308(different)X
2605(encoding.)X
555 3556(This)N
725(draft)X
905(speci\256es)X
1209(some)X
1406(implementation)X
1936(restrictions)X
2320(on)X
2428(the)X
2554(required)X
2850(sizes)X
3033(allowed)X
3314(for)X
3435(certain)X
3681(string)X
3890(ele-)X
555 3652(ments)N
769(in)X
854(the)X
975(protocol)X
1265(messages)X
1591(\(See)X
1757(section)X
2007(5.1)X
2130(for)X
2247(details)X
2479(on)X
2582(how)X
2743(these)X
2930(limits)X
3133(are)X
3254(to)X
3338(be)X
3436(used\).)X
3672(If)X
3748(you)X
3890(feel)X
555 3748(any)N
691(of)X
778(these)X
963(limits)X
1164(are)X
1283(inappropriate)X
1731(\(too)X
1880(large)X
2061(or)X
2148(too)X
2270(small\),)X
2510(please)X
2731(send)X
2898(comments!.)X
555 3872(We)N
687(are)X
806(still)X
945(looking)X
1209(for)X
1323(a)X
1379(good,)X
1579(fast,)X
1735(secure)X
1961(cryptographic)X
2427(checksum)X
2768(for)X
2882(use)X
3009(in)X
3091(the)X
3209(KRB_SAFE)X
3628(exchange.)X
555 3996(We)N
688(are)X
808(unsure)X
1043(if)X
1113(2)X
1174(bytes)X
1364(of)X
1452(random)X
1718(data)X
1873(are)X
1992(suf\256cient)X
2310(for)X
2424(a)X
2480(confounder.)X
2906(We)X
3038(may)X
3196(use)X
3323(a)X
3379(longer)X
3604(random)X
3869(\256eld)X
555 4092(if)N
624(necessary.)X
555 4216(We)N
717(are)X
866(considering)X
1290(modifying)X
1673(the)X
1821(KRB_TGS_REP)X
2412(request)X
2694(to)X
2806(not)X
2958(encrypt)X
3249(the)X
3396(second)X
3668(ticket)X
3895(and)X
555 4312(authorization_data.)N
1223(However,)X
1569(we)X
1694(are)X
1824(concerned)X
2186(about)X
2395(the)X
2524(possible)X
2817(attacks)X
3071(on)X
3182(these)X
3377(and)X
3523(the)X
3651(response)X
3962(if)X
555 4408(they)N
718(are)X
842(only)X
1009(integrity-protected.)X
1650(If)X
1728(we)X
1846(choose)X
2093(not)X
2219(to)X
2305(protect)X
2552(these)X
2741(\256eld)X
2907(in)X
2993(the)X
3115(request,)X
3391(then)X
3553(we)X
3671(would)X
3895(add)X
555 4504(\256elds)N
749(to)X
832(the)X
951(response)X
1253(to)X
1336(allow)X
1535(the)X
1654(client)X
1853(to)X
1936(verify)X
2149(that)X
2290(the)X
2409(request)X
2662(was)X
2808(not)X
2930(modi\256ed.)X
3274(This)X
3436(is)X
3509(acceptable)X
3869(only)X
555 4600(if)N
628(the)X
750(response,)X
1075(as)X
1166(sent)X
1319(over)X
1486(the)X
1608(network,)X
1915(would)X
2139(not)X
2265(be)X
2365(useful)X
2585(to)X
2671(an)X
2771(attacker)X
3049(that)X
3192(had)X
3331(modi\256ed)X
3638(the)X
3759(request.)X
555 4696(We)N
692(seek)X
860(comments)X
1214(regarding)X
1547(the)X
1670(possible)X
1957(attacks)X
2205(and/or)X
2435(consequences)X
2902(of)X
2994(this)X
3134(approach,)X
3474(particularly)X
3869(with)X
555 4792(respect)N
804(to)X
887(interactions)X
1282(with)X
1445(some)X
1635(of)X
1723(the)X
1842(new)X
1997(options)X
2253(which)X
2470(are)X
2590(available.)X
2941(We)X
3073(seek)X
3236(comments)X
3585(regarding)X
3913(the)X
555 4888(possible)N
837(attacks)X
1080(and/or)X
1305(the)X
1423(consequences)X
1885(of)X
1972(only)X
2134(integrity-protecting)X
2777(these)X
2962(portions)X
3244(of)X
3331(the)X
3449(TGS_REP.)X
555 5012(The)N
709(pseudo-code)X
1144(provided)X
1458(in)X
1549(appendix)X
1872(A)X
1959(is)X
2041(a)X
2105("\256rst)X
2290(pass")X
2489(and)X
2633(not)X
2763(fully)X
2942("debugged".)X
3388(We)X
3528(welcome)X
3846(com-)X
555 5108(ments)N
766(on)X
866(errors)X
1074(and)X
1210(suggestions)X
1603(for)X
1717(more)X
1902(or)X
1989(less)X
2129(detail)X
2327(there.)X
555 5232(Please)N
780(send)X
947(any)X
1083(comments)X
1432(about)X
1630(this)X
1765(draft)X
1937(to)X
2019(the)X
2137(mailing)X
2401(list)X
7 f
2546(krb-protocol@athena.mit.edu.)X
1 f
555 5356(We)N
687(thank)X
885(you)X
1025(for)X
1139(your)X
1306(interest)X
1562(in)X
1644(Kerberos,)X
1979(and)X
2115(look)X
2277(forward)X
2552(to)X
2634(hearing)X
2895(your)X
3062(comments.)X
555 6144(Section)N
2216(-)X
2263(1)X
2323(-)X
2 p
%%Page: 2 2
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
555 672(Major)N
794(changes)X
1085(since)X
1274(draft)X
1468(1)X
1 f
555 796(This)N
717(list)X
834(doesn't)X
1090(include)X
1346(rewordings,)X
1747(typos)X
1940(&)X
2022(such.)X
10 f
555 920(g)N
1 f
755(Principal)X
1064(names)X
1289(are)X
1408(arrays)X
1625(of)X
1712(strings,)X
1965(rather)X
2173(than)X
2331(a)X
2387(name,instance)X
2864(pair.)X
10 f
555 1044(g)N
1 f
755(Length)X
1002(restrictions)X
1378(placed)X
1608(on)X
1708(some)X
1897(\256elds.)X
10 f
555 1168(g)N
1 f
755(Integrity)X
1051(checksums)X
1423(are)X
1542(now)X
1700(considered)X
2068(part)X
2213(of)X
2300(the)X
2418(encryption)X
2781(function)X
10 f
555 1292(g)N
1 f
755(No)X
873(longer)X
1098(use)X
1225(timestamp+1)X
1663(in)X
1745(KRB_AP_REP.)X
10 f
555 1416(g)N
1 f
755(Drop)X
940(support)X
1200(or)X
1287(recommendation)X
1846(of)X
1933(modi\256ed)X
2237(Juenemann)X
2618(Checksum)X
2976(as)X
3063(a)X
3119(crypto)X
3344(checksum.)X
10 f
555 1540(g)N
1 f
755(Direction)X
1078(bit)X
1182(in)X
1264(KRB_SAFE)X
1683(and)X
1819(KRB_PRIV)X
2225(is)X
2298(now)X
2456(placed)X
2686(in)X
2768(the)X
2886(2-byte)X
3111(millisecond)X
3504(\256eld.)X
10 f
555 1664(g)N
1 f
755(Addition)X
1059(of)X
1146(pseudo-code)X
1572(in)X
1654(appendix.)X
555 6144(Section)N
2216(-)X
2263(2)X
2323(-)X
1 p
%%Page: 1 3
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
555 672(Network)N
856(Working)X
1161(Group)X
3679(John)X
3850(Kohl)X
555 768(Request)N
833(for)X
947(Comments:)X
1335(DRAFT)X
1617(2)X
3367(B.)X
3460(Clifford)X
3738(Neuman)X
3504 864(Jennifer)N
3783(Steiner)X
3364 960(MIT)N
3531(Project)X
3778(Athena)X
3431 1056(6)N
3491(November)X
3850(1989)X
1534 1488(The)N
1679(Kerberos)X
1994(Network)X
2295(Authentication)X
2791(Service)X
2152 1680(DRAFT)N
3 f
555 1872(STATUS)N
885(OF)X
1016(THIS)X
1226(MEMO)X
1 f
755 1996(This)N
924(DRAFT)X
1213(document)X
1556(gives)X
1752(an)X
1855(overview)X
2181(and)X
2324(speci\256cation)X
2756(of)X
2850(the)X
2975(Version)X
3256(5)X
3323(protocol)X
3617(for)X
3738(the)X
3863(Ker-)X
555 2092(beros)N
755(network)X
1044(authentication)X
1523(system.)X
1810(Version)X
2089(4,)X
2174(described)X
2507(elsewhere,)X
8 s
2849 2067(1,)N
2908(2)X
10 s
2965 2092(is)N
3043(presently)X
3362(in)X
3449(production)X
3821(use)X
3953(at)X
555 2188(MIT's)N
780(Project)X
1027(Athena,)X
1299(and)X
1435(at)X
1513(other)X
1698(Internet)X
1968(sites.)X
2170(Distribution)X
2576(of)X
2663(this)X
2798(memo)X
3018(is)X
3091(unlimited.)X
3 f
555 2380(OVERVIEW)N
1 f
755 2504(This)N
924(DRAFT)X
1212(RFC)X
1388(describes)X
1713(the)X
1837(concepts)X
2144(and)X
2286(model)X
2512(upon)X
2698(which)X
2920(the)X
3044(Kerberos)X
3365(network)X
3654(authentica-)X
555 2600(tion)N
699(system)X
941(is)X
1014(based.)X
1257(It)X
1326(also)X
1475(speci\256es)X
1771(the)X
1889(present)X
2141(proposal)X
2437(for)X
2551(version)X
2807(5.)X
755 2724(The)N
901(motivations,)X
1319(goals,)X
1529(assumptions,)X
1965(and)X
2102(rationale)X
2403(behind)X
2641(design)X
2870(decisions)X
3188(are)X
3307(treated)X
3546(cursorily;)X
3873(they)X
555 2820(are)N
675(fully)X
846(described)X
1174(for)X
1288(the)X
1406(previous)X
1702(version)X
1958(in)X
2040(the)X
2158(Kerberos)X
2473(portion)X
2724(of)X
2811(the)X
2929(Athena)X
3181(Technical)X
3518(Plan.)X
8 s
3680 2795(1)N
10 s
3732 2820(The)N
3877(pro-)X
555 2916(tocols)N
788(are)X
929(under)X
1154(review,)X
1435(and)X
1593(are)X
1734(not)X
1878(proposed)X
2214(as)X
2323(an)X
2441(Internet)X
2733(standard)X
3047(at)X
3146(this)X
3302(time.)X
3525(Comments)X
3912(are)X
555 3012(encouraged.)N
1040(Requests)X
1403(for)X
1571(additions)X
1938(to)X
2074(an)X
2224(electronic)X
2615(mailing)X
2933(list)X
3104(on)X
3258(Kerberos)X
3627(discussions,)X
7 f
555 3108(kerberos@athena.mit.edu,)N
1 f
1737(may)X
1905(be)X
2010(addressed)X
2356(to)X
7 f
2475(kerberos)X
9 f
2861(-)X
7 f
2907(request@athena.mit.edu.)X
1 f
555 3204(This)N
720(mailing)X
987(list)X
1107(is)X
1183(gatewayed)X
1550(onto)X
1715(the)X
1836(Usenet)X
2082(as)X
2171(the)X
2291(group)X
7 f
2528(comp.protocols.kerberos.)X
1 f
3722(Requests)X
555 3300(for)N
744(further)X
1058(information,)X
1551(including)X
1948(documents)X
2390(and)X
2601(code)X
2848(availability,)X
3323(may)X
3556(be)X
3726(sent)X
3949(to)X
7 f
555 3396(info)N
9 f
749(-)X
7 f
795(kerberos@athena.mit.edu.)X
3 f
555 3684(ACKNOWLEDGEMENTS)N
1 f
755 3808(The)N
926(Kerberos)X
1267(model)X
1512(is)X
1610(based)X
1838(on)X
1963(Needham)X
2316(and)X
2477(Schroeder's)X
2906(trusted)X
3169(third-party)X
3557(authentication)X
555 3904(scheme)N
8 s
796 3879(3)N
10 s
853 3904(and)N
994(on)X
1099(modi\256cations)X
1559(suggested)X
1900(by)X
2005(Denning)X
2306(and)X
2446(Sacco.)X
8 s
2658 3879(4)N
10 s
2714 3904(The)N
2863(original)X
3136(design)X
3369(and)X
3509(implementation)X
555 4000(of)N
648(Kerberos)X
969(versions)X
1262(1)X
1328(through)X
1603(4)X
1669(are)X
1794(due)X
1936(to)X
2024(two)X
2170(former)X
2415(Project)X
2668(Athena)X
2926(members,)X
3266(Steve)X
3470(Miller)X
3696(of)X
3789(Digital)X
555 4096(Equipment)N
930(Corporation)X
1340(and)X
1479(Clifford)X
1760(Neuman)X
2055(of)X
2145(the)X
2266(University)X
2627(of)X
2717(Washington,)X
3147(along)X
3348(with)X
3513(Jerome)X
3768(Saltzer,)X
555 4192(Technical)N
899(Director)X
1194(of)X
1288(Project)X
1542(Athena,)X
1821(and)X
1964(Jeffrey)X
2215(Schiller,)X
2511(MIT)X
2685(Campus)X
2974(Network)X
3281(Manager.)X
3633(Many)X
3846(other)X
555 4288(members)N
869(of)X
956(Project)X
1203(Athena)X
1455(have)X
1627(also)X
1776(contributed)X
2161(to)X
2243(the)X
2361(work)X
2546(on)X
2646(Kerberos.)X
3 f
12 s
555 4480(1.)N
675(Introduction)X
1 f
10 s
755 4604(Kerberos)N
1075(provides)X
1376(a)X
1437(means)X
1667(of)X
1759(verifying)X
2078(the)X
2201(identities)X
2519(of)X
2611(principals,)X
2972(e.g,)X
3113(a)X
3174(workstation)X
3577(user)X
3735(or)X
3826(a)X
3886(net-)X
555 4700(work)N
746(server,)X
989(on)X
1095(an)X
1197(open)X
1379(\(i.e.)X
1550(unprotected\))X
1982(network.)X
2311(This)X
2479(is)X
2558(accomplished)X
3025(without)X
3295(relying)X
3548(on)X
3654(authentica-)X
555 4796(tion)N
701(by)X
803(the)X
923(host)X
1078(operating)X
1403(system,)X
1667(without)X
1933(basing)X
2164(trust)X
2328(on)X
2430(host)X
2584(addresses\262,)X
2973(without)X
3238(requiring)X
3553(physical)X
3841(secu-)X
555 4892(rity)N
690(of)X
781(all)X
885(the)X
1006(hosts)X
1193(on)X
1296(the)X
1417(network,)X
1723(and)X
1862(under)X
2068(the)X
2189(assumption)X
2576(that)X
2719(packets)X
2983(traveling)X
3291(along)X
3492(the)X
3613(network)X
3899(can)X
555 4988(be)N
667(read,)X
862(modi\256ed,)X
1202(and)X
1354(inserted)X
1644(at)X
1738(will.)X
1938(Kerberos)X
2269(performs)X
2595(authentication)X
3085(under)X
3304(these)X
3505(conditions)X
3873(as)X
3975(a)X
555 5084(trusted)N
793(third-party)X
1156(authentication)X
1630(service)X
1878(using)X
2071(conventional)X
2505(\(shared)X
2762(secret)X
2970(key\263\))X
3173(cryptography.)X
8 s
10 f
555 5184(hhhhhhhhhhhhhhhhhh)N
1 f
555 5264(\262)N
608(Note,)X
769(however,)X
1025(that)X
1142(many)X
1305(applications)X
1635(use)X
1740(Kerberos')X
2014(functions)X
2272(only)X
2406(upon)X
2554(the)X
2652(initiation)X
2904(of)X
2977(a)X
3025(stream-based)X
3381(network)X
3610(con-)X
555 5344(nection,)N
781(and)X
894(assume)X
1103(the)X
1202(absence)X
1424(of)X
1498(any)X
1611(``hijackers'')X
1946(who)X
2077(might)X
2248(subvert)X
2457(such)X
2595(a)X
2644(connection.)X
2977(Such)X
3126(use)X
3232(implictly)X
3485(trusts)X
3645(the)X
555 5424(host)N
678(addresses)X
938(involved.)X
555 5504(\263)N
2 f
(Secret)S
1 f
766(and)X
2 f
878(private)X
1 f
1079(are)X
1176(often)X
1327(used)X
1464(interchangeably)X
1891(in)X
1961(the)X
2059(literature.)X
2341(In)X
2414(our)X
2519(usage,)X
2700(it)X
2756(takes)X
2907(two)X
3023(\(or)X
3117(more\))X
3289(to)X
3359(share)X
3512(a)X
3559(secret,)X
555 5584(thus)N
680(a)X
726(shared)X
910(DES)X
1049(key)X
1159(is)X
1220(a)X
2 f
1266(secret)X
1 f
1436(key.)X
1578(Something)X
1874(is)X
1934(only)X
2065(private)X
2259(when)X
2414(no)X
2495(one)X
2604(but)X
2703(its)X
2781(owner)X
2957(knows)X
3141(it.)X
3226(Thus,)X
3387(in)X
3454(public)X
3631(key)X
555 5664(cryptosystems,)N
953(one)X
1061(has)X
1162(a)X
1206(public)X
1382(and)X
1490(a)X
2 f
1534(private)X
1 f
1731(key.)X
10 s
555 6144(Section)N
815(1.)X
2216(-)X
2263(1)X
2323(-)X
2 p
%%Page: 2 4
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
755 672(The)N
904(authentication)X
1382(process)X
1647(proceeds)X
1957(as)X
2048(follows:)X
2334(A)X
2415(client)X
2616(sends)X
2817(a)X
2876(request)X
3131(to)X
3216(the)X
3337(authentication)X
3814(server)X
555 768(\(AS\))N
734(requesting)X
1091("credentials")X
1528(for)X
1645(a)X
1704(given)X
1905(server.)X
2165(The)X
2313(AS)X
2438(responds)X
2746(with)X
2911(these)X
3099(credentials,)X
3490(encrypted)X
3829(in)X
3913(the)X
555 864(client's)N
814(key.)X
993(The)X
1141(credentials)X
1512(consist)X
1757(of)X
1847(1\))X
1937(a)X
1996("ticket")X
2263(for)X
2380(the)X
2501(server)X
2721(and)X
2860(2\))X
2950(a)X
3009(temporary)X
3361(\(session\))X
3668(encryption)X
555 960(key.)N
736(The)X
886(client)X
1089(forwards)X
1400(the)X
1523(ticket)X
1726(\(which)X
1974(contains)X
2266(the)X
2389(client's)X
2650(identity)X
2919(and)X
3060(a)X
3121(copy)X
3302(of)X
3394(the)X
3516(session)X
3771(key,)X
3931(all)X
555 1056(encrypted)N
896(in)X
982(the)X
1104(server's)X
1383(key\))X
1549(to)X
1634(the)X
1755(server.)X
2015(The)X
2163(session)X
2417(key)X
2556(\(now)X
2744(shared)X
2977(by)X
3080(the)X
3201(client)X
3402(and)X
3541(server\))X
3788(is)X
3864(used)X
555 1152(to)N
648(authenticate)X
1067(the)X
1196(client,)X
1425(and)X
1572(optionally)X
1927(authenticate)X
2345(the)X
2473(server.)X
2740(It)X
2819(may)X
2987(also)X
3146(be)X
3252(used)X
3429(to)X
3521(encrypt)X
3792(further)X
555 1248(communication)N
1073(between)X
1361(the)X
1479(two)X
1619(parties.)X
755 1372(The)N
915(implementation)X
1452(consists)X
1740(of)X
1842(one)X
1993(or)X
2095(more)X
2295(authentication)X
2783(servers)X
3045(running)X
3328(on)X
3442(physically)X
3805(secure)X
555 1468(hosts.)N
782(The)X
930(authentication)X
1407(servers)X
1658(maintain)X
1961(a)X
2020(database)X
2320(of)X
2409(principals)X
2747(\(i.e.,)X
2914(users)X
3101(and)X
3239(servers\))X
3516(and)X
3654(their)X
3823(secret)X
555 1564(\(private\))N
854(keys.)X
1063(Libraries)X
1375(provide)X
1642(encryption)X
2007(and)X
2145(implement)X
2508(the)X
2627(Kerberos)X
2943(protocol.)X
3271(In)X
3359(order)X
3550(to)X
3633(add)X
3770(authen-)X
555 1660(tication)N
815(to)X
897(its)X
992(transactions,)X
1415(a)X
1471(typical)X
1709(network)X
1992(application)X
2368(adds)X
2535(one)X
2671(or)X
2758(two)X
2898(calls)X
3065(to)X
3147(the)X
3265(Kerberos)X
3580(library.)X
755 1784(The)N
906(Kerberos)X
1227(protocol)X
1520(consists)X
1799(of)X
1892(several)X
2146(sub-protocols)X
2607(\(or)X
2726(exchanges\).)X
3153(There)X
3366(are)X
3490(two)X
3635(methods)X
3931(by)X
555 1880(which)N
774(a)X
833(client)X
1034(can)X
1169(ask)X
1299(a)X
1358(Kerberos)X
1676(server)X
1896(for)X
2013(credentials.)X
2424(In)X
2514(the)X
2634(\256rst)X
2780(approach,)X
3117(the)X
3237(client)X
3437(sends)X
3637(a)X
3695(request)X
3949(in)X
555 1976(cleartext)N
856(to)X
942(the)X
1064(authentication)X
1542(server)X
1763(for)X
1881(the)X
2002(ticket)X
2203(to)X
2288(the)X
2409(desired)X
2664(server.)X
2924(The)X
3072(reply)X
3260(is)X
3336(sent)X
3488(encrypted)X
3828(in)X
3913(the)X
555 2072(client's)N
816(secret)X
1029(key.)X
1210(Usually)X
1484(this)X
1624(request)X
1881(is)X
1959(for)X
2078(a)X
2139(ticket-granting)X
2636(ticket)X
2839(\(TGT\))X
3074(which)X
3295(can)X
3431(later)X
3598(be)X
3698(used)X
3869(with)X
555 2168(the)N
678(ticket-granting)X
1175(server)X
1397(\(TGS\).)X
1667(In)X
1759(the)X
1882(second)X
2130(method,)X
2415(the)X
2538(client)X
2741(sends)X
2944(a)X
3005(request)X
3261(to)X
3347(the)X
3469(TGS.)X
3684(The)X
3833(client)X
555 2264(sends)N
758(the)X
881(TGT)X
1062(to)X
1149(the)X
1272(TGS)X
1448(in)X
1535(the)X
1658(same)X
1848(manner)X
2114(as)X
2205(if)X
2278(it)X
2346(were)X
2527(contacting)X
2885(any)X
3025(other)X
3214(application)X
3594(server)X
3815(which)X
555 2360(requires)N
834(Kerberos)X
1149(credentials.)X
1557(The)X
1702(reply)X
1887(is)X
1960(encrypted)X
2297(in)X
2379(the)X
2497(session)X
2748(key)X
2884(from)X
3060(the)X
3178(TGT.)X
755 2484(Once)N
946(a)X
1003(client)X
1202(has)X
1330(obtained)X
1627(credentials)X
1996(for)X
2111(a)X
2168(server)X
2386(\(using)X
2607(either)X
2811(of)X
2899(the)X
3018(two)X
3159(methods)X
3451(above\),)X
3711(it)X
3776(is)X
3849(up)X
3949(to)X
555 2580(the)N
685(speci\256c)X
962(application)X
1350(to)X
1444(decide)X
1686(how)X
1856(they)X
2026(are)X
2157(to)X
2251(be)X
2359(used.)X
2578(We)X
2722(have)X
2906(implemented)X
3356(several)X
3615(methods)X
3917(for)X
555 2676(using)N
751(the)X
872(credentials.)X
1283(In)X
1373(the)X
1494(\256rst,)X
1660(the)X
1780(client)X
1980(forwards)X
2288(the)X
2408(ticket)X
2608(to)X
2692(the)X
2812(server,)X
3051(along)X
3251(with)X
3415(information)X
3815(which)X
555 2772(helps)N
746(to)X
830(detect)X
1044(replays.)X
1338(Since)X
1538(the)X
1658(ticket)X
1858(is)X
1933(sent)X
2084(in)X
2168(the)X
2288(clear,)X
2487(and)X
2625(may)X
2785(be)X
2883(reused)X
3115(for)X
3231(a)X
3288(limited)X
3535(period)X
3761(of)X
3849(time,)X
555 2868(there)N
743(must)X
925(be)X
1028(some)X
1224(way)X
1385(for)X
1506(the)X
1631(server)X
1855(to)X
1944(know)X
2149(not)X
2277(only)X
2445(to)X
2533(whom)X
2759(the)X
2883(ticket)X
3087(was)X
3238(issued,)X
3484(but)X
3612(also)X
3767(that)X
3913(the)X
555 2964(principal)N
867(using)X
1067(the)X
1192(ticket)X
1397(is)X
1477(the)X
1602(same)X
1794(as)X
1888(the)X
2012(principal)X
2323(to)X
2411(whom)X
2637(it)X
2707(was)X
2858(issued.)X
3124(This)X
3292(can)X
3430(be)X
3532(done)X
3714(using)X
3913(the)X
555 3060(session)N
812(key,)X
974(since)X
1165(no)X
1271(one)X
1413(except)X
1649(the)X
1773(requesting)X
2133(principal)X
2444(and)X
2586(the)X
2710(server)X
2933(know)X
3137(it--it)X
3305(is)X
3384(never)X
3589(sent)X
3744(over)X
3913(the)X
555 3156(network)N
838(in)X
920(the)X
1038(clear.)X
755 3280(The)N
909(second)X
1161(method)X
1430(for)X
1553(using)X
1755(credentials)X
2132(affords)X
2389(detection)X
2712(not)X
2843(only)X
3013(of)X
3108(replay,)X
3357(but)X
3487(also)X
3644(of)X
3739(message)X
555 3376(stream)N
793(modi\256cation)X
1221(\(MSM\).)X
1525(This)X
1691(is)X
1768(done)X
1948(by)X
2052(including)X
2377(a)X
2436(cryptographic)X
2905(checksum)X
3249(of)X
3339(the)X
3460(client's)X
3719(message.)X
555 3472(The)N
700(checksum)X
1041(is)X
1114(computed)X
1450(using)X
1643(the)X
1761(session)X
2012(key.)X
755 3596(A)N
843(third)X
1024(method)X
1294(provides)X
1599(not)X
1730(only)X
1901(authentication,)X
2404(but)X
2535(also)X
2693(data)X
2856(encryption,)X
3248(again)X
3451(using)X
3653(the)X
3780(session)X
555 3692(key.)N
755 3816(The)N
909(authentication)X
1392(exchanges)X
1756(mentioned)X
2123(above)X
2344(require)X
2601(read-only)X
2938(access)X
3173(to)X
3264(the)X
3391(Kerberos)X
3714(database.)X
555 3912(Sometimes,)N
959(however,)X
1285(the)X
1412(data)X
1575(in)X
1666(the)X
1793(database)X
2099(must)X
2283(be)X
2388(modi\256ed,)X
2720(such)X
2895(as)X
2990(when)X
3192(adding)X
3438(new)X
3600(principals)X
3944(or)X
555 4008(changing)N
872(a)X
931(password.)X
1297(This)X
1462(is)X
1538(done)X
1717(using)X
1913(a)X
1972(protocol)X
2262(between)X
2553(a)X
2612(client)X
2813(and)X
2952(a)X
3011(third)X
3185(Kerberos)X
3503(server,)X
3743(the)X
3863(Ker-)X
555 4104(beros)N
749(Administration)X
1253(Server)X
1483(\(KADM\).)X
1842(This)X
2004(administration)X
2486(protocol)X
2773(is)X
2846(not)X
2968(described)X
3296(in)X
3378(this)X
3513(document.)X
3 f
555 4296(Inter-Realm)N
999(Operation)X
1 f
755 4516(The)N
910(Kerberos)X
1235(protocols)X
1563(are)X
1692(designed)X
2007(to)X
2099(operate)X
2366(across)X
2597(organizational)X
3086(boundaries.)X
3508(A)X
3596(client)X
3804(in)X
3895(one)X
555 4612(organization)N
989(can)X
1134(be)X
1243(authenticated)X
1704(to)X
1799(a)X
1868(server)X
2097(in)X
2191(another.)X
2504(Each)X
2697(organization)X
3130(wishing)X
3415(to)X
3509(run)X
3648(a)X
3716(Kerberos)X
555 4708(server)N
783(establishes)X
1161(its)X
1267(own)X
1436("realm".)X
1756(The)X
1912(name)X
2117(of)X
2215(the)X
2343(realm)X
2556(in)X
2648(which)X
2874(a)X
2940(client)X
3148(is)X
3231(registered)X
3578(is)X
3661(part)X
3816(of)X
3913(the)X
555 4804(client's)N
811(name,)X
1025(and)X
1161(can)X
1293(be)X
1389(used)X
1556(by)X
1656(the)X
1774(end)X
1910(service)X
2158(to)X
2240(decide)X
2470(whether)X
2749(to)X
2831(honor)X
3038(a)X
3094(request.)X
555 4996(By)N
676(exchanging)X
1074(an)X
1177("inter-realm")X
1627(key,)X
1790(the)X
1915(administrators)X
2400(of)X
2494(two)X
2641(realms)X
2882(can)X
3021(allow)X
3226(a)X
3289(client)X
3494(authenticated)X
3949(in)X
555 5092(the)N
677(local)X
857(realm)X
1064(to)X
1150(use)X
1281(its)X
1380(authentication)X
1858(remotely.)X
2207(The)X
2355(exchange)X
2682(of)X
2772(an)X
2871(inter-realm)X
3251(key)X
3390(registers)X
3685(the)X
3806(ticket-)X
555 5188(granting)N
851(service)X
1108(of)X
1204(each)X
1380(realm)X
1591(as)X
1686(a)X
1750(principal)X
2063(in)X
2153(the)X
2279(other)X
2472(realm.)X
2723(A)X
2809(client)X
3015(is)X
3096(then)X
3262(able)X
3424(to)X
3514(obtain)X
3742(a)X
3806(ticket-)X
555 5284(granting)N
860(ticket)X
1076(for)X
1208(the)X
1344(remote)X
1605(realm's)X
1884(ticket-granting)X
2394(service)X
2660(from)X
2854(its)X
2967(local)X
3160(realm.)X
3420(When)X
3649(that)X
3806(ticket-)X
555 5380(granting)N
853(ticket)X
1062(is)X
1146(used,)X
1344(the)X
1473(remote)X
1726(ticket-granting)X
2228(service)X
2486(uses)X
2654(the)X
2782(inter-realm)X
3169(key)X
3315(to)X
3407(decrypt)X
3678(the)X
3806(ticket-)X
555 5476(granting)N
848(ticket,)X
1072(and)X
1214(is)X
1293(thus)X
1452(certain)X
1697(that)X
1843(it)X
1913(was)X
2064(issued)X
2290(by)X
2396(the)X
2520(client's)X
2781(local)X
2962(Kerberos.)X
3322(Tickets)X
3583(issued)X
3808(by)X
3913(the)X
555 5572(remote)N
798(ticket-granting)X
1290(service)X
1538(will)X
1682(indicate)X
1956(that)X
2096(the)X
2214(client)X
2412(was)X
2557(authenticated)X
3005(in)X
3087(its)X
3182(local)X
3358(realm.)X
555 5764(A)N
642(realm)X
854(is)X
936(said)X
1094(to)X
1185(communicate)X
1646(with)X
1817(another)X
2086(realm)X
2297(if)X
2374(the)X
2500(two)X
2648(realms)X
2890(share)X
3088(an)X
3192(inter-realm)X
3577(key,)X
3741(or)X
3836(if)X
3913(the)X
555 6144(Section)N
815(1.)X
2216(-)X
2263(2)X
2323(-)X
3 p
%%Page: 3 5
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(local)N
733(realm)X
937(shares)X
1159(an)X
1256(inter-realm)X
1634(key)X
1771(with)X
1934(an)X
2031(intermediate)X
2453(realm)X
2657(that)X
2798(communicates)X
3282(with)X
3445(the)X
3564(remote)X
3808(realm.)X
555 768(An)N
2 f
683(authentication)X
1175(path)X
1 f
1347(is)X
1430(the)X
1558(sequence)X
1883(of)X
1980(intermediate)X
2411(realms)X
2655(that)X
2804(are)X
2932(transited)X
3237(in)X
3328(communicating)X
3855(from)X
555 864(one)N
691(realm)X
894(to)X
976(another.)X
555 1056(Realms)N
819(are)X
942(typically)X
1246(organized)X
1587(hierarchically.)X
2093(Each)X
2278(realm)X
2485(shares)X
2710(a)X
2770(key)X
2910(with)X
3075(its)X
3173(parent)X
3397(and)X
3536(a)X
3595(different)X
3895(key)X
555 1152(with)N
725(each)X
901(child.)X
1129(If)X
1211(an)X
1315(inter-realm)X
1700(key)X
1844(is)X
1925(not)X
2054(directly)X
2326(shared)X
2563(by)X
2670(two)X
2817(realms,)X
3078(the)X
3203(hierarchical)X
3610(organization)X
555 1248(allows)N
784(an)X
880(authentication)X
1354(path)X
1512(to)X
1594(be)X
1690(easily)X
1897(constructed.)X
555 1440(Although)N
889(realms)X
1134(are)X
1264(typically)X
1575(hierarchical,)X
2006(intermediate)X
2438(realms)X
2683(may)X
2852(be)X
2959(bypassed)X
3284(to)X
3377(achieve)X
3654(inter-realm)X
555 1536(authentication)N
1040(through)X
1320(alternate)X
1628(authentication)X
2113(paths.)X
2353(It)X
2433(is)X
2517(important)X
2859(for)X
2983(the)X
3111(end)X
3257(service)X
3515(to)X
3607(know)X
3815(which)X
555 1632(realms)N
791(were)X
970(transited)X
1268(when)X
1464(deciding)X
1762(how)X
1922(much)X
2122(faith)X
2291(to)X
2375(put)X
2499(in)X
2583(the)X
2703(authentication)X
3179(process.)X
3482(To)X
3593(facilitate)X
3896(this)X
555 1728(decision,)N
874(a)X
942(\256eld)X
1116(in)X
1210(the)X
1340(ticket)X
1550(contains)X
1848(the)X
1977(names)X
2213(of)X
2311(the)X
2440(realms)X
2685(that)X
2836(were)X
3024(involved)X
3335(in)X
3428(authenticating)X
3913(the)X
555 1824(client.)N
793(The)X
938(encoding)X
1252(and)X
1388(use)X
1515(of)X
1602(this)X
1737(\256eld)X
1899(is)X
1972(described)X
2300(later)X
2463(in)X
2545(this)X
2680(document.)X
3 f
555 2112(Proxy)N
780(and)X
928(Authentication)X
1459(Forwarding)X
1 f
755 2236(At)N
858(times)X
1054(it)X
1121(may)X
1282(be)X
1381(necessary)X
1717(for)X
1834(a)X
1893(principal)X
2201(to)X
2286(allow)X
2487(a)X
2546(service)X
2797(to)X
2882(perform)X
3164(an)X
3263(operation)X
3589(on)X
3692(its)X
3790(behalf.)X
555 2332(The)N
702(service)X
952(must)X
1129(be)X
1227(able)X
1383(to)X
1467(take)X
1623(on)X
1725(the)X
1845(identity)X
2111(of)X
2200(the)X
2320(client,)X
2540(but)X
2664(only)X
2828(for)X
2944(a)X
3002(particular)X
3332(purpose.)X
3647(A)X
3726(principal)X
555 2428(can)N
687(allow)X
885(a)X
941(service)X
1189(to)X
1271(take)X
1425(on)X
1525(the)X
1643(principal's)X
2006(identity)X
2270(for)X
2384(a)X
2440(particular)X
2768(purpose)X
3042(by)X
3142(granting)X
3429(it)X
3493(a)X
3549(proxy.)X
555 2620(Authentication)N
1052(forwarding)X
1430(is)X
1504(an)X
1601(instance)X
1885(of)X
1973(the)X
2092(proxy)X
2299(problem)X
2586(where)X
2803(the)X
2921(service)X
3169(is)X
3242(granted)X
3503(complete)X
3817(use)X
3944(of)X
555 2716(the)N
682(client's)X
947(identity.)X
1260(An)X
1387(example)X
1688(where)X
1914(it)X
1987(might)X
2201(be)X
2305(used)X
2480(is)X
2561(when)X
2763(a)X
2827(user)X
2989(logs)X
3150(in)X
3240(to)X
3330(a)X
3394(remote)X
3645(system)X
3895(and)X
555 2812(wants)N
762(authentication)X
1236(to)X
1318(work)X
1503(from)X
1679(that)X
1819(system)X
2061(as)X
2148(if)X
2217(the)X
2335(login)X
2519(were)X
2696(local.)X
555 3004(In)N
651(order)X
850(to)X
941(complicate)X
1322(the)X
1449(use)X
1585(of)X
1681(stolen)X
1901(credentials,)X
2298(Kerberos)X
2622(tickets)X
2860(are)X
2988(typically)X
3297(valid)X
3486(from)X
3671(only)X
3842(those)X
555 3100(network)N
849(addresses)X
1188(speci\256cally)X
1584(included)X
1891(in)X
1984(the)X
2113(ticket.)X
2362(For)X
2504(this)X
2650(reason,)X
2911(a)X
2978(client)X
3187(wishing)X
3471(to)X
3563(grant)X
3758(a)X
3824(proxy)X
555 3196(must)N
730(request)X
982(a)X
1038(new)X
1192(ticket)X
1390(valid)X
1570(for)X
1684(the)X
1802(network)X
2085(address)X
2346(of)X
2433(the)X
2551(service)X
2799(to)X
2881(be)X
2977(granted)X
3238(the)X
3356(proxy.)X
555 3388(Kerberos)N
879(supports)X
1179(proxy)X
1395(and)X
1540(authentication)X
2022(forwarding)X
2407(through)X
2684(the)X
2810(combined)X
3154(effects)X
3397(of)X
3492(several)X
3748(\256elds)X
3949(in)X
555 3484(the)N
682(tickets)X
920(it)X
993(issues.)X
1253(The)X
1407(proxiable)X
1739(and)X
1884(forwardable)X
2302(\257ags)X
2482(in)X
2573(the)X
2700(ticket-granting)X
3200(ticket)X
3406(indicate)X
3688(whether)X
3975(a)X
555 3580(proxy)N
767(can)X
904(be)X
1005(granted)X
1271(without)X
1540(requiring)X
1859(the)X
1982(user)X
2141(to)X
2228(enter)X
2414(a)X
2475(password)X
2803(again.)X
3042(The)X
3192(host)X
3349(address)X
3614(\256eld)X
3780(option-)X
555 3676(ally)N
696(restricts)X
971(the)X
1090(proxy)X
1297(to)X
1379(being)X
1577(used)X
1744(from)X
1920(a)X
1976(particular)X
2304(network)X
2587(address.)X
2888(Finally,)X
3154(the)X
3272(authorization)X
3715(data)X
3869(\256eld)X
555 3772(allows)N
785(the)X
904(client)X
1103(to)X
1186(include)X
1443(information)X
1842(in)X
1925(the)X
2044(proxy)X
2252(restricting)X
2598(its)X
2694(use.)X
2862(The)X
3008(content)X
3265(and)X
3401(use)X
3528(of)X
3615(this)X
3750(\256eld)X
3912(are)X
555 3868(described)N
883(in)X
965(greater)X
1209(detail)X
1407(in)X
1489(sections)X
1767(2.3,)X
1907(6,)X
1987(and)X
2123(7.1.)X
3 f
12 s
555 4156(1.1.)N
747(Glossary)X
1134(of)X
1238(terms)X
1 f
10 s
555 4280(Below)N
784(is)X
857(a)X
913(list)X
1030(of)X
1117(terms)X
1315(used)X
1482(throughout)X
1853(this)X
1988(document.)X
3 f
555 4500(Authentication)N
1 f
1355(Verifying)X
1687(the)X
1805(claimed)X
2079(identity)X
2343(of)X
2430(a)X
2486(principal.)X
3 f
555 4720(Authentication)N
1093(header)X
1 f
1362(A)X
1447(record)X
1679(containing)X
2043(a)X
2105(Ticket)X
2336(and)X
2478(an)X
2580(Authenticator)X
3047(to)X
3135(be)X
3237(presented)X
3571(to)X
3659(a)X
3721(server)X
3944(as)X
1355 4816(part)N
1500(of)X
1587(the)X
1705(authentication)X
2179(process.)X
3 f
555 5036(Authentication)N
1097(path)X
1 f
1366(A)X
1455(sequence)X
1781(of)X
1879(intermediate)X
2311(realms)X
2556(transited)X
2862(in)X
2954(the)X
3082(authentication)X
3566(process)X
3837(when)X
1355 5132(communicating)N
1873(from)X
2049(one)X
2185(realm)X
2388(to)X
2470(another.)X
3 f
555 5352(Authenticator)N
1 f
1355(A)X
1446(record)X
1685(containing)X
2056(information)X
2467(that)X
2620(can)X
2765(be)X
2874(shown)X
3115(to)X
3209(have)X
3393(been)X
3577(recently)X
3868(gen-)X
1355 5448(erated)N
1572(using)X
1765(the)X
1883(session)X
2134(key)X
2270(known)X
2508(only)X
2670(by)X
2770(the)X
2888(client)X
3086(and)X
3222(server.)X
3 f
555 5668(Authorization)N
1 f
1355(The)X
1503(process)X
1767(of)X
1857(determining)X
2267(whether)X
2549(a)X
2608(client)X
2809(may)X
2969(use)X
3098(a)X
3156(service,)X
3446(which)X
3664(objects)X
3913(the)X
1355 5764(client)N
1553(is)X
1626(allowed)X
1900(to)X
1982(access,)X
2228(and)X
2364(the)X
2482(type)X
2640(of)X
2727(access)X
2953(allowed)X
3227(for)X
3341(each.)X
555 6144(Section)N
815(1.1.)X
2216(-)X
2263(3)X
2323(-)X
4 p
%%Page: 4 6
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
555 672(Capability)N
1 f
1355(A)X
1433(token)X
1631(that)X
1771(grants)X
1987(the)X
2105(bearer)X
2327(permission)X
2698(to)X
2780(access)X
3006(an)X
3102(object)X
3318(or)X
3405(service.)X
3 f
555 892(Ciphertext)N
1 f
1355(The)X
1501(output)X
1726(of)X
1814(an)X
1910(encryption)X
2273(function.)X
2600(Encryption)X
2976(transforms)X
3339(plaintext)X
3639(into)X
3783(cipher-)X
1355 988(text.)N
3 f
555 1208(Client)N
1 f
1355(A)X
1439(process)X
1706(that)X
1852(makes)X
2083(use)X
2216(of)X
2309(a)X
2371(network)X
2660(service,)X
2934(on)X
3040(behalf)X
3267(of)X
3360(a)X
3422(user.)X
3622(Note)X
3804(that)X
3949(in)X
1355 1304(some)N
1546(cases)X
1738(a)X
3 f
1796(Server)X
1 f
2046(may)X
2205(itself)X
2386(be)X
2483(a)X
2540(client)X
2739(of)X
2827(some)X
3017(other)X
3203(server)X
3421(\(e.g.)X
3585(a)X
3642(print)X
3814(server)X
1355 1400(may)N
1513(be)X
1609(a)X
1665(client)X
1863(of)X
1950(a)X
2006(\256le)X
2128(server\).)X
3 f
555 1620(Credentials)N
1 f
1355(A)X
1438(ticket)X
1641(plus)X
1799(the)X
1922(secret)X
2135(session)X
2391(key)X
2532(necessary)X
2870(to)X
2956(successfully)X
3372(use)X
3503(that)X
3647(ticket)X
3849(in)X
3935(an)X
1355 1716(authentication)N
1829(exchange.)X
3 f
555 1936(Instance)N
1 f
1355(The)X
1505(name)X
1704(often)X
1894(given)X
2097(to)X
2184(the)X
2307(second)X
2555(component)X
2936(of)X
3028(a)X
3088(principal)X
3397(identi\256er,)X
3730(or)X
3821(a)X
3881(par-)X
1355 2032(ticular)N
1603(principal)X
1931(from)X
2130(a)X
2209(group)X
2439(of)X
2549(related)X
2811(principals.)X
3210(In)X
3320(the)X
3461(latter)X
3668(usage,)X
3913(the)X
1355 2128(instances)N
1670(are)X
1790(often)X
1976(created)X
2230(to)X
2313(partition)X
2605(permission)X
2977(for)X
3092(users)X
3278(\(e.g.)X
3442(a)X
3499(user)X
3653(might)X
3859(have)X
1355 2224(a)N
1420("normal")X
1742(instance,)X
2054(and)X
2199(a)X
2264("root")X
2488(instance)X
2779(which)X
3003(has)X
3138(different)X
3443(privileges\262\))X
3854(or)X
3949(to)X
1355 2320(impose)N
1614(a)X
1678(naming)X
1946(convention)X
2330(on)X
2438(service)X
2694(key)X
2838(names)X
3071(\(e.g.)X
3242(for)X
3364(a)X
3428(particular)X
3763(service,)X
1355 2416(the)N
1474(instance\(s\))X
1843(identi\256es)X
2157(the)X
2276(host)X
2430(machine\(s\))X
2808(on)X
2909(which)X
3126(that)X
3267(service)X
3516(is)X
3590(provided)X
3895(and)X
1355 2512(the)N
1473(principal)X
1778(identi\256er)X
2087(of)X
2174(the)X
2292(server\).)X
3 f
555 2732(Kerberos)N
1 f
1355(Aside)X
1580(from)X
1774(the)X
1910(3-headed)X
2243(dog)X
2401(guarding)X
2724(Hades,)X
2983(the)X
3119(name)X
3330(given)X
3545(to)X
3644(the)X
3779(Athena)X
1355 2828(authentication)N
1848(service,)X
2135(the)X
2272(protocol)X
2578(used)X
2764(by)X
2883(that)X
3042(service,)X
3329(or)X
3435(the)X
3572(code)X
3763(used)X
3949(to)X
1355 2924(implement)N
1717(the)X
1835(authentication)X
2309(service.)X
3 f
555 3144(KDC)N
1 f
1355(Key)X
1523(Distribution)X
1943(Center,)X
2211(a)X
2281(network)X
2578(service)X
2840(that)X
2994(supplies)X
3290(tickets)X
3532(and)X
3681(temporary)X
1355 3240(session)N
1608(keys;)X
1799(or)X
1888(an)X
1986(instance)X
2271(of)X
2360(that)X
2502(service)X
2752(or)X
2841(the)X
2960(host)X
3114(on)X
3215(which)X
3432(it)X
3497(runs.)X
3696(The)X
3842(KDC)X
1355 3336(services)N
1648(both)X
1824(initial)X
2044(ticket)X
2255(and)X
2404(ticket-granting)X
2909(ticket)X
3120(requests.)X
3456(The)X
3614(initial)X
3833(ticket)X
1355 3432(portion)N
1618(is)X
1703(sometimes)X
2077(referred)X
2365(to)X
2459(as)X
2558(the)X
2687(Authentication)X
3194(Server)X
3435(\(or)X
3560(service\).)X
3886(The)X
1355 3528(ticket-granting)N
1850(ticket)X
2051(portion)X
2305(is)X
2381(sometimes)X
2746(referred)X
3025(to)X
3110(as)X
3200(the)X
3320(ticket-granting)X
3814(server)X
1355 3624(\(or)N
1469(service\).)X
3 f
555 3844(Plaintext)N
1 f
1355(The)X
1524(input)X
1731(to)X
1836(an)X
1955(encryption)X
2341(function)X
2651(or)X
2761(the)X
2902(output)X
3149(of)X
3259(a)X
3338(decryption)X
3724(function.)X
1355 3940(Decryption)N
1736(transforms)X
2099(ciphertext)X
2440(into)X
2584(plaintext.)X
3 f
555 4160(Principal)N
1 f
1355(A)X
1434(uniquely)X
1734(named)X
1968(client)X
2166(or)X
2253(server)X
2470(instance)X
2753(that)X
2893(participates)X
3283(in)X
3365(a)X
3421(network)X
3704(commun-)X
1355 4256(ication.)N
3 f
555 4476(Principal)N
890(identi\256er)X
1 f
1355(The)X
1500(name)X
1694(used)X
1861(to)X
1943(uniquely)X
2243(identify)X
2512(each)X
2680(different)X
2977(principal.)X
3 f
555 4696(Secret)N
804(key)X
1 f
1369(An)X
1501(encryption)X
1878(key)X
2028(shared)X
2272(by)X
2385(a)X
2454(principal)X
2772(and)X
2921(the)X
3052(KDC,)X
3274(distributed)X
3649(outside)X
3913(the)X
1355 4792(bounds)N
1612(of)X
1705(the)X
1829(system,)X
2096(with)X
2263(a)X
2324(long)X
2491(lifetime.)X
2805(In)X
2897(the)X
3020(case)X
3184(of)X
3276(a)X
3337(human)X
3580(user's)X
3797(princi-)X
1355 4888(pal,)N
1493(the)X
1611(secret)X
1819(key)X
1955(is)X
2028(derived)X
2289(from)X
2465(a)X
2521(password.)X
3 f
555 5108(Seal)N
1 f
1355(To)X
1466(encipher)X
1765(a)X
1823(record)X
2051(containing)X
2411(several)X
2661(\256elds,)X
2876(in)X
2960(such)X
3129(a)X
3187(way)X
3343(that)X
3484(the)X
3603(\256elds)X
3797(cannot)X
1355 5204(be)N
1458(individually)X
1871(replaced)X
2171(without)X
2442(either)X
2651(knowledge)X
3029(of)X
3122(the)X
3246(encryption)X
3615(key)X
3757(or)X
3850(leav-)X
1355 5300(ing)N
1477(evidence)X
1783(of)X
1870(tampering.)X
8 s
10 f
555 5504(hhhhhhhhhhhhhhhhhh)N
1 f
555 5584(\262Note)N
728(that)X
841(these)X
989(privileges)X
1258(are)X
1352(determined)X
1656(by)X
1737(access)X
1916(controls)X
2139(applied)X
2344(by)X
2425(application)X
2726(servers;)X
2941(the)X
3036(instance)X
3262(\256eld)X
3393(does)X
3527(not)X
3625(car-)X
555 5664(ry)N
624(any)X
732(inherent)X
957(privileges.)X
10 s
555 6144(Section)N
815(1.1.)X
2216(-)X
2263(4)X
2323(-)X
5 p
%%Page: 5 7
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
555 672(Server)N
1 f
1355(A)X
1433(particular)X
1761(Principal)X
2070(which)X
2286(provides)X
2582(a)X
2638(resource)X
2931(to)X
3013(network)X
3296(clients.)X
3 f
555 892(Service)N
1 f
1355(A)X
1442(resource)X
1744(provided)X
2057(to)X
2147(network)X
2438(clients;)X
2697(often)X
2890(provided)X
3203(by)X
3311(more)X
3504(than)X
3670(one)X
3814(server)X
1355 988(\(for)N
1496(example,)X
1808(remote)X
2051(\256le)X
2173(service\).)X
3 f
555 1208(Session)N
829(key)X
1 f
1361(A)X
1445(temporary)X
1801(encryption)X
2170(key)X
2312(used)X
2484(between)X
2777(two)X
2922(principals,)X
3283(with)X
3450(a)X
3511(lifetime)X
3785(limited)X
1355 1304(to)N
1437(the)X
1555(duration)X
1842(of)X
1929(a)X
1985(single)X
2196(communications)X
2745("session".)X
3 f
555 1524(Ticket)N
1 f
1355(A)X
1438(record)X
1669(that)X
1814(helps)X
2008(a)X
2069(client)X
2272(authenticate)X
2685(to)X
2771(a)X
2831(service;)X
3105(it)X
3173(contains)X
3464(the)X
3586(client's)X
3846(iden-)X
1355 1620(tity,)N
1524(a)X
1603(session)X
1877(key,)X
2055(a)X
2133(timestamp,)X
2528(and)X
2686(other)X
2893(information,)X
3333(all)X
3455(sealed)X
3698(using)X
3913(the)X
1355 1716(service's)N
1667(secret)X
1881(key.)X
2063(It)X
2138(only)X
2306(serves)X
2533(to)X
2621(authenticate)X
3035(a)X
3097(client)X
3301(when)X
3500(presented)X
3833(along)X
1355 1812(with)N
1517(a)X
1573(new)X
1727(Authenticator.)X
3 f
12 s
555 2100(2.)N
675(Message)X
1046(Exchanges)X
1 f
10 s
555 2224(The)N
703(following)X
1037(sections)X
1318(describe)X
1609(the)X
1729(various)X
1987(interactions)X
2383(between)X
2673(network)X
2958(clients)X
3189(and)X
3327(servers,)X
3597(and)X
3735(the)X
3855(mes-)X
555 2320(sages)N
749(involved)X
1049(in)X
1131(those)X
1320(exchanges.)X
3 f
12 s
555 2512(2.1.)N
747(The)X
931(Authentication)X
1568(Service)X
1892(\(AS\))X
2102(Exchange)X
1 f
10 s
755 2636(This)N
918(section)X
1166(describes)X
1486(one)X
1623(interaction)X
1987(between)X
2276(a)X
2333(client)X
2532(and)X
2669(the)X
2788(Kerberos)X
3103(Authentication)X
3599(Server.)X
3869(This)X
555 2732(exchange)N
891(is)X
976(usually)X
1239(initiated)X
1533(by)X
1645(a)X
1713(client)X
1923(when)X
2129(it)X
2204(wishes)X
2453(to)X
2546(obtain)X
2777(authentication)X
3262(credentials)X
3641(for)X
3766(a)X
3833(given)X
555 2828(server.)N
820(The)X
973(client's)X
1236(secret)X
1451(key)X
1594(is)X
1674(used)X
1848(for)X
1969(encryption)X
2339(and)X
2482(decryption.)X
2892(This)X
3061(exchange)X
3392(is)X
3472(typically)X
3779(used)X
3953(at)X
555 2924(the)N
675(initiation)X
985(of)X
1074(a)X
1132(login)X
1318(session,)X
1591(to)X
1675(obtain)X
1897(credentials)X
2267(for)X
2383(a)X
2441(Ticket-Granting)X
2980(Server,)X
3231(which)X
3448(will)X
3593(subsequently)X
555 3020(be)N
660(used)X
835(obtain)X
1063(credentials)X
1439(for)X
1561(other)X
1754(servers)X
2010(\(see)X
2168(section)X
2423(2.3\))X
2578(without)X
2850(requiring)X
3172(further)X
3419(use)X
3554(of)X
3649(the)X
3775(client's)X
555 3116(secret)N
768(key.)X
949(This)X
1116(exchange)X
1445(is)X
1523(used)X
1695(to)X
1782(request)X
2039(credentials)X
2412(for)X
2531(services)X
2815(which)X
3036(must)X
3216(not)X
3343(be)X
3444(mediated)X
3762(through)X
555 3212(the)N
675(Ticket-Granting)X
1214(Service,)X
1497(but)X
1621(rather)X
1831(require)X
2081(a)X
2139(principal's)X
2504(secret)X
2713(key,)X
2870(such)X
3038(as)X
3126(the)X
3245(password-changing)X
3890(ser-)X
555 3308(vice\262.)N
755 3432(The)N
933(exchange)X
1290(consists)X
1596(of)X
1716(two)X
1889(messages:)X
2267(KRB_AS_REQ)X
2826(from)X
3034(the)X
3184(client)X
3414(to)X
3528(Kerberos,)X
3895(and)X
555 3528(KRB_AS_REP)N
1067(or)X
1154(KRB_ERROR)X
1644(in)X
1726(reply.)X
1951(The)X
2096(formats)X
2361(for)X
2475(these)X
2660(messages)X
2983(are)X
3102(described)X
3430(in)X
3512(section)X
3759(7.2.)X
755 3652(In)N
843(the)X
961(request,)X
1233(the)X
1351(client)X
1549(sends)X
1747(\(in)X
1856(cleartext\))X
2180(its)X
2275(own)X
2433(identity)X
2697(and)X
2833(the)X
2951(identity)X
3215(of)X
3302(the)X
3420(server)X
3637(for)X
3751(which)X
3967(it)X
555 3748(is)N
638(requesting)X
1002(credentials.)X
1420(The)X
1574(response,)X
1904(KRB_AS_REP,)X
2445(contains)X
2741(a)X
2806(ticket)X
3013(for)X
3136(the)X
3263(client)X
3470(to)X
3561(present)X
3822(to)X
3913(the)X
555 3844(server,)N
799(and)X
941(a)X
1003(session)X
1260(key)X
1402(that)X
1548(will)X
1698(be)X
1800(shared)X
2036(by)X
2142(the)X
2266(client)X
2470(and)X
2612(the)X
2736(server.)X
2999(The)X
3150(session)X
3407(key)X
3549(and)X
3691(additional)X
555 3940(information)N
962(are)X
1090(encrypted)X
1436(in)X
1527(the)X
1654(client's)X
1918(secret)X
2134(key.)X
2318(Various)X
2600(errors)X
2816(can)X
2956(occur;)X
3185(these)X
3378(are)X
3505(indicated)X
3827(by)X
3935(an)X
555 4036(error)N
761(response)X
1091(\(KRB_ERROR\))X
1664(instead)X
1940(of)X
2055(the)X
2201(KRB_AS_REP)X
2741(response.)X
3110(The)X
3283(error)X
3488(message)X
3808(is)X
3909(not)X
555 4132(encrypted.)N
937(The)X
1087(KRB_AS_REP)X
1604(message)X
1901(contains)X
2193(information)X
2596(which)X
2817(can)X
2954(be)X
3055(used)X
3227(to)X
3314(detect)X
3531(replays,)X
3808(and)X
3949(to)X
555 4228(associate)N
875(it)X
949(with)X
1121(the)X
1249(message)X
1551(to)X
1643(which)X
1869(it)X
1942(replies.)X
2225(The)X
2379(KRB_ERROR)X
2878(message)X
3179(also)X
3337(contains)X
3633(information)X
555 4324(which)N
787(can)X
935(be)X
1047(used)X
1230(to)X
1328(associate)X
1654(it)X
1734(with)X
1911(the)X
2044(message)X
2351(to)X
2448(which)X
2679(it)X
2758(replies)X
3007(\(the)X
3167(lack)X
3336(of)X
3438(encryption)X
3816(in)X
3913(the)X
555 4420(KRB_ERROR)N
1045(message)X
1337(thwarts)X
1593(the)X
1711(ability)X
1935(to)X
2017(detect)X
2229(replays\).)X
755 4544(It)N
825(should)X
1059(be)X
1156(noted)X
1355(that)X
1496(the)X
1615(authentication)X
2090(server)X
2308(does)X
2475(not)X
2597(know)X
2795(whether)X
3074(the)X
3192(client)X
3390(is)X
3463(actually)X
3737(the)X
3855(prin-)X
555 4640(cipal)N
736(named)X
975(in)X
1062(the)X
1185(request.)X
1482(It)X
1556(simply)X
1797(sends)X
1999(a)X
2059(reply)X
2248(without)X
2516(knowing)X
2820(or)X
2911(caring)X
3136(whether)X
3419(they)X
3581(are)X
3704(the)X
3826(same.)X
555 4736(This)N
720(is)X
796(acceptable)X
1159(because)X
1437(nobody)X
1700(but)X
1824(the)X
1944(principal)X
2251(whose)X
2478(identity)X
2744(was)X
2891(given)X
3091(in)X
3175(the)X
3295(request)X
3549(will)X
3695(be)X
3793(able)X
3949(to)X
555 4832(use)N
682(the)X
800(reply.)X
1005(Its)X
1105(critical)X
1348(information)X
1746(is)X
1819(encrypted)X
2156(in)X
2238(that)X
2378(principal's)X
2741(key.)X
3 f
555 5024(2.1.1.)N
775(Generation)X
1182(of)X
1269(KRB_AS_REQ)X
1817(message)X
1 f
755 5148(The)N
904(client)X
1106(may)X
1268(specify)X
1524(a)X
1584(number)X
1853(of)X
1944(options)X
2203(in)X
2289(the)X
2411(initial)X
2621(request.)X
2917(Among)X
3181(these)X
3370(options)X
3629(are)X
3752(whether)X
555 5244(the)N
678(requested)X
1010(ticket)X
1212(is)X
1289(to)X
1375(be)X
1475(renewable,)X
1850(proxiable,)X
2197(or)X
2288(forwardable;)X
2723(whether)X
3006(it)X
3074(should)X
3311(be)X
3411(postdated)X
3742(or)X
3833(allow)X
555 5340(postdating)N
910(of)X
999(derivative)X
1342(tickets;)X
1594(and)X
1731(whether)X
2011(a)X
2068(renewable)X
2420(ticket)X
2619(will)X
2764(be)X
2861(accepted)X
3164(in)X
3247(lieu)X
3388(of)X
3476(a)X
3533(non-renewable)X
555 5436(ticket)N
777(if)X
870(the)X
1012(requested)X
1364(ticket)X
1586(expiration)X
1955(date)X
2133(cannot)X
2391(be)X
2511(satis\256ed)X
2817(by)X
2941(a)X
3021(non-renewable)X
3542(ticket)X
3763(\(due)X
3949(to)X
8 s
10 f
555 5516(hhhhhhhhhhhhhhhhhh)N
1 f
555 5596(\262)N
604(The)X
720(password-changing)X
1233(request)X
1434(must)X
1576(not)X
1675(be)X
1752(honored)X
1977(unless)X
2153(the)X
2247(requester)X
2496(can)X
2600(provide)X
2811(the)X
2905(old)X
3003(password)X
3260(\(the)X
3375(user's)X
3543(current)X
555 5676(secret)N
725(key\).)X
892(Otherwise,)X
1192(it)X
1249(would)X
1430(be)X
1511(possible)X
1742(for)X
1837(someone)X
2085(to)X
2156(walk)X
2301(up)X
2386(to)X
2457(an)X
2538(unattended)X
2839(session)X
3045(and)X
3158(change)X
3359(another)X
3571(user's)X
555 5756(password.)N
10 s
555 6144(Section)N
815(2.1.1.)X
2216(-)X
2263(5)X
2323(-)X
6 p
%%Page: 6 8
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(con\256guration)N
1002(constraints;)X
1391(see)X
1514(section)X
1761(4\).)X
755 796(The)N
912(client)X
1121(prepares)X
1425(the)X
1554(KRB_AS_REQ)X
2091(message)X
2394(containing)X
2763(a)X
2830(\256eld)X
3003(of)X
3101(desired)X
3364(options,)X
3650(the)X
3779(desired)X
555 892(start)N
716(time)X
881(\(after)X
1078(which)X
1296(the)X
1416(ticket)X
1616(should)X
1851(be)X
1949(valid\),)X
2178(the)X
2298(desired)X
2552(expiration)X
2899(time)X
3063(\(after)X
3260(which)X
3478(the)X
3598(ticket)X
3798(should)X
555 988(be)N
651(invalid\),)X
940(the)X
1058(desired)X
1310(encryption)X
1673(type,)X
1851(the)X
1969(client's)X
2225(name,)X
2439(and)X
2575(the)X
2693(server's)X
2968(name,)X
3182(and)X
3318(sends)X
3516(it)X
3580(to)X
3662(the)X
3780(KDC.)X
3 f
555 1180(2.1.2.)N
775(Receipt)X
1054(of)X
1141(KRB_AS_REQ)X
1689(message)X
1 f
755 1304(If)N
833(all)X
937(goes)X
1108(well,)X
1290(processing)X
1657(the)X
1779(KRB_AS_REQ)X
2309(message)X
2605(will)X
2753(result)X
2955(in)X
3041(the)X
3163(creation)X
3446(of)X
3536(a)X
3595(ticket)X
3796(for)X
3913(the)X
555 1400(client)N
761(to)X
851(present)X
1111(to)X
1201(the)X
1327(server.)X
1592(The)X
1745(format)X
1987(for)X
2109(the)X
2235(ticket)X
2441(is)X
2522(described)X
2858(in)X
2948(section)X
3203(7.1.)X
3371(The)X
3524(contents)X
3819(of)X
3913(the)X
555 1496(ticket)N
753(are)X
872(determined)X
1253(as)X
1340(follows.)X
3 f
555 1688(2.1.3.)N
775(Generation)X
1182(of)X
1269(KRB_AS_REP)X
1804(message)X
1 f
755 1812(The)N
901(authentication)X
1376(server)X
1594(looks)X
1788(up)X
1889(the)X
2007(client)X
2205(and)X
2341(server)X
2558(principals)X
2894(named)X
3128(in)X
3210(the)X
3328(KRB_AS_REQ)X
3854(in)X
3936(its)X
555 1908(database,)N
877(extracting)X
1223(their)X
1395(respective)X
1746(keys.)X
1958(If)X
2037(the)X
2160(server)X
2382(cannot)X
2621(accomodate)X
3030(the)X
3153(requested)X
3486(encryption)X
3853(type,)X
555 2004(an)N
654(error)X
834(message)X
1129(with)X
1294(code)X
1469(KDC_ERR_ETYPE_NOSUPP)X
2491(is)X
2567(returned.)X
2898(Otherwise)X
3250(it)X
3316(generates)X
3642(a)X
3700("random")X
555 2100(session)N
806(key\262.)X
755 2224(If)N
832(the)X
953(requested)X
1284(start)X
1445(time)X
1610(is)X
1686(zero,)X
1868(then)X
2029(the)X
2150(start)X
2311(time)X
2476(of)X
2566(the)X
2687(ticket)X
2888(is)X
2964(set)X
3076(to)X
3160(the)X
3280(authentication)X
3756(server's)X
555 2320(current)N
804(time.)X
1007(If)X
1082(it)X
1147(is)X
1221(non-zero)X
1528(but)X
1651(indicates)X
1957(a)X
2014(time)X
2176(in)X
2258(the)X
2376(past,)X
2545(it)X
2609(is)X
2682(treated)X
2921(as)X
3008(zero.)X
3207(If)X
3281(it)X
3345(is)X
3418(non-zero)X
3724(and)X
3860(indi-)X
555 2416(cates)N
767(a)X
854(time)X
1047(in)X
1160(the)X
1309(future,)X
1572(but)X
1725(the)X
1874(POSTDATED)X
2392(option)X
2647(has)X
2805(not)X
2958(been)X
3161(speci\256ed,)X
