Source: DataMuseum.dk, DKUUG/EUUG Conference tapes, EUUGD6 "Sikkerheds distributionen", ./papers/Kerberos/V5DRAFT4-RFC.PS.Z
Date: 20 December 1990
From: John Kohl, Clifford Neuman
To: RFC readers
Re: Kerberos Version 5 RFC, draft #4

This is the fourth draft of version 5 of the Kerberos Protocol. At this point, the protocol is fixed. Readers should note several things:

We are suggesting the use of the CRC-32 checksum to augment the integrity of the DES CBC encryption mode. We are also suggesting the use of either the DES MAC or the RSA MD4 checksum encrypted under a DES key as collision-proof keyed checksums for the KRB_SAFE exchange. Alternative checksum algorithms may be used, but may not be supported in the initial implementation.

We have decided (again) to encrypt the authorization data passed to the KDC in the request for additional tickets (KRB_TGS_REQ).

MIT's alpha-test versions of Kerberos V5 code support what is colloquially known as "specification zero" of the interoperability requirements (see section 8 for specification 1); it is a moving target. At some point the MIT code will conform to specification 1.

Please send any comments about this draft to the mailing list krb-protocol@athena.mit.edu. We thank you for your interest in Kerberos, and look forward to hearing your comments.

Major changes since draft 3

This list doesn't include rewordings, typos & such.

  - New section detailing new (since V4) ticket flags
  - Message fields are now described alongside the ASN.1 descriptions as they are used, so that these descriptions can be seen in context.
  - authorization-data are now back in an encrypted part of the TGS-REQ.
  - The pseudo-code has been updated and unified into a single style; however it may still need some fine-tuning and cross-checking with the textual error descriptions.


Network Working Group                                          John Kohl
Request for Comments: DRAFT 3                           B. Clifford Neuman
                                                       MIT Project Athena
                                                        20 December 1990

               The Kerberos™ Network Authentication Service

                                  DRAFT

    Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT.

STATUS OF THIS MEMO

This DRAFT document gives an overview and specification of the Version 5 protocol for the Kerberos network authentication system. Version 4, described elsewhere,[1, 2] is presently in production use at MIT's Project Athena, and at other Internet sites. Distribution of this memo is unlimited.

OVERVIEW

This DRAFT RFC describes the concepts and model upon which the Kerberos network authentication system is based. It also specifies the present proposal for Version 5.

The motivations, goals, assumptions, and rationale behind most design decisions are treated cursorily; they are fully described for the previous version in the Kerberos portion of the Athena Technical Plan.[1] The protocols are under review, and are not proposed as an Internet standard at this time. Comments are encouraged. Requests for additions to an electronic mailing list on Kerberos discussions, kerberos@athena.mit.edu, may be addressed to kerberos-request@athena.mit.edu. This mailing list is gatewayed onto the Usenet as the group comp.protocols.kerberos. Requests for further information, including documents and code availability, may be sent to info-kerberos@athena.mit.edu.

BACKGROUND

The Kerberos model is based in part on Needham and Schroeder's trusted third-party authentication protocol[3] and on modifications suggested by Denning and Sacco.[4] The original design and implementation of Kerberos Versions 1 through 4 was the work of two former Project Athena staff members, Steve Miller of Digital Equipment Corporation and Clifford Neuman (now of the University of Washington), along with Jerome Saltzer, Technical Director of Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members of Project Athena have also contributed to the work on Kerberos. Version 4 is publicly available, and has seen wide use across the Internet community.

Version 5 (described in this document) has evolved from Version 4 based on new requirements and desires for features not available in Version 4.

1. Introduction

Kerberos provides a means of verifying the identities of principals (e.g. a workstation user or a network server) on an open (unprotected) network. This is accomplished without relying on authentication by the host operating system, without basing trust on host addresses [note 1], without requiring physical security of all the hosts on the network, and under the assumption that packets traveling along the network can be read, modified, and inserted at will. Kerberos performs authentication under these conditions as a trusted third-party authentication service by using conventional (shared secret key [note 2]) cryptography.

    Note 1: Note, however, that many applications use Kerberos' functions only upon the initiation of a stream-based network connection, and assume the absence of any "hijackers" who might subvert such a connection. Such use implicitly trusts the host addresses involved.

The authentication process proceeds as follows: A client sends a request to the authentication server (AS) requesting "credentials" for a given server. The AS responds with these credentials, encrypted in the client's key. The credentials consist of 1) a "ticket" for the server and 2) a temporary encryption key (often called a "session key"). The client transmits the ticket (which contains the client's identity and a copy of the session key, all encrypted in the server's key) to the server. The session key (now shared by the client and server) is used to authenticate the client, and may optionally be used to authenticate the server. It may also be used to encrypt further communication between the two parties.

The implementation consists of one or more authentication servers running on physically secure hosts. The authentication servers maintain a database of principals (i.e., users and servers) and their secret keys. Code libraries provide encryption and implement the Kerberos protocol. In order to add authentication to its transactions, a typical network application adds one or two calls to the Kerberos library, which results in the transmission of the necessary messages to achieve authentication.

The Kerberos protocol consists of several sub-protocols (or exchanges). There are two methods by which a client can ask a Kerberos server for credentials. In the first approach, the client sends a cleartext request for a ticket for the desired server to the AS. The reply is sent encrypted in the client's secret key.
Usually this request is for a ticket-granting ticket (TGT) which can later be used with the ticket-granting server (TGS). In the second method, the client sends a request to the TGS. The client sends the TGT to the TGS in the same manner as if it were contacting any other application server which requires Kerberos credentials. The reply is encrypted in the session key from the TGT.

Once obtained, credentials may be used to verify the identity of the principals in a transaction, to ensure the integrity of messages exchanged between them, or to preserve privacy of the messages. The application is free to choose whatever protection may be necessary.

To verify the identities of the principals in a transaction, the client transmits the ticket to the server. Since the ticket is sent in the clear, and might be intercepted and reused by an attacker, additional information is sent to prove that the message was originated by the principal to whom the ticket was issued. This information (called the authenticator) is encrypted in the session key, and includes a timestamp. The timestamp proves that the message was recently generated and is not a replay. Encrypting the authenticator in the session key proves that it was generated by a party possessing the session key. Since no one except the requesting principal and the server knows the session key (it is never sent over the network in the clear), this guarantees the identity of the client.

The integrity of the messages exchanged between principals can also be guaranteed using the session key (passed in the ticket and contained in the credentials). This approach affords detection not only of replay, but also of message stream modification. This is accomplished by generating and transmitting a collision-proof checksum (elsewhere called a hash or digest function) of the client's message. The checksum is keyed with the session key. Privacy and integrity of the messages exchanged between principals can be secured by encrypting the data to be passed using the session key passed in the ticket, and contained in the credentials.

The authentication exchanges mentioned above require read-only access to the Kerberos database. Sometimes, however, the entries in the database must be modified, such as when adding new principals or changing a principal's key. This is done using a protocol between a client and a third Kerberos server, the Kerberos Administration Server (KADM). The administration protocol is not described in this document. There is also a protocol for maintaining multiple copies of the Kerberos database, but this can be considered an implementation detail and may vary to support different database technologies.

    Note 2: Secret and private are often used interchangeably in the literature. In our usage, it takes two (or more) to share a secret, thus a shared DES key is a secret key. Something is only private when no one but its owner knows it. Thus, in public key cryptosystems, one has a public and a private key.
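The AS exchange, the authenticator with its timestamp and replay check, and the keyed checksum described in the paragraphs above, as an added example that is not part of this draft and not MIT's code. It is a toy in Python: a SHA-256 counter keystream with an HMAC tag stands in for DES CBC and its checksum, JSON stands in for ASN.1, the client asks the AS for the application server's ticket directly (the first of the two methods; a TGS exchange has the same shape with the TGT as the ticket), and the principal names, keys and the 300-second skew are made up for the demo.

```python
"""Toy Kerberos AS and AP exchanges plus a KRB_SAFE-style keyed checksum (added example, not MIT code)."""
import hashlib
import hmac
import json
import os
import secrets

CLOCK_SKEW = 300   # seconds of clock difference the server tolerates (assumed value)

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag; only a holder of key can read or forge it."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Check the tag first; a wrong key or a modified message raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def _pack(fields):
    return json.dumps(fields, sort_keys=True).encode()

class KDC:
    """Authentication server: holds every principal's secret key."""
    def __init__(self, database):
        self.db = dict(database)

    def as_exchange(self, cname, sname):
        """KRB_AS_REP: a ticket sealed in the server's key and credentials sealed in the client's key."""
        skey = secrets.token_bytes(32)                      # fresh session key for this pair
        ticket = encrypt(self.db[sname], _pack({"cname": cname, "skey": skey.hex()}))
        creds = encrypt(self.db[cname], _pack({"sname": sname, "skey": skey.hex()}))
        return ticket, creds

class Client:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def build_ap_req(self, ticket, creds, now):
        """KRB_AP_REQ: the ticket, forwarded opaquely, plus an authenticator under the session key."""
        skey = bytes.fromhex(json.loads(decrypt(self.key, creds))["skey"])   # wrong key -> ValueError
        return (ticket, encrypt(skey, _pack({"cname": self.name, "ctime": now}))), skey

class Server:
    def __init__(self, key):
        self.key, self.replay_cache = key, set()   # cache holds (cname, ctime) pairs already accepted

    def accept_ap_req(self, ap_req, now):
        """Open the ticket with our key and the authenticator with the session key; check time and replay."""
        ticket_blob, auth_blob = ap_req
        ticket = json.loads(decrypt(self.key, ticket_blob))
        skey = bytes.fromhex(ticket["skey"])
        auth = json.loads(decrypt(skey, auth_blob))          # proves the sender holds the session key
        if auth["cname"] != ticket["cname"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - auth["ctime"]) > CLOCK_SKEW:
            raise ValueError("authenticator timestamp outside allowed skew")
        if (auth["cname"], auth["ctime"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["cname"], auth["ctime"]))
        return ticket["cname"], skey

def safe_checksum(skey, data):
    """KRB_SAFE-style integrity: a checksum keyed with the session key travels with the plaintext."""
    return hmac.new(skey, data, hashlib.sha256).digest()

def demo():
    """Run the exchanges once (made-up principals) and report what each check decided."""
    db = {"alice@EXAMPLE.ORG": secrets.token_bytes(32), "fileserver@EXAMPLE.ORG": secrets.token_bytes(32)}
    kdc, now = KDC(db), 1_000_000
    alice, fileserver = Client("alice@EXAMPLE.ORG", db["alice@EXAMPLE.ORG"]), Server(db["fileserver@EXAMPLE.ORG"])
    ticket, creds = kdc.as_exchange(alice.name, "fileserver@EXAMPLE.ORG")
    ap_req, client_skey = alice.build_ap_req(ticket, creds, now + 1)
    cname, server_skey = fileserver.accept_ap_req(ap_req, now + 2)
    data = b"read /home/alice/notes"
    cksum = safe_checksum(client_skey, data)
    results = {"authenticated_as": cname, "session_keys_match": client_skey == server_skey,
               "safe_ok": hmac.compare_digest(cksum, safe_checksum(server_skey, data)),
               "tampered_rejected": not hmac.compare_digest(cksum, safe_checksum(server_skey, data + b"!"))}
    stale_req, _ = alice.build_ap_req(ticket, creds, now - 3600)       # authenticator an hour old
    for label, req in (("replay", ap_req), ("stale", stale_req)):
        try:
            fileserver.accept_ap_req(req, now + 3)
            results[label + "_rejected"] = False
        except ValueError:
            results[label + "_rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The server never sees the client's long-term key: it learns the session key only from the ticket it can open with its own key, and it accepts the authenticator only if that session key opens it, the name inside matches the ticket, the timestamp is within skew, and the (name, timestamp) pair has not been accepted before. Re-presenting the same AP_REQ or presenting one with an hour-old timestamp is refused, which is the replay protection the text attributes to the authenticator.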
1.1. Inter-Realm Operation

The Kerberos protocol is designed to operate across organizational boundaries. A client in one organization can be authenticated to a server in another. Each organization wishing to run a Kerberos server establishes its own "realm". The name of the realm in which a client is registered is part of the client's name, and can be used by the end service to decide whether to honor a request.

By establishing "inter-realm" keys, the administrators of two realms can allow a client authenticated in the local realm to use its authentication remotely. The exchange of inter-realm keys (a separate key may be used for each direction) registers the ticket-granting service of each realm as a principal in the other realm. A client is then able to obtain a ticket-granting ticket for the remote realm's ticket-granting service from its local realm. When that ticket-granting ticket is used, the remote ticket-granting service uses the inter-realm key (which usually differs from its own normal TGS key) to decrypt the ticket-granting ticket, and is thus certain that it was issued by the client's local Kerberos. Tickets issued by the remote ticket-granting service will indicate that the client was authenticated in its local realm.

A realm is said to communicate with another realm if the two realms share an inter-realm key, or if the local realm shares an inter-realm key with an intermediate realm that communicates with the remote realm. An authentication path is the sequence of intermediate realms that are transited in communicating from one realm to another.

Realms are typically organized hierarchically. Each realm shares a key with its parent and a different key with each child. If an inter-realm key is not directly shared by two realms, the hierarchical organization allows an authentication path to be easily constructed. If a hierarchical organization is not used, it may be necessary to consult some database in order to construct an authentication path between realms.

Although realms are typically hierarchical, intermediate realms may be bypassed to achieve inter-realm authentication through alternate authentication paths (these might be established to make communication between two realms more efficient). It is important for the end service to know which realms were transited when deciding how much faith to place in the authentication process. To facilitate this decision, a field in each ticket contains the names of the realms that were involved in authenticating the client.
3232(facilitate)X 3533(this)X 3668(decision,)X 3975(a)X 555 3308(\256eld)N 717(in)X 799(each)X 967(ticket)X 1165(contains)X 1452(the)X 1570(names)X 1795(of)X 1882(the)X 2000(realms)X 2234(that)X 2374(were)X 2551(involved)X 2851(in)X 2933(authenticating)X 3407(the)X 3525(client.)X 3 f 12 s 555 3500(1.2.)N 747(Environmental)X 1390(assumptions)X 1 f 10 s 555 3624(Kerberos)N 870(imposes)X 1152(a)X 1208(few)X 1349(assumptions)X 1764(on)X 1864(the)X 1982(environment)X 2407(in)X 2489(which)X 2705(it)X 2769(can)X 2901(properly)X 3193(function:)X 10 f 555 3748(g)N 1 f 755("Denial)X 1027(of)X 1118(service")X 1403(attacks)X 1650(are)X 1773(not)X 1899(solved)X 2132(with)X 2298(Kerberos.)X 2657(There)X 2869(are)X 2992(places)X 3217(in)X 3303(these)X 3492(protocols)X 3814(where)X 755 3844(an)N 858(intruder)X 1139(can)X 1278(prevent)X 1545(an)X 1647(application)X 2029(from)X 2211(participating)X 2642(in)X 2730(the)X 2854(proper)X 3090(authentication)X 3570(steps.)X 3796(Detec-)X 755 3940(tion)N 907(and)X 1050(solution)X 1334(of)X 1428(such)X 1602(attacks)X 1852(\(some)X 2075(of)X 2169(which)X 2392(can)X 2531(appear)X 2773(to)X 2862(be)X 2965(not-uncommon)X 3481("normal")X 3801(failure)X 755 4036(modes)N 984(for)X 1098(the)X 1216(system\))X 1485(is)X 1558(usually)X 1809(best)X 1958(left)X 2085(to)X 2167(the)X 2285(human)X 2523(administrators)X 3001(and)X 3137(users.)X 10 f 555 4160(g)N 1 f 755(Principals)X 1098(must)X 1276(keep)X 1451(their)X 1621(secret)X 1832(keys)X 2002(secret.)X 2253(If)X 2330(an)X 2429(intruder)X 2706(somehow)X 3036(steals)X 3237(a)X 3296(principal's)X 3662(key,)X 3821(it)X 3887(will)X 755 4256(be)N 856(able)X 1015(to)X 1102(masquerade)X 1511(as)X 1603(that)X 1748(principal)X 2058(or)X 2150(convince)X 2465(the)X 2588(principal)X 2898(that)X 3043(it)X 3112(is)X 3190(some)X 3383(server)X 3604(the)X 3726(principal)X 755 4352(desires)N 998(to)X 1080(contact.)X 10 f 555 4476(g)N 1 f 755(Each)X 939(host)X 1095(on)X 1197(the)X 1317(network)X 1602(must)X 1779(have)X 
1953(a)X 2011(clock)X 2207(which)X 2425(is)X 2500("loosely)X 2786(synchronized")X 3269(to)X 3353(the)X 3473(time)X 3637(of)X 3726(the)X 3846(other)X 755 4572(hosts;)N 963(this)X 1100(synchronization)X 1634(is)X 1709(used)X 1878(to)X 1962(reduce)X 2199(the)X 2319(bookkeeping)X 2755(needs)X 2960(of)X 3049(application)X 3427(servers)X 3677(when)X 3873(they)X 755 4668(do)N 855(replay)X 1076(detection.)X 1430(\(The)X 1602(degree)X 1837(of)X 1924(required)X 2212("looseness")X 2605(can)X 2737(be)X 2833(con\256gured)X 3196(on)X 3296(a)X 3352(per-server)X 3699(basis.\))X 10 f 555 4792(g)N 1 f 755(Principal)X 1066(identi\256ers)X 1408(are)X 1528(not)X 1651(recycled)X 1945(on)X 2046(a)X 2103(short-term)X 2458(basis.)X 2679(A)X 2758(typical)X 2997(mode)X 3196(of)X 3284(access)X 3511(control)X 3759(will)X 3904(use)X 755 4888(access)N 990(control)X 1246(lists)X 1403(\(ACLs\))X 1677(to)X 1768(grant)X 1962(permissions)X 2373(to)X 2464(particular)X 2801(princpals,)X 3144(and)X 3289(these)X 3482(ACL)X 3670(entries)X 3912(are)X 755 4984(often)N 944(hard)X 1111(to)X 1197(discover)X 1493(until)X 1663(it's)X 1788(too)X 1913(late.)X 2092(By)X 2208(not)X 2333(re-using)X 2619(principal)X 2927(identi\256ers,)X 3290(the)X 3411(danger)X 3653(of)X 3743(inadver-)X 755 5080(tent)N 895(access)X 1121(is)X 1194(removed.)X 3 f 12 s 555 5272(1.3.)N 747(Glossary)X 1134(of)X 1238(terms)X 1 f 10 s 555 5396(Below)N 784(is)X 857(a)X 913(list)X 1030(of)X 1117(terms)X 1315(used)X 1482(throughout)X 1853(this)X 1988(document.)X 3 f 555 5616(Authentication)N 1 f 1355(Verifying)X 1687(the)X 1805(claimed)X 2079(identity)X 2343(of)X 2430(a)X 2486(principal.)X 3 f 555 5836(Authentication)N 1093(header)X 1 f 1362(A)X 1447(record)X 1679(containing)X 2043(a)X 2105(Ticket)X 2336(and)X 2478(an)X 2580(Authenticator)X 3047(to)X 3135(be)X 3237(presented)X 3571(to)X 3659(a)X 3721(server)X 3944(as)X 555 6144(Section)N 815(1.3.)X 2216(-)X 2263(3)X 2323(-)X 4 p %%Page: 4 5 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 
416(DRAFT)N 2411(4)X 1 f 1355 672(part)N 1500(of)X 1587(the)X 1705(authentication)X 2179(process.)X 3 f 555 892(Authentication)N 1097(path)X 1 f 1366(A)X 1455(sequence)X 1781(of)X 1879(intermediate)X 2311(realms)X 2556(transited)X 2862(in)X 2954(the)X 3082(authentication)X 3566(process)X 3837(when)X 1355 988(communicating)N 1873(from)X 2049(one)X 2185(realm)X 2388(to)X 2470(another.)X 3 f 555 1208(Authenticator)N 1 f 1355(A)X 1446(record)X 1685(containing)X 2056(information)X 2467(that)X 2620(can)X 2765(be)X 2874(shown)X 3115(to)X 3209(have)X 3393(been)X 3577(recently)X 3868(gen-)X 1355 1304(erated)N 1572(using)X 1765(the)X 1883(session)X 2134(key)X 2270(known)X 2508(only)X 2670(by)X 2770(the)X 2888(client)X 3086(and)X 3222(server.)X 3 f 555 1524(Authorization)N 1 f 1355(The)X 1503(process)X 1767(of)X 1857(determining)X 2267(whether)X 2549(a)X 2608(client)X 2809(may)X 2969(use)X 3098(a)X 3156(service,)X 3446(which)X 3664(objects)X 3913(the)X 1355 1620(client)N 1553(is)X 1626(allowed)X 1900(to)X 1982(access,)X 2228(and)X 2364(the)X 2482(type)X 2640(of)X 2727(access)X 2953(allowed)X 3227(for)X 3341(each.)X 3 f 555 1840(Capability)N 1 f 1355(A)X 1439(token)X 1643(that)X 1789(grants)X 2011(the)X 2135(bearer)X 2363(permission)X 2740(to)X 2828(access)X 3060(an)X 3162(object)X 3384(or)X 3477(service.)X 3771(In)X 3863(Ker-)X 1355 1936(beros,)N 1572(this)X 1710(might)X 1919(be)X 2018(a)X 2077(ticket)X 2278(whose)X 2506(use)X 2636(is)X 2712(restricted)X 3034(by)X 3137(the)X 3258(contents)X 3548(of)X 3637(the)X 3757(authori-)X 1355 2032(zation)N 1579(data)X 1741(\256eld,)X 1931(but)X 2061(which)X 2285(lists)X 2441(no)X 2549(network)X 2840(addresses,)X 3196(together)X 3486(with)X 3655(the)X 3780(session)X 1355 2128(key)N 1491(necessary)X 1824(to)X 1906(use)X 2033(the)X 2151(ticket.)X 3 f 555 2348(Ciphertext)N 1 f 1355(The)X 1501(output)X 1726(of)X 1814(an)X 1910(encryption)X 2273(function.)X 2600(Encryption)X 2976(transforms)X 3339(plaintext)X 3639(into)X 3783(cipher-)X 1355 
2444(text.)N 3 f 555 2664(Client)N 1 f 1355(A)X 1439(process)X 1706(that)X 1852(makes)X 2083(use)X 2216(of)X 2309(a)X 2371(network)X 2660(service,)X 2934(on)X 3040(behalf)X 3267(of)X 3360(a)X 3422(user.)X 3622(Note)X 3804(that)X 3949(in)X 1355 2760(some)N 1546(cases)X 1738(a)X 3 f 1796(Server)X 1 f 2046(may)X 2205(itself)X 2386(be)X 2483(a)X 2540(client)X 2739(of)X 2827(some)X 3017(other)X 3203(server)X 3421(\(e.g.)X 3585(a)X 3642(print)X 3814(server)X 1355 2856(may)N 1513(be)X 1609(a)X 1665(client)X 1863(of)X 1950(a)X 2006(\256le)X 2128(server\).)X 3 f 555 3076(Credentials)N 1 f 1355(A)X 1438(ticket)X 1641(plus)X 1799(the)X 1922(secret)X 2135(session)X 2391(key)X 2532(necessary)X 2870(to)X 2956(successfully)X 3372(use)X 3503(that)X 3647(ticket)X 3849(in)X 3935(an)X 1355 3172(authentication)N 1829(exchange.)X 3 f 555 3392(KDC)N 1 f 1355(Key)X 1523(Distribution)X 1943(Center,)X 2211(a)X 2281(network)X 2578(service)X 2840(that)X 2994(supplies)X 3290(tickets)X 3532(and)X 3681(temporary)X 1355 3488(session)N 1608(keys;)X 1799(or)X 1888(an)X 1986(instance)X 2271(of)X 2360(that)X 2502(service)X 2752(or)X 2841(the)X 2960(host)X 3114(on)X 3215(which)X 3432(it)X 3497(runs.)X 3696(The)X 3842(KDC)X 1355 3584(services)N 1648(both)X 1824(initial)X 2044(ticket)X 2255(and)X 2404(ticket-granting)X 2909(ticket)X 3120(requests.)X 3456(The)X 3614(initial)X 3833(ticket)X 1355 3680(portion)N 1618(is)X 1703(sometimes)X 2077(referred)X 2365(to)X 2459(as)X 2558(the)X 2687(Authentication)X 3194(Server)X 3435(\(or)X 3560(service\).)X 3886(The)X 1355 3776(ticket-granting)N 1850(ticket)X 2051(portion)X 2305(is)X 2381(sometimes)X 2746(referred)X 3025(to)X 3110(as)X 3200(the)X 3320(ticket-granting)X 3814(server)X 1355 3872(\(or)N 1469(service\).)X 3 f 555 4092(Kerberos)N 1 f 1355(Aside)X 1565(from)X 1743(the)X 1863(3-headed)X 2180(dog)X 2322(guarding)X 2629(Hades,)X 2872(the)X 2992(name)X 3188(given)X 3388(to)X 3472(Project)X 3721(Athena's)X 1355 4188(authentication)N 1848(service,)X 2135(the)X 
2272(protocol)X 2578(used)X 2764(by)X 2883(that)X 3042(service,)X 3329(or)X 3435(the)X 3572(code)X 3763(used)X 3949(to)X 1355 4284(implement)N 1717(the)X 1835(authentication)X 2309(service.)X 3 f 555 4504(Plaintext)N 1 f 1355(The)X 1524(input)X 1731(to)X 1836(an)X 1955(encryption)X 2341(function)X 2651(or)X 2761(the)X 2902(output)X 3149(of)X 3259(a)X 3338(decryption)X 3724(function.)X 1355 4600(Decryption)N 1736(transforms)X 2099(ciphertext)X 2440(into)X 2584(plaintext.)X 3 f 555 4820(Principal)N 1 f 1355(A)X 1434(uniquely)X 1734(named)X 1968(client)X 2166(or)X 2253(server)X 2470(instance)X 2753(that)X 2893(participates)X 3283(in)X 3365(a)X 3421(network)X 3704(commun-)X 1355 4916(ication.)N 3 f 555 5136(Principal)N 890(identi\256er)X 1 f 1355(The)X 1500(name)X 1694(used)X 1861(to)X 1943(uniquely)X 2243(identify)X 2512(each)X 2680(different)X 2977(principal.)X 3 f 555 5356(Seal)N 1 f 1355(To)X 1466(encipher)X 1765(a)X 1823(record)X 2051(containing)X 2411(several)X 2661(\256elds,)X 2876(in)X 2960(such)X 3129(a)X 3187(way)X 3343(that)X 3484(the)X 3603(\256elds)X 3797(cannot)X 1355 5452(be)N 1458(individually)X 1871(replaced)X 2171(without)X 2442(either)X 2651(knowledge)X 3029(of)X 3122(the)X 3246(encryption)X 3615(key)X 3757(or)X 3850(leav-)X 1355 5548(ing)N 1477(evidence)X 1783(of)X 1870(tampering.)X 3 f 555 5768(Secret)N 804(key)X 1 f 1369(An)X 1501(encryption)X 1878(key)X 2028(shared)X 2272(by)X 2385(a)X 2454(principal)X 2772(and)X 2921(the)X 3052(KDC,)X 3274(distributed)X 3649(outside)X 3913(the)X 555 6144(Section)N 815(1.3.)X 2216(-)X 2263(4)X 2323(-)X 5 p %%Page: 5 6 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 1355 672(bounds)N 1612(of)X 1705(the)X 1829(system,)X 2096(with)X 2263(a)X 2324(long)X 2491(lifetime.)X 2805(In)X 2897(the)X 3020(case)X 3184(of)X 3276(a)X 3337(human)X 3580(user's)X 3797(princi-)X 1355 768(pal,)N 1493(the)X 1611(secret)X 1819(key)X 1955(is)X 2028(derived)X 2289(from)X 2465(a)X 2521(password.)X 3 f 555 
988(Server)N 1 f 1355(A)X 1433(particular)X 1761(Principal)X 2070(which)X 2286(provides)X 2582(a)X 2638(resource)X 2931(to)X 3013(network)X 3296(clients.)X 3 f 555 1208(Service)N 1 f 1355(A)X 1442(resource)X 1744(provided)X 2057(to)X 2147(network)X 2438(clients;)X 2697(often)X 2890(provided)X 3203(by)X 3311(more)X 3504(than)X 3670(one)X 3814(server)X 1355 1304(\(for)N 1496(example,)X 1808(remote)X 2051(\256le)X 2173(service\).)X 3 f 555 1524(Session)N 829(key)X 1 f 1361(A)X 1445(temporary)X 1801(encryption)X 2170(key)X 2312(used)X 2484(between)X 2777(two)X 2922(principals,)X 3283(with)X 3450(a)X 3511(lifetime)X 3785(limited)X 1355 1620(to)N 1437(the)X 1555(duration)X 1842(of)X 1929(a)X 1985(single)X 2196(communications)X 2745("session".)X 3 f 555 1840(Ticket)N 1 f 1355(A)X 1441(record)X 1674(that)X 1821(helps)X 2017(a)X 2080(client)X 2285(authenticate)X 2700(itself)X 2887(to)X 2976(a)X 3039(server;)X 3285(it)X 3356(contains)X 3650(the)X 3775(client's)X 1355 1936(identity,)N 1650(a)X 1717(session)X 1979(key,)X 2146(a)X 2213(timestamp,)X 2597(and)X 2744(other)X 2940(information,)X 3369(all)X 3479(sealed)X 3710(using)X 3913(the)X 1355 2032(server's)N 1639(secret)X 1856(key.)X 2041(It)X 2119(only)X 2290(serves)X 2519(to)X 2609(authenticate)X 3025(a)X 3089(client)X 3295(when)X 3497(presented)X 3833(along)X 1355 2128(with)N 1517(a)X 1573(fresh)X 1754(Authenticator.)X 3 f 12 s 555 2320(2.)N 675(Ticket)X 961(\257ag)X 1134(uses)X 1328(and)X 1506(requests)X 1 f 10 s 555 2444(Each)N 748(Kerberos)X 1075(ticket)X 1285(contains)X 1584(a)X 1652(set)X 1773(of)X 1872(\257ags)X 2055(which)X 2282(are)X 2412(used)X 2590(to)X 2683(indicate)X 2968(various)X 3235(attributes)X 3564(of)X 3662(that)X 3813(ticket.)X 555 2540(Most)N 743(\257ags)X 918(may)X 1080(be)X 1180(requested)X 1512(by)X 1615(a)X 1674(client)X 1875(when)X 2072(the)X 2193(ticket)X 2394(is)X 2470(obtained;)X 2791(some)X 2983(are)X 3105(automatically)X 3564(turned)X 3792(on)X 3895(and)X 555 2636(off)N 681(by)X 793(a)X 
860(Kerberos)X 1186(server)X 1414(as)X 1512(required.)X 1851(The)X 2007(following)X 2349(sections)X 2638(explain)X 2905(what)X 3092(the)X 3221(various)X 3488(\257ags)X 3670(mean,)X 3895(and)X 555 2732(gives)N 744(some)X 933(examples)X 1256(of)X 1343(reasons)X 1604(to)X 1686(use)X 1813(such)X 1980(a)X 2036(\257ag.)X 3 f 12 s 555 2924(2.1.)N 747(Initial)X 1022(tickets)X 1 f 10 s 755 3048(The)N 904(INITIAL)X 1222(\257ag)X 1365(indicates)X 1673(that)X 1816(a)X 1875(ticket)X 2076(was)X 2224(issued)X 2447(using)X 2643(the)X 2764(AS)X 2889(protocol)X 3179(and)X 3318(not)X 3443(issued)X 3666(based)X 3872(on)X 3975(a)X 555 3144(ticket-granting)N 1048(ticket.)X 1287(Application)X 1685(servers)X 1933(that)X 2073(want)X 2249(to)X 2331(require)X 2579(the)X 2697(knowledge)X 3069(of)X 3156(a)X 3212(client's)X 3468(secret)X 3676(key)X 3812(\(e.g.)X 3975(a)X 555 3240(password-changing)N 1204(program\))X 1528(can)X 1665(insist)X 1858(that)X 2003(this)X 2143(\257ag)X 2288(be)X 2389(set)X 2502(in)X 2588(any)X 2728(tickets)X 2961(they)X 3123(accept,)X 3373(and)X 3513(thus)X 3670(be)X 3770(assured)X 555 3336(that)N 695(the)X 813(client's)X 1069(key)X 1205(was)X 1350(recently)X 1629(presented)X 1957(to)X 2039(the)X 2157(application)X 2533(client.)X 3 f 12 s 555 3528(2.2.)N 747(Invalid)X 1064(tickets)X 1 f 10 s 755 3652(The)N 909(INVALID)X 1273(\257ag)X 1422(indicates)X 1736(that)X 1885(a)X 1949(ticket)X 2155(is)X 2236(invalid.)X 2526(Application)X 2932(servers)X 3188(must)X 3371(reject)X 3578(tickets)X 3815(which)X 555 3748(have)N 731(this)X 870(\257ag)X 1014(set.)X 1167(A)X 1249(postdated)X 1580(ticket)X 1782(will)X 1930(usually)X 2185(be)X 2285(issued)X 2509(in)X 2595(this)X 2734(form.)X 2954(Invalid)X 3205(tickets)X 3438(must)X 3617(be)X 3717(validated)X 555 3844(by)N 666(the)X 795(KDC)X 994(before)X 1230(use,)X 1387(by)X 1497(presenting)X 1861(them)X 2051(to)X 2143(the)X 2271(KDC)X 2470(in)X 2562(a)X 2628(TGS)X 2809(request)X 3071(with)X 3243(the)X 3371(VALIDATE)X 3807(option)X 555 
3940(speci\256ed.)N 905(The)X 1055(KDC)X 1249(will)X 1398(only)X 1565(validate)X 1844(tickets)X 2078(after)X 2251(their)X 3 f 2423(starttime)X 1 f 2761(has)X 2893(passed.)X 3172(The)X 3322(validation)X 3666(is)X 3743(required)X 555 4036(so)N 664(that)X 822(postdated)X 1167(tickets)X 1413(which)X 1646(have)X 1835(been)X 2024(stolen)X 2252(before)X 2495(their)X 3 f 2679(starttime)X 1 f 3029(can)X 3178(be)X 3291(rendered)X 3610(permanently)X 555 4132(invalid)N 797(\(through)X 1093(a)X 1149(hot-list)X 1395(mechanism\).)X 3 f 12 s 555 4324(2.3.)N 747(Renewable)X 1219(tickets)X 1 f 10 s 755 4448(Applications)N 1190(may)X 1354(desire)X 1572(to)X 1660(hold)X 1828(tickets)X 2063(which)X 2285(can)X 2423(be)X 2525(valid)X 2710(for)X 2829(long)X 2996(periods)X 3257(of)X 3349(time.)X 3556(However,)X 3896(this)X 555 4544(can)N 693(expose)X 942(their)X 1115(credentials)X 1489(to)X 1577(potential)X 1883(theft)X 2056(for)X 2176(equally)X 2438(long)X 2606(periods,)X 2887(and)X 3028(those)X 3222(stolen)X 3438(credentials)X 3811(would)X 555 4640(be)N 655(valid)X 839(until)X 1009(the)X 1131(expiration)X 1480(time)X 1646(of)X 1737(the)X 1859(ticket\(s\).)X 2186(Simply)X 2440(using)X 2637(short-lived)X 3008(tickets)X 3241(and)X 3381(obtaining)X 3707(new)X 3864(ones)X 555 4736(periodically)N 975(would)X 1212(require)X 1477(the)X 1612(client)X 1826(to)X 1924(have)X 2112(long-term)X 2464(access)X 2706(to)X 2804(its)X 2915(secret)X 3139(key,)X 3311(an)X 3423(even)X 3611(greater)X 3871(risk.)X 555 4832(Renewable)N 935(tickets)X 1167(can)X 1302(be)X 1401(used)X 1571(to)X 1656(mitigate)X 1941(the)X 2062(consequences)X 2526(of)X 2615(theft.)X 2824(Renewable)X 3203(tickets)X 3434(have)X 3608(two)X 3750("expira-)X 555 4928(tion)N 701(times":)X 951(the)X 1071(\256rst)X 1217(is)X 1292(when)X 1488(the)X 1608(current)X 1858(instance)X 2143(of)X 2232(the)X 2352(ticket)X 2552(expires,)X 2826(and)X 2964(the)X 3084(second)X 3329(is)X 3404(the)X 3523(latest)X 3713(permissi-)X 555 5024(ble)N 679(value)X 
879(for)X 999(an)X 1101(individual)X 1450(expiration)X 1800(time.)X 2007(An)X 2130(application)X 2511(client)X 2714(must)X 2894(periodically)X 3302(\(i.e.)X 3452(before)X 3683(it)X 3752(expires\))X 555 5120(present)N 815(a)X 879(renewable)X 1238(ticket)X 1444(to)X 1534(the)X 1660(KDC,)X 1877(with)X 2046(the)X 2171(RENEW)X 2483(option)X 2714(set)X 2830(in)X 2919(the)X 3044(KDC)X 3240(request.)X 3539(The)X 3691(KDC)X 3887(will)X 555 5216(issue)N 739(a)X 799(new)X 957(ticket)X 1159(with)X 1325(a)X 1385(new)X 1543(session)X 1798(key)X 1938(and)X 2078(a)X 2138(later)X 2305(expiration)X 2654(time.)X 2860(All)X 2986(other)X 3174(\256elds)X 3370(of)X 3460(the)X 3581(ticket)X 3782(are)X 3904(left)X 555 5312(unmodi\256ed)N 943(by)X 1047(the)X 1169(renewal)X 1448(process.)X 1753(When)X 1969(the)X 2091(latest)X 2284(permissible)X 2677(expiration)X 3026(time)X 3192(arrives,)X 3455(the)X 3577(ticket)X 3779(expires)X 555 5408(permanently.)N 1018(At)X 1120(each)X 1290(renewal,)X 1587(the)X 1707(KDC)X 1898(may)X 2058(consult)X 2311(a)X 2369(hot-list)X 2617(to)X 2701(determine)X 3044(if)X 3115(the)X 3234(ticket)X 3433(had)X 3570(been)X 3743(reported)X 555 5504(stolen)N 767(since)X 953(its)X 1049(last)X 1181(renewal;)X 1479(it)X 1544(will)X 1689(refuse)X 1906(to)X 1988(renew)X 2205(such)X 2372(stolen)X 2583(tickets,)X 2832(and)X 2968(thus)X 3121(the)X 3239(usable)X 3464(lifetime)X 3733(of)X 3820(stolen)X 555 5600(tickets)N 784(is)X 857(reduced.)X 755 5724(The)N 908(RENEWABLE)X 1430(\257ag)X 1578(in)X 1668(a)X 1732(ticket)X 1938(is)X 2018(normally)X 2334(only)X 2503(interpreted)X 2878(by)X 2985(the)X 3110(ticket-granting)X 3609(service)X 3864(\(dis-)X 555 5820(cussed)N 791(below)X 1009(in)X 1093(section)X 1342(3.3\).)X 1530(It)X 1600(can)X 1733(usually)X 1985(be)X 2082(ignored)X 2348(by)X 2449(application)X 2826(servers.)X 3115(However,)X 3451(some)X 3641(particularly)X 555 6144(Section)N 815(2.3.)X 2216(-)X 2263(5)X 2323(-)X 6 p %%Page: 6 7 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 
2115 416(DRAFT)N 2411(4)X 1 f 555 672(careful)N 801(application)X 1179(servers)X 1429(may)X 1588(wish)X 1760(to)X 1843(disallow)X 2135(renewable)X 2487(tickets.)X 2757(If)X 2832(a)X 2889(renewable)X 3241(ticket)X 3440(is)X 3514(not)X 3637(renewed)X 3931(by)X 555 768(its)N 657(expiration)X 1009(time,)X 1198(the)X 1323(KDC)X 1519(will)X 1670(not)X 1799(renew)X 2023(the)X 2148(ticket.)X 2393(The)X 2545(RENEWABLE)X 3066(\257ag)X 3213(is)X 3293(reset)X 3472(by)X 3578(default,)X 3847(but)X 3975(a)X 555 864(client)N 762(may)X 929(request)X 1190(it)X 1263(be)X 1368(set)X 1486(by)X 1595(setting)X 1837(the)X 1964(RENEWABLE)X 2487(option)X 2720(in)X 2811(the)X 2938(AS)X 3069(request.)X 3370(If)X 3453(it)X 3526(is)X 3608(set,)X 3746(then)X 3913(the)X 3 f 555 960(renew-till)N 1 f 905(\256eld)X 1067(in)X 1149(the)X 1267(ticket)X 1465(contains)X 1752(the)X 1870(time)X 2032(after)X 2200(which)X 2416(the)X 2534(ticket)X 2732(may)X 2890(not)X 3012(be)X 3108(renewed.)X 3 f 12 s 555 1152(2.4.)N 747(Postdated)X 1176(tickets)X 1 f 10 s 755 1276(Applications)N 1186(may)X 1346(occasionally)X 1769(need)X 1943(to)X 2027(obtain)X 2249(tickets)X 2480(for)X 2596(use)X 2725(much)X 2925(later,)X 3110(e.g.)X 3248(a)X 3306(batch)X 3502(submission)X 3882(sys-)X 555 1372(tem)N 700(would)X 925(need)X 1102(tickets)X 1336(to)X 1423(be)X 1524(valid)X 1709(at)X 1792(the)X 1915(time)X 2082(the)X 2205(batch)X 2404(job)X 2531(is)X 2609(serviced.)X 2942(However,)X 3282(it)X 3351(is)X 3429(dangerous)X 3783(to)X 3869(hold)X 555 1468(valid)N 740(tickets)X 974(in)X 1061(a)X 1121(batch)X 1319(queue,)X 1555(since)X 1744(they)X 1906(will)X 2054(be)X 2154(on-line)X 2405(longer)X 2634(and)X 2774(more)X 2963(prone)X 3170(to)X 3256(theft.)X 3467(Postdated)X 3802(tickets)X 555 1564(provide)N 827(a)X 890(way)X 1051(to)X 1140(obtain)X 1367(these)X 1559(tickets)X 1794(from)X 1976(the)X 2100(KDC)X 2295(at)X 2379(job)X 2507(submission)X 2892(time,)X 3080(but)X 3208(to)X 3296(leave)X 3492(them)X 3678("dormant")X 555 
1660(until)N 723(they)X 883(are)X 1004(activated)X 1316(and)X 1454(validated)X 1770(by)X 1872(a)X 1930(further)X 2171(request)X 2425(of)X 2514(the)X 2634(KDC.)X 2864(If)X 2939(a)X 2996(ticket)X 3195(theft)X 3363(were)X 3541(reported)X 3830(in)X 3913(the)X 555 1756(interim,)N 826(the)X 944(KDC)X 1133(would)X 1353(refuse)X 1570(to)X 1652(validate)X 1926(the)X 2044(ticket,)X 2262(and)X 2398(the)X 2516(thief)X 2683(will)X 2827(be)X 2923(foiled.)X 755 1880(The)N 904(MAY-POSTDATE)X 1551(\257ag)X 1695(in)X 1781(a)X 1841(ticket)X 2043(is)X 2120(normally)X 2433(only)X 2599(interpreted)X 2971(by)X 3075(the)X 3196(ticket-granting)X 3691(service.)X 3962(It)X 555 1976(can)N 694(be)X 797(ignored)X 1069(by)X 1176(application)X 1559(servers.)X 1853(This)X 2021(\257ag)X 2167(must)X 2348(be)X 2450(set)X 2565(in)X 2653(a)X 2715(ticket-granting)X 3213(ticket)X 3417(in)X 3505(order)X 3701(to)X 3789(issue)X 3975(a)X 555 2072(postdated)N 885(ticket)X 1086(based)X 1292(on)X 1395(the)X 1516(presented)X 1847(ticket.)X 2088(It)X 2160(is)X 2236(reset)X 2410(by)X 2512(default;)X 2779(it)X 2845(may)X 3005(be)X 3103(requested)X 3433(by)X 3535(a)X 3593(client)X 3793(by)X 3895(set-)X 555 2168(ting)N 702(the)X 823(ALLOW-POSTDATE)X 1572(option)X 1799(in)X 1884(the)X 2005(AS)X 2130(request.)X 2425(This)X 2590(\257ag)X 2733(does)X 2903(not)X 3028(allow)X 3229(a)X 3287(client)X 3487(to)X 3571(obtain)X 3793(a)X 3851(post-)X 555 2264(dated)N 755(ticket-granting)X 1253(ticket;)X 1479(Postdated)X 1816(ticket-granting)X 2314(tickets)X 2549(can)X 2687(only)X 2855(by)X 2961(obtained)X 3263(by)X 3369(requesting)X 3728(the)X 3851(post-)X 555 2360(dating)N 790(in)X 887(the)X 1020(KRB_AS_REQ)X 1561(message.)X 1908(The)X 2068(life)X 2210(\()X 3 f 2237(endtime)X 1 f 2513(-)X 3 f 2540(starttime)X 1 f 2853(\))X 2915(of)X 3017(a)X 3088(postdated)X 3430(ticket)X 3643(will)X 3802(be)X 3913(the)X 555 2456(remaining)N 908(life)X 1043(of)X 1138(the)X 1264(ticket-granting)X 1764(ticket)X 1970(at)X 2056(the)X 2182(time)X 
2352(of)X 2447(the)X 2573(request,)X 2853(unless)X 3081(the)X 3206(RENEWABLE)X 3727(option)X 3958(is)X 555 2552(also)N 705(set,)X 835(in)X 918(which)X 1135(case)X 1295(it)X 1360(can)X 1493(be)X 1590(the)X 1708(full)X 1839(life)X 1966(of)X 2053(the)X 2171(ticket-granting)X 2663(ticket.)X 2901(The)X 3046(KDC)X 3235(may)X 3393(limit)X 3563(how)X 3721(far)X 3831(in)X 3913(the)X 555 2648(future)N 767(a)X 823(ticket)X 1021(may)X 1179(be)X 1275(postdated.)X 755 2772(The)N 905(POSTDATED)X 1397(\257ag)X 1542(indicates)X 1852(that)X 1997(a)X 2057(ticket)X 2259(has)X 2390(been)X 2566(postdated.)X 2937(The)X 3086(application)X 3466(server)X 3687(can)X 3823(check)X 555 2868(the)N 3 f 689(authtime)X 1 f 1032(\256eld)X 1210(in)X 1308(the)X 1442(ticket)X 1655(to)X 1752(see)X 1890(when)X 2099(the)X 2232(original)X 2516(authentication)X 3005(occurred.)X 3362(Some)X 3579(services)X 3873(may)X 555 2964(choose)N 805(to)X 894(reject)X 1100(postdated)X 1434(tickets,)X 1689(or)X 1782(they)X 1946(may)X 2110(only)X 2278(accept)X 2510(them)X 2696(within)X 2926(a)X 2988(certain)X 3233(period)X 3464(after)X 3638(the)X 3762(original)X 555 3060(authentication.)N 1073(When)X 1289(the)X 1411(KDC)X 1604(issues)X 1819(a)X 1879(POSTDATED)X 2370(ticket,)X 2592(it)X 2660(will)X 2808(also)X 2961(be)X 3061(marked)X 3326(as)X 3417(INVALID,)X 3796(so)X 3891(that)X 555 3156(the)N 673(application)X 1049(client)X 1247(must)X 1422(present)X 1674(the)X 1792(ticket)X 1990(to)X 2072(the)X 2190(KDC)X 2379(to)X 2461(be)X 2557(validated)X 2871(before)X 3097(use.)X 3 f 12 s 555 3348(2.5.)N 747(Proxiable)X 1167(and)X 1345(proxy)X 1609(tickets)X 1 f 10 s 755 3472(At)N 858(times)X 1054(it)X 1121(may)X 1282(be)X 1381(necessary)X 1717(for)X 1834(a)X 1893(principal)X 2201(to)X 2286(allow)X 2487(a)X 2546(service)X 2797(to)X 2882(perform)X 3164(an)X 3263(operation)X 3589(on)X 3692(its)X 3790(behalf.)X 555 3568(The)N 702(service)X 952(must)X 1129(be)X 1227(able)X 1383(to)X 1467(take)X 1623(on)X 1725(the)X 1845(identity)X 
2111(of)X 2200(the)X 2320(client,)X 2540(but)X 2664(only)X 2828(for)X 2944(a)X 3002(particular)X 3332(purpose.)X 3647(A)X 3726(principal)X 555 3664(can)N 687(allow)X 885(a)X 941(service)X 1189(to)X 1271(take)X 1425(on)X 1525(the)X 1643(principal's)X 2006(identity)X 2270(for)X 2384(a)X 2440(particular)X 2768(purpose)X 3042(by)X 3142(granting)X 3429(it)X 3493(a)X 3549(proxy.)X 755 3788(The)N 907(PROXIABLE)X 1383(\257ag)X 1530(in)X 1619(a)X 1682(ticket)X 1886(is)X 1965(normally)X 2280(only)X 2448(interpreted)X 2822(by)X 2928(the)X 3052(ticket-granting)X 3550(service.)X 3824(It)X 3899(can)X 555 3884(be)N 653(ignored)X 920(by)X 1022(application)X 1400(servers.)X 1690(When)X 1903(set,)X 2033(this)X 2169(\257ag)X 2310(tells)X 2464(the)X 2583(ticket-granting)X 3076(server)X 3294(that)X 3435(it)X 3500(is)X 3574(OK)X 3711(to)X 3794(issue)X 3975(a)X 555 3980(new)N 712(ticket)X 913(\(but)X 1065(not)X 1190(a)X 1249(ticket-granting)X 1744(ticket\))X 1972(with)X 2137(a)X 2196(different)X 2495(network)X 2780(address)X 3043(based)X 3248(on)X 3350(this)X 3487(ticket.)X 3727(This)X 3891(\257ag)X 555 4076(is)N 628(set)X 737(by)X 837(default.)X 755 4200(This)N 922(\257ag)X 1067(allows)X 1301(a)X 1362(client)X 1565(to)X 1652(pass)X 1815(a)X 1876(proxy)X 2088(to)X 2174(a)X 2234(server)X 2455(to)X 2541(perform)X 2824(a)X 2884(remote)X 3131(request)X 3387(on)X 3491(its)X 3590(behalf,)X 3835(e.g.)X 3975(a)X 555 4296(print)N 729(service)X 980(client)X 1181(can)X 1316(give)X 1477(the)X 1598(print)X 1772(server)X 1992(a)X 2051(proxy)X 2261(to)X 2346(access)X 2575(the)X 2696(client's)X 2955(\256les)X 3111(on)X 3214(a)X 3273(particular)X 3604(\256le)X 3729(server)X 3949(in)X 555 4392(order)N 745(to)X 827(satisfy)X 1056(a)X 1112(print)X 1283(request.)X 755 4516(In)N 855(order)X 1058(to)X 1152(complicate)X 1536(the)X 1666(use)X 1805(of)X 1904(stolen)X 2127(credentials,)X 2527(Kerberos)X 2854(tickets)X 3095(are)X 3226(usually)X 3489(valid)X 3681(from)X 3869(only)X 555 4612(those)N 754(network)X 
1047(addresses)X 1385(speci\256cally)X 1780(included)X 2086(in)X 2178(the)X 2306(ticket)X 8 s 2484 4587(1)N 10 s 4612(.)Y 2586(For)X 2727(this)X 2872(reason,)X 3132(a)X 3198(client)X 3406(wishing)X 3689(to)X 3781(grant)X 3975(a)X 555 4708(proxy)N 762(must)X 937(request)X 1189(a)X 1245(new)X 1399(ticket)X 1597(valid)X 1777(for)X 1891(the)X 2009(network)X 2292(address)X 2553(of)X 2640(the)X 2758(service)X 3006(to)X 3088(be)X 3184(granted)X 3445(the)X 3563(proxy.)X 755 4832(The)N 901(PROXY)X 1193(\257ag)X 1334(is)X 1408(set)X 1518(in)X 1601(a)X 1658(ticket)X 1857(by)X 1958(the)X 2077(TGS)X 2249(when)X 2444(it)X 2509(issues)X 2721(a)X 2778(proxy)X 2986(ticket.)X 3225(Application)X 3624(servers)X 3873(may)X 555 4928(check)N 764(this)X 900(\257ag)X 1041(and)X 1178(require)X 1427(additional)X 1768(authentication)X 2243(from)X 2420(the)X 2539(agent)X 2733(presenting)X 3087(the)X 3205(proxy)X 3412(in)X 3494(order)X 3684(to)X 3766(provide)X 555 5024(an)N 651(audit)X 831(trail.)X 3 f 12 s 555 5216(2.6.)N 747(Forwardable)X 1305(tickets)X 1 f 10 s 755 5340(Authentication)N 1253(forwarding)X 1632(is)X 1707(an)X 1805(instance)X 2090(of)X 2179(the)X 2299(proxy)X 2507(case)X 2667(where)X 2885(the)X 3004(service)X 3253(is)X 3327(granted)X 3589(complete)X 3904(use)X 555 5436(of)N 646(the)X 768(client's)X 1028(identity.)X 1336(An)X 1458(example)X 1754(where)X 1975(it)X 2043(might)X 2253(be)X 2353(used)X 2524(is)X 2601(when)X 2799(a)X 2859(user)X 3017(logs)X 3174(in)X 3260(to)X 3345(a)X 3404(remote)X 3650(system)X 3895(and)X 555 5532(wants)N 762(authentication)X 1236(to)X 1318(work)X 1503(from)X 1679(that)X 1819(system)X 2061(as)X 2148(if)X 2217(the)X 2335(login)X 2519(were)X 2696(local.)X 8 s 10 f 555 5612(hhhhhhhhhhhhhhhhhh)N 6 s 1 f 555 5687(1)N 8 s 611 5706(It)N 666(is)X 725(permissible)X 1036(to)X 1102(request)X 1302(or)X 1371(issue)X 1515(tickets)X 1698(with)X 1828(no)X 1908(network)X 2133(addresses)X 2393(speci\256ed,)X 2652(but)X 2750(we)X 2840(do)X 2920(not)X 3018(recommend)X 
3335(it.)X 10 s 555 6144(Section)N 815(2.6.)X 2216(-)X 2263(6)X 2323(-)X 7 p %%Page: 7 8 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 755 672(The)N 904(FORWARDABLE)X 1537(\257ag)X 1681(in)X 1767(a)X 1827(ticket)X 2028(is)X 2104(normally)X 2416(only)X 2581(interpreted)X 2952(by)X 3055(the)X 3176(ticket-granting)X 3671(service.)X 3962(It)X 555 768(can)N 693(be)X 795(ignored)X 1066(by)X 1172(application)X 1553(servers.)X 1846(The)X 1996(FORWARDABLE)X 2630(\257ag)X 2775(has)X 2907(an)X 3008(interpretation)X 3465(similar)X 3712(to)X 3799(that)X 3944(of)X 555 864(the)N 678(PROXIABLE)X 1152(\257ag,)X 1317(except)X 1552(ticket-granting)X 2049(tickets)X 2283(may)X 2446(also)X 2600(be)X 2701(issued)X 2926(with)X 3093(different)X 3395(network)X 3683(addresses.)X 555 960(This)N 730(\257ag)X 883(is)X 969(reset)X 1154(by)X 1267(default,)X 1543(but)X 1678(users)X 1876(may)X 2047(request)X 2312(that)X 2464(it)X 2540(be)X 2648(set)X 2769(when)X 2975(they)X 3145(request)X 3409(their)X 3588(initial)X 3806(ticket-)X 555 1056(granting)N 842(ticket,)X 1060(by)X 1160(setting)X 1393(the)X 1511(FORWARDABLE)X 2140(option)X 2364(in)X 2446(the)X 2564(AS)X 2686(request.)X 755 1180(This)N 923(\257ag)X 1069(allows)X 1304(for)X 1424(authentication)X 1903(forwarding)X 2285(without)X 2554(requiring)X 2873(the)X 2996(user)X 3155(to)X 3242(enter)X 3428(a)X 3489(password)X 3817(again.)X 555 1276(If)N 637(the)X 763(\257ag)X 911(is)X 992(not)X 1122(set,)X 1259(then)X 1425(authentication)X 1907(forwarding)X 2292(is)X 2373(not)X 2502(permitted,)X 2856(but)X 2985(the)X 3110(same)X 3302(end)X 3445(result)X 3650(can)X 3789(still)X 3935(be)X 555 1372(achieved)N 861(if)X 930(the)X 1048(user)X 1202(engages)X 1481(in)X 1563(the)X 1681(AS)X 1803(exchange)X 2127(with)X 2289(the)X 2407(requested)X 2735(network)X 3018(addresses.)X 755 1496(The)N 912(FORWARDED)X 1451(\257ag)X 1603(is)X 1688(set)X 1809(by)X 1920(the)X 2049(TGS)X 2231(when)X 2436(a)X 2503(client)X 2712(presents)X 3006(a)X 
3073(ticket)X 3282(with)X 3455(the)X 3584(FORWARD-)X 555 1592(ABLE)N 789(\257ag)X 934(set)X 1048(and)X 1188(requests)X 1475(it)X 1543(be)X 1643(set)X 1756(by)X 1860(specifying)X 2218(the)X 2340(FORWARDED)X 2871(KDC)X 3064(option)X 3292(and)X 3432(supplying)X 3771(a)X 3831(set)X 3944(of)X 555 1688(addresses)N 884(for)X 999(the)X 1118(new)X 1273(ticket.)X 1512(It)X 1582(is)X 1656(also)X 1806(set)X 1916(in)X 1999(all)X 2100(tickets)X 2330(issued)X 2551(based)X 2755(on)X 2855(tickets)X 3084(with)X 3246(the)X 3364(FORWARDED)X 3891(\257ag)X 555 1784(set.)N 710(Application)X 1114(servers)X 1368(may)X 1532(wish)X 1709(to)X 1797(process)X 2064(FORWARDED)X 2596(tickets)X 2830(differently)X 3194(than)X 3357(non-FORWARDED)X 555 1880(tickets.)N 3 f 12 s 555 2072(2.7.)N 747(Other)X 1017(KDC)X 1254(options)X 1 f 10 s 755 2196(There)N 963(are)X 1082(two)X 1222(additional)X 1562(options)X 1817(which)X 2033(may)X 2191(be)X 2287(set)X 2396(in)X 2478(a)X 2534(client's)X 2790(request)X 3042(of)X 3129(the)X 3247(KDC.)X 755 2320(The)N 902(RENEWABLE-OK)X 1561(option)X 1787(indicates)X 2094(that)X 2236(the)X 2356(client)X 2556(will)X 2702(accept)X 2930(a)X 2988(renewable)X 3341(ticket)X 3541(if)X 3612(a)X 3670(ticket)X 3869(with)X 555 2416(the)N 675(requested)X 1005(life)X 1134(cannot)X 1369(otherwise)X 1702(be)X 1799(provided.)X 2145(If)X 2220(a)X 2277(ticket)X 2476(with)X 2639(the)X 2758(requested)X 3087(life)X 3215(cannot)X 3450(be)X 3547(provided,)X 3873(then)X 555 2512(the)N 678(KDC)X 872(may)X 1034(issue)X 1218(a)X 1278(renewable)X 1633(ticket)X 1835(with)X 2001(a)X 3 f 2061(renew-till)X 1 f 2415(equal)X 2613(to)X 2699(the)X 2821(the)X 2943(requested)X 3275(endtime.)X 3597(The)X 3746(value)X 3944(of)X 555 2608(the)N 3 f 675(renew-till)X 1 f 1027(\256eld)X 1191(may)X 1351(still)X 1492(be)X 1590(adjusted)X 1879(by)X 1981(site-determined)X 2502(limits)X 2705(or)X 2794(limits)X 2997(imposed)X 3290(by)X 3391(the)X 3510(individual)X 3855(prin-)X 555 2704(cipal)N 731(or)X 818(server.)X 755 
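The flag rules of sections 2.1 to 2.4 and the RENEWABLE-OK option of section 2.7, worked through as an added example that is not code from this draft or from any Kerberos implementation: a toy KDC that issues, validates and renews tickets, beside the checks an application server can make on the flags it receives. Times are integer seconds; the shape of the hot-list and the life given to a renewed ticket are assumptions, marked in the code.

```python
"""Toy model of the ticket flags and KDC options of section 2 (added example,
not code from the Kerberos V5 draft or any Kerberos implementation)."""
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional
import os

# Flag names as used in section 2.
INITIAL, INVALID, RENEWABLE, POSTDATED = "INITIAL", "INVALID", "RENEWABLE", "POSTDATED"
MAY_POSTDATE, PROXIABLE, FORWARDABLE = "MAY-POSTDATE", "PROXIABLE", "FORWARDABLE"


@dataclass(frozen=True)
class Ticket:
    client: str
    flags: FrozenSet[str]
    authtime: int            # when the original authentication occurred
    starttime: int
    endtime: int
    renew_till: Optional[int]
    session_key: bytes


class KDC:
    """AS/TGS behaviour for INVALID, RENEWABLE, POSTDATED and RENEWABLE-OK."""

    def __init__(self, max_life: int, hot_list=()):
        self.max_life = max_life        # site-determined limit on one ticket life
        # Assumption: stolen tickets are reported as (client, authtime) pairs.
        self.hot_list = set(hot_list)

    def issue(self, now, client, endtime, options=frozenset(), postdate_to=None):
        """AS exchange. The ticket is INITIAL; PROXIABLE is set by default (2.5).
        With RENEWABLE-OK, a life the site will not grant outright becomes a
        renewable ticket whose renew-till is the requested endtime (2.7)."""
        flags = {INITIAL, PROXIABLE}
        flags |= {f for f in (RENEWABLE, FORWARDABLE) if f in options}
        if "ALLOW-POSTDATE" in options:
            flags.add(MAY_POSTDATE)
        # Assumption: a RENEWABLE request asks for renew-till == requested endtime.
        renew_till = endtime if RENEWABLE in flags else None
        starttime = now
        if postdate_to is not None:     # 2.4: dormant until validated by the KDC
            starttime = postdate_to
            flags |= {POSTDATED, INVALID}
        if endtime - starttime > self.max_life:
            if "RENEWABLE-OK" in options and RENEWABLE not in flags:
                flags.add(RENEWABLE)
                renew_till = endtime
            endtime = starttime + self.max_life
        return Ticket(client, frozenset(flags), now, starttime, endtime,
                      renew_till, os.urandom(8))

    def _stolen(self, t):
        return (t.client, t.authtime) in self.hot_list

    def validate(self, now, t):
        """TGS request with the VALIDATE option (2.2)."""
        if INVALID not in t.flags:
            raise ValueError("ticket is not INVALID")
        if now < t.starttime:
            raise ValueError("starttime has not passed")
        if self._stolen(t):
            raise ValueError("ticket reported stolen; it stays permanently invalid")
        return replace(t, flags=t.flags - {INVALID})

    def renew(self, now, t):
        """TGS request with the RENEW option (2.3): new session key and a later
        expiration time, every other field unchanged."""
        if RENEWABLE not in t.flags:
            raise ValueError("ticket is not RENEWABLE")
        if now > t.endtime:
            raise ValueError("not renewed by its expiration time")
        if self._stolen(t):
            raise ValueError("ticket reported stolen; renewal refused")
        # Assumption: the renewed instance gets the same life as before,
        # capped at renew-till, after which the ticket expires permanently.
        new_end = min(now + (t.endtime - t.starttime), t.renew_till)
        if new_end <= t.endtime:
            raise ValueError("renew-till reached; ticket expires permanently")
        return replace(t, endtime=new_end, session_key=os.urandom(8))


def server_accepts(now, t, require_initial=False, allow_renewable=True,
                   postdate_window=None):
    """Checks an application server may make on the flags (2.1 to 2.4).
    Returns (accepted, reason)."""
    if INVALID in t.flags:
        return False, "INVALID tickets must be rejected"
    if not t.starttime <= now <= t.endtime:
        return False, "outside the ticket's lifetime"
    if require_initial and INITIAL not in t.flags:
        return False, "INITIAL flag required (client's key must have been presented)"
    if not allow_renewable and RENEWABLE in t.flags:
        return False, "renewable tickets are disallowed here"
    if (POSTDATED in t.flags and postdate_window is not None
            and now - t.authtime > postdate_window):
        return False, "postdated ticket too long after the original authentication"
    return True, "ok"
```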
2828(The)N 904(ENC-TKT-IN-SKEY)X 1619(option)X 1847(is)X 1924(honored)X 2211(only)X 2377(by)X 2481(the)X 2603(ticket-granting)X 3099(service.)X 3390(It)X 3462(indicates)X 3770(that)X 3913(the)X 555 2924(to-be-issued)N 982(ticket)X 1195(for)X 1324(the)X 1457(end)X 1608(server)X 1840(is)X 1928(to)X 2025(be)X 2136(encrypted)X 2487(in)X 2583(the)X 2715(session)X 2980(key)X 3130(from)X 3320(the)X 3452(additional)X 3806(ticket-)X 555 3020(granting)N 842(ticket)X 1040(provided)X 1345(with)X 1507(the)X 1625(request.)X 1917(See)X 2053(section)X 2300(3.3.3)X 2480(for)X 2594(speci\256c)X 2859(details.)X 3 f 12 s 555 3212(3.)N 675(Message)X 1046(Exchanges)X 1 f 10 s 555 3336(The)N 713(following)X 1057(sections)X 1348(describe)X 1649(the)X 1780(interactions)X 2186(between)X 2486(network)X 2781(clients)X 3022(and)X 3170(servers)X 3430(and)X 3578(the)X 3708(messages)X 555 3432(involved)N 855(in)X 937(those)X 1126(exchanges.)X 3 f 12 s 555 3624(3.1.)N 747(The)X 931(Authentication)X 1568(Service)X 1892(Exchange)X 10 s 2113 3768(Summary)N 2 f 1374 3864(Message)N 1675(direction)X 2211(Message)X 2512(type)X 2942(Section)X 1 f 1374 3960(1.)N 1454(Client)X 1669(to)X 1751(Kerberos)X 2211(KRB_AS_REQ)X 2942(5.3.1)X 1374 4056(2.)N 1454(Kerberos)X 1769(to)X 1851(client)X 2211(KRB_AS_REP)X 2723(or)X 2942(5.3.2)X 2211 4152(KRB_ERROR)N 2942(5.7.1)X 755 4324(The)N 918(Authentication)X 1432(Service)X 1711(\(AS\))X 1905(Exchange)X 2260(between)X 2565(the)X 2700(client)X 2915(and)X 3068(the)X 3203(Kerberos)X 3535(Authentication)X 555 4420(Server)N 789(is)X 866(usually)X 1121(initiated)X 1407(by)X 1511(a)X 1571(client)X 1773(when)X 1971(it)X 2039(wishes)X 2281(to)X 2366(obtain)X 2589(authentication)X 3066(credentials)X 3437(for)X 3554(a)X 3613(given)X 3814(server)X 555 4516(but)N 689(currently)X 1011(holds)X 1216(no)X 1328(credentials.)X 1748(The)X 1905(client's)X 2173(secret)X 2393(key)X 2541(is)X 2626(used)X 2805(for)X 2931(encryption)X 3306(and)X 3454(decryption.)X 3869(This)X 555 4612(exchange)N 
888(is)X 970(typically)X 1279(used)X 1455(at)X 1542(the)X 1668(initiation)X 1984(of)X 2079(a)X 2143(login)X 2335(session,)X 2614(to)X 2704(obtain)X 2932(credentials)X 3308(for)X 3430(a)X 3494(Ticket-Granting)X 555 4708(Server,)N 821(which)X 1053(will)X 1213(subsequently)X 1667(be)X 1779(used)X 1962(obtain)X 2198(credentials)X 2582(for)X 2712(other)X 2913(servers)X 3177(\(see)X 3343(section)X 3605(3.3\))X 3767(without)X 555 4804(requiring)N 876(further)X 1122(use)X 1256(of)X 1350(the)X 1475(client's)X 1738(secret)X 1953(key.)X 2136(This)X 2305(exchange)X 2636(is)X 2716(also)X 2872(used)X 3046(to)X 3135(request)X 3394(credentials)X 3769(for)X 3890(ser-)X 555 4900(vices)N 752(which)X 980(must)X 1167(not)X 1301(be)X 1409(mediated)X 1735(through)X 2016(the)X 2146(Ticket-Granting)X 2695(Service,)X 2988(but)X 3122(rather)X 3342(require)X 3601(a)X 3668(principal's)X 555 4996(secret)N 763(key,)X 919(such)X 1086(as)X 1173(the)X 1291(password-changing)X 1935(service)X 8 s 2163 4971(1)N 10 s 4996(.)Y 755 5120(The)N 933(exchange)X 1290(consists)X 1596(of)X 1716(two)X 1889(messages:)X 2267(KRB_AS_REQ)X 2826(from)X 3034(the)X 3184(client)X 3414(to)X 3528(Kerberos,)X 3895(and)X 555 5216(KRB_AS_REP)N 1072(or)X 1164(KRB_ERROR)X 1659(in)X 1746(reply.)X 1976(The)X 2125(formats)X 2394(for)X 2512(these)X 2701(messages)X 3028(are)X 3151(described)X 3483(in)X 3569(sections)X 3851(5.3.2)X 555 5312(and)N 691(5.7.1.)X 8 s 10 f 555 5410(hhhhhhhhhhhhhhhhhh)N 6 s 1 f 555 5485(1)N 8 s 611 5504(The)N 739(password-changing)X 1264(request)X 1477(must)X 1630(not)X 1740(be)X 1828(honored)X 2065(unless)X 2253(the)X 2359(requester)X 2620(can)X 2736(provide)X 2959(the)X 3065(old)X 3175(password)X 3444(\(the)X 3571(user's)X 555 5584(current)N 755(secret)X 923(key\).)X 1088(Otherwise,)X 1386(it)X 1442(would)X 1622(be)X 1702(possible)X 1932(for)X 2026(someone)X 2273(to)X 2343(walk)X 2487(up)X 2571(to)X 2640(an)X 2719(unattended)X 3018(session)X 3222(and)X 3333(change)X 3532(another)X 555 5664(user's)N 
723(password.)X 10 s 555 6144(Section)N 815(3.1.)X 2216(-)X 2263(7)X 2323(-)X 8 p %%Page: 8 9 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 755 672(In)N 843(the)X 961(request,)X 1233(the)X 1351(client)X 1549(sends)X 1747(\(in)X 1856(cleartext\))X 2180(its)X 2275(own)X 2433(identity)X 2697(and)X 2833(the)X 2951(identity)X 3215(of)X 3302(the)X 3420(server)X 3637(for)X 3751(which)X 3967(it)X 555 768(is)N 638(requesting)X 1002(credentials.)X 1420(The)X 1574(response,)X 1904(KRB_AS_REP,)X 2445(contains)X 2741(a)X 2806(ticket)X 3013(for)X 3136(the)X 3263(client)X 3470(to)X 3561(present)X 3822(to)X 3913(the)X 555 864(server,)N 799(and)X 941(a)X 1003(session)X 1260(key)X 1402(that)X 1548(will)X 1698(be)X 1800(shared)X 2036(by)X 2142(the)X 2266(client)X 2470(and)X 2612(the)X 2736(server.)X 2999(The)X 3150(session)X 3407(key)X 3549(and)X 3691(additional)X 555 960(information)N 966(are)X 1098(encrypted)X 1448(in)X 1543(the)X 1673(client's)X 1941(secret)X 2161(key.)X 2349(The)X 2506(KRB_AS_REP)X 3030(message)X 3334(contains)X 3633(information)X 555 1056(which)N 772(can)X 905(be)X 1002(used)X 1170(to)X 1253(detect)X 1466(replays,)X 1739(and)X 1876(to)X 1959(associate)X 2270(it)X 2335(with)X 2498(the)X 2617(message)X 2910(to)X 2993(which)X 3210(it)X 3275(replies.)X 3549(Various)X 3823(errors)X 555 1152(can)N 688(occur;)X 910(these)X 1095(are)X 1214(indicated)X 1528(by)X 1628(an)X 1724(error)X 1901(response)X 2202(\(KRB_ERROR\))X 2746(instead)X 2993(of)X 3080(the)X 3198(KRB_AS_REP)X 3710(response.)X 555 1248(The)N 707(error)X 890(message)X 1188(is)X 1267(not)X 1395(encrypted.)X 1778(The)X 1929(KRB_ERROR)X 2425(message)X 2723(also)X 2878(contains)X 3171(information)X 3575(which)X 3797(can)X 3935(be)X 555 1344(used)N 724(to)X 808(associate)X 1120(it)X 1186(with)X 1350(the)X 1470(message)X 1764(to)X 1848(which)X 2066(it)X 2132(replies.)X 2408(The)X 2555(lack)X 2710(of)X 2798(encryption)X 3162(in)X 3245(the)X 3364(KRB_ERROR)X 3855(mes-)X 555 1440(sage)N 
718(precludes)X 1046(the)X 1164(ability)X 1388(to)X 1470(detect)X 1682(replays)X 1934(or)X 2021(fabrications)X 2420(of)X 2507(such)X 2674(messages.)X 755 1564(In)N 843(the)X 962(normal)X 1210(case)X 1370(the)X 1488(authentication)X 1962(server)X 2179(does)X 2346(not)X 2468(know)X 2666(whether)X 2945(the)X 3063(client)X 3261(is)X 3334(actually)X 3608(the)X 3726(principal)X 555 1660(named)N 793(in)X 879(the)X 1001(request.)X 1297(It)X 1370(simply)X 1611(sends)X 1813(a)X 1873(reply)X 2062(without)X 2330(knowing)X 2634(or)X 2725(caring)X 2950(whether)X 3233(they)X 3395(are)X 3518(the)X 3640(same.)X 3869(This)X 555 1756(is)N 633(acceptable)X 998(because)X 1278(nobody)X 1543(but)X 1669(the)X 1791(principal)X 2100(whose)X 2329(identity)X 2597(was)X 2746(given)X 2948(in)X 3034(the)X 3156(request)X 3412(will)X 3560(be)X 3660(able)X 3818(to)X 3904(use)X 555 1852(the)N 690(reply.)X 912(Its)X 1029(critical)X 1289(information)X 1704(is)X 1794(encrypted)X 2148(in)X 2247(that)X 2404(principal's)X 2784(key.)X 2977(The)X 3138(initial)X 3360(request)X 3628(supports)X 3935(an)X 555 1948(optional)N 840(\256eld)X 1005(that)X 1148(can)X 1283(be)X 1382(used)X 1552(to)X 1637(pass)X 1798(additional)X 2141(information)X 2542(that)X 2685(might)X 2894(be)X 2993(needed)X 3243(for)X 3359(the)X 3479(initial)X 3687(exchange.)X 555 2044(This)N 717(\256eld)X 879(may)X 1037(be)X 1133(used)X 1300(for)X 1414(pre-authentication)X 2018(if)X 2087(desired,)X 2359(but)X 2481(the)X 2599(mechanism)X 2984(is)X 3057(not)X 3179(currently)X 3489(speci\256ed.)X 3 f 555 2236(3.1.1.)N 775(Generation)X 1182(of)X 1269(KRB_AS_REQ)X 1817(message)X 1 f 755 2360(The)N 904(client)X 1106(may)X 1268(specify)X 1524(a)X 1584(number)X 1853(of)X 1944(options)X 2203(in)X 2289(the)X 2411(initial)X 2621(request.)X 2917(Among)X 3181(these)X 3370(options)X 3629(are)X 3752(whether)X 555 2456(the)N 678(requested)X 1010(ticket)X 1212(is)X 1289(to)X 1375(be)X 1475(renewable,)X 1850(proxiable,)X 2197(or)X 2288(forwardable;)X 
2723(whether)X 3006(it)X 3074(should)X 3311(be)X 3411(postdated)X 3742(or)X 3833(allow)X 555 2552(postdating)N 910(of)X 999(derivative)X 1342(tickets;)X 1594(and)X 1731(whether)X 2011(a)X 2068(renewable)X 2420(ticket)X 2619(will)X 2764(be)X 2861(accepted)X 3164(in)X 3247(lieu)X 3388(of)X 3476(a)X 3533(non-renewable)X 555 2648(ticket)N 777(if)X 870(the)X 1012(requested)X 1364(ticket)X 1586(expiration)X 1955(date)X 2133(cannot)X 2391(be)X 2511(satis\256ed)X 2817(by)X 2941(a)X 3021(non-renewable)X 3542(ticket)X 3763(\(due)X 3949(to)X 555 2744(con\256guration)N 1002(constraints;)X 1391(see)X 1514(section)X 1761(4\).)X 1888(See)X 2024(section)X 2271(10.1)X 2431(for)X 2545(pseudocode.)X 755 2868(The)N 900(client)X 1098(prepares)X 1391(the)X 1509(KRB_AS_REQ)X 2035(message)X 2327(and)X 2463(sends)X 2661(it)X 2725(to)X 2807(the)X 2925(KDC.)X 3 f 555 3060(3.1.2.)N 775(Receipt)X 1054(of)X 1141(KRB_AS_REQ)X 1689(message)X 1 f 755 3184(If)N 833(all)X 937(goes)X 1108(well,)X 1290(processing)X 1657(the)X 1779(KRB_AS_REQ)X 2309(message)X 2605(will)X 2753(result)X 2955(in)X 3041(the)X 3163(creation)X 3446(of)X 3536(a)X 3595(ticket)X 3796(for)X 3913(the)X 555 3280(client)N 758(to)X 845(present)X 1102(to)X 1189(the)X 1312(server.)X 1574(The)X 1724(format)X 1963(for)X 2082(the)X 2205(ticket)X 2408(is)X 2486(described)X 2819(in)X 2906(section)X 3158(5.2.1.)X 3382(The)X 3531(contents)X 3822(of)X 3913(the)X 555 3376(ticket)N 753(are)X 872(determined)X 1253(as)X 1340(follows.)X 3 f 555 3568(3.1.3.)N 775(Generation)X 1182(of)X 1269(KRB_AS_REP)X 1804(message)X 1 f 755 3692(The)N 901(authentication)X 1376(server)X 1594(looks)X 1788(up)X 1889(the)X 2007(client)X 2205(and)X 2341(server)X 2558(principals)X 2894(named)X 3128(in)X 3210(the)X 3328(KRB_AS_REQ)X 3854(in)X 3936(its)X 555 3788(database,)N 873(extracting)X 1215(their)X 1382(respective)X 1728(keys.)X 1935(If)X 2009(the)X 2127(server)X 2344(cannot)X 2578(accommodate)X 3044(the)X 3162(requested)X 3490(encryption)X 3853(type,)X 555 
3884(an)N 654(error)X 834(message)X 1129(with)X 1294(code)X 1469(KDC_ERR_ETYPE_NOSUPP)X 2491(is)X 2567(returned.)X 2898(Otherwise)X 3250(it)X 3316(generates)X 3642(a)X 3700("random")X 555 3980(session)N 806(key)X 8 s 922 3955(1)N 10 s 3980(.)Y 755 4104(If)N 834(the)X 957(requested)X 1290(start)X 1452(time)X 1618(is)X 1695(absent)X 1924(or)X 2015(indicates)X 2324(a)X 2384(time)X 2550(in)X 2636(the)X 2758(past,)X 2931(then)X 3093(the)X 3215(start)X 3377(time)X 3543(of)X 3634(the)X 3756(ticket)X 3958(is)X 555 4200(set)N 674(to)X 766(the)X 894(authentication)X 1378(server's)X 1663(current)X 1921(time.)X 2113(If)X 2197(it)X 2271(indicates)X 2586(a)X 2652(time)X 2824(in)X 2916(the)X 3044(future,)X 3286(but)X 3417(the)X 3544(POSTDATED)X 555 4296(option)N 788(has)X 924(not)X 1055(been)X 1236(speci\256ed,)X 1570(then)X 1737(the)X 1864(error)X 2049(KDC_ERR_CANNOT_POSTDATE)X 3264(is)X 3345(returned.)X 3681(Otherwise)X 555 4392(the)N 678(requested)X 1011(start)X 1174(time)X 1341(is)X 1419(checked)X 1708(against)X 1959(the)X 2081(policy)X 2305(of)X 2396(the)X 2518(local)X 2698(realm)X 2905(\(the)X 3054(administrator)X 3505(might)X 3715(decide)X 3949(to)X 555 4488(prohibit)N 841(certain)X 1093(types)X 1295(or)X 1395(ranges)X 1638(of)X 1738(postdated)X 2078(tickets\),)X 2367(and)X 2516(if)X 2598(acceptable,)X 2991(the)X 3122(ticket's)X 3391(start)X 3562(time)X 3737(is)X 3823(set)X 3944(as)X 555 4584(requested)N 884(and)X 1041(the)X 1160(INVALID)X 1516(\257ag)X 1657(is)X 1731(set)X 1841(in)X 1924(the)X 2043(new)X 2198(ticket.)X 2417(The)X 2563(postdated)X 2891(ticket)X 3090(must)X 3266(be)X 3363(validated)X 3678(before)X 3904(use)X 555 4680(by)N 655(presenting)X 1009(it)X 1073(to)X 1155(the)X 1273(KDC)X 1462(after)X 1630(the)X 1748(start)X 1906(time)X 2068(has)X 2195(been)X 2367(reached.)X 8 s 10 f 555 5330(hhhhhhhhhhhhhhhhhh)N 6 s 1 f 555 5405(1)N 8 s 611 5424("Random")N 899(means)X 1081(that,)X 1212(among)X 1405(other)X 1554(things,)X 1745(it)X 1799(should)X 1988(be)X 
2066(impossible)X 2362(to)X 2430(guess)X 2590(the)X 2686(next)X 2814(session)X 3017(key)X 3127(based)X 3290(on)X 3372(knowledge)X 3670(of)X 555 5504(past)N 678(session)X 883(keys.)X 1052(This)X 1186(can)X 1294(only)X 1428(be)X 1508(achieved)X 1753(in)X 1822(a)X 1869(pseudo-random)X 2285(number)X 2499(generator)X 2758(if)X 2816(it)X 2871(is)X 2933(based)X 3097(on)X 3180(cryptographic)X 3553(princi-)X 555 5584(ples.)N 710(It)X 769(would)X 949(be)X 1029(more)X 1180(desirable)X 1430(to)X 1500(use)X 1605(a)X 1653(truly)X 1794(random)X 2009(number)X 2224(generator,)X 2500(such)X 2637(as)X 2710(one)X 2822(based)X 2987(on)X 3071(measurements)X 3456(of)X 3528(random)X 555 5664(physical)N 784(phenomena.)X 10 s 555 6144(Section)N 815(3.1.3.)X 2216(-)X 2263(8)X 2323(-)X 9 p %%Page: 9 10 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 555 672(The)N 700(expiration)X 1045(time)X 1207(of)X 1294(the)X 1412(ticket)X 1610(will)X 1754(be)X 1850(set)X 1959(to)X 2041(the)X 2159(minimum)X 2489(of)X 2576(the)X 2694(following:)X 10 f 555 796(g)N 1 f 595(The)X 740(expiration)X 1085(time)X 1247(\(endtime\))X 1579(requested)X 1907(in)X 1989(the)X 2107(KRB_AS_REQ)X 2633(message.)X 10 f 555 920(g)N 1 f 595(The)X 747(ticket's)X 1010(start)X 1175(time)X 1344(plus)X 1504(the)X 1629(maximum)X 1980(allowable)X 2319(lifetime)X 2594(associated)X 2950(with)X 3118(the)X 3242(client)X 3446(principal)X 3757(\(the)X 3908(au-)X 595 1016(thentication)N 995(server's)X 1272(database)X 1570(includes)X 1858(a)X 1915(maximum)X 2260(ticket)X 2459(lifetime)X 2729(\256eld)X 2892(in)X 2975(each)X 3144(principal's)X 3508(record;)X 3757(see)X 3881(sec-)X 595 1112(tion)N 739(4\).)X 10 f 555 1236(g)N 1 f 595(The)X 740(ticket's)X 996(start)X 1154(time)X 1316(plus)X 1469(the)X 1587(maximum)X 1931(allowable)X 2263(lifetime)X 2532(associated)X 2882(with)X 3044(the)X 3162(server)X 3379(principal.)X 10 f 555 1360(g)N 1 f 595(The)X 740(ticket's)X 996(start)X 1154(time)X 1316(plus)X 1469(the)X 
1587(maximum)X 1931(lifetime)X 2200(set)X 2309(by)X 2409(the)X 2527(policy)X 2747(of)X 2834(the)X 2952(local)X 3128(realm.)X 755 1484(If)N 847(the)X 983(requested)X 1329(expiration)X 1692(time)X 1872(minus)X 2104(the)X 2239(start)X 2414(time)X 2593(\(as)X 2724(determined)X 3122(above\))X 3378(is)X 3468(less)X 3625(than)X 3800(a)X 3873(site-)X 555 1580(determined)N 937(minimum)X 1268(lifetime,)X 1558(an)X 1654(error)X 1831(message)X 2123(with)X 2285(code)X 2457(KDC_ERR_NEVER_VALID)X 3438(is)X 3511(returned.)X 3839(If)X 3913(the)X 555 1676(requested)N 926(expiration)X 1314(time)X 1519(for)X 1676(the)X 1836(ticket)X 2076(exceeds)X 2393(what)X 2611(was)X 2798(determined)X 3221(as)X 3350(above,)X 3624(and)X 3802(if)X 3913(the)X 555 1772("RENEWABLE-OK")N 1281(option)X 1508(was)X 1655(requested,)X 2005(then)X 2165(the)X 2285("RENEWABLE")X 2867(\257ag)X 3009(is)X 3084(set)X 3195(in)X 3279(the)X 3399(new)X 3555(ticket,)X 3775(and)X 3913(the)X 3 f 555 1868(renew-till)N 1 f 915(value)X 1119(is)X 1202(set)X 1321(as)X 1418(if)X 1497(the)X 1625("RENEWABLE")X 2215(option)X 2449(were)X 2636(requested)X 2974(\(the)X 3129(\256eld)X 3300(and)X 3445(option)X 3678(names)X 3912(are)X 555 1964(described)N 883(fully)X 1054(in)X 1136(section)X 1383(5.3.1\).)X 555 2088(If)N 640(the)X 769(RENEWABLE)X 1294(option)X 1529(has)X 1666(been)X 1848(requested)X 2186(or)X 2283(if)X 2362(the)X 2490(RENEWABLE-OK)X 3157(option)X 3391(has)X 3528(been)X 3710(set)X 3829(and)X 3975(a)X 555 2184(renewable)N 906(ticket)X 1104(is)X 1177(to)X 1259(be)X 1355(issued,)X 1595(then)X 1753(the)X 3 f 1871(renew-till)X 1 f 2221(\256eld)X 2383(is)X 2456(set)X 2565(to)X 2647(the)X 2765(minimum)X 3095(of:)X 10 f 555 2308(g)N 1 f 595(Its)X 695(requested)X 1023(value.)X 10 f 555 2432(g)N 1 f 595(The)X 748(start)X 914(time)X 1084(of)X 1178(the)X 1303(ticket)X 1508(plus)X 1668(the)X 1793(minimum)X 2130(of)X 2224(the)X 2349(two)X 2496(maximum)X 2847(renewable)X 3205(lifetimes)X 3512(associated)X 3869(with)X 595 2528(the)N 
713(principals')X 1076(database)X 1373(entries.)X 10 f 555 2652(g)N 1 f 595(The)X 740(start)X 898(time)X 1060(of)X 1147(the)X 1265(ticket)X 1463(plus)X 1616(the)X 1734(maximum)X 2078(renewable)X 2429(lifetime)X 2698(set)X 2807(by)X 2907(the)X 3025(policy)X 3245(of)X 3332(the)X 3450(local)X 3626(realm.)X 755 2776(The)N 901(\257ags)X 1073(\256eld)X 1236(of)X 1324(the)X 1443(new)X 1598(ticket)X 1797(will)X 1942(have)X 2114(the)X 2232(following)X 2563(options)X 2818(set)X 2927(if)X 2996(they)X 3154(have)X 3326(been)X 3498(requested)X 3826(and)X 3962(if)X 555 2872(the)N 693(policy)X 933(of)X 1040(the)X 1178(local)X 1374(realm)X 1597(allows:)X 1868(FORWARDABLE,)X 2536(MAY-POSTDATE,)X 3218(POSTDATED,)X 3744(PROXI-)X 555 2968(ABLE,)N 805(RENEWABLE.)X 1340(If)X 1415(the)X 1534(new)X 1689(ticket)X 1888(is)X 1962(postdated)X 2290(\(the)X 2436(start)X 2595(time)X 2758(is)X 2832(in)X 2915(the)X 3034(future\),)X 3294(its)X 3390(INVALID)X 3746(\257ag)X 3887(will)X 555 3064(also)N 704(be)X 800(set.)X 755 3188(If)N 831(all)X 933(of)X 1022(the)X 1142(above)X 1356(succeed,)X 1653(the)X 1773(server)X 1992(formats)X 2259(a)X 2317(KRB_AS_REP)X 2831(message)X 3125(\(see)X 3277(section)X 3525(5.3.2\),)X 3753(copying)X 555 3284(the)N 674(addresses)X 1003(in)X 1086(the)X 1205(request)X 1458(into)X 1603(the)X 1722(caddr)X 1922(of)X 2010(the)X 2128(response,)X 2449(placing)X 2705(any)X 2841(required)X 3129(pre-authentication)X 3733(data)X 3887(into)X 555 3380(the)N 676(pa-data)X 936(of)X 1026(the)X 1147(response,)X 1471(and)X 1610(encrypts)X 1905(the)X 2026(ciphertext)X 2370(part)X 2518(in)X 2603(the)X 2724(client's)X 2982(key)X 3120(using)X 3315(the)X 3435(requested)X 3765(encryp-)X 555 3476(tion)N 699(method,)X 979(and)X 1115(sends)X 1313(it)X 1377(to)X 1459(the)X 1577(client.)X 1815(See)X 1951(section)X 2198(10.2)X 2358(for)X 2472(pseudocode.)X 3 f 555 3668(3.1.4.)N 775(Generation)X 1182(of)X 1269(KRB_ERROR)X 1791(message)X 1 f 755 3792(Several)N 1030(errors)X 1252(can)X 1398(occur,)X 
1630(and)X 1779(the)X 1910(Authentication)X 2419(Server)X 2662(responds)X 2980(by)X 3093(returning)X 3420(an)X 3529(error)X 3719(message,)X 555 3888(KRB_ERROR,)N 1077(to)X 1171(the)X 1301(client,)X 1531(with)X 1705(the)X 3 f 1835(error-code)X 1 f 2234(and)X 3 f 2382(e-text)X 1 f 2607(\256elds)X 2812(set)X 2932(to)X 3025(appropriate)X 3422(values.)X 3698(The)X 3854(error)X 555 3984(message)N 847(contents)X 1134(and)X 1270(details)X 1499(are)X 1618(described)X 1946(in)X 2028(Section)X 2288(5.7.1.)X 3 f 555 4176(3.1.5.)N 775(Receipt)X 1054(of)X 1141(KRB_AS_REP)X 1676(message)X 1 f 755 4300(If)N 831(the)X 951(reply)X 1138(message)X 1432(type)X 1592(is)X 1667(KRB_AS_REP,)X 2201(then)X 2361(the)X 2481(client)X 2681(veri\256es)X 2939(that)X 3080(the)X 3 f 3199(cname)X 1 f 3443(and)X 3 f 3580(crealm)X 1 f 3838(\256elds)X 555 4396(in)N 640(the)X 761(cleartext)X 1061(portion)X 1315(of)X 1405(the)X 1526(reply)X 1714(match)X 1933(what)X 2112(it)X 2179(requested.)X 2550(If)X 2627(any)X 3 f 2766(padata)X 1 f 3024(\256elds)X 3220(are)X 3341(present,)X 3615(they)X 3775(may)X 3935(be)X 555 4492(used)N 727(to)X 814(derive)X 1040(the)X 1163(proper)X 1398(secret)X 1611(key)X 1752(to)X 1839(decrypt)X 2105(the)X 2227(message.)X 2563(The)X 2712(client)X 2914(decrypts)X 3210(the)X 3332(encrypted)X 3673(part)X 3822(of)X 3913(the)X 555 4588(response)N 860(using)X 1057(its)X 1156(secret)X 1367(key,)X 1526(veri\256es)X 1785(that)X 1928(the)X 3 f 2049(nonce)X 1 f 2272(in)X 2357(the)X 2478(encrypted)X 2818(part)X 2966(matches)X 3252(the)X 3373(nonce)X 3588(it)X 3655(supplied)X 3949(in)X 555 4684(its)N 652(request)X 906(\(to)X 1017(detect)X 1231(replays\).)X 1552(It)X 1623(also)X 1773(veri\256es)X 2030(that)X 2171(the)X 3 f 2290(sname)X 1 f 2529(and)X 3 f 2666(srealm)X 1 f 2919(in)X 3002(the)X 3121(response)X 3423(match)X 3640(those)X 3830(in)X 3913(the)X 555 4780(request,)N 828(and)X 965(that)X 1106(the)X 1225(host)X 1379(address)X 1641(\256eld)X 1804(is)X 1878(also)X 2028(correct.)X 2312(It)X 
2381(then)X 2539(stores)X 2746(the)X 2864(ticket,)X 3082(session)X 3333(key,)X 3489(start)X 3647(and)X 3783(expira-)X 555 4876(tion)N 709(times,)X 932(and)X 1078(other)X 1273(information)X 1681(for)X 1805(later)X 1977(use.)X 2153(The)X 3 f 2307(key-expiration)X 1 f 2834(\256eld)X 3005(from)X 3190(the)X 3317(encrypted)X 3663(part)X 3817(of)X 3913(the)X 555 4972(response)N 866(may)X 1034(be)X 1140(checked)X 1434(to)X 1526(notify)X 1747(the)X 1875(user)X 2038(of)X 2134(impending)X 2505(key)X 2650(expiration)X 3004(\(the)X 3158(client)X 3365(program)X 3666(could)X 3873(then)X 555 5068(suggest)N 815(remedial)X 1116(action,)X 1352(such)X 1519(as)X 1606(a)X 1662(password)X 1985(change\).)X 755 5192(Proper)N 996(decryption)X 1366(of)X 1460(the)X 1585(KRB_AS_REP)X 2104(message)X 2403(is)X 2 f 2483(not)X 1 f 2612(suf\256cient)X 2937(to)X 3026(verify)X 3244(the)X 3368(identity)X 3638(of)X 3731(the)X 3855(user;)X 555 5288(the)N 687(user)X 855(and)X 1005(an)X 1115(attacker)X 1404(could)X 1616(cooperate)X 1963(to)X 2058(generate)X 2364(a)X 2433(KRB_AS_REP)X 2958(format)X 3205(message)X 3510(which)X 3739(decrypts)X 555 5384(properly)N 859(but)X 993(is)X 1078(not)X 1212(from)X 1400(the)X 1530(proper)X 1772(KDC.)X 2013(If)X 2099(the)X 2229(host)X 2394(wishes)X 2644(to)X 2738(verify)X 2962(the)X 3092(identity)X 3368(of)X 3467(the)X 3596(user,)X 3781(it)X 3856(must)X 555 5480(require)N 806(the)X 927(user)X 1084(to)X 1169(present)X 1424(application)X 1803(credentials)X 2174(which)X 2393(can)X 2528(be)X 2627(veri\256ed)X 2895(using)X 3091(a)X 3150(securely-stored)X 3664(secret)X 3875(key.)X 555 5576(If)N 632(those)X 824(credentials)X 1195(can)X 1330(be)X 1429(veri\256ed,)X 1717(then)X 1878(the)X 1999(identity)X 2266(of)X 2356(the)X 2477(user)X 2634(can)X 2769(be)X 2868(assured.)X 3172(See)X 3310(section)X 3559(10.3)X 3721(for)X 3837(pseu-)X 555 5672(docode.)N 555 6144(Section)N 815(3.1.5.)X 2216(-)X 2263(9)X 2323(-)X 10 p %%Page: 10 11 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 
416(DRAFT)N 2411(4)X 555 672(3.1.6.)N 775(Receipt)X 1054(of)X 1141(KRB_ERROR)X 1663(message)X 1 f 755 796(If)N 842(the)X 973(reply)X 1171(message)X 1476(type)X 1647(is)X 1733(KRB_ERROR,)X 2256(then)X 2426(the)X 2556(client)X 2766(interprets)X 3101(it)X 3177(as)X 3276(an)X 3384(error)X 3573(and)X 3721(performs)X 555 892(whatever)N 870(application-speci\256c)X 1518(tasks)X 1698(are)X 1817(necessary)X 2150(to)X 2232(recover.)X 3 f 12 s 555 1084(3.2.)N 747(The)X 931(Client/Server)X 1506(Authentication)X 2143(Exchange)X 10 s 2114 1228(Summary)N 2 f 1090 1324(Message)N 1391(direction)X 2491(Message)X 2792(type)X 3227(Section)X 1 f 1090 1420(Client)N 1305(to)X 1387(Application)X 1785(server)X 2491(KRB_AP_REQ)X 3227(5.4.1)X 1090 1516([optional])N 1426(Application)X 1824(server)X 2041(to)X 2123(client)X 2491(KRB_AP_REP)X 3003(or)X 3227(5.4.2)X 2491 1612(KRB_ERROR)N 3227(5.7.1)X 755 1784(The)N 909(client/server)X 1335(authentication)X 1818(\(CS\))X 1998(exchange)X 2331(is)X 2413(used)X 2589(by)X 2698(network)X 2990(applications)X 3406(to)X 3497(authenticate)X 3913(the)X 555 1880(client)N 759(to)X 847(the)X 970(server)X 1192(and)X 1333(vice)X 1492(versa.)X 1727(The)X 1877(client)X 2080(must)X 2260(have)X 2437(already)X 2699(acquired)X 3001(credentials)X 3374(for)X 3493(the)X 3616(server)X 3838(using)X 555 1976(the)N 673(AS)X 795(or)X 882(TGS)X 1053(exchange.)X 3 f 555 2168(3.2.1.)N 775(The)X 928(KRB_AP_REQ)X 1481(message)X 1 f 755 2292(The)N 903(KRB_AP_REQ)X 1432(contains)X 1722(authentication)X 2199(information)X 2600(which)X 2819(should)X 3055(be)X 3153(part)X 3300(of)X 3389(the)X 3509(\256rst)X 3655(message)X 3949(in)X 555 2388(an)N 654(authenticated)X 1105(transaction.)X 1520(It)X 1592(contains)X 1882(a)X 1941(ticket,)X 2162(an)X 2260(authenticator,)X 2721(and)X 2859(some)X 3050(additional)X 3392(bookkeeping)X 3828(infor-)X 555 2484(mation)N 803(\(see)X 959(section)X 1212(5.4.1)X 1398(for)X 1518(the)X 1642(exact)X 1838(format\).)X 2145(The)X 2296(ticket)X 2499(by)X 
2604(itself)X 2789(is)X 2867(insuf\256cient)X 3252(to)X 3339(authenticate)X 3752(a)X 3813(client,)X 555 2580(since)N 752(tickets)X 993(are)X 1124(passed)X 1370(across)X 1603(the)X 1733(network)X 2028(in)X 2121(cleartext)X 8 s 2398 2555(1)N 10 s 2580(,)Y 2481(so)X 2583(the)X 2712(authenticator)X 3162(is)X 3246(used)X 3424(to)X 3517(prevent)X 3789(invalid)X 555 2676(replay)N 778(of)X 867(tickets)X 1098(by)X 1200(proving)X 1471(to)X 1555(the)X 1675(server)X 1894(that)X 2036(the)X 2156(client)X 2355(knows)X 2585(the)X 2704(session)X 2956(key)X 3093(of)X 3181(the)X 3300(ticket)X 3499(and)X 3636(thus)X 3790(is)X 3864(enti-)X 555 2772(tled)N 695(to)X 777(use)X 904(it.)X 1008(The)X 1153(KRB_AP_REQ)X 1679(message)X 1971(is)X 2044(referred)X 2320(to)X 2402(elsewhere)X 2744(as)X 2831(the)X 2949("authentication)X 3456(header.")X 3 f 555 2964(3.2.2.)N 775(Generation)X 1182(of)X 1269(a)X 1329(KRB_AP_REQ)X 1882(message)X 1 f 755 3088(When)N 978(a)X 1045(client)X 1254(wishes)X 1503(to)X 1596(initiate)X 1849(authentication)X 2334(to)X 2427(a)X 2494(server,)X 2742(it)X 2817(obtains)X 3078(\(either)X 3318(through)X 3597(a)X 3663(credentials)X 555 3184(cache,)N 782(the)X 903(AS)X 1028(exchange,)X 1375(or)X 1465(the)X 1586(TGS)X 1760(exchange\))X 2114(a)X 2173(ticket)X 2374(and)X 2513(session)X 2767(key)X 2906(for)X 3022(the)X 3142(desired)X 3396(service.)X 3686(The)X 3833(client)X 555 3280(may)N 718(re-use)X 940(any)X 1081(tickets)X 1315(it)X 1384(holds)X 1582(until)X 1753(they)X 1916(expire.)X 2182(The)X 2332(client)X 2535(then)X 2698(constructs)X 3048(a)X 3109(new)X 3268(Authenticator)X 3733(from)X 3913(the)X 555 3376(the)N 679(system)X 927(time,)X 1115(its)X 1216(name,)X 1436(and)X 1578(optionally)X 1928(an)X 2030(application)X 2411(speci\256c)X 2681(checksum,)X 3047(an)X 3148(initial)X 3359(sequence)X 3679(number)X 3949(to)X 555 3472(be)N 657(used)X 830(in)X 918(KRB_SAFE)X 1343(or)X 1435(KRB_PRIV)X 1846(messages,)X 2194(and/or)X 2424(a)X 2485(session)X 2741(subkey)X 2993(to)X 
3080(be)X 3181(used)X 3353(in)X 3440(negotiations)X 3856(for)X 3975(a)X 555 3568(session)N 817(key)X 964(unique)X 1213(to)X 1306(this)X 1452(particular)X 1791(session.)X 2093(Authenticators)X 2596(may)X 2765(not)X 2898(be)X 3004(re-used)X 3271(and)X 3417(will)X 3571(be)X 3677(rejected)X 3962(if)X 555 3664(replayed)N 858(to)X 946(a)X 1008(server)X 8 s 1205 3639(2)N 10 s 3664(.)Y 1303(If)X 1383(a)X 1445(sequence)X 1766(number)X 2037(is)X 2116(to)X 2204(be)X 2306(included,)X 2628(it)X 2698(should)X 2937(be)X 3038(randomly)X 3370(chosen)X 3618(so)X 3714(that)X 3859(even)X 555 3760(after)N 723(many)X 921(messages)X 1244(have)X 1416(been)X 1588(exchanged)X 1952(it)X 2016(is)X 2089(not)X 2211(likely)X 2413(to)X 2495(collide)X 2733(with)X 2895(other)X 3080(sequence)X 3395(numbers)X 3691(in)X 3773(use.)X 755 3884(The)N 911(client)X 1120(may)X 1289(indicate)X 1574(a)X 1641(requirement)X 2060(of)X 2158(mutual)X 2411(authentication)X 2896(or)X 2994(the)X 3123(use)X 3261(of)X 3358(a)X 3424(session-key)X 3828(based)X 555 3980(ticket)N 753(by)X 853(setting)X 1086(the)X 1204(appropriate)X 1590(\257ag\(s\))X 1815(in)X 1897(the)X 2015(ap-options)X 2373(\256eld)X 2535(of)X 2622(the)X 2740(message.)X 755 4104(The)N 924(Authenticator)X 1409(is)X 1505(encrypted)X 1865(in)X 1970(the)X 2111(session)X 2385(key)X 2544(and)X 2703(combined)X 3062(with)X 3247(the)X 3388(ticket)X 3609(to)X 3714(form)X 3913(the)X 555 4200(KRB_AP_REQ)N 1083(message)X 1377(which)X 1595(is)X 1670(then)X 1830(sent)X 1981(to)X 2065(the)X 2185(end)X 2323(server)X 2542(along)X 2742(with)X 2905(any)X 3042(additional)X 3383(application-speci\256c)X 555 4296(information.)N 993(See)X 1129(section)X 1376(10.9)X 1536(for)X 1650(pseudocode.)X 3 f 555 4488(3.2.3.)N 775(Receipt)X 1054(of)X 1141(KRB_AP_REQ)X 1694(message)X 1 f 755 4612(Authentication)N 1259(is)X 1340(based)X 1551(on)X 1659(the)X 1785(server's)X 2068(current)X 2324(time)X 2494(of)X 2589(day)X 2733(\(clocks)X 2993(must)X 3175(be)X 3278(loosely)X 
3536(synchronized\),)X 555 4708(the)N 680(authenticator,)X 1146(and)X 1288(the)X 1412(ticket.)X 1656(Several)X 1923(errors)X 2137(are)X 2262(possible.)X 2590(If)X 2670(an)X 2772(error)X 2955(occurs,)X 3211(the)X 3335(server)X 3558(is)X 3637(expected)X 3949(to)X 555 4804(reply)N 749(to)X 840(the)X 967(client)X 1174(with)X 1345(a)X 1410(KRB_ERROR)X 1909(message.)X 2250(This)X 2421(message)X 2722(may)X 2889(be)X 2994(encapsulated)X 3438(in)X 3529(the)X 3655(application)X 555 4900(protocol)N 849(if)X 925(its)X 1027("raw")X 1240(form)X 1422(is)X 1501(not)X 1629(acceptable)X 1995(to)X 2083(the)X 2207(protocol.)X 2540(The)X 2691(format)X 2931(of)X 3024(error)X 3207(messages)X 3536(is)X 3615(described)X 3949(in)X 555 4996(section)N 802(5.7.1.)X 755 5120(The)N 915(algorithm)X 1261(for)X 1390(verifying)X 1719(authentication)X 2208(information)X 2621(is)X 2709(as)X 2810(follows.)X 3124(If)X 3212(the)X 3344(message)X 3650(type)X 3822(is)X 3909(not)X 555 5216(KRB_AP_REQ,)N 1105(the)X 1227(server)X 1448(returns)X 1695(the)X 1817(KRB_AP_ERR_MSG_TYPE)X 2795(error.)X 3016(If)X 3094(the)X 3216(key)X 3355(version)X 3614(indicated)X 3931(by)X 555 5312(the)N 678(Ticket)X 908(in)X 995(the)X 1118(KRB_AP_REQ)X 1649(is)X 1726(not)X 1852(one)X 1992(the)X 2114(server)X 2335(can)X 2471(use)X 2602(\(e.g.,)X 2789(it)X 2857(indicates)X 3166(an)X 3266(old)X 3392(key,)X 3552(and)X 3692(the)X 3814(server)X 8 s 10 f 555 5392(hhhhhhhhhhhhhhhhhh)N 6 s 1 f 555 5467(1)N 8 s 611 5486(Tickets)N 816(contain)X 1021(both)X 1152(an)X 1229(encrypted)X 1497(and)X 1606(unencrypted)X 1938(portion,)X 2155(so)X 2228(cleartext)X 2463(here)X 2588(refers)X 2748(to)X 2814(the)X 2908(entire)X 3069(unit,)X 3201(which)X 3373(can)X 3477(be)X 3553(copied)X 555 5566(from)N 695(one)X 803(message)X 1035(and)X 1143(replayed)X 1378(in)X 1444(another)X 1651(without)X 1863(any)X 1971(cryptographic)X 2341(skill.)X 6 s 555 5641(2)N 8 s 611 5660(Note)N 761(that)X 883(this)X 1002(can)X 1116(make)X 1280(applications)X 1615(based)X 
1786(on)X 1876(unreliable)X 2157(transports)X 2435(dif\256cult)X 2664(to)X 2740(code)X 2886(correctly,)X 3154(if)X 3218(the)X 3321(transport)X 3573(might)X 555 5740(deliver)N 748(duplicated)X 1030(messages.)X 1319(In)X 1388(such)X 1521(cases,)X 1687(XXX.)X 10 s 555 6144(Section)N 815(3.2.3.)X 2196(-)X 2243(10)X 2343(-)X 11 p %%Page: 11 12 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 555 672(no)N 665(longer)X 900(possesses)X 1237(a)X 1303(copy)X 1488(of)X 1584(the)X 1711(old)X 1842(key\),)X 2034(the)X 2161(KRB_AP_ERR_BADKEYVER)X 3225(error)X 3411(is)X 3493(returned.)X 3830(If)X 3913(the)X 555 768(USE-SESSION-KEY)N 1271(\257ag)X 1413(is)X 1488(set)X 1599(in)X 1683(the)X 3 f 1803(ap-options)X 1 f 2184(\256eld,)X 2368(it)X 2434(indicates)X 2741(to)X 2824(the)X 2943(server)X 3161(that)X 3302(the)X 3421(ticket)X 3620(is)X 3694(encrypted)X 555 864(in)N 639(the)X 759(session)X 1012(key)X 1150(from)X 1327(the)X 1446(server's)X 1722(ticket-granting)X 2215(ticket)X 2414(rather)X 2623(than)X 2782(its)X 2878(secret)X 3087(key)X 8 s 3203 839(1)N 10 s 864(.)Y 3296(Since)X 3495(it)X 3560(is)X 3634(possible)X 3917(for)X 555 960(the)N 683(server)X 910(to)X 1002(be)X 1108(registered)X 1455(in)X 1547(multiple)X 1843(realms,)X 2107(with)X 2279(different)X 2586(keys)X 2763(in)X 2854(each,)X 3051(the)X 3 f 3178(srealm)X 1 f 3439(\256eld)X 3610(in)X 3701(the)X 3828(unen-)X 555 1056(crypted)N 817(portion)X 1069(of)X 1157(the)X 1276(ticket)X 1475(in)X 1558(the)X 1676(KRB_AP_REQ)X 2202(is)X 2275(used)X 2442(to)X 2524(specify)X 2776(which)X 2992(secret)X 3200(key)X 3336(the)X 3454(server)X 3671(should)X 3904(use)X 555 1152(to)N 645(decrypt)X 914(that)X 1062(ticket.)X 1307(The)X 1459(KRB_AP_ERR_NOKEY)X 2308(error)X 2492(code)X 2671(is)X 2751(returned)X 3046(if)X 3122(the)X 3247(server)X 3471(doesn't)X 3734(have)X 3913(the)X 555 1248(proper)N 785(key)X 921(to)X 1003(decipher)X 1300(the)X 1418(ticket.)X 755 1372(The)N 902(ticket)X 1102(is)X 1177(decrypted)X 
1516(using)X 1711(the)X 1831(version)X 2089(of)X 2177(the)X 2296(server's)X 2572(key)X 2709(speci\256ed)X 3015(by)X 3116(the)X 3235(ticket.)X 3474(If)X 3549(the)X 3668(decryption)X 555 1468(routines)N 848(detect)X 1075(a)X 1146(modi\256cation)X 1585(of)X 1687(the)X 1820(ticket)X 2033(\(each)X 2243(encryption)X 2621(system)X 2877(must)X 3066(provide)X 3345(safeguards)X 3723(to)X 3819(detect)X 555 1564(modi\256ed)N 865(ciphertext;)X 1234(see)X 1362(section)X 1614(6\),)X 1726(the)X 1849(KRB_AP_ERR_BAD_INTEGRITY)X 3052(error)X 3234(is)X 3312(returned)X 3605(\(chances)X 3912(are)X 555 1660(good)N 735(that)X 875(different)X 1172(keys)X 1339(were)X 1516(used)X 1683(to)X 1765(encrypt)X 2026(and)X 2162(decrypt\).)X 755 1784(The)N 905(authenticator)X 1349(is)X 1427(decrypted)X 1769(using)X 1966(the)X 2088(session)X 2343(key)X 2483(extracted)X 2802(from)X 2982(the)X 3104(decrypted)X 3445(ticket.)X 3687(If)X 3765(decryp-)X 555 1880(tion)N 704(shows)X 929(it)X 998(to)X 1085(have)X 1262(been)X 1439(modi\256ed,)X 1768(the)X 1891(KRB_AP_ERR_BAD_INTEGRITY)X 3094(error)X 3276(is)X 3354(returned.)X 3687(The)X 3837(name)X 555 1976(and)N 699(realm)X 910(of)X 1005(the)X 1131(client)X 1337(from)X 1521(the)X 1646(ticket)X 1851(are)X 1977(compared)X 2321(against)X 2575(the)X 2700(same)X 2892(\256elds)X 3092(in)X 3181(the)X 3306(authenticator.)X 3792(If)X 3873(they)X 555 2072(don't)N 745(match,)X 982(the)X 1101(KRB_AP_ERR_BADMATCH)X 2121(error)X 2299(is)X 2373(returned)X 2662(\(they)X 2848(might)X 3055(not)X 3178(match,)X 3415(for)X 3530(example,)X 3843(if)X 3913(the)X 555 2168(wrong)N 791(session)X 1053(key)X 1200(was)X 1356(used)X 1534(to)X 1627(encrypt)X 1899(the)X 2028(authenticator\).)X 2544(The)X 2699(addresses)X 3037(in)X 3129(the)X 3257(ticket)X 3465(\(if)X 3571(any\))X 3744(are)X 3873(then)X 555 2264(searched)N 860(for)X 976(an)X 1074(address)X 1337(matching)X 1657(the)X 1777(operating-system)X 2351(reported)X 2641(address)X 2904(of)X 2993(the)X 3113(client.)X 3353(If)X 3429(no)X 
match is found or the server insists on ticket addresses but none are present in the ticket, the KRB_AP_ERR_BADADDR error is returned.

If the local (server) time and the client time in the authenticator differ by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW error is returned. If the server name, along with the client name, time and microsecond fields from the Authenticator match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is returned². The server must remember any authenticator presented within the allowable clock skew, so that a replay attempt is guaranteed to fail. If a server loses track of any authenticator presented within the allowable clock skew, it must reject all requests until the clock skew interval has passed. This assures that any lost or re-played authenticators will fall outside the allowable clock skew and can no longer be successfully replayed.
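The address test, the clock-skew test, the replay cache and the rule for a server that has lost its replay state, as an added example in Python (not code from this draft or from any Kerberos implementation). The cache key follows the text: server name, client name, time and microsecond fields, so two different clients whose timestamps collide are not confused. After the cache is lost, every request is refused for one skew interval. The skew value, the error strings, the constructed sample inputs and the label REJECTED_STATE_LOST (the draft names no error code for that refusal) are this example's assumptions.

```python
"""Authenticator freshness checks from the KRB_AP_REQ receipt procedure.

Added example, not code from the draft.  Time is an integer number of seconds;
'now' is the server's own clock, supplied by the caller.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

CLOCK_SKEW = 300            # the draft's example value: 5 minutes (assumption)
KRB_AP_ERR_SKEW = "KRB_AP_ERR_SKEW"
KRB_AP_ERR_REPEAT = "KRB_AP_ERR_REPEAT"
KRB_AP_ERR_BADADDR = "KRB_AP_ERR_BADADDR"
# The draft does not name an error code for the "replay state lost" refusal;
# this label is the example's own.
REJECTED_STATE_LOST = "REJECTED_STATE_LOST"

AuthKey = Tuple[str, str, int, int]   # (server name, client name, ctime, cusec)


def check_addresses(ticket_addrs: Tuple[str, ...], client_addr: str,
                    require_addrs: bool) -> Optional[str]:
    """Ticket addresses (if any) must contain the OS-reported client address."""
    if not ticket_addrs:
        return KRB_AP_ERR_BADADDR if require_addrs else None
    return None if client_addr in ticket_addrs else KRB_AP_ERR_BADADDR


@dataclass
class ReplayCache:
    skew: int = CLOCK_SKEW
    seen: Set[AuthKey] = field(default_factory=set)
    blackout_until: Optional[int] = None

    def state_lost(self, now: int) -> None:
        """Call when the cache contents may have been lost (crash, restart).

        Nothing presented before 'now' can be checked again, so every request
        is refused until all of those authenticators are outside the window.
        """
        self.seen.clear()
        self.blackout_until = now + self.skew

    def _expire(self, now: int) -> None:
        # An entry is needed for as long as its ctime is still inside the
        # window (a client clock may run ahead of ours); anything older fails
        # the skew test on its own and can be dropped.
        self.seen = {k for k in self.seen if now - k[2] <= self.skew}

    def check(self, server: str, client: str, ctime: int, cusec: int,
              now: int) -> Optional[str]:
        """Return an error code, or None when the authenticator is fresh and new."""
        if self.blackout_until is not None:
            if now < self.blackout_until:
                return REJECTED_STATE_LOST
            self.blackout_until = None
        if abs(now - ctime) > self.skew:
            return KRB_AP_ERR_SKEW
        self._expire(now)
        key = (server, client, ctime, cusec)
        if key in self.seen:          # same client, same server, same instant
            return KRB_AP_ERR_REPEAT
        self.seen.add(key)
        return None
```

The expiry rule is the part worth reading twice: entries are aged by the authenticator's own ctime, not by when the server saw them, because a client whose clock runs ahead can present a ctime that stays inside the window longer than one skew interval after arrival.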
(If this is not done, an attacker could conceivably record the ticket and authenticator sent over the network to a server, then disable the client's host, pose as the disabled host, and replay the ticket and authenticator to subvert the authentication.) If a sequence number is provided in the authenticator, the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is present, the server either saves it for later use or uses it to help generate its own choice for a subkey to be returned in a KRB_AP_REP message.

The server computes the age of the ticket: local (server) time minus the start time inside the Ticket. If the start time is later than the current time by more than the allowable clock skew or if the INVALID flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the current time is later than end
time by more than the allowable clock skew, the KRB_AP_ERR_TKT_EXPIRED error is returned.

If all these checks succeed without an error, the server is assured that the client possesses the credentials of the principal named in the ticket and thus, the client has been authenticated to the server. See section 10.10 for pseudocode.

__________
¹ This is used in the Davis & Swick proposal.[5]
² Note that the rejection here is restricted to authenticators from the same principal to the same server. Other client principals communicating with the same server principal should not have their authenticators rejected if the time and microsecond fields happen to match some other client's authenticator.

3.2.4. Generation of a KRB_AP_REP message

Typically, a client's request will include both the authentication information and its initial request in the same message, and the server need not explicitly reply to the KRB_AP_REQ. However, if mutual authentication (not only authenticating the client to the server, but also the server to the client) is being performed, the KRB_AP_REQ message will have MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is required in response. As with the error message, this message may be encapsulated in the application protocol if its "raw" form is not acceptable to the application's protocol. The timestamp and microsecond field used in the reply must be the client's timestamp and microsecond field (as provided in the authenticator)¹. If a sequence number is to be included, it should be randomly chosen as described above for the authenticator. A subkey may be included if the server desires to negotiate a different subkey. The KRB_AP_REP message is encrypted in the
session key extracted from the ticket. See section 10.11 for pseudocode.

3.2.5. Receipt of KRB_AP_REP message

If a KRB_AP_REP message is returned, the client uses the session key to decrypt the message, and verifies that the timestamp and microsecond fields match those in the Authenticator it sent to the server. If they match, then the client is assured that the server is genuine. The sequence number and subkey (if present) are retained for later use. See section 10.12 for pseudocode.

3.2.6. Using the encryption key

After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server share an encryption key which can be used by the application. The "true session key" to be used for KRB_PRIV, KRB_SAFE, or other application-specific uses may be chosen by the application based on the subkeys in the KRB_AP_REP message and authenticator². In some cases, the use of this session key
will be implicit in the protocol; in others the method of use must be chosen from a vast array of alternatives. We leave the protocol negotiations of how to use the key (e.g. selecting an encryption or checksum type) to the application programmer; the Kerberos protocol does not constrain the implementation options.

With both the one-way and mutual authentication exchanges, the peers should take care not to send sensitive information to each other without proper protection. In particular, applications that require privacy or integrity should use the KRB_AP_REP or KRB_ERROR responses from the server to client to assure both client and server of their peer's identity. If an application protocol requires privacy of its messages, it can use the KRB_PRIV message (section 3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.

3.3. The Ticket-Granting Service (TGS) Exchange

                                   Summary

         Message direction          Message type          Section
      1. Client to Kerberos         KRB_TGS_REQ           5.3.1
      2. Kerberos to client         KRB_TGS_REP or        5.3.2
                                    KRB_ERROR             5.7.1

The TGS exchange between a client and the Kerberos Ticket-Granting Server is initiated by a client when it wishes to obtain authentication credentials for a given server (which might be registered in a remote realm), when it wishes to renew or validate an existing ticket, or when it wishes to obtain a proxy ticket. In the first case, the client must already have acquired a ticket for the Ticket-Granting Service using the AS exchange (the ticket-granting ticket is usually obtained when a client initially authenticates to the system, such as when a user logs in). The message format for the TGS exchange is almost identical to that for the AS exchange. The primary difference is that encryption and decryption in the TGS exchange does not take place under the client's key.
Instead, the session key from the ticket-granting ticket or renewable ticket is used. As is the case for all application servers, expired tickets are not accepted by the TGS, so once a renewable or ticket-granting ticket expires, the client must use a separate exchange to obtain valid tickets.

__________
¹ In the Kerberos version 4 protocol, the timestamp in the reply was the client's timestamp plus one. This is not necessary in version 5 because version 5 messages are formatted in such a way that it is not possible to create the reply by judicious message surgery (even in encrypted form) without knowledge of the appropriate encryption keys.
² Implementations of the protocol may wish to provide routines to choose subkeys based on session keys and random numbers and to orchestrate a negotiated key to be returned in the KRB_AP_REP message.
The TGS exchange consists of two messages: a request (KRB_TGS_REQ) from the client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or KRB_ERROR). The TGS request includes information authenticating the client plus a request for credentials. The authentication information consists of the authentication header (KRB_AP_REQ) which includes the client's previously obtained ticket-granting, renewable, or invalid ticket. In the ticket-granting ticket and proxy cases, the request may include one or more of: a list of network addresses, a collection of typed authorization data to be sealed in the ticket for authorization use by the application server, or additional tickets (the use of which is described later). The TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the session key from the ticket-granting ticket or renewable ticket. The KRB_ERROR message contains an error code and text explaining what went wrong. The KRB_ERROR message is not encrypted. The KRB_TGS_REP message contains information which can be used to detect replays, and to associate it with the message to which it replies. The KRB_ERROR message also contains information which can be used to associate it with the message to which it replies, but the lack of encryption in the KRB_ERROR message precludes the ability to detect replays or fabrications of such messages.

3.3.1. Generation of KRB_TGS_REQ message

Before sending a request to the ticket-granting service, the client must determine in which realm the application server is registered¹. If the client does not already possess a ticket-granting ticket for the appropriate realm, then one must be obtained. This is first attempted by requesting a ticket-granting ticket for the destination realm from the local Kerberos server (using the TGS request message recursively). The Kerberos server may
return a TGT for the desired realm, in which case one can proceed. Alternatively, the Kerberos server may return a TGT for a realm which is "closer" to the desired realm (further along the standard hierarchical path), in which case this step must be repeated with a Kerberos server in the realm specified in the returned TGT. If neither is returned, then the request must be retried with a Kerberos server for a realm higher in the hierarchy. This request will itself require a ticket-granting ticket for the higher realm which must be obtained by recursively applying these directions.

Once the client obtains a ticket-granting ticket for the appropriate realm, it determines which Kerberos servers serve that realm, and contacts one. The list might be obtained through a configuration file or network service; as long as the secret keys exchanged by realms are kept secret, only denial of service results from a false Kerberos server.
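The client-side realm walk just described, together with the KDC-side "closest realm" selection that section 3.3.3 specifies, as an added example in Python (not the draft's pseudocode and not any implementation's code). It assumes domain-style realm names whose labels define the hierarchy, so A.X.COM is a child of X.COM; a TGT is represented by the name of the realm it is good for, and each KDC is modelled only by the set of realms it holds an inter-realm key for. The topology returned by example_topology() is constructed: it deliberately contains a missing parent-to-child key and a shortcut key so that all three outcomes (TGT for the destination, TGT for a closer realm, neither) occur.

```python
"""Cross-realm ticket-granting-ticket acquisition along the hierarchical path.

Added example, not code from the draft.  Inter-realm keys are recorded per
KDC, so a key may exist in one direction only (as with real krbtgt/A@B vs
krbtgt/B@A principals).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def parent_realm(realm: str) -> Optional[str]:
    labels = realm.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def hierarchical_path(src: str, dst: str) -> List[str]:
    """Realms visited going up from src to the common ancestor, then down to
    dst (src itself excluded, dst included)."""
    s, d = src.split(".")[::-1], dst.split(".")[::-1]
    n = 0
    while n < min(len(s), len(d)) and s[n] == d[n]:
        n += 1
    if n == 0:
        raise ValueError(f"{src} and {dst} share no ancestor realm")
    up = [".".join(s[:i][::-1]) for i in range(len(s) - 1, n - 1, -1)]
    down = [".".join(d[:j][::-1]) for j in range(n + 1, len(d) + 1)]
    return up + down


@dataclass
class Kdc:
    realm: str
    interrealm_keys: Set[str]     # realms this KDC shares a key with

    def tgs_req_for_realm(self, dest: str) -> Optional[str]:
        """KDC side (section 3.3.3): a TGT for dest if a key is shared with it,
        else for the realm on the path closest to dest that is; None means
        KRB_ERROR."""
        for hop in reversed(hierarchical_path(self.realm, dest)):
            if hop in self.interrealm_keys:
                return hop
        return None


def obtain_cross_realm_tgt(client_realm: str, dest: str, kdcs: Dict[str, Kdc],
                           max_hops: int = 16) -> List[str]:
    """Client side (section 3.3.1): the realms whose TGTs the client ends up
    holding, in order, finishing with dest."""
    trail, cur = [client_realm], client_realm
    for _ in range(max_hops):
        if cur == dest:
            return trail
        got = kdcs[cur].tgs_req_for_realm(dest)
        if got is None:
            # Neither TGT returned: retry one level up.  The TGT for the
            # higher realm must itself come from the KDC we already hold a
            # TGT for, which is the recursive step of the draft.
            parent = parent_realm(cur)
            got = kdcs[cur].tgs_req_for_realm(parent) if parent else None
            if got != parent:
                raise LookupError(f"no usable path from {cur} toward {dest}")
        trail.append(got)
        cur = got
    raise LookupError("hop limit exceeded; inter-realm keys may form a loop")


def example_topology() -> Dict[str, Kdc]:
    """Constructed topology (assumption): Y.COM lacks a key for its child
    B.Y.COM, while X.COM and COM hold shortcut keys straight to B.Y.COM."""
    keys = {
        "A.X.COM": {"X.COM"},
        "X.COM": {"A.X.COM", "COM", "B.Y.COM"},
        "COM": {"X.COM", "Y.COM", "B.Y.COM"},
        "Y.COM": {"COM"},
        "B.Y.COM": {"X.COM", "COM"},
    }
    return {realm: Kdc(realm, shared) for realm, shared in keys.items()}
```

From A.X.COM the walk takes the shortcut held by X.COM and never visits COM or Y.COM; from Y.COM the missing child key forces the climb to COM, whose shortcut then finishes the walk; a destination nobody on the path holds a key for ends in an error at the top of the hierarchy.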
As in the AS exchange, the client may specify a number of options in the TGS request. The client prepares the KRB_TGS_REQ message, providing an authentication header as an element of the padata field, and including the same fields as used in the KRB_AS_REQ message along with several optional fields: the enc-authorization-data field for application server use and additional tickets required by some options. If the enc-authorization-data is present, it must be encrypted in a sub-session key included in the authenticator portion of the authentication header.

Once prepared, the message is sent to a Kerberos server for the destination realm. See section 10.5 for pseudocode.

__________
¹ This can be accomplished in several ways. It might be known beforehand (since the realm is part of the principal identifier), or it might be stored in a nameserver. Presently, however, this information is obtained from a configuration file. If the realm to be used is obtained from a nameserver, there is a danger of being spoofed if the nameservice providing the realm name is not authenticated. This might result in the use of a realm which has been compromised, and would result in an attacker's ability to compromise the authentication of the application server to the client.

3.3.2. Receipt of KRB_TGS_REQ message

The TGS request is processed in a manner similar to the AS request, but there are many additional checks to be performed. First, the Kerberos server must determine which server the accompanying ticket is for and it must select the appropriate key to decrypt it. For a normal TGS request, it will be for the ticket granting service, and the TGS's key will be used. If the TGT was issued by another realm, then the appropriate inter-realm key must be used. If the accompanying ticket is not a ticket granting ticket, but is for an application server in the current realm, and the RENEW, VALIDATE, or PROXY options are specified in the request, then the KDC will decrypt the ticket in the authenticator using the key of the server to which it was issued. If no ticket can be found in the padata field, the KDC_ERR_PADATA_TYPE_NOSUPP error is returned.

Once the accompanying ticket has been decrypted, the user-supplied checksum in the Authenticator must be verified against the contents of the request, and the message rejected if the checksums do not match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is returned. If
the authorization-data are present, they are decrypted using the sub-session key from the Authenticator.

If any of the decryptions indicate failed integrity checks, the KRB_AP_ERR_BAD_INTEGRITY error is returned.

3.3.3. Generation of KRB_TGS_REP message

The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The detailed specification is in section 5.3.2.

The response will include a ticket for the requested server. The Kerberos database is queried to retrieve the record for the requested server (including the key with which the ticket will be encrypted). If the request is for a ticket granting ticket for a remote realm, and if no key is shared with the requested realm, then the Kerberos server will select the realm "closest" to the requested realm with which it does share a key, and use that realm instead. This is the only case where the response from the KDC will be for a different server than that requested by the client.

By default, the address field, the client's name and realm, the list of transited realms, the time of initial authentication, the expiration time, and the authorization data of the newly-issued ticket will be copied from the ticket-granting ticket (TGT) or renewable ticket. If the transited field needs to be updated, but the transited type is not supported,the KDC_ERR_TRTYPE_NOSUPP error is returned.

If the request specifies an endtime, then the endtime of the new ticket is set to the minimum of (a) that request, (b) the endtime from the TGT, and (c) the starttime of the TGT plus the minimum of the maximum life for the application server and the maximum life for the local realm (the maximum life for the requesting principal was already applied when the TGT was issued). If the new ticket is to be a renewal, then the endtime above is replaced by the minimum of (a) the value of the renew_till field of the ticket and (b) the starttime for the new ticket plus the life (endtime-starttime) of the old ticket.

If the FORWARDED option has been requested, then the resulting ticket will contain the addresses specified by the client. This option will only be honored if the FORWARDABLE flag is set in the TGT. The PROXY option is similar; the resulting ticket will contain the addresses specified by the client. It will be honored only if the PROXIABLE flag in the TGT is set. The PROXY option will not be honored on requests for additional ticket-granting tickets.

If the requested start time is absent or indicates a time in the past, then the start time of the ticket is set to the authentication server's current time. If it indicates a time in the future, but the
3544(POSTDATED)X 555 4448(option)N 802(has)X 952(not)X 1097(been)X 1292(speci\256ed)X 1620(or)X 1730(the)X 1871(MAY-POSTDATE)X 2537(\257ag)X 2700(is)X 2796(not)X 2941(set)X 3072(in)X 3176(the)X 3316(TGT,)X 3534(then)X 3714(the)X 3854(error)X 555 4544(KDC_ERR_CANNOT_POSTDATE)N 1777(is)X 1865(returned.)X 2207(Otherwise,)X 2591(if)X 2674(the)X 2806(ticket-granting)X 3312(ticket)X 3524(has)X 3665(the)X 3797(MAY-)X 555 4640(POSTDATE)N 998(\257ag)X 1152(set,)X 1295(then)X 1466(the)X 1597(resulting)X 1910(ticket)X 2121(will)X 2278(be)X 2387(postdated)X 2727(and)X 2876(the)X 3007(requested)X 3348(starttime)X 3661(is)X 3747(checked)X 555 4736(against)N 817(the)X 950(policy)X 1185(of)X 1287(the)X 1420(local)X 1611(realm.)X 1849(If)X 1938(acceptable,)X 2333(the)X 2466(ticket's)X 2737(start)X 2910(time)X 3087(is)X 3175(set)X 3299(as)X 3401(requested,)X 3763(and)X 3913(the)X 555 4832(INVALID)N 915(\257ag)X 1060(is)X 1138(set.)X 1292(The)X 1441(postdated)X 1772(ticket)X 1974(must)X 2153(be)X 2253(validated)X 2571(before)X 2801(use)X 2932(by)X 3036(presenting)X 3394(it)X 3462(to)X 3548(the)X 3670(KDC)X 3863(after)X 555 4928(the)N 683(starttime)X 992(has)X 1128(been)X 1309(reached.)X 1629(However,)X 1973(in)X 2064(no)X 2173(case)X 2341(may)X 2508(the)X 2635(starttime,)X 2964(endtime,)X 3271(or)X 3367(renew-till)X 3708(time)X 3879(of)X 3975(a)X 555 5024(newly-issued)N 998(postdated)X 1325(ticket)X 1523(extend)X 1757(beyond)X 2013(the)X 2131(renew-till)X 2463(time)X 2625(of)X 2712(the)X 2830(ticket-granting)X 3322(ticket.)X 755 5148(If)N 830(the)X 949(ENC-TKT-IN-SKEY)X 1661(option)X 1886(has)X 2014(been)X 2187(speci\256ed,)X 2513(and)X 2650(if)X 2720(an)X 2816(additional)X 3156(ticket)X 3354(has)X 3481(been)X 3653(included)X 3949(in)X 555 5244(the)N 682(request,)X 963(then)X 1130(the)X 1257(KDC)X 1455(will)X 1628(verify)X 1849(that)X 1998(the)X 2124(principal)X 2437(identi\256er)X 2754(of)X 2849(the)X 2975(server)X 3200(in)X 3290(the)X 3416(ticket)X 3622(matches)X 3913(the)X 555 
5340(requested)N 885(server)X 1104(in)X 1188(the)X 1308(KDC)X 1499(request)X 1753(\(to)X 1864(make)X 2059(sure)X 2214(someone)X 2520(doesn't)X 2777(insert)X 2976(a)X 3033(different)X 3331(ticket)X 3530(in)X 3613(the)X 3732(request\),)X 555 5436(decrypt)N 824(the)X 950(additional)X 1298(ticket)X 1504(using)X 1705(the)X 1831(key)X 1974(for)X 2095(the)X 2220(server)X 2444(to)X 2533(which)X 2756(it)X 2827(was)X 2979(issued,)X 3226(verify)X 3445(that)X 3592(it)X 3663(is)X 3743(a)X 3806(ticket-)X 555 5532(granting)N 852(ticket,)X 1080(and)X 1226(use)X 1363(the)X 1491(session)X 1752(key)X 1898(from)X 2084(the)X 2211(additional)X 2560(ticket)X 2767(to)X 2858(encrypt)X 3128(the)X 3255(new)X 3418(ticket)X 3625(it)X 3698(will)X 3851(issue)X 555 5628(instead)N 802(of)X 889(encrypting)X 1252(the)X 1370(new)X 1524(ticket)X 1722(in)X 1804(the)X 1922(key)X 2058(of)X 2145(the)X 2263(server)X 2480(for)X 2594(which)X 2810(it)X 2874(is)X 2947(to)X 3029(be)X 3125(issued)X 8 s 5603(1)Y 10 s 5628(.)Y 8 s 10 f 555 5708(hhhhhhhhhhhhhhhhhh)N 6 s 1 f 555 5783(1)N 8 s 611 5802(This)N 746(allows)X 934(easy)X 1068(implementation)X 1491(of)X 1565(the)X 1664(Davis)X 1834(&)X 1905(Swick)X 2086(proposal[5])X 2401(to)X 2472(use)X 2578(ticket-granting)X 2975(ticket)X 3138(session)X 3344(keys)X 3482(in)X 3553(lieu)X 3670(of)X 10 s 555 6144(Section)N 815(3.3.3.)X 2196(-)X 2243(14)X 2343(-)X 15 p %%Page: 15 16 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 755 672(If)N 842(the)X 972(name)X 1178(of)X 1277(the)X 1407(server)X 1636(in)X 1730(the)X 1860(ticket)X 2070(that)X 2222(is)X 2307(presented)X 2647(to)X 2741(the)X 2871(KDC)X 3072(as)X 3171(part)X 3328(of)X 3427(the)X 3557(authentication)X 555 768(header)N 791(is)X 865(not)X 988(that)X 1129(of)X 1217(the)X 1336(ticket-granting)X 1829(server)X 2047(itself,)X 2248(and)X 2385(the)X 2504(server)X 2722(is)X 2796(registered)X 3134(in)X 3217(the)X 3336(realm)X 3540(of)X 3628(the)X 3747(KDC,)X 3957(If)X 555 864(the)N 679(RENEW)X 
990(option)X 1220(is)X 1299(requested,)X 1653(then)X 1816(the)X 1939(KDC)X 2133(will)X 2282(verify)X 2499(that)X 2644(the)X 2767(RENEWABLE)X 3286(\257ag)X 3431(is)X 3509(set)X 3623(in)X 3710(the)X 3833(ticket)X 555 960(and)N 702(that)X 853(the)X 982(renew_till)X 1338(time)X 1511(is)X 1595(still)X 1745(in)X 1838(the)X 1967(future.)X 2230(If)X 2315(the)X 2444(VALIDATE)X 2881(option)X 3116(is)X 3200(rqeuested,)X 3559(the)X 3688(KDC)X 3887(will)X 555 1056(check)N 769(that)X 915(the)X 1038(starttime)X 1343(has)X 1475(passed)X 1714(and)X 1855(the)X 1978(INVALID)X 2338(\257ag)X 2483(is)X 2561(set.)X 2715(If)X 2794(the)X 2917(PROXY)X 3213(option)X 3442(is)X 3520(requested,)X 3873(then)X 555 1152(the)N 676(KDC)X 868(will)X 1015(check)X 1226(that)X 1369(the)X 1490(PROXIABLE)X 1962(\257ag)X 2105(is)X 2181(set)X 2293(in)X 2377(the)X 2497(ticket.)X 2737(If)X 2813(the)X 2933(tests)X 3097(succeed,)X 3394(the)X 3514(KDC)X 3705(will)X 3851(issue)X 555 1248(the)N 673(appropriate)X 1059(new)X 1213(ticket.)X 755 1372(Whenever)N 1120(a)X 1190(request)X 1456(is)X 1543(made)X 1751(to)X 1847(the)X 1979(ticket-granting)X 2485(server,)X 2736(the)X 2868(presented)X 3210(ticket\(s\))X 3507(is\(are\))X 3747(checked)X 555 1468(against)N 813(a)X 880(hot-list)X 1137(of)X 1234(tickets)X 1473(which)X 1699(have)X 1881(been)X 2063(canceled.)X 2415(This)X 2587(hot-list)X 2843(might)X 3059(be)X 3165(implemented)X 3613(by)X 3723(storing)X 3975(a)X 555 1564(range)N 762(of)X 856(issue)X 1043(dates)X 1235(for)X 1356("suspect)X 1652(tickets";)X 1943(if)X 2019(a)X 2082(presented)X 2417(ticket)X 2622(had)X 2765(an)X 2868(authtime)X 3175(in)X 3264(that)X 3411(range,)X 3637(it)X 3708(would)X 3935(be)X 555 1660(rejected.)N 876(In)X 969(this)X 1110(way,)X 1290(a)X 1352(stolen)X 1569(ticket-granting)X 2067(ticket)X 2271(or)X 2364(renewable)X 2721(ticket)X 2925(cannot)X 3165(be)X 3267(used)X 3440(to)X 3528(gain)X 3691(additional)X 555 1756(tickets)N 788(\(renewals)X 1125(or)X 1215(otherwise\))X 1577(once)X 
1752(the)X 1873(theft)X 2043(has)X 2173(been)X 2348(reported.)X 2679(Any)X 2840(normal)X 3090(ticket)X 3291(obtained)X 3590(before)X 3819(it)X 3886(was)X 555 1852(reported)N 850(stolen)X 1068(will)X 1219(still)X 1365(be)X 1468(valid)X 1655(\(because)X 1964(they)X 2129(require)X 2384(no)X 2491(interaction)X 2861(with)X 3030(the)X 3154(KDC\),)X 3396(but)X 3524(only)X 3692(until)X 3864(their)X 555 1948(normal)N 802(expiration)X 1147(time.)X 755 2072(The)N 906(ciphertext)X 1253(part)X 1404(of)X 1497(the)X 1621(response)X 1928(in)X 2016(the)X 2140(KRB_TGS_REP)X 2707(message)X 3005(is)X 3084(encrypted)X 3427(in)X 3515(the)X 3639(session)X 3895(key)X 555 2168(from)N 735(the)X 857(ticket-granting)X 1353(ticket)X 1555(instead)X 1805(of)X 1895(the)X 2016(client's)X 2275(secret)X 2486(key.)X 2665(Furthermore,)X 3109(the)X 3230(client's)X 3489(key's)X 3686(expiration)X 555 2264(date)N 710(and)X 847(the)X 966(key)X 1103(version)X 1360(number)X 1625(\256elds)X 1818(are)X 1937(left)X 2064(out)X 2186(since)X 2371(these)X 2556(values)X 2781(are)X 2900(stored)X 3116(along)X 3314(with)X 3476(the)X 3594(client's)X 3850(data-)X 555 2360(base)N 720(record,)X 968(and)X 1106(that)X 1248(record)X 1476(is)X 1551(not)X 1675(needed)X 1925(to)X 2009(satisfy)X 2240(a)X 2298(request)X 2552(based)X 2757(on)X 2858(a)X 2915(ticket-granting)X 3408(ticket.)X 3647(See)X 3784(section)X 555 2456(10.6)N 715(for)X 829(pseudocode.)X 3 f 555 2648(3.3.3.1.)N 835(Encoding)X 1178(the)X 1305(transited)X 1632(\256eld)X 1 f 755 2772(If)N 839(the)X 967(identity)X 1241(of)X 1338(the)X 1466(server)X 1693(in)X 1785(the)X 1913(TGT)X 2099(that)X 2249(is)X 2331(presented)X 2668(to)X 2759(the)X 2886(KDC)X 3084(as)X 3180(part)X 3334(of)X 3430(the)X 3557(authentication)X 555 2868(header)N 791(is)X 865(that)X 1006(of)X 1094(the)X 1213(ticket-granting)X 1706(service,)X 1975(but)X 2098(the)X 2217(TGT)X 2393(was)X 2538(issued)X 2758(from)X 2934(another)X 3195(realm,)X 3418(the)X 3536(KDC)X 3725(will)X 3869(look)X 555 2964(up)N 
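The start-time and end-time rules of this section, carried through in code. This is an added worked example for this page, not code from the draft or from any Kerberos implementation. Times are plain integers (seconds); option and flag names are spelled as in the draft; the local-realm postdating policy is a stand-in that only bounds how far ahead a postdated start may lie; KDC_ERR_BADOPTION is this example's assumed name for the rejections the draft does not name in this passage; and the final "nothing left to issue" check is this example's own sanity check, not a rule stated on the page.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

KDC_ERR_CANNOT_POSTDATE = "KDC_ERR_CANNOT_POSTDATE"   # named in the draft
KDC_ERR_BADOPTION = "KDC_ERR_BADOPTION"               # assumed name for the other rejections


class KdcError(Exception):
    pass


@dataclass
class Ticket:
    """The TGT (or renewable ticket) presented with the request; times in seconds."""
    starttime: int
    endtime: int
    renew_till: Optional[int] = None                  # None: the ticket is not renewable
    flags: Set[str] = field(default_factory=set)      # "RENEWABLE", "MAY-POSTDATE", ...


@dataclass
class TgsRequest:
    options: Set[str] = field(default_factory=set)    # "RENEW", "POSTDATED", ...
    starttime: Optional[int] = None                   # absent when None
    endtime: Optional[int] = None                     # absent when None


def compute_times(req: TgsRequest, tkt: Ticket, now: int, server_max_life: int,
                  realm_max_life: int, policy_max_postdate: int) -> Tuple[int, int, Set[str]]:
    """Return (starttime, endtime, flags) of the ticket the KDC will issue."""
    flags: Set[str] = set()
    # Start time: absent or in the past -> the KDC's current time; future -> postdating rules.
    if req.starttime is None or req.starttime <= now:
        start = now
    else:
        if "POSTDATED" not in req.options or "MAY-POSTDATE" not in tkt.flags:
            raise KdcError(KDC_ERR_CANNOT_POSTDATE)
        if req.starttime - now > policy_max_postdate:         # local-realm policy (stand-in)
            raise KdcError(KDC_ERR_BADOPTION)
        start = req.starttime
        flags |= {"POSTDATED", "INVALID"}    # must be VALIDATEd once the start is reached
    # End time: min of (a) the request, (b) the TGT endtime and
    # (c) TGT starttime + min(server max life, realm max life).
    end = min(tkt.endtime, tkt.starttime + min(server_max_life, realm_max_life))
    if req.endtime is not None:
        end = min(end, req.endtime)
    if "RENEW" in req.options:
        # Renewal needs the RENEWABLE flag and a renew_till still in the future; the
        # endtime becomes min(renew_till, new start + life of the old ticket).
        if "RENEWABLE" not in tkt.flags or tkt.renew_till is None or tkt.renew_till <= now:
            raise KdcError(KDC_ERR_BADOPTION)
        end = min(tkt.renew_till, start + (tkt.endtime - tkt.starttime))
    if "POSTDATED" in flags and tkt.renew_till is not None:
        # No time of a postdated ticket may extend beyond the TGT's renew-till.
        if start > tkt.renew_till:
            raise KdcError(KDC_ERR_BADOPTION)
        end = min(end, tkt.renew_till)
    if end <= start:                                          # example's own sanity check
        raise KdcError(KDC_ERR_BADOPTION)
    return start, end, flags


def issue_or_error(*args):
    """Convenience wrapper: the computed times, or the KDC error name."""
    try:
        return compute_times(*args)
    except KdcError as exc:
        return str(exc)
```

A renewal replaces the endtime computed from the lifetimes rather than capping it, so a renewed ticket can outlive the server or realm maximum as long as it stays inside the original renew_till; that is what the draft's wording specifies, and it is the reason max_renewable_life is enforced separately when the first ticket is issued.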
3.3.3.1. Encoding the transited field

If the identity of the server in the TGT that is presented to the KDC as part of the authentication header is that of the ticket-granting service, but the TGT was issued from another realm, the KDC will look up the inter-realm key shared with that realm and use that key to decrypt the ticket. If the ticket is valid, then the KDC will honor the request, subject to the constraints outlined above in the section describing the AS exchange. The realm part of the client's identity will be taken from the ticket-granting ticket. The name of the realm that issued the ticket-granting ticket will be added to the transited field of the ticket to be issued. This is accomplished by reading the transited field from the ticket-granting ticket, adding the new realm, then constructing and writing out its encoded (shorthand) form (this may involve a rearrangement of the existing encoding).

Note that the ticket-granting service does not add the name of its own realm. Instead, its responsibility is to add the name of the previous realm. This prevents a malicious Kerberos from intentionally leaving out its own name (it could, however, omit other realms' names).

The names of neither the local realm nor the principal's realm are to be included in the transited field. They appear elsewhere in the ticket and both are known to have taken part in authenticating the principal. Since the endpoints are not included, both local and single-hop inter-realm authentication result in a transited field that is empty.

Because the name of each realm transited is added to this field, it might potentially be very long. To decrease the length of this field, its contents are encoded. The initially supported encoding is optimized for the normal case of inter-realm communication: a hierarchical arrangement of realms using either domain or X.500 style realm names. This encoding (called DOMAIN-X500-COMPRESS) is now described.

Realm names in the transited field are separated by a ",". The ",", "\", trailing "."s, and leading spaces (" ") are special characters, and if they are part of a realm name, they must be quoted in the transited field by preceding them with a "\".

A realm name ending with a "." is interpreted as being prepended to the previous realm. For example, we can encode traversal of EDU, MIT.EDU, ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:

    "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS."

Note that if ATHENA.MIT.EDU or CS.WASHINGTON.EDU were endpoints, they would not be included in this field, and we would have:

    "EDU,MIT.,WASHINGTON.EDU"

A realm name beginning with a "/" is interpreted as being appended to the previous realm [1]. If it is to stand by itself, then it should be preceded by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO, /COM/HP, /COM, and /COM/DEC as:

    "/COM,/HP,/APOLLO, /COM/DEC"

Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they would not be included in this field, and we would have:

    "/COM,/HP"

A null subfield preceding or following a "," indicates that all realms between the previous realm and the next realm have been traversed [2]. Thus, "," means that all realms along the path between the client and the server have been traversed. ",EDU,/COM," means that all realms from the client's realm up to EDU (in a domain style hierarchy) have been traversed, and that everything from /COM down to the server's realm in an X.500 style hierarchy has also been traversed. This could occur if the EDU realm in one hierarchy shares an inter-realm key directly with the /COM realm in another hierarchy.

[1] For the purpose of appending, the realm preceding the first listed realm is considered to be the null realm ("").

[2] For the purpose of interpreting null subfields, the client's realm is considered to precede those in the transited field, and the server's realm is considered to follow them.
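An encoder and decoder for DOMAIN-X500-COMPRESS, plus the "read the field, add the previous realm, write it back" step the ticket-granting service performs. This is an added worked example written for this page, not code from the draft or from any Kerberos implementation. It applies the draft's rules (prepend on an unquoted trailing ".", append on a leading "/", stand alone on a leading " ", null subfield for "all realms between") and quotes the special characters with "\". One reading is this example's own assumption: a leading "/" appends to the previous realm only when that realm is itself X.500-style or the null realm, which is what makes the draft's ",EDU,/COM," decode to a stand-alone /COM rather than EDU/COM.

```python
from typing import List, Optional


def _split(transited: str) -> List[List[tuple]]:
    """Split on unquoted ','; each subfield is a list of (char, was_quoted) so that a
    quoted '.', '/' or ' ' is never mistaken for one of the encoding's operators."""
    fields, cur, i = [], [], 0
    while i < len(transited):
        c = transited[i]
        if c == "\\":
            if i + 1 == len(transited):
                raise ValueError("dangling quote character")
            cur.append((transited[i + 1], True))
            i += 2
        elif c == ",":
            fields.append(cur)
            cur, i = [], i + 1
        else:
            cur.append((c, False))
            i += 1
    fields.append(cur)
    return fields


def _quote(name: str) -> str:
    """Quote ',', '\\', a leading ' ' and every trailing '.' so they read literally."""
    s = "".join("\\" + c if c in ",\\" else c for c in name)
    if s.startswith(" "):
        s = "\\" + s
    base = s.rstrip(".")
    return base + "\\." * (len(s) - len(base))


def decode_transited(transited: str, prev: str = "") -> List[Optional[str]]:
    """Expand the shorthand into full realm names.  None marks a null subfield
    ("all realms between the previous and the next realm").  `prev` is the realm
    taken to precede the first subfield: the null realm "" (footnote 1)."""
    if transited == "":
        return []
    out: List[Optional[str]] = []
    for sub in _split(transited):
        if not sub:
            out.append(None)                # null subfield; `prev` is left as it was
            continue
        text = "".join(ch for ch, _ in sub)
        (first, fq), (last, lq) = sub[0], sub[-1]
        if last == "." and not lq:
            realm = text + prev             # "MIT." after "EDU"  -> MIT.EDU
        elif first == " " and not fq:
            realm = text[1:]                # " /COM/DEC"         -> stands alone
        elif first == "/" and not fq and (prev == "" or prev.startswith("/")):
            realm = prev + text             # "/HP" after "/COM"  -> /COM/HP
        else:
            realm = text                    # stands alone (this example's reading for
        out.append(realm)                   # "/COM" after a domain-style realm)
        prev = realm
    return out


def encode_transited(realms: List[Optional[str]], prev: str = "") -> str:
    """Inverse of decode_transited: pick the shortest operator form for each realm."""
    subs = []
    for realm in realms:
        if realm is None:
            subs.append("")
        elif prev and not prev.startswith("/") and realm.endswith("." + prev):
            subs.append(_quote(realm[:-len(prev) - 1]) + ".")      # prepend form
        elif (prev == "" or prev.startswith("/")) and realm.startswith(prev + "/"):
            subs.append("/" + _quote(realm[len(prev) + 1:]))        # append form
        else:
            q = _quote(realm)
            if q.startswith("/") and (prev == "" or prev.startswith("/")):
                q = " " + q                 # keep a stand-alone X.500 name from appending
            subs.append(q)
        if realm is not None:
            prev = realm
    return ",".join(subs)


def add_transited(existing: str, realm: str) -> str:
    """What the TGS does with a cross-realm TGT: read the field, add the realm that
    issued the TGT, and write the encoded form back out (re-encoding from scratch is
    the 'rearrangement of the existing encoding' the draft allows for)."""
    return encode_transited(decode_transited(existing) + [realm])
```

A KDC or application server that enforces a transit policy should run the decoded list, not the raw string, through its checks: a quoted "\," or "\." is a single realm name, and a None entry is a wildcard that the policy has to accept or reject explicitly.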
3.3.4. Receipt of KRB_TGS_REP message

When the KRB_TGS_REP is received by the client, it is processed in the same manner as the KRB_AS_REP processing described above. The primary difference is that the ciphertext part of the response must be decrypted using the session key from the ticket-granting ticket rather than the client's secret key. See section 10.7 for pseudocode.

3.4. The KRB_SAFE Exchange

The KRB_SAFE message may be used by clients requiring the ability to detect modifications of messages they exchange. It achieves this by including a keyed collision-proof checksum of the user data and some control information. The checksum is keyed with an encryption key (usually the last key negotiated via subkeys, or the session key if no negotiation has occurred).

3.4.1. Generation of a KRB_SAFE message

When an application wishes to send a KRB_SAFE message, it collects its data and the appropriate control information and computes a checksum over them. The checksum algorithm should be some sort of keyed one-way hash function (such as the RSA-MD4-DES checksum algorithm specified in section 6.4.3, or the DES MAC), generated using the session key. Different algorithms may be selected by changing the checksum type in the message. Unkeyed or non-collision-proof checksums are not suitable for this use.

The control information for the KRB_SAFE message includes both a timestamp and a sequence number. The designer of an application using the KRB_SAFE message must choose at least one of the two mechanisms. This choice should be based on the needs of the application protocol.

Sequence numbers are useful when all messages sent will be received by one's peer. Connection state is presently required to maintain the session key, so maintaining the next sequence number should not present an additional problem.

If the application protocol is expected to tolerate lost messages without them being resent, the use of the timestamp is the appropriate replay detection mechanism. Using timestamps is also the appropriate mechanism for multi-cast protocols where all of one's peers share a common subsession key, but some messages will be sent to a subset of one's peers.

After computing the checksum, the client then transmits the information and checksum to the recipient in the message format specified in section 5.5.1.

3.4.2. Receipt of KRB_SAFE message

When an application receives a KRB_SAFE message, it verifies it as follows. If any error occurs, an error code is reported for use by the application.

The message is first checked by verifying that the protocol version and type fields match the current version and KRB_SAFE, respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application verifies that the checksum used is a collision-proof keyed checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM is generated. The recipient verifies that the operating system's report of the sender's address matches the sender's address in the message, and (if a recipient address is specified or the recipient requires an address) that one of the recipient's addresses appears as the recipient's address in the message. A failed match for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the sequence number fields are checked. If timestamp and usec are expected and not present, or they are present but not current, the KRB_AP_ERR_SKEW error is generated. If the server name, along with the client name, time and microsecond fields from the Authenticator match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number is included, or a sequence number is expected but not present, the KRB_AP_ERR_BADORDER error is generated. If neither a timestamp and usec nor a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is computed over the data and control information, and if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error is generated.

If all the checks succeed, the application is assured that the message was generated by its peer and was not modified in transit.

3.5. The KRB_PRIV Exchange

The KRB_PRIV message may be used by clients requiring confidentiality and the ability to detect modifications of exchanged messages. It achieves this by encrypting the messages and adding control information.

3.5.1. Generation of a KRB_PRIV message

When an application wishes to send a KRB_PRIV message, it collects its data and the appropriate control information (specified in section 5.6.1) and encrypts them under an encryption key (usually the last key negotiated via subkeys, or the session key if no negotiation has occurred). As part of the control information, the client must choose to use either a timestamp or a sequence number (or both); see the discussion in section 3.4.1 for guidelines on which to use. After the user data and control information are encrypted, the client transmits the ciphertext and some "envelope" information to the recipient.

3.5.2. Receipt of KRB_PRIV message

When an application receives a KRB_PRIV message, it verifies it as follows. If any error occurs, an error code is reported for use by the application.

The message is first checked by verifying that the protocol version and type fields match the current version and KRB_PRIV, respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then decrypts the ciphertext and processes the resultant plaintext. If decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is generated. The recipient verifies that the operating system's report of the sender's address matches the sender's address in the message, and (if a recipient address is specified or the recipient requires an address) that one of the recipient's addresses appears as the recipient's address in the message. A failed match for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the sequence number fields are checked. If timestamp and usec are expected and not present, or they are present but not current, the KRB_AP_ERR_SKEW error is generated. If the server name, along with the client name, time and microsecond fields from the Authenticator match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number is included, or a sequence number is expected but not present, the KRB_AP_ERR_BADORDER error is generated. If neither a timestamp and usec nor a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is computed over the data and control information, and if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error is generated.

If all the checks succeed, the application can assume the message was generated by its peer, and was securely transmitted (without intruders able to see the unencrypted contents).
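The receipt-side checks of sections 3.4.2 and 3.5.2, which differ only in how integrity is established (a keyed checksum for KRB_SAFE, integrity-checked decryption for KRB_PRIV), so one set of field checks serves both. This is an added example for this page, not code from the draft or from any Kerberos implementation, and everything concrete in it is a stand-in: messages are dicts rather than the ASN.1 structures of sections 5.5.1 and 5.6.1; the keyed collision-proof checksum is HMAC-SHA256 in place of the RSA-MD4-DES or DES MAC named above; the KRB_PRIV enc-part is an HMAC-derived keystream XOR with an HMAC tag (encrypt-then-MAC), not the draft's DES encryption; and the protocol version and message-type numbers (5, 20, 21) are taken from the V5 message-type numbering rather than from this page.

```python
import hashlib, hmac, json

PVNO, KRB_SAFE, KRB_PRIV = 5, 20, 21            # assumed: V5 protocol/message-type numbers
KEYED_COLLISION_PROOF = {"hmac-sha256"}          # stand-in registry; an unkeyed "crc32" is rejected


def ck(key, data):                                # keyed, collision-proof checksum (stand-in)
    return hmac.new(key, data, hashlib.sha256).digest()


def canon(body):                                  # stand-in for the DER encoding of the body
    return json.dumps(body, sort_keys=True).encode()


def ks(key, nonce, n):                            # HMAC keystream for the toy cipher (n <= 8 KiB)
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def seal(key, nonce, pt):                         # encrypt-then-MAC; the tag is what exposes tampering
    c = bytes(a ^ b for a, b in zip(pt, ks(key, nonce, len(pt))))
    return nonce + c + ck(key, nonce + c)


def unseal(key, blob):                            # None means "decryption shows the data modified"
    nonce, c, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, ck(key, nonce + c)):
        return None
    return bytes(a ^ b for a, b in zip(c, ks(key, nonce, len(c))))


def _body(user_data, ctrl, s_addr, r_addr):
    return {"user-data": user_data.hex(), "s-address": s_addr, "r-address": r_addr, **ctrl}


def make_safe(key, user_data, ctrl, s_addr, r_addr=None):
    body = _body(user_data, ctrl, s_addr, r_addr)
    return {"pvno": PVNO, "msg-type": KRB_SAFE, "safe-body": body,
            "cksum": {"type": "hmac-sha256", "value": ck(key, canon(body))}}


def make_priv(key, nonce, user_data, ctrl, s_addr, r_addr=None):
    body = _body(user_data, ctrl, s_addr, r_addr)
    return {"pvno": PVNO, "msg-type": KRB_PRIV, "enc-part": seal(key, nonce, canon(body))}


def check_body(body, ctx):
    """Address, timestamp/usec and sequence-number checks shared by 3.4.2 and 3.5.2.
    ctx keys: peer_name, local_name, peer_addr, local_addrs, require_r_addr, now, skew,
    expect_ts, next_seq (None when sequence numbers are not in use), seen (replay cache)."""
    if body["s-address"] != ctx["peer_addr"]:
        return "KRB_AP_ERR_BADADDR"
    if (body["r-address"] is not None or ctx["require_r_addr"]) \
            and body["r-address"] not in ctx["local_addrs"]:
        return "KRB_AP_ERR_BADADDR"
    ts, usec, seq = body.get("timestamp"), body.get("usec"), body.get("seq-number")
    if (ctx["expect_ts"] and ts is None) or (ts is not None and abs(ts - ctx["now"]) > ctx["skew"]):
        return "KRB_AP_ERR_SKEW"
    if ts is not None and (ctx["peer_name"], ctx["local_name"], ts, usec) in ctx["seen"]:
        return "KRB_AP_ERR_REPEAT"
    if ctx["next_seq"] is not None and seq != ctx["next_seq"]:     # absent or out of order
        return "KRB_AP_ERR_BADORDER"
    if ts is None and seq is None:
        return "KRB_AP_ERR_MODIFIED"
    return None


def commit(body, ctx):                            # touch peer state only after every check passed
    if body.get("timestamp") is not None:
        ctx["seen"].add((ctx["peer_name"], ctx["local_name"], body["timestamp"], body.get("usec")))
    if body.get("seq-number") is not None:
        ctx["next_seq"] = body["seq-number"] + 1


def verify_safe(msg, key, ctx):
    """Section 3.4.2: returns (error code or None, user data or None)."""
    if msg.get("pvno") != PVNO:
        return "KRB_AP_ERR_BADVERSION", None
    if msg.get("msg-type") != KRB_SAFE:
        return "KRB_AP_ERR_MSG_TYPE", None
    if msg["cksum"]["type"] not in KEYED_COLLISION_PROOF:
        return "KRB_AP_ERR_INAPP_CKSUM", None
    body = msg["safe-body"]
    err = check_body(body, ctx)
    if err:
        return err, None
    if not hmac.compare_digest(ck(key, canon(body)), msg["cksum"]["value"]):
        return "KRB_AP_ERR_MODIFIED", None
    commit(body, ctx)
    return None, bytes.fromhex(body["user-data"])


def verify_priv(msg, key, ctx):
    """Section 3.5.2: integrity-checked decryption first, then the shared checks."""
    if msg.get("pvno") != PVNO:
        return "KRB_AP_ERR_BADVERSION", None
    if msg.get("msg-type") != KRB_PRIV:
        return "KRB_AP_ERR_MSG_TYPE", None
    pt = unseal(key, msg["enc-part"])
    if pt is None:
        return "KRB_AP_ERR_BAD_INTEGRITY", None
    body = json.loads(pt)
    err = check_body(body, ctx)
    if err:
        return err, None
    commit(body, ctx)
    return None, bytes.fromhex(body["user-data"])
```

The draft lists the checksum comparison last for KRB_SAFE, and this code keeps that order, but it records the timestamp tuple in the replay cache and advances the expected sequence number only after the checksum has verified; otherwise a forged message with a plausible timestamp or sequence number could poison the peer state before being rejected as modified.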
1427(have)X 1604(access)X 1835(to)X 1922(a)X 1983(database)X 2284(containing)X 2646(the)X 2768(principal)X 3077(identi\256ers)X 3421(and)X 3561(secret)X 3773(keys)X 3944(of)X 555 1400(principals)N 891(to)X 973(be)X 1069(authenticated)X 8 s 1497 1375(1)N 10 s 1400(.)Y 3 f 12 s 555 1592(4.1.)N 747(Database)X 1149(contents)X 1 f 10 s 555 1716(A)N 633(database)X 930(entry)X 1115(should)X 1348(contain)X 1604(at)X 1682(least)X 1849(the)X 1967(following)X 2298(\256elds:)X 2 f 555 1860(Field)N 1331(Value)X 1 f 555 2052(name)N 1331(Principal's)X 1698(identi\256er)X 555 2148(key)N 1331(Principal's)X 1698(secret)X 1906(key)X 555 2244(p_kvno)N 1331(Principal's)X 1698(key)X 1834(version)X 555 2340(max_life)N 1331(Maximum)X 1684(lifetime)X 1953(for)X 2067(Tickets)X 555 2436(max_renewable_life)N 1331(Maximum)X 1684(total)X 1846(lifetime)X 2115(for)X 2229(renewable)X 2580(Tickets)X 555 2580(The)N 3 f 702(name)X 1 f 911(\256eld)X 1075(is)X 1150(an)X 1248(encoding)X 1564(of)X 1653(the)X 1773(principal's)X 2138(identi\256er.)X 2489(The)X 3 f 2636(key)X 1 f 2778(\256eld)X 2942(contains)X 3231(an)X 3328(encryption)X 3692(key.)X 3869(This)X 555 2676(key)N 694(is)X 770(the)X 891(principal's)X 1257(secret)X 1468(key.)X 1647(\(The)X 1822(key)X 1960(can)X 2094(be)X 2192(encrypted)X 2531(before)X 2759(storage)X 3013(under)X 3218(a)X 3276(Kerberos)X 3593("master)X 3862(key")X 555 2772(to)N 639(protect)X 884(it)X 950(in)X 1034(case)X 1195(the)X 1315(database)X 1614(is)X 1689(compromised)X 2147(but)X 2271(the)X 2391(master)X 2627(key)X 2765(is)X 2840(not.)X 3004(In)X 3093(that)X 3234(case,)X 3414(an)X 3511(extra)X 3693(\256eld)X 3856(must)X 555 2868(be)N 655(added)X 871(to)X 957(indicate)X 1235(the)X 1357(master)X 1595(key)X 1735(version)X 1995(used,)X 2186(see)X 2313(below.\))X 2580(The)X 3 f 2729(p_kvno)X 1 f 3005(\256eld)X 3171(is)X 3247(the)X 3368(key)X 3507(version)X 3766(number)X 555 2964(of)N 644(the)X 763(principal's)X 1127(secret)X 1336(key.)X 1513(The)X 3 f 1659(max_life)X 1 f 
1974(\256eld)X 2137(contains)X 2425(the)X 2544(maximum)X 2889(allowable)X 3222(lifetime)X 3492(\(endtime)X 3798(-)X 3846(start-)X 555 3060(time\))N 745(for)X 860(any)X 997(Ticket)X 1223(issued)X 1444(for)X 1559(this)X 1695(principal.)X 2041(The)X 3 f 2187(max_renewable_life)X 1 f 2894(\256eld)X 3057(contains)X 3344(the)X 3462(maximum)X 3806(allow-)X 555 3156(able)N 715(total)X 883(lifetime)X 1158(for)X 1277(any)X 1418(renewable)X 1774(Ticket)X 2004(issued)X 2229(for)X 2348(this)X 2488(principal.)X 2838(\(See)X 3006(section)X 3258(3.1)X 3383(for)X 3502(a)X 3563(description)X 3944(of)X 555 3252(how)N 713(these)X 898(lifetimes)X 1198(are)X 1317(used)X 1484(in)X 1566(determining)X 1973(the)X 2091(lifetime)X 2360(of)X 2447(a)X 2503(given)X 2701(Ticket.\))X 755 3376(A)N 834(server)X 1052(may)X 1211(provide)X 1477(KDC)X 1667(service)X 1916(to)X 1999(several)X 2248(realms,)X 2503(as)X 2591(long)X 2754(as)X 2842(the)X 2961(database)X 3259(representation)X 3735(provides)X 555 3472(a)N 611(mechanism)X 996(to)X 1078(distinguish)X 1448(between)X 1736(principal)X 2041(records)X 2298(with)X 2460(identi\256ers)X 2800(which)X 3016(differ)X 3215(only)X 3377(in)X 3459(the)X 3577(realm)X 3780(name.)X 755 3596(When)N 969(an)X 1067(application)X 1445(server's)X 1722(key)X 1860(changes,)X 2161(if)X 2232(the)X 2352(change)X 2601(is)X 2675(routine)X 2923(\(i.e.)X 3069(not)X 3192(the)X 3311(result)X 3510(of)X 3598(disclosure)X 3944(of)X 555 3692(the)N 674(old)X 797(key\),)X 980(the)X 1098(old)X 1220(key)X 1356(should)X 1589(be)X 1685(retained)X 1964(by)X 2064(the)X 2182(server)X 2399(until)X 2565(all)X 2665(tickets)X 2894(that)X 3034(had)X 3170(been)X 3342(issued)X 3562(using)X 3755(that)X 3895(key)X 555 3788(have)N 730(expired.)X 1034(Because)X 1325(of)X 1415(this,)X 1573(it)X 1640(is)X 1716(possible)X 2001(for)X 2118(several)X 2369(keys)X 2539(to)X 2624(be)X 2723(active)X 2938(for)X 3055(a)X 3113(single)X 3326(principal.)X 3673(Ciphertext)X 555 3884(encrypted)N 895(in)X 980(a)X 
principal's key is always tagged with the version of the key that was
used for encryption, to help the recipient find the proper key for
decryption.

When more than one key is active for a particular principal, the
principal will have more than one record in the Kerberos database. The
keys and key version numbers will differ between the records (the rest of
the fields may or may not be the same). Whenever Kerberos issues a
ticket, or responds to a request for initial authentication, the most
recent key (known by the Kerberos server) will be used for encryption.
This is the key with the highest key version number.

4.2. Additional fields

Project Athena's KDC implementation uses additional fields in its
database:

   Field         Value

   K_kvno        Kerberos' key version
   expiration    Expiration date for entry
   attributes    Bit field of attributes
   mod_date      Timestamp of last modification
   mod_name      Modifying principal's identifier

__________________
¹ The implementation of the Kerberos server need not combine the database
and the server on the same machine; it is feasible to store the principal
database in, say, a network name service, as long as the entries stored
therein are protected from disclosure to and modification by unauthorized
parties. However, we recommend against such strategies, as they can make
system management and threat analysis quite complex.

The K_kvno field indicates the key version of the Kerberos master key
under which the principal's secret key is encrypted.

After an entry's expiration date has passed, the KDC will return an error
to any client attempting to gain tickets as or for the principal. (A
database may want to maintain two expiration dates: one for the
principal, and one for the principal's
current key. This allows password aging to work independently of the
principal's expiration date. However, due to the limited space in the
responses, the KDC must combine the key expiration and principal
expiration date into a single value called "key_exp", which is used as a
hint to the user to take administrative action.)

The attributes field is a bitfield used to govern the operations
involving the principal. This field might be useful in conjunction with
user registration procedures, for site-specific policy implementations
(Project Athena currently uses it for their user registration process
controlled by the system-wide database service, Moira [6]), or to
identify the "string to key" conversion algorithm used for a principal's
key¹. Other bits are used to indicate that certain ticket options should
not be allowed in tickets encrypted under a principal's key (one bit
each): disallow issuing postdated tickets, disallow issuing forwardable
tickets, disallow issuing tickets based on TGT authentication, disallow
issuing renewable tickets, disallow issuing proxiable tickets.

The mod_date field contains the time of last modification of the entry,
and the mod_name field contains the name of the principal which last
modified the entry.

4.3. Frequently Changing Fields

Some KDC implementations may wish to maintain the last time that a
request was made by a particular principal. Information that might be
maintained includes the time of the last request, the time of the last
request for a ticket-granting ticket, the time of the last use of a
ticket-granting ticket, or other times. This information can then be
returned to the user in the last-req field (see section 5.1).

Other frequently changing information that can be maintained is the
latest expiration time for any tickets that have been issued using each
key. This field would be used to indicate how long old keys must remain
valid to allow the continued use of outstanding tickets.

4.4. Site Constants

The KDC implementation should have the following configurable constants
or options, to allow an administrator to make and enforce policy
decisions:

•  The minimum supported lifetime (used to determine whether the
   KDC_ERR_NEVER_VALID error should be returned). This constant should
   reflect reasonable expectations of round-trip time to the KDC,
   encryption/decryption time, and processing time by the client and
   target server, and it should allow for a minimum "useful" lifetime.

•  The maximum allowable total (renewable) lifetime of a ticket
   (renew_till - starttime).

•  The maximum allowable lifetime of a ticket (endtime - starttime).

•  Whether to allow the issue of tickets with empty address fields
   (including the ability to specify that such tickets may only
   be issued if the request specifies some authorization_data).

•  Whether proxiable, forwardable, renewable or post-datable tickets are
   to be issued.

5. Message Specifications

The following sections describe the exact contents and encoding of
protocol messages and objects. The ASN.1 base definitions are presented
in the first subsection. The remaining subsections specify the protocol
objects (tickets and authenticators) and messages. Specification of
encryption and checksum techniques, and the fields related to them,
appear in section 6.

__________________
¹ See the discussion of the padata field in section 5.3.2 for details on
why this can be useful.

5.1. ASN.1 Base Definitions

The following ASN.1 base definitions are used in the rest of this
section. Note that since the underscore character (_) is not permitted
in ASN.1 names, the hyphen (-) is used in its place for the purposes of
ASN.1 names.

   Realm ::=           GeneralString
   PrincipalName ::=   SEQUENCE OF GeneralString

   KerberosTime ::=    GeneralizedTime
                       -- Specifying UTC time zone (Z)

Kerberos realms are encoded as GeneralStrings; a PrincipalName is a
sequence of components, each encoded as a GeneralString. Taken together,
a PrincipalName and a Realm form a principal identifier. Most realms will
usually consist of several components separated by periods (.), in the
style of Internet Domain Names. Most PrincipalNames will have only a few
components (typically one or two).

   HostAddress ::=     SEQUENCE {
                           addr-type[0]    INTEGER,
                           address[1]      OCTET STRING
   }
   HostAddresses ::=   SEQUENCE OF SEQUENCE {
                           addr-type[0]    INTEGER,
                           address[1]      OCTET STRING
   }

The host address encodings consist of two fields:

addr-type
   This field specifies the type of address that follows. Pre-defined
   values for this field are specified in section 7.1.

address
   This field encodes a single address of type addr-type.

The two forms differ slightly. HostAddress contains exactly one address;
HostAddresses contains a sequence of possibly many addresses.

   AuthorizationData ::=   SEQUENCE OF SEQUENCE {
                               ad-type[0]      INTEGER,
                               ad-data[1]      OCTET STRING
   }

ad-data
   This field contains authorization data to be interpreted according to
   the value of the corresponding ad-type field.

ad-type
   This field specifies the format for the ad-data subfield. All negative
   values are reserved for local use. Non-negative values are reserved
   for registered use.

   ApOptions ::=   BIT STRING {
                       reserved(0),
                       use-session-key(1),
                       mutual-required(2)
   }

   TicketFlags ::=   BIT STRING {
                       reserved(0),
                       forwardable(1),
                       forwarded(2),
                       proxiable(3),
                       proxy(4),
                       may-postdate(5),
                       postdated(6),
                       invalid(7),
                       renewable(8),
                       initial(9)
   }

   KDCOptions ::=   BIT STRING {
                       reserved(0),
                       forwardable(1),
                       forwarded(2),
                       proxiable(3),
                       proxy(4),
                       allow-postdate(5),
                       postdated(6),
                       unused7(7),
                       renewable(8),
                       unused9(9),
                       renewable-ok(27),
                       enc-tkt-in-skey(28),
                       renew(30),
                       validate(31)
   }

   LastReq ::=   SEQUENCE OF SEQUENCE {
                     lr-type[0]    INTEGER,
                     lr-value[1]   KerberosTime
   }

lr-type
   This field indicates how the following lr-value field is to be
   interpreted. Negative values indicate that the information pertains
   only to the responding server. Non-negative values pertain to all
   servers for the realm.

   If the absolute value of the lr-type field is one (1), then the
   lr-value subfield is the time of last initial request for a TGT. If it
   is two (2), then the lr-value subfield is the time of last initial
   request. If it is three (3), then the lr-value subfield is the time of
   issue for the newest ticket-granting ticket used. If it is four (4),
   then the lr-value subfield is the time of the last renewal. If it is
   five (5), then the lr-value subfield is the time of last request (of
   any type).

lr-value
   This field contains the time of the last request. The time must be
   interpreted according to the contents of the accompanying lr-type
   subfield.

See section 6 for the definitions of Checksum, ChecksumType,
EncryptedData, EncryptionKey, EncryptionType, and KeyType.

5.2. Tickets and Authenticators

This section describes the format and encryption parameters for tickets
and authenticators. When a ticket or authenticator is included in a
protocol message it is treated as an opaque object.

5.2.1. Tickets

A ticket is a record that helps a client authenticate to a service. A
Ticket contains
the following information:

   Ticket ::=   [APPLICATION 1] SEQUENCE {
                    tkt-vno[0]      INTEGER,
                    realm[1]        Realm,
                    sname[2]        PrincipalName,
                    enc-part[3]     EncryptedData
   }
   -- Encrypted part of ticket
   EncTicketPart ::=   [APPLICATION 3] SEQUENCE {
                    flags[0]                TicketFlags,
                    key[1]                  EncryptionKey,
                    crealm[2]               Realm,
                    cname[3]                PrincipalName,
                    transited[4]            TransitedEncoding,
                    authtime[5]             KerberosTime,
                    starttime[6]            KerberosTime OPTIONAL,
                    endtime[7]              KerberosTime,
                    renew-till[8]           KerberosTime OPTIONAL,
                    caddr[9]                HostAddresses OPTIONAL,
                    authorization-data[10]  AuthorizationData OPTIONAL
   }
   -- encoded Transited field
   TransitedEncoding ::=   SEQUENCE {
                    tr-type[0]      INTEGER,
                                    -- must be a registered value
                    contents[1]     OCTET STRING
   }

The encoding of EncTicketPart is encrypted in the key shared by Kerberos
and the end server (the server's secret key). See section 6 for the
format of the ciphertext.

tkt-vno
   This field specifies the version number for the ticket format. This
   document describes version number 5.

realm
   This field specifies the realm that issued a ticket. It also serves to
   identify the realm part of the server's principal identifier. Since a
   Kerberos server can only issue tickets for servers within its realm,
   the two will always be identical.

sname
   This field specifies the name part of the server's identity.

enc-part
   This field holds the encrypted encoding of the EncTicketPart sequence.

flags
   This field indicates which of various options were used or requested
   when the ticket was issued. It is a bit-field, where the selected
   options are indicated by the bit being set (1), and the unselected
   options and reserved fields being reset (0). Bit 0 is the most
   significant bit. The encoding of the bits is specified in section 5.1.
   The flags are described in more detail above in section 2. The
   meanings of the flags are:
   Bit(s)  Name           Description

   0       RESERVED       Reserved for future expansion of this field.

   1       FORWARDABLE    The FORWARDABLE flag is normally only
                          interpreted by the TGS, and can be ignored by
                          end servers. When set, this flag tells the
                          ticket-granting server that it is OK to issue a
                          new ticket-granting ticket with a different
                          network address based on the presented ticket.

   2       FORWARDED      When set, this flag indicates that the ticket
                          has either been forwarded or was issued based
                          on authentication involving a forwarded
                          ticket-granting ticket.

   3       PROXIABLE      The PROXIABLE flag is normally only interpreted
                          by the TGS, and can be ignored by end servers.
                          The PROXIABLE flag has an interpretation
                          identical to that of the FORWARDABLE flag,
                          except that the PROXIABLE flag tells the
                          ticket-granting server that only
                          non-ticket-granting tickets may be issued with
                          different network addresses.

   4       PROXY          When set, this flag indicates that a ticket is
                          a proxy.

   5       MAY-POSTDATE   The MAY-POSTDATE flag is normally only
                          interpreted by the TGS, and can be ignored by
                          end servers. This flag tells the
                          ticket-granting server that a postdated ticket
                          may be issued based on this ticket-granting
                          ticket.

   6       POSTDATED      This flag indicates that this ticket has been
                          postdated. The end-service can check the
                          authtime field to see when the original
                          authentication occurred.

   7       INVALID        This flag indicates that a ticket is invalid,
                          and it must be validated by the KDC before use.
                          Application servers must reject tickets which
                          have this flag set.

   8       RENEWABLE      The RENEWABLE flag is normally only interpreted
                          by the TGS, and can usually be ignored by end
                          servers (some particularly careful servers may
                          wish to disallow renewable tickets). A
                          renewable ticket can be used to obtain a
                          replacement ticket that expires at a later
                          date.

   9       INITIAL        This flag indicates that this ticket was issued
                          using the AS protocol, and not issued based on
                          a ticket-granting ticket.

   10-31   RESERVED       Reserved for future use.

key
   This field exists in the ticket and the KDC response and is used to
   pass the session key from Kerberos to the application server and the
   client. The field's encoding is described in section 6.1.

crealm
   This field contains the name of the realm in which the client is
   registered and in which initial authentication took place.

cname
   This field contains the name part of the client's principal
   identifier.

transited
   This field lists the names of the Kerberos realms that took part in
   authenticating the user to whom this ticket was issued. It does not
   specify the
   order in which the realms were transited. See section 3.3.3.1 for
   details on how this field encodes the traversed realms.

authtime
   This field indicates the time of initial authentication for the named
   principal. It is the time of issue for the original ticket on which
   this ticket is based. It is included in the ticket to provide
   additional information to the end service, and to provide the
   necessary information for implementation of a 'hot list' service at
   the KDC. An end service that is particularly paranoid could refuse to
   accept tickets for which the initial authentication occurred "too far"
   in the past.

   This field is also returned as part of the response from the KDC. When
   returned as part of the response to initial authentication
   (KRB_AS_REP), this is the current time on the Kerberos server¹.

starttime
   This field in the ticket specifies the time after which the ticket is
   valid. Together with endtime, this field specifies the life of the
   ticket. If it is absent from the ticket, its value should be treated
   as that of the authtime field.

endtime
   This field contains the time after which the ticket will not be
   honored (its expiration time). Note that individual services may place
   their own limits on the life of a ticket and may reject tickets which
   have not yet expired. As such, this is really an upper bound on the
   expiration time for the ticket.

renew-till
   This field is only present in tickets that have the RENEWABLE flag set
   in the flags field. It indicates the maximum endtime that may be
   included in a renewal. It can be thought of as the absolute expiration
   time for the ticket, including all renewals.

caddr
   This field in a ticket contains zero (if omitted) or more (if present)
   host addresses. These are the addresses from which the ticket can be
   used. If there are no addresses, the ticket can be used from any
   location. The decision by the KDC to issue or by the end server to
   accept zero-address tickets is a policy decision and is left to the
   Kerberos and end-service administrators; they may refuse to issue or
   accept such tickets. The suggested and default policy, however, is
   that such tickets will only be issued or accepted when additional
   information that can be used to restrict the use of the ticket is
   included in the authorization_data field. Such a ticket is a
   capability.

   Network addresses are included in the ticket to make it harder for an
   attacker to use stolen credentials. Because the session key is not
   sent over the network in cleartext, credentials can't be stolen simply
   by listening to the network; an attacker has to
3039(gain)X 3202(access)X 3432(to)X 3518(the)X 3640(session)X 3895(key)X 955 4460(\(perhaps)N 1253(through)X 1523(operating)X 1847(system)X 2090(security)X 2365(breaches)X 2668(or)X 2756(a)X 2812(careless)X 3087(user's)X 3299(unattended)X 3671(session\))X 3949(to)X 955 4556(make)N 1149(use)X 1276(of)X 1363(stolen)X 1574(tickets.)X 955 4748(It)N 1027(is)X 1103(important)X 1437(to)X 1522(note)X 1683(that)X 1826(the)X 1947(network)X 2233(address)X 2497(from)X 2676(which)X 2895(a)X 2954(connection)X 3329(is)X 3404(received)X 3699(cannot)X 3935(be)X 955 4844(reliably)N 1223(determined.)X 1646(Even)X 1833(if)X 1904(it)X 1970(could)X 2170(be,)X 2288(an)X 2386(attacker)X 2663(who)X 2823(has)X 2952(compromised)X 3410(the)X 3530(client's)X 3788(works-)X 955 4940(tation)N 1170(could)X 1381(use)X 1521(the)X 1651(credentials)X 2031(from)X 2219(there.)X 2452(Including)X 2791(the)X 2921(network)X 3216(addresses)X 3556(only)X 3730(makes)X 3967(it)X 955 5036(more)N 1145(dif\256cult,)X 1443(not)X 1570(impossible,)X 1961(for)X 2080(an)X 2181(attacker)X 2461(to)X 2548(walk)X 2729(off)X 2848(with)X 3015(stolen)X 3230(credentials)X 3602(and)X 3742(then)X 3904(use)X 955 5132(them)N 1135(from)X 1311(a)X 1367("safe")X 1583(location.)X 3 f 555 5352(authorization-data)N 1 f 8 s 10 f 555 5432(hhhhhhhhhhhhhhhhhh)N 6 s 1 f 555 5507(1)N 8 s 611 5526(This)N 747(time)X 883(value)X 1043(might)X 1215(be)X 1297(used)X 1435(\(at)X 1523(the)X 1622(host's)X 1796(option\))X 2002(to)X 2073(adjust)X 2247(the)X 2346(workstation's)X 2715(clock.)X 2906(HOWEVER,)X 3262(this)X 3376(is)X 3440(not)X 3543(recom-)X 555 5606(mended,)N 799(since)X 956(the)X 1060(client)X 1228(cannot)X 1424(determine)X 1705(that)X 1826(such)X 1968(a)X 2021(KRB_AS_REP)X 2442(actually)X 2669(came)X 2828(from)X 2977(the)X 3080(proper)X 3271(KDC)X 3431(in)X 3506(a)X 3559(timely)X 555 5686(manner)N 762(unless)X 938(the)X 1032(enclosed)X 1271(ticket)X 1429(can)X 1533(be)X 1609(used)X 1742(in)X 1808(communication)X 2222(with)X 2352(a)X 
                                DRAFT 4

authorization-data
   The authorization-data field is used to pass authorization data from
   the principal on whose behalf a ticket was issued to the application
   service.  If no authorization data is included, this field will be
   left out.  The data in this field are specific to the end service.
   It is expected that the field will contain the names of
   service-specific objects, and the rights to those objects.  The
   format for this field is described in section 5.1.  Although Kerberos
   is not concerned with the format of the contents of the subfields, it
   does carry type information (ad-type).

   By using the authorization-data field, a principal is able to issue a
   proxy that is valid for a specific purpose.  For example, a client
   wishing to print a file can obtain a file server proxy to be passed
   to the print server.  By specifying the name of the file in the
   authorization-data field, the file server knows that the print server
   can only use the client's rights when accessing the particular file
   to be printed.

   It is interesting to note that if one specifies the
   authorization-data field of a proxy and leaves the host addresses
   blank, the resulting ticket and session key can be treated as a
   capability.  See [7] for some suggested uses of this field.

   The authorization-data field is optional and does not have to be
   included in a ticket.
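   The acceptance rules of section 5.2.1 (starttime defaulting to
   authtime, endtime as an upper bound that a service may tighten, a
   local limit on how old authtime may be, the caddr check, and the
   suggested default policy that a zero-address ticket is accepted only
   when authorization-data restricts its use) collected into one
   service-side check, together with the print-server proxy described
   above.  This is an added example, not code from this draft or from any
   Kerberos implementation.  It operates on a ticket that has already
   been decrypted into plain Python structures; the ad-type value
   AD_FILE_NAME, the numeric policy limits and the sample tickets are
   this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical ad-type: "the bearer may use the client's rights only on
# this file".  Real ad-type values are assigned in section 5.1, not here.
AD_FILE_NAME = 250

# Local policy knobs (assumed values; the draft leaves them to the
# Kerberos and end-service administrators).
MAX_TICKET_LIFE = timedelta(hours=10)   # endtime is only an upper bound
MAX_AUTH_AGE = timedelta(days=1)        # "hot list" style limit on authtime
CLOCK_SKEW = timedelta(minutes=5)


@dataclass
class Ticket:
    cname: str
    crealm: str
    authtime: datetime
    endtime: datetime
    starttime: Optional[datetime] = None            # absent: treated as authtime
    caddr: List[str] = field(default_factory=list)  # zero or more host addresses
    authorization_data: List[Tuple[int, str]] = field(default_factory=list)


def check_ticket(tkt: Ticket, client_addr: str, now: datetime,
                 requested_object: Optional[str] = None) -> Tuple[bool, str]:
    """End-service acceptance policy for a decrypted ticket.

    Returns (accepted, reason).  Each branch mirrors a rule stated in
    section 5.2.1; the numeric limits are this example's own.
    """
    start = tkt.starttime or tkt.authtime
    if now + CLOCK_SKEW < start:
        return False, "not yet valid (before starttime)"
    if now - CLOCK_SKEW > tkt.endtime:
        return False, "expired (after endtime)"
    if tkt.endtime - start > MAX_TICKET_LIFE:
        return False, "lifetime exceeds the service's own limit"
    if now - tkt.authtime > MAX_AUTH_AGE:
        return False, "initial authentication too far in the past"
    if tkt.caddr:
        # Addresses restrict where the ticket may be used.  As the text
        # warns, the observed peer address is not reliable; this only
        # raises the attacker's cost.
        if client_addr not in tkt.caddr:
            return False, "client address not in caddr"
    elif not tkt.authorization_data:
        # Suggested default policy: a zero-address ticket is accepted only
        # when authorization-data restricts what it may be used for.
        return False, "zero-address ticket without authorization-data"
    for ad_type, ad_data in tkt.authorization_data:
        if ad_type == AD_FILE_NAME and ad_data != requested_object:
            return False, "authorization-data restricts use to another object"
    return True, "accepted"


def demo() -> dict:
    """Constructed tickets exercising each rule (sample data, not captured)."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    base = dict(cname="alice", crealm="ATHENA.MIT.EDU",
                authtime=t0, endtime=t0 + timedelta(hours=8))
    addressed = Ticket(caddr=["10.0.0.7"], **base)
    # The print-server proxy from the text: no addresses, one file only.
    proxy = Ticket(authorization_data=[(AD_FILE_NAME, "/u/alice/report.ps")], **base)
    bare = Ticket(**base)
    stale = Ticket(caddr=["10.0.0.7"], cname="alice", crealm="ATHENA.MIT.EDU",
                   authtime=t0 - timedelta(days=2), starttime=t0,
                   endtime=t0 + timedelta(hours=8))
    later = t0 + timedelta(minutes=30)
    return {
        "addressed_ok": check_ticket(addressed, "10.0.0.7", later),
        "wrong_addr": check_ticket(addressed, "10.0.0.9", later),
        "proxy_right_file": check_ticket(proxy, "10.0.0.9", later, "/u/alice/report.ps"),
        "proxy_wrong_file": check_ticket(proxy, "10.0.0.9", later, "/etc/passwd"),
        "capability_without_ad": check_ticket(bare, "10.0.0.7", later),
        "expired": check_ticket(addressed, "10.0.0.7", t0 + timedelta(hours=9)),
        "stale_authtime": check_ticket(stale, "10.0.0.7", later),
    }
```

   The proxy case shows why the text calls such a ticket a capability:
   it is usable from any address, but only for the one object named in
   authorization-data, so a print server that has it gains nothing
   beyond the right to read that file.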
5.2.2.  Authenticators

   An authenticator is a record sent with a ticket to a server to
   certify the client's knowledge of the encryption key in the ticket,
   to help the server detect replays, and to help choose a "true session
   key" to use with the particular session.  The encoding is encrypted
   in the ticket's session key shared by the client and the server:

   -- Unencrypted authenticator
   Authenticator ::=    [APPLICATION 2] SEQUENCE {
                        authenticator-vno[0]    INTEGER,
                        crealm[1]               Realm,
                        cname[2]                PrincipalName,
                        cksum[3]                Checksum OPTIONAL,
                        cusec[4]                INTEGER,
                        ctime[5]                KerberosTime,
                        subkey[6]               EncryptionKey OPTIONAL,
                        seq-number[7]           INTEGER OPTIONAL
   }

authenticator-vno
   This field specifies the version number for the format of the
   authenticator.  This document specifies version 5.

crealm and cname
   These fields are the same as those described for the ticket in
   section 5.2.1.

cksum
   This field contains a checksum of the application data that
   accompanies the KRB_AP_REQ.

cusec
   This field contains the microsecond part of the client's timestamp.
   Its value (before encryption) ranges from 0 to 999999.  It often
   appears along with ctime.  The two fields are used together to
   specify a reasonably accurate timestamp.

ctime
   This field contains the current time on the client's host.

subkey
   This field contains the client's choice for an encryption key which
   is to be used to protect this specific application session.

seq-number
   This optional field includes the initial sequence number to be used
   by the KRB_PRIV or KRB_SAFE messages when sequence numbers are used
   to detect replays (it may also be used by application-specific
   messages).  When included in the authenticator, this field specifies
   the initial sequence number for messages from the client to the
   server.  When included in the AP-REP message, the initial sequence
   number is that for messages from the server to the client.  When
   used in KRB_PRIV or KRB_SAFE messages, it is incremented by one after
   each message is sent.

   For sequence numbers to adequately support the detection of replays,
   they should be non-repeating, even across connection boundaries.  The
   initial sequence number should be random and uniformly distributed
   across the full space of possible sequence numbers, so that it cannot
   be guessed by an attacker and so that it and the successive sequence
   numbers do not repeat other sequences.
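   What a server does with a decrypted authenticator, as an added
   example that is not code from this draft or from any Kerberos
   implementation: it checks authenticator-vno, the cusec range and the
   clock skew between ctime/cusec and its own clock, verifies cksum over
   the application data that accompanied the KRB_AP_REQ, keeps a replay
   cache keyed on crealm, cname and the client timestamp, and seeds a
   per-direction sequence counter from seq-number the way KRB_SAFE and
   KRB_PRIV would use it.  The five-minute skew window, the 32-bit
   sequence space, SHA-256 standing in for a Kerberos checksum type and
   the sample authenticator are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

CLOCK_SKEW = timedelta(minutes=5)   # assumed acceptable client/server skew
SEQ_MODULUS = 2 ** 32               # assumed width of seq-number (draft: INTEGER)


@dataclass(frozen=True)
class Authenticator:
    """The decrypted Authenticator of section 5.2.2 as plain Python."""
    authenticator_vno: int
    crealm: str
    cname: str
    ctime: datetime          # whole seconds, like KerberosTime
    cusec: int               # microsecond part, 0..999999
    cksum: Optional[bytes] = None
    subkey: Optional[bytes] = None
    seq_number: Optional[int] = None


def application_checksum(app_data: bytes) -> bytes:
    # Collision-resistant stand-in for a Kerberos checksum type (assumption);
    # a real server uses the checksum type agreed for the session key.
    return hashlib.sha256(app_data).digest()


class ReplayCache:
    """Server-side replay detection keyed on (crealm, cname, ctime+cusec)."""

    def __init__(self) -> None:
        self._seen: Set[Tuple[str, str, datetime]] = set()

    def accept(self, auth: Authenticator, now: datetime,
               app_data: bytes = b"") -> Tuple[bool, str]:
        if auth.authenticator_vno != 5:
            return False, "unsupported authenticator-vno"
        if not 0 <= auth.cusec <= 999999:
            return False, "cusec out of range"
        stamp = auth.ctime + timedelta(microseconds=auth.cusec)
        if abs(now - stamp) > CLOCK_SKEW:
            return False, "clock skew too great"
        if auth.cksum is not None and auth.cksum != application_checksum(app_data):
            return False, "checksum mismatch"
        # Entries whose stamp left the skew window can be dropped: a replay
        # of them is already rejected by the skew check above.
        self._seen = {k for k in self._seen if now - k[2] <= CLOCK_SKEW}
        key = (auth.crealm, auth.cname, stamp)
        if key in self._seen:
            return False, "replay"
        self._seen.add(key)
        return True, "ok"


class SequenceCounter:
    """One direction of KRB_SAFE/KRB_PRIV sequence numbers.

    The client-to-server counter is seeded from the authenticator's
    seq-number, the server-to-client counter from the AP-REP's."""

    @staticmethod
    def initial() -> int:
        # Random and uniform over the full space, as the text requires.
        return secrets.randbelow(SEQ_MODULUS)

    def __init__(self, initial: int) -> None:
        self.next_expected = initial % SEQ_MODULUS

    def next_to_send(self) -> int:
        n = self.next_expected
        self.next_expected = (n + 1) % SEQ_MODULUS
        return n

    def check_received(self, seq: int) -> bool:
        """Accept only the exact next number: a repeat or a gap is rejected."""
        if seq != self.next_expected:
            return False
        self.next_expected = (seq + 1) % SEQ_MODULUS
        return True


def demo() -> dict:
    """Constructed KRB_AP_REQ handling: first use, replay, tampering, stale."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    app_data = b"GET /u/alice/report.ps"            # constructed application data
    auth = Authenticator(5, "ATHENA.MIT.EDU", "alice", t0, 123456,
                         cksum=application_checksum(app_data),
                         seq_number=0x7A3F1C20)     # constructed initial seq-number
    cache = ReplayCache()
    first = cache.accept(auth, t0 + timedelta(seconds=2), app_data)
    replay = cache.accept(auth, t0 + timedelta(seconds=30), app_data)
    tampered = cache.accept(auth, t0 + timedelta(seconds=3), b"GET /etc/passwd")
    stale = cache.accept(auth, t0 + timedelta(minutes=20), app_data)
    client = SequenceCounter(auth.seq_number)
    server = SequenceCounter(auth.seq_number)
    sent = [client.next_to_send() for _ in range(3)]
    in_order = [server.check_received(s) for s in sent]
    replayed = server.check_received(sent[1])
    return {"first": first, "replay": replay, "tampered": tampered, "stale": stale,
            "sent": sent, "in_order": in_order, "replayed": replayed}
```

   The cache is only as good as the skew window: an authenticator older
   than the window is rejected outright, so the server need only
   remember timestamps inside it, which bounds the cache without
   weakening replay detection.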
5.3.  Specifications for the AS and TGS exchanges

   This section specifies the format of the messages used in exchange
   between the client and the Kerberos server.  The format of possible
   error messages appears in section 5.7.1.

5.3.1.  KRB_KDC_REQ definition

   The KRB_KDC_REQ message has no type of its own.  Instead, its type is
   one of KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is
   for an initial ticket or an additional ticket.  In either case, the
   message is sent from the client to the Authentication Server to
   request credentials for a service.

   The message fields are:

   KDC-REQ ::=        [APPLICATION 10 or 12[2]] SEQUENCE {
                      pvno[1]               INTEGER,
                      msg-type[2]           INTEGER,
                      padata[3]             SEQUENCE OF PA-DATA OPTIONAL,
                      req-body[4]           KDC-REQ-BODY
   }

   PA-DATA ::=        SEQUENCE {
                      padata-type[1]        INTEGER,
                      pa-data[2]            OCTET STRING,
                                            -- might be encoded AP-REQ
   }

   KDC-REQ-BODY ::=   SEQUENCE {
                       kdc-options[0]       KDCOptions,
                       cname[1]             PrincipalName OPTIONAL,
                                            -- Used only in AS-REQ
                       realm[2]             Realm, -- Server's realm
                                            -- Also client's in AS-REQ
                       sname[3]             PrincipalName,
                       from[4]              KerberosTime OPTIONAL,
                       till[5]              KerberosTime,
                       rtime[6]             KerberosTime OPTIONAL,
                       nonce[7]             INTEGER,
                       etype[8]             INTEGER, -- EncryptionType
                       addresses[9]         HostAddresses OPTIONAL,
                       enc-authorization-data[10]
                                            EncryptedData OPTIONAL,
                                            -- Encrypted AuthorizationData encoding
                       additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
   }

   __________________
   [2] [APPLICATION 10 or 12] is not valid ASN.1 notation.  The two
   types of messages (AS-REQ and TGS-REQ) have different application
   codes, but the format for the remainder of the message is identical.

   The fields in this message are:

pvno
   This field is included in each message, and specifies the protocol
   version number.  This document specifies protocol version 5.

msg-type
   This field indicates the type of a protocol message.  It will almost
   always be the same as the application identifier associated with a
   message.  It is included to make the identifier more readily
   accessible to the application.  For the KDC-REQ message, this type
   will be KRB_AS_REQ or KRB_TGS_REQ.

padata
   The padata (pre-authentication data) field contains a sequence of
   authentication information which may be needed before credentials
   can be issued or decrypted.  In the case of requests for additional
   tickets (KRB_TGS_REQ), this field will include an element with
   padata-type of PA-TGS-REQ and pa-data of an authentication header
   (ticket-granting ticket and authenticator).  The checksum in the
   authenticator (which must be collision-proof) is to be computed over
   the KDC-REQ-BODY encoding.  In most requests for initial
   authentication (KRB_AS_REQ) and most replies (KDC-REP), the padata
   field will be left out.  This field may also contain information
   needed by certain extensions to the Kerberos protocol.  For example,
   it might be used to initially verify the identity of a client before
   any response is returned, or it might contain information needed to
   help the KDC or the client select the key needed for generating or
   decrypting the response.  The latter cases would be useful for
   supporting the use of certain "smartcards" with Kerberos.  The
   details of such extensions are not presently specified.

padata-type
   The padata-type element of the padata field indicates the way that
   the pa-data element is to be interpreted.  Negative values of
   padata-type are reserved for unregistered use; non-negative values
   are used for a registered interpretation of the element type.

req-body
   This field is a placeholder delimiting the extent of the remaining
   fields.  If a checksum is to be calculated over the request, it is
   calculated over an encoding of the KDC-REQ-BODY sequence which is
   enclosed within the req-body field.

kdc-options
   This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
   KDC and indicates the flags that the client wants set on the tickets
   as well as other information that is to modify the behavior of the
   KDC.  Where appropriate, the name of an option may be the same as the
   flag that is set by that option.  Although in most cases the bit in
   the options field will be the same as that in the flags field, this
   is not guaranteed, so it is not acceptable to simply copy the options
   field to the flags field.  There are various checks that must be made
   before honoring an option anyway.

   The kdc-options field is a bit-field, where the selected options are
   indicated by the bit being set (1), and the unselected options and
   reserved fields being reset (0).  The encoding of the bits is
   specified in section 5.1.  The options are described in more detail
   above in section 2.  The meanings of the options are:

   Bit(s)  Name             Description

   0       RESERVED         Reserved for future expansion of this field.

   1       FORWARDABLE      The FORWARDABLE option indicates that the
                            ticket to be issued is to have its
                            forwardable flag set.  It may only be set on
                            the initial request, or in a subsequent
                            request if the ticket-granting ticket on
                            which it is based is also forwardable.

   2       FORWARDED        The FORWARDED option is only specified in a
                            request to the ticket-granting server and
                            will only be honored if the ticket-granting
                            ticket in the request has its FORWARDABLE
                            bit set.  This option indicates that this is
                            a request for forwarding.  The address(es)
                            of the host from which the resulting ticket
                            is to be valid are included in the addresses
                            field of the request.

   3       PROXIABLE        The PROXIABLE option indicates that the
                            ticket to be issued is to have its proxiable
                            flag set.  It may only be set on the initial
                            request, or in a subsequent request if the
                            ticket-granting ticket on which it is based
                            is also proxiable.

   4       PROXY            The PROXY option indicates that this is a
                            request for a proxy.  This option will only
                            be honored if the ticket-granting ticket in
                            the request has its PROXIABLE bit set.  The
                            address(es) of the host from which the
                            resulting ticket is to be valid are included
                            in the addresses field of the request.

   5       ALLOW-POSTDATE   The ALLOW-POSTDATE option indicates that the
                            ticket to be issued is to have its
                            MAY-POSTDATE flag set.  It may only be set
                            on the initial request, or in a subsequent
                            request if the ticket-granting ticket on
                            which it is based also has its MAY-POSTDATE
                            flag set.

   6       POSTDATED        The POSTDATED option indicates that this is
                            a request for a postdated ticket.  This
                            option will only be honored if the
                            ticket-granting ticket on which it is based
                            has its MAY-POSTDATE flag set.  The
                            resulting ticket will also have its INVALID
                            flag set, and that flag may be reset by a
                            subsequent request to the KDC after the
                            starttime in the ticket has been reached.

   7       UNUSED           This option is presently unused.

   8       RENEWABLE        The RENEWABLE option indicates that the
                            ticket to be issued is to have its RENEWABLE
                            flag set.  It may only be set on the initial
                            request, or when the ticket-granting ticket
                            on which the request is based is also
                            renewable.  If this option is requested,
                            then the rtime field in the request contains
                            the desired absolute expiration time for the
                            ticket.

   9-26    RESERVED         Reserved for future use.

   27      RENEWABLE-OK     The RENEWABLE-OK option indicates that a
                            renewable ticket will be acceptable if a
                            ticket with the requested life cannot
                            otherwise be provided.  If a ticket with the
                            requested life cannot be provided, then a
                            renewable ticket may be issued with a
                            renew-till equal to the requested endtime.
                            The value of the renew-till field may still
                            be limited by local limits, or limits
                            selected by the individual principal or
                            server.

   28      ENC-TKT-IN-SKEY  This option is used only by the
                            ticket-granting service.  The
                            ENC-TKT-IN-SKEY option indicates that the
                            ticket for the end server is to be encrypted
                            in the session key from the additional
                            ticket-granting ticket provided.

   29      RESERVED         Reserved for future use.

   30      RENEW            This option is used only by the
                            ticket-granting service.  The RENEW option
                            indicates that the present request is for a
                            renewal.  The ticket provided is encrypted
                            in the secret key for the server on which it
                            is valid.  This option will only be honored
                            if the ticket to be renewed has its
                            RENEWABLE flag set and if the time in its
                            renew-till field has not passed.  The ticket
                            to be renewed is passed in the padata field
                            as part of the authentication header.

   31      VALIDATE         This option is used only by the
                            ticket-granting service.  The VALIDATE
                            option indicates that the request is to
                            validate a postdated ticket.  It will only
                            be honored if the ticket presented is
                            postdated, presently has its INVALID flag
                            set, and would be otherwise usable at this
                            time.  A ticket cannot be validated before
                            its starttime.  The ticket presented for
                            validation is encrypted in the key of the
                            server for which it is valid and is passed
                            in the padata field as part of the
                            authentication header.
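   The kdc-options handling described above, as an added example that
   is not the draft's or any implementation's code: encoding and
   decoding the bit-field (assuming, as for an ASN.1 BIT STRING, that
   bit 0 is the most significant bit of the first octet and that the
   field is 32 bits wide), refusing reserved or unused bits, and then
   deciding which options the ticket-granting service honors from the
   flags of the ticket presented in the authentication header rather
   than copying the options field into the flags field.  Ticket flag
   names are the ones used in the table; their bit positions in the
   ticket's flags field are not given here, so the presented ticket
   carries its flags as a set of names.  The sample request and the
   ten-hour maximum ticket life are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set

# Bit numbers from the kdc-options table above.  Encoding assumption: a
# 32-bit ASN.1 BIT STRING with bit 0 as the most significant bit of the
# first octet.  Bits 0, 7, 9-26 and 29 are reserved or unused.
OPTION_BITS: Dict[str, int] = {
    "FORWARDABLE": 1, "FORWARDED": 2, "PROXIABLE": 3, "PROXY": 4,
    "ALLOW-POSTDATE": 5, "POSTDATED": 6, "RENEWABLE": 8,
    "RENEWABLE-OK": 27, "ENC-TKT-IN-SKEY": 28, "RENEW": 30, "VALIDATE": 31,
}
BIT_OPTIONS = {bit: name for name, bit in OPTION_BITS.items()}


def encode_options(names: Iterable[str]) -> bytes:
    word = 0
    for name in names:
        word |= 1 << (31 - OPTION_BITS[name])
    return word.to_bytes(4, "big")


def decode_options(data: bytes) -> Set[str]:
    """Decode the bit-field, refusing any reserved or unused bit."""
    if len(data) != 4:
        raise ValueError("kdc-options is 32 bits in this example")
    word = int.from_bytes(data, "big")
    names: Set[str] = set()
    for bit in range(32):
        if (word >> (31 - bit)) & 1:
            if bit not in BIT_OPTIONS:
                raise ValueError(f"reserved kdc-options bit {bit} set")
            names.add(BIT_OPTIONS[bit])
    return names


@dataclass
class Presented:
    """Ticket carried in the padata authentication header: the TGT, or the
    ticket to be renewed or validated.  Flags are the ticket flag names
    used in the table; their bit positions are not part of this example."""
    flags: Set[str]
    starttime: datetime
    endtime: datetime
    renew_till: Optional[datetime] = None


# option -> (flag it asks for, flag the presented ticket must already carry)
FLAG_REQUESTS = {
    "FORWARDABLE": ("FORWARDABLE", "FORWARDABLE"),
    "FORWARDED": ("FORWARDED", "FORWARDABLE"),
    "PROXIABLE": ("PROXIABLE", "PROXIABLE"),
    "PROXY": ("PROXY", "PROXIABLE"),
    "ALLOW-POSTDATE": ("MAY-POSTDATE", "MAY-POSTDATE"),
    "POSTDATED": ("POSTDATED", "MAY-POSTDATE"),
    "RENEWABLE": ("RENEWABLE", "RENEWABLE"),
}


def tgs_decide(options: Set[str], tkt: Presented, now: datetime, till: datetime,
               rtime: Optional[datetime] = None,
               max_life: timedelta = timedelta(hours=10)) -> dict:
    """Apply the table's dependency checks to a TGS request.

    Returns the flags for the ticket to be issued, its endtime and
    renew-till, and the options that were refused.  The options field is
    never copied into the flags field."""
    flags: Set[str] = set()
    refused: List[str] = []
    for opt, (flag, needed) in FLAG_REQUESTS.items():
        if opt in options:
            if needed in tkt.flags:
                flags.add(flag)
            else:
                refused.append(opt)
    if "POSTDATED" in flags:
        flags.add("INVALID")          # cleared only by a later VALIDATE request
    if "RENEW" in options and ("RENEWABLE" not in tkt.flags
                               or tkt.renew_till is None or now > tkt.renew_till):
        refused.append("RENEW")
    if "VALIDATE" in options and ("INVALID" not in tkt.flags or now < tkt.starttime):
        refused.append("VALIDATE")
    endtime = min(till, now + max_life)        # assumed local limit on life
    renew_till = rtime if "RENEWABLE" in flags else None
    if renew_till is None and "RENEWABLE-OK" in options and till > endtime:
        # The requested life cannot be provided: fall back to a renewable
        # ticket whose renew-till is the requested endtime.
        flags.add("RENEWABLE")
        renew_till = till
    return {"flags": flags, "endtime": endtime, "renew_till": renew_till, "refused": refused}


def demo() -> dict:
    """Constructed request (FORWARDED, PROXY, RENEWABLE-OK) against a TGT
    that is forwardable and renewable but not proxiable."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    tgt = Presented(flags={"FORWARDABLE", "RENEWABLE"}, starttime=t0,
                    endtime=t0 + timedelta(hours=8), renew_till=t0 + timedelta(days=7))
    wire = encode_options(["FORWARDED", "PROXY", "RENEWABLE-OK"])
    options = decode_options(wire)
    decision = tgs_decide(options, tgt, now=t0 + timedelta(hours=1),
                          till=t0 + timedelta(days=1))
    try:
        decode_options(bytes.fromhex("01000000"))   # bit 7 (UNUSED) set
        reserved_rejected = False
    except ValueError:
        reserved_rejected = True
    return {"wire": wire.hex(), "options": options, "decision": decision,
            "reserved_rejected": reserved_rejected}
```

   Refusing reserved bits at decode time matters because the KDC would
   otherwise accept a request it cannot fully interpret, and deciding
   flags from the presented ticket rather than the request is what keeps
   a client from granting itself PROXY or FORWARDED rights its own TGT
   never carried.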
3673(is)X 3757(postdated,)X 4115(presently)X 2105 3168(has)N 2239(its)X 2341(INVALID)X 2702(\257ag)X 2848(set,)X 2983(and)X 3125(would)X 3351(be)X 3453(otherwise)X 3791(usable)X 4022(at)X 4106(this)X 4247(time.)X 2105 3264(A)N 2187(ticket)X 2389(cannot)X 2627(be)X 2727(validated)X 3045(before)X 3275(its)X 3 f 3374(starttime)X 1 f 3687(.)X 3751(The)X 3900(ticket)X 4101(presented)X 2105 3360(for)N 2223(validation)X 2567(is)X 2644(encrypted)X 2985(in)X 3071(the)X 3193(key)X 3333(of)X 3424(the)X 3546(server)X 3767(for)X 3885(which)X 4105(it)X 4173(is)X 4249(valid)X 2105 3456(and)N 2241(is)X 2314(passed)X 2548(in)X 2630(the)X 3 f 2748(padata)X 1 f 3003(\256eld)X 3165(as)X 3252(part)X 3397(of)X 3484(the)X 3602(authentication)X 4076(header.)X 3 f 555 3724(cname)N 1 f 798(and)X 3 f 934(sname)X 1 f 955 3820(These)N 1167(\256elds)X 1360(are)X 1479(the)X 1597(same)X 1782(as)X 1869(those)X 2058(described)X 2386(for)X 2500(the)X 2618(ticket)X 2816(in)X 2898(section)X 3145(5.2.1.)X 3 f 555 4040(enc-authorization-data)N 1 f 955 4136(The)N 3 f 1104(enc-authorization-data)X 1 f 1887(,)X 1931(if)X 2004(present)X 2260(\(and)X 2427(it)X 2495(can)X 2631(only)X 2797(be)X 2897(present)X 3152(in)X 3237(the)X 3358(TGS_REQ)X 3732(form\),)X 3958(is)X 955 4232(an)N 1065(encoding)X 1393(of)X 1494(the)X 1626(desired)X 3 f 1892(authorization-data)X 1 f 2566(encrypted)X 2917(under)X 3133(the)X 3264(sub-session)X 3666(key)X 3815(which)X 955 4328(appears)N 1221(in)X 1303(the)X 1421(authenticator)X 1860(in)X 1942(the)X 2060(KRB_AP_REQ)X 2586(in)X 2668(the)X 2786(pa-data)X 3043(\256eld.)X 3 f 555 4548(realm)N 1 f 955(This)X 1121(\256eld)X 1287(speci\256es)X 1587(the)X 1709(realm)X 1916(part)X 2064(of)X 2154(the)X 2275(server's)X 2553(principal)X 2861(identi\256er.)X 3213(In)X 3303(the)X 3424(AS)X 3549(exchange,)X 3896(this)X 955 4644(is)N 1028(also)X 1177(the)X 1295(realm)X 1498(part)X 1643(of)X 1730(the)X 1848(client's)X 2104(principal)X 2409(identi\256er.)X 3 f 555 4864(from)N 1 f 955(This)X 
1130(\256eld)X 1305(is)X 1391(included)X 1700(in)X 1795(the)X 1926(KRB_AS_REQ)X 2465(and)X 2614(KRB_TGS_REQ)X 3202(ticket)X 3412(requests)X 3707(when)X 3913(the)X 955 4960(requested)N 1283(ticket)X 1481(is)X 1554(to)X 1636(be)X 1732(postdated.)X 2079(It)X 2148(speci\256es)X 2444(the)X 2562(desired)X 2814(start)X 2972(time)X 3134(for)X 3248(the)X 3366(requested)X 3694(ticket.)X 3 f 555 5276(till)N 1 f 955(This)X 1117(\256eld)X 1279(contains)X 1566(the)X 1684(expiration)X 2029(date)X 2183(requested)X 2511(by)X 2611(the)X 2729(client)X 2927(in)X 3009(a)X 3065(ticket)X 3263(request.)X 3 f 555 5496(rtime)N 1 f 955(This)X 1121(\256eld)X 1287(is)X 1363(the)X 1484(requested)X 3 f 1815(renew-till)X 1 f 2168(time)X 2333(sent)X 2485(from)X 2664(a)X 2723(client)X 2924(to)X 3009(the)X 3130(KDC)X 3322(in)X 3407(a)X 3466(ticket)X 3667(request.)X 3962(It)X 955 5592(is)N 1028(optional.)X 3 f 555 5812(nonce)N 1 f 955(This)X 1126(\256eld)X 1297(is)X 1379(part)X 1533(of)X 1629(the)X 1756(KDC)X 1954(request)X 2215(and)X 2360(response.)X 2710(It)X 2788(it)X 2861(intended)X 3166(to)X 3257(hold)X 3428(a)X 3493(random)X 3766(number)X 555 6144(Section)N 815(5.3.1.)X 2196(-)X 2243(29)X 2343(-)X 30 p %%Page: 30 31 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 955 672(generated)N 1298(by)X 1408(the)X 1536(client.)X 1784(If)X 1868(the)X 1996(same)X 2191(number)X 2466(is)X 2549(included)X 2854(in)X 2945(the)X 3072(encrypted)X 3418(response)X 3728(from)X 3913(the)X 955 768(KDC,)N 1167(it)X 1234(provides)X 1533(evidence)X 1842(that)X 1985(the)X 2106(response)X 2410(is)X 2486(fresh)X 2670(and)X 2809(has)X 2939(not)X 3063(been)X 3237(replayed)X 3536(by)X 3638(an)X 3736(attacker.)X 955 864(Nonces)N 1228(must)X 1415(never)X 1626(be)X 1734(re-used.)X 2043(Ideally,)X 2317(it)X 2392(should)X 2636(be)X 2743(generated)X 3087(randomly,)X 3445(but)X 3578(if)X 3658(the)X 3787(correct)X 955 960(time)N 1117(is)X 1190(known,)X 1448(it)X 1512(may)X 1670(suf\256ce)X 8 s 1884 935(1)N 10 s 
960(.)Y 3 f 555 1180(etype)N 1 f 955(This)X 1117(\256eld)X 1279(speci\256es)X 1575(the)X 1693(desired)X 1945(encryption)X 2308(algorithm)X 2639(to)X 2721(be)X 2817(used)X 2984(in)X 3066(the)X 3184(response.)X 3 f 555 1400(addresses)N 1 f 955(This)X 1125(\256eld)X 1295(is)X 1375(included)X 1678(in)X 1767(the)X 1892(initial)X 2105(request)X 2364(for)X 2485(tickets,)X 2741(and)X 2884(optionally)X 3235(included)X 3538(in)X 3627(requests)X 3917(for)X 955 1496(additional)N 1307(tickets)X 1548(from)X 1736(the)X 1866(ticket-granting)X 2370(server.)X 2639(It)X 2720(speci\256es)X 3028(the)X 3158(addresses)X 3498(from)X 3686(which)X 3913(the)X 955 1592(requested)N 1292(ticket)X 1499(is)X 1581(to)X 1672(be)X 1777(valid.)X 2006(Normally)X 2342(it)X 2415(includes)X 2711(the)X 2838(addresses)X 3175(for)X 3298(the)X 3425(client's)X 3690(host.)X 3892(If)X 3975(a)X 955 1688(proxy)N 1163(is)X 1237(requested,)X 1586(this)X 1722(\256eld)X 1885(will)X 2030(contain)X 2287(other)X 2473(addresses.)X 2842(The)X 2988(contents)X 3276(of)X 3364(this)X 3499(\256eld)X 3661(are)X 3780(usually)X 955 1784(copied)N 1189(by)X 1289(the)X 1407(KDC)X 1596(into)X 1740(the)X 3 f 1858(caddr)X 1 f 2078(\256eld)X 2240(of)X 2327(the)X 2445(resulting)X 2745(ticket.)X 3 f 555 2004(additional-tickets)N 1 f 955 2100(Additional)N 1323(tickets)X 1558(may)X 1722(be)X 1824(optionally)X 2174(included)X 2476(in)X 2564(a)X 2626(request)X 2884(to)X 2972(the)X 3095(ticket-granting)X 3592(server.)X 3834(If)X 3913(the)X 955 2196(ENC-TKT-IN-SKEY)N 1668(option)X 1894(has)X 2023(been)X 2197(speci\256ed,)X 2524(then)X 2684(the)X 2804(session)X 3057(key)X 3195(from)X 3373(the)X 3492(additional)X 3833(ticket)X 955 2292(will)N 1108(be)X 1213(used)X 1389(in)X 1480(place)X 1679(of)X 1775(the)X 1902(server's)X 2185(key)X 2329(to)X 2419(encrypt)X 2688(the)X 2814(new)X 2976(ticket.)X 3222(If)X 3304(more)X 3497(than)X 3663(one)X 3807(option)X 955 2388(which)N 1176(requires)X 1459(additional)X 1803(tickets)X 2036(has)X 2167(been)X 
2343(speci\256ed,)X 2672(then)X 2834(the)X 2956(additional)X 3300(tickets)X 3533(are)X 3656(used)X 3827(in)X 3913(the)X 955 2484(order)N 1145(speci\256ed)X 1450(by)X 1550(the)X 1668(ordering)X 1960(of)X 2047(the)X 2165(options)X 2420(bits)X 2555(\(see)X 2705(kdc-options,)X 3123(above\).)X 755 2704(The)N 901(application)X 1278(code)X 1451(will)X 1596(be)X 1693(either)X 1897(ten)X 2016(\(10\))X 2170(or)X 2257(twelve)X 2491(\(12\))X 2645(depending)X 2999(on)X 3099(whether)X 3378(the)X 3496(request)X 3748(is)X 3821(for)X 3935(an)X 555 2800(initial)N 761(ticket)X 959(\(AS-REQ\))X 1322(or)X 1409(for)X 1523(an)X 1619(additional)X 1959(ticket)X 2157(\(TGS-REQ\).)X 755 2924(The)N 918(optional)X 1218(\256elds)X 1429(\()X 3 f 1456(addresses,)X 1843(authorization-data)X 1 f 2521(and)X 3 f 2675(additional-tickets)X 1 f 3270(\))X 3334(are)X 3470(only)X 3649(included)X 3962(if)X 555 3020(necessary)N 888(to)X 970(perform)X 1249(the)X 1367(operation)X 1690(speci\256ed)X 1995(in)X 2077(the)X 3 f 2195(kdc-options)X 1 f 2614(\256eld.)X 755 3144(It)N 829(should)X 1067(be)X 1168(noted)X 1371(that)X 1516(in)X 1602(KRB_TGS_REQ,)X 2201(the)X 2323(protocol)X 2614(version)X 2874(number)X 3143(appears)X 3413(twice)X 3611(and)X 3751(two)X 3895(dif-)X 555 3240(ferent)N 765(message)X 1058(types)X 1248(appear:)X 1526(the)X 1645(KRB_TGS_REQ)X 2221(message)X 2514(contains)X 2802(these)X 2988(\256elds)X 3182(as)X 3270(does)X 3438(the)X 3557(authentication)X 555 3336(header)N 790(\(KRB_AP_REQ\))X 1370(that)X 1510(is)X 1583(passed)X 1817(in)X 1899(the)X 3 f 2017(padata)X 1 f 2272(\256eld.)X 3 f 555 3528(5.3.2.)N 775(KRB_KDC_REP)X 1386(de\256nition)X 1 f 755 3652(The)N 906(KRB_KDC_REP)X 1491(message)X 1789(format)X 2029(is)X 2108(used)X 2281(for)X 2401(the)X 2525(reply)X 2716(from)X 2898(the)X 3022(KDC)X 3216(for)X 3335(either)X 3543(an)X 3644(initial)X 3855(\(AS\))X 555 3748(request)N 813(or)X 905(a)X 966(subsequent)X 1347(\(TGS\))X 1577(request.)X 1874(There)X 2087(is)X 2165(no)X 2270(message)X 
2567(type)X 2730(for)X 2849(KRB_KDC_REP.)X 3473(Instead,)X 3750(the)X 3873(type)X 555 3844(will)N 702(be)X 801(either)X 1007(KRB_AS_REP)X 1522(or)X 1612(KRB_TGS_REP.)X 2216(The)X 2364(key)X 2503(used)X 2673(to)X 2758(encrypt)X 3022(the)X 3143(ciphertext)X 3487(part)X 3635(of)X 3725(the)X 3846(reply)X 555 3940(depends)N 847(on)X 956(the)X 1083(message)X 1384(type.)X 1591(For)X 1731(KRB_AS_REP,)X 2272(the)X 2399(ciphertext)X 2749(is)X 2831(encrypted)X 3177(in)X 3268(the)X 3395(client's)X 3659(secret)X 3875(key,)X 555 4036(and)N 703(the)X 833(client's)X 1100(key)X 1247(version)X 1514(number)X 1790(is)X 1874(included)X 2181(in)X 2274(the)X 2403(key)X 2550(version)X 2817(number)X 3093(for)X 3218(the)X 3347(encrypted)X 3695(data.)X 3900(For)X 555 4132(KRB_TGS_REP,)N 1142(the)X 1266(ciphertext)X 1613(is)X 1692(encrypted)X 2035(in)X 2123(the)X 2247(session)X 2504(key)X 2646(from)X 2828(the)X 2952(ticket-granting)X 3450(ticket)X 3654(used)X 3826(in)X 3913(the)X 555 4228(request.)N 847(In)X 934(that)X 1074(case,)X 1253(no)X 1353(version)X 1609(number)X 1874(will)X 2018(present)X 2270(in)X 2352(the)X 2470(EncryptedData)X 2972(sequence.)X 755 4352(The)N 900(KRB_KDC_REP)X 1479(message)X 1771(contains)X 2058(the)X 2176(following)X 2507(\256elds:)X 8 s 10 f 555 5236(hhhhhhhhhhhhhhhhhh)N 6 s 1 f 555 5311(1)N 8 s 611 5330(Note,)N 771(however,)X 1026(that)X 1142(if)X 1201(the)X 1299(time)X 1433(is)X 1496(used)X 1633(as)X 1706(the)X 1804(nonce,)X 1992(one)X 2104(must)X 2249(make)X 2407(sure)X 2533(that)X 2649(the)X 2747(workstation)X 3068(time)X 3201(is)X 3263(monotonically)X 3652(in-)X 555 5410(creasing.)N 815(If)X 873(the)X 967(time)X 1097(is)X 1156(ever)X 1281(reset)X 1417(backwards,)X 1721(there)X 1864(is)X 1923(a)X 1967(small,)X 2138(but)X 2236(\256nite,)X 2400(probability)X 2697(that)X 2809(a)X 2853(nonce)X 3021(will)X 3137(be)X 3213(reused.)X 555 5504(\262)N 619([APPLICATION)X 1078(11)X 1161(or)X 1233(13])X 1337(is)X 1399(not)X 1500(valid)X 1647(ASN.1)X 1842(notation.)X 
2087(The)X 2205(two)X 2320(types)X 2474(of)X 2545(messages)X 2804(\(AS-REQ)X 3074(and)X 3184(TGS-REQ\))X 3493(have)X 3631(dif-)X 555 5584(ferent)N 726(application)X 1033(codes,)X 1217(but)X 1322(the)X 1423(format)X 1616(of)X 1692(the)X 1793(remainder)X 2074(of)X 2150(the)X 2251(message)X 2490(is)X 2555(identical)X 2797(\(before)X 3002(encryption)X 3297(of)X 3372(the)X 3472(encrypted)X 555 5664(part\).)N 10 s 555 6144(Section)N 815(5.3.2.)X 2196(-)X 2243(30)X 2343(-)X 31 p %%Page: 31 32 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 823 720(KDC-REP)N 1208(::=)X 1 f 1428([APPLICATION)X 2000(11)X 2100(or)X 2187(13\262])X 2354(SEQUENCE)X 2792({)X 1428 816(pvno[0])N 2950(INTEGER,)X 1428 912(msg-type[1])N 2950(INTEGER,)X 1428 1008(padata[2])N 2950(PA-DATA)X 3322(OPTIONAL,)X 1428 1104(crealm[3])N 2950(Realm,)X 1428 1200(cname[4])N 2950(PrincipalName,)X 1428 1296(ticket[5])N 2950(Ticket,)X 1428 1392(enc-part[6])N 2950(EncryptedData)X 3 f 823 1488(})N 649 1680(EncKDCRepPart)N 1270(::=)X 1 f 1490([APPLICATION)X 2062(25)X 2162(or)X 2249(26\263])X 2416(SEQUENCE)X 2854({)X 1490 1776(key[0])N 3012(EncryptionKey,)X 1490 1872(last-req[1])N 3012(LastReq,)X 1490 1968(nonce[2])N 3012(INTEGER,)X 1490 2064(key-expiration[3])N 3012(KerberosTime)X 3496(OPTIONAL,)X 1490 2160(\257ags[4])N 3012(TicketFlags,)X 1490 2256(authtime[5])N 3012(KerberosTime,)X 1490 2352(starttime[6])N 3012(KerberosTime)X 3496(OPTIONAL,)X 1490 2448(endtime[7])N 3012(KerberosTime,)X 1490 2544(renew-till[8])N 3012(KerberosTime)X 3496(OPTIONAL,)X 1490 2640(srealm[9])N 3012(Realm,)X 1490 2736(sname[10])N 3012(PrincipalName,)X 1490 2832(caddr[11])N 3012(HostAddresses)X 3513(OPTIONAL)X 3 f 649 2928(})N 555 3100(pvno)N 1 f 743(and)X 3 f 879(msg-type)X 1 f 955 3196(These)N 1189(\256elds)X 1404(are)X 1545(described)X 1895(above)X 2128(in)X 2231(section)X 2499(5.3.1.)X 3 f 2740(msg-type)X 1 f 3093(is)X 3187(either)X 3411(KRB_AS_REP)X 3944(or)X 955 3292(KRB_TGS_REP.)N 3 f 555 3512(padata)N 1 f 955(This)X 
1120(\256eld)X 1285(is)X 1361(described)X 1692(in)X 1777(detail)X 1978(above.)X 2233(One)X 2390(possible)X 2675(use)X 2805(for)X 2922(this)X 3060(\256eld)X 3225(is)X 3301(to)X 3386(encode)X 3636(an)X 3734(alternate)X 955 3608("mix-in")N 1259(string)X 1466(to)X 1553(be)X 1654(used)X 1826(with)X 1993(a)X 2054(string-to-key)X 2493(algorithm)X 2829(\(such)X 3028(as)X 3120(is)X 3198(described)X 3531(in)X 3618(6.3.2\).)X 3869(This)X 955 3704(ability)N 1186(is)X 1266(useful)X 1489(to)X 1578(ease)X 1744(transitions)X 2104(if)X 2180(a)X 2243(realm)X 2453(name)X 2654(needs)X 2864(to)X 2953(change)X 3207(\(e.g.)X 3376(when)X 3576(a)X 3638(company)X 3958(is)X 955 3800(acquired\);)N 1306(in)X 1393(such)X 1565(a)X 1626(case)X 1790(all)X 1895(existing)X 2173(password-derived)X 2769(entries)X 3008(in)X 3095(the)X 3217(KDC)X 3410(database)X 3711(would)X 3935(be)X 955 3896(\257agged)N 1211(as)X 1298(needing)X 1572(a)X 1628(special)X 1871(mix-in)X 2104(string)X 2306(until)X 2472(the)X 2590(next)X 2748(password)X 3071(change.)X 3 f 555 4116(crealm,)N 832(cname,)X 1095(srealm)X 1 f 1347(and)X 3 f 1483(sname)X 1 f 955 4212(These)N 1167(\256elds)X 1360(are)X 1479(the)X 1597(same)X 1782(as)X 1869(those)X 2058(described)X 2386(for)X 2500(the)X 2618(ticket)X 2816(in)X 2898(section)X 3145(5.2.1.)X 3 f 555 4432(ticket)N 1 f 955(The)X 1100(newly-issued)X 1543(ticket,)X 1761(from)X 1937(section)X 2184(5.2.1.)X 3 f 555 4652(enc-part)N 1 f 955(This)X 1121(\256eld)X 1287(is)X 1364(a)X 1424(place)X 1618(holder)X 1847(for)X 1965(the)X 2087(ciphertext)X 2432(and)X 2572(related)X 2815(information)X 3217(that)X 3361(forms)X 3572(the)X 3694(encrypted)X 955 4748(part)N 1105(of)X 1196(a)X 1256(message.)X 1592(The)X 1741(description)X 2121(of)X 2212(the)X 2334(encrypted)X 2675(part)X 2824(of)X 2915(the)X 3037(message)X 3333(follows)X 3597(each)X 3769(appear-)X 955 4844(ance)N 1123(of)X 1210(this)X 1345(\256eld.)X 1547(The)X 1692(encrypted)X 2029(part)X 2174(is)X 2247(encoded)X 2535(as)X 2622(described)X 
2950(in)X 3032(section)X 3279(6.1.)X 3 f 555 5064(key)N 1 f 955(This)X 1117(\256eld)X 1279(is)X 1352(the)X 1470(same)X 1655(as)X 1742(described)X 2070(for)X 2184(the)X 2302(ticket)X 2500(in)X 2582(section)X 2829(5.2.1.)X 3 f 555 5284(last-req)N 1 f 955(This)X 1124(\256eld)X 1293(is)X 1373(returned)X 1668(by)X 1775(the)X 1900(KDC)X 2096(and)X 2239(speci\256es)X 2542(the)X 2667(time\(s\))X 2921(of)X 3015(the)X 3140(last)X 3278(request)X 3537(by)X 3644(a)X 3706(principal.)X 955 5380(Depending)N 1338(on)X 1448(what)X 1634(information)X 2042(is)X 2125(available,)X 2465(this)X 2610(might)X 2826(be)X 2932(the)X 3060(last)X 3201(time)X 3373(that)X 3523(a)X 3589(request)X 3851(for)X 3975(a)X 955 5476(ticket-granting)N 1450(ticket)X 1651(was)X 1798(made,)X 2014(or)X 2103(the)X 2223(last)X 2356(time)X 2520(that)X 2662(a)X 2720(request)X 2974(based)X 3179(on)X 3281(a)X 3339(ticket-granting)X 3833(ticket)X 8 s 10 f 555 5556(hhhhhhhhhhhhhhhhhh)N 1 f 555 5650(\263)N 619(An)X 721(application)X 1029(code)X 1173(in)X 1247(the)X 1349(encrypted)X 1624(part)X 1747(of)X 1824(a)X 1876(message)X 2115(provides)X 2358(an)X 2441(additional)X 2720(check)X 2891(that)X 3010(the)X 3111(message)X 3350(was)X 3472(decrypted)X 555 5730(properly.)N 10 s 555 6144(Section)N 815(5.3.2.)X 2196(-)X 2243(31)X 2343(-)X 32 p %%Page: 32 33 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 955 672(was)N 1104(successful.)X 1498(It)X 1570(also)X 1722(might)X 1931(cover)X 2133(all)X 2236(servers)X 2487(for)X 2604(a)X 2663(realm,)X 2889(or)X 2979(just)X 3117(the)X 3238(particular)X 3569(server.)X 3829(Some)X 955 768(implementations)N 1518(may)X 1686(display)X 1947(this)X 2092(information)X 2499(to)X 2590(the)X 2717(user)X 2880(to)X 2971(aid)X 3098(in)X 3189(discovering)X 3592(unauthorized)X 955 864(use)N 1089(of)X 1183(one's)X 1384(identity.)X 1695(It)X 1771(is)X 1851(similar)X 2099(in)X 2187(spirit)X 2377(to)X 2465(the)X 2589(last)X 2726(login)X 2916(time)X 3084(displayed)X 3417(when)X 
3617(logging)X 3887(into)X 955 960(timesharing)N 1353(systems.)X 3 f 555 1180(nonce)N 1 f 955(This)X 1117(\256eld)X 1279(is)X 1352(described)X 1680(above)X 1892(in)X 1974(section)X 2221(5.3.1.)X 3 f 555 1400(key-expiration)N 1 f 955 1496(The)N 3 f 1105(key-expiration)X 1 f 1628(\256eld)X 1795(is)X 1873(part)X 2023(of)X 2115(the)X 2238(response)X 2544(from)X 2725(the)X 2848(KDC)X 3041(and)X 3181(speci\256es)X 3481(the)X 3603(time)X 3769(that)X 3913(the)X 955 1592(client's)N 1213(secret)X 1423(key)X 1561(is)X 1636(due)X 1774(to)X 1858(expire.)X 2121(The)X 2268(expiration)X 2614(might)X 2821(be)X 2918(the)X 3037(result)X 3236(of)X 3324(password)X 3648(aging)X 3847(or)X 3935(an)X 955 1688(account)N 1232(expiration.)X 1624(This)X 1793(\256eld)X 1962(will)X 2113(usually)X 2371(be)X 2474(left)X 2608(out)X 2737(of)X 2831(the)X 2956(TGS)X 3134(reply)X 3326(since)X 3518(the)X 3642(response)X 3949(to)X 955 1784(the)N 1075(TGS)X 1248(request)X 1501(is)X 1575(encrypted)X 1913(in)X 1996(a)X 2053(session)X 2305(key)X 2442(and)X 2579(no)X 2680(client)X 2879(information)X 3278(need)X 3451(be)X 3548(retrieved)X 3855(from)X 955 1880(the)N 1092(KDC)X 1300(database.)X 1656(It)X 1744(is)X 1836(up)X 1955(to)X 2056(the)X 2193(application)X 2588(client)X 2805(\(usually)X 3102(the)X 3238(login)X 3440(program\))X 3777(to)X 3877(take)X 955 1976(appropriate)N 1341(action)X 1557(\(such)X 1751(as)X 1838(notifying)X 2151(the)X 2269(user\))X 2450(if)X 2519(the)X 2637(expiration)X 2982(time)X 3144(is)X 3217(imminent.)X 3 