3517(then)X
3706(the)X
3854(error)X
555 2512(KDC_ERR_CANNOT_POSTDATE)N
1765(is)X
1841(returned.)X
2172(Otherwise)X
2525(the)X
2646(requested)X
2977(start)X
3138(time)X
3303(is)X
3378(checked)X
3664(against)X
3913(the)X
555 2608(policy)N
784(of)X
880(the)X
1006(local)X
1190(realm)X
1401(\(the)X
1554(administrator)X
2009(might)X
2223(decide)X
2461(to)X
2551(prohibit)X
2832(certain)X
3079(types)X
3276(or)X
3371(ranges)X
3609(of)X
3704(postdated)X
555 2704(tickets\),)N
832(and)X
969(if)X
1039(acceptable,)X
1420(the)X
1539(ticket's)X
1796(start)X
1955(time)X
2118(is)X
2192(set)X
2302(as)X
2390(requested)X
2719(and)X
2876(the)X
2995(INVALID)X
3351(\257ag)X
3492(is)X
3566(set)X
3676(in)X
3759(the)X
3877(new)X
555 2800(ticket.)N
775(The)X
922(postdated)X
1251(ticket)X
1451(must)X
1628(be)X
1726(validated)X
2042(before)X
2270(use)X
2399(by)X
2501(presenting)X
2857(it)X
2923(to)X
3006(the)X
3125(KDC)X
3315(after)X
3484(the)X
3603(starttime)X
3904(has)X
555 2896(been)N
727(reached.)X
555 3020(The)N
700(expiration)X
1045(time)X
1207(of)X
1294(the)X
1412(Ticket)X
1637(will)X
1781(be)X
1877(set)X
1986(to)X
2068(the)X
2186(minimum)X
2516(of)X
2603(the)X
2721(following:)X
10 f
555 3144(g)N
1 f
595(The)X
740(expiration)X
1085(time)X
1247(requested)X
1575(in)X
1657(the)X
1775(KRB_AS_REQ)X
2301(message)X
10 f
555 3268(g)N
1 f
595(The)X
754(ticket's)X
1024(start)X
1196(time)X
1372(plus)X
1539(the)X
1671(maximum)X
2029(allowable)X
2375(lifetime)X
2658(associated)X
3022(with)X
3198(the)X
3330(client)X
3541(principal)X
3859(\(The)X
595 3364(authentication)N
1076(server's)X
1358(database)X
1662(includes)X
1956(a)X
2019(maximum)X
2370(ticket)X
2575(lifetime)X
2851(\256eld)X
3020(in)X
3109(each)X
3284(principal's)X
3654(record;)X
3908(see)X
595 3460(section)N
842(4\).)X
10 f
555 3584(g)N
1 f
595(The)X
740(ticket's)X
996(start)X
1154(time)X
1316(plus)X
1469(the)X
1587(maximum)X
1931(allowable)X
2263(lifetime)X
2532(associated)X
2882(with)X
3044(the)X
3162(server)X
3379(principal.)X
10 f
555 3708(g)N
1 f
595(The)X
740(ticket's)X
996(start)X
1154(time)X
1316(plus)X
1469(the)X
1587(lifetime)X
1856(set)X
1965(by)X
2065(the)X
2183(policy)X
2403(of)X
2490(the)X
2608(local)X
2784(realm.)X
755 3832(If)N
841(the)X
971(requested)X
1311(expiration)X
1668(time)X
1842(is)X
1927(less)X
2079(than)X
2249(a)X
2317(site-determined)X
2848(constant)X
3147(greater)X
3402(than)X
3571(the)X
3700(start)X
3869(time)X
555 3928(determined)N
945(as)X
1041(above,)X
1282(an)X
1387(error)X
1573(message)X
1874(with)X
2045(code)X
2225(KDC_ERR_NEVER_VALID)X
3214(is)X
3295(returned)X
3591(\(the)X
3744(constant)X
555 4024(should)N
791(re\257ect)X
1015(reasonable)X
1382(expectations)X
1806(of)X
1896(round-trip)X
2244(time)X
2409(to)X
2494(the)X
2614(KDC,)X
2825(encryption/decryption)X
3555(time,)X
3739(and)X
3877(pro-)X
555 4120(cessing)N
818(time)X
987(by)X
1094(the)X
1219(client)X
1424(and)X
1567(target)X
1777(server,)X
2021(and)X
2164(it)X
2235(should)X
2475(allow)X
2680(for)X
2801(a)X
2864(minimum)X
3201("useful")X
3490(lifetime\).)X
3833(If)X
3913(the)X
555 4216(requested)N
926(expiration)X
1314(time)X
1519(for)X
1676(the)X
1836(ticket)X
2076(exceeds)X
2393(what)X
2611(was)X
2798(determined)X
3221(as)X
3350(above,)X
3624(and)X
3802(if)X
3913(the)X
555 4312("RENEWABLE-OK")N
1281(option)X
1508(was)X
1655(requested,)X
2005(then)X
2165(the)X
2285("RENEWABLE")X
2867(\257ag)X
3009(is)X
3084(set)X
3195(in)X
3279(the)X
3399(new)X
3555(ticket,)X
3775(and)X
3913(the)X
555 4408("renew_till")N
972(value)X
1172(is)X
1251(set)X
1366(as)X
1459(if)X
1534(the)X
1658("RENEWABLE")X
2244(option)X
2474(were)X
2657(requested)X
2991(\(the)X
3142(\256eld)X
3310(and)X
3452(option)X
3682(names)X
3912(are)X
555 4504(described)N
883(fully)X
1054(in)X
1136(section)X
1383(7\).)X
755 4628(If)N
831(the)X
951(RENEWABLE)X
1467(option)X
1693(has)X
1822(been)X
1995(requested)X
2324(or)X
2412(if)X
2482(the)X
2601(RENEWABLE-OK)X
3259(option)X
3484(has)X
3612(been)X
3785(set)X
3895(and)X
555 4724(a)N
611(renewable)X
962(ticket)X
1160(is)X
1233(to)X
1315(be)X
1411(issued,)X
1651(then)X
1809(the)X
1927(renew_till)X
2272(\256eld)X
2434(is)X
2507(set)X
2616(to)X
2698(the)X
2816(minimum)X
3146(of:)X
10 f
555 4848(g)N
1 f
595(Its)X
695(requested)X
1023(value)X
10 f
555 4972(g)N
1 f
595(The)X
748(start)X
914(time)X
1084(of)X
1178(the)X
1303(ticket)X
1508(plus)X
1668(the)X
1793(minimum)X
2130(of)X
2224(the)X
2349(two)X
2496(maximum)X
2847(renewable)X
3205(lifetimes)X
3512(associated)X
3869(with)X
595 5068(the)N
713(principals')X
1076(database)X
1373(entries.)X
10 f
555 5192(g)N
1 f
595(The)X
740(start)X
898(time)X
1060(of)X
1147(the)X
1265(ticket)X
1463(plus)X
1616(the)X
1734(maximum)X
2078(renewable)X
2429(lifetime)X
2698(set)X
2807(by)X
2907(the)X
3025(policy)X
3245(of)X
3332(the)X
3450(local)X
3626(realm.)X
755 5316(The)N
912(\257ags)X
1095(\256eld)X
1269(of)X
1368(the)X
1497(new)X
1662(ticket)X
1871(will)X
2026(have)X
2209(the)X
2338(following)X
2680(options)X
2946(set)X
3066(if)X
3146(they)X
3315(have)X
3498(been)X
3681(requested:)X
8 s
10 f
555 5396(hhhhhhhhhhhhhhhhhh)N
1 f
555 5476(\262)N
606("Random")X
894(means)X
1076(that,)X
1207(among)X
1400(other)X
1550(things,)X
1742(it)X
1797(should)X
1987(be)X
2066(impossible)X
2362(to)X
2430(guess)X
2590(the)X
2686(next)X
2814(session)X
3017(key)X
3127(based)X
3290(on)X
3372(knowledge)X
3670(of)X
555 5556(past)N
678(session)X
883(keys.)X
1052(This)X
1186(can)X
1294(only)X
1428(be)X
1508(achieved)X
1753(in)X
1822(a)X
1869(pseudo-random)X
2285(number)X
2499(generator)X
2758(if)X
2816(it)X
2871(is)X
2933(based)X
3097(on)X
3180(cryptographic)X
3553(princi-)X
555 5636(ples.)N
710(It)X
769(would)X
949(be)X
1029(more)X
1180(desirable)X
1430(to)X
1500(use)X
1605(a)X
1653(truly)X
1794(random)X
2009(number)X
2224(generator,)X
2500(such)X
2637(as)X
2710(one)X
2822(based)X
2987(on)X
3071(measurements)X
3456(of)X
3528(random)X
555 5716(physical)N
784(phenomena.)X
10 s
555 6144(Section)N
815(2.1.3.)X
2216(-)X
2263(6)X
2323(-)X
7 p
%%Page: 7 9
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(POSTDATED,)N
1091(FORWARDABLE,)X
1769(PROXIABLE,)X
2286(MAY-POSTDATE,)X
2977(RENEWABLE,)X
3539(DUPLICATE-)X
555 768(SKEY.)N
824(If)X
898(the)X
1016(new)X
1170(ticket)X
1368(is)X
1441(postdated)X
1768(\(the)X
1913(start)X
2071(time)X
2233(is)X
2306(in)X
2388(the)X
2506(future\),)X
2765(its)X
2860(POSTDATED)X
3347(\257ag)X
3487(will)X
3631(also)X
3780(be)X
3876(set.)X
755 892(If)N
834(all)X
939(of)X
1031(the)X
1154(above)X
1371(succeed,)X
1671(the)X
1794(server)X
2016(formats)X
2286(a)X
2347(KRB_AS_REP)X
2864(message)X
3161(\(see)X
3316(section)X
3568(7.2\),)X
3739(encrypts)X
555 988(the)N
673(ciphertext)X
1014(part)X
1159(in)X
1241(the)X
1359(client's)X
1615(key)X
1751(using)X
1944(the)X
2062(requested)X
2390(encryption)X
2753(method,)X
3033(and)X
3169(sends)X
3367(it)X
3431(to)X
3513(the)X
3631(client.)X
3 f
555 1180(2.1.4.)N
775(Generation)X
1182(of)X
1269(KRB_ERROR)X
1791(message)X
1 f
755 1304(Several)N
1030(errors)X
1252(can)X
1398(occur,)X
1630(and)X
1779(the)X
1910(Authentication)X
2419(Server)X
2662(responds)X
2980(by)X
3093(returning)X
3420(an)X
3529(error)X
3719(message,)X
555 1400(KRB_ERROR,)N
1065(to)X
1147(the)X
1265(client.)X
1503(The)X
1648(error)X
1825(message)X
2117(contents)X
2404(and)X
2540(details)X
2769(are)X
2888(described)X
3216(in)X
3298(Section)X
3558(7.7.)X
3 f
555 1592(2.1.5.)N
775(Receipt)X
1054(of)X
1141(KRB_AS_REP)X
1676(message)X
1 f
555 1716(If)N
632(the)X
753(reply)X
941(message)X
1236(type)X
1397(is)X
1473(KRB_AS_REP,)X
2008(then)X
2169(the)X
2290(client)X
2491(veri\256es)X
2749(that)X
2891(the)X
3011("cname")X
3309(and)X
3447("crealm")X
3754(\256elds)X
3949(in)X
555 1812(the)N
674(cleartext)X
972(portion)X
1224(of)X
1312(the)X
1431(reply)X
1617(match)X
1834(what)X
2011(it)X
2076(requested)X
2405(\(to)X
2515(prevent)X
2777(blatant)X
3016(attacks)X
3259(by)X
3359(an)X
3455(attacker)X
3730(respond-)X
555 1908(ing)N
680(with)X
845(a)X
904(response)X
1208(to)X
1293(a)X
1352(completely)X
1731(different)X
2031(request\).)X
2353(It)X
2425(decrypts)X
2720(the)X
2840(encrypted)X
3179(part)X
3326(of)X
3415(the)X
3535(response)X
3838(using)X
555 2004(its)N
657(secret)X
872(key,)X
1035(veri\256es)X
1298(that)X
1444(the)X
1568("ctime")X
1838(in)X
1926(the)X
2050(resp_cipher)X
2451(matches)X
2740(the)X
2864(timestamp)X
3223(it)X
3293(supplied)X
3590(in)X
3678(its)X
3779(request)X
555 2100(\(to)N
666(prevent)X
929(replays\).)X
1250(It)X
1321(also)X
1472(veri\256es)X
1730(that)X
1871(the)X
1990("sname")X
2282(and)X
2419("srealm")X
2720(in)X
2803(the)X
2922(response)X
3224(match)X
3441(those)X
3631(in)X
3714(the)X
3833(ticket)X
555 2196(\(to)N
672(help)X
838(prevent)X
1107(an)X
1211(attacker)X
1494(from)X
1678(easily)X
1893(substituting)X
2293(some)X
2490(other)X
2683(ticket)X
2889(in)X
2979(the)X
3105(response\),)X
3461(and)X
3605(that)X
3753(the)X
3878(host)X
555 2292(address)N
828(\256eld)X
1002(in)X
1096(the)X
1226(response)X
1539(matches)X
1834(the)X
1964(request)X
2227(\(to)X
2347(guard)X
2561(against)X
2819(modi\256cation)X
3254(of)X
3352(the)X
3481(addresses)X
3820(in)X
3913(the)X
555 2388(request\).)N
883(It)X
961(then)X
1128(stores)X
1344(the)X
1470(ticket,)X
1696(session)X
1955(key,)X
2119(start)X
2285(and)X
2429(expiration)X
2782(times,)X
3003(and)X
3147(other)X
3340(information)X
3746(for)X
3868(later)X
555 2484(use.)N
724(The)X
871("key_exp")X
1230(\256eld)X
1393(from)X
1570(the)X
1689(resp_cipher)X
2085(may)X
2244(be)X
2341(checked)X
2626(to)X
2709(notify)X
2921(the)X
3040(user)X
3195(of)X
3283(impending)X
3646(key)X
3783(expira-)X
555 2580(tion)N
699(\(the)X
844(client)X
1042(program)X
1334(could)X
1532(then)X
1690(suggest)X
1950(remedial)X
2251(action,)X
2487(such)X
2654(as)X
2741(a)X
2797(password)X
3120(change\).)X
3 f
555 2772(2.1.6.)N
775(Receipt)X
1054(of)X
1141(KRB_ERROR)X
1663(message)X
1 f
555 2896(If)N
634(the)X
757(reply)X
947(message)X
1244(type)X
1407(is)X
1485(KRB_ERROR,)X
2000(then)X
2163(the)X
2286(client)X
2489(interprets)X
2817(it)X
2886(as)X
2978(an)X
3079(error)X
3261(and)X
3402(performs)X
3716(whatever)X
555 2992(application-speci\256c)N
1203(tasks)X
1383(are)X
1502(necessary)X
1835(to)X
1917(recover.)X
3 f
12 s
555 3184(2.2.)N
747(The)X
931(Client/Server)X
1506(\(CS\))X
1716(Authentication)X
2353(Exchange)X
1 f
10 s
755 3308(This)N
920(exchange)X
1247(is)X
1323(used)X
1493(by)X
1596(network)X
1881(applications)X
2290(to)X
2374(authenticate)X
2784(the)X
2904(client)X
3104(to)X
3188(the)X
3308(server)X
3527(and)X
3665(vice)X
3821(versa.)X
555 3404(The)N
718(client)X
934(must)X
1127(have)X
1317(already)X
1592(acquired)X
1907(a)X
1981(ticket/session)X
2450(key)X
2604(pair)X
2767(for)X
2899(the)X
3035(server)X
3270(using)X
3481(the)X
3617(AS)X
3756(or)X
3860(TGS)X
555 3500(exchange.)N
919(The)X
1064(formats)X
1329(for)X
1443(the)X
1561(messages)X
1884(described)X
2212(in)X
2294(this)X
2429(section)X
2676(can)X
2808(be)X
2904(found)X
3111(in)X
3193(section)X
3440(7.3.)X
3 f
555 3692(2.2.1.)N
775(The)X
928(KRB_AP_REQ)X
1481(message)X
1 f
755 3816(The)N
907(KRB_AP_REQ)X
1439(contains)X
1732(authentication)X
2212(information)X
2616(which)X
2838(can)X
2976(be)X
3078(the)X
3202(\256rst)X
3352(message,)X
3670(or)X
3763(the)X
3887(\256rst)X
555 3912(part)N
702(of)X
791(a)X
849(message,)X
1163(in)X
1247(an)X
1345(authenticated)X
1795(transaction.)X
2209(It)X
2280(contains)X
2569(a)X
2626(ticket)X
2825(and)X
2962(an)X
3059(authenticator,)X
3519(and)X
3656(some)X
3846(addi-)X
555 4008(tional)N
770(bookkeeping)X
1217(information)X
1628(\(see)X
1791(section)X
2051(7.3)X
2184(for)X
2311(the)X
2442(exact)X
2645(format\).)X
2959(The)X
3116(KRB_AP_REQ)X
3654(message)X
3958(is)X
555 4104(referred)N
831(to)X
913(elsewhere)X
1255(as)X
1342(the)X
1460(authentication)X
1934(header.)X
3 f
555 4296(2.2.2.)N
775(Generation)X
1182(of)X
1269(a)X
1329(KRB_AP_REQ)X
1882(message)X
1 f
755 4420(When)N
975(a)X
1039(client)X
1245(wishes)X
1491(to)X
1581(initiate)X
1831(authentication)X
2313(to)X
2403(a)X
2467(server,)X
2712(it)X
2784(creates)X
3036(a)X
3099(KRB_AP_REQ)X
3632(message)X
3931(by)X
555 4516(obtaining)N
881(\(either)X
1114(through)X
1386(a)X
1445(cache,)X
1672(the)X
1793(AS)X
1918(exchange,)X
2265(or)X
2355(the)X
2476(TGS)X
2650(exchange\))X
3004(a)X
3063(ticket)X
3264(and)X
3403(session)X
3657(key)X
3796(for)X
3913(the)X
555 4612(desired)N
828(service.)X
1137(It)X
1227(then)X
1406(creates)X
1671(a)X
1748(new)X
1923(Authenticator)X
2405(\(taking)X
2673(the)X
2812(system)X
3075(time,)X
3278(its)X
3394(name,)X
3629(possibly)X
3935(an)X
555 4708(application-protocol)N
1236(speci\256c)X
1512(checksum,)X
1884(and)X
2031(the)X
2160(network)X
2454(layer)X
2646(address)X
2918(in)X
3011(use\),)X
3195(and)X
3341(bundles)X
3620(together)X
3913(the)X
555 4804(ticket,)N
773(authenticator,)X
1232(and)X
1368(associated)X
1718(information,)X
2136(and)X
2272(transmits)X
2585(the)X
2703(message)X
2995(to)X
3077(the)X
3195(server.)X
3 f
555 4996(2.2.3.)N
775(Receipt)X
1054(of)X
1141(KRB_AP_REQ)X
1694(message)X
1 f
755 5120(Authentication)N
1259(is)X
1340(based)X
1551(on)X
1659(the)X
1785(server's)X
2068(current)X
2324(time)X
2494(of)X
2589(day)X
2733(\(clocks)X
2993(must)X
3175(be)X
3278(loosely)X
3536(synchronized\),)X
555 5216(the)N
680(authenticator,)X
1146(and)X
1288(the)X
1412(ticket.)X
1656(Several)X
1923(errors)X
2137(are)X
2262(possible.)X
2590(If)X
2670(an)X
2772(error)X
2955(occurs,)X
3211(the)X
3335(server)X
3558(is)X
3637(expected)X
3949(to)X
555 5312(reply)N
748(to)X
838(the)X
964(client)X
1170(with)X
1340(a)X
1404(KRB_ERROR)X
1902(message.)X
2242(This)X
2412(message)X
2712(must)X
2895(be)X
2999(encapsulated)X
3441(in)X
3530(the)X
3655(application)X
555 5408(protocol)N
849(if)X
925(its)X
1027("raw")X
1240(form)X
1422(is)X
1501(not)X
1629(acceptable)X
1995(to)X
2083(the)X
2207(protocol.)X
2540(The)X
2691(format)X
2931(of)X
3024(error)X
3207(messages)X
3536(is)X
3615(described)X
3949(in)X
555 5504(section)N
802(7.7.)X
755 5628(The)N
915(algorithm)X
1261(for)X
1390(verifying)X
1719(authentication)X
2208(information)X
2621(is)X
2709(as)X
2810(follows.)X
3124(If)X
3212(the)X
3344(message)X
3650(type)X
3822(is)X
3909(not)X
555 5724(KRB_AP_REQ,)N
1105(the)X
1227(server)X
1448(returns)X
1695(the)X
1817(KRB_AP_ERR_MSG_TYPE)X
2795(error.)X
3016(If)X
3094(the)X
3216(key)X
3355(version)X
3614(indicated)X
3931(by)X
555 5820(the)N
684(Ticket)X
920(in)X
1013(the)X
1142(KRB_AP_REQ)X
1679(is)X
1763(not)X
1896(one)X
2042(the)X
2170(server)X
2397(can)X
2539(use)X
2676(\(e.g.,)X
2869(it)X
2943(is)X
3026(an)X
3132(old)X
3264(key,)X
3430(and)X
3576(the)X
3704(server)X
3931(no)X
555 6144(Section)N
815(2.2.3.)X
2216(-)X
2263(7)X
2323(-)X
8 p
%%Page: 8 10
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(longer)N
783(possesses)X
1113(a)X
1172(copy)X
1351(of)X
1441(the)X
1562(old)X
1687(key\),)X
1873(the)X
1994(KRB_AP_ERR_BADKEYVER)X
3052(error)X
3232(is)X
3307(returned.)X
3637(If)X
3713(the)X
3833(USE-)X
555 768(SESSION-KEY)N
1092(\257ag)X
1233(is)X
1307(set)X
1417(in)X
1500(the)X
1619(ap_options)X
1991(\256eld,)X
2174(it)X
2239(indicates)X
2545(to)X
2628(the)X
2747(server)X
2965(that)X
3105(the)X
3223(ticket)X
3421(is)X
3494(encrypted)X
3831(in)X
3913(the)X
555 864(session)N
814(key)X
958(from)X
1142(the)X
1268(server's)X
1551(ticket-granting)X
2051(ticket)X
2257(rather)X
2473(than)X
2639(its)X
2742(secret)X
2958(key.)X
3142(Since)X
3348(it)X
3420(is)X
3501(possible)X
3791(for)X
3913(the)X
555 960(server)N
774(to)X
858(be)X
956(registered)X
1295(in)X
1379(multiple)X
1667(realms,)X
1923(with)X
2087(different)X
2386(keys)X
2555(in)X
2639(each,)X
2829(the)X
2948("srealm")X
3249(\256eld)X
3412(in)X
3495(the)X
3614(unencrypted)X
555 1056(portion)N
817(of)X
915(the)X
1044(ticket)X
1253(in)X
1346(the)X
1474(KRB_AP_REQ)X
2010(is)X
2093(used)X
2270(to)X
2362(specify)X
2624(which)X
2850(secret)X
3068(key)X
3214(the)X
3342(server)X
3569(should)X
3812(use)X
3949(to)X
555 1152(decrypt)N
830(that)X
984(ticket.)X
1236(The)X
1395(KRB_AP_ERR_NOKEY)X
2251(error)X
2442(code)X
2628(is)X
2715(returned)X
3016(if)X
3098(the)X
3229(server)X
3459(doesn't)X
3728(have)X
3913(the)X
555 1248(proper)N
785(key)X
921(to)X
1003(decipher)X
1300(the)X
1418(ticket.)X
755 1372(The)N
902(ticket)X
1102(is)X
1177(decrypted)X
1516(using)X
1711(the)X
1831(version)X
2089(of)X
2177(the)X
2296(server's)X
2572(key)X
2709(speci\256ed)X
3015(by)X
3116(the)X
3235(ticket.)X
3474(If)X
3549(the)X
3668(decryption)X
555 1468(indicates)N
872(a)X
939(failed)X
1153(integrity)X
1455(check,)X
1694(the)X
1823(KRB_AP_BAD_INTEGRITY)X
2837(error)X
3025(is)X
3109(returned)X
3408(\(chances)X
3721(are)X
3851(good)X
555 1564(that)N
695(different)X
992(keys)X
1159(were)X
1336(used)X
1503(to)X
1585(encrypt)X
1846(and)X
1982(decrypt\).)X
755 1688(The)N
905(authenticator)X
1349(is)X
1427(decrypted)X
1769(using)X
1967(the)X
2089(session)X
2344(key)X
2484(extracted)X
2803(from)X
2983(the)X
3105(decrypted)X
3446(ticket.)X
3688(The)X
3837(name)X
555 1784(and)N
699(realm)X
910(of)X
1005(the)X
1131(client)X
1337(from)X
1521(the)X
1646(ticket)X
1851(are)X
1977(compared)X
2321(against)X
2575(the)X
2700(same)X
2892(\256elds)X
3092(in)X
3181(the)X
3306(authenticator.)X
3792(If)X
3873(they)X
555 1880(don't)N
745(match,)X
982(the)X
1101(KRB_AP_ERR_BADMATCH)X
2121(error)X
2299(is)X
2373(returned)X
2662(\(they)X
2848(might)X
3055(not)X
3178(match,)X
3415(for)X
3530(example,)X
3843(if)X
3913(the)X
555 1976(wrong)N
793(session)X
1057(key)X
1206(was)X
1364(used)X
1544(to)X
1639(encrypt)X
1913(the)X
2044(authenticator\).)X
2563(The)X
2721(addresses)X
3062(in)X
3157(the)X
3288(ticket)X
3499(\(if)X
3607(any\))X
3782(are)X
3913(the)X
555 2072(searched)N
858(for)X
973(an)X
1070(address)X
1332(matching)X
1651(the)X
1770(operating-system)X
2343(reported)X
2632(address)X
2894(of)X
2982(the)X
3101(client.)X
3340(If)X
3415(no)X
3515(match)X
3731(is)X
3804(found,)X
555 2168(the)N
673(KRB_AP_ERR_BADADDR)X
1630(error)X
1807(is)X
1880(returned.)X
755 2292(If)N
837(the)X
963(local)X
1147(\(server\))X
1426(time)X
1596(and)X
1740(the)X
1866(client)X
2072(time)X
2242(in)X
2332(the)X
2458(authenticator)X
2904(differ)X
3110(by)X
3217(more)X
3409(than)X
3574(the)X
3699(allowable)X
555 2388(clock)N
755(skew)X
946(\(e.g.,)X
1135(5)X
1201(minutes\),)X
1527(the)X
1651(KRB_AP_ERR_SKEW)X
2445(error)X
2628(is)X
2707(returned.)X
3041(If)X
3121(the)X
3245(server)X
3467(name)X
3666(along)X
3869(with)X
555 2484(the)N
681(client)X
887(name,)X
1109(time)X
1279(and)X
1423(millisecond)X
1824(\256elds)X
2025(from)X
2209(the)X
2335(Authenticator)X
2804(match)X
3027(any)X
3170(recently-seen)X
3626(such)X
3800(tuples,)X
555 2580(the)N
682(KRB_AP_ERR_REPEAT)X
1554(error)X
1740(is)X
1821(returned\262.)X
2197(The)X
2350(server)X
2575(must)X
2758(remember)X
3112(any)X
3256(authenticator)X
3703(presented)X
555 2676(within)N
780(the)X
899(allowable)X
1232(clock)X
1427(skew,)X
1633(so)X
1725(that)X
1866(a)X
1923(replay)X
2145(attempt)X
2405(is)X
2478(guaranteed)X
2851(to)X
2933(fail.)X
3100(If)X
3174(a)X
3230(server)X
3447(loses)X
3627(track)X
3808(of)X
3895(any)X
555 2772(authenticator)N
1005(presented)X
1344(within)X
1578(the)X
1706(allowable)X
2048(clock)X
2252(skew,)X
2467(it)X
2541(must)X
2726(reject)X
2935(all)X
3045(requests)X
3338(until)X
3514(the)X
3642(clock)X
3846(skew)X
555 2868(interval)N
829(has)X
965(passed.)X
1248(This)X
1419(assures)X
1680(that)X
1829(any)X
1974(lost)X
2118(or)X
2214(re-played)X
2547(authenticators)X
3026(will)X
3179(fall)X
3314(outside)X
3573(the)X
3699(allowable)X
555 2964(clock)N
755(skew)X
946(and)X
1088(can)X
1226(no)X
1332(longer)X
1563(be)X
1665(successfully)X
2083(replayed)X
2386(\(If)X
2493(this)X
2633(is)X
2711(not)X
2838(done,)X
3039(an)X
3140(attacker)X
3420(could)X
3623(conceivably)X
555 3060(record)N
782(the)X
900(ticket)X
1098(&)X
1180(authenticator)X
1619(sent)X
1768(over)X
1931(the)X
2049(network)X
2332(to)X
2414(a)X
2470(server,)X
2707(then)X
2865(disable)X
3112(the)X
3230(client's)X
3486(host,)X
3659(pose)X
3826(as)X
3913(the)X
555 3156(disabled)N
842(host,)X
1015(and)X
1151(replay)X
1372(the)X
1490(ticket)X
1688(&)X
1770(authenticator)X
2209(to)X
2291(subvert)X
2547(the)X
2665(authentication.\).)X
755 3280(The)N
907(age)X
1046(of)X
1140(the)X
1265(ticket)X
1470(is)X
1550(computed:)X
1915(local)X
2098(\(server\))X
2376(time)X
2544(minus)X
2765(the)X
2889(start)X
3053(time)X
3221(inside)X
3438(the)X
3562(Ticket.)X
3833(If)X
3913(the)X
555 3376(start)N
768(time)X
985(is)X
1113(later)X
1331(than)X
1544(the)X
1717(current)X
2020(time)X
2237(by)X
2392(more)X
2632(than)X
2845(the)X
3018(allowable)X
3405(clock)X
3654(skew,)X
3913(the)X
555 3472(KRB_AP_ERR_TKT_NYV)N
1488(error)X
1667(is)X
1742(returned.)X
2072(Otherwise,)X
2444(if)X
2515(the)X
2635(current)X
2885(time)X
3048(is)X
3122(later)X
3286(than)X
3445(end)X
3582(time)X
3745(by)X
3846(more)X
555 3568(than)N
713(the)X
831(allowable)X
1163(clock)X
1357(skew,)X
1562(the)X
1680(KRB_AP_ERR_TKT_EXPIRED)X
2775(error)X
2952(is)X
3025(returned.)X
755 3692(If)N
830(all)X
931(these)X
1117(checks)X
1357(succeed)X
1633(without)X
1898(an)X
1995(error,)X
2193(the)X
2312(server)X
2530(is)X
2604(assured)X
2866(that)X
3007(the)X
3126(client)X
3324(possesses)X
3651(the)X
3769(creden-)X
555 3788(tials)N
708(of)X
795(the)X
913(principal)X
1218(named)X
1452(in)X
1534(the)X
1652(ticket)X
1850(and)X
1986(thus,)X
2159(the)X
2277(client)X
2475(has)X
2602(been)X
2774(authenticated)X
3222(to)X
3304(the)X
3422(server.)X
3 f
555 4008(2.2.4.)N
775(Generation)X
1182(of)X
1269(a)X
1329(KRB_AP_REP)X
1869(message)X
1 f
755 4132(Typically,)N
1105(a)X
1164(client's)X
1423(request)X
1678(will)X
1825(include)X
2084(both)X
2249(the)X
2370(authentication)X
2847(information)X
3248(and)X
3387(its)X
3485(initial)X
3694(request)X
3949(in)X
555 4228(the)N
685(same)X
882(message,)X
1206(and)X
1354(the)X
1484(server)X
1713(need)X
1897(not)X
2031(explicitly)X
2365(reply)X
2562(to)X
2656(the)X
2786(KRB_AP_REQ.)X
3363(However,)X
3709(if)X
3789(mutual)X
555 4324(authentication)N
1030(\(not)X
1180(only)X
1343(authenticating)X
1818(the)X
1937(client)X
2136(to)X
2219(the)X
2338(server,)X
2576(but)X
2699(also)X
2849(the)X
2968(server)X
3185(to)X
3267(the)X
3385(client\))X
3610(is)X
3683(being)X
3881(per-)X
555 4420(formed,)N
837(the)X
965(KRB_AP_REQ)X
1501(message)X
1803(will)X
1957(have)X
2139(MUTUAL-REQUIRED)X
2944(set)X
3063(in)X
3155(its)X
3259(ap_options)X
3639(\256eld,)X
3830(and)X
3975(a)X
555 4516(KRB_AP_REP)N
1068(message)X
1361(is)X
1435(required)X
1724(in)X
1807(response.)X
2149(As)X
2258(with)X
2420(the)X
2538(error)X
2715(message,)X
3027(this)X
3162(message)X
3454(must)X
3629(be)X
3725(encapsu-)X
555 4612(lated)N
733(in)X
817(the)X
937(application)X
1314(protocol)X
1602(if)X
1672(its)X
1768("raw")X
1976(form)X
2153(is)X
2227(not)X
2350(acceptable)X
2711(to)X
2794(the)X
2913(protocol.)X
3241(The)X
3387(timestamp)X
3741(and)X
3878(mil-)X
555 4708(lisecond)N
852(\256eld)X
1024(used)X
1201(in)X
1293(the)X
1421(reply)X
1616(must)X
1801(be)X
1907(the)X
2035(client's)X
2301(timestamp)X
2664(and)X
2810(millisecond)X
3213(\256eld)X
3385(\(as)X
3508(provided)X
3822(in)X
3913(the)X
555 4804(authenticator\)\263.)N
1116(The)X
1276(timestamp)X
1644(and)X
1795(millisecond)X
2203(\256eld)X
2379(of)X
2480(the)X
2612(message)X
2918(are)X
3051(encrypted)X
3402(in)X
3498(the)X
3630(session)X
3895(key)X
555 4900(extracted)N
870(from)X
1046(the)X
1164(ticket.)X
755 5024(In)N
853(both)X
1026(the)X
1155(one-way)X
1463(and)X
1610(mutual)X
1863(authentication)X
2348(exchanges,)X
2734(the)X
2863(peers)X
3064(should)X
3308(take)X
3473(care)X
3639(not)X
3772(to)X
3864(send)X
8 s
10 f
555 5104(hhhhhhhhhhhhhhhhhh)N
1 f
555 5184(\262Note)N
730(that)X
845(the)X
942(rejection)X
1184(here)X
1312(is)X
1374(restricted)X
1630(to)X
1699(authenticators)X
2076(from)X
2219(the)X
2316(same)X
2466(principal)X
2712(to)X
2780(the)X
2876(same)X
3025(server.)X
3230(Other)X
3393(client)X
3553(princi-)X
555 5264(pals)N
682(communicating)X
1104(with)X
1242(the)X
1344(same)X
1499(server)X
1678(principal)X
1929(should)X
2124(not)X
2230(be)X
2313(have)X
2456(their)X
2596(authenticators)X
2977(rejected)X
3201(if)X
3263(the)X
3364(time)X
3501(and)X
3616(mil-)X
555 5344(lisecond)N
784(\256elds)X
939(happen)X
1139(to)X
1205(match)X
1377(some)X
1528(other)X
1675(client's)X
1879(authenticator.)X
555 5424(\263In)N
661(the)X
760(Kerberos)X
1014(version)X
1223(4)X
1276(protocol,)X
1526(the)X
1625(timestamp)X
1913(in)X
1984(the)X
2083(reply)X
2235(was)X
2355(the)X
2454(client's)X
2663(timestamp)X
2950(plus)X
3077(one.)X
3221(This)X
3355(was)X
3474(originally)X
555 5504(thought)N
770(necessary)X
1036(since)X
1186(it)X
1241(was)X
1359(necessary)X
1625(in)X
1694(the)X
1791(Needham)X
2054(&)X
2123(Schroeder)X
2399(protocol.)X
2662(However,)X
2929(it)X
2983(was)X
3100(only)X
3232(necessary)X
3497(there)X
3642(be-)X
555 5584(cause)N
721(the)X
824(message)X
1065(formats)X
1284(were)X
1431(such)X
1572(that)X
1692(a)X
1744(reply)X
1899(with)X
2037(an)X
2121(identical)X
2365(timestamp)X
2656(could)X
2822(easily)X
2995(be)X
3079(generated)X
3350(by)X
3438(an)X
3522(attacker)X
555 5664(watching)N
811(the)X
911(exchange)X
1172(without)X
1389(knowledge)X
1690(of)X
1764(the)X
1863(proper)X
2050(encryption)X
2344(keys.)X
2514(The)X
2634(Kerberos)X
2888(version)X
3097(5)X
3150(protocol)X
3384(messages)X
3646(are)X
555 5744(constructed)N
865(in)X
931(such)X
1064(a)X
1108(way)X
1230(that)X
1342(such)X
1475(extraction)X
1746(is)X
1805(not)X
1903(possible)X
2129(without)X
2341(knowledge)X
2637(of)X
2706(the)X
2800(proper)X
2982(encryption)X
3271(keys.)X
10 s
555 6144(Section)N
815(2.2.4.)X
2216(-)X
2263(8)X
2323(-)X
9 p
%%Page: 9 11
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(sensitive)N
855(information)X
1253(to)X
1335(each)X
1503(other)X
1688(without)X
1952(proper)X
2182(protection)X
2527(\(e.g.)X
2690(encryption\).)X
3 f
555 864(2.2.5.)N
775(Receipt)X
1054(of)X
1141(KRB_AP_REP)X
1681(message)X
1 f
755 988(If)N
834(a)X
895(KRB_AP_REP)X
1412(message)X
1709(is)X
1787(returned,)X
2100(the)X
2223(client)X
2426(uses)X
2589(the)X
2711(session)X
2966(key)X
3106(to)X
3192(decrypt)X
3457(the)X
3579(message,)X
3895(and)X
555 1084(veri\256es)N
812(that)X
953(the)X
1072(timestamp)X
1426(and)X
1562(msec)X
1747(\256elds)X
1940(match)X
2156(the)X
2274(Authenticator)X
2735(it)X
2799(sent)X
2948(to)X
3030(the)X
3148(server.)X
3405(If)X
3479(they)X
3637(match,)X
3873(then)X
555 1180(the)N
673(client)X
871(is)X
944(assured)X
1205(that)X
1345(the)X
1463(server)X
1680(is)X
1753(genuine.)X
3 f
555 1372(2.2.6.)N
775(Using)X
990(the)X
1117(encryption)X
1506(key)X
1 f
755 1496(After)N
964(the)X
1101(KRB_AP_REQ/KRB_AP_REP)X
2159(exchange)X
2501(has)X
2646(occurred,)X
2986(the)X
3122(client)X
3338(and)X
3492(server)X
3727(share)X
3935(an)X
555 1592(encryption)N
920(key,)X
1078(which)X
1296(can)X
1430(be)X
1528(used)X
1697(by)X
1799(the)X
1919(application.)X
2337(In)X
2426(some)X
2617(cases,)X
2829(the)X
2949(use)X
3077(of)X
3165(this)X
3301(key)X
3438(will)X
3583(be)X
3680(implicit)X
3949(in)X
555 1688(the)N
680(protocol;)X
996(in)X
1085(others)X
1308(the)X
1433(method)X
1700(of)X
1794(use)X
1927(must)X
2108(be)X
2210(chosen)X
2459(from)X
2641(a)X
2703(vast)X
2858(array)X
3050(of)X
3143(alternatives.)X
3579(We)X
3717(leave)X
3913(the)X
555 1784(protocol)N
844(negotiations)X
1257(of)X
1346(how)X
1506(to)X
1590(use)X
1719(the)X
1839(key)X
1977(\(e.g.)X
2162(selecting)X
2469(an)X
2567(encryption)X
2932(or)X
3021(checksum)X
3364(type\))X
3550(to)X
3633(the)X
3752(applica-)X
555 1880(tion)N
699(programmer;)X
1138(the)X
1256(Kerberos)X
1571(protocol)X
1858(does)X
2025(not)X
2147(constrain)X
2461(the)X
2579(implementation)X
3101(options.)X
3 f
12 s
555 2168(2.3.)N
747(The)X
931(Ticket-Granting)X
1628(Service)X
1952(\(TGS\))X
2232(Exchange)X
1 f
10 s
755 2292(The)N
904(TGS)X
1079(exchange)X
1407(between)X
1699(a)X
1758(client)X
1959(and)X
2098(the)X
2219(Kerberos)X
2537(Ticket-Granting)X
3077(Server)X
3310(is)X
3386(initiated)X
3671(by)X
3774(a)X
3833(client)X
555 2388(when)N
764(it)X
843(wishes)X
1096(to)X
1193(obtain)X
1428(authentication)X
1917(credentials)X
2300(for)X
2428(a)X
2498(given)X
2710(server)X
2941(\(which)X
3198(might)X
3418(be)X
3528(registered)X
3879(in)X
3975(a)X
555 2484(remote)N
803(realm\),)X
1058(when)X
1257(it)X
1326(wishes)X
1569(to)X
1656(renew)X
1878(or)X
1970(validate)X
2249(an)X
2350(existing)X
2628(ticket,)X
2851(or)X
2943(when)X
3142(it)X
3211(wishes)X
3454(to)X
3540(obtain)X
3764(a)X
3824(proxy)X
555 2580(ticket.)N
794(In)X
882(the)X
1001(\256rst)X
1146(case,)X
1326(the)X
1445(client)X
1644(must)X
1820(already)X
2078(have)X
2251(acquired)X
2549(a)X
2606(ticket)X
2805(for)X
2920(the)X
3039(Ticket-Granting)X
3577(Service)X
3838(using)X
555 2676(the)N
678(AS)X
805(exchange)X
1134(\(The)X
1311(ticket-granting)X
1808(ticket)X
2011(is)X
2089(usually)X
2345(obtained)X
2646(when)X
2845(a)X
2906(client)X
3109(initially)X
3382(authenticates)X
3826(to)X
3913(the)X
555 2772(system,)N
828(such)X
1006(as)X
1104(when)X
1309(a)X
1376(user)X
1541(logs)X
1705(in.\).)X
1885(Unlike)X
2134(the)X
2262(AS)X
2394(exchange,)X
2748(encryption)X
3121(and)X
3267(decryption)X
3640(in)X
3732(the)X
3860(TGS)X
555 2868(exchange)N
880(does)X
1048(not)X
1171(take)X
1326(place)X
1517(under)X
1720(the)X
1838(client's)X
2094(key.)X
2270(Instead,)X
2542(the)X
2660(session)X
2911(key)X
3047(from)X
3223(the)X
3341(ticket-granting)X
3833(ticket)X
555 2964(or)N
662(renewable)X
1033(ticket)X
1251(is)X
1344(used.)X
1571(Once)X
1781(the)X
1919(ticket-granting)X
2431(ticket)X
2649(or)X
2756(renewable)X
3127(ticket)X
3345(has)X
3492(expired)X
3772(the)X
3909(AS)X
555 3060(exchange)N
879(must)X
1054(be)X
1150(repeated.)X
755 3184(The)N
910(TGS)X
1091(exchange)X
1425(consists)X
1708(of)X
1805(two)X
1955(messages:)X
2310(A)X
2398(request)X
2660(\(KRB_TGS_REQ\))X
3299(from)X
3485(the)X
3613(client)X
3821(to)X
3913(the)X
555 3280(Kerberos)N
888(Ticket-Granting)X
1443(Server,)X
1711(and)X
1865(a)X
1939(reply)X
2142(\(KRB_TGS_REP)X
2748(or)X
2853(KRB_ERROR\).)X
3428(The)X
3591(TGS)X
3779(request)X
555 3376(includes)N
843(information)X
1241(authenticating)X
1715(the)X
1833(client)X
2031(plus)X
2184(a)X
2240(request)X
2492(for)X
2606(credentials.)X
3014(The)X
3159(authentication)X
3633(information)X
555 3472(consists)N
845(of)X
949(the)X
1083(authentication)X
1573(header)X
1824(\(KRB_AP_REQ\))X
2420(which)X
2652(includes)X
2955(the)X
3089(client's)X
3361(previously)X
3735(obtained)X
555 3568(ticket-granting,)N
1071(renewable,)X
1446(or)X
1537(invalid)X
1783(ticket.)X
2025(In)X
2116(the)X
2238(ticket-granting)X
2734(ticket)X
2935(and)X
3074(proxy)X
3284(cases,)X
3497(the)X
3618(request)X
3873(may)X
555 3664(include)N
813(one)X
951(or)X
1040(more)X
1227(of:)X
1338(a)X
1396(list)X
1515(of)X
1604(network)X
1889(addresses,)X
2239(a)X
2297(free-form)X
2628(sequence)X
2945(of)X
3034(bytes)X
3225(to)X
3309(be)X
3407(sealed)X
3630(in)X
3714(the)X
3833(ticket)X
555 3760(for)N
674(authorization)X
1122(use)X
1254(by)X
1359(the)X
1482(end)X
1623(server,)X
1865(or)X
1957(a)X
2018(second)X
2266(ticket)X
2469(\(the)X
2619(use)X
2751(of)X
2843(which)X
3064(is)X
3142(described)X
3475(later\).)X
3710(The)X
3860(TGS)X
555 3856(reply)N
749(\(KRB_TGS_REP\))X
1373(contains)X
1669(the)X
1796(requested)X
2133(credentials,)X
2530(encrypted)X
2876(in)X
2967(the)X
3093(session)X
3352(key)X
3496(from)X
3680(the)X
3806(ticket-)X
555 3952(granting)N
844(ticket)X
1044(or)X
1133(renewable)X
1486(ticket.)X
1726(The)X
1873(KRB_ERROR)X
2365(message)X
2659(contains)X
2947(an)X
3044(error)X
3222(code)X
3395(and)X
3532(text)X
3673(explaining)X
555 4048(what)N
738(went)X
921(wrong.)X
1193(The)X
1344(KRB_ERROR)X
1840(message)X
2138(is)X
2217(not)X
2345(encrypted.)X
2728(The)X
2879(KRB_TGS_REP)X
3446(message)X
3744(contains)X
555 4144(information)N
960(which)X
1183(can)X
1322(be)X
1425(used)X
1599(to)X
1688(detect)X
1907(replays,)X
2186(and)X
2329(to)X
2418(associate)X
2735(it)X
2806(with)X
2975(the)X
3099(message)X
3397(to)X
3485(which)X
3707(it)X
3777(replies.)X
555 4240(The)N
706(KRB_ERROR)X
1201(message)X
1498(also)X
1652(contains)X
1944(information)X
2347(which)X
2568(can)X
2705(be)X
2806(used)X
2978(to)X
3065(associate)X
3380(it)X
3449(with)X
3616(the)X
3739(message)X
555 4336(to)N
654(which)X
886(it)X
966(replies)X
1216(\(the)X
1377(lack)X
1547(of)X
1650(encryption)X
2029(in)X
2127(the)X
2261(KRB_ERROR)X
2767(message)X
3075(thwarts)X
3347(the)X
3481(ability)X
3721(to)X
3819(detect)X
555 4432(replays\).)N
3 f
555 4624(2.3.1.)N
775(Generation)X
1182(of)X
1269(KRB_TGS_REQ)X
1874(message)X
1 f
755 4748(Before)N
998(sending)X
1271(a)X
1331(request)X
1587(to)X
1673(the)X
1795(ticket)X
1997(granting)X
2288(service,)X
2559(the)X
2680(client)X
2881(must)X
3059(determine)X
3403(in)X
3488(which)X
3707(realm)X
3913(the)X
555 4844(end)N
696(server)X
918(is)X
996(registered\262.)X
1418(If)X
1497(the)X
1620(client)X
1823(does)X
1995(not)X
2122(already)X
2384(possess)X
2649(a)X
2710(ticket)X
2912(granting)X
3203(ticket)X
3405(for)X
3523(the)X
3645(appropriate)X
555 4940(realm,)N
779(then)X
938(one)X
1075(must)X
1251(be)X
1348(obtained.)X
1685(This)X
1848(is)X
1922(\256rst)X
2067(attempted)X
2404(by)X
2505(requesting)X
2860(a)X
2917(ticket)X
3116(granting)X
3403(ticket)X
3601(for)X
3715(the)X
3833(desti-)X
555 5036(nation)N
784(realm)X
996(from)X
1181(the)X
1307(local)X
1491(Kerberos)X
1814(server.)X
2079(If)X
2161(this)X
2304(does)X
2479(not)X
2609(work,)X
2822(the)X
2948(the)X
3074(request)X
3334(must)X
3517(be)X
3621(made)X
3823(to)X
3913(the)X
555 5132(Kerberos)N
874(server)X
1095(for)X
1213(a)X
1273(realm)X
1480(higher)X
1709(in)X
1794(the)X
1915(hierarchy.)X
2282(This)X
2447(request)X
2702(will)X
2849(itself)X
3032(require)X
3283(a)X
3342(ticket)X
3543(granting)X
3833(ticket)X
555 5228(for)N
669(the)X
787(intermediate)X
1208(realm)X
1411(which)X
1627(can)X
1759(be)X
1855(obtained)X
2151(by)X
2251(recursively)X
2628(applying)X
2928(these)X
3113(directions.)X
755 5352(Once)N
948(the)X
1069(ticket)X
1270(granting)X
1560(ticket)X
1761(for)X
1878(the)X
1999(appropriate)X
2388(realm)X
2594(has)X
2724(been)X
2899(obtained,)X
3218(the)X
3339(client)X
3539(determines)X
3913(the)X
8 s
10 f
555 5432(hhhhhhhhhhhhhhhhhh)N
1 f
555 5512(\262This)N
723(can)X
832(be)X
913(accomplished)X
1285(in)X
1356(several)X
1557(ways.)X
1741(Presently,)X
2016(this)X
2130(information)X
2453(is)X
2517(obtained)X
2758(by)X
2843(looking)X
3060(in)X
3131(the)X
3230(krb.realms)X
3522(\256le,)X
3641(but)X
555 5592(the)N
650(information)X
969(is)X
1029(better)X
1191(suited)X
1361(for)X
1452(storage)X
1653(in)X
1720(a)X
1765(nameserver.)X
2107(However,)X
2373(there)X
2517(is)X
2577(a)X
2622(danger)X
2811(of)X
2880(being)X
3038(spoofed)X
3256(if)X
3311(the)X
3405(nameservice)X
555 5672(providing)N
820(the)X
914(realm)X
1075(name)X
1229(is)X
1288(not)X
1386(authenticated.)X
10 s
555 6144(Section)N
815(2.3.1.)X
2216(-)X
2263(9)X
2323(-)X
10 p
%%Page: 10 12
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(names)N
780(of)X
867(the)X
985(Kerberos)X
1300(servers)X
1548(for)X
1662(the)X
1780(given)X
1978(realm)X
2181(\(either)X
2411(through)X
2680(a)X
2736(nameserver,)X
3147(or)X
3234(using)X
3427(the)X
3545(krb.conf)X
3835(\256le\).)X
755 796(As)N
870(in)X
958(the)X
1082(AS)X
1210(exchange,)X
1560(the)X
1684(client)X
1888(may)X
2052(specify)X
2310(a)X
2372(number)X
2643(of)X
2736(options)X
2997(in)X
3085(the)X
3209(TGS)X
3386(request.)X
3683(The)X
3833(client)X
555 892(prepares)N
854(the)X
978(KRB_TGS_REQ)X
1559(message,)X
1877(providing)X
2214(an)X
2316(authentication)X
2796(header,)X
3057(and)X
3198(including)X
3525(the)X
3648(same)X
3838(\256elds)X
555 988(as)N
646(used)X
817(in)X
903(the)X
1025(KRB_AS_REQ)X
1554(message,)X
1869(along)X
2070(with)X
2235(two)X
2378(optional)X
2663(\256elds:)X
2881(the)X
3002(authorization_dat)X
3586(\256eld)X
3751(for)X
3868(end-)X
555 1084(server)N
775(use)X
905(and)X
1044(an)X
1143(additional)X
1485(ticket)X
1685(required)X
1975(by)X
2077(some)X
2268(options.)X
2565(Once)X
2757(prepared,)X
3081(the)X
3201(message)X
3495(is)X
3570(sent)X
3721(to)X
3805(a)X
3863(Ker-)X
555 1180(beros)N
749(server)X
966(for)X
1080(the)X
1198(destination)X
1569(realm.)X
3 f
555 1372(2.3.2.)N
775(Receipt)X
1054(of)X
1141(KRB_TGS_REQ)X
1746(message)X
1 f
555 1496(The)N
704(TGS)X
879(request)X
1135(is)X
1212(processed)X
1553(in)X
1639(a)X
1699(manner)X
1964(similar)X
2210(to)X
2296(the)X
2417(AS)X
2542(request,)X
2817(but)X
2942(there)X
3126(are)X
3248(many)X
3449(additional)X
3792(checks)X
555 1592(to)N
639(be)X
737(performed.)X
1114(The)X
1261(user-supplied)X
1715(checksum)X
2058(in)X
2142(the)X
2262(Authenticator)X
2725(provided)X
3031(in)X
3114(the)X
3233(authentication)X
3708(header)X
3944(of)X
555 1688(the)N
675(KRB_TGS_REQ)X
1252(message)X
1546(must)X
1723(be)X
1820(veri\256ed)X
2086(against)X
2334(the)X
2453(decrypted)X
2791(contents)X
3079(of)X
3167(the)X
3286(message,)X
3599(and)X
3736(the)X
3855(mes-)X
555 1784(sage)N
718(rejected)X
993(if)X
1062(the)X
1180(checksums)X
1552(do)X
1652(not)X
1774(match.)X
3 f
555 1976(2.3.3.)N
775(Generation)X
1182(of)X
1269(KRB_TGS_REP)X
1861(message)X
1 f
755 2100(The)N
917(KRB_TGS_REP)X
1494(message)X
1802(shares)X
2039(its)X
2150(format)X
2400(with)X
2578(the)X
2712(KRB_AS_REP)X
3240(\(KRB_KDC_REP\),)X
3909(but)X
555 2196(with)N
717(its)X
812(type)X
970(set)X
1079(to)X
1161(KRB_TGS_REP.)X
1762(The)X
1907(detailed)X
2181(speci\256cation)X
2606(is)X
2679(included)X
2975(in)X
3057(section)X
3304(7.2.)X
755 2320(By)N
871(default,)X
1137(the)X
1258(address)X
1522(\256eld,)X
1707(the)X
1828(client's)X
2086(name)X
2282(and)X
2420(realm,)X
2645(the)X
2765(list)X
2884(of)X
2973(transited)X
3271(realms,)X
3527(the)X
3647(time)X
3811(of)X
3900(ini-)X
555 2416(tial)N
680(authentication,)X
1177(the)X
1298(expiration)X
1646(time,)X
1831(and)X
1970(the)X
2091(authorization)X
2537(data)X
2694(of)X
2784(the)X
2905(newly-issued)X
3351(ticket)X
3552(will)X
3699(be)X
3797(copied)X
555 2512(from)N
731(the)X
849(ticket-granting)X
1341(ticket)X
1539(\(TGT\))X
1769(or)X
1856(renewable)X
2207(ticket.)X
755 2636(If)N
839(the)X
967(request)X
1229(speci\256es)X
1535(an)X
1641(endtime,)X
1949(then)X
2117(the)X
2245(endtime)X
2533(of)X
2630(the)X
2758(new)X
2921(ticket)X
3128(is)X
3210(the)X
3337(minimum)X
3676(of)X
3772(\(a\))X
3891(that)X
555 2732(request,)N
828(\(b\))X
943(the)X
1062(endtime)X
1341(from)X
1518(the)X
1637(TGT,)X
1834(and)X
1971(\(c\))X
2082(the)X
2200(starttime)X
2500(of)X
2587(the)X
2705(TGT)X
2881(plus)X
3034(the)X
3152(minimum)X
3482(of)X
3569(the)X
3687(maximum)X
555 2828(life)N
686(for)X
804(the)X
926(end)X
1066(server)X
1287(and)X
1427(the)X
1549(maximum)X
1897(life)X
2028(for)X
2146(the)X
2268(local)X
2448(realm.)X
2695(If)X
2773(the)X
2895(new)X
3053(ticket)X
3255(is)X
3332(to)X
3417(be)X
3516(a)X
3575(renewal,)X
3873(then)X
555 2924(the)N
677(endtime)X
959(above)X
1175(is)X
1252(replaced)X
1549(by)X
1653(the)X
1775(minimum)X
2109(of)X
2200(\(a\))X
2314(the)X
2436(value)X
2634(of)X
2725(the)X
2847(renew_till)X
3196(\256eld)X
3362(of)X
3453(the)X
3575(ticket)X
3777(and)X
3917(\(b\))X
555 3020(the)N
673(starttime)X
973(for)X
1087(the)X
1205(new)X
1359(ticket)X
1557(plus)X
1710(the)X
1828(life)X
1955(\(endtime-starttime\))X
2594(of)X
2681(the)X
2799(old)X
2921(ticket.)X
755 3144(If)N
833(the)X
955(FORWARDING)X
1522(option)X
1750(has)X
1881(been)X
2057(speci\256ed,)X
2386(then)X
2548(the)X
2670(resulting)X
2974(ticket)X
3176(will)X
3323(contain)X
3582(the)X
3703(addresses)X
555 3240(speci\256ed)N
867(by)X
974(the)X
1098(client.)X
1342(This)X
1510(option)X
1740(will)X
1890(only)X
2058(be)X
2160(honored)X
2449(if)X
2524(the)X
2648(FORWARDABLE)X
3283(\257ag)X
3429(is)X
3508(set)X
3623(in)X
3711(the)X
3835(TGT.)X
555 3336(The)N
702(PROXY)X
995(option)X
1221(is)X
1296(similar;)X
1582(the)X
1702(resulting)X
2003(ticket)X
2202(will)X
2347(contain)X
2604(the)X
2723(addresses)X
3052(speci\256ed)X
3358(by)X
3459(the)X
3578(client.)X
3817(It)X
3887(will)X
555 3432(be)N
659(honored)X
950(only)X
1120(if)X
1196(the)X
1321(PROXIABLE)X
1797(\257ag)X
1944(in)X
2033(the)X
2158(TGT)X
2341(is)X
2421(set.)X
2577(The)X
2729(PROXY)X
3027(option)X
3258(will)X
3409(not)X
3538(be)X
3641(honored)X
3931(on)X
555 3528(requests)N
838(for)X
952(additional)X
1292(ticket)X
1490(granting)X
1777(tickets.)X
755 3652(If)N
832(the)X
953(requested)X
1284(start)X
1445(time)X
1610(is)X
1686(zero,)X
1868(then)X
2029(the)X
2150(start)X
2311(time)X
2476(of)X
2566(the)X
2687(ticket)X
2888(is)X
2964(set)X
3076(to)X
3160(the)X
3280(authentication)X
3756(server's)X
555 3748(current)N
804(time.)X
1007(If)X
1082(it)X
1147(is)X
1221(non-zero)X
1528(but)X
1651(indicates)X
1957(a)X
2014(time)X
2176(in)X
2258(the)X
2376(past,)X
2545(it)X
2609(is)X
2682(treated)X
2921(as)X
3008(zero.)X
3207(If)X
3281(it)X
3345(is)X
3418(non-zero)X
3724(and)X
3860(indi-)X
555 3844(cates)N
767(a)X
854(time)X
1047(in)X
1160(the)X
1309(future,)X
1572(but)X
1725(the)X
1874(POSTDATED)X
2392(option)X
2647(has)X
2805(not)X
2958(been)X
3161(speci\256ed,)X
3517(then)X
3706(the)X
3854(error)X
555 3940(KDC_ERR_CANNOT_POSTDATE)N
1777(is)X
1865(returned.)X
2207(Otherwise,)X
2591(if)X
2674(the)X
2806(ticket-granting)X
3312(ticket)X
3524(has)X
3665(the)X
3797(MAY-)X
555 4036(POSTDATE)N
998(\257ag)X
1152(set,)X
1295(then)X
1466(the)X
1597(resulting)X
1910(ticket)X
2121(will)X
2278(be)X
2387(postdated)X
2727(and)X
2876(the)X
3007(requested)X
3348(starttime)X
3661(is)X
3747(checked)X
555 4132(against)N
817(the)X
950(policy)X
1185(of)X
1287(the)X
1420(local)X
1611(realm.)X
1849(If)X
1938(acceptable,)X
2333(the)X
2466(ticket's)X
2737(start)X
2910(time)X
3087(is)X
3175(set)X
3299(as)X
3401(requested,)X
3763(and)X
3913(the)X
555 4228(INVALID)N
915(\257ag)X
1060(is)X
1138(set.)X
1292(The)X
1441(postdated)X
1772(ticket)X
1974(must)X
2153(be)X
2253(validated)X
2571(before)X
2801(use)X
2932(by)X
3036(presenting)X
3394(it)X
3462(to)X
3548(the)X
3670(KDC)X
3863(after)X
555 4324(the)N
673(starttime)X
973(has)X
1100(been)X
1272(reached.)X
755 4448(If)N
832(the)X
953(DUPLICATE-SKEY)X
1657(option)X
1884(has)X
2014(been)X
2189(speci\256ed,)X
2516(and)X
2654(if)X
2725(a)X
2783(second)X
3028(ticket)X
3228(has)X
3357(been)X
3531(included)X
3829(in)X
3913(the)X
555 4544(request,)N
842(and)X
993(if)X
1077(the)X
1210(second)X
1468(ticket)X
1681(has)X
1823(the)X
1956(DUPLICATE-SKEY)X
2672(\257ag)X
2827(set,)X
2971(then)X
3144(the)X
3277(KDC)X
3480(will)X
3638(decrypt)X
3913(the)X
555 4640(second)N
804(ticket)X
1008(using)X
1207(the)X
1331(key)X
1472(of)X
1564(the)X
1687(server)X
1909(for)X
2028(which)X
2249(it)X
2318(was)X
2468(issued,)X
2713(check)X
2926(to)X
3013(make)X
3212(sure)X
3371(that)X
3516(the)X
3639(principal)X
3949(to)X
555 4736(whom)N
776(the)X
895(second)X
1139(ticket)X
1338(was)X
1484(issued)X
1705(matches)X
1989(the)X
2108(one)X
2245(making)X
2505(the)X
2623(request,)X
2895(and)X
3031(if)X
3100(so)X
3191(it)X
3255(will)X
3399(use)X
3526(the)X
3644(session)X
3895(key)X
555 4832(from)N
737(the)X
861(second)X
1110(ticket)X
1314(as)X
1407(the)X
1530(session)X
1786(key)X
1927(for)X
2046(the)X
2169(new)X
2328(ticket.)X
2571(It)X
2645(will)X
2794(also)X
2948(set)X
3062(the)X
3185(DUPLICATE-SKEY)X
3891(\257ag)X
555 4928(on)N
655(the)X
773(new)X
927(ticket\262.)X
755 5052(If)N
831(the)X
951(ENC-TKT-IN-SKEY)X
1664(option)X
1890(has)X
2019(been)X
2193(speci\256ed,)X
2520(and)X
2658(if)X
2729(a)X
2787(second)X
3032(ticket)X
3232(has)X
3360(been)X
3533(included)X
3830(in)X
3913(the)X
555 5148(request,)N
834(then)X
999(the)X
1124(KDC)X
1320(will)X
1471(decrypt)X
1739(the)X
1864(second)X
2114(ticket)X
2319(using)X
2519(the)X
2644(key)X
2787(for)X
2908(the)X
3033(server)X
3257(to)X
3346(which)X
3569(it)X
3640(was)X
3791(issued,)X
8 s
10 f
555 5228(hhhhhhhhhhhhhhhhhh)N
1 f
555 5308(\262One)N
714(of)X
788(the)X
887(purposes)X
1135(of)X
1209(the)X
1307(Kerberos)X
1560(protocol)X
1793(is)X
1856(to)X
1926(securely)X
2158(exchange)X
2418(encryption)X
2711(keys.)X
2880(While)X
3056(it)X
3112(is)X
3175(possible)X
3405(for)X
3499(a)X
3547(user)X
3673(to)X
555 5388(securely)N
794(exchange)X
1061(a)X
1116(single)X
1296(key)X
1415(with)X
1556(more)X
1714(than)X
1851(one)X
1969(other)X
2126(principal)X
2379(on)X
2469(top)X
2577(of)X
2656(the)X
2760(Kerberos)X
3019(protocol)X
3258(without)X
3480(using)X
3645(the)X
555 5468(DUPLICATE-SKEY)N
1119(feature,)X
1332(leaving)X
1541(the)X
1640(design)X
1828(of)X
1902(the)X
2001(mechanism)X
2313(to)X
2383(the)X
2481(application)X
2785(programmer)X
3120(can)X
3228(be)X
3308(error)X
3451(prone.)X
3648(By)X
555 5548(providing)N
824(this)X
937(functionaility)X
1302(within)X
1485(Kerberos,)X
1753(we)X
1846(make)X
2003(sure)X
2128(it)X
2183(is)X
2245(done)X
2388(right,)X
2544(and)X
2655(we)X
2748(make)X
2905(it)X
2960(known)X
3153(which)X
3328(keys)X
3464(have)X
3603(been)X
555 5628(passed)N
742(on.)X
855(If)X
914(a)X
959(key)X
1068(issued)X
1245(by)X
1325(Kerberos)X
1574(is)X
1633(passed)X
1819(on)X
1899(by)X
1979(an)X
2055(application)X
2355(\(outside)X
2577(of)X
2646(the)X
2740(Kerberos)X
2989(protocol\),)X
3255(the)X
3349(fact)X
3460(that)X
3572(it)X
3624(was)X
555 5708(passed)N
741(on)X
821(might)X
987(not)X
1085(be)X
1161(known)X
1351(by)X
1431(other)X
1578(apllications,)X
1905(and)X
2013(a)X
2057(breach)X
2242(of)X
2311(security)X
2529(might)X
2695(result.)X
10 s
555 6144(Section)N
815(2.3.3.)X
2196(-)X
2243(10)X
2343(-)X
11 p
%%Page: 11 13
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(verify)N
773(that)X
919(it)X
989(is)X
1068(a)X
1130(ticket-granting)X
1628(ticket,)X
1852(and)X
1994(use)X
2126(the)X
2249(session)X
2505(key)X
2646(from)X
2827(the)X
2950(second)X
3198(ticket)X
3401(to)X
3488(encrypt)X
3754(the)X
3877(new)X
555 768(ticket)N
753(it)X
817(will)X
961(issue)X
1141(instead)X
1388(of)X
1475(encrypting)X
1838(the)X
1956(new)X
2110(ticket)X
2308(in)X
2390(the)X
2508(key)X
2644(of)X
2731(the)X
2849(server)X
3066(for)X
3180(which)X
3396(it)X
3460(is)X
3533(issued\263.)X
755 892(If)N
833(the)X
955(name)X
1153(of)X
1244(the)X
1366(server)X
1587(in)X
1672(the)X
1793(ticket)X
1994(that)X
2137(is)X
2213(presented)X
2544(to)X
2629(the)X
2750(KDC)X
2942(as)X
3032(part)X
3180(of)X
3270(the)X
3391(authenticator)X
3833(is)X
3909(not)X
555 988(that)N
710(of)X
812(the)X
945(ticket-granting)X
1452(server)X
1684(itself,)X
1899(and)X
2050(the)X
2183(server)X
2415(is)X
2503(registered)X
2855(in)X
2952(the)X
3085(realm)X
3303(of)X
3405(the)X
3538(KDC,)X
3762(and)X
3913(the)X
555 1084(RENEW,)N
893(VALIDATE,)X
1352(or)X
1452(PROXY)X
1756(options)X
2024(are)X
2156(speci\256ed)X
2474(in)X
2569(the)X
2699(request,)X
2983(then)X
3153(the)X
3283(KDC)X
3484(will)X
3640(decrypt)X
3913(the)X
555 1180(ticket)N
756(in)X
841(the)X
962(authenticator)X
1404(using)X
1600(the)X
1721(key)X
1860(of)X
1949(the)X
2069(server)X
2288(to)X
2372(which)X
2590(it)X
2656(was)X
2803(issued,)X
3045(check)X
3255(that)X
3397(the)X
3517(RENEWABLE)X
555 1276(\257ag)N
698(is)X
774(set)X
886(or)X
976(the)X
1097(starttime)X
1400(has)X
1529(passed)X
1765(and)X
1903(the)X
2023(INVALID)X
2380(\257ag)X
2522(is)X
2597(set)X
2708(\(respectively\),)X
3192(check)X
3402(the)X
3522(renew_till)X
3869(\256eld)X
555 1372(if)N
624(appropriate,)X
1030(and)X
1166(issue)X
1346(a)X
1402(new)X
1556(ticket,)X
1774(either)X
1977(a)X
2033(renewal)X
2308(or)X
2395(a)X
2451(valid)X
2631(postdated)X
2958(ticket.)X
755 1496(Whenever)N
1114(a)X
1178(request)X
1438(is)X
1519(made)X
1721(to)X
1811(the)X
1937(ticket-granting)X
2437(server,)X
2682(the)X
2808(presented)X
3144(ticket)X
3350(is)X
3430(checked)X
3721(against)X
3975(a)X
555 1592(hot-list)N
803(of)X
892(tickets)X
1123(which)X
1341(have)X
1515(been)X
1689(canceled.)X
2033(In)X
2121(this)X
2257(way,)X
2432(a)X
2489(stolen)X
2701(ticket-granting)X
3194(ticket)X
3393(or)X
3481(renewable)X
3833(ticket)X
555 1688(can)N
695(not)X
825(be)X
929(used)X
1104(to)X
1194(gain)X
1360(additional)X
1708(tickets)X
1945(\(renewals)X
2286(or)X
2381(otherwise\))X
2747(once)X
2926(the)X
3051(theft)X
3225(has)X
3359(been)X
3538(reported.)X
3873(Any)X
555 1784(normal)N
807(ticket)X
1010(obtained)X
1311(before)X
1542(it)X
1611(was)X
1761(reported)X
2054(stolen)X
2269(will)X
2417(still)X
2560(be)X
2660(valid)X
2844(\(because)X
3150(they)X
3312(require)X
3564(no)X
3668(interaction)X
555 1880(with)N
717(the)X
835(KDC\),)X
1071(but)X
1193(only)X
1355(until)X
1521(their)X
1688(normal)X
1935(expiration)X
2280(time.)X
755 2004(If)N
839(the)X
967(identity)X
1241(of)X
1338(the)X
1466(server)X
1693(in)X
1785(the)X
1913(TGT)X
2099(that)X
2249(is)X
2331(presented)X
2668(to)X
2759(the)X
2886(KDC)X
3084(as)X
3180(part)X
3334(of)X
3430(the)X
3557(authentication)X
555 2100(header)N
791(is)X
865(that)X
1006(of)X
1094(the)X
1213(ticket-granting)X
1706(service,)X
1975(but)X
2098(the)X
2217(TGT)X
2393(was)X
2538(issued)X
2758(from)X
2934(another)X
3195(realm,)X
3418(the)X
3536(KDC)X
3725(will)X
3869(look)X
555 2196(up)N
661(the)X
785(inter-realm)X
1168(key)X
1310(shared)X
1546(with)X
1714(that)X
1860(realm)X
2069(and)X
2211(use)X
2343(that)X
2488(key)X
2629(to)X
2716(decrypt)X
2982(the)X
3105(ticket.)X
3348(If)X
3427(the)X
3550(ticket)X
3753(is)X
3831(valid,)X
555 2292(then)N
716(the)X
837(KDC)X
1029(will)X
1176(honor)X
1386(the)X
1507(request,)X
1782(subject)X
2032(to)X
2117(the)X
2237(constraints)X
2606(outlined)X
2890(above)X
3104(in)X
3188(the)X
3308(section)X
3557(describing)X
3913(the)X
555 2388(AS)N
688(exchange.)X
1063(The)X
1219(realm)X
1433(part)X
1589(of)X
1687(the)X
1816(client's)X
2083(identity)X
2358(will)X
2512(be)X
2618(taken)X
2822(from)X
3008(the)X
3136(ticket-granting)X
3638(ticket.)X
3886(The)X
555 2484(name)N
751(of)X
839(the)X
958(realm)X
1162(that)X
1303(issued)X
1524(the)X
1643(ticket)X
1842(granting)X
2130(ticket)X
2329(will)X
2474(be)X
2571(added)X
2784(to)X
2867(the)X
2986(transited)X
3283(\256eld)X
3446(of)X
3534(the)X
3653(ticket)X
3852(to)X
3935(be)X
555 2580(issued.)N
820(This)X
987(is)X
1065(accomplished)X
1531(by)X
1636(reading)X
1902(the)X
2025(transited)X
2326(\256eld)X
2493(from)X
2674(the)X
2797(ticket)X
3000(granting)X
3291(ticket,)X
3513(adding)X
3755(the)X
3877(new)X
555 2676(realm,)N
779(then)X
938(constructing)X
1355(and)X
1492(writing)X
1744(out)X
1867(its)X
1963(encoded)X
2252(\(shorthand\))X
2643(form)X
2820(\(this)X
2983(may)X
3142(involve)X
3403(a)X
3459 0.2604(rearrangement)AX
3944(of)X
555 2772(the)N
673(existing)X
946(encoding\).)X
755 2896(The)N
906(ciphertext)X
1253(part)X
1404(of)X
1497(the)X
1621(response)X
1928(in)X
2016(the)X
2140(KRB_TGS_REP)X
2707(message)X
3005(is)X
3084(encrypted)X
3427(in)X
3515(the)X
3639(session)X
3895(key)X
555 2992(from)N
735(the)X
857(ticket-granting)X
1353(ticket)X
1555(instead)X
1805(of)X
1895(the)X
2016(client's)X
2275(secret)X
2486(key.)X
2665(Furthermore,)X
3109(the)X
3230(client's)X
3489(key's)X
3686(expiration)X
555 3088(date)N
711(and)X
848(the)X
967(key)X
1104(version)X
1361(number)X
1627(\256elds)X
1821(are)X
1941(zeroed)X
2177(since)X
2363(these)X
2549(values)X
2775(are)X
2895(stored)X
3112(along)X
3311(with)X
3474(the)X
3593(client's)X
3850(data-)X
555 3184(base)N
718(record,)X
964(and)X
1100(that)X
1240(record)X
1466(is)X
1539(not)X
1661(needed)X
1909(to)X
1991(satisfy)X
2220(a)X
2276(request)X
2528(based)X
2731(on)X
2831(a)X
2887(ticket-granting)X
3379(ticket.)X
3 f
555 3376(2.3.4.)N
775(Receipt)X
1054(of)X
1141(KRB_TGS_REP)X
1733(message)X
1 f
555 3500(When)N
796(the)X
943(KRB_TGS_REP)X
1533(is)X
1635(received)X
1957(by)X
2086(the)X
2233(client,)X
2480(it)X
2573(is)X
2675(processed)X
3040(in)X
3150(the)X
3296(same)X
3509(manner)X
3798(as)X
3913(the)X
555 3596(KRB_AS_REP)N
1085(processing)X
1466(described)X
1812(above.)X
2082(The)X
2245(primary)X
2537(difference)X
2902(is)X
2993(that)X
3151(the)X
3287(ciphertext)X
3646(part)X
3809(of)X
3913(the)X
555 3692(response)N
866(must)X
1051(be)X
1157(decrypted)X
1504(using)X
1707(the)X
1835(session)X
2096(key)X
2242(from)X
2427(the)X
2554(ticket)X
2761(granting)X
3057(ticket)X
3264(rather)X
3481(than)X
3648(the)X
3775(client's)X
555 3788(private)N
798(key.)X
3 f
12 s
555 3980(2.4.)N
747(The)X
931(KRB_SAFE)X
1456(Exchange)X
1 f
10 s
755 4104(The)N
901(KRB_SAFE)X
1321(message)X
1613(may)X
1771(be)X
1867(used)X
2034(by)X
2134(clients)X
2363(requiring)X
2677(the)X
2795(ability)X
3019(to)X
3101(detect)X
3313(modi\256cations)X
3768(of)X
3855(mes-)X
555 4200(sages)N
753(they)X
915(exchange.)X
1283(It)X
1355(achieves)X
1655(this)X
1793(by)X
1896(including)X
2221(a)X
2280(checksum)X
2624(of)X
2714(the)X
2835(user)X
2992(data)X
3149(and)X
3288(some)X
3480(control)X
3730(informa-)X
555 4296(tion.)N
739(The)X
884(checksum)X
1225(is)X
1298(cryptographically)X
1884(generated)X
2217(using)X
2410(the)X
2528(session)X
2779(key.)X
3 f
555 4488(2.4.1.)N
775(Generation)X
1182(of)X
1269(a)X
1329(KRB_SAFE)X
1766(message)X
1 f
555 4612(When)N
771(an)X
871(application)X
1251(wishes)X
1493(to)X
1579(send)X
1749(a)X
1808(KRB_SAFE)X
2230(message,)X
2545(it)X
2612(collects)X
2880(its)X
2978(data)X
3135(and)X
3274(the)X
3395(appropriate)X
3784(control)X
555 4708(information)N
961(and)X
1105(computes)X
1440(a)X
1504(checksum)X
1853(over)X
2024(them.)X
2251(The)X
2403(checksum)X
2751(algorithm)X
3089(will)X
3240(usually)X
3498(be)X
3601(some)X
3797(sort)X
3944(of)X
555 4804(cryptographic)N
1022(one-way)X
1320(hash)X
1488(function)X
1776(\(such)X
1971(as)X
2059(the)X
2178(XXX)X
2373(checksum)X
2715(algorithm)X
3047(speci\256ed)X
3353(in)X
3436(section)X
3684(3\),)X
3792(seeded)X
555 4900(with)N
726(an)X
831(encryption)X
1203(key)X
1348(\(usually)X
1635(the)X
1762(session)X
2022(key\).)X
2233(Different)X
2556(algorithms)X
2926(may)X
3092(be)X
3196(selected)X
3483(by)X
3591(changing)X
3913(the)X
555 4996(checksum)N
904(type)X
1070(in)X
1160(the)X
1285(message.)X
1624(Note)X
1807(that)X
1954(any)X
2097(checksum)X
2445(used)X
2619(should)X
2859(be)X
2962(careful)X
3213(not)X
3342(to)X
3431(reveal)X
3655(the)X
3780(session)X
555 5092(key.)N
755 5216(After)N
952(computing)X
1321(the)X
1446(checksum,)X
1814(the)X
1939(client)X
2144(then)X
2309(transmits)X
2629(the)X
2754(information)X
3159(and)X
3302(checksum)X
3650(to)X
3739(the)X
3863(reci-)X
555 5312(pient)N
735(in)X
817(the)X
935(message)X
1227(format)X
1461(speci\256ed)X
1766(in)X
1848(section)X
2095(7.5.)X
8 s
10 f
555 5504(hhhhhhhhhhhhhhhhhh)N
1 f
555 5584(\263)N
611(This)X
749(allows)X
940(easy)X
1077(implementation)X
1503(of)X
1580(the)X
1682(Davis)X
1855(&)X
1929(Swick)X
2113(proposal)X
6 s
2333 5565(5)N
8 s
2381 5584(to)N
2455(use)X
2564(ticket-granting)X
2964(ticket)X
3130(session)X
3338(keys)X
3478(in)X
3551(lieu)X
3670(of)X
555 5664(secret)N
719(server)X
890(keys)X
1023(in)X
1089(situations)X
1351(where)X
1522(such)X
1655(secret)X
1819(keys)X
1952(could)X
2110(be)X
2186(easily)X
2351(compromised.)X
10 s
555 6144(Section)N
815(2.4.1.)X
2196(-)X
2243(11)X
2343(-)X
12 p
%%Page: 12 14
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
555 672(2.4.2.)N
775(Receipt)X
1054(of)X
1141(KRB_SAFE)X
1578(message)X
1 f
555 796(When)N
770(an)X
869(application)X
1248(receives)X
1535(a)X
1594(KRB_SAFE)X
2016(message,)X
2330(it)X
2396(veri\256es)X
2654(it)X
2720(as)X
2809(follows.)X
3111(If)X
3187(any)X
3325(error)X
3504(occurs,)X
3756(an)X
3854(error)X
555 892(code)N
727(is)X
800(reported)X
1088(for)X
1202(use)X
1329(by)X
1429(the)X
1547(application.)X
755 1016(The)N
904(message)X
1200(is)X
1277(\256rst)X
1425(checked)X
1713(by)X
1817(verifying)X
2134(that)X
2277(the)X
2398(protocol)X
2688(version)X
2947(and)X
3086(type)X
3247(\256elds)X
3443(match)X
3662(the)X
3783(current)X
555 1112(version)N
839(and)X
1002(KRB_SAFE,)X
1468(respectively.)X
1943(A)X
2048(mismatch)X
2406(generates)X
2757(a)X
2840(KRB_AP_ERR_BADVERSION)X
3944(or)X
555 1208(KRB_AP_ERR_MSG_TYPE)N
1534(error.)X
1756(Next)X
1937(the)X
2060(application)X
2441(veri\256es)X
2702(that)X
2847(the)X
2970(message)X
3267(length)X
3491(contained)X
3827(in)X
3913(the)X
555 1304(message)N
861(matches)X
1158(the)X
1289(operating)X
1625(system's)X
1938(report)X
2163(of)X
2263(the)X
2394(message)X
2699(size)X
2857(received.)X
3203(A)X
3294(mismatch)X
3638(generates)X
3975(a)X
555 1400(KRB_AP_ERR_MODIFIED)N
1518(error.)X
1745(The)X
1900(application's)X
2344(report)X
2566(of)X
2662(the)X
2789(sender's)X
3086(address)X
3356(is)X
3438(compared)X
3784(against)X
555 1496(the)N
685(address)X
958(in)X
1052(the)X
1182(message;)X
1508(a)X
1576(mismatch)X
1919(generates)X
2254(a)X
2321(KRB_AP_ERR_BADADDR)X
3289(error.)X
3517(Then)X
3713(the)X
3842(time-)X
555 1592(stamp)N
771(and)X
912(msec)X
1102(\256elds)X
1300(in)X
1387(the)X
1510(message)X
1807(are)X
1931(checked)X
2220(to)X
2307(insure)X
2528(they)X
2690(are)X
2813(current)X
3065(and)X
3205(not)X
3331(replayed.)X
3672(If)X
3750(they)X
3912(are)X
555 1688(not)N
681(current,)X
953(a)X
1013(KRB_AP_ERR_SKEW)X
1805(error)X
1986(is)X
2063(generated.)X
2440(If)X
2518(they)X
2680(are)X
2803(a)X
2863(replay,)X
3108(a)X
3168(KRB_AP_ERR_REPEAT)X
555 1784(error)N
739(is)X
819(generated.)X
1199(The)X
1351(most)X
1533(signi\256cant)X
1893(bit)X
2004(of)X
2098(the)X
2223(millisecond)X
2623(\256eld)X
2791(is)X
2870(used)X
3043(to)X
3131(encode)X
3385(the)X
3509(direction)X
3820(of)X
3913(the)X
555 1880(message)N
852(\(This)X
1046(bit)X
1155(is)X
1233(used)X
1405(because)X
1685(it)X
1754(can)X
1891(never)X
2095(be)X
2196(set)X
2309(as)X
2400(part)X
2549(of)X
2640(the)X
2762(encoding)X
3080(of)X
3171(a)X
3231(millisecond)X
3628(value,)X
3846(since)X
555 1976(such)N
728(values)X
959(are)X
1084(restricted)X
1409(to)X
1497(be)X
1599(less)X
1745(than)X
1909(1000.\).)X
2182(If)X
2262(the)X
2386(sender's)X
2680(network)X
2969(layer)X
3156(address)X
3423(is)X
3501(greater)X
3750(than)X
3913(the)X
555 2072(receiver's)N
896(address,)X
1180(then)X
1341(the)X
1462(bit)X
1569(is)X
1645(set)X
1757(\(an)X
1883(ordering)X
2178(on)X
2281(the)X
2401(addresses)X
2731(is)X
2806(speci\256ed)X
3113(with)X
3277(the)X
3397(speci\256cation)X
3824(of)X
3913(the)X
555 2168(encoding)N
871(of)X
960(the)X
1080(addresses,)X
1430(in)X
1514(section)X
1763(5.3\),)X
1932(otherwise)X
2266(it)X
2332(is)X
2407(reset.)X
2621(If)X
2697(the)X
2817(direction)X
3123(bit)X
3228(is)X
3302(set)X
3412(incorrectly)X
3781(for)X
3896(this)X
555 2264(message,)N
872(a)X
932(KRB_AP_ERR_REPEAT)X
1799(error)X
1980(is)X
2057(generated.)X
2434(Finally,)X
2704(the)X
2826(checksum)X
3171(is)X
3248(computed)X
3588(over)X
3755(the)X
3877(data)X
555 2360(and)N
704(control)X
964(information,)X
1395(and)X
1544(if)X
1626(it)X
1703(doesn't)X
1972(match)X
2201(the)X
2332(received)X
2637(checksum,)X
3010(a)X
3078(KRB_AP_ERR_MODIFIED)X
555 2456(error)N
732(is)X
805(returned.)X
755 2580(If)N
832(all)X
935(the)X
1056(checks)X
1298(succeed,)X
1596(the)X
1717(application)X
2096(can)X
2231(assume)X
2490(that)X
2633(the)X
2754(message)X
3049(was)X
3197(generated)X
3533(by)X
3636(its)X
3734(peer)X
3895(and)X
555 2676(was)N
700(not)X
822(modi\256ed)X
1126(in)X
1208(transit.)X
3 f
12 s
555 2868(2.5.)N
747(The)X
931(KRB_PRIV)X
1445(Exchange)X
1 f
10 s
755 2992(The)N
909(KRB_PRIV)X
1324(message)X
1625(may)X
1791(be)X
1895(used)X
2070(by)X
2178(clients)X
2415(requiring)X
2737(con\256dentiality)X
3227(and)X
3371(the)X
3497(ability)X
3729(to)X
3819(detect)X
555 3088(modi\256cations)N
1024(of)X
1125(exchanged)X
1503(messages.)X
1880(It)X
1963(achieves)X
2274(this)X
2423(by)X
2537(encrypting)X
2914(the)X
3046(messages)X
3383(and)X
3533(adding)X
3784(control)X
555 3184(information.)N
3 f
555 3376(2.5.1.)N
775(Generation)X
1182(of)X
1269(a)X
1329(KRB_PRIV)X
1758(message)X
1 f
555 3500(When)N
772(an)X
873(application)X
1253(wishes)X
1495(to)X
1581(send)X
1752(a)X
1812(KRB_PRIV)X
2222(message,)X
2538(it)X
2606(collects)X
2875(its)X
2974(data)X
3132(and)X
3272(the)X
3394(appropriate)X
3784(control)X
555 3596(information)N
956(\(speci\256ed)X
1291(in)X
1376(section)X
1626(7.6\))X
1775(and)X
1913(encrypts)X
2207(them)X
2389(under)X
2594(an)X
2692(encryption)X
3057(key)X
3195(\(usually)X
3475(the)X
3595(session)X
3848(key\).)X
555 3692(It)N
624(then)X
782(transmits)X
1095(the)X
1213(information)X
1611(and)X
1747(some)X
1936("envelope")X
2312(information)X
2710(to)X
2792(the)X
2910(recipient.)X
3 f
555 3884(2.5.2.)N
775(Receipt)X
1054(of)X
1141(KRB_PRIV)X
1570(message)X
1 f
555 4008(When)N
771(an)X
871(application)X
1250(receives)X
1537(a)X
1596(KRB_PRIV)X
2005(message,)X
2320(it)X
2387(veri\256es)X
2646(it)X
2713(as)X
2803(follows.)X
3106(If)X
3183(any)X
3322(error)X
3502(occurs,)X
3755(an)X
3854(error)X
555 4104(code)N
727(is)X
800(reported)X
1088(for)X
1202(use)X
1329(by)X
1429(the)X
1547(application.)X
755 4228(The)N
904(message)X
1200(is)X
1277(\256rst)X
1425(checked)X
1713(by)X
1817(verifying)X
2134(that)X
2277(the)X
2398(protocol)X
2688(version)X
2947(and)X
3086(type)X
3247(\256elds)X
3443(match)X
3662(the)X
3783(current)X
555 4324(version)N
840(and)X
1005(KRB_PRIV,)X
1460(respectively.)X
1937(A)X
2044(mismatch)X
2403(generates)X
2755(a)X
2839(KRB_AP_ERR_BADVERSION)X
3944(or)X
555 4420(KRB_AP_ERR_MSG_TYPE)N
1546(error,)X
1759(respectively.)X
2223(Next)X
2415(the)X
2549(application)X
2941(veri\256es)X
3213(that)X
3369(the)X
3503(message)X
3811(length)X
555 4516(contained)N
890(in)X
975(the)X
1095(message)X
1389(matches)X
1674(the)X
1794(operating)X
2119(system's)X
2421(report)X
2635(of)X
2724(the)X
2844(message)X
3138(size)X
3285(received.)X
3620(A)X
3700(mismatch)X
555 4612(generates)N
899(a)X
974(KRB_AP_ERR_MODIFIED)X
1946(error.)X
2182(The)X
2346(application)X
2741(then)X
2918(decrypts)X
3229(the)X
3366(encrypted)X
3722(data)X
3895(and)X
555 4708(processes)N
892(them.)X
1121(If)X
1203(the)X
1329(length)X
1557(encoded)X
1853(in)X
1943(the)X
2069(decrypted)X
2414(user)X
2576(data)X
2738(is)X
2819(greater)X
3071(than)X
3237(the)X
3363(remaining)X
3716(length)X
3944(of)X
555 4804(decrypted)N
901(data,)X
1084(a)X
1149(KRB_AP_ERR_MODIFIED)X
2111(error)X
2297(is)X
2379(generated)X
2721(\(this)X
2892(ususally)X
3183(indicates)X
3497(decryption)X
3869(with)X
555 4900(the)N
683(wrong)X
918(key\).)X
1131(The)X
1286(application's)X
1730(report)X
1951(of)X
2047(the)X
2174(sender's)X
2471(address)X
2741(is)X
2823(compared)X
3169(against)X
3425(the)X
3552(address)X
3822(in)X
3913(the)X
555 4996(message;)N
874(a)X
935(mismatch)X
1271(generates)X
1599(a)X
1659(KRB_AP_ERR_BADADDR)X
2620(error.)X
2841(Then)X
3030(the)X
3152(timestamp)X
3509(and)X
3649(msec)X
3838(\256elds)X
555 5092(in)N
658(the)X
797(message)X
1110(are)X
1250(checked)X
1555(to)X
1658(insure)X
1894(they)X
2072(are)X
2211(current)X
2479(and)X
2635(not)X
2777(replayed.)X
3134(If)X
3228(they)X
3406(are)X
3545(not)X
3687(current,)X
3975(a)X
555 5188(KRB_AP_ERR_SKEW)N
1354(error)X
1542(is)X
1626(generated.)X
2010(If)X
2095(they)X
2264(are)X
2394(a)X
2461(replay,)X
2713(a)X
2780(RD_AP_REPEAT)X
3406(error)X
3594(is)X
3678(generated.)X
555 5284(The)N
708(most)X
891(signi\256cant)X
1252(bit)X
1364(of)X
1458(the)X
1583(msec)X
1775(\256eld)X
1944(is)X
2024(used)X
2198(to)X
2287(encode)X
2542(the)X
2667(direction)X
2979(of)X
3073(the)X
3198(message.)X
3537(If)X
3618(the)X
3743(sender's)X
555 5380(network)N
839(layer)X
1021(address)X
1283(is)X
1357(greater)X
1602(than)X
1761(the)X
1880(receiver's)X
2219(address,)X
2501(then)X
2660(the)X
2779(bit)X
2884(is)X
2958(set)X
3068(\(an)X
3192(ordering)X
3485(on)X
3585(the)X
3703(addresses)X
555 5476(is)N
632(speci\256ed)X
941(with)X
1107(the)X
1229(speci\256cation)X
1658(of)X
1749(the)X
1871(encoding)X
2189(of)X
2280(the)X
2402(addresses,)X
2754(in)X
2840(section)X
3091(5.3\),)X
3262(otherwise)X
3598(it)X
3666(is)X
3742(reset.)X
3957(If)X
555 5572(the)N
673(direction)X
978(bit)X
1082(is)X
1155(set)X
1264(incorrectly)X
1632(for)X
1746(this)X
1881(message,)X
2193(a)X
2249(KRB_AP_ERR_REPEAT)X
3112(error)X
3289(is)X
3362(generated.)X
755 5696(If)N
831(all)X
933(the)X
1053(checks)X
1294(succeed,)X
1591(the)X
1711(application)X
2089(can)X
2223(assume)X
2480(the)X
2599(message)X
2892(was)X
3038(generated)X
3372(by)X
3473(its)X
3569(peer,)X
3749(and)X
3886(was)X
555 5792(securely)N
843(transmitted)X
1223(\(without)X
1514(intruders)X
1819(able)X
1973(to)X
2055(see)X
2178(the)X
2296(unencrypted)X
2713(contents\).)X
555 6144(Section)N
815(2.5.2.)X
2196(-)X
2243(12)X
2343(-)X
13 p
%%Page: 13 15
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
12 s
555 672(3.)N
675(Encryption)X
1 f
10 s
555 796(The)N
708(Kerberos)X
1030(protocols)X
1355(described)X
1690(in)X
1779(this)X
1921(document)X
2264(are)X
2390(designed)X
2702(to)X
2791(use)X
2925(stream)X
3166(encryption)X
3536(ciphers,)X
3815(which)X
555 892(can)N
695(be)X
799(simulated)X
1138(using)X
1339(commonly)X
1709(available)X
2027(block)X
2233(encryption)X
2604(ciphers,)X
2884(such)X
3059(as)X
3154(the)X
3280(Data)X
3459(Encryption)X
3842(Stan-)X
555 988(dard,)N
8 s
718 963(6)N
10 s
774 988(in)N
860(conjunction)X
1262(with)X
1428(block)X
1630(chaining)X
1930(and)X
2070(checksum)X
2415(methods.)X
8 s
2706 963(7)N
10 s
2762 988(Encryption)N
3142(is)X
3219(used)X
3390(to)X
3475(prove)X
3681(the)X
3802(identi-)X
555 1084(ties)N
700(of)X
801(the)X
933(network)X
1230(entities)X
1495(participating)X
1934(in)X
2030(message)X
2336(exchanges.)X
2745(The)X
2903(Key)X
3070(Distribution)X
3489(Center)X
3736(for)X
3863(each)X
555 1180(realm)N
771(is)X
857(trusted)X
1108(by)X
1221(all)X
1334(principals)X
1683(registered)X
2033(in)X
2128(that)X
2281(realm)X
2497(to)X
2592(store)X
2781(a)X
2850(secret)X
3071(key)X
3220(in)X
3314(con\256dence.)X
3734(Proof)X
3944(of)X
555 1276(knowledge)N
927(of)X
1014(this)X
1149(private)X
1392(key)X
1528(is)X
1601(used)X
1768(to)X
1850(verify)X
2062(the)X
2180(authenticity)X
2578(of)X
2665(a)X
2721(principal.)X
755 1400(The)N
906(KDC)X
1101(uses)X
1265(the)X
1389(principal's)X
1758(secret)X
1972(key)X
2114(\(in)X
2229(the)X
2353(AS)X
2481(exchange\))X
2838(or)X
2930(a)X
2991(shared)X
3226(session)X
3482(key)X
3623(\(in)X
3737(the)X
3860(TGS)X
555 1496(exchange\))N
908(to)X
992(encrypt)X
1255(responses)X
1589(to)X
1673(ticket)X
1873(requests;)X
2180(the)X
2300(ability)X
2526(to)X
2610(obtain)X
2832(the)X
2952(secret)X
3162(key)X
3299(or)X
3387(session)X
3639(key)X
3776(implies)X
555 1592(the)N
680(knowledge)X
1059(of)X
1153(the)X
1278(appropriate)X
1671(keys)X
1845(and)X
1988(the)X
2113(identity)X
2383(of)X
2476(the)X
2600(KDC.)X
2835(The)X
2986(ability)X
3216(of)X
3309(a)X
3371(principal)X
3682(to)X
3770(decrypt)X
555 1688(the)N
681(KDC)X
878(response)X
1187(and)X
1331(present)X
1591(a)X
1655(Ticket)X
1887(and)X
2030(a)X
2093(properly)X
2392(formed)X
2651(Authenticator)X
3119(\(generated)X
3486(with)X
3655(the)X
3780(session)X
555 1784(key)N
699(from)X
883(the)X
1009(KDC)X
1206(response\))X
1542(to)X
1632(a)X
1696(service)X
1952(veri\256es)X
2216(the)X
2342(identity)X
2614(of)X
2709(the)X
2835(principal;)X
3169(likewise)X
3463(the)X
3588(ability)X
3819(of)X
3913(the)X
555 1880(service)N
804(to)X
887(extract)X
1127(the)X
1246(session)X
1498(key)X
1635(from)X
1812(the)X
1931(Ticket)X
2157(and)X
2294(prove)X
2498(its)X
2594(knowledge)X
2967(thereof)X
3216(in)X
3299(a)X
3356(response)X
3657(veri\256es)X
3913(the)X
555 1976(identity)N
819(of)X
906(the)X
1024(service.)X
755 2100(The)N
901(Kerberos)X
1217(protocols)X
1536(generally)X
1856(assume)X
2113(that)X
2254(the)X
2373(encryption)X
2737(used)X
2905(is)X
2979(secure)X
3205(from)X
3381(cryptanalysis;)X
3846(how-)X
555 2196(ever,)N
738(in)X
824(some)X
1016(cases,)X
1229(the)X
1350(order)X
1543(of)X
1633(\256elds)X
1829(in)X
1914(the)X
2035(encrypted)X
2375(portions)X
2660(of)X
2750(messages)X
3076(are)X
3198(arranged)X
3503(to)X
3588(minimize)X
3913(the)X
555 2292(effects)N
796(of)X
889(poorly)X
1124(chosen)X
1373(keys.)X
1586(It)X
1661(is)X
1740(still)X
1885(important)X
2222(to)X
2310(choose)X
2559(good)X
2745(keys.)X
3 f
2958(If)X
3042(keys)X
3219(are)X
3357(derived)X
3641(from)X
3837(user-)X
555 2388(typed)N
770(passwords,)X
1169(those)X
1371(passwords)X
1750(need)X
1934(to)X
2025(be)X
2129(well)X
2291(chosen)X
2546(to)X
2637(make)X
2847(brute)X
3057(force)X
3255(attacks)X
3523(more)X
3725(dif\256cult.)X
1 f
555 2484(Poorly)N
788(chosen)X
1031(keys)X
1198(still)X
1337(make)X
1531(easy)X
1694(targets)X
1928(for)X
2042(intruders.)X
3 f
12 s
555 2676(3.1.)N
747(Cryptographic)X
1379(checksums)X
1 f
10 s
755 2800(XXX)N
949(need)X
1121(some)X
1310(quick)X
1508(crypto)X
1733(cksum)X
1962(here.)X
755 2924(For)N
887(applications)X
1294(that)X
1434(require)X
1682(a)X
1738(more)X
1923(trustworthy)X
2312(cryptographic)X
2778(checksum)X
3119(\(at)X
3224(the)X
3342(cost)X
3491(of)X
3578(a)X
3634(serious)X
3881(per-)X
555 3020(formance)N
879(degradation\),)X
1325(the)X
1443(DES)X
1614(cipher)X
1835(block)X
2033(chain)X
2227(checksum)X
2568(should)X
2801(suf\256ce.)X
3 f
12 s
555 3212(3.2.)N
747(Checksums)X
1 f
10 s
755 3336(Some)N
960(encryption)X
1326(systems)X
1602(use)X
1732(a)X
1791(block-chaining)X
2294(method)X
2556(to)X
2640(improve)X
2929(the)X
3049(integrity)X
3342(characteristics)X
3824(of)X
3913(the)X
555 3432(ciphertext.)N
952(However,)X
1303(these)X
1504(chaining)X
1816(methods)X
2123(often)X
2324(don't)X
2529(provide)X
2810(an)X
2922(integrity)X
3229(check)X
3453(upon)X
3648(decryption.)X
555 3528(Such)N
737(systems)X
1012(\(such)X
1208(as)X
1297(DES)X
1470(in)X
1554(CBC)X
1735(mode\))X
1962(must)X
2139(be)X
2237(augmented)X
2611(with)X
2775(a)X
2832(checksum)X
3174(of)X
3262(the)X
3381(plaintext)X
3682(which)X
3899(can)X
555 3624(be)N
664(veri\256ed)X
942(at)X
1033(decryption)X
1409(and)X
1558(used)X
1738(to)X
1833(detect)X
2058(any)X
2207(tampering)X
2565(or)X
2665(damage.)X
2988(If)X
3075(any)X
3224(damage)X
3507(is)X
3593(detected,)X
3913(the)X
555 3720(decryption)N
918(routine)X
1165(is)X
1238(expected)X
1544(to)X
1626(return)X
1838(an)X
1934(error)X
2111(indicating)X
2451(the)X
2569(failure)X
2799(of)X
2886(an)X
2982(integrity)X
3273(check.)X
755 3844(The)N
908(protocol)X
1203(messages)X
1534(only)X
1704(specify)X
1964(what)X
2148(\256elds)X
2349(are)X
2476(to)X
2566(be)X
2670(encrypted,)X
3035(and)X
3179(make)X
3381(no)X
3489(explicit)X
3756(require-)X
555 3940(ments)N
775(of)X
871(a)X
935(checksum.)X
1324(Each)X
1513(encryption)X
1884(type)X
2050(is)X
2131(expected)X
2445(to)X
2535(provide)X
2808(and)X
2952(verify)X
3172(an)X
3276(appropriate)X
3670(checksum.)X
555 4036(This)N
726(checksum)X
1076(is)X
1158(to)X
1249(be)X
1354(encoded)X
1651(in)X
1742(the)X
1869("PAD")X
2124(area)X
2288(of)X
2384(the)X
2511(messages)X
2843(\(note:)X
3059(this)X
3203(may)X
3370(necessitate)X
3746(an)X
3850(extra)X
555 4132(PAD)N
741(block,)X
965(depending)X
1325(on)X
1431(the)X
1555(encryption)X
1923(blocksize,)X
2271(the)X
2394(checksum)X
2740(size,)X
2910(and)X
3051(the)X
3174(plaintext)X
3479(length\).)X
3771(Section)X
555 4228(5.2.3)N
741(speci\256es)X
1043(the)X
1167(currently)X
1483(de\256ned)X
1745(encryption)X
2114(types,)X
2329(their)X
2502(uses)X
2666(of)X
2759(checksums,)X
3157(and)X
3299(their)X
3472(padding)X
3756(require-)X
555 4324(ments.)N
3 f
12 s
555 4612(4.)N
675(The)X
859(Kerberos)X
1268(Database)X
1 f
10 s
555 4736(The)N
705(Kerberos)X
1025(server)X
1247(must)X
1427(have)X
1604(access)X
1835(to)X
1921(a)X
1981(database)X
2282(containing)X
2644(the)X
2766(names)X
2995(and)X
3135(secret)X
3347(keys)X
3518(of)X
3609(principals)X
3949(to)X
555 4832(be)N
651(authenticated\262.)X
8 s
10 f
555 5344(hhhhhhhhhhhhhhhhhh)N
1 f
555 5424(\262The)N
704(implementation)X
1124(of)X
1195(the)X
1291(Kerberos)X
1542(server)X
1714(need)X
1851(not)X
1950(combine)X
2187(the)X
2282(database)X
2518(and)X
2627(the)X
2722(server)X
2894(on)X
2975(the)X
3070(same)X
3218(machine;)X
3469(it)X
3522(is)X
3582(feasi-)X
555 5504(ble)N
653(to)X
723(store)X
867(the)X
965(principal)X
1212(database)X
1451(in,)X
1537(say,)X
1658(a)X
1706(network)X
1935(name)X
2093(service,)X
2309(as)X
2382(long)X
2516(as)X
2589(the)X
2687(entries)X
2876(stored)X
3051(therein)X
3247(are)X
3343(protected)X
3599(from)X
555 5584(disclosure)N
832(to)X
900(and)X
1010(modi\256cation)X
1352(by)X
1433(unauthorized)X
1783(parties.)X
2002(However,)X
2268(we)X
2359(recommend)X
2677(against)X
2875(such)X
3009(strategies,)X
3283(as)X
3353(they)X
3480(can)X
3585(make)X
555 5664(system)N
749(management)X
1091(and)X
1199(threat)X
1360(analysis)X
1582(quite)X
1726(complex.)X
12 s
555 6144(Section)N
868(4.)X
2179(-)X
2235(13)X
2355(-)X
14 p
%%Page: 14 16
12 s 0 xH 0 xS 1 f
10 s
0 32(--)N
4323(--)X
3 f
12 s
2082 432(DRAFT)N
2436(2)X
555 672(4.1.)N
747(Database)X
1149(contents)X
1 f
10 s
555 796(A)N
633(database)X
930(entry)X
1115(should)X
1348(contain)X
1604(at)X
1682(least)X
1849(the)X
1967(following)X
2298(\256elds:)X
2 f
555 940(Field)N
1331(Value)X
1 f
555 1132(name)N
1331(Principal's)X
1698(name)X
555 1228(key)N
1331(Principal's)X
1698(secret)X
1906(key)X
555 1324(p_kvno)N
1331(Principal's)X
1698(key)X
1834(version)X
555 1420(max_life)N
1331(Maximum)X
1684(lifetime)X
1953(for)X
2067(Tickets)X
555 1516(max_renewable_life)N
1331(Maximum)X
1684(total)X
1846(lifetime)X
2115(for)X
2229(renewable)X
2580(Tickets)X
555 1660(The)N
709(\256rst)X
862(\256eld)X
1033(is)X
1115(a)X
1180(string)X
1390(array)X
1584(representing)X
2009(the)X
2135(principal's)X
2506(name.)X
2748(The)X
2901('key')X
3099(\256eld)X
3269(contains)X
3564(an)X
3668(encryption)X
555 1756(key.)N
740(This)X
911(key)X
1056(is)X
1137(the)X
1263(principal's)X
1634(secret)X
1850(key.)X
2034(\(The)X
2214(key)X
2358(can)X
2498(be)X
2602(encrypted)X
2947(before)X
3181(storage)X
3441(under)X
3652(a)X
3716(Kerberos)X
555 1852("master)N
828(key")X
1003(to)X
1091(protect)X
1340(it)X
1410(in)X
1498(case)X
1663(the)X
1787(database)X
2090(is)X
2169(compromised)X
2631(but)X
2759(the)X
2883(master)X
3123(key)X
3265(is)X
3344(not.)X
3512(In)X
3605(that)X
3751(case,)X
3935(an)X
555 1948(extra)N
738(\256eld)X
902(must)X
1079(be)X
1177(added)X
1391(to)X
1475(indicate)X
1751(the)X
1871(master)X
2107(key)X
2245(version)X
2502(used,)X
2690(see)X
2814(below.\))X
3078(The)X
3224('p_kvno')X
3539(\256eld)X
3702(is)X
3776(the)X
3895(key)X
555 2044(version)N
819(number)X
1092(of)X
1187(the)X
1313(principal's)X
1683(secret)X
1898(key.)X
2081(The)X
2233('max_life')X
2599(\256eld)X
2768(contains)X
3062(the)X
3187(maximum)X
3538(allowable)X
3877(life-)X
555 2140(time)N
719(\(endtime)X
1026(-)X
1075(starttime\))X
1404(for)X
1520(any)X
1658(Ticket)X
1885(issued)X
2107(for)X
2222(this)X
2358(principal.)X
2704(The)X
2850 0.1974('max_renewable_life')AX
3581(\256eld)X
3744(contains)X
555 2236(the)N
679(maximum)X
1029(allowable)X
1367(total)X
1535(lifetime)X
1810(for)X
1930(any)X
2071(renewable)X
2427(Ticket)X
2657(issued)X
2882(for)X
3001(this)X
3141(principal.)X
3491(\(See)X
3659(section)X
3911(2.1)X
555 2332(for)N
669(a)X
725(description)X
1101(of)X
1188(how)X
1346(these)X
1531(lifetimes)X
1831(are)X
1950(used)X
2117(in)X
2199(determining)X
2606(the)X
2724(lifetime)X
2993(of)X
3080(a)X
3136(given)X
3334(Ticket.\))X
755 2456(If)N
831(a)X
889(server)X
1108(is)X
1183(to)X
1266(use)X
1394(a)X
1451(single)X
1663(database)X
1961(to)X
2044(serve)X
2235(several)X
2484(realms,)X
2739(the)X
2858(principal)X
3164(record)X
3391(should)X
3625(also)X
3775(include)X
555 2552(a)N
611(realm)X
814(\256eld.)X
755 2676(When)N
968(a)X
1025(server's)X
1301(key)X
1438(changes,)X
1738(if)X
1808(the)X
1927(change)X
2176(is)X
2250(routine)X
2498(\(i.e.)X
2644(not)X
2767(the)X
2886(result)X
3085(of)X
3173(disclosure)X
3519(of)X
3607(the)X
3726(old)X
3848(key\),)X
555 2772(the)N
687(old)X
823(key)X
973(should)X
1220(be)X
1330(retained)X
1623(by)X
1736(the)X
1867(server)X
2097(until)X
2276(all)X
2389(tickets)X
2631(that)X
2784(had)X
2933(been)X
3118(issued)X
3351(using)X
3557(that)X
3710(key)X
3859(have)X
555 2868(expired.)N
867(Because)X
1166(of)X
1264(this,)X
1430(it)X
1505(is)X
1589(possible)X
1882(for)X
2007(several)X
2266(keys)X
2444(to)X
2537(be)X
2643(active)X
2865(for)X
2989(a)X
3055(single)X
3276(principal.)X
3631(Text)X
3808(that)X
3958(is)X
555 2964(encrypted)N
892(in)X
974(a)X
1030(principal's)X
1393(key)X
1529(is)X
1602(always)X
1845(tagged)X
2079(with)X
2241(the)X
2359(version)X
2615(of)X
2702(the)X
2820(key)X
2956(that)X
3096(was)X
3241(used)X
3408(for)X
3522(encryption.)X
755 3088(When)N
975(more)X
1168(than)X
1334(one)X
1478(key)X
1621(is)X
1701(active)X
1920(for)X
2041(a)X
2104(particular)X
2439(principal,)X
2771(the)X
2896(principal)X
3208(will)X
3359(have)X
3538(more)X
3730(than)X
3895(one)X
555 3184(record)N
784(in)X
869(the)X
990(Kerberos)X
1307(database.)X
1646(The)X
1793(keys)X
1962(and)X
2100(key)X
2238(version)X
2496(numbers)X
2794(will)X
2940(differ)X
3141(between)X
3431(the)X
3551(records)X
3810(\(XXX)X
555 3280(the)N
678(rest)X
819(of)X
911(the)X
1034(\256elds)X
1232(are)X
1356(the)X
1478(same\).)X
1734(Whenever)X
2089(Kerberos)X
2408(issues)X
2623(a)X
2683(ticket,)X
2905(or)X
2996(responds)X
3305(to)X
3391(a)X
3451(request)X
3707(for)X
3825(initial)X
555 3376(authentication,)N
1050(the)X
1169(most)X
1345(recent)X
1563(key)X
1700(\(known)X
1966(by)X
2067(the)X
2186(Kerberos)X
2502(server\))X
2747(will)X
2892(be)X
2989(used)X
3157(for)X
3272(encryption.)X
3676(This)X
3839(is)X
3913(the)X
555 3472(key)N
694(with)X
858(the)X
978(highest)X
1231(key)X
1369(version)X
1627(number.)X
1934(The)X
2081(size)X
2228(of)X
2317(the)X
2437(version)X
2695(number)X
2962(\256eld)X
3126(in)X
3210(the)X
3330(database)X
3629(is)X
3704(an)X
3802(imple-)X
555 3568(mentation)N
905(issue,)X
1115(but)X
1247(only)X
1419(8)X
1489(bits)X
1634(are)X
1763(assigned)X
2069(to)X
2161(this)X
2306(\256eld)X
2478(in)X
2569(the)X
2696(protocol.)X
3032(As)X
3150(such,)X
3346(all)X
3455(active)X
3676(keys)X
3852(for)X
3975(a)X
555 3664(given)N
758(principal)X
1068(must)X
1248(have)X
1425(a)X
1486(key)X
1627(version)X
1888(number)X
2158(that)X
2302(falls)X
2464(into)X
2612(a)X
2672(contiguous)X
3047(range)X
3250(of)X
3341(256.)X
3525([One)X
3710(easy)X
3877(way)X
555 3760(to)N
638(achieve)X
905(this)X
1041(is)X
1115(to)X
1197(take)X
1351(the)X
1469(Kerberos)X
1784(database's)X
2139(key)X
2275(version)X
2531(number)X
2796(modulo)X
3060(256,)X
3220(and)X
3356(use)X
3483(the)X
3601(result)X
3799(for)X
3913(the)X
555 3856(key)N
691(version)X
947(number)X
1212(in)X
1294(the)X
1412(protocols].)X
3 f
12 s
555 4048(4.2.)N
747(Additional)X
1208(\256elds)X
1 f
10 s
555 4172(Project)N
802(Athena's)X
1112(KDC)X
1301(implementation)X
1823(uses)X
1981(additional)X
2321(\256elds)X
2514(in)X
2596(its)X
2691(database:)X
2 f
555 4316(Field)N
1031(Value)X
1 f
555 4508(K_kvno)N
1031(Kerberos')X
1373(key)X
1509(version)X
555 4604(expiration)N
1031(Expiration)X
1389(date)X
1543(for)X
1657(entry)X
555 4700(attributes)N
1031(Bit)X
1148(\256eld)X
1310(of)X
1397(attributes)X
555 4796(mod_date)N
1031(Timestamp)X
1411(of)X
1498(last)X
1629(modi\256cation)X
555 4892(mod_name)N
1031(Modifying)X
1393(principal's)X
1756(name)X
555 5064(The)N
702('K_kvno')X
1036(\256eld)X
1200(indicates)X
1507(the)X
1627(key)X
1765(version)X
2023(of)X
2112(the)X
2231(Kerberos)X
2547(master)X
2782(key)X
2919(under)X
3123(which)X
3340(the)X
3459(principal's)X
3823(secret)X
555 5160(key)N
691(is)X
764(encrypted.)X
755 5284(After)N
946(an)X
1043(entry's)X
1287('expiration')X
1687(date)X
1842(has)X
1970(passed,)X
2225(the)X
2344(KDC)X
2534(will)X
2679(return)X
2892(an)X
2989(error)X
3167(to)X
3250(any)X
3387(client)X
3586(attempting)X
3949(to)X
555 5380(gain)N
722(tickets)X
960(as)X
1056(or)X
1152(for)X
1275(the)X
1402(principal.)X
1756(\(A)X
1870(database)X
2176(may)X
2343(want)X
2528(to)X
2619(maintain)X
2928(two)X
3077(expiration)X
3431(dates:)X
3647(one)X
3791(for)X
3913(the)X
555 5476(principal,)N
881(and)X
1018(one)X
1154(for)X
1268(the)X
1386(principal's)X
1749(current)X
1997(key.)X
2173(This)X
2335(allows)X
2564(password)X
2887(aging)X
3085(to)X
3167(work)X
3352(independently)X
3826(of)X
3913(the)X
555 5572(principal's)N
919(expiration)X
1265(date.)X
1460(However,)X
1796(due)X
1933(to)X
2016(the)X
2135(limited)X
2382(space)X
2582(in)X
2665(the)X
2783(responses,)X
3135(the)X
3253(KDC)X
3442(must)X
3617(combine)X
3913(the)X
555 5668(key)N
693(expiration)X
1040(and)X
1178(principal)X
1485(expiration)X
1832(date)X
1988(into)X
2134(a)X
2192(single)X
2405(value)X
2601(called)X
2815("key_exp",)X
3195(which)X
3413(is)X
3488(used)X
3657(as)X
3746(a)X
3804(hint)X
3949(to)X
555 5764(the)N
673(user)X
827(to)X
909(take)X
1063(administrative)X
1541(action.\))X
555 6144(Section)N
815(4.2.)X
2196(-)X
2243(14)X
2343(-)X
15 p
%%Page: 15 17
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
755 672(The)N
910('attributes')X
1292(\256eld)X
1464(is)X
1547(a)X
1613(bit\256eld)X
1869(used)X
2046(to)X
2138(govern)X
2391(the)X
2519(operations)X
2882(involving)X
3217(the)X
3344(principal.)X
3698(This)X
3869(\256eld)X
555 768(might)N
764(be)X
862(useful)X
1080(in)X
1164(conjunction)X
1564(with)X
1728(user)X
1884(registration)X
2271(procedures)X
2646(or)X
2735(for)X
2851(site-speci\256c)X
3256(policy)X
3478(implementations)X
555 864(\(Project)N
833(Athena)X
1089(currently)X
1403(uses)X
1565(it)X
1633(for)X
1751(their)X
1922(user)X
2080(registration)X
2469(process)X
2734(controlled)X
3082(by)X
3185(the)X
3306(system-wide)X
3734(database)X
555 960(service,)N
824(Moira.)X
8 s
1040 935(8)N
10 s
1093 960(\).)N
1181(Other)X
1385(bits)X
1521(are)X
1640(used)X
1807(to)X
1889(indicate)X
2163(that)X
2303(certain)X
2542(ticket)X
2740(options)X
2995(should)X
3228(not)X
3350(be)X
3446(allowed)X
3720(in)X
3802(tickets)X
555 1056(encrypted)N
897(under)X
1105(a)X
1166(principal's)X
1534(key)X
1675(\(one)X
1843(bit)X
1952(each\):)X
2194(Disallow)X
2508(issuing)X
2759(postdated)X
3091(tickets,)X
3345(disallow)X
3640(issuing)X
3890(for-)X
555 1152(wardable)N
873(tickets,)X
1125(disallow)X
1419(issuing)X
1668(tickets)X
1900(based)X
2106(on)X
2209(TGT)X
2388(authentication,)X
2885(disallow)X
3179(issuing)X
3428(renewable)X
3782(tickets,)X
555 1248(disallow)N
846(issuing)X
1092(proxiable)X
1415(tickets,)X
1664(disallow)X
1955(issuing)X
2201(duplicate)X
2515(session)X
2766(key)X
2902(tickets.)X
755 1372(The)N
908('mod_date')X
1306(\256eld)X
1476(contains)X
1771(the)X
1897(time)X
2067(of)X
2162(last)X
2301(modi\256cation)X
2733(of)X
2827(the)X
2952(entry,)X
3164(and)X
3307(the)X
3432('mod_name')X
3869(\256eld)X
555 1468(contains)N
842(the)X
960(name)X
1154(of)X
1241(the)X
1359(principal)X
1664(which)X
1880(last)X
2011(modi\256ed)X
2315(the)X
2433(entry.)X
3 f
12 s
555 1660(4.3.)N
747(Frequently)X
1225(Changing)X
1648(Fields)X
1 f
10 s
755 1784(Some)N
960(KDC)X
1152(implementations)X
1708(may)X
1868(wish)X
2041(to)X
2125(maintain)X
2427(the)X
2547(last)X
2680(time)X
2844(that)X
2986(a)X
3044(request)X
3298(was)X
3445(made)X
3641(by)X
3743(a)X
3801(partic-)X
555 1880(ular)N
707(principal.)X
1059(Information)X
1469(that)X
1615(might)X
1827(be)X
1929(maintained)X
2311(includes)X
2604(the)X
2728(time)X
2896(of)X
2989(the)X
3113(last)X
3250(request,)X
3528(the)X
3652(time)X
3820(of)X
3913(the)X
555 1976(last)N
694(request)X
954(for)X
1076(a)X
1140(ticket-granting)X
1640(ticket,)X
1866(the)X
1991(time)X
2160(of)X
2254(the)X
2379(last)X
2517(use)X
2651(of)X
2745(a)X
2808(ticket-granting)X
3307(ticket,)X
3532(or)X
3626(other)X
3818(times.)X
555 2072(This)N
722(information)X
1125(can)X
1261(then)X
1423(be)X
1523(returned)X
1815(to)X
1901(the)X
2023(user)X
2181(in)X
2267(the)X
2389(last_req)X
2667(\256eld)X
2833(\(more)X
3049(detail)X
3251(can)X
3387(be)X
3487(found)X
3698(in)X
3784(section)X
555 2168(6\).)N
755 2292(Other)N
968(frequently)X
1328(changing)X
1652(information)X
2060(that)X
2209(can)X
2350(be)X
2455(maintained)X
2840(is)X
2922(the)X
3049(latest)X
3247(expiration)X
3601(time)X
3772(for)X
3895(any)X
555 2388(tickets)N
788(that)X
932(have)X
1107(been)X
1282(issued)X
1505(using)X
1701(each)X
1872(key.)X
2051(This)X
2216(\256eld)X
2381(would)X
2604(be)X
2703(used)X
2873(to)X
2958(indicate)X
3235(how)X
3396(long)X
3561(old)X
3686(keys)X
3856(must)X
555 2484(remain)N
798(valid)X
978(to)X
1060(allow)X
1258(the)X
1376(continued)X
1712(use)X
1839(of)X
1926(outstanding)X
2319(tickets.)X
3 f
12 s
555 2676(4.4.)N
747(Site)X
926(Constants)X
1 f
10 s
755 2800(The)N
907(KDC)X
1103(implementation)X
1632(should)X
1872(have)X
2051(the)X
2176(following)X
2514(con\256gurable)X
2942(constants)X
3267(or)X
3361(options,)X
3643(to)X
3731(allow)X
3935(an)X
555 2896(administrator)N
1002(to)X
1084(make)X
1278(and)X
1414(enforce)X
1676(policy)X
1896(decisions)X
2214(related)X
2453(to)X
2535(them:)X
10 f
555 3020(g)N
1 f
675(The)X
831(minimum)X
1172(supported)X
1519(lifetime)X
1799(\(used)X
2003(to)X
2095(determine)X
2446(whether)X
2735(the)X
2863(KDC_ERR_NEVER_VALID)X
3854(error)X
675 3116(should)N
908(be)X
1004(returned\))X
10 f
555 3240(g)N
1 f
675(The)X
820(maximum)X
1164(allowable)X
1496(total)X
1658 0.3125(\(renewable\))AX
2063(lifetime)X
2332(of)X
2419(a)X
2475(ticket)X
2673(\(renew_till)X
3045(-)X
3092(starttime\))X
10 f
555 3364(g)N
1 f
675(The)X
820(maximum)X
1164(allowable)X
1496(lifetime)X
1765(of)X
1852(a)X
1908(ticket)X
2106(\(endtime)X
2411(-)X
2458(starttime\))X
10 f
555 3488(g)N
1 f
675(Whether)X
983(to)X
1076(allow)X
1285(the)X
1414(issue)X
1604(of)X
1701(tickets)X
1940(with)X
2112(empty)X
2342(address)X
2613(\256elds)X
2816(\(including)X
3175(the)X
3303(ability)X
3537(to)X
3629(specify)X
3891(that)X
675 3584(such)N
842(tickets)X
1071(may)X
1229(only)X
1391(be)X
1487(issued)X
1707(if)X
1776(the)X
1894(request)X
2146(speci\256es)X
2442(some)X
2631(authorization_data\))X
10 f
555 3708(g)N
1 f
675(XXX)X
3 f
12 s
555 3900(5.)N
675(Notation)X
1 f
10 s
555 4024(Numbers)N
869(are)X
988(given)X
1186(in)X
1268(decimal)X
1542(unless)X
1762(otherwise)X
2094(indicated.)X
555 4148(We)N
692(assume)X
953(8-bit)X
1129(bytes.)X
1363(The)X
1512(words)X
1732("byte")X
1960(and)X
2100("octet")X
2346(are)X
2469(used)X
2640(synonymously.)X
3170(An)X
3292(octet)X
3472(is)X
3549(represented)X
3944(as)X
555 4244(follows:)N
7 f
603 4340(01234567)N
555 4436(+--------+)N
9 f
571 4532(|)N
1003(|)X
7 f
555 4628(+--------+)N
555 4724(<-8)N
747(bits->)X
1 f
555 4896(The)N
700(most)X
875(signi\256cant)X
1228(bit)X
1332(\(msb\))X
1539(is)X
1612(bit)X
1716(0;)X
1798(the)X
1916(least)X
2083(signi\256cant)X
2436(bit)X
2540(is)X
2613(bit)X
2717(7.)X
3 f
555 5088(Byte)N
731(order)X
1 f
555 5212(Fields)N
776(which)X
998(span)X
1171(more)X
1362(than)X
1526(one)X
1668(octet)X
1850(and)X
1992(represent)X
2313(a)X
2374(single)X
2590(numerical)X
2936(value)X
3135(are)X
3259(always)X
3507(shown)X
3741(in)X
3828(``big-)X
555 5308(endian'')N
843(byte)X
1001(order)X
1191(\(the)X
1336(standard)X
1628(Internet)X
1898(and)X
2034(ISO)X
2183(ASN.1)X
2423(network)X
2706(byte)X
2864(order\):)X
555 6144(Section)N
815(5.)X
2196(-)X
2243(15)X
2343(-)X
16 p
%%Page: 16 18
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
699 672(MSB)N
1995(LSB)X
555 768(+--------+--------+--------+--------+)N
9 f
571 864(|)N
7 f
651(Byte)X
891(0)X
9 f
1003(|)X
7 f
1083(Byte)X
1323(1)X
9 f
1435(|)X
7 f
1515(Byte)X
1755(2)X
9 f
1867(|)X
7 f
1947(Byte)X
2187(3)X
9 f
2299(|)X
7 f
555 960(+--------+--------+--------+--------+)N
555 1056(<-------------32)N
1371(bits--------------->)X
1 f
555 1228(The)N
700(most)X
875(signi\256cant)X
1228(byte)X
1386(\(MSB\))X
1628(is)X
1701(Byte)X
1872(0;)X
1954(the)X
2072(least)X
2239(signi\256cant)X
2592(byte)X
2750(\(LSB\))X
2970(in)X
3052(this)X
3187(diagram)X
3470(is)X
3543(Byte)X
3714(3.)X
3 f
555 1420(Optional)N
876(\256elds)X
1 f
755 1544(Some)N
961(of)X
1052(the)X
1174(protocol)X
1465(messages)X
1792(have)X
1968(optional)X
2254(\256elds;)X
2472(they)X
2633(are)X
2755(labeled)X
3010(with)X
3175(square)X
3408(brackets)X
3699(surround-)X
555 1640(ing)N
677(the)X
795(\256eld)X
957(name)X
1151(to)X
1233(indicate)X
1507(that)X
1647(they)X
1805(are)X
1924(optional:)X
7 f
555 1736(+-----------------------------------+)N
9 f
571 1832(|)N
7 f
1083([optional_field])X
9 f
2299(|)X
7 f
555 1928(+-----------------------------------+)N
3 f
555 2168(Octet)N
763(values)X
1 f
555 2292(Some)N
757(octet)X
933(values)X
1158(are)X
1277(speci\256ed)X
1582(in)X
1664(a)X
1720(diagram)X
2003(by)X
2103(showing)X
2394(all)X
2494(eight)X
2674(bits)X
2809(in)X
2891(MSB)X
3079(order.)X
755 2416(To)N
874(avoid)X
1082(tedious)X
1343(bit-wise)X
1631(speci\256cation)X
2066(of)X
2163(octets,)X
2400(some)X
2599(of)X
2696(the)X
2824(following)X
3165(examples)X
3498(will)X
3652(specify)X
3913(the)X
555 2512(value)N
750(of)X
838(an)X
935(octet)X
1112(in)X
1195(decimal)X
1470(\(no)X
1598(leading)X
1855(digits\))X
2080(or)X
2168(hexadecimal)X
2595(\(in)X
2705(the)X
2824(form)X
3001(0xYY,)X
3238(where)X
3456(YY)X
3593(are)X
3713(the)X
3832(hexa-)X
555 2608(decimal)N
836(digits\).)X
1107(In)X
1201(such)X
1375(cases,)X
1592(the)X
1717(value)X
1918(will)X
2069(be)X
2172(centered)X
2472(in)X
2561(the)X
2686(box)X
2833(around)X
3083(the)X
3207(octet.)X
3429(If)X
3509(the)X
3633(value)X
3833(being)X
555 2704(speci\256ed)N
862(spans)X
1062(multiple)X
1350(octets,)X
1579(it)X
1645(will)X
1791(be)X
1889(displayed)X
2218(with)X
2382(the)X
2501(appropriate)X
2888(number)X
3154(of)X
3242(hexadecimal)X
3669(or)X
3757(decimal)X
555 2800(digits)N
752(centered)X
1045(in)X
1127(those)X
1316(octets.)X
3 f
12 s
555 2992(5.1.)N
747(Field)X
980(types)X
1 f
10 s
555 3116(Each)N
743(packet)X
980(is)X
1060(described)X
1395(in)X
1484(terms)X
1689(of)X
1783(a)X
1846(table)X
2029(of)X
2122(its)X
2223(\256elds)X
2422(and)X
2564(a)X
2626(diagram.)X
2955(The)X
3106(table)X
3288(gives)X
3483(the)X
3607(length,)X
3853(type,)X
555 3212(label,)N
751(and)X
887(meaning)X
1183(of)X
1270(each)X
1438(\256eld,)X
1620(for)X
1734(example:)X
2 f
1274 3356(Length)N
1831(Type)X
2133(Label)X
2503(Value)X
1 f
1274 3548(1)N
1334(octet)X
1831(ui_1)X
2133(pvno)X
2503(protocol)X
2790(version)X
3046(number)X
1274 3644(1)N
1334(octet)X
1831(type)X
2133(type)X
2503(message)X
2795(type)X
1274 3740(4)N
1334(octets)X
1831(ui_4)X
2133(error)X
2503(error)X
2680(code)X
1274 3836(<=)N
1384(128)X
1524(octets)X
1831(string)X
2133(err_text)X
2503(error)X
2680(text)X
555 4076(The)N
706("Length")X
1025(column)X
1291(gives)X
1486(the)X
1610(number)X
1881(of)X
1974(octets)X
2186(in)X
2273(the)X
2396(\256eld.)X
2603(If)X
2682(a)X
2743(length)X
2968(is)X
3046(given)X
3249(as)X
3341("<=)X
3489('y')X
3608(octets",)X
3873(then)X
555 4172(the)N
675(length)X
897(of)X
986(the)X
1106(\256eld)X
1270(is)X
1344(variable,)X
1644(and)X
1781(the)X
1900(Kerberos)X
2216(version)X
2473(5)X
2534(protocol)X
2822(does)X
2990(not)X
3113(specify)X
3366(a)X
3423(limit)X
3594(on)X
3695(its)X
3791(length.)X
555 4268(However,)N
904(implementations)X
1471(may)X
1643(restrict)X
1900(the)X
2032(length,)X
2286(but)X
2422(such)X
2603(implementations)X
3170(are)X
3303(required)X
3605(to)X
3701(support)X
3975(a)X
555 4364(length)N
776(of)X
864(at)X
943(least)X
1111('y')X
1226(octets)X
1434(\(this)X
1597(length)X
1818(encompasses)X
2258(the)X
2377(entire)X
2581(encoding)X
2896(of)X
2984(the)X
3103(\256eld)X
3266(contents,)X
3573(including)X
3895(any)X
555 4460(length)N
780(indicators)X
1121(and)X
1262(type)X
1425(\256elds\).)X
1690(Implementors)X
2160(should)X
2398(note)X
2561(that)X
2706(if)X
2779(their)X
2950(implementations)X
3507(generate)X
3804(such)X
3975(a)X
555 4556(\256eld)N
730(with)X
905(length)X
1138(greater)X
1395(than)X
1566('y')X
1693(octets,)X
1933(then)X
2104(the)X
2235(protocol)X
2535(message)X
2840(containing)X
3210(such)X
3389(a)X
3457(\256eld)X
3631(may)X
3801(not)X
3935(be)X
555 4652(accepted)N
867(by)X
977(some)X
1176(implementations.)X
1779(If)X
1863(an)X
1969(implementation)X
2501(is)X
2584(rejecting)X
2894(a)X
2959(message)X
3260(because)X
3544(of)X
3640(\256eld)X
3811(length)X
555 4748(restrictions,)N
951(it)X
1015(should)X
1248(use)X
1375(the)X
1493(KRB_ERR_FIELD_TOOLONG)X
2567(error)X
2744(code.)X
555 4940(The)N
704(absolute)X
995(length)X
1219(of)X
1310(such)X
1481(a)X
1541(\256eld)X
1707(is)X
1784(the)X
1906(length)X
2130(of)X
2221(the)X
2343(data)X
2501(plus)X
2658(the)X
2780(number)X
3049(of)X
3139(octets)X
3349(needed)X
3600(to)X
3685(encode)X
3936(its)X
555 5036(length)N
775(as)X
862(speci\256ed)X
1167(for)X
1281(the)X
1399(type)X
1557(bytes_asn1)X
1933(\(described)X
2288(below\).)X
555 5228(The)N
700("Type")X
951(column)X
1211(refers)X
1415(to)X
1497(a)X
1553(type)X
1711(described)X
2039(in)X
2121(this)X
2256(section.)X
555 5420(The)N
700("Label")X
969(refers)X
1173(to)X
1255(the)X
1373(\256eld's)X
1593(label)X
1769(in)X
1851(the)X
1969(diagram.)X
555 5612(The)N
700("Value")X
978(gives)X
1167(the)X
1285(meaning)X
1581(of)X
1668(the)X
1786(\256eld.)X
555 5832(A)N
633(diagram)X
916(for)X
1030(the)X
1148(table)X
1324(above)X
1536(is:)X
555 6144(Section)N
815(5.1.)X
2196(-)X
2243(16)X
2343(-)X
17 p
%%Page: 17 19
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
555 672(+--------+--------+--------+--------+--------+--------+)N
9 f
571 768(|)N
7 f
699(pvno)X
9 f
1003(|)X
7 f
1131(type)X
9 f
1435(|)X
7 f
2187(error)X
9 f
3163(|)X
7 f
555 864(+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 960(|)N
7 f
1899("err_text")X
9 f
3595(|)X
7 f
555 1056(+--------------------------------------------------------------+)N
1 f
555 1228(Since)N
755(many)X
955(\256elds)X
1150(in)X
1234(the)X
1354(Kerberos)X
1671(protocols)X
1991(are)X
2112(of)X
2200(variable)X
2480(length,)X
2721(the)X
2840(layout)X
3061(of)X
3149(the)X
3268(corresponding)X
3748(diagram)X
555 1324(is)N
642(somewhat)X
1001(arbitrary.)X
1352(For)X
1497(example,)X
1823(the)X
1955("err_text")X
2305(\256eld)X
2481(above)X
2707(is)X
2794(a)X
2864(variable-length)X
3384(string,)X
3620(so)X
3724(the)X
3855(table)X
555 1420(above)N
767(could)X
965(also)X
1114(be)X
1210(depicted)X
1502(as:)X
7 f
555 1516(+--------+--------+--------+--------+--------+--------+---------------+)N
9 f
571 1612(|)N
7 f
699(pvno)X
9 f
1003(|)X
7 f
1131(type)X
9 f
1435(|)X
7 f
2187(error)X
9 f
3163(|)X
7 f
3339("err_text")X
9 f
3931(|)X
7 f
555 1708(+--------+--------+--------+--------+--------+--------+---------------+)N
1 f
555 1852(Variable-length)N
1092(\256elds)X
1297(which)X
1525(are)X
1656(not)X
1790(strings)X
2035(are)X
2166(\(usually?)X
2492(XXX\))X
2725(shown)X
2966(in)X
3060(diagrams)X
3386(enclosed)X
3699(in)X
3793('single)X
555 1948(quotes'.)N
851(Strings)X
1097(are)X
1216(shown)X
1445(in)X
1527("double)X
1798(quotes".)X
3 f
555 2140(5.1.1.)N
775(NULL)X
1 f
555 2264(A)N
633(null)X
777(octet,)X
973(or)X
1060(NULL,)X
1314(is)X
1387(an)X
1483(octet)X
1659(with)X
1821(8)X
1881(zero)X
2040(bits:)X
7 f
555 2360(+--------+)N
9 f
571 2456(|)N
7 f
603(00000000)X
9 f
1003(|)X
7 f
555 2552(+--------+)N
555 2648(<--NULL-->)N
1 f
555 2792(It)N
624(is)X
697(used)X
864(to)X
946(pad)X
1082(\256elds)X
1275(to)X
1357(block)X
1555(boundaries)X
1927(for)X
2041(encryption.)X
3 f
555 2984(5.1.2.)N
775(PAD)X
1 f
555 3108(Some)N
760(messages)X
1086(include)X
1345(variable-length)X
1854(\256elds.)X
2090(Block)X
2303(encryption)X
2668(ciphers)X
2922(require)X
3172(that)X
3314(their)X
3483(input)X
3669(and)X
3807(output)X
555 3204(be)N
656(multiples)X
978(of)X
1070(some)X
1264(block)X
1467(size.)X
1657(In)X
1749(these)X
1939(cases,)X
2154(a)X
2215(\256eld)X
2382(of)X
2474(NULL)X
2713(octets)X
2925(is)X
3003(used)X
3175(to)X
3262(\256ll)X
3375(up)X
3480(sections)X
3763(of)X
3855(mes-)X
555 3300(sages)N
759(to)X
851(be)X
957(encrypted)X
1304(to)X
1396(the)X
1524(next)X
1692(multiple)X
1988(of)X
2085(the)X
2213(block)X
2421(size.)X
2615(This)X
2786(type)X
2953(of)X
3049(\256eld)X
3220(is)X
3302(called)X
3523(a)X
3588(PAD.)X
3817(In)X
3913(the)X
555 3396(diagram)N
838(representation,)X
1333(its)X
1428(label)X
1604(is)X
1677(placed)X
1907(in)X
1989(brackets)X
2277(to)X
2359(indicate)X
2633(that)X
2773(it)X
2837(may)X
2995(be)X
3091(of)X
3178(zero)X
3337(length.)X
7 f
555 3492(+-----------------------------------------------+---------------+)N
9 f
571 3588(|)N
7 f
1467("sinstance")X
9 f
2875(|)X
7 f
3147([PAD])X
9 f
3643(|)X
7 f
555 3684(+-----------------------------------------------+---------------+)N
3 f
555 3924(5.1.3.)N
775(Unsigned)X
1114(Integers)X
1 f
555 4048(Fields)N
770(of)X
857(unsigned)X
1166(integers)X
1440(of)X
1527(length)X
1747(1,)X
1827(2,)X
1907(and)X
2043(4)X
2103(octets)X
2310(are)X
2429(used.)X
3 f
555 4240(ui_1)N
1 f
555 4364(A)N
633(ui_1)X
795(\256eld)X
957(consists)X
1230(of)X
1317(one)X
1453(octet)X
1629(representing)X
2046(an)X
2142(unsigned)X
2451(integer:)X
7 f
555 4460(+--------+)N
9 f
571 4556(|)N
7 f
699(ui_1)X
9 f
1003(|)X
7 f
555 4652(+--------+)N
1 f
555 4824(This)N
720(type)X
881(of)X
971(\256eld)X
1136(is)X
1212(used)X
1381(for)X
1497(some)X
1688(protocol)X
1977(version)X
2235(numbers,)X
2553(key)X
2691(version)X
2949(numbers,)X
3267(some)X
3458(length)X
3680(\256elds,)X
3895(and)X
555 4920(the)N
673(millisecond)X
1066(\256eld)X
1228(of)X
1315(a)X
1371(timestamp.)X
3 f
555 5112(ui_2)N
1 f
555 5236(Some)N
757(data)X
911(lengths)X
1162(are)X
1281(given)X
1479(by)X
1579(two)X
1719(octets)X
1926(representing)X
2343(an)X
2439(unsigned)X
2748(integer:)X
7 f
555 5332(+--------+--------+)N
9 f
571 5428(|)N
7 f
891(ui_2)X
9 f
1435(|)X
7 f
555 5524(+--------+--------+)N
1 f
555 5696(The)N
700(ui_2)X
862(\256eld)X
1024(is)X
1097(used,)X
1284(for)X
1398(example,)X
1710(to)X
1792(indicate)X
2066(the)X
2184(encryption)X
2547(type)X
2705(in)X
2787(use)X
2914(in)X
2996(a)X
3052(KRB_KDC_REP)X
3631(message.)X
555 6144(Section)N
815(5.1.3.)X
2196(-)X
2243(17)X
2343(-)X
18 p
%%Page: 18 20
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
555 672(ui_4)N
1 f
555 796(Some)N
757(\256elds)X
950(are)X
1069(represented)X
1460(by)X
1560(an)X
1656(unsigned)X
1965(integer)X
2208(of)X
2295(4)X
2355(octets:)X
7 f
555 892(+--------+--------+--------+--------+)N
9 f
571 988(|)N
7 f
1323(ui_4)X
9 f
2299(|)X
7 f
555 1084(+--------+--------+--------+--------+)N
1 f
555 1228(This)N
718(type)X
877(of)X
965(\256eld)X
1128(is)X
1202(used,)X
1390(for)X
1505(example,)X
1818(for)X
1933(the)X
2052('error')X
2284(\256eld)X
2446(in)X
2528(the)X
2646(KRB_ERROR)X
3136(message)X
3428(to)X
3510(encode)X
3758(an)X
3854(error)X
555 1324(code.)N
3 f
555 1516(timestamp)N
1 f
555 1640(A)N
636("timestamp")X
1058(is)X
1134(a)X
1193(special)X
1439(case)X
1601(of)X
1691(a)X
1750(ui_4)X
1915(\256eld,)X
2100(used)X
2270(to)X
2355(indicate)X
2632(the)X
2753(date)X
2910(and)X
3049(time.)X
3254(The)X
3401(time)X
3565(is)X
3640(represented)X
555 1736(as)N
642(Internet)X
912(time.)X
1114(\(Internet)X
1411(time)X
1573(is)X
1646(the)X
1764(number)X
2029(of)X
2116(seconds)X
2390(since)X
2575(00:00:00)X
2879(UTC,)X
3079(1)X
3139(January)X
3409(1900.\262\))X
7 f
555 1832(+--------+--------+--------+--------+)N
9 f
571 1928(|)N
7 f
1179(timestamp)X
9 f
2299(|)X
7 f
555 2024(+--------+--------+--------+--------+)N
3 f
555 2264(confounder)N
1 f
555 2388(A)N
649("confounder")X
1117(is)X
1206(a)X
1278(special)X
1537(case)X
1712(of)X
1815(a)X
1887(ui_2)X
2065(\256eld,)X
2262(used)X
2444(to)X
2541(introduce)X
2879(randomness)X
3297(into)X
3456(the)X
3589(beginning)X
3944(of)X
555 2484(encrypted)N
896(text.)X
1080(This)X
1246(randomness)X
1653(makes)X
1882(chosen-)X
2156(and)X
2296(known-plaintext)X
2845(attacks)X
3092(more)X
3281(computationally)X
3824(inten-)X
555 2580(sive)N
704(for)X
818(most)X
993(cryptosystems)X
1471(that)X
1611(will)X
1755(be)X
1851(used)X
2018(with)X
2180(Kerberos.)X
7 f
555 2676(+--------+--------+)N
9 f
571 2772(|)N
7 f
747(confounder)X
9 f
1435(|)X
7 f
555 2868(+--------+--------+)N
3 f
555 3108(type)N
1 f
555 3232(Message)N
858(types)X
1049(are)X
1170(encoded)X
1460(in)X
1544(a)X
1602(single)X
1815(unsigned)X
2125(octet,)X
2322("type".)X
2587(The)X
2733(least)X
2901(signi\256cant)X
3255(bit)X
3360(of)X
3448(all)X
3549(message)X
3842(types)X
555 3328(\(but)N
708(NOT)X
897(other)X
1086(types\))X
1306(is)X
1383(zero)X
1545(\(0\))X
1662([for)X
1806(historical)X
2127(compatibility].)X
2643(The)X
2791(message)X
3086(types)X
3278(are)X
3400(therefore)X
3714(multiples)X
555 3424(of)N
642(two.)X
7 f
555 3520(+--------+)N
9 f
571 3616(|)N
7 f
699(type)X
9 f
1003(|)X
7 f
555 3712(+--------+)N
3 f
555 3952(kvno)N
1 f
555 4076(Key)N
714(version)X
975(numbers)X
1276(are)X
1400(maintained)X
1781(at)X
1864(the)X
1987(KDC)X
2180(in)X
2266(the)X
2388(Kerberos)X
2707(database.)X
3048(The)X
3197(initial)X
3407(version)X
3667(of)X
3758(a)X
3818(key)X
3958(is)X
555 4172(1;)N
642(subsequent)X
1023(versions)X
1315(are)X
1439(incremented)X
1861(by)X
1966(1.)X
2071(For)X
2207(example,)X
2524(if)X
2598(a)X
2659(principal)X
2969(has)X
3101(changed)X
3394(its)X
3493(key)X
3633(three)X
3818(times,)X
555 4268(the)N
677(current)X
929(key)X
1069(will)X
1216(have)X
1391(a)X
1450(key)X
1589(version)X
1848(number)X
2116(of)X
2206(4.)X
2309(A)X
2390(key)X
2529(version)X
2788(number,)X
3076(or)X
3166("kvno")X
3415(is)X
3491(represented)X
3885(as)X
3975(a)X
555 4364(single)N
766(unsigned)X
1075(octet.)X
7 f
555 4460(+-------+)N
9 f
571 4556(|)N
7 f
651(kvno)X
9 f
955(|)X
7 f
555 4652(+-------+)N
3 f
555 4892(\257ags)N
1 f
555 5016(A)N
637(32-bit)X
852(\(4-octet\))X
1153(bit)X
1261(\256eld)X
1427(of)X
1518(\257ags)X
1693(\(also)X
1873(called)X
2089(options\))X
2375(is)X
2452(used)X
2623(in)X
2709(a)X
2769(Ticket)X
2998(and)X
3137(in)X
3222(KDC)X
3414(requests/responses)X
555 5112(to)N
637(indicate)X
911(various)X
1167(options)X
1422(or)X
1509(modes)X
1738(of)X
1825(operation.)X
8 s
10 f
555 5424(hhhhhhhhhhhhhhhhhh)N
1 f
555 5504(\262The)N
709(Internet)X
930(timestamp)X
1220(encoding)X
1477(used)X
1617(here)X
1749(encodes)X
1977(a)X
2028(given)X
2193(time)X
2330(with)X
2467(an)X
2550(integer)X
2749(2208988800)X
3091(seconds)X
3315(greater)X
3513(than)X
3645(the)X
555 5584(timestamps)N
872(used)X
1014(in)X
1088(Kerberos)X
1345(version)X
1557(4)X
1613(\(which)X
1814(were)X
1961(standard)X
2201(UNIX)X
2384(timestamps,)X
2716(the)X
2818(number)X
3037(of)X
3114(seconds)X
3340(since)X
3495(00:00:00)X
555 5664(UTC,)N
715(1)X
763(January)X
977(1970\).)X
10 s
555 6144(Section)N
815(5.1.3.)X
2196(-)X
2243(18)X
2343(-)X
19 p
%%Page: 19 21
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
555 672(+--------+--------+--------+--------+)N
9 f
571 768(|)N
7 f
1323(flags)X
9 f
2299(|)X
7 f
555 864(+--------+--------+--------+--------+)N
3 f
555 1104(5.1.4.)N
775(ASN.1)X
1015(Byte)X
1191(vectors)X
1457(\(bytes_asn1\))X
1 f
555 1228(Some)N
767(\256elds)X
970(contain)X
1235(data)X
1398(which)X
1623(are)X
1751(octet)X
1936(strings)X
2178(encoded)X
2475(as)X
2571(a)X
2636(length)X
2865(sub-\256eld)X
3174(followed)X
3488(by)X
3597(the)X
3724(contents.)X
555 1324(The)N
701(length)X
922(sub-\256eld)X
1223(is)X
1297(encoded)X
1586(according)X
1923(to)X
2005(ASN.1)X
2245(de\256nite)X
2505(form)X
2681(\(ISO)X
2857(8825:1987\(E\),)X
3342(section)X
3589(6.3.3\))X
3796(\(this)X
3958(is)X
555 1420(an)N
651(excerpt)X
908(with)X
1070(the)X
1188(bit)X
1292(order)X
1482(changed)X
1770(to)X
1852(be)X
1948(consistent)X
2288(with)X
2450(our)X
2577(numbering,)X
2964(i.e.)X
3082(most)X
3257(signi\256cant)X
3610(bit)X
3714(is)X
3787(bit)X
3891(0\):)X
843 1660(If)N
924(the)X
1049(length)X
1276(of)X
1370(the)X
1495(contents)X
1789(is)X
1869(127)X
2016(or)X
2110(less,)X
2276(the)X
2400(length)X
2626(sub-\256eld)X
2932(is)X
3011(a)X
3073(single)X
3290(octet)X
3472(in)X
3560(which)X
3782(bit)X
3892(0)X
3958(is)X
843 1756(zero)N
1005(and)X
1144(bits)X
1282(1)X
1345(to)X
1430(7)X
1493(encode)X
1744(the)X
1865(number)X
2133(of)X
2223(octets)X
2433(in)X
2518(the)X
2639(contents)X
2929(sub-\256eld)X
3232(\(which)X
3478(may)X
3638(be)X
3736(zero\),)X
3944(as)X
843 1852(an)N
939(unsinged)X
1248(binary)X
1473(integer)X
1716(with)X
1878(bit)X
1982(1)X
2042(as)X
2129(the)X
2247(most)X
2422(signi\256cant)X
2775(bit.)X
843 2044(If)N
918(the)X
1037(length)X
1258(of)X
1346(the)X
1465(contents)X
1753(is)X
1827(greater)X
2072(than)X
2231(127,)X
2392(then)X
2551(the)X
2670(length)X
2891(sub-\256eld)X
3192(consists)X
3466(of)X
3553(an)X
3649(initial)X
3855(octet)X
843 2140(and)N
981(one)X
1119(or)X
1208(more)X
1395(subsequent)X
1773(octets.)X
2022(The)X
2169(initial)X
2377(octet)X
2555(shall)X
2728(be)X
2826(encoded)X
3116(as)X
3205(follows:)X
3509(a\))X
3594(bit)X
3700(0)X
3762(shall)X
3935(be)X
843 2236(one;)N
1006(b\))X
1098(bits)X
1238(1)X
1303(to)X
1390(7)X
1455(shall)X
1631(encode)X
1884(the)X
2006(number)X
2275(of)X
2366(subsequent)X
2746(octets)X
2957(in)X
3043(the)X
3165(length)X
3389(sub-\256eld,)X
3713(as)X
3804(an)X
3904(un-)X
843 2332(signed)N
1074(binary)X
1301(integer)X
1546(with)X
1710(bit)X
1815(1)X
1876(as)X
1964(the)X
2083(most)X
2259(signi\256cant)X
2613(bit;)X
2740(c\))X
2824(the)X
2943(value)X
3138(11111111\(base)X
3649(2\))X
3737(shall)X
3909(not)X
843 2428(be)N
942(used.)X
1152(Bits)X
1303(0)X
1366(to)X
1451(7)X
1514(of)X
1604(the)X
1725(\256rst)X
1871(subsequent)X
2249(octet,)X
2447(followed)X
2754(by)X
2856(bits)X
2993(0)X
3055(to)X
3139(7)X
3201(of)X
3290(the)X
3410(second)X
3655(subsequent)X
843 2524(octet,)N
1044(followed)X
1354(in)X
1441(turn)X
1595(by)X
1700(bits)X
1840(0)X
1905(to)X
1992(7)X
2056(of)X
2147(each)X
2319(further)X
2562(octet)X
2742(up)X
2846(to)X
2932(and)X
3072(including)X
3398(the)X
3520(last)X
3655(subsequent)X
843 2620(octet)N
1033(in)X
1129(the)X
1261(length)X
1495(sub-\256eld,)X
1829(shall)X
2014(be)X
2124(the)X
2256(encoding)X
2584(of)X
2685(an)X
2795(unsigned)X
3117(binary)X
3355(integer)X
3611(equal)X
3818(to)X
3913(the)X
843 2716(number)N
1108(of)X
1195(octets)X
1402(in)X
1484(the)X
1602(contents)X
1889(sub-\256eld.)X
555 2860(Such)N
742(\256elds)X
942(are)X
1068(referred)X
1351(to)X
1440(in)X
1529(tables)X
1743(as)X
1837(type)X
2002(bytes_asn1.)X
2425(In)X
2518(diagrams,)X
2858(\256elds)X
3057(of)X
3150(this)X
3291(type)X
3455(have)X
3633(their)X
3806(names)X
555 2956(enclosed)N
856(in)X
938('single)X
1176(quotes')X
1432(\(since)X
1644(they)X
1802(are)X
1921(of)X
2008(variable)X
2287(length\),)X
2554(and)X
2690(the)X
2808(octet)X
2984(delimiters)X
3324(`+')X
3443(are)X
3562(missing:)X
7 f
555 3052(+-----------------------------------------------------------------------+)N
9 f
571 3148(|)N
7 f
2043('bytes_asn1')X
9 f
4027(|)X
7 f
555 3244(+-----------------------------------------------------------------------+)N
3 f
555 3484(5.1.5.)N
775(ASN.1)X
1015(lengths)X
1 f
555 3608(Some)N
770(\256elds)X
976(use)X
1116(the)X
1247(ASN.1)X
1500(length)X
1733(encoding)X
2060(described)X
2400(above)X
2624(as)X
2723(a)X
2791(separate)X
3087(sub-\256eld)X
3399(to)X
3493(denote)X
3739(the)X
3869(total)X
555 3704(length)N
775(of)X
862(a)X
918(\256eld.)X
3 f
555 3896(5.1.6.)N
775(Strings)X
1 f
555 4020(Strings)N
808(are)X
934(\256elds)X
1134(of)X
1228(type)X
1392(bytes_asn1.)X
1794(Some)X
2002(implementations)X
2561(may)X
2725(restrict)X
2974(them)X
3160(to)X
3248(the)X
3372(short)X
3558(form)X
3740(\(i.e.)X
3891(127)X
555 4116(bytes)N
756(of)X
855(data\))X
1048(of)X
1147(encoding.)X
1513(The)X
1670(string)X
1884(contents)X
2183(are)X
2314(encoded)X
2614(in)X
2708(the)X
2838(ISO)X
2999(Latin)X
3200(1)X
3272(character)X
3600(set)X
3721(\(see)X
3882(ISO)X
555 4212(8859-1\)\262.)N
909(For)X
1040(example,)X
1352(the)X
1470(string)X
1672("SNAIL")X
1994(which)X
2210(has)X
2337(the)X
2455(encoding:)X
7 f
651 4308(Byte)N
891(0)X
2811(Byte)X
3051(5)X
555 4404(+--------+--------+--------+--------+--------+--------+)N
9 f
571 4500(|)N
7 f
699(0x5)X
9 f
1003(|)X
7 f
1131(0x53)X
9 f
1435(|)X
7 f
1563(0x4E)X
9 f
1867(|)X
7 f
1995(0x41)X
9 f
2299(|)X
7 f
2427(0x49)X
9 f
2731(|)X
7 f
2859(0x4C)X
9 f
3163(|)X
7 f
555 4596(+--------+--------+--------+--------+--------+--------+)N
555 4692(<----------------------6)N
1755(octets----------------------->)X
1 f
555 4836(A)N
633(string)X
835(of)X
922(unspeci\256ed)X
1307(length)X
1527(is)X
1600(represented)X
1991(in)X
2073(diagrams)X
2387(as:)X
7 f
555 4932(+-----------------------------------+)N
9 f
571 5028(|)N
7 f
1227("string")X
9 f
2299(|)X
7 f
555 5124(+-----------------------------------+)N
555 5220(<-------------?)N
1323(octets-------------->)X
1 f
555 5364(where)N
782("string")X
1060(is)X
1143(a)X
1209(descriptive)X
1591(label.)X
1817(Note)X
2003(that)X
2153(the)X
2281(label)X
2467(is)X
2549(placed)X
2788(in)X
2879("double)X
3159(quotation)X
3490(marks",)X
3768(and)X
3913(the)X
555 5460(octet)N
737(delimiters)X
1083(`+')X
1208(are)X
1333(missing.)X
1647(Strings)X
1899(are)X
2024(used)X
2197(to)X
2285(represent)X
2606(the)X
2730(name,)X
2950(instance,)X
3259(or)X
3352(realm)X
3561(of)X
3654(a)X
3716(Kerberos)X
555 5556(principal)N
860(and)X
996(error)X
1173(messages.)X
8 s
10 f
555 5636(hhhhhhhhhhhhhhhhhh)N
1 f
555 5716(\262The)N
702(\256rst)X
818(128)X
930(characters)X
1203(in)X
1269(this)X
1378(encoding)X
1628(are)X
1721(identical)X
1957(to)X
2023(the)X
2117(7-bit)X
2254(ASCII)X
2437(encoding.)X
10 s
555 6144(Section)N
815(5.1.6.)X
2196(-)X
2243(19)X
2343(-)X
20 p
%%Page: 20 22
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
555 672(5.1.7.)N
775(String)X
1008(Arrays)X
1 f
555 796(String)N
774(arrays)X
995(are)X
1118(encoded)X
1410(using)X
1607(a)X
1667(total)X
1832(length)X
2055(\(which)X
2301(includes)X
2591(the)X
2712(length)X
2935(of)X
3025(all)X
3128(the)X
3249(strings)X
3485(plus)X
3641(their)X
3811(length)X
555 892(encodings\))N
929(followed)X
1236(by)X
1338(the)X
1458(string)X
1662(encodings)X
2009(in)X
2093(successive)X
2454(octets.)X
2703(For)X
2836(example,)X
3149(the)X
3268(array)X
3455("FOO","NO")X
3904(has)X
555 988(the)N
673(encoding:)X
7 f
555 1084(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 1180(|)N
7 f
747(0x7)X
9 f
1003(|)X
7 f
1131(0x3)X
9 f
1435(|)X
7 f
1563(0x46)X
9 f
1867(|)X
7 f
1995(0x4F)X
9 f
2299(|)X
7 f
2427(0x4F)X
9 f
2731(|)X
7 f
2907(0x2)X
9 f
3163(|)X
7 f
3291(0x4E)X
9 f
3595(|)X
7 f
3723(0x4F)X
9 f
4027(|)X
7 f
555 1276(+--------+--------+--------+--------+--------+--------+--------+--------+)N
651 1372(total)N
1083(length)X
1563(F)X
2043(O)X
2475(O)X
2811(length)X
3339(N)X
3771(O)X
651 1468(length)N
1 f
555 1612(A)N
633(string)X
835(array)X
1021(is)X
1094(represented)X
1485(in)X
1567(diagrams)X
1881(with)X
2043(slanted)X
2290(braces)X
2516(around)X
2759(the)X
2877(name:)X
7 f
555 1708(+-----------------------------------+)N
9 f
571 1804(|)N
7 f
1083(<string)X
1467(array>)X
9 f
2299(|)X
7 f
555 1900(+-----------------------------------+)N
3 f
555 2140(5.1.8.)N
775(Host)X
955(Addresses)X
1 f
755 2264(Host)N
929(address)X
1193(\256elds)X
1389(contain)X
1648(zero)X
1810(or)X
1900(more)X
2088(network)X
2373(layer)X
2556(addresses)X
2886(for)X
3002(those)X
3193(hosts)X
3379(from)X
3557(which)X
3775(a)X
3833(ticket)X
555 2360(may)N
724(be)X
831(used.)X
1049(It)X
1129(is)X
1213(a)X
1280(compound)X
1649(\256eld,)X
1841(consisting)X
2195(of)X
2292(the)X
2420(total)X
2592(length)X
2822(of)X
2919(the)X
3047(addresses')X
3412(encodings)X
3767(and)X
3913(the)X
555 2456(addresses)N
897(themselves.)X
1327(Each)X
1522(address)X
1797(is)X
1884(preceded)X
2209(by)X
2323(a)X
2392(type.)X
2603(This)X
2778(encoding)X
3105(is)X
3191(referred)X
3480(to)X
3575(as)X
3675(type)X
3846('hos-)X
555 2552(taddrs'.)N
2 f
1045 2696(Length)N
1424(Type)X
1931(Label)X
2433(Value)X
1 f
1045 2888(variable)N
1424(asn1_length)X
1931(total_length)X
2433(Total)X
2622(length)X
2842(of)X
2929(network)X
3212(addresses)X
1045 2984(2)N
1105(octets)X
1424(ui_2)X
1931(addr_type)X
2433(Type)X
2618(of)X
2705(this)X
2840(address)X
1045 3080(variable)N
1424(bytes_asn1)X
1931(address)X
2433(The)X
2578(address)X
2839(itself)X
555 3224(The)N
701(last)X
833(two)X
974(\256elds)X
1168(are)X
1288(repeated)X
1582(until)X
1749(the)X
1868(length)X
2089(is)X
2163(consumed)X
2509(\(note)X
2695(that)X
2836(they)X
2995(may)X
3154(not)X
3276(be)X
3372(present)X
3624(if)X
3693(the)X
3811(length)X
555 3320(encodes)N
834(zero)X
993(\(0\)\).)X
7 f
555 3416(+--------------------------+)N
9 f
571 3512(|)N
7 f
939(total_length)X
9 f
1867(|)X
7 f
555 3608(+--------+--------+--------+-----------------+)N
9 f
571 3704(|)N
7 f
795(addr_type)X
9 f
1435(|)X
7 f
1851('address')X
9 f
2731(|)X
7 f
555 3800(+--------+--------+-----------------------------------------+)N
9 f
571 3896(|)N
7 f
795(addr_type)X
9 f
1435(|)X
7 f
2187('address')X
9 f
3451(|)X
7 f
555 3992(+--------+--------+-----------------------------------------+)N
1851 4088(.)N
1947(.)X
2043(.)X
1 f
555 4232(The)N
700(following)X
1031(diagram)X
1314(is)X
1387(shorthand)X
1723(for)X
1837(the)X
1955(host)X
2108(addresses:)X
7 f
555 4328(+-----------------------------------------------------------------------+)N
555 4424(/)N
1899(host)X
2139(addresses)X
4011(/)X
555 4520(+-----------------------------------------------------------------------+)N
3 f
12 s
555 4760(5.2.)N
747(Prede\256ned)X
1214(Data)X
1435(Types)X
1 f
10 s
555 4884(This)N
724(section)X
977(speci\256es)X
1279(the)X
1403(encodings)X
1754(and)X
1896(types)X
2091(for)X
2211(encryption)X
2580(keys,)X
2773(host)X
2932(addresses,)X
3286(and)X
3428(other)X
3619(types)X
3814(where)X
555 4980(part)N
700(of)X
787(the)X
905(encoding)X
1219(has)X
1346(been)X
1518(speci\256ed)X
1823(independently)X
2297(from)X
2473(the)X
2591(Kerberos)X
2906(protocol.)X
3 f
555 5172(5.2.1.)N
775(Host)X
955(address)X
1237(types)X
1 f
755 5296(All)N
879(the)X
999(values)X
1226(for)X
1342(the)X
1461(host)X
1615(address)X
1877(type)X
2036(with)X
2199(the)X
2318(most)X
2494(signi\256cant)X
2848(bit)X
2953(set)X
3063(\(1\))X
3178(are)X
3298(reserved)X
3592(for)X
3707(local)X
3884(use.)X
555 5392(All)N
689(the)X
819(values)X
1056(with)X
1230(the)X
1360(most)X
1547(signi\256cant)X
1912(bit)X
2028(reset)X
2211(\(0\))X
2336(are)X
2466(reserved)X
2770(for)X
2895(of\256cially)X
3215(assigned)X
3522(type)X
3691(\256elds)X
3895(and)X
555 5488(interpretations.)N
755 5612(The)N
907(values)X
1138(of)X
1231(the)X
1355(types)X
1550(for)X
1670(the)X
1794(following)X
2131(addresses)X
2465(are)X
2590(chosen)X
2839(to)X
2927(match)X
3149(the)X
3273(de\256ned)X
3535(address)X
3802(family)X
555 5708(constants)N
879(in)X
967(the)X
1091(Berkeley)X
1407(Standard)X
1718(Distribution)X
2130(of)X
2223(Unix.)X
2449(They)X
2640(can)X
2778(be)X
2880(found)X
3093(in)X
3180(<sys/socket.h>)X
3684(with)X
3851(sym-)X
555 5804(bolic)N
735(names)X
960(AF_xxx)X
1242(\(where)X
1486(xxx)X
1626(is)X
1699(an)X
1795(abbreviation)X
2216(of)X
2303(the)X
2421(address)X
2682(family)X
2911(name\).)X
555 6144(Section)N
815(5.2.1.)X
2196(-)X
2243(20)X
2343(-)X
21 p
%%Page: 21 23
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
755 672(The)N
905(example)X
1201(diagrams)X
1519(below)X
1739(show)X
1932(the)X
2054(encoding)X
2372(of)X
2463(the)X
2585(entire)X
2792(address)X
3057(\256eld,)X
3243(which)X
3463(\(as)X
3581(the)X
3703(addresses)X
555 768(are)N
674(encoded)X
962(as)X
1049(type)X
1207(bytes_asn1\))X
1610(includes)X
1897(the)X
2015(length)X
2235(encoding)X
2549(as)X
2636(well)X
2794(as)X
2881(the)X
2999(address)X
3260(encoding.)X
3 f
555 960(Internet)N
856(addresses)X
1 f
755 1084(Internet)N
1045(addresses)X
1393(are)X
1532(32-bit)X
1763(\(4-octet\))X
2080(quantities,)X
2451(encoded)X
2759(in)X
2861(MSB)X
3069(order.)X
3319(The)X
3483(type)X
3660(of)X
3766(internet)X
555 1180(addresses)N
906(is)X
1002(two)X
1165(\(2\).)X
1341(Example:)X
1710(the)X
1850(following)X
2203(encodes)X
2504(the)X
2644(address)X
2927("18.72.0.1")X
3355([This)X
3566(`dot-notation')X
555 1276(speci\256es)N
851(each)X
1019(octet)X
1195(of)X
1282(the)X
1400(address,)X
1681(from)X
1857(most)X
2032(signi\256cant)X
2385(to)X
2467(least)X
2634(signi\256cant,)X
3007(in)X
3089(decimal]:)X
7 f
555 1372(+--------+--------+--------+)N
9 f
571 1468(|)N
7 f
843(0x0002)X
9 f
1435(|)X
7 f
1659(4)X
9 f
1867(|)X
7 f
555 1564(+--------+--------+--------+--------+)N
9 f
571 1660(|)N
7 f
699(0x12)X
9 f
1003(|)X
7 f
1131(0x48)X
9 f
1435(|)X
7 f
1563(0x00)X
9 f
1867(|)X
7 f
1995(0x01)X
9 f
2299(|)X
7 f
555 1756(+--------+--------+--------+--------+)N
1 f
555 1900(The)N
716(ordering)X
1024(relation)X
1305(between)X
1609(Internet)X
1894(addresses)X
2237(is)X
2325(determined)X
2721(by)X
2836(treating)X
3116(the)X
3249(addresses)X
3592(as)X
3694(four-octet)X
555 1996(unsigned)N
874(integers)X
1157(with)X
1328(the)X
1455(MSB)X
1652(of)X
1748(the)X
1875(integer)X
2127(equal)X
2330(to)X
2421(the)X
2548(MSB)X
2745(of)X
2841(the)X
2968(address)X
3238(and)X
3383(comparing)X
3755(them)X
3944(as)X
555 2092(integers)N
836(\(e.g.)X
1006(18.72.0.1)X
1333(is)X
1413(treated)X
1659(as)X
1753(0x12480001\).)X
2247(If)X
2328(the)X
2453(addresses)X
2788(are)X
2914(equal,)X
3135(then)X
3300(if)X
3376(either)X
3586(UDP)X
3772(or)X
3865(TCP)X
555 2188(ports)N
747(are)X
878(in)X
972(use,)X
1131(the)X
1261(port)X
1422(numbers)X
1730(should)X
1975(be)X
2083(treated)X
2334(as)X
2433(two-octet)X
2768(unsigned)X
3089(integers,)X
3395(and)X
3543(compared;)X
3913(the)X
555 2284(result)N
753(of)X
840(that)X
980(comparison)X
1374(is)X
1447(then)X
1605(used)X
1772(as)X
1859(the)X
1977(result)X
2175(of)X
2262(the)X
2380(comparison)X
2774(of)X
2861(the)X
2979(addresses.)X
3 f
555 2476(CHAOSnet)N
966(addresses)X
1 f
755 2600(CHAOSnet)N
1146(addresses)X
1475(are)X
1595(16-bit)X
1807(\(2-octet\))X
2105(quantities,)X
2457(encoded)X
2746(in)X
2829(MSB)X
3018(order.)X
3249(The)X
3395(type)X
3554(of)X
3642(CHAOSnet)X
555 2696(addresses)N
893(is)X
975(\256ve)X
1124(\(5\).)X
1287(Example:)X
1643(the)X
1770(following)X
2110(encodes)X
2398(the)X
2525(address)X
2795("044215")X
3150([CHAOSnet)X
3575(addresses)X
3912(are)X
555 2792(usually)N
806(denoted)X
1080(in)X
1162(octal]:)X
7 f
555 2888(+--------+--------+--------+--------+--------+)N
9 f
571 2984(|)N
7 f
843(0x0005)X
9 f
1435(|)X
7 f
1659(2)X
9 f
1867(|)X
7 f
1899(01001000)X
9 f
2299(|)X
7 f
2331(10001101)X
9 f
2731(|)X
7 f
555 3080(+--------+--------+--------+--------+--------+)N
1 f
555 3224(The)N
708(ordering)X
1008(relation)X
1281(between)X
1576(CHAOSnet)X
1972(addresses)X
2307(is)X
2387(determined)X
2775(by)X
2882(treating)X
3154(the)X
3279(addresses)X
3614(as)X
3708(two-octet)X
555 3320(unsigned)N
872(integers)X
1154(with)X
1324(the)X
1450(MSB)X
1646(of)X
1741(the)X
1867(integer)X
2118(equal)X
2320(to)X
2410(the)X
2536(MSB)X
2732(of)X
2827(the)X
2953(address,)X
3242(and)X
3386(comparing)X
3757(them)X
3944(as)X
555 3416(integers)N
829(\(e.g.)X
992(044215)X
1252(would)X
1472(be)X
1568(less)X
1708(than)X
1866(055161\).)X
3 f
555 3608(ISO)N
712(addresses)X
1 f
755 3732(ISO)N
904(addresses)X
1232(are)X
1351(variable-length.)X
1897(The)X
2042(type)X
2200(of)X
2287(ISO)X
2436(addresses)X
2764(is)X
2837(seven)X
3040(\(7\).)X
3194(Example:)X
3521(XXX)X
7 f
555 3828(+--------+--------+-----------------+-----------------+)N
9 f
571 3924(|)N
7 f
843(0x0007)X
9 f
1435(|)X
7 f
1515(length)X
1851(encoding)X
9 f
2299(|)X
7 f
2571(address)X
9 f
3163(|)X
7 f
555 4020(+--------+--------+-----------------+-----------------+)N
1 f
555 4164(The)N
712(ordering)X
1016(relation)X
1293(between)X
1593(ISO)X
1754(addresses)X
2094(is)X
2179(determined)X
2572(by)X
2684(comparing)X
3059(each)X
3239(octet)X
3427(of)X
3526(the)X
3656(address,)X
3949(in)X
555 4260(encoding)N
877(order,)X
1095(until)X
1269(a)X
1333(difference)X
1688(is)X
1769(encountered.)X
2230(The)X
2383(result)X
2589(of)X
2684(the)X
2810(comparison)X
3212(is)X
3293(the)X
3419(result)X
3625(of)X
3720(the)X
3846(com-)X
555 4356(parison)N
811(of)X
898(the)X
1016(last)X
1147(octets)X
1354(or)X
1441(the)X
1559(\256rst)X
1703(pair)X
1848(of)X
1935(differing)X
2236(octets,)X
2463(whichever)X
2818(comes)X
3043(\256rst.)X
3 f
555 4548(Xerox)N
785(Network)X
1104(Services)X
1405(\(XNS\))X
1639(addresses)X
1 f
755 4672(XNS)N
938(addresses)X
1268(are)X
1389(48-bit)X
1602(\(6-octet\))X
1901(quantities,)X
2254(encoded)X
2544(in)X
2628(MSB)X
2818(order.)X
3050(The)X
3197(type)X
3357(of)X
3446(XNS)X
3628(addresses)X
3958(is)X
555 4768(six)N
671(\(6\).)X
828(Example:)X
1178(the)X
1299(following)X
1633(encodes)X
1915(the)X
2036(address)X
2300("08:00:2b:00:01:02")X
2999([This)X
3191(`colon-notation')X
3735(speci\256es)X
555 4864(each)N
723(octet,)X
919(from)X
1095(most)X
1270(signi\256cant)X
1623(to)X
1705(least)X
1872(signi\256cant,)X
2245(in)X
2327(hexadecimal]:)X
7 f
555 4960(+--------+--------+--------+)N
9 f
571 5056(|)N
7 f
843(0x0008)X
9 f
1435(|)X
7 f
1659(6)X
9 f
1867(|)X
7 f
555 5152(+--------+--------+--------+--------+--------+--------+)N
9 f
571 5248(|)N
7 f
699(0x08)X
9 f
1003(|)X
7 f
1131(0x00)X
9 f
1435(|)X
7 f
1563(0x2b)X
9 f
1867(|)X
7 f
1995(0x00)X
9 f
2299(|)X
7 f
2427(0x01)X
9 f
2731(|)X
7 f
2859(0x02)X
9 f
3163(|)X
7 f
555 5344(+--------+--------+--------+--------+--------+--------+)N
1 f
555 5488(The)N
710(ordering)X
1012(relation)X
1287(between)X
1585(XNS)X
1775(addresses)X
2113(is)X
2196(determined)X
2587(by)X
2697(comparing)X
3070(each)X
3248(octet)X
3434(of)X
3531(the)X
3659(address,)X
3949(in)X
555 5584(encoding)N
877(order,)X
1095(until)X
1269(a)X
1333(difference)X
1688(is)X
1769(encountered.)X
2230(The)X
2383(result)X
2589(of)X
2684(the)X
2810(comparison)X
3212(is)X
3293(the)X
3419(result)X
3625(of)X
3720(the)X
3846(com-)X
555 5680(parison)N
811(of)X
898(the)X
1016(last)X
1147(octets)X
1354(or)X
1441(the)X
1559(\256rst)X
1703(pair)X
1848(of)X
1935(differing)X
2236(octets,)X
2463(whichever)X
2818(comes)X
3043(\256rst.)X
555 6144(Section)N
815(5.2.1.)X
2196(-)X
2243(21)X
2343(-)X
22 p
%%Page: 22 24
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
555 672(AppleTalk)N
938(Datagram)X
1306(Delivery)X
1616(Protocol)X
1926(\(DDP\))X
2165(addresses)X
1 f
755 796(AppleTalk)N
1124(DDP)X
1310(addresses)X
1644(consist)X
1892(of)X
1985(an)X
2087(8-bit)X
2264(node)X
2446(number)X
2717(and)X
2859(a)X
2921(16-bit)X
3138(network)X
3427(number.)X
3737(The)X
3887(\256rst)X
555 892(octet)N
742(of)X
840(the)X
969(address)X
1241(is)X
1325(the)X
1454(node)X
1641(number;)X
1939(the)X
2068(remaining)X
2424(two)X
2575(octets)X
2793(encode)X
3052(the)X
3181(network)X
3475(number)X
3751(in)X
3843(MSB)X
555 988(order.)N
792(The)X
944(type)X
1109(of)X
1203(AppleTalk)X
1573(DDP)X
1760(addresses)X
2095(is)X
2175(sixteen)X
2429(\(16\).)X
2630(Example:)X
2983(the)X
3107(following)X
3444(encodes)X
3729(node)X
3911(33,)X
555 1084(network)N
838(1320:)X
7 f
555 1180(+--------+--------+--------+)N
9 f
571 1276(|)N
7 f
843(0x0010)X
9 f
1435(|)X
7 f
1659(3)X
9 f
1867(|)X
7 f
555 1372(+--------+--------+--------+)N
9 f
571 1468(|)N
7 f
699(0x21)X
9 f
1003(|)X
7 f
1131(0x05)X
9 f
1435(|)X
7 f
1563(0x28)X
9 f
1867(|)X
7 f
555 1564(+--------+--------+--------+)N
1 f
555 1708(The)N
710(ordering)X
1012(relation)X
1287(between)X
1585(DDP)X
1775(addresses)X
2113(is)X
2196(determined)X
2587(by)X
2697(comparing)X
3070(each)X
3248(octet)X
3434(of)X
3531(the)X
3659(address,)X
3949(in)X
555 1804(encoding)N
877(order,)X
1095(until)X
1269(a)X
1333(difference)X
1688(is)X
1769(encountered.)X
2230(The)X
2383(result)X
2589(of)X
2684(the)X
2810(comparison)X
3212(is)X
3293(the)X
3419(result)X
3625(of)X
3720(the)X
3846(com-)X
555 1900(parison)N
811(of)X
898(the)X
1016(last)X
1147(octets)X
1354(or)X
1441(the)X
1559(\256rst)X
1703(pair)X
1848(of)X
1935(differing)X
2236(octets,)X
2463(whichever)X
2818(comes)X
3043(\256rst.)X
3 f
555 2188(5.2.2.)N
775(Encryption)X
1181(key)X
1321(types)X
1 f
755 2312(All)N
882(the)X
1005(values)X
1235(for)X
1354(the)X
1477(encryption)X
1845(key)X
1986(type)X
2149(with)X
2316(the)X
2439(most)X
2619(signi\256cant)X
2977(bit)X
3086(set)X
3199(\(1\))X
3317(are)X
3440(reserved)X
3737(for)X
3855(local)X
555 2408(use.)N
724(All)X
848(the)X
968(values)X
1195(with)X
1359(the)X
1479(most)X
1656(signi\256cant)X
2011(bit)X
2117(reset)X
2291(\(0\))X
2406(are)X
2526(reserved)X
2820(for)X
2935(of\256cially)X
3245(assigned)X
3542(type)X
3701(\256elds)X
3895(and)X
555 2504(interpretations.)N
755 2628(The)N
911(example)X
1213(diagrams)X
1537(below)X
1763(show)X
1962(the)X
2090(encoding)X
2414(of)X
2511(the)X
2639(entire)X
2852(encryption)X
3225(key)X
3371(\256eld,)X
3563(which)X
3789(\(as)X
3913(the)X
555 2724(keys)N
722(are)X
841(encoded)X
1129(as)X
1216(type)X
1374(bytes_asn1\))X
1777(includes)X
2064(the)X
2182(length)X
2402(encoding)X
2716(as)X
2803(well)X
2961(as)X
3048(the)X
3166(key)X
3302(encoding.)X
3 f
555 2916(NULL)N
797(Key)X
1 f
555 3040(If)N
631(no)X
733(encryption)X
1098(is)X
1173(in)X
1257(use,)X
1406(the)X
1526(encryption)X
1891(system)X
2135(is)X
2210(said)X
2361(to)X
2445(be)X
2543(the)X
2663(NULL)X
2899(encryption)X
3264(system.)X
3548(An)X
3668(encryption)X
555 3136(key)N
706(in)X
803(the)X
936(NULL)X
1185(encryption)X
1563(system)X
1820(has)X
1962(type)X
2135(zero)X
2309(\(0\),)X
2458(and)X
2609(length)X
2844(zero)X
3017(\(0\).)X
3185(Example)X
3504(\(remember)X
3891(that)X
555 3232(encryption)N
918(key)X
1054(encodings)X
1399(are)X
1518(of)X
1605(type)X
1763(bytes_asn1,)X
2159(so)X
2250(they)X
2408(encode)X
2656(their)X
2823(own)X
2981(length\):)X
7 f
555 3328(+--------+--------+--------+)N
9 f
571 3424(|)N
7 f
843(0x0000)X
9 f
1435(|)X
7 f
1659(0)X
9 f
1867(|)X
7 f
555 3520(+--------+--------+--------+)N
3 f
555 3760(DES)N
730(Key)X
1 f
555 3884(A)N
640(DES)X
818(encryption)X
1188(key)X
1331(is)X
1411(8)X
1478(octets)X
1692(of)X
1786(data)X
1947(\(56)X
2081(bits)X
2223(of)X
2317(key,)X
2480(plus)X
2640(8)X
2707(parity)X
2921(bits\).)X
3130(A)X
3215(DES)X
3393(encryption)X
3762(key)X
3904(has)X
555 3980(type)N
713(one)X
849(\(1\).)X
1003(Example:)X
7 f
555 4076(+--------+--------+--------+)N
9 f
571 4172(|)N
7 f
843(0x0001)X
9 f
1435(|)X
7 f
1659(8)X
9 f
1867(|)X
7 f
555 4268(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 4364(|)N
7 f
1515(DES)X
1707(key)X
1899(\(64)X
2091(bits/8)X
2427(octets)X
2763(total\))X
9 f
4027(|)X
7 f
555 4460(+--------+--------+--------+--------+--------+--------+--------+--------+)N
3 f
555 4700(Lucifer)N
829(Key)X
1 f
555 4824(A)N
646(Lucifer)X
8 s
883 4799(9)N
10 s
948 4824(encryption)N
1324(key)X
1473(is)X
1559(128)X
1712(bits)X
1860(\(16)X
2000(octets\))X
2247(of)X
2347(data.)X
2554(A)X
2644(Lucifer)X
2913(encryption)X
3288(key)X
3436(has)X
3575(type)X
3745(two)X
3897(\(2\).)X
555 4920(Example:)N
7 f
555 5016(+--------+--------+--------+)N
9 f
571 5112(|)N
7 f
843(0x0002)X
9 f
1435(|)X
7 f
1611(16)X
9 f
1867(|)X
7 f
555 5208(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 5304(|)N
7 f
2043(Lucifer)X
2427(key)X
9 f
4027(|)X
571 5400(|)N
7 f
1659(\(128)X
1899(bits/16)X
2283(octets)X
2619(total\))X
9 f
4027(|)X
7 f
555 5496(+--------+--------+--------+--------+--------+--------+--------+--------+)N
1 f
555 6144(Section)N
815(5.2.2.)X
2196(-)X
2243(22)X
2343(-)X
23 p
%%Page: 23 25
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
555 672(5.2.3.)N
775(Encryption)X
1181(system)X
1433(types)X
1 f
755 796(All)N
887(the)X
1015(values)X
1249(for)X
1372(the)X
1499(encryption)X
1871(system)X
2122(type)X
2289(with)X
2460(the)X
2587(most)X
2771(signi\256cant)X
3133(bit)X
3246(set)X
3364(\(1\))X
3487(are)X
3615(reserved)X
3917(for)X
555 892(local)N
742(use.)X
920(All)X
1053(the)X
1182(values)X
1418(with)X
1591(the)X
1720(most)X
1906(signi\256cant)X
2270(bit)X
2385(reset)X
2568(\(0\))X
2692(are)X
2821(reserved)X
3124(for)X
3248(of\256cially)X
3567(assigned)X
3873(type)X
555 988(\256elds)N
748(and)X
884(interpretations.)X
3 f
555 1180(NULL)N
797(system)X
1 f
755 1304(If)N
840(no)X
951(encryption)X
1324(is)X
1407(in)X
1499(use,)X
1656(the)X
1784(encryption)X
2157(system)X
2409(is)X
2492(said)X
2651(to)X
2743(be)X
2849(the)X
2977(NULL)X
3221(encryption)X
3594(system.)X
3886(The)X
555 1400(NULL)N
789(encryption)X
1152(system)X
1394(does)X
1561(not)X
1683(embed)X
1917(a)X
1973(checksum)X
2314(in)X
2396(the)X
2514(pad)X
2650(bytes.)X
755 1524(The)N
900(NULL)X
1134(encryption)X
1497(system)X
1739(has)X
1866(type)X
2024(zero)X
2183(\(0\).)X
2337(The)X
2482(blocksize)X
2805(of)X
2892(this)X
3027(cryptosystem)X
3474(is)X
3547(one)X
3683(\(1\))X
3797(octet.)X
3 f
555 1716(DES)N
730(in)X
816(CBC)X
1005(mode)X
1212(with)X
1383(CRC-32)X
1684(checksum)X
1 f
755 1840(When)N
971(the)X
1093(DES)X
1268(is)X
1345(used)X
1516(in)X
1602(CBC)X
1785(mode)X
1987(with)X
2153(a)X
2213(CRC-32)X
2503(checksum)X
2848(\(described)X
3207(in)X
3293(ISO)X
3446(3309)X
8 s
1815(10)Y
10 s
3694 1840(and)N
3833(many)X
555 1936(other)N
751(places\))X
1010(of)X
1108(the)X
1237(plaintext)X
1548(embedded)X
1909(in)X
2002(the)X
2131(last)X
2273(four)X
2438(octets)X
2656(of)X
2754(the)X
2883(pad)X
3030(bytes)X
3230(\(before)X
3493(encryption\),)X
3913(the)X
555 2032(encryption)N
918(type)X
1076(is)X
1149(one)X
1285(\(1\).)X
755 2156(The)N
907(CRC-32)X
1200(checksum)X
1548(is)X
1628(computed)X
1971(over)X
2141(the)X
2266(plaintext,)X
2593(including)X
2922(the)X
3047(checksum)X
3395(or)X
3489(pad)X
3632(octets.)X
3886(The)X
555 2252(checksum)N
896(octets)X
1103(are)X
1222(to)X
1304(be)X
1400(treated)X
1639(as)X
1726(zeroes)X
1952(\(0\))X
2066(when)X
2260(computing)X
2622(the)X
2740(checksum.)X
755 2376(The)N
901(blocksize)X
1225(of)X
1313(this)X
1449(cryptosystem)X
1897(is)X
1971(eight)X
2152(\(8\))X
2267(octets.)X
2515(The)X
2661(checksum)X
3003(requires)X
3283(a)X
3340(pad)X
3477(length)X
3698(of)X
3786(at)X
3864(least)X
555 2472(four)N
709(\(4\))X
823(octets)X
1030(\(i.e.)X
1175(acceptable)X
1535(pad)X
1671(\256eld)X
1833(lengths)X
2084(are)X
2203(between)X
2491(4)X
2551(and)X
2687(11)X
2787(bytes,)X
2996(inclusive\).)X
3 f
555 2664(Lucifer)N
829(system)X
1081(with)X
1252(CRC-32)X
1553(checksum)X
1 f
755 2788(When)N
974(the)X
1099(Lucifer)X
1363(encryption)X
1732(system)X
1980(is)X
2059(used)X
2232(in)X
2320(XXX)X
2520(mode)X
2724(with)X
2892(a)X
2954(CRC-32)X
3246(checksum)X
3593(embedded)X
3949(in)X
555 2884(the)N
673(last)X
804(four)X
958(octets)X
1165(of)X
1252(the)X
1370(pad)X
1506(bytes)X
1695(\(before)X
1948(encryption\),)X
2358(the)X
2476(encryption)X
2839(type)X
2997(is)X
3070(two)X
3210(\(2\).)X
755 3008(The)N
905(blocksize)X
1233(of)X
1325(this)X
1465(cryptosystem)X
1917(is)X
1995(sixteen)X
2247(\(16\))X
2406(octets.)X
2658(The)X
2808(checksum)X
3154(requires)X
3438(a)X
3498(pad)X
3638(length)X
3862(of)X
3953(at)X
555 3104(least)N
722(four)X
876(\(4\))X
990(octets)X
1217(\(i.e.)X
1362(acceptable)X
1722(pad)X
1858(\256eld)X
2020(lengths)X
2271(are)X
2390(between)X
2678(4)X
2738(and)X
2874(19)X
2974(bytes,)X
3183(inclusive\).)X
755 3228(The)N
907(CRC-32)X
1200(checksum)X
1548(is)X
1628(computed)X
1971(over)X
2141(the)X
2266(plaintext,)X
2593(including)X
2922(the)X
3047(checksum)X
3395(or)X
3489(pad)X
3632(octets.)X
3886(The)X
555 3324(checksum)N
896(octets)X
1103(are)X
1222(to)X
1304(be)X
1400(treated)X
1639(as)X
1726(zeroes)X
1952(\(0\))X
2066(when)X
2260(computing)X
2622(the)X
2740(checksum.)X
3 f
555 3516(5.2.4.)N
775(Checksum)X
1155(types)X
1 f
755 3640(All)N
883(the)X
1007(values)X
1238(for)X
1358(the)X
1482(checksum)X
1829(type)X
1992(with)X
2159(the)X
2282(most)X
2462(signi\256cant)X
2820(bit)X
2929(set)X
3043(\(1\))X
3162(are)X
3286(reserved)X
3584(for)X
3703(local)X
3884(use.)X
555 3736(All)N
689(the)X
819(values)X
1056(with)X
1230(the)X
1360(most)X
1547(signi\256cant)X
1912(bit)X
2028(reset)X
2211(\(0\))X
2336(are)X
2466(reserved)X
2770(for)X
2895(of\256cially)X
3215(assigned)X
3522(type)X
3691(\256elds)X
3895(and)X
555 3832(interpretations.)N
755 3956(The)N
906(checksum)X
1253(types)X
1448(specify)X
1706(only)X
1874(the)X
1998(type)X
2162(of)X
2255(checksum;)X
2624(the)X
2748(length)X
2974(of)X
3067(the)X
3191(checksum)X
3538(is)X
3616(either)X
3824(expli-)X
555 4052(citly)N
724(stated)X
938(in)X
1027(the)X
1152(use)X
1286(of)X
1380(the)X
1505(checksum)X
1853(\(e.g.)X
2023(as)X
2117(part)X
2269(of)X
2363(an)X
2466(encryption)X
2836(system)X
3085(type\))X
3277(or)X
3371(is)X
3451(encoded)X
3745(with)X
3913(the)X
555 4148(checksum)N
896(itself)X
1076(in)X
1158(a)X
1214(bytes_asn1)X
1590(encoding.)X
3 f
555 4340(CRC-32)N
1 f
755 4464(The)N
900(CRC-32)X
1186(checksum)X
1527(has)X
1654(checksum)X
1995(type)X
2153(one)X
2289(\(1\).)X
3 f
555 4656(XXX)N
749(Checksum)X
1 f
755 4780(The)N
900(XXX)X
1094(Checksum)X
1452(\(described)X
1807(in)X
1889(section)X
2136(3\))X
2223(has)X
2350(checksum)X
2691(type)X
2849(two)X
2989(\(2\).)X
3 f
555 4972(Xerox)N
785(Secure)X
1037(Hash)X
1234(Function)X
1 f
755 5096(The)N
900(Xerox)X
1121(Secure)X
1360(Hash)X
1545(Function)X
8 s
1829 5071(11)N
10 s
1913 5096(has)N
2040(checksum)X
2381(type)X
2539(three)X
2720(\(3\).)X
3 f
555 5288(DES)N
730(cipher-block-chaining)X
1500(checksum)X
1858(\(MAC\))X
1 f
755 5412(The)N
912(DES)X
1095(cipher-block-chaining)X
1836(checksum)X
2189(operation,)X
2544(known)X
2794(as)X
2893(the)X
3023(Message)X
3335(Authentication)X
3842(Code)X
555 5508(\(MAC\),)N
831(has)X
958(checksum)X
1299(type)X
1457(four)X
1611(\(4\).)X
12 s
555 6144(Section)N
868(5.2.4.)X
2179(-)X
2235(23)X
2355(-)X
24 p
%%Page: 24 26
12 s 0 xH 0 xS 1 f
10 s
0 32(--)N
4323(--)X
3 f
12 s
2082 432(DRAFT)N
2436(2)X
555 672(6.)N
675(Field)X
908(Descriptions)X
1 f
10 s
755 796(Below)N
990(is)X
1069(an)X
1171(alphabetical)X
1585(summary)X
1909(of)X
2002(the)X
2126(labels)X
2338(and)X
2479(descriptions)X
2891(of)X
2983(\256elds)X
3181(used)X
3353(in)X
3440(the)X
3563(protocol)X
3855(mes-)X
555 892(sages.)N
3 f
555 1140(addresses)N
1 f
955(This)X
1119(\256eld)X
1283(is)X
1358(included)X
1656(in)X
1740(the)X
1859(initial)X
2066(request)X
2319(for)X
2434(tickets,)X
2684(and)X
2821(optionally)X
3166(included)X
3463(in)X
3546(requests)X
3830(to)X
3913(the)X
955 1236(ticket-granting)N
1450(server.)X
1709(It)X
1780(speci\256es)X
2078(the)X
2198(addresses)X
2528(from)X
2706(which)X
2924(the)X
3044(requested)X
3374(ticket)X
3574(is)X
3649(to)X
3733(be)X
3831(valid.)X
955 1332(Normally)N
1292(it)X
1366(includes)X
1663(the)X
1791(addresses)X
2129(for)X
2253(the)X
2381(client's)X
2646(workstation.)X
3093(If)X
3176(a)X
3241(proxy)X
3457(is)X
3539(requested,)X
3896(this)X
955 1428(\256eld)N
1126(will)X
1279(contain)X
1544(other)X
1738(addresses.)X
2115(The)X
2269(contents)X
2565(of)X
2661(this)X
2805(\256eld)X
2976(are)X
3104(usually)X
3364(copied)X
3607(by)X
3716(the)X
3842(KDC)X
955 1524(into)N
1105(the)X
3 f
1229(caddr)X
1 f
1455(\256eld)X
1623(of)X
1716(the)X
1840(resulting)X
2146(ticket.)X
2390(The)X
2541(type)X
2705(of)X
2798(this)X
2939(\256eld)X
3107(is)X
3185(hostaddrs;)X
3539(its)X
3639(encoding)X
3958(is)X
955 1620(speci\256ed)N
1260(in)X
1342(section)X
1589(5.1.8.)X
3 f
555 1840(ap_options)N
1 f
955(This)X
1128(\256eld,)X
1321(of)X
1419(type)X
1587(\257ags,)X
1788(appears)X
2064(in)X
2156(the)X
2284(application)X
2670(request)X
2932(\(KRB_AP_REQ\))X
3522(and)X
3668(affects)X
3913(the)X
955 1936(way)N
1115(the)X
1239(request)X
1497(is)X
1576(processed.)X
1959(It)X
2034(is)X
2113(a)X
2175(bit-\256eld,)X
2474(where)X
2697(the)X
2821(selected)X
3105(options)X
3365(are)X
3489(indicated)X
3808(by)X
3913(the)X
955 2032(bit)N
1068(being)X
1275(set)X
1393(\(1\),)X
1536(and)X
1681(the)X
1808(unselected)X
2176(options)X
2440(and)X
2585(reserved)X
2887(\256elds)X
3089(being)X
3296(reset)X
3477(\(0\).)X
3639(Bit)X
3764(0)X
3832(is)X
3913(the)X
955 2128(most)N
1130(signi\256cant)X
1483(bit.)X
2 f
955 2272(Bit\(s\))N
1232(Name)X
2106(Description)X
7 f
955 2464(0)N
1232(RESERVED)X
1 f
2106(Reserved)X
2425(for)X
2539(future)X
2751(expansion)X
3096(of)X
3183(this)X
3318(\256eld.)X
955 2656(1)N
1232(USE-SESSION-KEY)X
2106(The)X
2262(USE-SESSION-KEY)X
2986(option)X
3220(indicates)X
3535(that)X
3685(the)X
3813(ticket)X
4021(the)X
4149(client)X
4357(is)X
2106 2752(presenting)N
2465(to)X
2551(a)X
2611(server)X
2832(is)X
2909(encrypted)X
3250(in)X
3336(the)X
3458(session)X
3713(key)X
3853(from)X
4033(the)X
4155(server's)X
2106 2848(ticket-granting)N
2610(ticket.)X
2860(When)X
3084(this)X
3231(option)X
3466(is)X
3550(not)X
3683(speci\256ed,)X
4019(the)X
4148(ticket)X
4357(is)X
2106 2944(encrypted)N
2443(in)X
2525(the)X
2643(server's)X
2918(secret)X
3126(key.)X
955 3136(2)N
1232(MUTUAL-REQUIRED)X
2106(The)X
2278(MUTUAL-REQUIRED)X
3100(option)X
3351(tells)X
3531(the)X
3676(server)X
3920(that)X
4087(the)X
4232(client)X
2106 3232(requires)N
2419(mutual)X
2695(authentication,)X
3223(and)X
3393(that)X
3567(it)X
3664(must)X
3872(respond)X
4179(with)X
4374(a)X
2106 3328(KRB_AP_REP)N
2618(message.)X
955 3520(3-31)N
1232(RESERVED)X
2106(Reserved)X
2425(for)X
2539(future)X
2751(use.)X
3 f
555 3692(asn1_header)N
1 f
955 3788(The)N
1106(asn1_header)X
1534(\256eld)X
1702(is)X
1781(used)X
1954(to)X
2042(allow)X
2246(compatibility)X
2698(with)X
2866(future)X
3084(implementations)X
3643(using)X
3841(alter-)X
955 3884(nate)N
1120(\(ASN.1\))X
1425(encodings)X
1781(of)X
1879(the)X
2008(protocol)X
2306(messages.)X
2680(For)X
2822(the)X
2951(encoding)X
3276(speci\256ed)X
3591(in)X
3683(this)X
3828(docu-)X
955 3980(ment,)N
1155(its)X
1250(\256rst)X
1394(four)X
1548(bytes)X
1737(will)X
1881(always)X
2124(be)X
2220(\(hexadecimal\))X
2700(0x02,)X
2900(0x01,)X
3100(0x00,)X
3300(0x04:)X
7 f
955 4076(+--------+--------+--------+--------+-----------------------------------+)N
9 f
971 4172(|)N
7 f
1099(0x02)X
9 f
1403(|)X
7 f
1531(0x01)X
9 f
1835(|)X
7 f
1963(0x00)X
9 f
2267(|)X
7 f
2395(0x04)X
9 f
2699(|)X
7 f
3019(ASN.1)X
3307(Length)X
3643(encoding)X
9 f
4427(|)X
7 f
955 4268(+--------+--------+--------+--------+-----------------------------------+)N
1051 4364(tag:)N
1483(length)X
1867(contents)X
2347(tag:)X
2827(length)X
3163(according)X
3643(to)X
3787(ISO)X
3979(8825:1987\(E\))X
955 4460(integer)N
1435(\(1)X
1579(byte\))X
1915(\(zero\))X
2299(octetstring)X
3163(clause)X
3499(6.3.3)X
1 f
955 4604(The)N
1106(remaining)X
1457(octets)X
1670(of)X
1763(the)X
1887(asn1_header)X
2315(will)X
2465(specify)X
2723(the)X
2847(length)X
3073(of)X
3166(the)X
3289(remainder)X
3640(of)X
3732(the)X
3855(mes-)X
955 4700(sage)N
1127(using)X
1329(the)X
1456(de\256nite)X
1725(form)X
1910(of)X
2006(the)X
2132(ASN.1)X
2380(length)X
2608(octets)X
2823(encoding)X
3145(\(see)X
3303(below,)X
3547(under)X
3758("ASN.1)X
955 4796(Byte)N
1126(vectors"\).)X
3 f
555 5016(authenticator)N
1 f
955 5112(This)N
1120(\256eld)X
1285(appears)X
1554(in)X
1639(the)X
1760(KRB_AP_REQ)X
2289(message)X
2584(and)X
2723(contains)X
3013(the)X
3134(authenticator.)X
3615(Its)X
3717(encoding)X
955 5208(is)N
1028(described)X
1356(in)X
1438(section)X
1685(7.1.2.)X
3 f
555 5428(authenticator_vno)N
1 f
955 5524(This)N
1119(\256eld)X
1283(speci\256es)X
1581(the)X
1701(version)X
1959(number)X
2226(for)X
2342(the)X
2462(format)X
2698(of)X
2786(the)X
2905(authenticator.)X
3385(This)X
3548(\256eld)X
3711(is)X
3785(of)X
3873(type)X
955 5620(ui_1.)N
3 f
555 5840(authorization_data)N
1 f
555 6144(Section)N
815(6.)X
2196(-)X
2243(24)X
2343(-)X
25 p
%%Page: 25 27
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
955 672(The)N
1112(authorization_data)X
1741(\256eld)X
1915(is)X
2000(used)X
2179(to)X
2273(pass)X
2443(authorization)X
2898(data)X
3063(from)X
3250(the)X
3379(principal)X
3695(on)X
3806(whose)X
955 768(behalf)N
1177(a)X
1234(ticket)X
1433(was)X
1579(issued)X
1800(to)X
1883(the)X
2002(end)X
2139(service.)X
2428(If)X
2503(no)X
2604(authorization)X
3047(data)X
3201(is)X
3274(included,)X
3590(this)X
3725(\256eld)X
3887(will)X
955 864(be)N
1064(empty)X
1297(\(i.e.)X
1455(it)X
1532(will)X
1689(have)X
1874(a)X
1943(length)X
2176(\256eld)X
2351(indicating)X
2704(zero)X
2875(length\).)X
3174(The)X
3331(data)X
3497(in)X
3591(this)X
3738(\256eld)X
3912(are)X
955 960(speci\256c)N
1236(to)X
1333(the)X
1466(end)X
1617(service.)X
1920(It)X
2004(is)X
2092(expected)X
2413(that)X
2568(the)X
2701(\256eld)X
2878(will)X
3037(contain)X
3308(the)X
3441(names)X
3681(of)X
3783(service)X
955 1056(speci\256c)N
1227(objects,)X
1501(and)X
1644(the)X
1769(rights)X
1978(to)X
2067(those)X
2263(objects.)X
2557(This)X
2726(\256eld)X
2895(is)X
2975(composed)X
3327(of)X
3421(a)X
3484(total)X
3652(length)X
3878(plus)X
955 1152(several)N
1207(sub\256elds,)X
1535(each)X
1707(of)X
1798(type)X
1960(bytes_asn1.)X
2379(The)X
2527(total)X
2692(length,)X
2935(encoded)X
3226(in)X
3311(ASN.1)X
3554(length)X
3777(format,)X
955 1248(includes)N
1245(the)X
1366(length)X
1589(of)X
1679(all)X
1782(the)X
1903(sub\256elds)X
2209(and)X
2347(their)X
2516(length)X
2738(encodings)X
3085(\(as)X
3201(for)X
3317(string)X
3521(arrays)X
3740(and)X
3878(host)X
955 1344(addresses\).)N
1355(When)X
1572(the)X
1695(total)X
1861(length)X
2085(has)X
2216(been)X
2392(exhausted,)X
2757(there)X
2942(are)X
3065(no)X
3169(more)X
3358(sub\256elds)X
3666(of)X
3757(authori-)X
955 1440(zation)N
1191(data.)X
1405(Although)X
1747(Kerberos)X
2082(is)X
2175(not)X
2317(concerned)X
2687(with)X
2868(the)X
3005(format)X
3258(of)X
3364(the)X
3501(contents)X
3807(of)X
3913(the)X
955 1536(sub\256elds,)N
1285(it)X
1355(does)X
1528(carry)X
1720(type)X
1884(information)X
2288(\(ad_type\))X
2622(in)X
2709(a)X
2770(sub\256eld)X
3048(of)X
3140(type)X
3303(ui_2)X
3470(immediately)X
3895(fol-)X
955 1632(lowing)N
1217(each)X
1405(length)X
1645(sub\256eld.)X
1978(The)X
2143(length)X
2383(of)X
2490(each)X
2678(authorization_data)X
3315(sub\256eld)X
3607(includes)X
3913(the)X
955 1728(length)N
1175(of)X
1262(the)X
1380(data)X
1534(and)X
1670(the)X
1788(two)X
1928(bytes)X
2117(from)X
2293(the)X
2411(type)X
2569(sub\256eld.)X
7 f
955 1824(+--------------------------+)N
9 f
971 1920(|)N
7 f
1291(total_length)X
9 f
2267(|)X
7 f
955 2016(+-----------------+--------+--------+-----------------------------------+)N
9 f
971 2112(|)N
7 f
1099(ASN.1)X
1387(Length1)X
9 f
1835(|)X
7 f
2107(ad_type)X
9 f
2699(|)X
7 f
3355(ad_data)X
9 f
4427(|)X
7 f
955 2208(+-----------------+--------+--------+-----------------------------------+)N
1819 2304(<------------------)N
2779(ASN.1)X
3067(Length1)X
3451(-------------------->)X
955 2400(+-----------------+--------+--------+--------------------------+)N
9 f
971 2496(|)N
7 f
1099(ASN.1)X
1387(Length2)X
9 f
1835(|)X
7 f
2107(ad_type)X
9 f
2699(|)X
7 f
3163(ad_data)X
9 f
3995(|)X
7 f
955 2592(+-----------------+--------+--------+--------------------------+)N
1819 2688(<--------------)N
2587(ASN.1)X
2875(Length2)X
3259(--------------->)X
1 f
955 2832(By)N
1072(using)X
1269(this)X
1408(\256eld,)X
1594(a)X
1654(principal)X
1963(is)X
2040(able)X
2198(to)X
2284(issue)X
2468(a)X
2527(proxy)X
2737(that)X
2880(is)X
2956(valid)X
3139(for)X
3256(a)X
3315(speci\256c)X
3583(purpose.)X
3900(For)X
955 2928(example,)N
1271(a)X
1331(client)X
1533(wishing)X
1810(to)X
1896(print)X
2071(a)X
2131(\256le)X
2257(can)X
2393(obtain)X
2617(a)X
2677(\256le)X
2803(server)X
3023(proxy)X
3233(to)X
3318(be)X
3417(passed)X
3654(to)X
3739(the)X
3860(print)X
955 3024(server.)N
1214(By)X
1329(specifying)X
1685(the)X
1805(name)X
2001(of)X
2090(the)X
2210(\256le)X
2334(in)X
2418(the)X
2538(authorization_data)X
3157(\256eld,)X
3341(the)X
3461(\256le)X
3584(server)X
3802(knows)X
955 3120(that)N
1106(the)X
1235(print)X
1417(server)X
1645(can)X
1788(only)X
1960(use)X
2097(the)X
2225(client's)X
2491(rights)X
2703(when)X
2907(accessing)X
3245(the)X
3373(particular)X
3711(\256le)X
3843(to)X
3935(be)X
955 3216(printed.)N
955 3408(It)N
1031(is)X
1111(interesting)X
1476(to)X
1565(note)X
1730(that)X
1877(by)X
1984(specifying)X
2345(the)X
2470(authorization_data)X
3094(\256eld)X
3263(of)X
3357(a)X
3420(proxy)X
3633(and)X
3775(leaving)X
955 3504(the)N
1073(host)X
1226(addresses)X
1554(blank,)X
1772(one)X
1908(is)X
1981(able)X
2135(to)X
2217(create)X
2430(a)X
2486(capability.)X
3 f
955 3696(ad_type)N
1 f
1257(is)X
1341(a)X
1407(sub\256eld)X
1690(of)X
1787(type)X
1955(ui_2)X
2127(which)X
2353(speci\256es)X
2659(the)X
2787(format)X
3031(for)X
3155(the)X
3283(ad_data)X
3563(sub\256eld.)X
3886(The)X
955 3792(meanings)N
1282(of)X
1369(the)X
1487(bits)X
1622(in)X
1704(the)X
1822(sub\256eld)X
2095(are)X
2214(indicated)X
2528(below.)X
2784(Bit)X
2901(0)X
2961(is)X
3034(the)X
3152(most)X
3327(signi\256cant)X
3680(bit.)X
2 f
955 3936(Bit\(s\))N
1373(Name)X
2102(Description)X
7 f
955 4128(0)N
1373(RESERVED)X
1 f
2102(Reserved)X
2421(for)X
2535(future)X
2747(expansion.)X
3132(Must)X
3316(be)X
3412(reset)X
3584(\(0\).)X
955 4320(1)N
1373(EXTERNAL)X
2102(If)X
2177(this)X
2313(bit)X
2418(is)X
2492(reset)X
2665(\(0\),)X
2800(then)X
2959(the)X
3078(meaning)X
3374(of)X
3461(the)X
3579(ad_type)X
3853(\256eld)X
4015(is)X
4088(de\256ned)X
4344(in)X
2102 4416(the)N
2226(Kerberos)X
2547(authorization)X
2996(proposal,)X
3318(and)X
3460(bits)X
3601(2-15)X
3773(encode)X
4026(a)X
4087(type)X
4250(from)X
2102 4512(that)N
2243(proposal,)X
2560(with)X
2723(bit)X
2828(2)X
2889(as)X
2977(the)X
3096(most)X
3272(signi\256cant)X
3626(bit)X
3731(of)X
3818(an)X
3914(unsigned)X
4223(quan-)X
2102 4608(tity.)N
2258(If)X
2342(this)X
2487(bit)X
2601(is)X
2684(set)X
2803(\(1\),)X
2946(then)X
3113(the)X
3240(meaning)X
3545(of)X
3641(the)X
3768(ad_type)X
4051(\256eld)X
4222(is)X
4304(not)X
2102 4704(de\256ned)N
2364(in)X
2452(the)X
2576(Kerberos)X
2897(authorization)X
3345(proposal,)X
3666(and)X
3807(bits)X
3947(3-15)X
4119(are)X
4243(to)X
4330(be)X
2102 4800(interpreted)N
2470(according)X
2807(to)X
2889(the)X
3007(value)X
3201(of)X
3288(bit)X
3392(2)X
3452(\(REGISTERED\).)X
955 4896(2)N
1373(REGISTERED)X
2102(If)X
2185(this)X
2329(bit)X
2442(is)X
2524(set)X
2642(\(1\),)X
2785(the)X
2912(\256eld)X
3083(type)X
3250(given)X
3457(by)X
3566(bits)X
3710(3-15)X
3886(is)X
3967(registered.)X
4352(If)X
2102 4992(this)N
2248(bit)X
2363(is)X
2446(reset)X
2628(\(0\),)X
2772(then)X
2940(the)X
3068(\256eld)X
3240(type)X
3408(is)X
3491(not)X
3623(registered,)X
3990(and)X
4136(the)X
4264(\256eld)X
2102 5088(type)N
2262(given)X
2462(by)X
2564(bits)X
2701(3-15)X
2870(has)X
2998(been)X
3171(arbitrarily)X
3513(chosen)X
3757(by)X
3858(the)X
3977(implementor,)X
2102 5184(and)N
2254(are)X
2389(not)X
2527(guaranteed)X
2916(to)X
3014(be)X
3126(unique)X
3400(\(They)X
3628(can)X
3776(be)X
3887(thought)X
4166(of)X
4268(as)X
4370(a)X
2102 5280(``magic)N
2372(number''\).)X
955 5376(3-15)N
1373(FIELD-TYPE)X
2102(These)X
2331(bits)X
2483(specify)X
2752(the)X
2887(\256eld)X
3065(type)X
3239(or)X
3342(the)X
3476(unregistered)X
3909(magic)X
4141(number.)X
2102 5472(They)N
2288(are)X
2408(to)X
2491(be)X
2588(interpreted)X
2957(as)X
3045(an)X
3142(unsigned)X
3452(integer,)X
3716(with)X
3879(bit)X
3984(3)X
4045(as)X
4133(the)X
4251(most)X
2102 5568(signi\256cant)N
2455(bit.)X
955 5808(An)N
1079(empty)X
1305(authorization)X
1754(data)X
1914(\256eld)X
2082(\(length)X
2335(zero)X
2500(in)X
2588(the)X
2712(total_length)X
3120(\256eld\))X
3315(indicates)X
3626(that)X
3772(there)X
3958(is)X
555 6144(Section)N
815(6.)X
2196(-)X
2243(25)X
2343(-)X
26 p
%%Page: 26 28
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
955 672(no)N
1055(authorization)X
1498(data.)X
3 f
555 892(authtime)N
1 f
955(This)X
1122(\256eld)X
1289(indicates)X
1599(the)X
1722(time)X
1889(of)X
1981(initial)X
2192(authentication)X
2671(for)X
2790(the)X
2913(named)X
3152(principal.)X
3502(It)X
3576(is)X
3654(the)X
3777(time)X
3944(of)X
955 988(issue)N
1138(for)X
1255(the)X
1376(original)X
1648(ticket)X
1849(on)X
1952(which)X
2171(this)X
2309(ticket)X
2510(is)X
2586(based.)X
2832(It)X
2904(is)X
2980(included)X
3278(in)X
3362(the)X
3482(ticket)X
3682(to)X
3766(provide)X
955 1084(additional)N
1300(information)X
1703(to)X
1790(the)X
1913(end)X
2054(service,)X
2327(and)X
2468(to)X
2554(provide)X
2823(the)X
2945(necessary)X
3282(information)X
3684(for)X
3802(imple-)X
955 1180(mentation)N
1297(of)X
1386(a)X
1444(`hot)X
1595(list')X
1741(service)X
1991(at)X
2071(the)X
2190(KDC.)X
2420(An)X
2539(end)X
2676(service)X
2925(that)X
3066(is)X
3140(particularly)X
3531(paranoid)X
3833(could)X
955 1276(refuse)N
1180(to)X
1270(accept)X
1504(tickets)X
1741(for)X
1862(which)X
2085(the)X
2210(initial)X
2423(authentication)X
2904(occurred)X
3213(too)X
3342(far)X
3459(in)X
3548(the)X
3673(past.)X
3869(This)X
955 1372(\256eld)N
1117(is)X
1190(of)X
1277(type)X
1435(timestamp.)X
3 f
555 1592(caddr)N
1 f
955(This)X
1118(\256eld)X
1281(in)X
1364(a)X
1421(ticket)X
1620(contains)X
1908(zero)X
2068(or)X
2156(more)X
2341(host)X
2494(addresses.)X
2862(These)X
3074(are)X
3193(the)X
3311(addresses)X
3639(from)X
3815(which)X
955 1688(the)N
1074(ticket)X
1273(can)X
1406(be)X
1503(used.)X
1711(If)X
1786(there)X
1968(are)X
2088(no)X
2189(addresses,)X
2538(the)X
2657(ticket)X
2856(can)X
2989(be)X
3086(used)X
3254(from)X
3431(any)X
3568(location.)X
3886(The)X
955 1784(decision)N
1247(to)X
1334(issue)X
1519(or)X
1611(accept)X
1842(zero-address)X
2274(tickets)X
2508(is)X
2585(a)X
2645(policy)X
2869(decision)X
3160(and)X
3300(is)X
3377(left)X
3508(to)X
3594(the)X
3716(Kerberos)X
955 1880(and)N
1092(end-service)X
1484(administrators.)X
2003(The)X
2149(suggested)X
2486(and)X
2622(default)X
2865(policy,)X
3105(however,)X
3422(is)X
3495(that)X
3635(such)X
3802(tickets)X
955 1976(will)N
1101(only)X
1265(be)X
1363(issued)X
1585(or)X
1674(accepted)X
1978(when)X
2174(additional)X
2516(information)X
2916(that)X
3058(can)X
3192(be)X
3290(used)X
3458(to)X
3541(restrict)X
3785(the)X
3904(use)X
955 2072(of)N
1042(the)X
1160(ticket)X
1358(is)X
1431(included)X
1727(in)X
1809(the)X
1927(authorization_data)X
2544(\256eld.)X
955 2264(Network)N
1267(addresses)X
1606(are)X
1736(included)X
2042(in)X
2134(the)X
2262(ticket)X
2470(to)X
2562(make)X
2766(it)X
2840(harder)X
3076(for)X
3200(an)X
3306(attacker)X
3591(to)X
3683(use)X
3820(stolen)X
955 2360(credentials.)N
1365(Because)X
1655(the)X
1775(session)X
2028(key)X
2166(is)X
2240(not)X
2363(sent)X
2513(over)X
2677(the)X
2796(network)X
3080(in)X
3163(cleartext,)X
3481(credentials)X
3850(can't)X
955 2456(be)N
1056(stolen)X
1272(simply)X
1514(by)X
1619(listening)X
1919(to)X
2006(the)X
2129(network;)X
2439(an)X
2540(attacker)X
2820(has)X
2952(to)X
3039(gain)X
3202(access)X
3432(to)X
3518(the)X
3640(session)X
3895(key)X
955 2552(\(perhaps)N
1253(through)X
1523(operating)X
1847(system)X
2090(security)X
2365(breaches)X
2668(or)X
2756(a)X
2812(careless)X
3087(user's)X
3299(unattended)X
3671(session\))X
3949(to)X
955 2648(make)N
1149(use)X
1276(of)X
1363(stolen)X
1574(tickets.)X
955 2840(It)N
1027(is)X
1103(important)X
1437(to)X
1522(note)X
1683(that)X
1826(the)X
1947(network)X
2233(address)X
2497(from)X
2676(which)X
2895(a)X
2954(connection)X
3329(is)X
3404(received)X
3699(cannot)X
3935(be)X
955 2936(reliably)N
1223(determined.)X
1646(Even)X
1833(if)X
1904(it)X
1970(could)X
2170(be,)X
2288(an)X
2386(attacker)X
2663(who)X
2823(has)X
2952(compromised)X
3410(the)X
3530(client's)X
3788(works-)X
955 3032(tation)N
1170(could)X
1381(use)X
1521(the)X
1651(credentials)X
2031(from)X
2219(there.)X
2452(Including)X
2791(the)X
2921(network)X
3216(addresses)X
3556(only)X
3730(makes)X
3967(it)X
955 3128(more)N
1145(dif\256cult,)X
1443(not)X
1570(impossible,)X
1961(for)X
2080(an)X
2181(attacker)X
2461(to)X
2548(walk)X
2729(off)X
2848(with)X
3015(stolen)X
3230(credentials)X
3602(and)X
3742(then)X
3904(use)X
955 3224(them)N
1135(from)X
1311(a)X
1367("safe")X
1583(location.)X
955 3416(This)N
1117(\256eld)X
1279(is)X
1352(of)X
1439(type)X
1597(hostaddrs;)X
1946(its)X
2041(encoding)X
2355(is)X
2428(speci\256ed)X
2733(in)X
2815(section)X
3062(5.1.8.)X
3 f
555 3636(checksum_type)N
1 f
955 3732(This)N
1127(\256eld)X
1299(appears)X
1575(in)X
1667(the)X
1795(authenticator)X
2244(and)X
2390(the)X
2518(KRB_SAFE)X
2947(message,)X
3269(and)X
3414(speci\256es)X
3719(the)X
3846(algo-)X
955 3828(rithm)N
1148(used)X
1315(to)X
1397(generate)X
1690(the)X
1808(data)X
1962(checksum.)X
2343(A)X
2421(list)X
2538(of)X
2625(the)X
2743(pre-de\256ned)X
3129(values)X
3354(for)X
3468(this)X
3603(\256eld)X
3765(appears)X
955 3924(in)N
1037(section)X
1284(5.2.)X
1444(This)X
1606(\256eld)X
1768(is)X
1841(of)X
1928(type)X
2086(ui_2.)X
3 f
555 4144(checksum)N
1 f
955(This)X
1127(\256eld)X
1299(appears)X
1575(in)X
1667(the)X
1795(authenticator)X
2244(and)X
2390(contains)X
2686(an)X
2791(optional)X
3082(checksum)X
3432(of)X
3528(the)X
3655(application)X
955 4240(data)N
1109(that)X
1249(is)X
1322(to)X
1404(follow.)X
1673(This)X
1835(\256eld)X
1997(is)X
2070(of)X
2157(type)X
2315(bytes_asn1.)X
3 f
555 4460(ckvno)N
1 f
955(This)X
1145(\256eld)X
1335(contains)X
1650(the)X
1796(client's)X
2080(key)X
2244(version)X
2528(number.)X
2861(It)X
2958(precedes)X
3288(the)X
3434(ciphertext)X
3803(in)X
3913(the)X
955 4556(KRB_AS_REP)N
1473(message,)X
1791(specifying)X
2151(which)X
2373(version)X
2635(of)X
2728(the)X
2852(client's)X
3114(secret)X
3328(key)X
3470(was)X
3621(used)X
3794(for)X
3913(the)X
955 4652(encrypted)N
1292(portion)X
1543(of)X
1630(the)X
1748(message.)X
2080(This)X
2242(\256eld)X
2404(is)X
2477(of)X
2564(type)X
2722(ui_1.)X
3 f
555 4872(cmsec)N
1 f
955(This)X
1119(\256eld)X
1283(contains)X
1572(the)X
1692(millisecond)X
2087(part)X
2233(of)X
2321(the)X
2440(client's)X
2697(timestamp.)X
3091(Its)X
3192(value)X
3387(\(before)X
3641(encryption\))X
955 4968(ranges)N
1190(from)X
1371(0)X
1436(to)X
1523(999.)X
1708(It)X
1781(often)X
1970(appears)X
2240(along)X
2442(with)X
3 f
2608(ctime)X
1 f
2796(.)X
2860(The)X
3009(two)X
3153(\256elds)X
3350(are)X
3473(used)X
3644(in)X
3730(conjunc-)X
955 5064(tion)N
1099(to)X
1181(specify)X
1433(a)X
1489(reasonably)X
1857(accurate)X
2146(timestamp.)X
2539(This)X
2701(\256eld)X
2863(is)X
2936(of)X
3023(type)X
3181(ui_2.)X
3 f
555 5284(cname)N
1 f
955(This)X
1117(\256eld)X
1279(contains)X
1566(the)X
1684(name)X
1878(part)X
2023(of)X
2110(the)X
2228(client's)X
2484(identity.)X
2788(It)X
2857(is)X
2930(of)X
3017(type)X
3175(string)X
3377(array.)X
3 f
555 5504(crealm)N
1 f
955(This)X
1121(\256eld)X
1287(contains)X
1577(the)X
1698(name)X
1895(of)X
1985(the)X
2106(realm)X
2312(in)X
2397(which)X
2616(the)X
2737(client)X
2938(is)X
3014(attempting)X
3379(to)X
3464(be)X
3563(authenticated.)X
955 5600(It)N
1024(is)X
1097(of)X
1184(type)X
1342(string.)X
3 f
555 5820(ctime)N
1 f
955(This)X
1117(\256eld)X
1279(contains)X
1566(the)X
1684(current)X
1932(time)X
2094(on)X
2194(the)X
2312(client's)X
2568(workstation.)X
3006(It)X
3075(is)X
3148(of)X
3235(type)X
3393(timestamp.)X
555 6144(Section)N
815(6.)X
2196(-)X
2243(26)X
2343(-)X
27 p
%%Page: 27 29
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
555 672(confounder)N
1 f
955 768(This)N
1120(\256eld)X
1285(contains)X
1575(random)X
1843(data)X
2000(and)X
2139(appears)X
2408(at)X
2489(the)X
2610(beginning)X
2953(of)X
3043(text)X
3186(encrypted)X
3526(in)X
3610(a)X
3668(principal's)X
955 864(secret)N
1173(key.)X
1359(Its)X
1469(purpose)X
1753(is)X
1836(to)X
1928(make)X
2132(chosen-)X
2412(and)X
2558(known-plaintext)X
3112(attacks)X
3364(more)X
3558(dif\256cult.)X
3880(It)X
3958(is)X
955 960(important)N
1292(to)X
1380(note)X
1544(that)X
1690(the)X
1814(existence)X
2139(of)X
2232(this)X
2373(\256eld)X
2540(does)X
2712(not)X
2839(prevent)X
3105(a)X
3166(veri\256able)X
3494(plaintext)X
3799(attack.)X
955 1056(It)N
1027(just)X
1165(prevents)X
1460(the)X
1581(use)X
1711(of)X
1801(a)X
1860(precomputed)X
2302(ciphertext)X
2646(dictionary)X
2993(to)X
3077(\256nd)X
3223(the)X
3343(corresponding)X
3824(plain-)X
955 1152(text.)N
1142(The)X
1294(ef\256cacy)X
1576(of)X
1670(the)X
1795(confounder)X
2187(depends)X
2476(on)X
2582(the)X
2706(ability)X
2936(of)X
3029(the)X
3153(cryptosystem)X
3606(to)X
3694(propagate)X
955 1248(changes)N
1243(at)X
1330(the)X
1457(start)X
1624(of)X
1720(the)X
1847(encrypted)X
2193(plaintext)X
2502(through)X
2779(the)X
2905(remainder)X
3259(of)X
3354(the)X
3480(ciphertext.)X
3869(This)X
955 1344(\256eld)N
1117(is)X
1190(of)X
1277(type)X
1435(ui_2.)X
1617(XXX)X
1811(longer?)X
2072(XXX)X
3 f
555 1564(endtime)N
1 f
955(This)X
1128(\256eld)X
1301(contains)X
1599(the)X
1728(time)X
1901(after)X
2080(which)X
2307(the)X
2436(ticket)X
2645(will)X
2800(not)X
2933(be)X
3040(honored)X
3334(\(its)X
3467(expiration)X
3822(time\).)X
955 1660(Together)N
1266(with)X
1429('starttime',)X
1804(this)X
1940(\256eld)X
2103(speci\256es)X
2400(the)X
2519(life)X
2647(of)X
2735(the)X
2854(ticket.)X
3092(Note)X
3268(that)X
3408(individual)X
3752(services)X
955 1756(may)N
1123(place)X
1323(their)X
1500(own)X
1668(limits)X
1878(on)X
1987(the)X
2114(life)X
2250(of)X
2346(a)X
2411(ticket)X
2618(and)X
2763(may)X
2930(reject)X
3138(tickets)X
3376(which)X
3601(have)X
3782(not)X
3913(yet)X
955 1852(expired.)N
1258(As)X
1369(such,)X
1558(this)X
1695(is)X
1770(really)X
1975(an)X
2073(upper)X
2278(bound)X
2500(on)X
2602(the)X
2722(expiration)X
3069(time)X
3233(for)X
3348(the)X
3467(ticket.)X
3706(This)X
3869(\256eld)X
955 1948(is)N
1028(of)X
1115(type)X
1273(timestamp.)X
3 f
555 2168(error)N
1 f
955(This)X
1121(\256eld)X
1287(contains)X
1578(the)X
1700(error)X
1881(code)X
2057(returned)X
2349(by)X
2453(Kerberos)X
2772(or)X
2863(the)X
2985(server)X
3206(when)X
3404(a)X
3464(request)X
3720(fails.)X
3922(To)X
955 2264(interpret)N
1257(the)X
1385(value)X
1589(of)X
1686(this)X
1831(\256eld)X
2003(see)X
2136(the)X
2264(list)X
2391(of)X
2488(error)X
2675(codes)X
2888(in)X
2980(section)X
3236(8.)X
3345(Implementations)X
3912(are)X
955 2360(encouraged)N
1351(to)X
1438(provide)X
1708(for)X
1826(national)X
2108(language)X
2422(support)X
2686(in)X
2772(the)X
2894(interpretation)X
3350(of)X
3441(error)X
3622(codes.)X
3869(This)X
955 2456(\256eld)N
1117(is)X
1190(of)X
1277(type)X
1435(ui_4.)X
3 f
555 2676(e_text)N
1 f
955(This)X
1131(\256eld)X
1307(contains)X
1608(additional)X
1962(text)X
2116(to)X
2212(help)X
2384(explain)X
2653(the)X
2784(error)X
2974(code)X
3159(associated)X
3522(with)X
3697(the)X
3828(failed)X
955 2772(request)N
1218(\(for)X
1370(example,)X
1693(it)X
1768(might)X
1985(include)X
2252(a)X
2319(principal)X
2634(name)X
2838(which)X
3064(was)X
3219(unknown\).)X
3614(It)X
3693(is)X
3776(of)X
3873(type)X
955 2868(string.)N
3 f
555 3088(etype)N
1 f
955(This)X
1122(\256eld)X
1289(speci\256es)X
1590(the)X
1713(type)X
1876(of)X
1968(encryption)X
2336(being)X
2539(used)X
2711(to)X
2798(encrypt)X
3064(the)X
3187(ciphertext)X
3533(part)X
3682(of)X
3773(a)X
3833(ticket)X
955 3184(or)N
1047(message.)X
1384(A)X
1467(list)X
1589(of)X
1681(the)X
1804(pre-de\256ned)X
2195(values)X
2425(for)X
2544(this)X
2684(\256eld)X
2851(appears)X
3122(in)X
3209(section)X
3461(5.2.)X
3626(This)X
3792(\256eld)X
3958(is)X
955 3280(of)N
1042(type)X
1200(ui_2.)X
3 f
555 3500(\257ags)N
1 f
955(This)X
1125(\256eld,)X
1314(of)X
1408(type)X
1573(\257ags,)X
1771(indicates)X
2083(which)X
2306(of)X
2400(various)X
2663(options)X
2925(were)X
3109(used)X
3283(or)X
3377(requested)X
3712(when)X
3913(the)X
955 3596(ticket)N
1156(was)X
1304(issued.)X
1567(It)X
1639(is)X
1715(a)X
1774(bit-\256eld,)X
2070(where)X
2290(the)X
2411(selected)X
2693(options)X
2951(are)X
3073(indicated)X
3390(by)X
3493(the)X
3614(bit)X
3721(being)X
3922(set)X
955 3692(\(1\),)N
1091(and)X
1229(the)X
1349(unselected)X
1710(options)X
1967(and)X
2105(reserved)X
2400(\256elds)X
2595(being)X
2795(reset)X
2969(\(0\).)X
3125(Bit)X
3244(0)X
3306(is)X
3381(the)X
3501(most)X
3678(signi\256cant)X
955 3788(bit.)N
2 f
955 3932(Bit\(s\))N
1283(Name)X
2105(Description)X
7 f
955 4124(0)N
1283(RESERVED)X
1 f
2105(Reserved)X
2424(for)X
2538(future)X
2750(expansion)X
3095(of)X
3182(this)X
3317(\256eld.)X
955 4316(1)N
1283(FORWARDABLE)X
2105(The)X
2260(FORWARDABLE)X
2899(\257ag)X
3049(is)X
3132(normally)X
3451(only)X
3623(interpreted)X
4001(by)X
4111(the)X
4238(TGS,)X
2105 4412(and)N
2246(can)X
2383(be)X
2484(ignored)X
2754(by)X
2859(end)X
3000(servers.)X
3293(When)X
3509(set,)X
3642(this)X
3781(\257ag)X
3925(tells)X
4082(the)X
4204(ticket-)X
2105 4508(granting)N
2395(server)X
2615(that)X
2758(it)X
2825(is)X
2901(OK)X
3040(to)X
3124(issue)X
3306(a)X
3364(new)X
3520(ticket)X
3720(granting)X
4009(ticket)X
4209(with)X
4373(a)X
2105 4604(different)N
2415(network)X
2711(address)X
2985(based)X
3201(on)X
3313(the)X
3443(present)X
3707(ticket-granting)X
4211(ticket.)X
2105 4700(This)N
2274(\257ag)X
2421(is)X
2501(reset)X
2680(by)X
2787(default,)X
3057(but)X
3186(users)X
3378(may)X
3543(request)X
3802(that)X
3948(it)X
4018(be)X
4120(set)X
4235(when)X
2105 4796(they)N
2282(request)X
2553(their)X
2739(initial)X
2964(ticket-granting)X
3474(ticket.)X
3730(This)X
3910(\257ag)X
4068(allows)X
4315(for)X
2105 4892(authentication)N
2593(forwarding)X
2984(without)X
3261(requiring)X
3588(the)X
3719(user)X
3886(to)X
3981(enter)X
4175(a)X
4244(pass-)X
2105 4988(word)N
2294(again.)X
2532(If)X
2610(the)X
2732(\257ag)X
2876(is)X
2953(not)X
3079(set,)X
3212(then)X
3374(authentication)X
3851(forwarding)X
4231(is)X
4307(not)X
2105 5084(permitted)N
2449(\(however,)X
2810(the)X
2945(end)X
3098(result)X
3313(can)X
3462(still)X
3618(be)X
3731(achieved)X
4054(if)X
4140(the)X
4275(user)X
2105 5180(engages)N
2384(in)X
2466(the)X
2584(AS)X
2706(exchange)X
3030(from)X
3206(a)X
3262(remote)X
3505(host\).)X
955 5372(2)N
1283(FORWARDED)X
2105(When)X
2324(set,)X
2460(this)X
2602(\257ag)X
2749(indicates)X
3061(that)X
3208(the)X
3333(ticket)X
3538(has)X
3671(either)X
3880(been)X
4058(forwarded,)X
2105 5468(or)N
2211(was)X
2375(issued)X
2613(based)X
2834(on)X
2952(authentication)X
3444(involving)X
3788(a)X
3862(forwarded)X
4231(ticket)X
2105 5564(granting)N
2392(ticket.)X
555 6144(Section)N
815(6.)X
2196(-)X
2243(27)X
2343(-)X
28 p
%%Page: 28 30
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
955 672(3)N
1283(PROXIABLE)X
2105(The)X
2262(PROXIABLE)X
2743(\257ag)X
2895(is)X
2979(normally)X
3299(only)X
3472(interpreted)X
3851(by)X
3962(the)X
4091(TGS,)X
4293(and)X
2105 768(can)N
2240(be)X
2339(ignored)X
2607(by)X
2710(end)X
2849(servers.)X
3140(The)X
3288(PROXIABLE)X
3760(\257ag)X
3903(has)X
4033(an)X
4132(interpre-)X
2105 864(tation)N
2320(identical)X
2629(to)X
2723(that)X
2875(of)X
2974(the)X
3104(FORWARDABLE)X
3745(\257ag,)X
3917(except)X
4159(that)X
4311(the)X
2105 960(PROXIABLE)N
2582(\257ag)X
2730(tells)X
2891(the)X
3017(ticket)X
3223(granting)X
3517(server)X
3741(that)X
3888(only)X
4057(non-ticket-)X
2105 1056(granting)N
2399(tickets)X
2635(may)X
2800(be)X
2903(issued)X
3130(with)X
3299(different)X
3603(network)X
3893(addresses.)X
4267(This)X
2105 1152(\257ag)N
2247(is)X
2322(set)X
2433(by)X
2534(default.)X
2818(It)X
2888(allows)X
3118(proxies)X
3375(for)X
3490(speci\256c)X
3756(services.)X
4076(For)X
4208(exam-)X
2105 1248(ple,)N
2248(it)X
2317(allows)X
2551(a)X
2612(print)X
2788(server)X
3010(to)X
3097(access)X
3328(a)X
3389(client's)X
3650(\256les)X
3808(on)X
3913(a)X
3974(particular)X
4307(\256le)X
2105 1344(server)N
2322(in)X
2404(order)X
2594(to)X
2676(satisfy)X
2905(a)X
2961(print)X
3132(request.)X
955 1536(4)N
1283(PROXY)X
2105(When)X
2319(set,)X
2449(this)X
2585(\257ag)X
2726(indicates)X
3032(that)X
3173(a)X
3230(ticket)X
3429(is)X
3503(a)X
3560(proxy.)X
3808(It)X
3878(tells)X
4032(the)X
4151(end)X
4288(ser-)X
2105 1632(vice)N
2265(that)X
2410(the)X
2533(client)X
2736(is)X
2814(acting)X
3035(on)X
3140(behalf)X
3366(of)X
3458(the)X
3581(principal,)X
3911(but)X
4038(may)X
4201(in)X
4288(fact)X
2105 1728(be)N
2214(a)X
2283(different)X
2593(principal.)X
2950(A)X
3040(service)X
3300(might)X
3518(check)X
3738(this,)X
3905(and)X
4053(if)X
4134(a)X
4202(proxy,)X
2105 1824(require)N
2362(additional)X
2711(authentication)X
3194(from)X
3379(the)X
3506(agent)X
3709(itself)X
3897(in)X
3987(order)X
4185(to)X
4275(pro-)X
2105 1920(vide)N
2263(an)X
2359(audit)X
2539(trail.)X
955 2112(5)N
1283(MAY-POSTDATE)X
2105(The)X
2259(MAY-POSTDATE)X
2911(\257ag)X
3060(is)X
3141(normally)X
3458(only)X
3628(interpreted)X
4004(by)X
4112(the)X
4238(TGS,)X
2105 2208(and)N
2251(can)X
2393(be)X
2499(ignored)X
2774(by)X
2884(end)X
3030(servers.)X
3328(This)X
3500(\257ag)X
3650(must)X
3834(be)X
3939(set)X
4057(in)X
4148(order)X
4347(to)X
2105 2304(issue)N
2287(a)X
2345(postdated)X
2674(ticket)X
2874(based)X
3079(on)X
3181(the)X
3301(present)X
3554(ticket-granting)X
4047(ticket.)X
4286(It)X
4356(is)X
2105 2400(reset)N
2291(by)X
2405(default.)X
2702(This)X
2877(\257ag)X
3030(does)X
3210(not)X
3345(allow)X
3556(one)X
3705(to)X
3800(obtain)X
4033(a)X
4102(postdated)X
2105 2496(ticket-granting)N
2612(ticket.)X
2865(Post)X
3037(dated)X
3246(ticket)X
3459(granting)X
3761(tickets)X
4005(can)X
4152(only)X
4329(by)X
2105 2592(obtained)N
2410(by)X
2518(requesting)X
2880(the)X
3006(postdating)X
3367(in)X
3457(the)X
3583(KRB_AS_REQ)X
4117(message.)X
2105 2688(The)N
2251(life)X
2379(\(`endtime'-`starttime'\))X
3127(of)X
3215(a)X
3272(postdated)X
3600(ticket)X
3799(will)X
3944(be)X
4041(the)X
4159(remain-)X
2105 2784(ing)N
2228(life)X
2356(of)X
2444(the)X
2563(ticket-granting)X
3056(ticket)X
3255(at)X
3334(the)X
3452(time)X
3614(of)X
3701(the)X
3819(request,)X
4091(unless)X
4311(the)X
2105 2880(RENEWABLE)N
2620(option)X
2845(is)X
2919(also)X
3068(set,)X
3197(in)X
3279(which)X
3495(case,)X
3674(it)X
3738(can)X
3870(be)X
3966(the)X
4084(full)X
4215(life)X
4342(of)X
2105 2976(the)N
2230(ticket-granting)X
2729(ticket.)X
2974(The)X
3126(KDC)X
3322(may)X
3487(limit)X
3663(how)X
3827(far)X
3943(in)X
4031(the)X
4155(future)X
4373(a)X
2105 3072(ticket)N
2303(may)X
2461(be)X
2557(postdated.)X
955 3264(6)N
1283(POSTDATED)X
2105(This)X
2272(\257ag)X
2417(indicates)X
2726(that)X
2870(this)X
3009(ticket)X
3211(has)X
3342(been)X
3518(postdated.)X
3889(The)X
4038(end-service)X
2105 3360(can)N
2246(check)X
2463(the)X
2590(`authtime')X
2953(\256eld)X
3124(to)X
3215(see)X
3347(when)X
3550(the)X
3677(original)X
3955(authentication)X
2105 3456(occurred.)N
2462(Some)X
2679(services)X
2973(may)X
3145(choose)X
3402(to)X
3498(reject)X
3711(post-dated)X
4079(tickets,)X
4342(or)X
2105 3552(they)N
2276(may)X
2447(only)X
2622(accept)X
2861(them)X
3054(within)X
3291(a)X
3360(certain)X
3612(period)X
3850(after)X
4030(the)X
4160(original)X
2105 3648(authentication.)N
955 3840(7)N
1283(INVALID)X
2105(This)X
2273(\257ag)X
2419(indicates)X
2730(that)X
2875(a)X
2936(ticket)X
3139(is)X
3217(invalid.)X
3504(A)X
3587(postdated)X
3919(ticket)X
4122(will)X
4271(usu-)X
2105 3936(ally)N
2248(be)X
2347(issued)X
2570(in)X
2655(this)X
2793(form,)X
2992(and)X
3131(it)X
3198(must)X
3376(be)X
3474(validated)X
3790(by)X
3892(the)X
4012(KDC)X
4203(before)X
2105 4032(it)N
2180(can)X
2323(be)X
2430(used,)X
2628(but)X
2761(after)X
2940(its)X
3046('starttime'.)X
3451(The)X
3607(validation)X
3957(is)X
4040(required)X
4338(so)X
2105 4128(that)N
2258(postdated)X
2598(tickets)X
2839(which)X
3067(have)X
3251(been)X
3435(stolen)X
3658(before)X
3896(their)X
4075('starttime')X
2105 4224(can)N
2237(be)X
2333(rendered)X
2635(permanently)X
3056(invalid)X
3298(\(through)X
3594(the)X
3712(hot-list)X
3958(mechanism\).)X
955 4416(8)N
1283(RENEWABLE)X
2105(The)X
2257(RENEWABLE)X
2778(\257ag)X
2925(is)X
3005(normally)X
3321(only)X
3490(interpreted)X
3865(by)X
3972(the)X
4096(TGS,)X
4293(and)X
2105 4512(can)N
2265(usually)X
2544(be)X
2668(ignored)X
2960(by)X
3087(end)X
3250(servers)X
3525(\(some)X
3768(particularly)X
4185(careful)X
2105 4608(servers)N
2365(may)X
2534(wish)X
2716(to)X
2809(disallow)X
3111(renewable)X
3473(tickets\).)X
3780(A)X
3869(renewable)X
4231(ticket)X
2105 4704(can)N
2250(be)X
2359(used)X
2539(to)X
2634(obtain)X
2867(a)X
2936(new)X
3102(ticket)X
3312(that)X
3464(expires)X
3728(at)X
3818(a)X
3886(later)X
4061(date.)X
4267(This)X
2105 4800(allows)N
2336(the)X
2455(life)X
2583(of)X
2671(a)X
2728(ticket)X
2927(to)X
3010(be)X
3107(extended)X
3418(without)X
3683(having)X
3922(to)X
4005(enter)X
4187(a)X
4244(pass-)X
2105 4896(word)N
2301(again,)X
2526(while)X
2735(providing)X
3077(some)X
3277(mechanism)X
3672(for)X
3796(cancellation)X
4214(of)X
4311(the)X
2105 4992(right)N
2276(to)X
2358(use)X
2485(the)X
2603(ticket)X
2801(at)X
2879(renewal)X
3154(time.)X
3356(If)X
3430(the)X
3548(ticket)X
3746(is)X
3819(not)X
3941(renewed)X
4234(by)X
4334(its)X
2105 5088(expiration)N
2454(time,)X
2640(then)X
2801(renewal)X
3079(will)X
3226(not)X
3351(be)X
3450(allowed.)X
3767(The)X
3915(RENEWABLE)X
2105 5184(\257ag)N
2246(is)X
2320(reset)X
2493(by)X
2594(default.)X
2878(If)X
2953(set,)X
3083(then)X
3242(the)X
3361(`renew_till')X
3761(\256eld)X
3924(contains)X
4211(a)X
4267(time)X
2105 5280(after)N
2273(which)X
2489(the)X
2607(ticket)X
2805(may)X
2963(not)X
3085(be)X
3181(renewed.)X
555 6144(Section)N
815(6.)X
2196(-)X
2243(28)X
2343(-)X
29 p
%%Page: 29 31
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
955 672(9)N
1283(INITIAL)X
2105(This)X
2277(\257ag)X
2427(indicates)X
2742(that)X
2892(this)X
3037(ticket)X
3245(was)X
3400(issued)X
3630(using)X
3833(the)X
3961(initial)X
4177(request)X
2105 768(protocol.)N
2441(It)X
2519(was)X
2673(returned)X
2970(to)X
3061(the)X
3188(client)X
3395(encrypted)X
3741(in)X
3831(the)X
3957(client's)X
4221(secret)X
2105 864(key,)N
2262(and)X
2399(the)X
2518(request)X
2771(was)X
2917(not)X
3039(based)X
3242(on)X
3342(a)X
3398(ticket-granting)X
3890(ticket.)X
4128(Applica-)X
2105 960(tions)N
2287(that)X
2434(want)X
2617(to)X
2706(require)X
2961(the)X
3086(entering)X
3376(of)X
3470(a)X
3533(password)X
3863(can)X
4002(check)X
4217(to)X
4306(see)X
2105 1056(that)N
2255(this)X
2400(\257ag)X
2550(is)X
2633(set.)X
2792(An)X
2920(example)X
3222(of)X
3319(an)X
3425(application)X
3811(that)X
3961(would)X
4191(bene\256t)X
2105 1152(from)N
2288(such)X
2462(a)X
2525(restriction)X
2877(is)X
2957(a)X
3019(password-changing)X
3669(program,)X
3987(which)X
4209(would)X
2105 1248(traditionally)N
2537(require)X
2806(timely)X
3051(presentation)X
3483(of)X
3590(both)X
3772(old)X
3914(and)X
4070(new)X
4244(pass-)X
2105 1344(words.)N
955 1536(10)N
1283(DUPLICATE-SKEY)X
2105(This)X
2279(\257ag)X
2431(indicates)X
2748(that)X
2900(the)X
3030(session)X
3293(key)X
3441(in)X
3535(this)X
3682(ticket)X
3892(may)X
4062(be)X
4169(used)X
4347(in)X
2105 1632(other)N
2292(tickets)X
2523(as)X
2612(well.)X
2812(Other)X
3017(principals)X
3354(besides)X
3611(the)X
3730(named)X
3965(principal)X
4271(may)X
2105 1728(know)N
2307(the)X
2429(session)X
2684(key.)X
2864(The)X
3013(ability)X
3241(to)X
3327(use)X
3457(the)X
3578(same)X
3766(session)X
4020(key)X
4159(in)X
4244(more)X
2105 1824(than)N
2264(one)X
2400(ticket)X
2598(allows)X
2827(a)X
2883(key)X
3019(to)X
3101(be)X
3197(shared)X
3427(with)X
3589(more)X
3774(than)X
3932(one)X
4068(other)X
4253(prin-)X
2105 1920(cipal.)N
2324(This)X
2489(is)X
2565(useful)X
2784(for)X
2901(implementing)X
3368(protocols)X
3689(in)X
3773(which)X
3991(all)X
4093(principals)X
2105 2016(are)N
2229(trusted,)X
2492(and)X
2633(where)X
2855(information)X
3258(is)X
3335(broadcast)X
3667(to)X
3753(more)X
3942(than)X
4104(one)X
4244(other)X
2105 2112(principal.)N
2448(Normal)X
2731(servers)X
2997(will)X
3159(not)X
3299(accept)X
3543(authentication)X
4035(based)X
4256(on)X
4373(a)X
2105 2208(ticket)N
2308(that)X
2453(has)X
2585(this)X
2725(\257ag)X
2870(set)X
2984(\(see)X
3139(the)X
3262(discussion)X
3620(of)X
3712(REUSE-SKEY)X
4226(under)X
3 f
2105 2304(kdc_options)N
1 f
2517(,)X
2557(below\).)X
955 2496(11-31)N
1283(RESERVED)X
2105(Reserved)X
2424(for)X
2538(future)X
2750(use.)X
3 f
555 2764(from)N
1 f
955(This)X
1135(\256eld)X
1315(is)X
1406(included)X
1720(in)X
1820(both)X
2000(the)X
2136(KRB_AS_REQ)X
2680(and)X
2834(KRB_TGS_REQ)X
3427(ticket)X
3642(requests.)X
3962(It)X
955 2860(speci\256es)N
1259(the)X
1385(desired)X
1645(start)X
1811(time)X
1981(for)X
2103(the)X
2229(requested)X
2565(ticket.)X
2811(Unless)X
3056(the)X
3181(request)X
3440(is)X
3520(for)X
3641(a)X
3704(postdated)X
955 2956(ticket,)N
1173(this)X
1308(\256eld)X
1470(must)X
1645(be)X
1741(\256lled)X
1925(with)X
2087(zeros.)X
2317(This)X
2479(\256eld)X
2641(is)X
2714(of)X
2801(type)X
2959(timestamp.)X
3 f
555 3176(kdc_options)N
1 f
955 3272(This)N
1126(\256eld,)X
1317(of)X
1413(type)X
1580(\257ags,)X
1780(appears)X
2055(in)X
2145(the)X
2271(KRB_AS_REQ)X
2805(and)X
2949(KRB_TGS_REQ)X
3532(requests)X
3823(to)X
3913(the)X
955 3368(KDC)N
1146(and)X
1284(indicates)X
1591(the)X
1711(\257ags)X
1884(that)X
2026(the)X
2145(client)X
2344(wants)X
2552(set)X
2662(on)X
2763(the)X
2882(tickets)X
3112(as)X
3200(well)X
3359(as)X
3447(other)X
3633(information)X
955 3464(that)N
1099(is)X
1176(to)X
1262(modify)X
1517(the)X
1639(behavior)X
1944(of)X
2035(the)X
2157(KDC.)X
2390(Where)X
2629(appropriate,)X
3039(the)X
3161(name)X
3358(of)X
3448(an)X
3547(option)X
3774(may)X
3935(be)X
955 3560(the)N
1074(same)X
1260(as)X
1348(the)X
1467(\257ag)X
1608(that)X
1748(is)X
1821(set)X
1930(by)X
2030(that)X
2170(option.)X
2434(Although)X
2756(in)X
2838(most)X
3013(case,)X
3192(the)X
3310(bit)X
3414(in)X
3496(the)X
3614(options)X
3869(\256eld)X
955 3656(will)N
1100(be)X
1196(the)X
1314(same)X
1499(as)X
1586(that)X
1726(in)X
1808(the)X
1926(\257ags)X
2097(\256eld,)X
2279(this)X
2414(is)X
2487(not)X
2609(guaranteed,)X
3002(so)X
3093(it)X
3157(is)X
3230(not)X
3352(acceptable)X
3712(to)X
3794(simply)X
955 3752(copy)N
1140(the)X
1267(options)X
1531(\256eld)X
1702(to)X
1793(the)X
1920(\257ags)X
2100(\256eld.)X
2311(There)X
2528(are)X
2656(various)X
2921(checks)X
3168(that)X
3316(must)X
3499(be)X
3603(made)X
3805(before)X
955 3848(honoring)N
1264(an)X
1360(option)X
1584(anyway.)X
955 4040(The)N
1101(kdc_options)X
1513(\256eld)X
1676(is)X
1750(a)X
1807(bit-\256eld,)X
2100(where)X
2317(the)X
2435(selected)X
2714(options)X
2969(are)X
3088(indicated)X
3402(by)X
3502(the)X
3620(bit)X
3724(being)X
3922(set)X
955 4136(\(1\),)N
1091(and)X
1229(the)X
1349(unselected)X
1710(options)X
1967(and)X
2105(reserved)X
2400(\256elds)X
2595(being)X
2795(reset)X
2969(\(0\).)X
3125(Bit)X
3244(0)X
3306(is)X
3381(the)X
3501(most)X
3678(signi\256cant)X
955 4232(bit.)N
2 f
955 4376(Bit\(s\))N
1259(Name)X
2102(Description)X
7 f
955 4568(0)N
1259(RESERVED)X
1 f
2102(Reserved)X
2421(for)X
2535(future)X
2747(expansion)X
3092(of)X
3179(this)X
3314(\256eld.)X
955 4760(1)N
1259(FORWARDABLE)X
2102(The)X
2249(FORWARDABLE)X
2879(option)X
3104(indicates)X
3410(that)X
3551(the)X
3670(ticket)X
3869(to)X
3952(be)X
4049(issued)X
4270(is)X
4344(to)X
2102 4856(have)N
2280(its)X
2381(forwardable)X
2796(\257ag)X
2942(set.)X
3096(It)X
3170(may)X
3333(only)X
3500(be)X
3601(set)X
3715(on)X
3820(the)X
3943(initial)X
4154(request,)X
2102 4952(or)N
2201(in)X
2295(a)X
2363(subsequent)X
2751(request)X
3015(if)X
3096(the)X
3226(ticket-granting)X
3730(ticket)X
3940(on)X
4051(which)X
4278(it)X
4353(is)X
2102 5048(based)N
2305(is)X
2378(also)X
2527(forwardable.)X
955 5240(2)N
1259(FORWARDED)X
2102(The)X
2253(FORWARDED)X
2785(option)X
3014(indicates)X
3324(that)X
3469(this)X
3609(is)X
3687(a)X
3748(request)X
4005(for)X
4124(forward-)X
2102 5336(ing.)N
2278(This)X
2454(option)X
2692(is)X
2779(only)X
2955(speci\256ed)X
3274(in)X
3370(a)X
3440(request)X
3706(to)X
3802(the)X
3934(ticket-granting)X
2102 5432(server)N
2322(and)X
2461(will)X
2608(only)X
2773(be)X
2872(honored)X
3157(if)X
3228(the)X
3348(ticket-granting)X
3842(ticket)X
4042(on)X
4144(which)X
4362(it)X
2102 5528(is)N
2187(based)X
2402(is)X
2487(forwardable.)X
2948(The)X
3105(address\(es\))X
3499(of)X
3598(the)X
3728(host)X
3893(from)X
4081(which)X
4308(the)X
2102 5624(resulting)N
2409(ticket)X
2614(is)X
2694(to)X
2783(be)X
2886(valid)X
3073(are)X
3199(included)X
3501(in)X
3589(the)X
3713(addresses)X
4047(\256eld)X
4215(of)X
4308(the)X
2102 5720(request.)N
555 6144(Section)N
815(6.)X
2196(-)X
2243(29)X
2343(-)X
30 p
%%Page: 30 32
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
955 672(3)N
1259(PROXIABLE)X
2102(The)X
2247(PROXIABLE)X
2716(option)X
2940(indicates)X
3245(that)X
3385(the)X
3503(ticket)X
3701(to)X
3783(be)X
3879(issued)X
4099(is)X
4172(to)X
4254(have)X
2102 768(its)N
2204(proxiable)X
2534(\257ag)X
2681(set.)X
2837(It)X
2913(may)X
3078(only)X
3247(be)X
3350(set)X
3466(on)X
3573(the)X
3698(initial)X
3911(request,)X
4189(or)X
4282(in)X
4370(a)X
2102 864(subsequent)N
2487(request)X
2748(if)X
2825(the)X
2951(ticket-granting)X
3451(ticket)X
3657(on)X
3765(which)X
3989(it)X
4061(is)X
4142(based)X
4353(is)X
2102 960(also)N
2251(proxiable.)X
955 1152(4)N
1259(PROXY)X
2102(The)X
2258(PROXY)X
2560(option)X
2795(indicates)X
3111(that)X
3261(this)X
3406(is)X
3489(a)X
3555(request)X
3817(for)X
3941(a)X
4007(proxy.)X
4264(This)X
2102 1248(option)N
2334(will)X
2485(only)X
2654(be)X
2757(honored)X
3047(if)X
3123(the)X
3248(ticket-granting)X
3747(ticket)X
3952(on)X
4059(which)X
4282(it)X
4353(is)X
2102 1344(based)N
2311(is)X
2390(proxiable.)X
2759(The)X
2910(address\(es\))X
3298(of)X
3391(the)X
3515(host)X
3674(from)X
3856(which)X
4078(the)X
4201(result-)X
2102 1440(ing)N
2245(ticket)X
2464(is)X
2558(to)X
2660(be)X
2776(valid)X
2976(are)X
3115(included)X
3431(in)X
3533(the)X
3671(addresses)X
4019(\256eld)X
4201(of)X
4308(the)X
2102 1536(request.)N
955 1728(5)N
1259(ALLOW-POSTDATE)X
2102(The)X
2253(ALLOW-POSTDATE)X
3005(option)X
3235(indicates)X
3546(that)X
3692(the)X
3815(ticket)X
4018(to)X
4105(be)X
4206(issued)X
2102 1824(is)N
2177(to)X
2261(have)X
2435(its)X
2532(MAY-POSTDATE)X
3177(\257ag)X
3319(set.)X
3470(It)X
3541(may)X
3701(only)X
3865(be)X
3963(set)X
4074(on)X
4176(the)X
4295(ini-)X
2102 1920(tial)N
2234(request,)X
2515(or)X
2611(in)X
2702(a)X
2767(subsequent)X
3152(request)X
3413(if)X
3491(the)X
3618(ticket-granting)X
4119(ticket)X
4326(on)X
2102 2016(which)N
2318(it)X
2382(is)X
2455(based)X
2658(also)X
2807(has)X
2934(its)X
3029(MAY-POSTDATE)X
3672(\257ag)X
3812(set.)X
955 2208(6)N
1259(POSTDATED)X
2102(The)X
2248(POSTDATED)X
2736(option)X
2961(indicates)X
3267(that)X
3408(this)X
3544(is)X
3618(a)X
3675(request)X
3928(for)X
4043(a)X
4099(postdated)X
2102 2304(ticket.)N
2344(This)X
2510(option)X
2738(will)X
2886(only)X
3052(be)X
3151(honored)X
3437(if)X
3509(the)X
3630(ticket-granting)X
4125(ticket)X
4326(on)X
2102 2400(which)N
2335(it)X
2416(is)X
2506(based)X
2726(has)X
2870(its)X
2982(MAY-POSTDATE)X
3642(\257ag)X
3799(set.)X
3965(The)X
4126(resulting)X
2102 2496(ticket)N
2300(will)X
2444(also)X
2593(have)X
2765(its)X
2860(INVALID)X
3215(\257ag)X
3355(set,)X
3484(and)X
3620(that)X
3760(\257ag)X
3900(may)X
4058(be)X
4154(reset)X
4326(by)X
2102 2592(a)N
2170(subsequent)X
2558(request)X
2822(to)X
2916(the)X
3046(KDC)X
3247(after)X
3427(the)X
3557(starttime)X
3868(in)X
3961(the)X
4090(ticket)X
4299(has)X
2102 2688(been)N
2274(reached.)X
955 2880(7)N
1259(UNUSED)X
2102(This)X
2264(option)X
2488(is)X
2561(presently)X
2875(unused.)X
955 3072(8)N
1259(RENEWABLE)X
2102(The)X
2259(RENEWABLE)X
2785(option)X
3021(indicates)X
3338(that)X
3490(the)X
3620(ticket)X
3829(to)X
3922(be)X
4029(issued)X
4260(is)X
4344(to)X
2102 3168(have)N
2294(its)X
2409(RENEWABLE)X
2943(\257ag)X
3103(set.)X
3272(It)X
3361(may)X
3539(only)X
3721(be)X
3836(set)X
3964(on)X
4083(the)X
4220(initial)X
2102 3264(request,)N
2375(or)X
2462(when)X
2656(the)X
2774(ticket-granting)X
3266(ticket)X
3464(on)X
3564(which)X
3780(the)X
3898(request)X
4150(is)X
4223(based)X
2102 3360(is)N
2177(also)X
2328(renewable.)X
2721(If)X
2797(this)X
2934(option)X
3160(is)X
3235(requested,)X
3585(then)X
3745(the)X
3864('renew_till')X
4264(\256eld)X
2102 3456(contains)N
2389(the)X
2507(desired)X
2759(absolute)X
3046(expiration)X
3391(time)X
3553(for)X
3667(the)X
3785(ticket.)X
955 3648(9)N
1259(UNUSED)X
2102(This)X
2264(option)X
2488(is)X
2561(presently)X
2875(unused.)X
955 3840(10)N
1259(DUPLICATE-SKEY)X
2102(The)X
2250(DUPLICATE-SKEY)X
2954(option)X
3180(indicates)X
3487(that)X
3629(the)X
3749(ticket)X
3949(to)X
4033(be)X
4131(issued)X
4353(is)X
2102 3936(to)N
2186(have)X
2360(its)X
2457(DUPLICATE-SKEY)X
3160(\257ag)X
3302(set.)X
3453(This)X
3617(option)X
3842(may)X
4001(be)X
4098(requested)X
2102 4032(at)N
2184(any)X
2324(time.)X
2529(This)X
2694(option)X
2921(does)X
3091(not)X
3216(duplicate)X
3533(the)X
3654(session)X
3908(key.)X
4087(Instead,)X
4362(it)X
2102 4128(simply)N
2341(sets)X
2483(the)X
2603(\257ag)X
2745(in)X
2828(the)X
2947(ticket)X
3146(so)X
3238(that)X
3379(the)X
3498(session)X
3750(key)X
3887(can)X
4020(be)X
4117(reused)X
4348(at)X
2102 4224(a)N
2158(later)X
2321(time.)X
955 4416(11-26)N
1259(RESERVED)X
2102(Reserved)X
2421(for)X
2535(future)X
2747(use.)X
955 4608(27)N
1259(RENEWABLE-OK)X
2102(The)X
2248(RENEWABLE-OK)X
2906(option)X
3131(indicates)X
3437(that)X
3578(a)X
3635(renewable)X
3987(ticket)X
4186(will)X
4330(be)X
2102 4704(acceptable)N
2468(if)X
2543(a)X
2605(ticket)X
2809(with)X
2977(the)X
3101(requested)X
3435(life)X
3568(can)X
3706(not)X
3834(otherwise)X
4171(be)X
4272(pro-)X
2102 4800(vided.)N
2351(If)X
2436(a)X
2503(ticket)X
2712(with)X
2884(the)X
3012(requested)X
3350(life)X
3487(can)X
3629(not)X
3761(be)X
3867(provided,)X
4202(then)X
4370(a)X
2102 4896(renewable)N
2474(ticket)X
2693(may)X
2872(be)X
2989(issued)X
3230(with)X
3413(a)X
3489(renew_till)X
3854(equal)X
4068(to)X
4170(the)X
4308(the)X
2102 4992(requested)N
2438(endtime.)X
2764(The)X
2917(value)X
3119(of)X
3213(the)X
3338(renew_till)X
3690(\256eld)X
3859(may)X
4024(still)X
4170(be)X
4273(lim-)X
2102 5088(ited)N
2258(by)X
2373(local)X
2564(limits,)X
2800(or)X
2902(limits)X
3118(selected)X
3412(by)X
3527(the)X
3660(individual)X
4019(principal)X
4339(or)X
2102 5184(server.)N
955 5376(28)N
1259(ENC-TKT-IN-SKEY)X
2102(This)X
2283(option)X
2526(is)X
2618(used)X
2804(only)X
2985(by)X
3104(the)X
3240(ticket-granting)X
3750(service.)X
4056(The)X
4219(ENC-)X
2102 5472(TKT-IN-SKEY)N
2633(option)X
2864(indicates)X
3176(that)X
3323(the)X
3448(ticket)X
3653(for)X
3774(the)X
3899(end)X
4042(server)X
4265(is)X
4344(to)X
2102 5568(be)N
2206(encrypted)X
2551(in)X
2641(the)X
2767(session)X
3026(key)X
3170(from)X
3354(the)X
3479(second)X
3729(ticket)X
3934(granting)X
4228(ticket)X
2102 5664(provided.)N
555 6144(Section)N
815(6.)X
2196(-)X
2243(30)X
2343(-)X
31 p
%%Page: 31 33
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
955 672(29)N
1259(REUSE-SKEY)X
2102(This)X
2274(option)X
2508(is)X
2591(used)X
2767(only)X
2938(by)X
3047(the)X
3174(ticket-granting)X
3675(service.)X
3972(The)X
4126(REUSE-)X
2102 768(SKEY)N
2339(option)X
2571(indicates)X
2884(that)X
3032(the)X
3158(session)X
3417(key)X
3561(to)X
3651(be)X
3755(assigned)X
4058(to)X
4147(the)X
4272(new)X
2102 864(ticket)N
2306(is)X
2385(to)X
2473(be)X
2575(taken)X
2775(from)X
2957(the)X
3081(second)X
3330(ticket)X
3534(provided.)X
3885(This)X
4053(option)X
4282(will)X
2102 960(only)N
2271(be)X
2374(honored)X
2664(if)X
2740(the)X
2865(second)X
3115(ticket)X
3320(has)X
3454(the)X
3579(DUPLICATE-SKEY)X
4286(\257ag)X
2102 1056(set.)N
955 1248(30)N
1259(RENEW)X
2102(This)X
2273(option)X
2506(is)X
2588(used)X
2764(only)X
2935(by)X
3044(the)X
3171(ticket-granting)X
3672(service.)X
3968(The)X
4121(RENEW)X
2102 1344(option)N
2338(indicates)X
2655(that)X
2807(the)X
2937(present)X
3201(request)X
3465(is)X
3550(for)X
3676(a)X
3744(renewal.)X
4071(The)X
4228(ticket)X
2102 1440(provided)N
2420(is)X
2506(encrypted)X
2856(in)X
2951(the)X
3082(secret)X
3303(key)X
3452(for)X
3578(the)X
3708(server)X
3937(on)X
4049(which)X
4277(it)X
4353(is)X
2102 1536(valid.)N
2326(This)X
2492(option)X
2720(will)X
2868(only)X
3034(be)X
3134(honored)X
3421(if)X
3494(the)X
3616(ticket)X
3818(to)X
3904(be)X
4003(renewed)X
4299(has)X
2102 1632(its)N
2199(RENEWABLE)X
2715(\257ag)X
2857(set)X
2968(and)X
3106(if)X
3177(the)X
3297(time)X
3461(in)X
3545(the)X
3665(renew_till)X
4012(\256eld)X
4176(has)X
4304(not)X
2102 1728(passed.)N
2381(\(XXX)X
2607(Question:)X
2943(Should)X
3194(the)X
3316(ticket)X
3518(to)X
3604(be)X
3704(renewed)X
4001(be)X
4101(passed)X
4339(as)X
2102 1824(a)N
2158(second)X
2401(ticket,)X
2619(or)X
2706(in)X
2788(the)X
2906(authenticator?\).)X
955 2016(31)N
1259(VALIDATE)X
2102(This)X
2280(option)X
2520(is)X
2609(used)X
2792(only)X
2969(by)X
3084(the)X
3217(ticket-granting)X
3724(service.)X
4027(The)X
4187(VALI-)X
2102 2112(DATE)N
2349(option)X
2586(indicates)X
2903(that)X
3055(the)X
3185(present)X
3449(request)X
3713(is)X
3798(to)X
3892(validate)X
4178(a)X
4246(post-)X
2102 2208(dated)N
2297(ticket.)X
2536(It)X
2606(will)X
2751(only)X
2914(be)X
3010(honored)X
3293(if)X
3362(the)X
3480(ticket)X
3678(presented)X
4006(is)X
4079(postdated,)X
2102 2304(presently)N
2423(has)X
2557(its)X
2659(INVALID)X
3021(\257ag)X
3168(set,)X
3304(and)X
3447(would)X
3674(be)X
3777(otherwise)X
4116(usable)X
4348(at)X
2102 2400(this)N
2239(time.)X
2443(A)X
2523(ticket)X
2723(can)X
2857(not)X
2981(be)X
3079(validated)X
3395(before)X
3623(its)X
3720(start)X
3879(time.)X
4082(The)X
4228(ticket)X
2102 2496(presented)N
2434(for)X
2552(validation)X
2896(is)X
2973(encrypted)X
3314(in)X
3400(the)X
3522(key)X
3662(of)X
3752(the)X
3873(server)X
4093(for)X
4210(which)X
2102 2592(it)N
2171(is)X
2249(valid.)X
2474(\(XXX)X
2700(Question:)X
3035(Should)X
3285(the)X
3407(ticket)X
3609(to)X
3695(be)X
3795(renewed)X
4092(be)X
4192(passed)X
2102 2688(as)N
2199(a)X
2265(second)X
2518(ticket,)X
2746(or)X
2843(in)X
2935(the)X
3063(authenticator.)X
3552(Also,)X
3752(might)X
3967(it)X
4040(be)X
4145(better)X
4357(if)X
2102 2784(invalid)N
2375(tickets)X
2635(were)X
2843(encrypted)X
3211(in)X
3324(the)X
3473(key)X
3640(for)X
3785(the)X
3934(ticket-granting)X
2102 2880(server?\))N
3 f
555 3148(keytype)N
1 f
955(This)X
1128(\256eld)X
1301(speci\256es)X
1608(the)X
1737(type)X
1906(of)X
2003(the)X
2131(session)X
2392(key)X
2538(included)X
2844(in)X
2936(the)X
3064(ticket.)X
3312(It)X
3391(will)X
3545(almost)X
3788(always)X
955 3244(correspond)N
1336(to)X
1422(the)X
1544(type)X
1706(of)X
1797(encryption)X
2164(speci\256ed)X
2473(by)X
2577(etype)X
2774(\(it)X
2868(might)X
3077(not)X
3202(correspond,)X
3602(for)X
3719(example,)X
955 3340(if)N
1034(the)X
1162(etype)X
1365(uses)X
1532(an)X
1637(alternate)X
1943(checksum)X
2293(algorithm)X
2633(for)X
2756(an)X
2861(integrity)X
3161(check\).)X
3445(A)X
3532(list)X
3658(of)X
3754(the)X
3881(pre-)X
955 3436(de\256ned)N
1211(values)X
1436(for)X
1550(this)X
1685(\256eld)X
1847(appears)X
2113(in)X
2195(section)X
2442(5.2.)X
2602(This)X
2764(\256eld)X
2926(is)X
2999(of)X
3086(type)X
3244(ui_2.)X
3 f
555 3656(ktime)N
1 f
955(This)X
1121(\256eld)X
1287(contains)X
1578(the)X
1700(current)X
1952(time)X
2118(on)X
2222(the)X
2344(Kerberos)X
2663(server.)X
2924(It)X
2997(may)X
3159(be)X
3259(used)X
3430(\(optionally\))X
3832(by)X
3935(an)X
955 3752(application)N
1348(to)X
1447(synchronize)X
1872(the)X
2007(clock)X
2218(of)X
2322(the)X
2457(client's)X
2730(workstation)X
3145(with)X
3323(that)X
3479(of)X
3582(the)X
3716(Kerberos)X
955 3848(server.)N
1212(This)X
1374(\256eld)X
1536(is)X
1609(of)X
1696(type)X
1854(timestamp.)X
3 f
555 4068(last_req)N
1 f
955(This)X
1124(\256eld)X
1293(is)X
1373(returned)X
1668(by)X
1775(the)X
1900(KDC)X
2096(and)X
2239(speci\256es)X
2542(the)X
2667(time\(s\))X
2921(of)X
3015(the)X
3140(last)X
3278(request)X
3537(by)X
3644(a)X
3706(principal.)X
955 4164(Depending)N
1338(on)X
1448(what)X
1634(information)X
2042(is)X
2125(available,)X
2465(this)X
2610(might)X
2826(be)X
2932(the)X
3060(last)X
3201(time)X
3373(that)X
3523(a)X
3589(request)X
3851(for)X
3975(a)X
955 4260(ticket-granting)N
1450(ticket)X
1651(was)X
1798(made,)X
2014(or)X
2103(the)X
2223(last)X
2356(time)X
2520(that)X
2662(a)X
2720(request)X
2974(based)X
3179(on)X
3281(a)X
3339(ticket-granting)X
3833(ticket)X
955 4356(was)N
1104(successful.)X
1498(It)X
1570(also)X
1722(might)X
1931(cover)X
2133(all)X
2236(servers)X
2487(for)X
2604(a)X
2663(realm,)X
2889(or)X
2979(just)X
3117(the)X
3238(particular)X
3569(server.)X
3829(Some)X
955 4452(implementations)N
1518(may)X
1686(display)X
1947(this)X
2092(information)X
2499(to)X
2590(the)X
2717(user)X
2880(to)X
2971(aid)X
3098(in)X
3189(discovering)X
3592(unauthorized)X
955 4548(use)N
1089(of)X
1183(one's)X
1384(identity.)X
1695(It)X
1771(is)X
1851(similar)X
2099(in)X
2187(spirit)X
2377(to)X
2465(the)X
2589(last)X
2726(login)X
2916(time)X
3084(displayed)X
3417(when)X
3617(logging)X
3887(into)X
955 4644(timesharing)N
1353(systems.)X
955 4836(This)N
1124(\256eld)X
1292(is)X
1371(of)X
1464(type)X
1628(bytes_asn1.)X
2050(The)X
2201(contents)X
2494(must)X
2675(be)X
2777(a)X
2839(multiple)X
3131(of)X
3224(\256ve)X
3370(\(5\))X
3490(octets)X
3703(in)X
3791(length.)X
955 4932(Each)N
1156(\256ve-octet)X
1499(portion)X
1770(\(aligned)X
2073(with)X
2255(the)X
2393(start)X
2571(of)X
2678(the)X
2816(\256eld)X
2998(contents\))X
3331(contains)X
3637(a)X
3712(one-octet)X
3 f
955 5028(lr_type)N
1 f
1226(sub\256eld,)X
1525(followed)X
1836(by)X
1942(a)X
2004(ui_4)X
3 f
2172(lr_value)X
1 f
2478(sub\256eld.)X
2797(There)X
3011(may)X
3174(be)X
3275(several)X
3528(such)X
3700(sub-\256elds)X
955 5124(in)N
1039(a)X
1097(given)X
1297(last_req)X
1573(\256eld.)X
1777(If)X
1852(the)X
1971(encoding)X
2286(indicates)X
2592(a)X
2649(zero)X
2809(\(0\))X
2924(length,)X
3165(then)X
3324(there)X
3506(are)X
3626(no)X
3727(sub\256elds)X
955 5220(or)N
1042(values)X
1267(to)X
1349(be)X
1445(examined.)X
3 f
555 5440(lr_type)N
1 f
955(This)X
1120(sub-\256eld)X
1423(indicates)X
1731(the)X
1852(way)X
2009(that)X
2152(the)X
2273(following)X
3 f
2607(lr_value)X
1 f
2910(sub\256eld)X
3185(is)X
3260(to)X
3344(be)X
3442(interpreted.)X
3852(Bit)X
3971(0)X
955 5536(is)N
1028(the)X
1146(most)X
1321(signi\256cant)X
1674(bit.)X
1818(The)X
1963(meanings)X
2290(of)X
2377(the)X
2495(bits)X
2630(are)X
2749(as)X
2836(follows:)X
555 6144(Section)N
815(6.)X
2196(-)X
2243(31)X
2343(-)X
32 p
%%Page: 32 34
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
2 f
955 672(Bit\(s\))N
1238(Name)X
2104(Description)X
7 f
955 864(0)N
1238(THIS-SERVER-ONLY)X
1 f
2104(If)X
2183(set,)X
2317(the)X
2440(time)X
2607(refers)X
2816(to)X
2903(the)X
3026(responding)X
3407(server)X
3629(only.)X
3836(If)X
3915(reset,)X
4112(it)X
4181(applies)X
2104 960(to)N
2186(all)X
2286(servers)X
2534(for)X
2648(the)X
2766(realm.)X
955 1056(1-7)N
1238(INTERPRETATION)X
2104(These)X
2330(bits)X
2479(are)X
2612(interpreted)X
2994(as)X
3095(an)X
3205(unsigned)X
3528(quantity,)X
3844(with)X
4020(bit)X
4137(7)X
4210(as)X
4310(the)X
2104 1152(least)N
2294(signi\256cant)X
2670(bit.)X
2836(If)X
2932(this)X
3089(quantity)X
3393(is)X
3488(zero)X
3669(\(0\),)X
3825(then)X
4005(the)X
4145(lr_value)X
2104 1248(sub\256eld)N
2388(is)X
2472(the)X
2601(time)X
2774(of)X
2872(last)X
3013(initial)X
3229(request)X
3491(for)X
3615(a)X
3681(TGT.)X
3907(If)X
3991(it)X
4065(is)X
4148(one)X
4294(\(1\),)X
2104 1344(then)N
2268(the)X
2392(lr_value)X
2680(sub\256eld)X
2958(is)X
3036(the)X
3159(time)X
3326(of)X
3418(last)X
3554(initial)X
3765(request.)X
4062(If)X
4141(it)X
4210(is)X
4288(two)X
2104 1440(\(2\),)N
2243(then)X
2406(the)X
2529(lr_value)X
2817(sub\256eld)X
3095(is)X
3173(the)X
3296(time)X
3463(of)X
3555(issue)X
3740(for)X
3859(the)X
3982(newest)X
4230(ticket)X
2104 1536(granting)N
2398(ticket)X
2603(used.)X
2817(If)X
2898(it)X
2969(is)X
3048(three)X
3235(\(3\),)X
3375(then)X
3539(the)X
3663(lr_value)X
3952(sub\256eld)X
4231(is)X
4310(the)X
2104 1632(time)N
2274(of)X
2369(the)X
2495(last)X
2634(renewal.)X
2957(If)X
3039(it)X
3111(is)X
3192(four)X
3354(\(4\),)X
3495(then)X
3660(the)X
3785(lr_value)X
4075(sub\256eld)X
4355(is)X
2104 1728(the)N
2222(time)X
2384(of)X
2471(last)X
2602(request)X
2854(\(of)X
2968(any)X
3104(type\).)X
3 f
555 1996(msg_type)N
1 f
955(This)X
1117(\256eld)X
1279(indicates)X
1584(the)X
1702(type)X
1860(of)X
1947(a)X
2003(protocol)X
2290(message.)X
2622(It)X
2691(is)X
2764(of)X
2851(type)X
3009(ui_1.)X
3 f
555 2216(pad)N
1 f
955(This)X
1119(\256eld)X
1283(\256lls)X
1424(the)X
1544(data)X
1700(in)X
1784(a)X
1842(message)X
2136(to)X
2220(a)X
2278(boundary)X
2603(speci\256ed)X
2910(by)X
3011(the)X
3130(cryptosystem)X
3578(in)X
3661(use.)X
3829(Some)X
955 2312(cryptosystems)N
1433(may)X
1591(use)X
1718(part)X
1863(of)X
1950(the)X
2068(pad)X
2204(to)X
2286(include)X
2542(an)X
2638(integrity)X
2929(checksum)X
3270(of)X
3357(the)X
3475(message.)X
3 f
555 2532(key_exp)N
1 f
955(This)X
1127(\256eld)X
1299(speci\256es)X
1605(the)X
1733(time)X
1905(and)X
2051(date)X
2214(on)X
2323(which)X
2548(the)X
2675(principal's)X
3047(key)X
3192(in)X
3283(the)X
3410(Kerberos)X
3734(database)X
955 2628(expires.)N
1247(If)X
1321(imminent,)X
1667(the)X
1785(user)X
1939(should)X
2172(be)X
2268(warned.)X
2565(This)X
2727(\256eld)X
2889(is)X
2962(of)X
3049(type)X
3207(timestamp.)X
3 f
555 2848(pvno)N
1 f
955(This)X
1122(\256eld)X
1289(is)X
1366(included)X
1666(in)X
1752(each)X
1924(message,)X
2240(and)X
2380(speci\256es)X
2680(the)X
2802(protocol)X
3093(version)X
3353(number.)X
3662(This)X
3828(docu-)X
955 2944(ment)N
1135(speci\256es)X
1431(protocol)X
1718(version)X
1974(5.)X
2074(This)X
2236(\256eld)X
2398(is)X
2471(of)X
2558(type)X
2716(ui_1.)X
3 f
555 3164(renew_till)N
1 f
955(This)X
1118(\256eld)X
1281(is)X
1355(included)X
1652(in)X
1735(tickets)X
1965(that)X
2106(are)X
2226(renewable.)X
2618(It)X
2688(indicates)X
2993(the)X
3111(maximum)X
3455(endtime)X
3733(that)X
3873(may)X
955 3260(be)N
1061(included)X
1366(in)X
1457(a)X
1522(renewal.)X
1846(It)X
1924(can)X
2065(be)X
2170(thought)X
2443(of)X
2539(as)X
2635(the)X
2762(absolute)X
3058(expiration)X
3412(time)X
3583(for)X
3706(the)X
3833(ticket)X
955 3356(including)N
1277(all)X
1377(renewals.)X
1723(This)X
1885(\256eld)X
2047(is)X
2120(of)X
2207(type)X
2365(timestamp.)X
3 f
555 3576(rtime)N
1 f
955(This)X
1121(\256eld)X
1287(is)X
1364(the)X
1486(requested)X
1818(renew_till)X
2167(time)X
2333(sent)X
2485(from)X
2664(a)X
2723(client)X
2924(to)X
3009(the)X
3130(KDC)X
3322(in)X
3407(a)X
3466(ticket)X
3667(request.)X
3962(It)X
955 3672(is)N
1028(optional.)X
1350(This)X
1512(\256eld)X
1674(is)X
1747(of)X
1834(type)X
1992(timestamp.)X
3 f
555 3892(second_ticket)N
1 f
955 3988(A)N
1042(second)X
1294(ticket)X
1501(may)X
1668(be)X
1773(optionally)X
2126(included)X
2431(in)X
2522(a)X
2587(request)X
2848(to)X
2939(the)X
3066(ticket-granting)X
3566(server.)X
3831(If)X
3913(the)X
955 4084(SAME-SKEY)N
1438(option)X
1667(has)X
1799(been)X
1976(speci\256ed,)X
2306(then)X
2469(the)X
2592(second)X
2839(ticket)X
3041(contains)X
3332(the)X
3454(session)X
3709(key)X
3849(to)X
3935(be)X
955 4180(assigned)N
1253(to)X
1337(the)X
1456(new)X
1611(ticket.)X
1850(If)X
1925(the)X
2044(ENC-TKT-IN-SKEY)X
2756(option)X
2981(has)X
3109(been)X
3282(speci\256ed,)X
3608(then)X
3767(the)X
3886(ses-)X
955 4276(sion)N
1116(key)X
1260(from)X
1444(the)X
1570(second)X
1821(ticket)X
2027(will)X
2179(be)X
2283(used)X
2458(in)X
2548(place)X
2746(of)X
2841(the)X
2967(server's)X
3250(key)X
3394(to)X
3484(encrypt)X
3752(the)X
3877(new)X
955 4372(ticket.)N
1193(This)X
1355(\256eld)X
1517(is)X
1590(of)X
1677(type)X
1835(bytes_asn1.)X
3 f
555 4592(session)N
1 f
955(This)X
1119(\256eld)X
1283(contains)X
1572(the)X
1692(session)X
1945(key)X
2083(assigned)X
2381(by)X
2483(the)X
2603(KDC,)X
2814(to)X
2898(be)X
2996(used)X
3165(between)X
3455(the)X
3575(client)X
3775(and)X
3913(the)X
955 4688(server)N
1172(speci\256ed)X
1477(in)X
1559(the)X
1677(ticket.)X
1915(The)X
2060(type)X
2218(of)X
2305(this)X
2440(\256eld)X
2602(is)X
2675(bytes_asn1.)X
3 f
555 4908(skvno)N
1 f
955(This)X
1117(\256eld)X
1279(speci\256es)X
1575(the)X
1693(version)X
1949(number)X
2214(for)X
2328(the)X
2446(server's)X
2721(secret)X
2929(key.)X
3105(It)X
3174(is)X
3247(of)X
3334(type)X
3492(ui_1.)X
3 f
555 5128(smsec)N
1 f
955(This)X
1122(\256eld)X
1289(contains)X
1581(the)X
1704(millisecond)X
2102(part)X
2252(of)X
2344(the)X
2466(server's)X
2745(timestamp.)X
3142(It's)X
3273(value)X
3471(ranges)X
3705(from)X
3885(0)X
3949(to)X
955 5224(999.)N
1141(It)X
1216(appears)X
1488(along)X
1692(with)X
3 f
1860(stime)X
1 f
2043(.)X
2089(The)X
2240(two)X
2385(\256elds)X
2583(are)X
2707(used)X
2879(in)X
2966(conjunction)X
3369(to)X
3456(specify)X
3713(a)X
3774(reason-)X
955 5320(ably)N
1113(accurate)X
1402(timestamp.)X
1795(This)X
1957(\256eld)X
2119(is)X
2192(of)X
2279(type)X
2437(ui_2.)X
3 f
555 5540(sname)N
1 f
955(This)X
1117(\256eld)X
1279(speci\256es)X
1575(the)X
1693(name)X
1887(part)X
2032(of)X
2119(the)X
2237(server's)X
2512(identity.)X
2816(It)X
2885(is)X
2958(of)X
3045(type)X
3203(string)X
3405(array.)X
3 f
555 5760(srealm)N
1 f
955(This)X
1123(\256eld)X
1291(speci\256es)X
1593(the)X
1717(realm)X
1926(part)X
2077(of)X
2170(the)X
2294(server's)X
2575(identity.)X
2885(It)X
2960(also)X
3115(serves)X
3342(to)X
3430(identify)X
3705(the)X
3828(realm)X
555 6144(Section)N
815(6.)X
2196(-)X
2243(32)X
2343(-)X
33 p
%%Page: 33 35
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
955 672(that)N
1095(issued)X
1315(the)X
1433(ticket.)X
1671(This)X
1833(\256eld)X
1995(is)X
2068(of)X
2155(type)X
2313(string.)X
3 f
555 892(starttime)N
1 f
955(This)X
1125(\256eld)X
1295(in)X
1385(the)X
1511(ticket)X
1717(speci\256es)X
2021(the)X
2147(time)X
2317(after)X
2493(which)X
2717(the)X
2843(ticket)X
3048(is)X
3128(valid.)X
3355(Together)X
3672(with)X
3841('end-)X
955 988(time',)N
1164(this)X
1299(\256eld)X
1461(speci\256es)X
1757(the)X
1875(life)X
2002(of)X
2089(the)X
2207(ticket.)X
2445(This)X
2607(\256eld)X
2769(is)X
2842(of)X
2929(type)X
3087(timestamp.)X
3 f
555 1208(stime)N
1 f
955(This)X
1117(\256eld)X
1279(contains)X
1566(the)X
1684(current)X
1932(time)X
2094(on)X
2194(the)X
2312(server.)X
2569(It)X
2638(is)X
2711(of)X
2798(type)X
2956(timestamp.)X
3 f
555 1428(till)N
1 f
955(This)X
1122(\256eld)X
1289(contains)X
1581(the)X
1704(expiration)X
2054(date)X
2213(requested)X
2546(by)X
2651(the)X
2774(client)X
2977(in)X
3064(a)X
3125(ticket)X
3328(request.)X
3625(This)X
3792(\256eld)X
3958(is)X
955 1524(of)N
1042(type)X
1200(timestamp.)X
3 f
555 1744(tkt_vno)N
1 f
955(This)X
1117(\256eld)X
1279(speci\256es)X
1575(the)X
1693(version)X
1949(number)X
2214(for)X
2328(the)X
2446(ticket)X
2644(format.)X
2918(It)X
2987(is)X
3060(of)X
3147(type)X
3305(ui_1.)X
3 f
555 1964(transited)N
1 f
955(This)X
1128(\256eld,)X
1321(of)X
1419(type)X
1588(bytes_asn1,)X
1995(indicates)X
2311(the)X
2440(names)X
2676(of)X
2774(the)X
2903(Kerberos)X
3228(realms)X
3472(that)X
3622(took)X
3794(part)X
3949(in)X
955 2060(authenticating)N
1434(the)X
1557(user)X
1716(to)X
1803(whom)X
2028(this)X
2168(ticket)X
2371(was)X
2521(issued.)X
2786(It)X
2860(does)X
3031(not)X
3157(specify)X
3413(the)X
3535(order)X
3729(in)X
3815(which)X
955 2156(the)N
1073(realms)X
1307(were)X
1484(transited.)X
955 2348(If)N
1034(a)X
1095(ticket)X
1298(is)X
1376(issued)X
1601(based)X
1809(on)X
1914(a)X
1975(ticket-granting)X
2472(ticket)X
2675(\(TGT\))X
2910(issued)X
3135(by)X
3240(the)X
3363(local)X
3544(realm)X
3751(then)X
3913(the)X
955 2444(transited)N
1257(\256eld)X
1425(should)X
1664(be)X
1766(passed)X
2006(through)X
2281(unchanged.)X
2695(When)X
2913(a)X
2975(ticket)X
3178(is)X
3256(issued)X
3481(based)X
3689(on)X
3794(a)X
3855(TGT)X
955 2540(issued)N
1177(by)X
1278(another)X
1540(realm)X
1744(then)X
1903(the)X
2022(name)X
2217(of)X
2305(the)X
2424(realm)X
2628(that)X
2769(issued)X
2990(the)X
3109(TGT)X
3286(should)X
3520(be)X
3617(added)X
3830(to)X
3913(the)X
955 2636(transited)N
1258(\256eld.)X
1467(Note)X
1650(that)X
1797(the)X
1922(ticket-granting)X
2421(service)X
2676(does)X
2850(not)X
2979(add)X
3122(the)X
3247(name)X
3448(of)X
3542(its)X
3644(own)X
3808(realm.)X
955 2732(Instead,)N
1232(its)X
1332(responsibility)X
1792(is)X
1870(to)X
1957(add)X
2098(the)X
2220(name)X
2418(of)X
2509(the)X
2631(previous)X
2931(realm.)X
3178(This)X
3344(prevents)X
3640(a)X
3700(malicious)X
955 2828(Kerberos)N
1270(from)X
1446(intentionally)X
1870(leaving)X
2126(out)X
2248(its)X
2343(own)X
2501(name.)X
955 3020(Because)N
1253(the)X
1381(name)X
1585(of)X
1681(each)X
1858(realm)X
2070(transited)X
2375(is)X
2457(added)X
2678(to)X
2769(this)X
2913(\256eld,)X
3104(it)X
3177(might)X
3392(potentially)X
3763(be)X
3868(very)X
955 3116(long.)N
1163(To)X
1278(decrease)X
1582(the)X
1706(length)X
1932(of)X
2025(this)X
2165(\256eld,)X
2352(its)X
2452(contents)X
2744(are)X
2868(encoded)X
3161(in)X
3248(a)X
3309(manner)X
3575(that)X
3720(is)X
3798(optim-)X
955 3212(ized)N
1109(for)X
1223(the)X
1341(normal)X
1588(case)X
1747(of)X
1834(inter-realm)X
2211(communication.)X
955 3404(The)N
1105(names)X
1335(of)X
1427(neither)X
1675(the)X
1798(local)X
1979(realm,)X
2207(nor)X
2339(the)X
2462(principal's)X
2830(realm)X
3038(are)X
3162(to)X
3249(be)X
3350(included)X
3651(in)X
3737(the)X
3859(tran-)X
955 3500(sited)N
1140(\256eld.)X
1356(They)X
1555(appear)X
1804(elsewhere)X
2160(in)X
2255(the)X
2386(ticket)X
2597(and)X
2746(both)X
2921(are)X
3053(known)X
3304(to)X
3399(have)X
3584(taken)X
3791(part)X
3949(in)X
955 3596(authenticating)N
1438(the)X
1565(principal.)X
1919(Since)X
2126(the)X
2253(endpoints)X
2593(are)X
2721(not)X
2851(included,)X
3175(both)X
3345(local)X
3529(and)X
3673(single-hop)X
955 3692(inter-realm)N
1332(authentication)X
1806(result)X
2004(in)X
2086(a)X
2142(transited)X
2438(\256eld)X
2600(that)X
2740(is)X
2813(empty.)X
955 3884(Realm)N
1191(names)X
1422(in)X
1510(the)X
1634(transited)X
1936(\256eld)X
2104(are)X
2229(separated)X
2559(by)X
2665(a)X
2727(",".)X
2879(A)X
2963(realm)X
3172(name)X
3372(ending)X
3616(with)X
3784(a)X
3846(".")X
3958(is)X
955 3980(interpreted)N
1324(as)X
1412(being)X
1611(prepended)X
1967(to)X
2050(the)X
2169(previous)X
2466(realm.)X
2710(For)X
2841(example,)X
3153(we)X
3267(can)X
3399(encode)X
3647(traversal)X
3944(of)X
955 4076(EDU,)N
1162(MIT.EDU,)X
1535(ATHENA.MIT.EDU,)X
2258(WASHINGTON.EDU,)X
3028(and)X
3165(CS.WASHINGTON.EDU)X
955 4172(as:)N
1243 4268 0.1284("EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".)AN
955 4460(Note)N
1153(that)X
1314(if)X
1404(ATHENA.MIT.EDU,)X
2147(or)X
2255(CS.WASHINGTON.EDU)X
3142(were)X
3340(endpoints,)X
3712(that)X
3873(they)X
955 4556(would)N
1175(not)X
1297(be)X
1393(included)X
1689(in)X
1771(this)X
1906(\256eld,)X
2088(and)X
2224(we)X
2338(would)X
2558(have:)X
1243 4748 0.1823("EDU,MIT.,WASHINGTON.EDU")AN
955 4940(A)N
1047(null)X
1204(sub\256eld)X
1490(preceding)X
1840(or)X
1940(following)X
2284(a)X
2353(",")X
2472(indicates)X
2790(that)X
2943(all)X
3056(realms)X
3303(between)X
3604(the)X
3735(previous)X
955 5036(realm)N
1166(and)X
1310(the)X
1435(next)X
1600(realm)X
1810(have)X
1989(been)X
2168(traversed.)X
2530(Thus,)X
2737(",")X
2850(means)X
3082(that)X
3229(the)X
3354(whole)X
3577(tree)X
3725(has)X
3859(been)X
955 5132(traversed,)N
1307(but)X
1446 0.1750(",MIT.EDU,WASHINGTON.EDU,")AX
2669(means)X
2910(that)X
3066(everything)X
3445(up)X
3561(to)X
3659(MIT.EDU,)X
955 5228(and)N
1101(everything)X
1474(below)X
1700(WASHINGTON.EDU)X
2459(\(inclusive\))X
2831(have)X
3012(been)X
3193(traversed,)X
3537(but)X
3668(everything)X
955 5324(between)N
1243(them)X
1423(has)X
1550(been)X
1722(bypassed.)X
12 s
555 6144(Section)N
868(6.)X
2179(-)X
2235(33)X
2355(-)X
34 p
%%Page: 34 36
12 s 0 xH 0 xS 1 f
10 s
0 32(--)N
4323(--)X
3 f
12 s
2082 432(DRAFT)N
2436(2)X
555 672(7.)N
675(Message)X
1046(Speci\256cations)X
1 f
10 s
755 796(The)N
907(following)X
1245(sections)X
1530(describe)X
1825(the)X
1950(exact)X
2147(contents)X
2441(and)X
2584(encoding)X
2905(of)X
2999(protocol)X
3293(messages)X
3622(and)X
3764(objects.)X
555 892(Descriptions)N
980(of)X
1067(the)X
1185(individual)X
1529(\256elds)X
1722(are)X
1841(described)X
2169(above)X
2381(in)X
2463(section)X
2710(6.)X
3 f
12 s
555 1084(7.1.)N
747(Tickets)X
1070(and)X
1248(Authenticators)X
1 f
10 s
755 1208(This)N
923(section)X
1176(describes)X
1500(the)X
1623(format)X
1862(and)X
2003(encryption)X
2371(parameters)X
2749(for)X
2868(tickets)X
3102(and)X
3243(authenticators.)X
3758(When)X
3975(a)X
555 1304(ticket)N
754(or)X
842(authenticator)X
1282(is)X
1356(included)X
1653(in)X
1736(a)X
1792(protocol)X
2079(message)X
2371(it)X
2435(is)X
2508(treated)X
2747(as)X
2834(an)X
2930(opaque)X
3182(object.)X
3438(The)X
3583(length)X
3803(can)X
3935(be)X
555 1400(determined)N
936(from)X
1112(the)X
1230(ASN.1)X
1470(header)X
1705(that)X
1845(appears)X
2111(at)X
2189(its)X
2284(start.)X
3 f
555 1592(7.1.1.)N
775(Tickets)X
1 f
755 1716(A)N
845(ticket)X
1055(is)X
1139(a)X
1206(record)X
1443(that)X
1594(helps)X
1794(a)X
1861(client)X
2070(authenticate)X
2489(to)X
2582(a)X
2649(service.)X
2948(A)X
3037(Ticket)X
3273(contains)X
3571(the)X
3700(following)X
555 1812(information:)N
2 f
586 1956(Length)N
1143(Type)X
1629(Label)X
2346(Value)X
1 f
586 2148(variable)N
1629(asn1_header)X
2346(ASN.1)X
2586(compatibility)X
3032(header)X
586 2244(1)N
646(octet)X
1143(ui_1)X
1629(tkt_vno)X
2346(ticket)X
2544(format)X
2778(version)X
3034(number)X
3299(\(=)X
3391(5\))X
586 2340(<=)N
696(128)X
836(octets)X
1143(string)X
1629(srealm)X
2346(service's)X
2652(realm)X
586 2436(<=)N
696(128)X
836(octets)X
1143(stringarray)X
1629(sname)X
2346(service's)X
2652(name)X
586 2532(2)N
646(octets)X
1143(ui_2)X
1629(etype)X
2346(encryption)X
2709(type)X
586 2628(1)N
646(octet)X
1143(ui_1)X
1629(skvno)X
2346(service)X
2594(key)X
2730(version)X
2986(number)X
586 2724(variable)N
1143(PAD)X
1629(pad)X
2346(null)X
2490(pad)X
2626(to)X
2708(blocksize-octet)X
3214(multiple)X
586 2820(=======)N
586 2916(2)N
646(octets)X
1143(confounder)X
1629(confounder)X
2346(random)X
2611(data)X
586 3012(4)N
646(octets)X
1143(\257ags)X
1629(\257ags)X
2346(bit)X
2450(\256eld)X
2612(of)X
2699(\257ags)X
586 3108(2)N
646(octets)X
1143(ui_2)X
1629(keytype)X
2346(encryption)X
2709(key)X
2845(type)X
3003(of)X
3090(session)X
3341(key)X
586 3204(variable)N
1143(bytes_asn1)X
1629(session)X
2346(session)X
2597(key)X
586 3300(<=)N
696(128)X
836(octets)X
1143(string)X
1629(crealm)X
2346(client's)X
2602(realm)X
586 3396(<=)N
696(128)X
836(octets)X
1143(string)X
1629(<cname>)X
2346(client's)X
2602(name)X
586 3492(<=)N
696(256)X
836(octets)X
1143(bytes_asn1)X
1629(transited)X
2346(list)X
2463(of)X
2550(transited)X
2846(realms)X
586 3588(4)N
646(octets)X
1143(timestamp)X
1629(authtime)X
2346(time)X
2508(of)X
2595(client's)X
2851(initial)X
3057(authentication)X
586 3684(4)N
646(octets)X
1143(timestamp)X
1629(starttime)X
2346(beginning)X
2686(of)X
2773(valid)X
2953(period)X
3178(for)X
3292(this)X
3427(ticket)X
586 3780(4)N
646(octets)X
1143(timestamp)X
1629(endtime)X
2346(end)X
2482(of)X
2569(valid)X
2749(period)X
586 3876(4)N
646(octets)X
1143(timestamp)X
1629(renew_till)X
2346(OPTIONAL:)X
2789(end)X
2925(of)X
3012(renewable)X
3363(life)X
586 3972(<=)N
696(256)X
836(octets)X
1143(hostaddr)X
1629(caddr)X
2346(client's)X
2602(host)X
2755(address\(es\))X
586 4068(<=)N
696(512)X
836(octets)X
1143(bytes_asn1)X
1629(authorization_data)X
2346(client-supplied)X
2842(authorization)X
3285(data)X
3439(\(possibly)X
3752(empty\))X
586 4164(variable)N
1143(PAD)X
1629(pad)X
2346(null)X
2490(pad)X
2626(to)X
2708(blocksize-octet)X
3214(multiple)X
586 4260(=======)N
555 4404(The)N
712(data)X
878(between)X
1178(double)X
1428(dashed)X
1683(lines)X
1866(above)X
2090(are)X
2221(encrypted)X
2570(in)X
2664(the)X
2794(key)X
2941(shared)X
3182(by)X
3293(Kerberos)X
3619(and)X
3766(the)X
3895(end)X
555 4500(server)N
772(\(the)X
917(server's)X
1192(secret)X
1400(key\).)X
555 6144(Section)N
815(7.1.1.)X
2196(-)X
2243(34)X
2343(-)X
35 p
%%Page: 35 37
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
555 672(+-----------------+--------+--------------------------------------------+)N
9 f
571 768(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
1467(tkt_vno)X
9 f
1867(|)X
7 f
2763("srealm")X
9 f
4027(|)X
7 f
555 864(+-----------------+--------+--------+--------+--------+--------+--------+)N
9 f
571 960(|)N
7 f
1275(<sname>)X
9 f
2299(|)X
7 f
2619(etype)X
9 f
3163(|)X
7 f
3243(skvno)X
9 f
3595(|)X
7 f
3723([PAD])X
9 f
4027(|)X
7 f
555 1056(+========+========+========+========+========+========+========+========+)N
9 f
571 1152(|)N
7 f
747(confounder)X
9 f
1435(|)X
7 f
2187(flags)X
9 f
3163(|)X
7 f
3435(keytype)X
9 f
4027(|)X
7 f
555 1248(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 1344(|)N
7 f
2091('session')X
9 f
4027(|)X
7 f
555 1440(+-----------------------------------------------------------------------+)N
9 f
571 1536(|)N
7 f
2139("crealm")X
9 f
4027(|)X
7 f
555 1632(+-----------------------------------------------------------------------+)N
9 f
571 1728(|)N
7 f
2139(<cname>)X
9 f
4027(|)X
7 f
555 1824(+-----------------------------------------------------------------------+)N
9 f
571 1920(|)N
7 f
2043('transited')X
9 f
4027(|)X
7 f
555 2016(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 2112(|)N
7 f
1227(authtime)X
9 f
2299(|)X
7 f
2907(starttime)X
9 f
4027(|)X
7 f
555 2208(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 2304(|)N
7 f
1275(endtime)X
9 f
2299(|)X
7 f
2859([renew_till])X
9 f
4027(|)X
7 f
555 2400(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 2496(|)N
7 f
1035('caddr')X
9 f
1867(|)X
7 f
2043('authorization_data')X
9 f
3163(|)X
7 f
3483([PAD])X
9 f
4027(|)X
7 f
555 2592(+==========================+==========================+=================+)N
1 f
555 2736(The)N
700(optional)X
3 f
982(renew_till)X
1 f
1345(\256eld)X
1507(is)X
1580(only)X
1742(present)X
1994(if)X
2063(the)X
2181(RENEWABLE)X
2695(\257ag)X
2835(is)X
2908(set)X
3017(in)X
3099(the)X
3 f
3217(\257ags)X
1 f
3392(\256eld.)X
3 f
555 2928(7.1.2.)N
775(Authenticators)X
1 f
755 3052(An)N
884(authenticator)X
1333(is)X
1416(a)X
1482(record)X
1718(sent)X
1877(with)X
2049(a)X
2115(ticket)X
2323(to)X
2415(a)X
2481(server)X
2708(to)X
2800(certify)X
3040(the)X
3168(client's)X
3434(knowledge)X
3816(of)X
3913(the)X
555 3148(encryption)N
923(key)X
1064(in)X
1151(the)X
1274(ticket)X
1477(and)X
1618(to)X
1705(help)X
1867(the)X
1989(server)X
2210(detect)X
2426(replays.)X
2722(An)X
2844(authenticator)X
3287(contains)X
3578(the)X
3700(following)X
555 3244(\256elds.)N
796(Those)X
1020(surrounded)X
1409(by)X
1517(double)X
1763(dashes)X
2005(are)X
2132(encrypted)X
2477(in)X
2567(the)X
2693(session)X
2952(key)X
3096(shared)X
3333(by)X
3440(the)X
3565(client)X
3770(and)X
3913(the)X
555 3340(server:)N
2 f
711 3484(Length)N
1326(Type)X
1802(Label)X
2501(Value)X
1 f
711 3676(variable)N
1802(asn1_header)X
2501(ASN.1)X
2741(compatibility)X
3187(header)X
711 3772(===========)N
711 3868(1)N
771(octet)X
1326(ui_1)X
1802(authenticator_vno)X
2501(authenticator)X
2940(format)X
3174(version)X
3430(number)X
3695(\(=)X
3787(5\))X
711 3964(<=)N
821(128)X
961(octets)X
1326(string)X
1802(crealm)X
2501(client's)X
2757(realm)X
711 4060(<=)N
821(128)X
961(octets)X
1326(stringarray)X
1802(cname)X
2501(client's)X
2757(name)X
711 4156(2)N
771(octets)X
1326(ui_2)X
1802(checksum_type)X
2501(Type)X
2686(of)X
2773(application)X
3149(speci\256c)X
3414(checksum)X
711 4252(variable)N
1326(bytes_asn1)X
1802(checksum)X
2501(Application)X
2899(speci\256c)X
3164(checksum)X
711 4348(2)N
771(octets)X
1326(ui_2)X
1802(cmsec)X
2501(client)X
2699(timestamp)X
3052(\(millisecond)X
3472(portion\))X
711 4444(4)N
771(octets)X
1326(timestamp)X
1802(ctime)X
2501(timestamp)X
2854(in)X
2936(seconds)X
711 4540(variable)N
1326(PAD)X
1802(pad)X
2501(null)X
2645(pad)X
2781(to)X
2863(blocksize-octet)X
3369(multiple)X
711 4636(===========)N
7 f
555 4780(+-----------------+)N
9 f
571 4876(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
555 4972(+========+========+=====================================================+)N
9 f
571 5068(|)N
7 f
651(a_vno)X
9 f
1003(|)X
7 f
2091("crealm")X
9 f
4027(|)X
7 f
555 5164(+--------+--------------------------------------------------------------+)N
9 f
571 5260(|)N
7 f
2091(<cname>)X
9 f
4027(|)X
7 f
555 5356(+--------+--------+-----------------------------------------------------+)N
9 f
571 5452(|)N
7 f
699(checksum_type)X
9 f
1435(|)X
7 f
2427('checksum')X
9 f
4027(|)X
7 f
555 5548(+--------+--------+--------+--------+--------+--------+-----------------+)N
9 f
571 5644(|)N
7 f
891(cmsec)X
9 f
1435(|)X
7 f
2187(ctime)X
9 f
3163(|)X
7 f
3435([PAD])X
9 f
4027(|)X
7 f
555 5740(+========+========+========+========+========+========+=================+)N
1 f
555 6144(Section)N
815(7.1.2.)X
2196(-)X
2243(35)X
2343(-)X
36 p
%%Page: 36 38
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
12 s
555 672(7.2.)N
747(Authentication)X
1384(Server)X
1681(\(AS\))X
1891(message)X
2251(speci\256cations)X
1 f
10 s
755 796(This)N
924(section)X
1178(speci\256es)X
1481(the)X
1606(format)X
1847(of)X
1941(the)X
2066(messages)X
2396(used)X
2570(in)X
2659(the)X
2784(exchange)X
3115(with)X
3284(the)X
3409(authentication)X
3890(ser-)X
555 892(vice.)N
749(The)X
894(format)X
1128(of)X
1215(error)X
1392(messages)X
1715(appears)X
1981(in)X
2063(section)X
2310(7.7.)X
3 f
555 1084(7.2.1.)N
775(KRB_AS_REQ)X
1323(de\256nition)X
1 f
755 1208(The)N
910(KRB_AS_REQ)X
1446(message)X
1747(\(sent)X
1932(from)X
2117(the)X
2244(client)X
2451(to)X
2542(the)X
2669(Authentication)X
3174(Server\))X
3440(contains)X
3736(the)X
3863(Ker-)X
555 1304(beros)N
757(protocol)X
1052(version)X
1316(number,)X
1609(the)X
1735(KRB_AS_REQ)X
2269(message)X
2569(type,)X
2755(the)X
2881(desired)X
3141(options,)X
3423(the)X
3548(identity)X
3819(of)X
3913(the)X
555 1400(client)N
761(for)X
883(which)X
1107(the)X
1233(credentials)X
1609(are)X
1736(requested,)X
2092(the)X
2218(host)X
2379(addresses)X
2715(to)X
2805(be)X
2909(included)X
3213(in)X
3303(the)X
3429(ticket,)X
3654(the)X
3779(desired)X
555 1496(start)N
720(and)X
863(end)X
1006(times)X
1206(of)X
1300(the)X
1425(ticket)X
1630(life,)X
1784(the)X
1909(identity)X
2180(of)X
2274(the)X
2399(server)X
2623(to)X
2711(which)X
2933(the)X
3057(credentials)X
3431(will)X
3581(be)X
3683(presented,)X
555 1592(and)N
691(the)X
809(local)X
985(host's)X
1196(timestamp.)X
755 1812(The)N
900(message)X
1192(\256elds)X
1385(are:)X
2 f
972 1956(Length)N
1529(Type)X
1997(Label)X
2519(Value)X
1 f
972 2148(variable)N
1997(asn1_header)X
2519(ASN.1)X
2759(compatibility)X
3205(header)X
972 2244(1)N
1032(octet)X
1529(ui_1)X
1997(pvno)X
2519(protocol)X
2806(version)X
3062(number)X
3327(\(=)X
3419(5\))X
972 2340(1)N
1032(octet)X
1529(type)X
1997(msg_type)X
2519(message)X
2811(type)X
2969(\(=)X
3061(KRB_AS_REQ\))X
972 2436(4)N
1032(octets)X
1529(\257ags)X
1997(kdc_options)X
2519(options)X
2774(desired)X
972 2532(4)N
1032(octets)X
1529(timestamp)X
1997(ctime)X
2519(client's)X
2775(timestamp)X
3128(in)X
3210(seconds)X
972 2628(4)N
1032(octets)X
1529(timestamp)X
1997(from)X
2519(desired)X
2771(start)X
2929(time)X
972 2724(4)N
1032(octets)X
1529(timestamp)X
1997(till)X
2519(desired)X
2771(expiration)X
3116(time)X
972 2820(4)N
1032(octets)X
1529(timestamp)X
1997(rtime)X
2519(OPTIONAL:)X
2962(desired)X
3214(renew_till)X
972 2916(2)N
1032(octets)X
1529(ui_2)X
1997(etype)X
2519(desired)X
2771(encryption)X
3134(type)X
3292(for)X
3406(reply)X
972 3012(<=)N
1082(128)X
1222(octets)X
1529(string)X
1997(crealm)X
2519(client's)X
2775(realm)X
972 3108(<=)N
1082(128)X
1222(octets)X
1529(stringarray)X
1997(cname)X
2519(client's)X
2775(name)X
972 3204(<=)N
1082(256)X
1222(octets)X
1529(hostaddr)X
1997(addresses)X
2519(host)X
2672(address\(es\))X
3054(for)X
3168(ticket)X
972 3300(<=)N
1082(128)X
1222(octets)X
1529(stringarray)X
1997(sname)X
2519(service's)X
2825(name)X
555 3444(and)N
691(the)X
809(packet)X
1039(format)X
1273(is:)X
7 f
555 3540(+-----------------+--------+--------+--------+--------+--------+--------+)N
9 f
571 3636(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
1563(pvno)X
9 f
1867(|)X
7 f
1899(msg_type)X
9 f
2299(|)X
7 f
2907(kdc_options)X
9 f
4027(|)X
7 f
555 3732(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 3828(|)N
7 f
1323(ctime)X
9 f
2299(|)X
7 f
3051(from)X
9 f
4027(|)X
7 f
555 3924(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 4020(|)N
7 f
1323(till)X
9 f
2299(|)X
7 f
3003([rtime])X
9 f
4027(|)X
7 f
555 4116(+--------+--------+-----------------+-----------------------------------+)N
9 f
571 4212(|)N
7 f
891(etype)X
9 f
1435(|)X
7 f
2523("crealm")X
9 f
4027(|)X
7 f
555 4308(+-----------------+-----------------------------------------------------+)N
9 f
571 4404(|)N
7 f
2139(<cname>)X
9 f
4027(|)X
7 f
555 4500(+-----------------------------------------------------------------------+)N
9 f
571 4596(|)N
7 f
2043('addresses')X
9 f
4027(|)X
7 f
555 4692(+-----------------------------------------------------------------------+)N
9 f
571 4788(|)N
7 f
2139(<sname>)X
9 f
4027(|)X
7 f
555 4884(+-----------------------------------------------------------------------+)N
3 f
555 5124(7.2.2.)N
775(KRB_AS_REP)X
1310(de\256nition)X
1 f
755 5248(The)N
906(KRB_AS_REP)X
1424(message)X
1722(is)X
1801(an)X
1902(instance)X
2190(of)X
2282(the)X
2405(KRB_KDC_REP)X
2989(message)X
3286(with)X
3453(the)X
3576(message)X
3873(type)X
555 5344(set)N
664(to)X
746(KRB_AS_REP,)X
1278(and)X
1414(where)X
1631(the)X
1749(ciphertext)X
2090(portion)X
2341(is)X
2414(encrypted)X
2751(in)X
2833(the)X
2951(client's)X
3207(secret)X
3415(key.)X
3 f
555 5536(7.2.3.)N
775(KRB_KDC_REP)X
1386(de\256nition)X
1 f
755 5660(The)N
906(KRB_KDC_REP)X
1491(message)X
1789(format)X
2029(is)X
2108(used)X
2281(for)X
2401(the)X
2525(reply)X
2716(from)X
2898(the)X
3022(KDC)X
3216(for)X
3335(either)X
3543(an)X
3644(initial)X
3855(\(AS\))X
555 5756(request,)N
831(or)X
922(a)X
982(subsequent)X
1362(\(TGS\))X
1591(request.)X
1887(There)X
2099(is)X
2176(no)X
2280(message)X
2576(type)X
2738(for)X
2855(KRB_KDC_REP.)X
3477(Instead,)X
3752(the)X
3873(type)X
555 5852(will)N
700(be)X
797(one)X
934(of)X
1022(KRB_AS_REP,)X
1555(or)X
1643(KRB_TGS_REP.)X
2245(The)X
2391(key)X
2527(used)X
2694(to)X
2776(encrypt)X
3037(the)X
3155(ciphertext)X
3496(part)X
3641(of)X
3728(the)X
3846(reply)X
555 6144(Section)N
815(7.2.3.)X
2196(-)X
2243(36)X
2343(-)X
37 p
%%Page: 37 39
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(depends)N
847(on)X
956(the)X
1083(message)X
1384(type.)X
1591(For)X
1731(KRB_AS_REP,)X
2272(the)X
2399(ciphertext)X
2749(is)X
2831(encrypted)X
3177(in)X
3268(the)X
3395(client's)X
3659(secret)X
3875(key,)X
555 768(and)N
693(the)X
813(client's)X
1071(key)X
1209(version)X
1467(number)X
1734(is)X
1808(included)X
2105(in)X
2188(ckvno.)X
2445(For)X
2577(KRB_TGS_REP,)X
3159(the)X
3278(ciphertext)X
3620(is)X
3694(encrypted)X
555 864(in)N
637(the)X
755(session)X
1006(key)X
1142(from)X
1318(the)X
1436(ticket)X
1634(granting)X
1921(ticket)X
2119(used)X
2286(in)X
2368(the)X
2486(request.)X
2778(In)X
2865(that)X
3005(case,)X
3184(ckvno)X
3400(will)X
3544(be)X
3640(zero.)X
755 988(The)N
900(KRB_KDC_REP)X
1479(message)X
1771(contains)X
2058(the)X
2176(following)X
2507(\256elds:)X
2 f
577 1132(Length)N
1134(Type)X
1620(Label)X
2142(Value)X
1 f
577 1324(variable)N
1620(asn1_header)X
2142(ASN.1)X
2382(compatibility)X
2828(header)X
577 1420(1)N
637(octet)X
1134(ui_1)X
1620(pvno)X
2142(protocol)X
2429(version)X
2685(number)X
2950(\(=)X
3042(5\))X
577 1516(1)N
637(octet)X
1134(type)X
1620(msg_type)X
2142(message)X
2434(type)X
2592(\(either)X
2822(KRB_AS_REP)X
3334(or)X
3421(KRB_TGS_REP\))X
577 1612(<=)N
687(128)X
827(octets)X
1134(string)X
1620(crealm)X
2142(client's)X
2398(realm)X
577 1708(<=)N
687(128)X
827(octets)X
1134(stringarray)X
1620(cname)X
2142(client's)X
2398(name)X
577 1804(2)N
637(octets)X
1134(ui_2)X
1620(etype)X
2142(encryption)X
2505(type)X
577 1900(1)N
637(octet)X
1134(ui_1)X
1620(ckvno)X
2142(client's)X
2398(key)X
2534(version)X
2790(number)X
577 1996(variable)N
1134(ticket)X
1620(ticket)X
2142(ticket)X
2340(for)X
2454(the)X
2572(service)X
577 2092(variable)N
1134(PAD)X
1620(pad)X
2142(null)X
2286(pad)X
2422(to)X
2504(blocksize-octet)X
3010(multiple)X
577 2188(=======)N
577 2284(2)N
637(octets)X
1134(confounder)X
1620(confounder)X
2142(random)X
2407(data)X
577 2380(2)N
637(octets)X
1134(ui_2)X
1620(keytype)X
2142(encryption)X
2505(key)X
2641(type)X
2799(of)X
2886(session)X
3137(key)X
577 2476(variable)N
1134(bytes_asn1)X
1620(session)X
2142(session)X
2393(key)X
577 2572(<=)N
687(128)X
827(octets)X
1134(bytes_asn1)X
1620(last_req)X
2142(last)X
2273(request)X
2525(information)X
577 2668(4)N
637(octets)X
1134(timestamp)X
1620(ctime)X
2142(client's)X
2398(timestamp)X
2751(\(used)X
2945(as)X
3032(nonce\))X
577 2764(4)N
637(octets)X
1134(timestamp)X
1620(ktime)X
2142(KDC)X
2331(timestamp)X
2684(\(for)X
2825(sync\))X
577 2860(4)N
637(octets)X
1134(timestamp)X
1620(key_exp)X
2142(principal)X
2447(expiration)X
2792(date)X
577 2956(4)N
637(octets)X
1134(\257ags)X
1620(\257ags)X
2142(\257ags)X
2313(set)X
2422(in)X
2504(ticket)X
577 3052(4)N
637(octets)X
1134(timestamp)X
1620(starttime)X
2142(ticket)X
2340(start)X
2498(date)X
577 3148(4)N
637(octets)X
1134(timestamp)X
1620(endtime)X
2142(ticket)X
2340(expire)X
2561(date)X
577 3244(4)N
637(octets)X
1134(timestamp)X
1620(renew_till)X
2142(OPTIONAL:)X
2585(end)X
2721(of)X
2808(renewable_life)X
577 3340(<=)N
687(128)X
827(octets)X
1134(string)X
1620(srealm)X
2142(server's)X
2417(realm)X
577 3436(<=)N
687(128)X
827(octets)X
1134(stringarray)X
1620(sname)X
2142(server's)X
2417(name)X
2611(\(to)X
2720(link)X
2864(ticket)X
3062(and)X
3198(ciphertext\))X
577 3532(<=)N
687(256)X
827(octets)X
1134(hostaddr)X
1620(caddr)X
2142(client's)X
2398(host)X
2551(address\(es\))X
577 3628(variable)N
1134(PAD)X
1620(pad)X
2142(null)X
2286(pad)X
2422(to)X
2504(blocksize-octet)X
3010(multiple)X
577 3724(=======)N
555 3964(in)N
637(the)X
755(following)X
1086(format:)X
555 6144(Section)N
815(7.2.3.)X
2196(-)X
2243(37)X
2343(-)X
38 p
%%Page: 38 40
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
555 672(+-----------------+--------+--------+-----------------------------------+)N
9 f
571 768(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
1563(pvno)X
9 f
1867(|)X
7 f
1899(msg_type)X
9 f
2299(|)X
7 f
3003("crealm")X
9 f
4027(|)X
7 f
555 864(+-----------------+-----------------------------------------------------+)N
9 f
571 960(|)N
7 f
2139(<cname>)X
9 f
4027(|)X
7 f
555 1056(+--------+--------+--------+-----------------------------------+--------+)N
9 f
571 1152(|)N
7 f
891(etype)X
9 f
1435(|)X
7 f
1515(ckvno)X
9 f
1867(|)X
7 f
2475('ticket')X
9 f
3595(|)X
7 f
3675([PAD])X
9 f
4027(|)X
7 f
555 1248(+=================+========+========+===================================+)N
9 f
571 1344(|)N
7 f
747(confounder)X
9 f
1435(|)X
7 f
1707(keytype)X
9 f
2299(|)X
7 f
2859('session')X
9 f
4027(|)X
7 f
555 1440(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 1536(|)N
7 f
2043('last_req')X
9 f
4027(|)X
7 f
555 1632(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 1728(|)N
7 f
1323(ctime)X
9 f
2299(|)X
7 f
3051(ktime)X
9 f
4027(|)X
7 f
555 1824(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 1920(|)N
7 f
1275(key_exp)X
9 f
2299(|)X
7 f
3051(flags)X
9 f
4027(|)X
7 f
555 2016(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 2112(|)N
7 f
1227(starttime)X
9 f
2299(|)X
7 f
3003(endtime)X
9 f
4027(|)X
7 f
555 2208(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 2304(|)N
7 f
1227(renew_till)X
9 f
2299(|)X
7 f
3003("srealm")X
9 f
4027(|)X
7 f
555 2400(+--------------------------+--------+-----------------+-----------------+)N
9 f
571 2496(|)N
7 f
1083(<sname>)X
9 f
1867(|)X
7 f
2379('caddr')X
9 f
3163(|)X
7 f
3483([PAD])X
9 f
4027(|)X
7 f
555 2592(+==========================+==========================+=================+)N
1 f
555 2736(The)N
701(ticket)X
900(should)X
1134(be)X
1231(thought)X
1496(of)X
1584(as)X
1672(an)X
1769(opaque)X
2021(object.)X
2277(It)X
2346(is)X
2419(of)X
2506(type)X
2664(bytes_asn1,)X
3060(and)X
3196(its)X
3291(\256rst)X
3435(few)X
3576(octets)X
3783(encode)X
555 2832(its)N
654(length.)X
918(Although)X
1244(the)X
1366(ticket)X
1568(itself)X
1752(is)X
1829(a)X
1889(multiple)X
2179(of)X
2270(blocksize)X
2597(octets,)X
2828(the)X
2950(ticket)X
3152(\256eld)X
3317(is)X
3393(not)X
3518(\(because)X
3823(of)X
3913(the)X
555 2928(length)N
775(encoding\).)X
1156(It)X
1225(is)X
1298(not)X
1420(necessary)X
1753(for)X
1867(the)X
1985(ticket)X
2183(to)X
2265(be)X
2361(aligned.)X
755 3052(The)N
905(encrypted)X
1247(part)X
1397(of)X
1488(the)X
1610(response)X
1915(\(shown)X
2175(above)X
2391(between)X
2683(double)X
2925(dashed)X
3172(lines\))X
3374(must)X
3553(begin)X
3755(and)X
3895(end)X
555 3148(on)N
669(a)X
739(blocksize)X
1076(boundary.)X
1453(Encryption)X
1843(occurs)X
2087(under)X
2304(the)X
2436(client's)X
2706(secret)X
2928(key)X
3078(if)X
3161(this)X
3310(is)X
3397(a)X
3467(message)X
3773(of)X
3873(type)X
555 3244(KRB_AP_REP.)N
1110(If)X
1187(the)X
1308(type)X
1468(is)X
1543(KRB_TGS_REP,)X
2126(then)X
2286(the)X
2406(session)X
2659(key)X
2797(from)X
2975(the)X
3095(ticket-granting)X
3589(ticket)X
3789(is)X
3864(used)X
555 3340(for)N
669(the)X
787(encryption.)X
555 3464(The)N
706(caddr)X
911(\256eld)X
1079(will)X
1229(contain)X
1491(the)X
1615(requested)X
1949(addresses)X
2283(\(for)X
2430(modi\256cation)X
2860(detection\))X
3207(if)X
3282(the)X
3406(message)X
3703(is)X
3781(of)X
3873(type)X
555 3560(KRB_AS_REP.)N
1110(If)X
1187(the)X
1308(type)X
1469(is)X
1545(KRB_TGS_REP,)X
2128(then)X
2288(this)X
2425(\256eld)X
2589(will)X
2735(only)X
2899(be)X
2997(\256lled)X
3183(in)X
3267(if)X
3338(the)X
3458(request)X
3712(was)X
3859(for)X
3975(a)X
555 3656(proxy)N
764(or)X
853(forwarded)X
1206(ticket.)X
1446(If)X
1522(not,)X
1666(then)X
1826(the)X
1946(addresses)X
2276(contained)X
2610(in)X
2694(the)X
2814(ticket)X
3014(are)X
3135(the)X
3255(same)X
3442(as)X
3531(included)X
3829(in)X
3913(the)X
555 3752(ticket-granting)N
1047(ticket.)X
3 f
12 s
555 3944(7.3.)N
747(Client/Server)X
1322(\(CS\))X
1532(message)X
1892(speci\256cations)X
1 f
10 s
755 4068(This)N
922(section)X
1174(speci\256es)X
1475(the)X
1598(format)X
1837(of)X
1929(the)X
2052(messages)X
2380(used)X
2552(for)X
2671(the)X
2794(authentication)X
3272(of)X
3363(the)X
3485(client)X
3687(to)X
3773(the)X
3895(end)X
555 4164(server.)N
3 f
555 4356(7.3.1.)N
775(KRB_AP_REQ)X
1328(de\256nition)X
1 f
755 4480(The)N
918(KRB_AP_REQ)X
1462(message)X
1772(contains)X
2077(the)X
2213(Kerberos)X
2546(protocol)X
2851(version)X
3125(number,)X
3428(the)X
3564(message)X
3873(type)X
555 4576(KRB_AP_REQ,)N
1103(an)X
1201(options)X
1458(\256eld)X
1621(to)X
1704(indicate)X
1979(any)X
2116(options)X
2372(in)X
2455(use,)X
2603(and)X
2740(the)X
2859(ticket)X
3058(and)X
3195(authenticator)X
3635(themselves.)X
555 4672(The)N
707(ticket)X
912(and)X
1055(authenticator)X
1501(are)X
1627(included)X
1930(in)X
2019(\256elds)X
2219(of)X
2313(type)X
2478(bytes_asn1,)X
2881(and)X
3024(the)X
3149(lengths)X
3406(are)X
3531(encoded)X
3825(in)X
3913(the)X
555 4768(initial)N
761(octets.)X
1008(The)X
1153(KRB_AP_REQ)X
1679(message)X
1971(is)X
2044(often)X
2229(referred)X
2505(to)X
2587(as)X
2674(the)X
2792("authentication)X
3299(header".)X
2 f
1137 4912(Length)N
1516(Type)X
1814(Label)X
2353(Value)X
1 f
1137 5104(variable)N
1814(asn1_header)X
2353(ASN.1)X
2593(compatibility)X
3039(header)X
1137 5200(1)N
1197(octet)X
1516(ui_1)X
1814(pvno)X
2353(protocol)X
2640(version)X
2896(number)X
3161(\(=)X
3253(5\))X
1137 5296(1)N
1197(octet)X
1516(type)X
1814(type)X
2353(message)X
2645(type)X
2803(\(=)X
2895(KRB_AP_REQ\))X
1137 5392(4)N
1197(octets)X
1516(\257ags)X
1814(ap_options)X
2353(message)X
2645(options)X
1137 5488(variable)N
1516(ticket)X
1814(ticket)X
2353(Ticket)X
1137 5584(variable)N
1516(ticket)X
1814(authenticator)X
2353(Authenticator)X
555 5728(The)N
700(message)X
992(format)X
1226(is:)X
555 6144(Section)N
815(7.3.1.)X
2196(-)X
2243(38)X
2343(-)X
39 p
%%Page: 39 41
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
555 672(+-----------------+--------+--------+--------+--------+--------+--------+)N
9 f
571 768(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
1563(pvno)X
9 f
1867(|)X
7 f
1995(type)X
9 f
2299(|)X
7 f
2907(ap_options)X
9 f
4027(|)X
7 f
555 864(+-----------------+--------+--------+--------+--------+-----------------+)N
9 f
571 960(|)N
7 f
1947('ticket')X
9 f
4027(|)X
7 f
555 1056(+-----------------------------------------------------------------------+)N
9 f
571 1152(|)N
7 f
1803('authenticator')X
9 f
4027(|)X
7 f
555 1248(+-----------------------------------------------------------------------+)N
3 f
555 1584(7.3.2.)N
775(KRB_AP_REP)X
1315(de\256nition)X
1 f
755 1708(The)N
905(KRB_AP_REP)X
1422(message)X
1719(contains)X
2011(the)X
2134(Kerberos)X
2454(protocol)X
2746(version)X
3006(number,)X
3295(the)X
3417(message)X
3713(type,)X
3895(and)X
555 1804(an)N
651(encrypted)X
988(timestamp.)X
1381(The)X
1526(message)X
1818(is)X
1891(sent)X
2040(in)X
2122(response)X
2423(to)X
2505(a)X
2561(request)X
2813(for)X
2927(mutual)X
3169(authentication.)X
2 f
988 1948(Length)N
1468(Type)X
1921(Label)X
2443(Value)X
1 f
988 2140(variable)N
1921(asn1_header)X
2443(ASN.1)X
2683(compatibility)X
3129(header)X
988 2236(1)N
1048(octet)X
1468(ui_1)X
1921(pvno)X
2443(protocol)X
2730(version)X
2986(number)X
3251(\(=)X
3343(5\))X
988 2332(1)N
1048(octet)X
1468(type)X
1921(type)X
2443(message)X
2735(type)X
2893(\(=)X
2985(KRB_AP_REP\))X
988 2428(========)N
988 2524(4)N
1048(octets)X
1468(timestamp)X
1921(ctime)X
2443(ctime)X
2641(from)X
2817(authenticator)X
3256(\(nonce\))X
988 2620(2)N
1048(octets)X
1468(ui_2)X
1921(cmsec)X
2443(cmsec)X
2664(from)X
2840(authenticator)X
988 2716(variable)N
1468(PAD)X
1921(PAD)X
2443(null)X
2587(pad)X
2723(to)X
2805(blocksize-octet)X
3311(multiple)X
988 2812(=======)N
555 2956(The)N
700(data)X
854(between)X
1142(the)X
1260(double)X
1498(dashed)X
1741(lines)X
1912(are)X
2031(encrypted)X
2368(in)X
2450(the)X
2568(shared)X
2798(session)X
3049(key.)X
7 f
555 3052(+-----------------+--------+--------+)N
9 f
571 3148(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
1563(pvno)X
9 f
1867(|)X
7 f
1995(type)X
9 f
2299(|)X
7 f
555 3244(+========+========+========+========+========+========+=================+)N
9 f
571 3340(|)N
7 f
1323(ctime)X
9 f
2299(|)X
7 f
2619(cmsec)X
9 f
3163(|)X
7 f
3483([PAD])X
9 f
4027(|)X
7 f
555 3436(+========+========+========+========+========+========+=================+)N
3 f
555 3772(7.3.3.)N
775(Error)X
996(message)X
1297(reply)X
1 f
755 3992(If)N
830(an)X
927(error)X
1105(occurs,)X
1356(the)X
1475(KRB_ERROR)X
1966(message)X
2259(will)X
2404(be)X
2501(sent)X
2651(in)X
2734(response.)X
3076(The)X
3222("cname")X
3519(\256eld)X
3681(may)X
3839(be)X
3935(an)X
555 4088(empty)N
789(string)X
1005(array)X
1205(and)X
1355(the)X
1487("crealm")X
1806(\256eld)X
1982(may)X
2154(be)X
2263(an)X
2372(empty)X
2605(string)X
2820(if)X
2902(the)X
3033(server)X
3263(cannot)X
3510(determine)X
3864(their)X
555 4184(appropriate)N
944(values)X
1172(from)X
1351(the)X
1472(corresponding)X
1954(KRB_AP_REQ)X
2483(message.)X
2818(The)X
2966(ctime)X
3166(and)X
3304(cmsec)X
3527(\256elds)X
3722(will)X
3868(con-)X
555 4280(tain)N
695(the)X
813(values)X
1038(read)X
1197(from)X
1373(the)X
1491(authenticator)X
1930(if)X
1999(they)X
2157(were)X
2334(successfully)X
2746(read.)X
3 f
12 s
555 4472(7.4.)N
747(Ticket-granting)X
1417(service)X
1725(\(TGS\))X
2005(message)X
2365(de\256nition)X
1 f
10 s
755 4596(This)N
928(section)X
1186(speci\256es)X
1493(the)X
1622(format)X
1867(of)X
1965(the)X
2094(messages)X
2428(used)X
2606(to)X
2699(request)X
2961(additional)X
3311(ticket)X
3519(from)X
3705(the)X
3833(ticket)X
555 4692(granting)N
842(server)X
1059(after)X
1227(the)X
1345(initial)X
1551(ticket)X
1749(granting)X
2036(ticket)X
2234(has)X
2361(been)X
2533(received.)X
3 f
555 4884(7.4.1.)N
775(KRB_TGS_REQ)X
1380(de\256nition)X
1 f
755 5008(The)N
916(KRB_TGS_REQ)X
1507(message)X
1815(consists)X
2104(of)X
2207(an)X
2319(authentication)X
2808(header)X
3058(\(KRB_AP_REQ,)X
3646(see)X
3784(section)X
555 5104(7.3\),)N
727(and)X
868(\256elds)X
1066(containing)X
1429(information)X
1832(about)X
2035(the)X
2158(speci\256c)X
2428(request.)X
2725(These)X
2941(\256elds)X
3138(include)X
3398(the)X
3520(desired)X
3776(options)X
555 5200(for)N
672(the)X
793(new)X
950(ticket,)X
1170(the)X
1290(host)X
1445(addresses)X
1775(to)X
1859(insert)X
2059(in)X
2143(the)X
2263(ticket,)X
2483(the)X
2603(desired)X
2857(start)X
3017(and)X
3155(expiration)X
3502(times,)X
3717(the)X
3837(name)X
555 5296(of)N
648(the)X
772(server)X
995(for)X
1114(which)X
1335(credentials)X
1708(are)X
1832(to)X
1919(be)X
2020(obtained,)X
2341(and)X
2482(the)X
2605(client's)X
2866(timestamp.)X
3264(The)X
3414(client)X
3617(may)X
3780(option-)X
555 5392(ally)N
698(include)X
957(addresses)X
1288(from)X
1467(which)X
1686(the)X
1807(new)X
1964(ticket)X
2165(is)X
2241(to)X
2326(be)X
2424(valid,)X
2626(a)X
2684(second)X
2929(ticket,)X
3149(or)X
3238(a)X
3296(free-form)X
3627(sequence)X
3944(of)X
555 5488(bytes)N
748(\(the)X
897(authorization_dat)X
1482(\256eld\))X
1674(to)X
1759(be)X
1858(sealed)X
2082(in)X
2167(the)X
2288(ticket)X
2489(and)X
2628(used)X
2798(to)X
2883(assist)X
3079(in)X
3164(authorization)X
3610(decisions)X
3931(by)X
555 5584(the)N
673(server.)X
2 f
716 5728(Length)N
1273(Type)X
1899(Label)X
2580(Value)X
1 f
555 6144(Section)N
815(7.4.1.)X
2196(-)X
2243(39)X
2343(-)X
40 p
%%Page: 40 42
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
716 672(variable)N
1273(KRB_AP_REQ)X
1899(KRB_AP_REQ)X
2580(KRB_AP_REQ)X
3106(header)X
716 768(variable)N
1899(asn1_header)X
2580(ASN.1)X
2820(compatibility)X
3266(header)X
716 864(1)N
776(octet)X
1273(ui_1)X
1899(pvno)X
2580(protovol)X
2871(version)X
3127(number)X
3392(\(=)X
3484(5\))X
716 960(1)N
776(octet)X
1273(type)X
1899(type)X
2580(message)X
2872(type)X
3030(\(=)X
3122(KRB_TGS_REQ\))X
716 1056(4)N
776(octets)X
1273(\257ags)X
1899(options)X
2580(options)X
2835(desired)X
716 1152(4)N
776(octets)X
1273(timestamp)X
1899(from)X
2580(desired)X
2832(start)X
2990(time)X
716 1248(4)N
776(octets)X
1273(timestamp)X
1899(till)X
2580(desired)X
2832(expiration)X
3177(time)X
716 1344(4)N
776(octets)X
1273(timestamp)X
1899(rtime)X
2580(OPTIONAL:)X
3023(desired)X
3275(renew_till)X
716 1440(4)N
776(octets)X
1273(timestamp)X
1899(ctime)X
2580(client's)X
2836(timestamp)X
3189(in)X
3271(seconds)X
716 1536(2)N
776(octets)X
1273(ui_2)X
1899(etype)X
2580(desired)X
2832(encryption)X
3195(type)X
3353(for)X
3467(reply)X
716 1632(<=)N
826(128)X
966(octets)X
1273(stringarray)X
1899(sname)X
2580(name)X
2774(of)X
2861(service)X
716 1728(<=)N
826(256)X
966(octets)X
1273(hostaddr)X
1899(addresses)X
2580(OPTIONAL:)X
3023(host)X
3176(address\(es\))X
3558(for)X
3672(ticket)X
716 1824(variable)N
1273(PAD)X
1899(PAD)X
2580(null)X
2724(pad)X
2860(to)X
2942(blocksize-octet)X
3448(multiple)X
716 1920(========)N
716 2016(<=)N
826(512)X
966(octets)X
1273(bytes_asn1)X
1899(authorization_dat)X
2580(OPTIONAL:)X
3023(authorization)X
3466(data)X
716 2112(variable)N
1273(ticket)X
1899(second_ticket)X
2580(OPTIONAL:)X
3023(additional)X
3363(ticket)X
716 2208(variable)N
1273(PAD)X
1899(PAD)X
2580(null)X
2724(pad)X
2860(to)X
2942(blocksize-octet)X
3448(multiple)X
716 2304(========)N
555 2448(The)N
717(data)X
888(between)X
1193(dashed)X
1453(lines)X
1641(are)X
1777(encrypted)X
2131(in)X
2230(the)X
2365(session)X
2633(key)X
2786(from)X
2979(the)X
3114(ticket)X
3329(granting)X
3632(ticket.)X
3886(The)X
555 2544(optional)N
845(\256elds)X
1046(are)X
1173(only)X
1343(included)X
1647(if)X
1724(necessary)X
2064(to)X
2153(perform)X
2439(the)X
2564(operation)X
2894(speci\256ed)X
3206(in)X
3295(the)X
3420("options")X
3748(\256eld.)X
3957(If)X
555 2640(none)N
743(of)X
842(the)X
972(three)X
1165(optional)X
1458(\256elds)X
1662(are)X
1792(included,)X
2119(then)X
2288(the)X
2417(encrypted)X
2765(part)X
2921(of)X
3019(the)X
3148(request)X
3411(is)X
3495(eliminated)X
3864(alto-)X
555 2736(gether.)N
816(The)X
961(optional)X
1243(\256elds)X
1436(are)X
1555(followed)X
1860(by)X
1960(a)X
2016(PAD.)X
555 2928(The)N
703(user-supplied)X
1158(checksum)X
1502(of)X
1592(the)X
1712(KRB_AP_REQ)X
2240(header)X
2477(of)X
2566(the)X
2686(KRB_TGS_REQ)X
3263(message)X
3557(is)X
3632(a)X
3690(checksum)X
555 3024(of)N
650(the)X
776(KRB_TGS_REQ)X
1359(\256elds)X
1560(\(from)X
1771(pvno)X
1958(to)X
2047(second_ticket,)X
2535(inclusive\))X
2878(before)X
3111(encryption.)X
3521(This)X
3690(checksum)X
555 3120(enables)N
833(the)X
968(KDC)X
1174(to)X
1273(determine)X
1631(whether)X
1927(the)X
2062(encrypted)X
2416(portions)X
2715(of)X
2819(the)X
2954(KRB_TGS_REQ)X
3546(message)X
3854(were)X
555 3216(modi\256ed)N
859(in)X
941(transit.)X
555 3408(It)N
630(should)X
869(be)X
971(noted)X
1175(that)X
1321(in)X
1409(KRB_TGS_REQ,)X
2010(the)X
2134(protocol)X
2427(version)X
2688(number)X
2958(appears)X
3229(twice,)X
3448(and)X
3589(two)X
3734(different)X
555 3504(message)N
867(types)X
1075(appear.)X
1369(The)X
1533(authentication)X
2026(header)X
2280(\(KRB_AP_REQ\))X
2879(includes)X
3185(these)X
3389(\256elds,)X
3621(as)X
3727(does)X
3913(the)X
555 3600(KRB_TGS_REQ)N
1130(message)X
1422(itself.)X
555 3792(The)N
700(packet)X
930(format)X
1164(is)X
1237(\(optional)X
1546(\256elds)X
1739(in)X
1821([brackets]\):)X
555 6144(Section)N
815(7.4.1.)X
2196(-)X
2243(40)X
2343(-)X
41 p
%%Page: 41 43
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
555 672(+-----------------------------------------------------------------------+)N
9 f
571 768(|)N
4027(|)X
7 f
555 864(/)N
2043(KRB_AP_REQ)X
4011(/)X
9 f
571 960(|)N
4027(|)X
7 f
555 1056(+-----------------+--------+--------+--------+--------+--------+--------+)N
9 f
571 1152(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
1563(pvno)X
9 f
1867(|)X
7 f
1995(type)X
9 f
2299(|)X
7 f
3003(options)X
9 f
4027(|)X
7 f
555 1248(+-----------------+--------+--------+--------+--------+--------+--------+)N
9 f
571 1344(|)N
7 f
1323(from)X
9 f
2299(|)X
7 f
3051(till)X
9 f
4027(|)X
7 f
555 1440(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 1536(|)N
7 f
1275([rtime])X
9 f
2299(|)X
7 f
3051(ctime)X
9 f
4027(|)X
7 f
555 1632(+--------+--------+-----------------+--------+--------+--------+--------+)N
9 f
571 1728(|)N
7 f
891(etype)X
9 f
1435(|)X
7 f
2571(<sname>)X
9 f
4027(|)X
7 f
555 1824(+-----------------+-----------------+-----------------------------------+)N
9 f
571 1920(|)N
7 f
1131(['addresses'])X
9 f
2299(|)X
7 f
3051([PAD])X
9 f
4027(|)X
7 f
555 2016(+===================================+===================================+)N
9 f
571 2112(|)N
7 f
1851(['authorization_data'])X
9 f
4027(|)X
7 f
555 2208(+-----------------------------------------------------------------------+)N
9 f
571 2304(|)N
7 f
1899([)X
1995('second_ticket')X
2763(])X
9 f
4027(|)X
7 f
555 2400(+-----------------------------------------------------------------------+)N
9 f
571 2496(|)N
7 f
2187([PAD])X
9 f
4027(|)X
7 f
555 2592(+=======================================================================+)N
3 f
555 2832(7.4.2.)N
775(KRB_TGS_REP)X
1367(de\256nition)X
1 f
755 2956(The)N
904(KRB_TGS_REP)X
1469(is)X
1546(an)X
1646(instance)X
1932(of)X
2022(the)X
2143(KRB_KDC_REP)X
2725(message)X
3020(described)X
3351(in)X
3436(section)X
3686(7.2.3)X
3869(with)X
555 3052(the)N
680(message)X
978(type)X
1142(KRB_TGS_REP,)X
1729(and)X
1871(where)X
2094(the)X
2218(ciphertext)X
2565(portion)X
2822(is)X
2901(encrypted)X
3244(in)X
3332(the)X
3456(session)X
3713(key)X
3855(from)X
555 3148(the)N
677(ticket)X
879(granting)X
1170(ticket.)X
1412(The)X
1561('caddr')X
1818(\256eld)X
1984(in)X
2069(the)X
2190(KRB_TGS_REP)X
2754(is)X
2830(set)X
2942(to)X
3027(the)X
3148(contents)X
3438(of)X
3528(the)X
3649('addresses')X
555 3244(\256eld)N
750(of)X
870(the)X
1021(corresponding)X
1533(KRB_TGS_REP)X
2127(\(if)X
2256(present\))X
2568(or)X
2688(the)X
2839('caddr')X
3125(\256eld)X
3320(of)X
3440(the)X
3591(TGT)X
3799(in)X
3913(the)X
555 3340(KRB_TGS_REP)N
1116(\(if)X
1212(no)X
1312('addresses')X
1694(\256eld)X
1856(is)X
1929(supplied\).)X
3 f
12 s
555 3724(7.5.)N
747(KRB_SAFE)X
1272(message)X
1632(speci\256cation)X
1 f
10 s
755 3848(This)N
921(section)X
1171(speci\256es)X
1470(the)X
1591(format)X
1828(of)X
1918(a)X
1977(message)X
2272(that)X
2415(can)X
2550(be)X
2649(used)X
2819(by)X
2922(either)X
3128(side)X
3280(\(client)X
3508(or)X
3598(server\))X
3845(of)X
3935(an)X
555 3944(application)N
934(to)X
1019(send)X
1189(a)X
1248(tamper-proof)X
1695(message)X
1990(to)X
2075(its)X
2173(peer.)X
2375(It)X
2447(presumes)X
2773(that)X
2916(a)X
2975(session)X
3229(key)X
3368(has)X
3498(previously)X
3859(been)X
555 4040(exchanged)N
919(\(for)X
1060(example,)X
1372(by)X
1472(using)X
1665(the)X
1783(KRB_AP_REQ)X
2309(message\).)X
3 f
555 4260(7.5.1.)N
775(KRB_SAFE)X
1212(de\256nition)X
1 f
755 4384(The)N
903(KRB_SAFE)X
1325(message)X
1620(contains)X
1910(user)X
2067(data)X
2224(along)X
2425(with)X
2590(a)X
2648(cryptographic)X
3116(checksum)X
3459(based)X
3664(on)X
3766(the)X
3886(ses-)X
555 4480(sion)N
708(key.)X
884(The)X
1029(message)X
1321(\256elds)X
1514(are:)X
2 f
797 4624(Length)N
1354(Type)X
1830(Label)X
2449(Value)X
1 f
797 4816(variable)N
1830(asn1_header)X
2449(ASN.1)X
2689(compatibility)X
3135(header)X
797 4912(1)N
857(octet)X
1354(ui_1)X
1830(pvno)X
2449(protocol)X
2736(version)X
2992(number)X
3257(\(=)X
3349(5\))X
797 5008(1)N
857(octet)X
1354(type)X
1830(type)X
2449(message)X
2741(type)X
2899(\(=)X
2991(KRB_SAFE\))X
797 5104(========)N
797 5200(variable)N
1354(bytes_asn1)X
1830(DATA)X
2449(user)X
2603(data)X
797 5296(4)N
857(octets)X
1354(timestamp)X
1830(timestamp)X
2449(message)X
2741(sender's)X
3029(timestamp)X
797 5392(2)N
857(octets)X
1354(ui_2)X
1830(msec)X
2449(sender's)X
2737(timestamp)X
3090(\(millisecond)X
3510(portion\))X
837 5488(1)N
897(bit)X
1354(--)X
1830(D)X
2449(direction)X
2754(in)X
2836(most)X
3011(signi\256cant)X
3364(bit)X
2449 5584(of)N
2536(msec)X
2721(\256eld)X
797 5680(<=)N
907(256)X
1047(octets)X
1354(hostaddr)X
1830(haddr)X
2449(sender's)X
2737(host)X
2890(address\(es\))X
797 5776(2)N
857(octets)X
1354(ui_2)X
1830(checksum_type)X
2449(type)X
2607(of)X
2694(checksum)X
555 6144(Section)N
815(7.5.1.)X
2196(-)X
2243(41)X
2343(-)X
42 p
%%Page: 42 44
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
797 672(========)N
797 768(variable)N
1354(bytes_asn1)X
1830(checksum)X
2449(cryptographic)X
2915(checksum)X
555 1008(The)N
700(data)X
854(between)X
1142(the)X
1260(dashed)X
1503(lines)X
1674(above)X
1886(are)X
2005(computed)X
2341(into)X
2485(the)X
2603(checksum.)X
2984(The)X
3129(packet)X
3359(format)X
3593(is:)X
7 f
555 1200(+-----------------+--------+--------+)N
9 f
571 1296(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
1563(pvno)X
9 f
1867(|)X
7 f
1995(type)X
9 f
2299(|)X
7 f
555 1392(+=================+========+========+===================================+)N
9 f
571 1488(|)N
4027(|)X
7 f
555 1584(/)N
2139('DATA')X
4011(/)X
9 f
571 1680(|)N
4027(|)X
7 f
555 1776(+--------+--------+--------+--------+--------+--------+-----------------+)N
9 f
571 1872(|)N
7 f
1227(timestamp)X
9 f
2299(|)X
7 f
2331(D)X
2619(msec)X
9 f
3163(|)X
7 f
3435('haddr')X
9 f
4027(|)X
7 f
555 1968(+--------+--------+--------+--------+--------+--------+-----------------+)N
9 f
571 2064(|)N
7 f
699(checksum_type)X
9 f
1435(|)X
7 f
555 2160(+========+========+=====================================================+)N
9 f
571 2256(|)N
7 f
2091('checksum')X
9 f
4027(|)X
7 f
555 2352(+-----------------------------------------------------------------------+)N
3 f
12 s
555 2592(7.6.)N
747(KRB_PRIV)X
1261(message)X
1621(speci\256cation)X
1 f
10 s
755 2716(This)N
921(section)X
1171(speci\256es)X
1470(the)X
1591(format)X
1828(of)X
1918(a)X
1977(message)X
2272(that)X
2415(can)X
2550(be)X
2649(used)X
2819(by)X
2922(either)X
3128(side)X
3280(\(client)X
3508(or)X
3598(server\))X
3845(of)X
3935(an)X
555 2812(application)N
936(to)X
1023(securely)X
1316(and)X
1457(privately)X
1767(send)X
1939(a)X
2000(message)X
2297(to)X
2384(its)X
2484(peer.)X
2688(It)X
2762(presumes)X
3089(that)X
3233(a)X
3293(session)X
3548(key)X
3688(has)X
3819(previ-)X
555 2908(ously)N
748(been)X
920(exchanged)X
1284(\(for)X
1425(example,)X
1737(by)X
1837(using)X
2030(the)X
2148(KRB_AP_REQ)X
2674(message\).)X
3 f
555 3100(7.6.1.)N
775(KRB_PRIV)X
1204(de\256nition)X
1 f
755 3224(The)N
900(KRB_PRIV)X
1306(message)X
1598(contains)X
1885(user)X
2039(data)X
2193(encrypted)X
2530(in)X
2612(the)X
2730(Session)X
2994(Key.)X
3188(The)X
3333(message)X
3625(\256elds)X
3818(are:)X
2 f
846 3368(Length)N
1403(Type)X
1879(Label)X
2401(Value)X
1 f
846 3560(variable)N
1879(asn1_header)X
2401(ASN.1)X
2641(compatibility)X
3087(header)X
846 3656(1)N
906(octet)X
1403(ui_1)X
1879(pvno)X
2401(protocol)X
2688(version)X
2944(number)X
3209(\(=)X
3301(5\))X
846 3752(1)N
906(octet)X
1403(type)X
1879(type)X
2401(message)X
2693(type)X
2851(\(=)X
2943(KRB_PRIV\))X
846 3848(4)N
906(octets)X
1403(ui_4)X
1879(len_E)X
2401(length)X
2621(of)X
2708(encrypted)X
3045(portion)X
846 3944(2)N
906(octets)X
1403(ui_2)X
1879(etype)X
2401(encryption)X
2764(type)X
846 4040(=======)N
846 4136(variable)N
1403(bytes_asn1)X
1879(DATA)X
2401(user)X
2555(data)X
846 4232(4)N
906(octets)X
1403(timestamp)X
1879(timestamp)X
2401(sender's)X
2689(timestamp)X
3042(\(seconds\))X
846 4328(2)N
906(octets)X
1403(ui_2)X
1879(msec)X
2401(sender's)X
2689(timestamp)X
3042(\(millisecond)X
3462(portion\))X
886 4424(1)N
946(bit)X
1403(--)X
1879(D)X
2401(direction)X
2706(in)X
2788(most)X
2963(signi\256cant)X
3316(bit)X
2401 4520(of)N
2488(msec)X
2673(\256eld)X
846 4616(<=)N
956(256)X
1096(octets)X
1403(hostaddr)X
1879(haddr)X
2401(sender's)X
2689(host)X
2842(address\(es\))X
846 4712(variable)N
1403(PAD)X
1879(PAD)X
2401(null)X
2545(pad)X
2681(to)X
2763(blocksize-octet)X
3269(multiple)X
846 4808(=======)N
755 4980(The)N
900(\256elds)X
1093(between)X
1381(the)X
1499(double)X
1737(dashed)X
1980(lines)X
2151(are)X
2270(encrypted)X
2607(in)X
2689(the)X
2807(session)X
3058(key)X
3194(before)X
3420(transmission.)X
755 5104(The)N
900(packet)X
1130(format)X
1364(is:)X
555 6144(Section)N
815(7.6.1.)X
2196(-)X
2243(42)X
2343(-)X
43 p
%%Page: 43 45
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
555 672(+-----------------+--------+--------+--------+--------+--------+--------+)N
9 f
571 768(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
1563(pvno)X
9 f
1867(|)X
7 f
1995(type)X
9 f
2299(|)X
7 f
3051(len_E)X
9 f
4027(|)X
7 f
555 864(+--------+--------+--------+--------+--------+--------+--------+--------+)N
9 f
571 960(|)N
7 f
891(etype)X
9 f
1435(|)X
7 f
555 1056(+========+========+========+========+========+========+========+========+)N
9 f
571 1152(|)N
4027(|)X
7 f
555 1248(/)N
2139('DATA')X
4011(/)X
9 f
571 1344(|)N
4027(|)X
7 f
555 1440(+--------+--------+--------+--------+--------+--------+-----------------+)N
9 f
571 1536(|)N
7 f
1179(timestamp)X
9 f
2299(|)X
7 f
2331(D)X
2667(msec)X
9 f
3163(|)X
7 f
555 1632(+-----------------------------------+-----------------+-----------------+)N
9 f
571 1728(|)N
7 f
1275('haddr')X
9 f
2299(|)X
7 f
3051([PAD])X
9 f
4027(|)X
7 f
555 1824(+===================================+===================================+)N
3 f
12 s
555 2064(7.7.)N
747(Error)X
1012(message)X
1372(speci\256cation)X
1 f
10 s
755 2188(This)N
920(section)X
1170(speci\256es)X
1469(the)X
1590(format)X
1827(for)X
1944(the)X
2065(KRB_ERROR)X
2558(message.)X
2893(The)X
3041(\256elds)X
3237(included)X
3535(in)X
3619(the)X
3739(message)X
555 2284(are)N
678(intended)X
978(to)X
1064(return)X
1280(as)X
1371(much)X
1573(information)X
1975(as)X
2066(possible)X
2352(about)X
2554(an)X
2654(error.)X
2875(It)X
2948(is)X
3025(not)X
3151(expected)X
3461(that)X
3604(all)X
3707(the)X
3828(infor-)X
555 2380(mation)N
805(required)X
1101(by)X
1209(the)X
1335(\256elds)X
1536(will)X
1688(be)X
1791(available)X
2108(for)X
2229(all)X
2336(types)X
2532(of)X
2626(errors.)X
2881(If)X
2962(information)X
3367(is)X
3447(not)X
3576(available,)X
3913(the)X
555 2476(corresponding)N
1039(\256eld)X
1206(will)X
1355(be)X
1456(\256lled)X
1645(with)X
1812(zeroes)X
2043(\(if)X
2144(it)X
2213(is)X
2291(numeric\),)X
2626(or)X
2718(be)X
2819(a)X
2880(zero-length)X
3271(string)X
3477(\(if)X
3577(it)X
3645(is)X
3722(a)X
3782(string\).)X
555 2572(To)N
664(interpret)X
956(the)X
1074(error)X
1251(code,)X
1443(see)X
1566(section)X
1813(8.)X
3 f
555 2764(7.7.1.)N
775(KRB_ERROR)X
1297(de\256nition)X
1 f
755 2888(The)N
900(KRB_ERROR)X
1390(message)X
1682(consists)X
1955(of)X
2042(the)X
2160(following)X
2491(\256elds:)X
2 f
856 3032(Length)N
1413(Type)X
1881(Label)X
2403(Value)X
1 f
856 3224(variable)N
1881(asn1_header)X
2403(ASN.1)X
2643(compatibility)X
3089(header)X
856 3320(1)N
916(octet)X
1413(ui_1)X
1881(pvno)X
2403(protocol)X
2690(version)X
2946(number)X
3211(\(=)X
3303(5\))X
856 3416(1)N
916(octet)X
1413(type)X
1881(type)X
2403(message)X
2695(type)X
2853(\(=)X
2945(KRB_ERROR\))X
856 3512(4)N
916(octets)X
1413(timestamp)X
1881(ctime)X
2403(client's)X
2659(timestamp)X
3012(in)X
3094(seconds)X
856 3608(2)N
916(octets)X
1413(ui_2)X
1881(cmsec)X
2403(client's)X
2659(timestamp)X
3012(\(millisecond)X
3432(portion\))X
856 3704(2)N
916(octets)X
1413(ui_2)X
1881(smsec)X
2403(server's)X
2678(timestamp)X
3031(\(millisecond)X
3451(portion\))X
856 3800(4)N
916(octets)X
1413(timestamp)X
1881(stime)X
2403(server's)X
2678(timestamp)X
3031(in)X
3113(seconds)X
856 3896(4)N
916(octets)X
1413(ui_4)X
1881(error)X
2403(error)X
2580(code)X
856 3992(<=)N
966(128)X
1106(octets)X
1413(string)X
1881(crealm)X
2403(client's)X
2659(realm)X
856 4088(<=)N
966(128)X
1106(octets)X
1413(stringarray)X
1881(cname)X
2403(client's)X
2659(name)X
856 4184(<=)N
966(128)X
1106(octets)X
1413(string)X
1881(srealm)X
2403(server's)X
2678(realm)X
856 4280(<=)N
966(128)X
1106(octets)X
1413(stringarray)X
1881(sname)X
2403(server's)X
2678(name)X
856 4376(<=)N
966(128)X
1106(octets)X
1413(string)X
1881(e_text)X
2403(additional)X
2743(error)X
2920(text)X
555 4520(in)N
637(the)X
755(following)X
1086(format:)X
555 6144(Section)N
815(7.7.1.)X
2196(-)X
2243(43)X
2343(-)X
44 p
%%Page: 44 46
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
555 672(+-----------------+--------+--------+--------+--------+---------+--------+)N
9 f
571 768(|)N
7 f
747(asn1_header)X
9 f
1435(|)X
7 f
1563(pvno)X
9 f
1867(|)X
7 f
1995(type)X
9 f
2299(|)X
7 f
3051(ctime)X
9 f
4075(|)X
7 f
555 864(+--------+--------+--------+--------+--------+--------+---------+--------+)N
9 f
571 960(|)N
7 f
891(cmsec)X
9 f
1435(|)X
7 f
1755(smsec)X
9 f
2299(|)X
7 f
3051(stime)X
9 f
4075(|)X
7 f
555 1056(+--------+--------+--------+--------+--------+--------+---------+--------+)N
9 f
571 1152(|)N
7 f
1323(error)X
9 f
2299(|)X
7 f
2955("crealm")X
9 f
4075(|)X
7 f
555 1248(+--------+--------+--------+--------+------------------------------------+)N
9 f
571 1344(|)N
7 f
2187(<cname>)X
9 f
4075(|)X
7 f
555 1440(+------------------------------------------------------------------------+)N
9 f
571 1536(|)N
7 f
2187("srealm")X
9 f
4075(|)X
7 f
555 1632(+------------------------------------------------------------------------+)N
9 f
571 1728(|)N
7 f
2187(<sname>)X
9 f
4075(|)X
7 f
555 1824(+------------------------------------------------------------------------+)N
9 f
571 1920(|)N
7 f
2187("e_text")X
9 f
4075(|)X
7 f
555 2016(+------------------------------------------------------------------------+)N
3 f
12 s
555 2352(8.)N
675(Constants)X
1 f
10 s
755 2476(The)N
900(following)X
1231(table)X
1407(lists)X
1555(the)X
1673(constants)X
1991(used)X
2158(in)X
2240(the)X
2358(protocol)X
2645(and)X
2781(de\256nes)X
3028(their)X
3195(meanings.)X
2 f
555 2620(Label)N
2054(Value)X
2361(Meaning)X
2666(or)X
2757(MIT)X
2915(code)X
1 f
555 2812(pvno)N
2201(5)X
2361(current)X
2609(Kerberos)X
2924(protocol)X
3211(version)X
3467(number)X
555 3004(message)N
847(types)X
555 3196(KRB_AS_REQ)N
2201(2)X
2361(Request)X
2639(for)X
2753(initial)X
2959(authentication)X
555 3292(KRB_AS_REP)N
2201(4)X
2361(Response)X
2688(to)X
2770(KRB_AS_REQ)X
3296(request)X
555 3388(KRB_AP_REQ)N
2201(6)X
2361(application)X
2737(request)X
2989(to)X
3071(server)X
555 3484(KRB_AP_REQ_MUTUAL)N
2201(8)X
2361(KRB_AP_REQ)X
2887(with)X
3049(request)X
3301(for)X
2361 3580(mutual)N
2603(authentication)X
555 3676(KRB_AP_REP)N
2161(10)X
2361(Response)X
2688(to)X
2770(KRB_AP_REQ_MUTUAL)X
555 3772(KRB_TGS_REP)N
2161(12)X
2361(Response)X
2688(to)X
2770(KRB_TGS_REQ)X
3345(request)X
555 3868(KRB_SAFE)N
2161(14)X
2361(Safe)X
2524(\(checksummed\))X
3057(application)X
3433(message)X
555 3964(KRB_PRIV)N
2161(12)X
2361(Private)X
2608(\(encrypted\))X
2999(application)X
3375(message)X
555 4060(KRB_ERROR)N
2161(32)X
2361(Error)X
2551(response)X
555 4252(error)N
732(codes)X
555 4444(KDC_ERR_NONE)N
2201(0)X
2361(No)X
2479(error)X
555 4540(KDC_ERR_NAME_EXP)N
2201(1)X
2361(Client's)X
2634(entry)X
2819(in)X
2901(database)X
3198(has)X
3325(expired)X
555 4636(KDC_ERR_SERVICE_EXP)N
2201(2)X
2361(Server's)X
2649(entry)X
2834(in)X
2916(database)X
3213(has)X
3340(expired)X
555 4732(KDC_ERR_BAD_PVNO)N
2201(3)X
2361(Requested)X
2715(protocol)X
3002(version)X
3258(number)X
2361 4828(not)N
2483(supported)X
555 4924(KDC_ERR_C_OLD_MAST_KVNO)N
2201(4)X
2361(Client's)X
2634(key)X
2770(encrypted)X
3107(in)X
2361 5020(old)N
2483(master)X
2717(key)X
555 5116(KDC_ERR_S_OLD_MAST_KVNO)N
2201(5)X
2361(Server's)X
2649(key)X
2785(encrypted)X
3122(in)X
2361 5212(old)N
2483(master)X
2717(key)X
555 5308(KDC_ERR_C_PRINCIPAL_UNKNOWN)N
2201(6)X
2361(Client)X
2576(not)X
2698(found)X
2905(in)X
2987(Kerberos)X
3302(database)X
555 5404(KDC_ERR_S_PRINCIPAL_UNKNOWN)N
2201(7)X
2361(Server)X
2591(not)X
2713(found)X
2920(in)X
3002(Kerberos)X
3317(database)X
555 5500(KDC_ERR_PRINCIPAL_NOT_UNIQUE)N
2201(8)X
2361(Multiple)X
2656(entries)X
2890(for)X
3004(principal)X
2361 5596(in)N
2443(Kerberos)X
2758(database)X
555 5692(KDC_ERR_NULL_KEY)N
2201(9)X
2361(The)X
2506(client)X
2704(or)X
2791(server)X
3008(has)X
3135(a)X
3191(null)X
3335(key)X
555 5788(KDC_ERR_CANNOT_POSTDATE)N
2161(10)X
2361(Ticket)X
2586(not)X
2708(eligible)X
2968(for)X
3082(postdating)X
555 6144(Section)N
815(8.)X
2196(-)X
2243(44)X
2343(-)X
45 p
%%Page: 45 47
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(KDC_ERR_NEVER_VALID)N
2161(11)X
2361(Requested)X
2715(start)X
2873(time)X
3035(is)X
3108(later)X
3271(than)X
3429(end)X
3565(time)X
555 768(KDC_ERR_POLICY)N
2161(12)X
2361(KDC)X
2550(policy)X
2770(rejects)X
3000(request)X
555 864(KDC_ERR_BADOPTION)N
2161(13)X
2361(KDC)X
2550(cannot)X
2784(accomodate)X
3188(requested)X
3516(option)X
555 1056(KRB_AP_ERR_BAD_INTEGRITY)N
2161(31)X
2361(Integrity)X
2657(check)X
2865(on)X
2965(decrypted)X
3302(\256eld)X
3464(failed)X
555 1152(KRB_AP_ERR_TKT_EXPIRED)N
2161(32)X
2361(Ticket)X
2586(expired)X
555 1248(KRB_AP_ERR_TKT_NYV)N
2161(33)X
2361(Ticket)X
2586(not)X
2708(yet)X
2826(valid)X
555 1344(KRB_AP_ERR_REPEAT)N
2161(34)X
2361(Request)X
2639(is)X
2712(a)X
2768(replay)X
555 1440(KRB_AP_ERR_NOT_US)N
2161(35)X
2361(The)X
2506(ticket)X
2704(isn't)X
2866(for)X
2980(us)X
555 1536(KRB_AP_ERR_BADMATCH)N
2161(36)X
2361(Ticket)X
2586(and)X
2722(authenticator)X
3161(don't)X
3350(match)X
555 1632(KRB_AP_ERR_SKEW)N
2161(37)X
2361(Clock)X
2572(skew)X
2757(too)X
2879(great)X
555 1728(KRB_AP_ERR_BADADDR)N
2161(38)X
2361(Incorrect)X
2672(net)X
2790(address)X
555 1824(KRB_AP_ERR_BADVERSION)N
2161(39)X
2361(Protocol)X
2652(version)X
2908(mismatch)X
555 1920(KRB_AP_ERR_MSG_TYPE)N
2161(40)X
2361(Invalid)X
2608(msg)X
2761(type)X
555 2016(KRB_AP_ERR_MODIFIED)N
2161(41)X
2361(Message)X
2662(stream)X
2896(modi\256ed)X
555 2112(KRB_AP_ERR_BADORDER)N
2161(42)X
2361(Message)X
2662(out)X
2784(of)X
2871(order)X
555 2208(KRB_AP_ERR_BADKEYVER)N
2161(44)X
2361(Speci\256ed)X
2679(version)X
2935(of)X
3022(key)X
3158(is)X
3231(not)X
3353(available)X
555 2304(KRB_AP_ERR_NOKEY)N
2161(45)X
2361(Service)X
2622(key)X
2758(not)X
2880(available)X
555 2400(KRB_AP_ERR_ETYPE_NOSUPP)N
2161(46)X
2361(No)X
2479(support)X
2739(for)X
2853(encryption)X
3216(type)X
555 2496(KRB_AP_ERR_MUT_FAIL)N
2161(47)X
2361(Mutual)X
2612(authentication)X
3086(failed)X
555 2688(KRB_ERR_FIELD_TOOLONG)N
2161(50)X
2361(Field)X
2545(is)X
2618(too)X
2740(long)X
2902(for)X
3016(this)X
3151(implementation)X
555 6144(Section)N
815(8.)X
2196(-)X
2243(45)X
2343(-)X
46 p
%%Page: 46 48
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
12 s
555 672(9.)N
675(REFERENCES)X
1 f
10 s
555 852(1.)N
755(S.)X
845(P.)X
935(Miller,)X
1181(B.)X
1280(C.)X
1379(Neuman,)X
1697(J.)X
1774(I.)X
1847(Schiller,)X
2142(and)X
2284(J.)X
2361(H.)X
2465(Saltzer,)X
2 f
2734(Section)X
2996(E.2.1:)X
3217(Kerberos)X
3540(Authentication)X
755 948(and)N
895(Authorization)X
1354(System,)X
1 f
1617(M.I.T.)X
1844(Project)X
2091(Athena,)X
2363(Cambridge,)X
2759(Massachusetts)X
3242(\(December)X
3620(21,)X
3740(1987\).)X
555 1072(2.)N
755(J.)X
829(G.)X
930(Steiner,)X
1200(B.)X
1296(C.)X
1392(Neuman,)X
1707(and)X
1846(J.)X
1920(I.)X
1990(Schiller,)X
2282(``Kerberos:)X
2675(An)X
2795(Authentication)X
3293(Service)X
3556(for)X
3672(Open)X
3868(Net-)X
755 1168(work)N
940(Systems,'')X
1300(pp.)X
1420(191-202)X
1707(in)X
2 f
1789(Usenix)X
2032(Conference)X
2422(Proceedings)X
1 f
2823(,)X
2863(Dallas,)X
3108(Texas)X
3320(\(February,)X
3677(1988\).)X
555 1292(3.)N
755(R.)X
854(M.)X
971(Needham)X
1305(and)X
1446(M.)X
1562(D.)X
1665(Schroeder,)X
2036(``Using)X
2306(Encryption)X
2687(for)X
2806(Authentication)X
3307(in)X
3394(Large)X
3607(Networks)X
3944(of)X
755 1388(Computers,'')N
2 f
1200(Communications)X
1762(of)X
1844(the)X
1962(ACM)X
3 f
2151(21)X
1 f
(\(12\),)S
2405(pp.)X
2525(993-999)X
2812(\(December,)X
3210(1978\).)X
555 1512(4.)N
755(Dorothy)X
1043(E.)X
1133(Denning)X
1430(and)X
1567(Giovanni)X
1886(Maria)X
2098(Sacco,)X
2330(``Timestamps)X
2795(in)X
2877(Key)X
3031(Distribution)X
3437(Protocols,'')X
2 f
3833(Com-)X
755 1608(munications)N
1166(of)X
1248(the)X
1366(ACM)X
3 f
1555(24)X
1 f
(\(8\),)S
1769(pp.)X
1889(533-536)X
2176(\(August)X
2454(1981\).)X
555 1732(5.)N
755(Don)X
919(Davis)X
1132(and)X
1274(Ralph)X
1491(Swick,)X
2 f
1737(Workstation)X
2154(Services)X
2448(and)X
2594(Kerberos)X
2918(Authentication)X
3415(at)X
3503(Project)X
3764(Athena,)X
1 f
755 1828(MIT)N
922(Project)X
1169(Athena)X
1421(\(March)X
1678(3,)X
1758(1989\).)X
555 1952(6.)N
755(National)X
1060(Bureau)X
1321(of)X
1417(Standards,)X
1782(``Data)X
2016(Encryption)X
2400(Standard,'')X
2787(Federal)X
3056(Information)X
3467(Processing)X
3842(Stan-)X
755 2048(dards)N
949(Publication)X
1333(46,)X
1473(Washington,)X
1900(D.C.)X
2071(\(1977\).)X
555 2172(7.)N
755(National)X
1061(Bureau)X
1322(of)X
1418(Standards,)X
1783(``DES)X
2017(Modes)X
2264(of)X
2360(Operation,'')X
2784(Federal)X
3054(Information)X
3466(Processing)X
3842(Stan-)X
755 2268(dards)N
949(Publication)X
1333(81,)X
1473(Spring\256eld,)X
1868(VA)X
2004(\(1980\).)X
555 2392(8.)N
755(P.)X
842(J.)X
916(Levine,)X
1182(M.)X
1296(R.)X
1392(Gretzinger,)X
1779(J.)X
1852(M.)X
1965(Diaz,)X
2159(W.)X
2277(E.)X
2368(Sommerfeld,)X
2806(and)X
2944(K.)X
3044(Raeburn,)X
2 f
3358(Section)X
3616(E.1:)X
3774(Service)X
755 2488(Management)N
1194(System,)X
1 f
1457(M.I.T.)X
1684(Project)X
1931(Athena,)X
2203(Cambridge,)X
2599(Massachusetts)X
3082(\(1987\).)X
555 2612(9.)N
755(J.)X
834(L.)X
931(Smith,)X
1169(``The)X
1376(design)X
1613(of)X
1708(Lucifer,)X
1993(a)X
2056(cryptographic)X
2529(device)X
2766(for)X
2887(data)X
3048(communications.,'')X
3698(RC)X
3831(3326,)X
755 2708(IBM)N
926(T.J.)X
1066(Watson)X
1331(Research)X
1646(Center,)X
1920(Yorktown)X
2265(Heights,)X
2554(NY)X
2690(\(April)X
2906(15,)X
3026(1971\).)X
555 2832(10.)N
755(International)X
1192(Organization)X
1638(for)X
1759(Standardization,)X
2309(``ISO)X
2519(Information)X
2929(Processing)X
3303(Systems)X
3596(-)X
3650(Data)X
3829(Com-)X
755 2928(munication)N
1150(-)X
1212(High-Level)X
1617(Data)X
1803(Link)X
1988(Control)X
2266(Procedure)X
2626(-)X
2687(Frame)X
2926(Structure,'')X
3328(3309,)X
3562(ISO)X
3725(\(October)X
755 3024(1984\).)N
1002(3rd)X
1129(Edition.)X
555 3148(11.)N
755(Ralph)X
985(C.)X
1097(Merkle,)X
2 f
1388(A)X
1476(Fast)X
1657(Software)X
1980(One)X
2153(Way)X
2334(Hash)X
2541(Function,)X
1 f
2888(Xerox)X
3127(PARC,)X
3393(Palo)X
3573(Alto,)X
3773(CA)X
3922(\(in)X
755 3244(preparation\).)N
3 f
12 s
555 3532(A.)N
696(Pseudo-code)X
1232(for)X
1379(protocol)X
1745(processing)X
1 f
10 s
755 3656(This)N
926(appendix)X
1249(provides)X
1554(pseudo-code)X
1989(describing)X
2351(how)X
2517(the)X
2643(messages)X
2974(are)X
3101(to)X
3191(be)X
3295(constructed)X
3693(and)X
3837(inter-)X
555 3752(preted)N
776(by)X
876(clients)X
1105(and)X
1241(servers.)X
3 f
12 s
555 4040(A.1.)N
768(KRB_AS_REQ)X
1426(generation)X
7 f
10 s
939 4136(req.asn1_header)N
1707(=)X
1803(HEADER;)X
2187(/*)X
2331(constant)X
2763(except)X
3099(for)X
3291(length)X
3627(encoding)X
4059(*/)X
939 4232(req.pvno)N
1371(=)X
1467(5;)X
939 4328(req.type)N
1371(=)X
1467(KRB_AS_REQ;)X
939 4424(req.kdc_options)N
1707(=)X
1803(\(set)X
2043(according)X
2523(to)X
2667(user's)X
3003(preferences\);)X
939 4520(req.cname)N
1419(=)X
1515(name;)X
2091(/*)X
2235(passed)X
2571(in)X
2715(by)X
2859(user)X
3099(*/)X
939 4616(req.crealm)N
1467(=)X
1563(realm;)X
2091(/*)X
2235(passed)X
2571(in)X
2715(by)X
2859(user)X
3099(*/)X
939 4712(req.addresses)N
1611(=)X
1707(\(host-address\);)X
939 4808(req.from)N
1371(=)X
1467(0;)X
1611(/*)X
1755(unless)X
2091(user)X
2331(specifies)X
2811(a)X
2907(specific)X
3339(start)X
3627(time)X
3867(*/)X
939 4904(req.till)N
1371(=)X
1467(0;)X
1611(/*)X
1755(unless)X
2091(user)X
2331(specifies)X
2811(a)X
2907(specific)X
3339(end)X
3531(time)X
3771(*/)X
939 5000(if)N
1083(renewable)X
1563(then)X
1323 5096(/*)N
1467(user)X
1707(wants)X
1995(renewable)X
2475(*/)X
1323 5192(req.rtime)N
1803(=)X
1899(\(time)X
2187(specified)X
2667(by)X
2811(user\);)X
939 5288(endif)N
939 5384(req.sname)N
1419(=)X
1515(\(service-name\))X
2235(/*)X
2379(usually)X
2763("krbtgt",)X
3291("localrealm")X
3915(*/)X
939 5480(get)N
1131(system_time;)X
939 5576(req.ctime)N
1419(=)X
1515(system_time.seconds;)X
939 5768(kerberos)N
1371(=)X
1467(lookup\(name)X
2043(of)X
2187(local)X
2475(kerberose)X
2955(server)X
3291(\(or)X
3483(servers\)\);)X
1 f
555 6144(Section)N
815(A.1.)X
2196(-)X
2243(46)X
2343(-)X
47 p
%%Page: 47 49
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(send\(packet,kerberos\);)N
939 864(wait\(for)N
1371(response\);)X
939 960(if)N
1083(\(timed_out\))X
1659(then)X
1323 1056(retry)N
1611(or)X
1755(use)X
1947(alternate)X
2427(server;)X
939 1152(endif)N
3 f
12 s
555 1344(A.2.)N
768(KRB_AS_REQ)X
1426(veri\256cation)X
1915(and)X
2093(KRB_AS_REP)X
2735(generation)X
7 f
10 s
939 1440(parse)N
1227(request)X
1611(into)X
1851(req;)X
939 1632(client)N
1275(=)X
1371(lookup\(req.cname,req.realm\);)X
939 1728(server)N
1275(=)X
1371(lookup\(req.sname,req.realm\);)X
939 1920(get)N
1131(system_time;)X
939 2016(kdc_time)N
1371(=)X
1467(system_time.seconds;)X
939 2208(if)N
1083(\(!client\))X
1563(then)X
1323 2304(/*)N
1467(no)X
1611(client)X
1947(in)X
2091(Database)X
2523(*/)X
1323 2400(return)N
1659(KRB_ERROR)X
2139(message)X
2523(with)X
1707 2496(code)N
1947(==)X
2091(KDC_ERR_C_PRINCIPAL_UNKNOWN;)X
939 2592(endif)N
939 2688(if)N
1083(\(!server\))X
1563(then)X
1323 2784(/*)N
1467(no)X
1611(server)X
1947(in)X
2091(Database)X
2523(*/)X
1323 2880(return)N
1659(KRB_ERROR)X
2139(message)X
2523(with)X
1707 2976(code)N
1947(==)X
2091(KDC_ERR_S_PRINCIPAL_UNKNOWN;)X
939 3072(endif)N
939 3264(session)N
1323(=)X
1419(generate_random_session_key\(\);)X
939 3456(tkt.asn1_header)N
1707(=)X
1803(HEADER;)X
2187(/*)X
2331(constant)X
2763(except)X
3099(for)X
3291(length)X
3627(encoding)X
4059(*/)X
939 3552(tkt.vno)N
1323(=)X
1419(5;)X
939 3648(tkt.sname)N
1419(=)X
1515(req.sname;)X
939 3744(tkt.srealm)N
1467(=)X
1563(req.realm;)X
939 3840(tkt.etype)N
1419(=)X
1515(\(encryption-type\);)X
2427(/*)X
2571(might)X
2859(be)X
3003(DES)X
3195(*/)X
939 3936(tkt.skvno)N
1419(=)X
1515(server.kvno;)X
939 4128(pad\(to)N
1275(cryptosystem)X
1899(boundary\);)X
939 4320(tkt.confounder)N
1659(=)X
1755(random\(\);)X
939 4416(tkt.flags)N
1419(=)X
1515(0;)X
939 4608(/*)N
1083(It)X
1227(should)X
1563(be)X
1707(noted)X
1995(that)X
2235(local)X
2523(policy)X
2859(may)X
3051(affect)X
3387(the)X
3627(*/)X
939 4704(/*)N
1083(processing)X
1611(of)X
1755(any)X
1947(of)X
2091(these)X
2379(flags.)X
2763(For)X
2955(example,)X
3387(some)X
3627(*/)X
939 4800(/*)N
1083(realms)X
1419(may)X
1611(refuse)X
1947(to)X
2091(issue)X
2379(renewable)X
2859(tickets)X
3627(*/)X
939 4992(if)N
1083(\(req.kdc_options.FORWARDABLE\))X
2523(then)X
1323 5088(set\(tkt.flags.FORWARDABLE\);)N
939 5184(endif)N
939 5280(if)N
1083(\(req.kdc_options.FORWARDED\))X
2427(then)X
1323 5376(return)N
1659(KRB_ERROR,)X
2187(code)X
2427(KDC_ERR_BADOPTION;)X
939 5472(endif)N
939 5568(if)N
1083(\(req.kdc_options.PROXIABLE\))X
2427(then)X
1323 5664(set\(tkt.flags.PROXIABLE\);)N
939 5760(endif)N
1 f
555 6144(Section)N
815(A.2.)X
2196(-)X
2243(47)X
2343(-)X
48 p
%%Page: 48 50
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(if)N
1083(\(req.kdc_options.PROXY\))X
2235(then)X
1323 768(return)N
1659(KRB_ERROR,)X
2187(code)X
2427(KDC_ERR_BADOPTION;)X
939 864(endif)N
939 960(if)N
1083(\(req.kdc_options.ALLOW-POSTDATE\))X
2667(then)X
1323 1056(set\(tkt.flags.ALLOW-POSTDATE\);)N
939 1152(endif)N
939 1344(if)N
1083(\(req.kdc_options.DUPLICATE-SKEY\))X
2667(then)X
1323 1440(set\(tkt.flags.DUPLICATE-SKEY\);)N
939 1536(endif)N
939 1632(if)N
1083(\(req.kdc_options.RENEW)X
2187(or)X
2331(req.kdc_options.VALIDATE)X
3531(or)X
1083 1728(req.kdc_options.REUSE-SKEY)N
2379(or)X
1083 1824(req.kdc_options.ENC-TKT-IN-SKEY\))N
2667(then)X
1323 1920(return)N
1659(KRB_ERROR,)X
2187(code)X
2427(KDC_ERR_BADOPTION;)X
939 2016(endif)N
939 2208(tkt.keytype)N
1515(=)X
1611(\(encryption-type\);)X
2523(/*)X
2667(Presently)X
3147(DES)X
3339(*/)X
939 2304(tkt.session)N
1515(=)X
1611(session;)X
939 2400(tkt.cname)N
1419(=)X
1515(req.cname;)X
939 2496(tkt.crealm)N
1467(=)X
1563(req.crealm;)X
939 2592(tkt.transited)N
1611(=)X
1707("";)X
939 2784(tkt.authtime)N
1563(=)X
1659(kdc_time;)X
939 2976(if)N
1083(\(req.kdc_options.POSTDATED\))X
2427(then)X
1083 3072(set\(tkt.flags.INVALID\);)N
1083 3168(if)N
1227(\(against_postdate_policy\(req.from\)\))X
2955(then)X
1323 3264(return)N
1659(KRB_ERROR,)X
2187(code)X
2427(KDC_ERR_POLICY;)X
1083 3360(endif)N
1083 3456(tkt.starttime)N
1755(=)X
1851(req.from;)X
939 3552(else)N
1323 3648(tkt.starttime)N
1995(=)X
2091(kdc_time;)X
939 3744(endif)N
939 3840(if)N
1083(\(req.till)X
1563(=)X
1659(0\))X
1803(then)X
1323 3936(till)N
1563(=)X
1659(infinity;)X
939 4032(else)N
1323 4128(till)N
1563(=)X
1659(req.till;)X
939 4224(endif)N
939 4416(tkt.endtime)N
1515(=)X
1611(min\(till,tkt.starttime+client.max_life,)X
1803 4512(tkt.starttime+server.max_life,)N
2091 4608(tkt.starttime+max_life_for_realm\);)N
939 4800(if)N
1083(\(req.kdc_options.RENEWABLE-OK)X
2523(and)X
2715(\(tkt.endtime)X
3339(<)X
3435(req.till\)\))X
3963(then)X
1323 4896(/*)N
1467(we)X
1611(set)X
1803(the)X
1995(RENEWABLE)X
2475(option)X
2811(for)X
3003(later)X
3291(processing)X
3819(*/)X
1323 4992(set\(req.kdc_options.RENEWABLE\);)N
1323 5088(req.rtime)N
1803(=)X
1899(req.till;)X
939 5184(endif)N
939 5376(if)N
1083(\(req.rtime)X
1611(=)X
1707(0\))X
1851(then)X
1323 5472(rtime)N
1611(=)X
1707(infinity;)X
939 5568(else)N
1323 5664(rtime)N
1611(=)X
1707(req.rtime;)X
939 5760(endif)N
1 f
555 6144(Section)N
815(A.2.)X
2196(-)X
2243(48)X
2343(-)X
49 p
%%Page: 49 51
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(if)N
1083(\(req.kdc_options.RENEWABLE\))X
2427(then)X
1323 768(set\(tkt.flags.RENEWABLE\);)N
1323 864(tkt.renew_till)N
2043(=)X
2139(min\(rtime,starttime+client.max_rlife,)X
2331 960(tkt.starttime+server.max_rlife,)N
2331 1056(tkt.starttime+max_rlife_for_realm\);)N
939 1152(else)N
1323 1248(tkt.renew_till)N
2043(=)X
2139(OMIT;)X
2427(/*)X
2571(leave)X
2859(the)X
3051(renew_till)X
3579(field)X
3867(out)X
4059(*/)X
939 1344(endif)N
939 1536(tkt.caddr)N
1419(=)X
1515(req.addresses;)X
939 1632(tkt.authorization_data)N
2043(=)X
2139("";)X
939 1824(encrypt\(appropriate)N
1899(part)X
2139(of)X
2283(ticket\);)X
939 2016(/*)N
1083(Start)X
1371(processing)X
1899(the)X
2091(response)X
2523(*/)X
939 2208(resp.asn1_header)N
1755(=)X
1851(HEADER;)X
2235(/*)X
2379(constant)X
2811(except)X
3147(for)X
3339(length)X
3675(encoding)X
4107(*/)X
939 2304(resp.pvno)N
1419(=)X
1515(5;)X
939 2400(resp.type)N
1419(=)X
1515(KRB_AS_REP;)X
939 2496(resp.cname)N
1467(=)X
1563(req.cname;)X
939 2592(resp.crealm)N
1515(=)X
1611(req.realm;)X
939 2688(resp.etype)N
1467(=)X
1563(\(encryption-type\);)X
2475(/*)X
2619(Presently)X
3099(DES)X
3291(*/)X
939 2784(resp.ckvno)N
1467(=)X
1563(client.kvno;)X
939 2880(resp.ticket)N
1515(=)X
1611(ticket;)X
939 3072(pad\(to)N
1275(cryptosystem)X
1899(boundary\);)X
939 3264(resp.confounder)N
1707(=)X
1803(random\(\);)X
939 3360(resp.keytupe)N
1563(=)X
1659(\(encryption-type\);)X
2571(/*)X
2715(Presently)X
3195(DES)X
3387(*/)X
939 3552(resp.session)N
1563(=)X
1659(session;)X
939 3648(resp.ctime)N
1467(=)X
1563(req.ctime;)X
939 3744(resp.ktime)N
1467(=)X
1563(kdc_time;)X
939 3936(resp.last_req)N
1611(=)X
1707(fetch_last_request_info\(client\);)X
939 4128(resp.princ_exp)N
1659(=)X
1755(client.expiration;)X
939 4224(resp.flags)N
1467(=)X
1563(tkt.flags;)X
939 4320(resp.sname)N
1467(=)X
1563(tkt.sname;)X
939 4416(resp.srealm)N
1515(=)X
1611(tkt.srealm;)X
939 4608(resp.starttime)N
1659(=)X
1755(tkt.starttime;)X
939 4704(resp.endtime)N
1563(=)X
1659(tkt.endtime;)X
939 4896(if)N
1083(\(tkt.flags.RENEWABLE\))X
2139(then)X
1323 4992(resp.renew_till)N
2091(=)X
2187(tkt.renew_till;)X
939 5088(endif)N
939 5280(resp.caddr)N
1467(=)X
1563(tkt.caddr;)X
939 5472(pad\(to)N
1275(cryptosystem)X
1899(boundary\);)X
939 5664(encrypt\(appropriate)N
1899(part)X
2139(of)X
2283(response\);)X
1 f
555 6144(Section)N
815(A.2.)X
2196(-)X
2243(49)X
2343(-)X
50 p
%%Page: 50 52
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(send\(resp\);)N
3 f
12 s
555 864(A.3.)N
768(KRB_AS_REP)X
1410(veri\256cation)X
7 f
10 s
939 1056(if)N
1083(\(resp.type)X
1611(==)X
1755(KRB_ERROR\))X
2283(then)X
1323 1152(process_error\(resp\);)N
1323 1248(return;)N
939 1344(endif)N
939 1536(/*)N
1083(On)X
1227(error,)X
1563(discard)X
1947(the)X
2139(response,)X
2619(and)X
2811(zero)X
3051(the)X
3243(session)X
3627(key)X
3819(*/)X
939 1632(/*)N
1083(from)X
1323(the)X
1515(response)X
1947(immediately)X
2523(*/)X
939 1824(prompt_user_for\(key\);)N
939 1920(decrypt\(resp,key\);)N
939 2016(zero\(key\);)N
939 2208(if)N
1083(\(!integrity_ok\(resp\)\))X
2139(then)X
1035 2304(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 2400(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 2496(endif)N
939 2592(if)N
1083(\(req.cname)X
1611(!=)X
1755(resp.cname\))X
2331(then)X
1035 2688(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 2784(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 2880(endif)N
939 2976(if)N
1083(\(req.realm)X
1611(!=)X
1755(resp.crealm\))X
2379(then)X
1035 3072(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 3168(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 3264(endif)N
939 3360(if)N
1083(\(req.sname)X
1611(!=)X
1755(resp.sname\))X
2331(then)X
1035 3456(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 3552(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 3648(endif)N
939 3744(if)N
1083(\(req.realm)X
1611(!=)X
1755(resp.srealm\))X
2379(then)X
1035 3840(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 3936(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 4032(endif)N
939 4128(if)N
1083(\(req.ctime)X
1611(!=)X
1755(resp.ctime\))X
2331(then)X
1035 4224(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 4320(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 4416(endif)N
939 4512(if)N
1083(\(req.addresses)X
1803(!=)X
1947(resp.caddr\))X
2523(then)X
1035 4608(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 4704(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 4800(endif)N
939 4992(/*)N
1083(make)X
1323(sure)X
1563(no)X
1707(flags)X
1995(are)X
2187(set)X
2379(that)X
2619(shouldn't)X
3099(be,)X
3291(and)X
3483(that)X
3723(all)X
3915(that)X
4155(*/)X
939 5088(/*)N
1083(should)X
1419(be)X
1563(are)X
1755(set)X
4155(*/)X
939 5184(if)N
1083(\(!check_flags_for_compatability\(req.kdc_options,resp.flags\)\))X
4011(then)X
1035 5280(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 5376(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 5472(endif)N
939 5664(if)N
1083(\(\(req.from)X
1611(=)X
1707(0\))X
1851(and)X
1131 5760(\(resp.starttime)N
1899(is)X
2043(not)X
2235(within)X
2571(allowable)X
3051(skew\)\))X
3387(then)X
1 f
555 6144(Section)N
815(A.3.)X
2196(-)X
2243(50)X
2343(-)X
51 p
%%Page: 51 53
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
1035 672(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 768(return)N
1659(KRB_AP_ERR_SKEW;)X
939 864(endif)N
939 960(if)N
1083(\(\(req.from)X
1611(!=)X
1755(0\))X
1899(and)X
2091(\(req.from)X
2571(!=)X
2715(resp.starttime\)\))X
3531(then)X
1035 1056(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 1152(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 1248(endif)N
939 1344(if)N
1083(\(\(req.till)X
1611(!=)X
1755(0\))X
1899(and)X
2091(\(resp.endtime)X
2763(>)X
2859(req.till\)\))X
3387(then)X
1035 1440(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 1536(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 1632(endif)N
939 1728(if)N
1083(\(\(req.kdc_options.RENEWABLE\))X
2475(and)X
1131 1824(\(req.rtime)N
1659(!=)X
1803(0\))X
1947(and)X
2139(\(resp.renew_till)X
2955(>)X
3051(req.rtime\)\))X
3627(then)X
1035 1920(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 2016(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 2112(endif)N
939 2208(if)N
1083(\(\(req.kdc_options.RENEWABLE-OK\))X
2619(and)X
1131 2304(\(resp.flags.RENEWABLE\))N
2235(and)X
1131 2400(\(req.till)N
1611(!=)X
1755(0\))X
1899(and)X
1131 2496(\(resp.renew_till)N
1947(>)X
2043(req.till\)\))X
2571(then)X
1035 2592(destroy)N
1419(session)X
1803(key)X
1995(in)X
2139(resp;)X
1323 2688(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 2784(endif)N
939 2976(if)N
1083(near\(resp.princ_exp\))X
2091(then)X
1323 3072(print\(warning)N
1995(message\);)X
939 3168(endif)N
939 3264(save_for_later\(ticket,session,client,server,times,flags\);)N
3 f
12 s
555 3456(A.4.)N
768(KRB_TGS_REQ)X
1496(generation)X
7 f
10 s
939 3552(/*)N
1083(Note)X
1323(that)X
1563(make_application_request)X
2763(might)X
3051(have)X
3291(to)X
3435(recursivly)X
4155(*/)X
939 3648(/*)N
1083(call)X
1323(this)X
1563(routine)X
1947(to)X
2091(get)X
2283(the)X
2475(appropriate)X
3051(ticket)X
3387(granting)X
3819(ticket)X
4155(*/)X
939 3840(req.ahdr)N
1371(=)X
1467(make_application_request\(krbtgt,srealm\);)X
939 4032(req.asn1_header)N
1707(=)X
1803(HEADER;)X
2187(/*)X
2331(constant)X
2763(except)X
3099(for)X
3291(length)X
3627(encoding)X
4059(*/)X
939 4128(req.pvno)N
1371(=)X
1467(5;)X
939 4224(req.type)N
1371(=)X
1467(KRB_TGS_REQ;)X
939 4320(req.kdc_options)N
1707(=)X
1803(\(set)X
2043(according)X
2523(to)X
2667(user's)X
3003(preferences\);)X
939 4512(req.from)N
1371(=)X
1467(0;)X
1611(/*)X
1755(unless)X
2091(this)X
2331(is)X
2475(a)X
2571(request)X
2955(for)X
3147(a)X
3243(postdated)X
3723(ticket)X
4059(*/)X
939 4608(req.till)N
1371(=)X
1467(0;)X
1611(/*)X
1755(unless)X
2091(user)X
2331(specifies)X
2811(a)X
2907(specific)X
3339(life)X
3579(*/)X
939 4800(if)N
1083(\(renewable\))X
1659(then)X
1323 4896(req.rtime)N
1803(=)X
1899(\(time)X
2187(specified)X
2667(by)X
2811(user\);)X
939 4992(endif)N
939 5088(req.sname)N
1419(=)X
1515(\(the)X
1755(name)X
1995(of)X
2139(the)X
2331(desired)X
2715(service\);)X
939 5184(get)N
1131(system_time;)X
939 5280(req.ctime)N
1419(=)X
1515(system_time.seconds;)X
939 5472(pad\(to)N
1275(cryptosystem)X
1899(boundary\);)X
939 5664(req.addresses)N
1611(=)X
1707(0;)X
1851(/*)X
1995(Unless)X
2331(we)X
2475(are)X
2667(changing)X
3099(them)X
3339(*/)X
939 5760(req.authorization_dat)N
1995(=)X
2091(\(as)X
2283(set)X
2475(by)X
2619(the)X
2811(user,)X
3099(null)X
3339(by)X
3483(default\);)X
1 f
555 6144(Section)N
815(A.4.)X
2196(-)X
2243(51)X
2343(-)X
52 p
%%Page: 52 54
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(req.second_ticket)N
1803(=)X
1899(\(second)X
2283(ticket)X
2619(if)X
2763(needed,)X
3147(null)X
3387(by)X
3531(default\);)X
939 864(pad\(to)N
1275(cryptosystem)X
1899(boundary\);)X
939 1056(encrypt\(appropriate)N
1899(part)X
2139(of)X
2283(request\);)X
939 1248(kerberos)N
1371(=)X
1467(lookup\(name)X
2043(of)X
2187(local)X
2475(kerberose)X
2955(server)X
3291(\(or)X
3483(servers\)\);)X
939 1344(send\(packet,kerberos\);)N
939 1536(wait\(for)N
1371(response\);)X
939 1632(if)N
1083(\(timed_out\))X
1659(then)X
1323 1728(retry)N
1611(or)X
1755(use)X
1947(alternate)X
2427(server;)X
939 1824(endif)N
3 f
12 s
555 2016(A.5.)N
768(KRB_TGS_REQ)X
1496(veri\256cation)X
1985(and)X
2163(KRB_TGS_REP)X
2875(generation)X
7 f
10 s
939 2112(/*)N
1083(note)X
1323(that)X
1563(reading)X
1947(the)X
2139(application)X
2715(request)X
3099(requires)X
3531(first)X
939 2208(determining)N
1515(the)X
1707(server)X
2043(for)X
2235(which)X
2523(a)X
2619(ticket)X
2955(was)X
3147(issued,)X
3531(and)X
3723(choosing)X
4155(the)X
939 2304(correct)N
1323(key)X
1515(for)X
1707(decryption.)X
2331(The)X
2523(name)X
2763(of)X
2907(the)X
3099(server)X
3435(appears)X
3819(in)X
3963(the)X
939 2400(plaintext)N
1419(part)X
1659(of)X
1803(the)X
1995(ticket.)X
2379(*/)X
939 2592(read_application_request\(req\);)N
939 2784(/*)N
1083(Note)X
1323(that)X
1563(the)X
1755(realm)X
2043(in)X
2187(which)X
2475(the)X
2667(Kerberos)X
3099(server)X
3435(is)X
3579(operating)X
4059(is)X
939 2880(determined)N
1467(by)X
1611(the)X
1803(instance)X
2235(from)X
2475(the)X
2667(ticket)X
3003(granting)X
3435(ticket.)X
3867(The)X
4059(realm)X
939 2976(in)N
1083(the)X
1275(ticket)X
1611(granting)X
2043(ticket)X
2379(is)X
2523(the)X
2715(realm)X
3003(under)X
3291(which)X
3579(the)X
3771(ticket)X
939 3072(granting)N
1371(ticket)X
1707(was)X
1899(issued.)X
2331(It)X
2475(is)X
2619(possible)X
3051(for)X
3243(a)X
3339(single)X
3675(Kerberos)X
939 3168(server)N
1275(to)X
1419(support)X
1803(more)X
2043(than)X
2283(one)X
2475(realm.)X
2811(*/)X
939 3360(realm)N
1227(=)X
1323(realm_of_tgt\(req.auth_hdr.ticket\);)X
939 3552(parse)N
1227(remainder)X
1707(of)X
1851(request;)X
939 3744(server)N
1275(=)X
1371(lookup\(req.sname,realm\);)X
939 3936(if)N
1083(\(!server\))X
1563(then)X
1323 4032(/*)N
1467(no)X
1611(server)X
1947(in)X
2091(Database)X
2523(*/)X
1323 4128(return)N
1659(KRB_ERROR)X
2139(message)X
2523(with)X
1707 4224(code)N
1947(==)X
2091(KDC_ERR_S_PRINCIPAL_UNKNOWN;)X
939 4320(endif)N
939 4512(if)N
1083(\(req.kdc_options.REUSE-SKEY\))X
2475(then)X
1323 4608(decrypt\(req.second_ticket\);)N
1323 4704(if)N
1467(\(!req.second_ticket.flags.DUPLICATE-SKEY\))X
3483(then)X
1707 4800(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_BADOPTION;)X
1323 4896(endif)N
1323 4992(session)N
1707(=)X
1803(req.second_ticket.session;)X
939 5088(else)N
1323 5184(session)N
1707(=)X
1803(generate_random_session_key\(\);)X
939 5280(endif)N
939 5472(tkt.asn1_header)N
1707(=)X
1803(HEADER;)X
2187(/*)X
2331(constant)X
2763(except)X
3099(for)X
3291(length)X
3627(encoding)X
4059(*/)X
939 5568(tkt.vno)N
1323(=)X
1419(5;)X
939 5760(tkt.sname)N
1419(=)X
1515(req.sname;)X
1 f
555 6144(Section)N
815(A.5.)X
2196(-)X
2243(52)X
2343(-)X
53 p
%%Page: 53 55
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(tkt.srealm)N
1467(=)X
1563(realm;)X
939 864(tkt.etype)N
1419(=)X
1515(\(encryption-type\);)X
2427(/*)X
2571(Presently)X
3051(DES)X
3243(*/)X
939 960(tkt.skvno)N
1419(=)X
1515(server.kvno;)X
939 1152(pad\(to)N
1275(cryptosystem)X
1899(boundary\);)X
939 1344(tkt.confounder)N
1659(=)X
1755(random\(\);)X
939 1536(tkt.flags)N
1419(=)X
1515(0;)X
939 1632(tkt.starttime)N
1611(=)X
1707(0;)X
939 1824(/*)N
1083(It)X
1227(should)X
1563(be)X
1707(noted)X
1995(that)X
2235(local)X
2523(policy)X
2859(may)X
3051(affect)X
3387(the)X
3627(*/)X
939 1920(/*)N
1083(processing)X
1611(of)X
1755(any)X
1947(of)X
2091(these)X
2379(flags.)X
2763(For)X
2955(example,)X
3387(some)X
3627(*/)X
939 2016(/*)N
1083(realms)X
1419(may)X
1611(refuse)X
1947(to)X
2091(issue)X
2379(renewable)X
2859(tickets)X
3627(*/)X
939 2208(tkt.caddr)N
1419(=)X
1515(req.auth_hdr.ticket.caddr;)X
939 2304(resp.caddr)N
1467(=)X
1563(NULL;)X
1851(/*)X
1995(We)X
2139(only)X
2379(include)X
2763(this)X
3003(if)X
3147(they)X
3387(change)X
3723(*/)X
939 2400(if)N
1083(\(req.kdc_options.FORWARDABLE\))X
2523(then)X
1323 2496(if)N
1467(\(!req.auth_hdr.ticket.flags.FORWARDABLE\))X
3435(then)X
1707 2592(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_BADOPTION;)X
1323 2688(endif)N
1323 2784(set\(tkt.flags.FORWARDABLE\);)N
939 2880(endif)N
939 2976(if)N
1083(\(req.kdc_options.FORWARDED\))X
2427(then)X
1323 3072(if)N
1467(\(!req.auth_hdr.ticket.flags.FORWARDABLE\))X
1707 3168(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_BADOPTION;)X
1323 3264(endif)N
1323 3360(set\(tkt.flags.FORWARDED\);)N
1323 3456(tkt.caddr)N
1803(=)X
1899(req.addresses;)X
1323 3552(resp.caddr)N
1851(=)X
1947(req.addresses;)X
939 3648(endif)N
939 3840(if)N
1083(\(req.kdc_options.PROXIABLE\))X
2427(then)X
1323 3936(if)N
1467(\(!req.auth_hdr.ticket.flags.PROXIABLE\))X
1707 4032(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_BADOPTION;)X
1323 4128(endif)N
1323 4224(set\(tkt.flags.PROXIABLE\);)N
939 4320(endif)N
939 4416(if)N
1083(\(req.kdc_options.PROXY\))X
2235(then)X
1323 4512(if)N
1467(\(!req.auth_hdr.ticket.flags.PROXIABLE\))X
1707 4608(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_BADOPTION;)X
1323 4704(endif)N
1323 4800(set\(tkt.flags.PROXY\);)N
1323 4896(tkt.caddr)N
1803(=)X
1899(req.addresses;)X
1323 4992(resp.caddr)N
1851(=)X
1947(req.addresses;)X
939 5088(endif)N
939 5280(if)N
1083(\(req.kdc_options.POSTDATE\))X
2379(then)X
1323 5376(if)N
1467(\(!req.auth_hdr.ticket.flags.POSTDATE\))X
1707 5472(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_BADOPTION;)X
1323 5568(endif)N
1323 5664(set\(tkt.flags.POSTDATE\);)N
939 5760(endif)N
1 f
555 6144(Section)N
815(A.5.)X
2196(-)X
2243(53)X
2343(-)X
54 p
%%Page: 54 56
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(if)N
1083(\(req.kdc_options.POSTDATED\))X
2427(then)X
1323 768(if)N
1467(\(!req.auth_hdr.ticket.flags.POSTDATE\))X
3291(then)X
1707 864(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_BADOPTION;)X
1323 960(endif)N
1323 1056(set\(tkt.flags.POSTDATED\);)N
1323 1152(set\(tkt.flags.INVALID\);)N
1323 1248(if)N
1467(\(against_postdate_policy\(req.from\)\))X
3195(then)X
1707 1344(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_POLICY;)X
1323 1440(endif)N
1323 1536(tkt.starttime)N
1995(=)X
2091(req.from;)X
1035 1632(endif)N
939 1824(if)N
1083(\(\(req.kdc_options.DUPLICATE-SKEY\))X
2715(or)X
1131 1920(\(req.kdc_options.REUSE-SKEY\)\))N
2571(then)X
1323 2016(set\(tkt.flags.DUPLICATE-SKEY\);)N
939 2112(endif)N
939 2304(if)N
1083(\(req.kdc_options.VALIDATE\))X
2379(then)X
1323 2400(if)N
1467(\(!req.auth_hdr.ticket.flags.INVALID\))X
3243(then)X
1707 2496(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_POLICY;)X
1323 2592(endif)N
1323 2688(if)N
1467(\(req.auth_hdr.ticket.starttime)X
2955(>)X
3051(kdc_time\))X
3531(then)X
1707 2784(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KRB_AP_ERR_NYV;)X
1323 2880(endif)N
1323 2976(if)N
1467(\(check_hot_list\(req.auth_hdr.ticket\)\))X
3291(then)X
1707 3072(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KRB_AP_ERR_REPLAY;)X
1323 3168(endif)N
1323 3264(tkt)N
1515(=)X
1611(req.auth_hdr.ticket;)X
1323 3360(clear\(tkt.flags.INVALID\);)N
939 3456(endif)N
939 3648(if)N
1083(\(req.kdc_options.\(any)X
2139(flag)X
2379(except)X
2715(ENC-TKT-IN-SKEY,)X
3531(RENEW,)X
1947 3744(and)N
2139(those)X
2427(already)X
2811(processed\))X
3339(then)X
1323 3840(return)N
1659(KRB_ERROR,)X
2187(code)X
2427(KDC_ERR_BADOPTION;)X
939 3936(endif)N
939 4128(tkt.authtime)N
1563(=)X
1659(req.auth_hdr.ticket.authtime;)X
939 4320(if)N
1083(\(req.kdc_options.RENEW\))X
2235(then)X
1035 4416(/*)N
1179(Note)X
1419(that)X
1659(if)X
1803(the)X
1995(endtime)X
2379(has)X
2571(already)X
2955(passed,)X
3339(the)X
3531(ticket)X
3867(would)X
4203(*/)X
1035 4512(/*)N
1179(have)X
1419(been)X
1659(rejected)X
2091(in)X
2235(the)X
2427(initial)X
2811(authewntication)X
3579(stage,)X
3915(so)X
4203(*/)X
1035 4608(/*)N
1179(there)X
1467(is)X
1611(no)X
1755(need)X
1995(to)X
2139(check)X
2427(again)X
2715(here)X
4203(*/)X
1323 4704(if)N
1467(\(!req.auth_hdr.ticket.flags.RENEWABLE\))X
3339(then)X
1707 4800(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KDC_ERR_BADOPTION;)X
1323 4896(endif)N
1323 4992(if)N
1467(\(!req.auth_hdr.ticket.renew_till)X
3051(<)X
3147(kdc_time\))X
3627(then)X
1707 5088(return)N
2043(KRB_ERROR,)X
2571(code)X
2811(KRB_AP_ERR_TKT_EXPIRED;)X
1323 5184(endif)N
1323 5280(tkt)N
1515(=)X
1611(req.auth_hdr.ticket;)X
1323 5376(tkt.starttime)N
1995(=)X
2091(kdc_time;)X
1323 5472(old_life)N
1755(=)X
1851(req.auth_hdr.ticket.endttime)X
3243(-)X
1851 5568(req.auth_hdr.ticket.starttime;)N
1323 5664(tkt.endtime)N
1899(=)X
1995(min\(req.auth_hdr.ticket.renew_till,)X
2187 5760(tkt.starttime)N
2859(+)X
2955(old_life\);)X
1 f
555 6144(Section)N
815(A.5.)X
2196(-)X
2243(54)X
2343(-)X
55 p
%%Page: 55 57
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(else)N
1323 768(tkt.starttime)N
1995(=)X
2091(kdc_time;)X
1323 864(if)N
1467(\(req.till)X
1947(=)X
2043(0\))X
2187(then)X
1707 960(till)N
1947(=)X
2043(infinity;)X
1323 1056(else)N
1707 1152(till)N
1947(=)X
2043(req.till;)X
1323 1248(endif)N
1323 1344(tkt.endtime)N
1899(=)X
1995(min\(till,tkt.starttime+client.max_life,)X
2187 1440(tkt.starttime+server.max_life,)N
2187 1536(tkt.starttime+max_life_for_realm,)N
2187 1632(req.auth_hdr.ticket.endtime\);)N
1323 1824(if)N
1467(\(req.kdc_options.RENEWABLE-OK)X
2907(and)X
1515 1920(\(tkt.endtime)N
2139(<)X
2235(req.till\))X
2715(and)X
1515 2016(req.auth_hdr.ticket.flags.RENEWABLE\))N
3291(then)X
1707 2112(/*)N
1851(we)X
1995(set)X
2187(the)X
2379(RENEWABLE)X
2859(option)X
3195(for)X
3387(later)X
3675(processing)X
4203(*/)X
1707 2208(set\(req.kdc_options.RENEWABLE\);)N
1707 2304(req.rtime)N
2187(=)X
2283(min\(req.till,)X
2475 2400(req.auth_hdr.ticket.renew_till\);)N
1323 2496(endif)N
939 2592(endif)N
939 2784(if)N
1083(\(req.rtime)X
1611(=)X
1707(0\))X
1851(then)X
1323 2880(rtime)N
1611(=)X
1707(infinity;)X
939 2976(else)N
1323 3072(rtime)N
1611(=)X
1707(req.rtime;)X
939 3168(endif)N
939 3360(if)N
1083(\(req.kdc_options.RENEWABLE)X
2379(and)X
1131 3456(req.auth_hdr.ticket.flags.RENEWABLE\))N
2907(then)X
1323 3552(set\(tkt.flags.RENEWABLE\);)N
1323 3648(tkt.renew_till)N
2043(=)X
2139(min\(rtime,starttime+client.max_rlife,)X
2331 3744(tkt.starttime+server.max_rlife,)N
2331 3840(tkt.starttime+max_rlife_for_realm,)N
2331 3936(tkt.auth_hdr.ticket.renew_till\);)N
939 4032(else)N
1323 4128(tkt.renew_till)N
2043(=)X
2139(OMIT;)X
2427(/*)X
2571(leave)X
2859(the)X
3051(renew_till)X
3579(field)X
3867(out)X
4059(*/)X
939 4224(endif)N
939 4320(tkt.authorization_data)N
2043(=)X
2139(req.auth_hdr.ticket.authorization_data)X
4011(+)X
2139 4416(req.authorization_data;)N
939 4608(tkt.keytype)N
1515(=)X
1611(\(encryption-type\);)X
2523(/*)X
2667(Presently)X
3147(DES)X
3339(*/)X
939 4704(tkt.session)N
1515(=)X
1611(session;)X
939 4800(tkt.cname)N
1419(=)X
1515(req.auth_hdr.ticket.cname;)X
939 4896(tkt.crealm)N
1467(=)X
1563(req.auth_hdr.ticket.crealm;)X
939 5088(if)N
1083(\(realm_of_tgt\(req.auth_hdr.ticket\))X
2763(=)X
2859(req.auth_hdr.ticket.realm\))X
4155(then)X
1323 5184(/*)N
1467(tgt)X
1659(issued)X
1995(by)X
2139(local)X
2427(realm)X
2715(*/)X
1323 5280(tkt.transited)N
1995(=)X
2091(req.auth_hdr.ticket.transited.)X
939 5376(else)N
1323 5472(tkt.transited)N
1995(=)X
1323 5568(compress_transited\(req.authenication_header.ticket.transited)N
4251(+)X
2235 5664(req.auth_hdr.ticket.realm\))N
939 5760(endif)N
1 f
555 6144(Section)N
815(A.5.)X
2196(-)X
2243(55)X
2343(-)X
56 p
%%Page: 56 58
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(if)N
1083(\(req.kdc_options.ENC-TKT-IN-SKEY\))X
2715(then)X
1323 768(decrypt\(req.second_ticket\);)N
1323 864(encrypt\(appropriate)N
2283(part)X
2523(of)X
2667(ticket,req.second_ticket.session\);)X
939 960(else)N
1323 1056(encrypt\(appropriate)N
2283(part)X
2523(of)X
2667(ticket,server.key\);)X
939 1152(endif)N
939 1344(resp.asn1_header)N
1755(=)X
1851(HEADER;)X
2235(/*)X
2379(constant)X
2811(except)X
3147(for)X
3339(length)X
3675(encoding)X
4107(*/)X
939 1440(resp.pvno)N
1419(=)X
1515(5;)X
939 1536(resp.type)N
1419(=)X
1515(KRB_TGS_REP;)X
939 1632(resp.cname)N
1467(=)X
1563(req.auth_hdr.ticket.cname;)X
939 1728(resp.crealm)N
1515(=)X
1611(req.auth_hdr.ticket.crealm;)X
939 1824(resp.etype)N
1467(=)X
1563(\(encryption-type\);)X
2475(/*)X
2619(Presently)X
3099(DES)X
3291(*/)X
939 2016(resp.ckvno)N
1467(=)X
1563(0;)X
1707(/*)X
1851(We)X
1995(are)X
2187(using)X
2475(the)X
2667(session)X
3051(key)X
3243(*/)X
939 2112(resp.ticket)N
1515(=)X
1611(ticket;)X
939 2304(pad\(to)N
1275(cryptosystem)X
1899(boundary\);)X
939 2496(resp.confounder)N
1707(=)X
1803(random\(\);)X
939 2592(resp.keytupe)N
1563(=)X
1659(\(encryption-type\);)X
2571(/*)X
2715(Presently)X
3195(DES)X
3387(*/)X
939 2688(resp.session)N
1563(=)X
1659(session;)X
939 2784(resp.ctime)N
1467(=)X
1563(req.ctime;)X
939 2880(resp.ktime)N
1467(=)X
1563(now.seconds;)X
939 3072(resp.last_req)N
1611(=)X
1707(fetch_last_request_info\(client\);)X
939 3264(resp.princ_exp)N
1659(=)X
1755(0;)X
939 3360(resp.flags)N
1467(=)X
1563(tkt.flags;)X
939 3456(resp.sname)N
1467(=)X
1563(service.name;)X
939 3552(resp.realm)N
1467(=)X
1563(realm;)X
939 3744(resp.starttime)N
1659(=)X
1755(tkt.starttime;)X
939 3840(resp.endtime)N
1563(=)X
1659(tkt.endtime;)X
939 4032(if)N
1083(\(tkt.flags.RENEWABLE\))X
2139(then)X
1323 4128(resp.renew_till)N
2091(=)X
2187(tkt.renew_till;)X
939 4224(endif)N
939 4416(pad\(to)N
1275(cryptosystem)X
1899(boundary\);)X
939 4512(resp.kdc_resp_cksum\(resp\);)N
939 4608(encrypt\(appropriate)N
1899(part)X
2139(of)X
2283(response\);)X
939 4704(send\(resp\);)N
3 f
12 s
555 4896(A.6.)N
768(KRB_TGS_REP)X
1480(veri\256cation)X
7 f
10 s
939 4992(if)N
1083(\(resp.type)X
1611(==)X
1755(KRB_ERROR\))X
2283(then)X
1323 5088(process_error\(resp\);)N
1323 5184(return;)N
939 5280(endif)N
939 5472(/*)N
1083(On)X
1227(error,)X
1563(discard)X
1947(the)X
2139(response,)X
2619(and)X
2811(zero)X
3051(the)X
3243(session)X
3627(key)X
3819(from)X
939 5568(the)N
1131(response)X
1563(immediately)X
2139(*/)X
939 5760(decrypt\(resp,session_from_tgt\);)N
1 f
555 6144(Section)N
815(A.6.)X
2196(-)X
2243(56)X
2343(-)X
57 p
%%Page: 57 59
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(if)N
1083(\(!integrity_ok\(resp\)\))X
2139(then)X
1323 768(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 864(endif)N
939 960(if)N
1083(\(req.cname)X
1611(!=)X
1755(resp.cname\))X
2331(then)X
1323 1056(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 1152(endif)N
939 1248(if)N
1083(\(req.realm)X
1611(!=)X
1755(resp.crealm\))X
2379(then)X
1323 1344(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 1440(endif)N
939 1536(if)N
1083(\(req.sname)X
1611(!=)X
1755(resp.sname\))X
2331(then)X
1323 1632(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 1728(endif)N
939 1824(if)N
1083(\(req.realm)X
1611(!=)X
1755(resp.srealm\))X
2379(then)X
1323 1920(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 2016(endif)N
939 2112(if)N
1083(\(req.ctime)X
1611(!=)X
1755(resp.ctime\))X
2331(then)X
1323 2208(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 2304(endif)N
939 2400(if)N
1083(\(req.addresses)X
1803(!=)X
1947(resp.caddr\))X
2523(then)X
1323 2496(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 2592(endif)N
939 2784(/*)N
1083(make)X
1323(sure)X
1563(no)X
1707(flags)X
1995(are)X
2187(set)X
2379(that)X
2619(shouldn't)X
3099(be,)X
3291(and)X
3483(that)X
3723(all)X
3915(that)X
4155(*/)X
939 2880(/*)N
1083(should)X
1419(be)X
1563(are)X
1755(set)X
4155(*/)X
939 2976(if)N
1083(\(!check_flags_for_compatability\(req.kdc_options,resp.flags\)\))X
1323 3072(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 3168(endif)N
939 3360(if)N
1083(\(\(req.from)X
1611(=)X
1707(0\))X
1851(and)X
1131 3456(\(resp.starttime)N
1899(is)X
2043(not)X
2235(within)X
2571(allowable)X
3051(skew\)\))X
3387(then)X
1323 3552(return)N
1659(KRB_AP_ERR_SKEW;)X
939 3648(endif)N
939 3744(if)N
1083(\(\(req.from)X
1611(!=)X
1755(0\))X
1899(and)X
2091(\(req.from)X
2571(!=)X
2715(resp.starttime\)\))X
3531(then)X
1323 3840(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 3936(endif)N
939 4032(if)N
1083(\(\(req.till)X
1611(!=)X
1755(0\))X
1899(and)X
2091(\(resp.endtime)X
2763(>)X
2859(req.till\)\))X
3387(then)X
1323 4128(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 4224(endif)N
939 4416(if)N
1083(\(\(req.kdc_options.RENEWABLE\))X
2475(and)X
1131 4512(\(req.rtime)N
1659(!=)X
1803(0\))X
1947(and)X
2139(\(resp.renew_till)X
2955(>)X
3051(req.rtime\)\))X
3627(then)X
1323 4608(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 4704(endif)N
939 4800(if)N
1083(\(\(req.kdc_options.RENEWABLE-OK\))X
2619(and)X
1131 4896(\(resp.flags.RENEWABLE\))N
2235(and)X
1131 4992(\(req.till)N
1611(!=)X
1755(0\))X
1899(and)X
1131 5088(\(resp.renew_till)N
1947(>)X
2043(req.till\)\))X
2571(then)X
1323 5184(return)N
1659(KRB_AP_ERR_MODIFIED;)X
939 5280(endif)N
939 5472(if)N
1083(near\(resp.princ_exp\))X
2091(then)X
1323 5568(print\(warning)N
1995(message\);)X
939 5664(endif)N
939 5760(save_for_later\(ticket,session,client,server,times,flags\);)N
1 f
555 6144(Section)N
815(A.6.)X
2196(-)X
2243(57)X
2343(-)X
58 p
%%Page: 58 60
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(check)N
1227(authorization_data)X
2139(as)X
2283(necessary;)X
3 f
12 s
555 864(A.7.)N
768(Authenticator)X
1368(generation)X
7 f
10 s
939 960(store)N
1227(authenticator_vno)X
2091(in)X
2235(staging)X
2619(area;)X
2907(/*)X
3051(authenticator_vno)X
3915(=)X
4011(5)X
4107(*/)X
939 1056(store)N
1227(client)X
1563(name)X
1803(in)X
1947(staging)X
2331(area;)X
2619(/*)X
2763(cname,)X
3099(crealm)X
3435(*/)X
939 1152(store)N
1227(checksum_type)X
1899(in)X
2043(staging)X
2427(area;)X
2715(/*)X
2859(checksum_type)X
3531(*/)X
939 1248(store)N
1227(checksum)X
1659(in)X
1803(staging)X
2187(area;)X
2475(/*)X
2619(checksum)X
3051(*/)X
939 1344(get)N
1131(system_time;)X
939 1440(store)N
1227(system_time.milliseconds)X
2427(in)X
2571(staging)X
2955(area;)X
3243(/*)X
3387(cmsec)X
3675(*/)X
939 1536(store)N
1227(system_time.seconds)X
2187(in)X
2331(staging)X
2715(area;)X
3003(/*)X
3147(ctime)X
3435(*/)X
939 1632(pad)N
1131(staging)X
1515(area)X
1755(to)X
1899(blocksize)X
2379(boundary;)X
2859(/*)X
3003(PAD)X
3195(*/)X
939 1824(encrypt)N
1323(staging)X
1707(area;)X
939 1920(store)N
1227(encrypted)X
1707(data)X
1947(in)X
2091(authenticator;)X
939 2016(store)N
1227(asn1_header)X
1803(in)X
1947(authenticator;)X
2667(/*)X
2811(constant)X
3243(except)X
3579(for)X
2811 2112(length)N
3147(encoding)X
3579(*/)X
3 f
12 s
555 2304(A.8.)N
768(KRB_AP_REQ)X
1432(generation)X
7 f
10 s
939 2400(obtain)N
1275(ticket)X
1611(and)X
1803(session_key;)X
939 2592(store)N
1227(asn1_header)X
1803(in)X
1947(packet;)X
2331(/*)X
2475(constant)X
2907(except)X
3243(for)X
3435(length)X
3771(encoding)X
4203(*/)X
939 2688(store)N
1227(protocol)X
1659(version)X
2043(in)X
2187(packet;)X
2571(/*)X
2715(pvno)X
2955(=)X
3051(5)X
3147(*/)X
939 2784(store)N
1227(message)X
1611(type)X
1851(in)X
1995(packet;)X
2379(/*)X
2523(type)X
2763(=)X
2859(KRB_AP_REQ)X
3387(*/)X
939 2976(if)N
1083(desired\(MUTUAL_AUTHENTICATION\))X
2571(then)X
1323 3072(set)N
1515(options.MUTUAL-REQUIRED;)X
939 3168(else)N
1323 3264(reset)N
1611(options.MUTUAL-REQUIRED;)X
939 3360(endif)N
939 3456(if)N
1083(using_session_key)X
1947(then)X
1323 3552(set)N
1515(options.USE-SESSION-KEY;)X
939 3648(else)N
1323 3744(reset)N
1611(options.USE-SESSION-KEY;)X
939 3840(endif)N
939 3936(store)N
1227(options)X
1611(in)X
1755(packet;)X
2139(/*)X
2283(ap_options)X
2811(*/)X
939 4032(store)N
1227(ticket)X
1563(in)X
1707(packet;)X
2091(/*)X
2235(ticket)X
2571(*/)X
939 4128(generate)N
1371(authenticator)X
2043(using)X
2331(session_key;)X
939 4224(store)N
1227(authenticator)X
1899(in)X
2043(packet;)X
2427(/*)X
2571(authenticator)X
3243(*/)X
3 f
12 s
555 4416(A.9.)N
768(KRB_AP_REQ)X
1432(veri\256cation)X
7 f
10 s
939 4512(receive)N
1323(packet;)X
939 4608(if)N
1083(packet.pvno)X
1659(!=)X
1803(5)X
1899(then)X
1323 4704(either)N
1659(process)X
2043(using)X
2331(other)X
2619(protocol)X
3051(spec)X
1323 4800(or)N
1467(error_out\(KRB_APP_ERR_BADVERSION\);)X
939 4896(endif)N
939 4992(if)N
1083(packet.type)X
1659(!=)X
1803(KRB_AP_REQ)X
2331(then)X
1323 5088(error_out\(KRB_APP_ERR_MSG_TYPE\);)N
939 5184(endif)N
939 5280(if)N
1083(packet.ticket.tkt_vno)X
2139(!=)X
2283(5)X
2379(then)X
1323 5376(either)N
1659(process)X
2043(using)X
2331(other)X
2619(protocol)X
3051(spec)X
1323 5472(or)N
1467(error_out\(KRB_APP_ERR_BADVERSION\);)X
939 5568(endif)N
939 5664(if)N
1083(packet.ap_options.USE-SESSION-KEY)X
2715(is)X
2859(set)X
3051(then)X
1323 5760(retrieve)N
1755(session)X
2139(key)X
2331(from)X
2571(ticket-granting)X
3339(ticket)X
3675(for)X
1 f
555 6144(Section)N
815(A.9.)X
2196(-)X
2243(58)X
2343(-)X
59 p
%%Page: 59 61
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
1371 672(packet.ticket.{sname,srealm,etype,skvno})N
939 768(else)N
1323 864(retrieve)N
1755(service)X
2139(key)X
2331(for)X
1371 960(packet.ticket.{sname,srealm,etype,skvno})N
939 1056(endif)N
939 1152(if)N
1083(no_key_available)X
1899(then)X
1323 1248(if)N
1467(cant_find_specified_skvno)X
2715(then)X
1707 1344(error_out\(KRB_AP_ERR_BADKEYVER\);)N
1323 1440(else)N
1707 1536(error_out\(KRB_AP_ERR_NOKEY\);)N
1323 1632(endif)N
939 1728(endif)N
939 1824(decrypt)N
1323(packet.ticket)X
1995(into)X
2235(decr_ticket)X
2811(using)X
3099(key;)X
939 1920(if)N
1083(integrity_error)X
1851(then)X
1323 2016(error_out\(KRB_AP_BAD_INTEGRITY\);)N
939 2112(endif)N
939 2208(decrypt)N
1323(packet.authenticator)X
2331(into)X
2571(decr_authenticator)X
3483(using)X
987 2304(decr_ticket.session)N
1947(and)X
2139(decr_ticket.keytype)X
939 2400(if)N
1083(integrity_error)X
1851(then)X
1323 2496(error_out\(KRB_AP_BAD_INTEGRITY\);)N
939 2592(endif)N
939 2688(if)N
1083(decr_authenticator.{cname,crealm})X
2715(!=)X
987 2784(decr_ticket.{cname,cinst,crealm})N
2571(then)X
1323 2880(error_out\(KRB_AP_ERR_BADMATCH\);)N
939 2976(endif)N
939 3072(if)N
1083(sender_address\(packet\))X
2187(is)X
2331(not)X
2523(in)X
2667(decr_ticket.caddr)X
3531(then)X
1323 3168(error_out\(KRB_AP_ERR_BADADDR\);)N
939 3264(endif)N
939 3360(if)N
1083(not)X
1275(in_clock_skew\(decr_authenticator.ctime\))X
3195(then)X
1323 3456(error_out\(KRB_AP_ERR_SKEW\);)N
939 3552(endif)N
939 3648(if)N
1083(repeated\(decr_authenticator.ctime,decr_authenticator.cmsec,)X
1515 3744(sender_address\(packet\),{cname,crealm}\))N
3387(then)X
1323 3840(error_out\(KRB_AP_ERR_REPEAT\);)N
939 3936(endif)N
939 4032(save_identifier\(decr_authenticator.timestamp,)N
1707 4128(decr_authenticator.cmsec,sender_address\(packet\),)N
1707 4224(sender_principal\(packet\)\);)N
939 4320(get)N
1131(system_time;)X
939 4416(if)N
1083(decr_ticket.starttime-system_time)X
2715(>)X
2811(CLOCK_SKEW)X
3339(then)X
1323 4512(/*)N
1467(it)X
1611(hasn't)X
1947(yet)X
2139(become)X
2475(valid)X
2763(*/)X
1323 4608(error_out\(KRB_AP_ERR_TKT_NYV\);)N
939 4704(endif)N
939 4800(if)N
1083(system_time-decr_ticket.endtime)X
2619(>)X
2715(CLOCK_SKEW)X
3243(then)X
1323 4896(error_out\(KRB_AP_ERR_TKT_EXPIRED\);)N
939 4992(endif)N
939 5088(/*)N
1083(caller)X
1419(must)X
1659(check)X
1947(decr_ticket.flags)X
2811(for)X
3003(any)X
3195(pertinent)X
3675(details)X
4059(*/)X
939 5184(return\(OK,)N
1467(decr_ticket,)X
2091(packet.ap_options.MUTUAL-REQUIRED\);)X
3 f
12 s
555 5376(A.10.)N
816(KRB_AP_REP)X
1464(generation)X
7 f
10 s
939 5472(store)N
1227(asn1_header)X
1803(in)X
1947(packet;)X
2331(/*)X
2475(constant)X
2907(except)X
3243(for)X
3435(length)X
3771(encoding)X
4203(*/)X
939 5568(store)N
1227(protocol)X
1659(version)X
2043(in)X
2187(packet;)X
2571(/*)X
2715(pvno)X
2955(=)X
3051(5)X
3147(*/)X
939 5664(store)N
1227(message)X
1611(type)X
1851(in)X
1995(packet;)X
2379(/*)X
2523(type)X
2763(=)X
2859(KRB_AP_REP)X
3387(*/)X
939 5760(store)N
1227(packet.ctime)X
1851(in)X
1995(staging)X
2379(area;)X
1 f
555 6144(Section)N
815(A.10.)X
2196(-)X
2243(59)X
2343(-)X
60 p
%%Page: 60 62
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(store)N
1227(packet.cmsec)X
1851(in)X
1995(staging)X
2379(area;)X
939 768(pad)N
1131(staging)X
1515(area)X
1755(to)X
1899(encryption)X
2427(blocksize)X
2907(boundary;)X
939 864(encrypt)N
1323(staging)X
1707(area)X
1947(using)X
2235(ticket.session;)X
939 960(store)N
1227(encrypted)X
1707(data)X
1947(in)X
2091(packet;)X
939 1152(return)N
1275(packet;)X
3 f
12 s
555 1344(A.11.)N
816(KRB_AP_REP)X
1464(veri\256cation)X
7 f
10 s
939 1440(receive)N
1323(packet;)X
939 1536(if)N
1083(packet.pvno)X
1659(!=)X
1803(5)X
1899(then)X
1323 1632(either)N
1659(process)X
2043(using)X
2331(other)X
2619(protocol)X
3051(spec)X
1323 1728(or)N
1467(error_out\(KRB_APP_ERR_BADVERSION\);)X
939 1824(endif)N
939 1920(if)N
1083(packet.type)X
1659(!=)X
1803(KRB_AP_REQ)X
2331(then)X
1323 2016(error_out\(KRB_APP_ERR_MSG_TYPE\);)N
939 2112(endif)N
939 2208(decrypted_portion)N
1803(=)X
1899(decrypt\(remainder\(packet\)\);)X
939 2304(if)N
1083(integrity_error)X
1851(then)X
1323 2400(error_out\(KRB_AP_BAD_INTEGRITY\);)N
939 2496(endif)N
939 2592(if)N
1083(decrypted_portion.ctime)X
2235(!=)X
2379(authenticator.system_time.ctime)X
3915(then)X
1323 2688(error_out\(KRB_AP_ERR_MUT_FAIL\);)N
939 2784(endif)N
939 2880(if)N
1083(decrypted_portion.cmsec)X
2235(!=)X
2379(authenticator.system_time.cmsec)X
3915(then)X
1323 2976(error_out\(KRB_AP_ERR_MUT_FAIL\);)N
939 3072(endif)N
939 3168(return\(AUTHENTICATION_SUCCEEDED\);)N
3 f
12 s
555 3360(A.12.)N
816(KRB_SAFE)X
1341(generation)X
7 f
10 s
939 3456(collect)N
1323(user)X
1563(data)X
1803(in)X
1947(buffer;)X
939 3552(encode)N
1275(buffer)X
1611(as)X
1755(bytes_asn1;)X
939 3648(get)N
1131(system)X
1467(time;)X
939 3744(if)N
1083(sender_address)X
1803(>)X
1899(receiver_address)X
2715(then)X
1323 3840(set)N
1515(direction)X
1995(bit;)X
939 3936(else)N
1323 4032(reset)N
1611(direction)X
2091(bit;)X
939 4128(endif)N
939 4224(encode)N
1275(host)X
1515(addresses)X
1995(as)X
2139(hostaddr;)X
939 4320(/*)N
1083(assemble)X
1515(packet:)X
1899(*/)X
939 4416(store)N
1227(asn1_header)X
1803(in)X
1947(packet;)X
2331(/*)X
2475(constant)X
2907(except)X
3243(for)X
3435(length)X
3771(encoding)X
4203(*/)X
939 4512(store)N
1227(protocol)X
1659(version)X
2043(in)X
2187(packet;)X
2571(/*)X
2715(pvno)X
2955(=)X
3051(5)X
3147(*/)X
939 4608(store)N
1227(message)X
1611(type)X
1851(in)X
1995(packet;)X
2379(/*)X
2523(type)X
2763(=)X
2859(KRB_SAFE)X
3291(*/)X
939 4704(store)N
1227(buffer)X
1563(in)X
1707(packet;)X
2091(/*)X
2235(DATA)X
2475(*/)X
939 4800(store)N
1227(milliseconds)X
1851(and)X
2043(direction)X
2523(bit)X
2715(in)X
2859(packet;)X
3243(/*)X
3387(msec+D)X
3723(*/)X
939 4896(store)N
1227(host)X
1467(addresses)X
1947(in)X
2091(packet;)X
2475(/*)X
2619(haddr)X
2907(*/)X
939 4992(store)N
1227(timestamp)X
1707(in)X
1851(packet;)X
2235(/*)X
2379(timestamp)X
2859(*/)X
939 5088(store)N
1227(checksum)X
1659(type)X
1899(in)X
2043(packet;)X
2427(/*)X
2571(checksum_type)X
3243(*/)X
939 5184(compute)N
1323(checksum)X
1755(over)X
1995(packet;)X
2379(/*)X
2523(DATA)X
2763(to)X
2907(checksum_type,)X
3627(inclusive)X
4107(*/)X
939 5280(encode)N
1275(checksum)X
1707(as)X
1851(bytes_asn1;)X
939 5376(store)N
1227(checksum)X
1659(in)X
1803(packet;)X
2187(/*)X
2331(checksum)X
2763(*/)X
1 f
12 s
555 6144(Section)N
868(A.12.)X
2179(-)X
2235(60)X
2355(-)X
61 p
%%Page: 61 63
12 s 0 xH 0 xS 1 f
10 s
0 32(--)N
4323(--)X
3 f
12 s
2082 432(DRAFT)N
2436(2)X
555 672(A.13.)N
816(KRB_SAFE)X
1341(veri\256cation)X
7 f
10 s
939 768(receive)N
1323(packet;)X
939 864(if)N
1083(packet.pvno)X
1659(!=)X
1803(5)X
1899(then)X
1323 960(either)N
1659(process)X
2043(using)X
2331(other)X
2619(protocol)X
3051(spec)X
1323 1056(or)N
1467(error_out\(KRB_APP_ERR_BADVERSION\);)X
939 1152(endif)N
939 1248(if)N
1083(packet.type)X
1659(!=)X
1803(KRB_SAFE)X
2235(then)X
1323 1344(error_out\(KRB_APP_ERR_MSG_TYPE\);)N
939 1440(endif)N
939 1536(if)N
1083(length\(packet.DATA\)+length\(packet.hostaddr\)+)X
1323 1632(length\(packet.checksum\)+10)N
2619(!=)X
2763(O/S_length\(packet\))X
3675(then)X
1323 1728(/*)N
1467(the)X
1659(length)X
1995(didn't)X
2331(match)X
2619(what)X
2859(the)X
3051(operating)X
3531(system)X
1467 1824(reported)N
1899(*/)X
1323 1920(error_out\(KRB_APP_ERR_MODIFIED\);)N
939 2016(endif)N
939 2112(if)N
1083(sender_address\(packet\))X
2187(is)X
2331(not)X
2523(in)X
2667(packet.hostaddr)X
3435(then)X
1323 2208(/*)N
1467(O/S)X
1659(report)X
1995(of)X
2139(sender)X
2475(not)X
2667(in)X
2811(the)X
3003(list)X
3243(*/)X
1323 2304(error_out\(KRB_APP_ERR_BADADDR\);)N
939 2400(endif)N
939 2496(if)N
1083(not)X
1275(in_clock_skew\(packet.timestamp\))X
2811(then)X
1323 2592(error_out\(KRB_APP_ERR_SKEW\);)N
939 2688(endif)N
939 2784(if)N
1083(repeated\(packet.timestamp,packet.msec,sender_address\(packet\),)X
1515 2880(sender_principal\(packet\)\))N
2763(then)X
1323 2976(error_out\(KRB_APP_ERR_REPEAT\);)N
939 3072(endif)N
939 3168(save_identifier\(packet.timestamp,packet.msec,sender_address\(packet\),)N
1707 3264(sender_principal\(packet\)\);)N
939 3360(if)N
1083(sender_address\(packet\))X
2187(>)X
2283(receiver_address\(packet\))X
3483(then)X
1323 3456(set)N
1515(computed_direction;)X
939 3552(else)N
1323 3648(reset)N
1611(computed_direction;)X
939 3744(endif)N
939 3936(if)N
1083(computed_direction)X
1995(!=)X
2139(packet.direction_bit)X
3147(then)X
1323 4032(error_out\(KRB_APP_ERR_REPEAT\);)N
2811(/*)X
2955(XXX)X
3147(*/)X
939 4128(endif)N
939 4224(/*)N
1083(run)X
1275(checksum)X
1707(from)X
1947(DATA)X
2187(to)X
2331(checksum_type,)X
3051(inclusive)X
3531(*/)X
939 4320(set)N
1131(computed_checksum)X
1995(=)X
2091(checksum\(packet\);)X
939 4416(if)N
1083(computed_checksum)X
1947(!=)X
2091(packet.checksum)X
2859(then)X
1323 4512(error_out\(KRB_AP_ERR_MODIFIED\);)N
939 4608(endif)N
939 4704(return\(packet.DATA,)N
1899(PACKET_IS_GENUINE\);)X
3 f
12 s
555 4896(A.14.)N
816(KRB_PRIV)X
1330(generation)X
7 f
10 s
939 4992(collect)N
1323(user)X
1563(data)X
1803(in)X
1947(buffer;)X
939 5088(encode)N
1275(buffer)X
1611(as)X
1755(bytes_asn1;)X
939 5184(get)N
1131(system)X
1467(time;)X
939 5280(if)N
1083(sender_address)X
1803(>)X
1899(receiver_address)X
2715(then)X
1323 5376(set)N
1515(direction)X
1995(bit;)X
939 5472(else)N
1323 5568(clear)N
1611(direction)X
2091(bit;)X
939 5664(endif)N
939 5760(encode)N
1275(host)X
1515(addresses)X
1995(as)X
2139(hostaddr;)X
1 f
555 6144(Section)N
815(A.14.)X
2196(-)X
2243(61)X
2343(-)X
62 p
%%Page: 62 64
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
939 672(/*)N
1083(compute)X
1467(length)X
1803(of)X
1947(encrypted)X
2427(portion)X
2811(*/)X
939 768(select)N
1275(encryption)X
1803(type;)X
939 864(add)N
1131(length)X
1467(of)X
1611(data)X
1851(buffer)X
2187(encoding,)X
2667(host)X
2907(address)X
3291(encoding,)X
3771(and)X
1323 960(6,)N
1467(rounding)X
1899(up)X
2043(to)X
2187(nearest)X
2571(blocksize;)X
939 1056(/*)N
1083(assemble)X
1515(packet:)X
1899(*/)X
939 1152(store)N
1227(asn1_header)X
1803(in)X
1947(packet;)X
2331(/*)X
2475(constant)X
2907(except)X
3243(for)X
3435(length)X
3771(encoding)X
4203(*/)X
939 1248(store)N
1227(protocol)X
1659(version)X
2043(in)X
2187(packet;)X
2571(/*)X
2715(pvno)X
2955(=)X
3051(5)X
3147(*/)X
939 1344(store)N
1227(message)X
1611(type)X
1851(in)X
1995(packet;)X
2379(/*)X
2523(type)X
2763(=)X
2859(KRB_PRIV)X
3291(*/)X
939 1440(store)N
1227(encryption)X
1755(type)X
1995(in)X
2139(packet;)X
2523(/*)X
2667(etype)X
2955(*/)X
939 1536(store)N
1227(computed)X
1659(length)X
1995(of)X
2139(encrypted)X
2619(portion)X
3003(in)X
3147(packet;)X
939 1632(store)N
1227(buffer)X
1563(in)X
1707(encryption)X
2235(area;)X
2859(/*)X
3003(DATA)X
3243(*/)X
939 1728(store)N
1227(milliseconds)X
1851(and)X
2043(direction)X
2523(bit)X
2715(in)X
2859(encryption)X
3387(area;)X
3675(/*)X
3819(msec+D)X
4155(*/)X
939 1824(store)N
1227(host)X
1467(addresses)X
1947(in)X
2091(encryption)X
2619(area;)X
2907(/*)X
3051(haddr)X
3339(*/)X
939 1920(store)N
1227(timestamp)X
1707(in)X
1851(encryption)X
2379(area;)X
2667(/*)X
2811(timestamp)X
3291(*/)X
939 2016(encrypt)N
1323(data)X
1563(in)X
1707(encryption)X
2235(area;)X
939 2112(store)N
1227(encrypted)X
1707(output)X
2043(in)X
2187(packet;)X
3 f
12 s
555 2304(A.15.)N
816(KRB_PRIV)X
1330(veri\256cation)X
7 f
10 s
939 2400(receive)N
1323(packet;)X
939 2496(if)N
1083(packet.pvno)X
1659(!=)X
1803(5)X
1899(then)X
1323 2592(either)N
1659(process)X
2043(using)X
2331(other)X
2619(protocol)X
3051(spec)X
1323 2688(or)N
1467(error_out\(KRB_APP_ERR_BADVERSION\);)X
939 2784(endif)N
939 2880(if)N
1083(packet.type)X
1659(!=)X
1803(KRB_PRIV)X
2235(then)X
1323 2976(error_out\(KRB_APP_ERR_MSG_TYPE\);)N
939 3072(endif)N
939 3168(if)N
1083(packet.len_E)X
1707(+)X
1803(4)X
1899(!=)X
2043(O/S_length\(packet\))X
2955(then)X
1323 3264(error_out\(KRB_APP_ERR_MODIFIED\);)N
939 3360(endif)N
939 3456(cleartext)N
1419(=)X
1515(decrypt\(packet\);)X
939 3552(/*)N
1083(14)X
1227(is)X
1371(for)X
1563(pvno,)X
1851(type,)X
2139(etype,)X
2475(len_E,)X
2811(msec,)X
3099(timestamp)X
3579(*/)X
939 3648(if)N
1083(length\(cleartext.DATA\))X
2187(>)X
2283(O/S_length\(packet\)-14)X
3339(then)X
1323 3744(error_out\(KRB_APP_ERR_MODIFIED\);)N
939 3840(endif)N
939 3936(/*)N
1083(14)X
1227(is)X
1371(for)X
1563(pvno,)X
1851(type,)X
2139(etype,)X
2475(len_E,)X
2811(msec,)X
3099(timestamp)X
3579(*/)X
939 4032(if)N
1083(length\(cleartext.haddr\))X
2235(>)X
2331(O/S_length\(packet\)-14)X
3387(then)X
1323 4128(error_out\(KRB_APP_ERR_MODIFIED\);)N
939 4224(endif)N
939 4320(if)N
1083(length\(cleartext.DATA\)+length\(cleartext.haddr\)+)X
1323 4416(length\(packet.checksum\)+14)N
2619(+)X
2715(length\(cleartext.PAD\))X
1323 4512(!=)N
1467(length\(packet\))X
2187(then)X
1323 4608(/*)N
1467(the)X
1659(length)X
1995(didn't)X
2331(match)X
2619(what)X
2859(the)X
3051(operating)X
3531(system)X
1467 4704(reported)N
1899(*/)X
1323 4800(error_out\(KRB_APP_ERR_MODIFIED\);)N
939 4896(endif)N
939 4992(if)N
1083(sender_address\(packet\))X
2187(is)X
2331(not)X
2523(in)X
2667(cleartext.haddr)X
3435(then)X
1323 5088(/*)N
1467(O/S)X
1659(report)X
1995(of)X
2139(sender)X
2475(not)X
2667(in)X
2811(the)X
3003(list)X
3243(*/)X
1323 5184(error_out\(KRB_APP_ERR_BADADDR\);)N
939 5280(endif)N
939 5376(if)N
1083(not)X
1275(in_clock_skew\(cleartext.timestamp\))X
2955(then)X
1323 5472(error_out\(KRB_APP_ERR_SKEW\);)N
939 5568(endif)N
939 5664(if)N
1083(repeated\(cleartext.timestamp,cleartext.msec,sender_address\(packet\),)X
1515 5760(sender_principal\(packet\)\))N
2763(then)X
1 f
555 6144(Section)N
815(A.15.)X
2196(-)X
2243(62)X
2343(-)X
63 p
%%Page: 63 65
10 s 0 xH 0 xS 1 f
7 f
1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
7 f
1323 672(error_out\(KRB_APP_ERR_REPEAT\);)N
939 768(endif)N
939 864(save_identifier\(cleartext.timestamp,cleartext.msec,)N
1707 960(sender_address\(packet\),sender_principal\(packet\)\);)N
939 1056(if)N
1083(sender_address\(packet\))X
2187(>)X
2283(receiver_address\(packet\))X
3483(then)X
1323 1152(set)N
1515(computed_direction;)X
939 1248(else)N
1323 1344(reset)N
1611(computed_direction;)X
939 1440(endif)N
939 1632(if)N
1083(computed_direction)X
1995(!=)X
2139(cleartext.direction_bit)X
3291(then)X
1323 1728(error_out\(KRB_APP_ERR_REPEAT\);)N
2811(/*)X
2955(XXX)X
3147(*/)X
939 1824(endif)N
939 1920(return\(cleartext.DATA,)N
2043(PACKET_IS_GENUINE_AND_UNMODIFIED\);)X
1 f
555 6144(Section)N
815(A.15.)X
2196(-)X
2243(63)X
2343(-)X
64 p
%%Page: 64 66
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 6144(Section)N
815(A.15.)X
2174(-)X
2221(lxiv)X
2365(-)X
1 p
%%Page: 1 67
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
12 s
1918 960(Table)N
2177(of)X
2281(Contents)X
1 f
10 s
555 1372(Overview)N
911(.................................................................................................................................................)X
3971(1)X
555 1496(Acknowledgements)N
1231(.................................................................................................................................)X
3971(1)X
555 1620(1.)N
3 f
635(Introduction)X
1 f
1091(........................................................................................................................................)X
3971(1)X
555 1744(1.1.)N
3 f
695(Glossary)X
1017(of)X
1104(terms)X
1 f
1331(............................................................................................................................)X
3971(3)X
555 1868(2.)N
3 f
635(Message)X
945(Exchanges)X
1 f
1331(............................................................................................................................)X
3971(5)X
555 1992(2.1.)N
3 f
695(The)X
848(Authentication)X
1379(Service)X
1649(\(AS\))X
1825(Exchange)X
1 f
2191(.................................................................................)X
3971(5)X
555 2116(2.1.1.)N
755(Generation)X
1132(of)X
1219(KRB_AS_REQ)X
1745(message)X
2051(........................................................................................)X
3971(5)X
555 2240(2.1.2.)N
755(Receipt)X
1020(of)X
1107(KRB_AS_REQ)X
1633(message)X
1931(..............................................................................................)X
3971(6)X
555 2364(2.1.3.)N
755(Generation)X
1132(of)X
1219(KRB_AS_REP)X
1731(message)X
2031(.........................................................................................)X
3971(6)X
555 2488(2.1.4.)N
755(Generation)X
1132(of)X
1219(KRB_ERROR)X
1709(message)X
2011(..........................................................................................)X
3971(7)X
555 2612(2.1.5.)N
755(Receipt)X
1020(of)X
1107(KRB_AS_REP)X
1619(message)X
1911(...............................................................................................)X
3971(7)X
555 2736(2.1.6.)N
755(Receipt)X
1020(of)X
1107(KRB_ERROR)X
1597(message)X
1891(................................................................................................)X
3971(7)X
555 2860(2.2.)N
3 f
695(The)X
848(Client/Server)X
1327(\(CS\))X
1503(Authentication)X
2034(Exchange)X
1 f
2391(.......................................................................)X
3971(7)X
555 2984(2.2.1.)N
755(The)X
900(KRB_AP_REQ)X
1426(message)X
1731(........................................................................................................)X
3971(7)X
555 3108(2.2.2.)N
755(Generation)X
1132(of)X
1219(a)X
1275(KRB_AP_REQ)X
1801(message)X
2111(.....................................................................................)X
3971(7)X
555 3232(2.2.3.)N
755(Receipt)X
1020(of)X
1107(KRB_AP_REQ)X
1633(message)X
1931(..............................................................................................)X
3971(7)X
555 3356(2.2.4.)N
755(Generation)X
1132(of)X
1219(a)X
1275(KRB_AP_REP)X
1787(message)X
2091(......................................................................................)X
3971(8)X
555 3480(2.2.5.)N
755(Receipt)X
1020(of)X
1107(KRB_AP_REP)X
1619(message)X
1911(...............................................................................................)X
3971(9)X
555 3604(2.2.6.)N
755(Using)X
966(the)X
1084(encryption)X
1447(key)X
1591(...............................................................................................................)X
3971(9)X
555 3728(2.3.)N
3 f
695(The)X
848(Ticket-Granting)X
1428(Service)X
1698(\(TGS\))X
1931(Exchange)X
1 f
2291(............................................................................)X
3971(9)X
555 3852(2.3.1.)N
755(Generation)X
1132(of)X
1219(KRB_TGS_REQ)X
1794(message)X
2091(......................................................................................)X
3971(9)X
555 3976(2.3.2.)N
755(Receipt)X
1020(of)X
1107(KRB_TGS_REQ)X
1682(message)X
1991(...........................................................................................)X
3931(10)X
555 4100(2.3.3.)N
755(Generation)X
1132(of)X
1219(KRB_TGS_REP)X
1780(message)X
2091(......................................................................................)X
3931(10)X
555 4224(2.3.4.)N
755(Receipt)X
1020(of)X
1107(KRB_TGS_REP)X
1668(message)X
1971(............................................................................................)X
3931(11)X
555 4348(2.4.)N
3 f
695(The)X
848(KRB_SAFE)X
1285(Exchange)X
1 f
1651(............................................................................................................)X
3931(11)X
555 4472(2.4.1.)N
755(Generation)X
1132(of)X
1219(a)X
1275(KRB_SAFE)X
1694(message)X
1991(...........................................................................................)X
3931(11)X
555 4596(2.4.2.)N
755(Receipt)X
1020(of)X
1107(KRB_SAFE)X
1526(message)X
1831(...................................................................................................)X
3931(12)X
555 4720(2.5.)N
3 f
695(The)X
848(KRB_PRIV)X
1277(Exchange)X
1 f
1631(.............................................................................................................)X
3931(12)X
555 4844(2.5.1.)N
755(Generation)X
1132(of)X
1219(a)X
1275(KRB_PRIV)X
1681(message)X
1991(...........................................................................................)X
3931(12)X
555 4968(2.5.2.)N
755(Receipt)X
1020(of)X
1107(KRB_PRIV)X
1513(message)X
1811(....................................................................................................)X
3931(12)X
555 5092(3.)N
3 f
635(Encryption)X
1 f
1051(..........................................................................................................................................)X
3931(13)X
555 5216(3.1.)N
3 f
695(Cryptographic)X
1222(checksums)X
1 f
1611(..............................................................................................................)X
3931(13)X
555 5340(3.2.)N
3 f
695(Checksums)X
1 f
1111(.......................................................................................................................................)X
3931(13)X
555 5464(4.)N
3 f
635(The)X
788(Kerberos)X
1129(Database)X
1 f
1471(.....................................................................................................................)X
3931(13)X
555 5588(4.1.)N
3 f
695(Database)X
1031(contents)X
1 f
1351(...........................................................................................................................)X
3931(14)X
555 5712(4.2.)N
3 f
695(Additional)X
1078(\256elds)X
1 f
1291(..............................................................................................................................)X
3931(14)X
555 5836(4.3.)N
3 f
695(Frequently)X
1093(Changing)X
1445(Fields)X
1 f
1671(...........................................................................................................)X
3931(15)X
555 6144(Section)N
815(A.15.)X
2225(-)X
2272(i)X
2314(-)X
2 p
%%Page: 2 68
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(4.4.)N
3 f
695(Site)X
844(Constants)X
1 f
1211(..................................................................................................................................)X
3931(15)X
555 796(5.)N
3 f
635(Notation)X
1 f
971(..............................................................................................................................................)X
3931(15)X
555 920(5.1.)N
3 f
695(Field)X
888(types)X
1 f
1091(........................................................................................................................................)X
3931(16)X
555 1044(5.1.1.)N
755(NULL)X
991(.............................................................................................................................................)X
3931(17)X
555 1168(5.1.2.)N
755(PAD)X
951(...............................................................................................................................................)X
3931(17)X
555 1292(5.1.3.)N
755(Unsigned)X
1082(Integers)X
1371(..........................................................................................................................)X
3931(17)X
555 1416(5.1.4.)N
755(ASN.1)X
995(Byte)X
1166(vectors)X
1418(\(bytes_asn1\))X
1851(..................................................................................................)X
3931(19)X
555 1540(5.1.5.)N
755(ASN.1)X
995(lengths)X
1251(................................................................................................................................)X
3931(19)X
555 1664(5.1.6.)N
755(Strings)X
1011(............................................................................................................................................)X
3931(19)X
555 1788(5.1.7.)N
755(String)X
970(Arrays)X
1211(..................................................................................................................................)X
3931(20)X
555 1912(5.1.8.)N
755(Host)X
926(Addresses)X
1291(..............................................................................................................................)X
3931(20)X
555 2036(5.2.)N
3 f
695(Prede\256ned)X
1084(Data)X
1269(Types)X
1 f
1511(...................................................................................................................)X
3931(20)X
555 2160(5.2.1.)N
755(Host)X
926(address)X
1187(types)X
1391(.........................................................................................................................)X
3931(20)X
555 2284(5.2.2.)N
755(Encryption)X
1131(key)X
1267(types)X
1471(.....................................................................................................................)X
3931(22)X
555 2408(5.2.3.)N
755(Encryption)X
1131(system)X
1373(types)X
1571(................................................................................................................)X
3931(23)X
555 2532(5.2.4.)N
755(Checksum)X
1113(types)X
1311(.............................................................................................................................)X
3931(23)X
555 2656(6.)N
3 f
635(Field)X
828(Descriptions)X
1 f
1291(..............................................................................................................................)X
3931(24)X
555 2780(7.)N
3 f
635(Message)X
945(Speci\256cations)X
1 f
1431(.......................................................................................................................)X
3931(34)X
555 2904(7.1.)N
3 f
695(Tickets)X
964(and)X
1112(Authenticators)X
1 f
1651(............................................................................................................)X
3931(34)X
555 3028(7.1.1.)N
755(Tickets)X
1011(............................................................................................................................................)X
3931(34)X
555 3152(7.1.2.)N
755(Authenticators)X
1251(................................................................................................................................)X
3931(35)X
555 3276(7.2.)N
3 f
695(Authentication)X
1226(Server)X
1474(\(AS\))X
1650(message)X
1951(speci\256cations)X
1 f
2431(.....................................................................)X
3931(36)X
555 3400(7.2.1.)N
755(KRB_AS_REQ)X
1281(de\256nition)X
1611(..............................................................................................................)X
3931(36)X
555 3524(7.2.2.)N
755(KRB_AS_REP)X
1267(de\256nition)X
1611(..............................................................................................................)X
3931(36)X
555 3648(7.2.3.)N
755(KRB_KDC_REP)X
1334(de\256nition)X
1671(...........................................................................................................)X
3931(36)X
555 3772(7.3.)N
3 f
695(Client/Server)X
1174(\(CS\))X
1350(message)X
1651(speci\256cations)X
1 f
2131(....................................................................................)X
3931(38)X
555 3896(7.3.1.)N
755(KRB_AP_REQ)X
1281(de\256nition)X
1611(..............................................................................................................)X
3931(38)X
555 4020(7.3.2.)N
755(KRB_AP_REP)X
1267(de\256nition)X
1611(..............................................................................................................)X
3931(39)X
555 4144(7.3.3.)N
755(Error)X
945(message)X
1237(reply)X
1431(.......................................................................................................................)X
3931(39)X
555 4268(7.4.)N
3 f
695(Ticket-granting)X
1253(service)X
1510(\(TGS\))X
1743(message)X
2044(de\256nition)X
1 f
2391(.......................................................................)X
3931(39)X
555 4392(7.4.1.)N
755(KRB_TGS_REQ)X
1330(de\256nition)X
1671(...........................................................................................................)X
3931(39)X
555 4516(7.4.2.)N
755(KRB_TGS_REP)X
1316(de\256nition)X
1651(............................................................................................................)X
3931(41)X
555 4640(7.5.)N
3 f
695(KRB_SAFE)X
1132(message)X
1433(speci\256cation)X
1 f
1891(................................................................................................)X
3931(41)X
555 4764(7.5.1.)N
755(KRB_SAFE)X
1174(de\256nition)X
1511(...................................................................................................................)X
3931(41)X
555 4888(7.6.)N
3 f
695(KRB_PRIV)X
1124(message)X
1425(speci\256cation)X
1 f
1871(.................................................................................................)X
3931(42)X
555 5012(7.6.1.)N
755(KRB_PRIV)X
1161(de\256nition)X
1491(....................................................................................................................)X
3931(42)X
555 5136(7.7.)N
3 f
695(Error)X
916(message)X
1217(speci\256cation)X
1 f
1671(...........................................................................................................)X
3931(43)X
555 5260(7.7.1.)N
755(KRB_ERROR)X
1245(de\256nition)X
1571(................................................................................................................)X
3931(43)X
555 5384(8.)N
3 f
635(Constants)X
1 f
1011(............................................................................................................................................)X
3931(44)X
555 5508(9.)N
3 f
635(REFERENCES)X
1 f
1211(..................................................................................................................................)X
3931(46)X
555 5632(A.)N
3 f
653(Pseudo-code)X
1100(for)X
1223(protocol)X
1528(processing)X
1 f
1911(...............................................................................................)X
3931(46)X
555 5756(A.1.)N
3 f
713(KRB_AS_REQ)X
1261(generation)X
1 f
1651(............................................................................................................)X
3931(46)X
555 6144(Section)N
815(A.15.)X
2214(-)X
2261(ii)X
2325(-)X
3 p
%%Page: 3 69
10 s 0 xH 0 xS 1 f
0 32(--)N
4323(--)X
3 f
2115 416(DRAFT)N
2411(2)X
1 f
555 672(A.2.)N
3 f
713(KRB_AS_REQ)X
1261(veri\256cation)X
1668(and)X
1816(KRB_AS_REP)X
2351(generation)X
1 f
2751(.....................................................)X
3931(47)X
555 796(A.3.)N
3 f
713(KRB_AS_REP)X
1248(veri\256cation)X
1 f
1671(...........................................................................................................)X
3931(50)X
555 920(A.4.)N
3 f
713(KRB_TGS_REQ)X
1318(generation)X
1 f
1711(.........................................................................................................)X
3931(51)X
555 1044(A.5.)N
3 f
713(KRB_TGS_REQ)X
1318(veri\256cation)X
1725(and)X
1873(KRB_TGS_REP)X
2465(generation)X
1 f
2851(................................................)X
3931(52)X
555 1168(A.6.)N
3 f
713(KRB_TGS_REP)X
1305(veri\256cation)X
1 f
1731(........................................................................................................)X
3931(56)X
555 1292(A.7.)N
3 f
713(Authenticator)X
1214(generation)X
1 f
1611(..............................................................................................................)X
3931(58)X
555 1416(A.8.)N
3 f
713(KRB_AP_REQ)X
1266(generation)X
1 f
1651(............................................................................................................)X
3931(58)X
555 1540(A.9.)N
3 f
713(KRB_AP_REQ)X
1266(veri\256cation)X
1 f
1691(..........................................................................................................)X
3931(58)X
555 1664(A.10.)N
3 f
753(KRB_AP_REP)X
1293(generation)X
1 f
1691(..........................................................................................................)X
3931(59)X
555 1788(A.11.)N
3 f
753(KRB_AP_REP)X
1293(veri\256cation)X
1 f
1711(.........................................................................................................)X
3931(60)X
555 1912(A.12.)N
3 f
753(KRB_SAFE)X
1190(generation)X
1 f
1591(...............................................................................................................)X
3931(60)X
555 2036(A.13.)N
3 f
753(KRB_SAFE)X
1190(veri\256cation)X
1 f
1611(..............................................................................................................)X
3931(61)X
555 2160(A.14.)N
3 f
753(KRB_PRIV)X
1182(generation)X
1 f
1571(................................................................................................................)X
3931(61)X
555 2284(A.15.)N
3 f
753(KRB_PRIV)X
1182(veri\256cation)X
1 f
1591(...............................................................................................................)X
3931(62)X
555 6144(Section)N
815(A.15.)X
2203(-)X
2250(iii)X
2336(-)X
0 6360(--)N
4323(--)X
69 p
%%Trailer
xt
xs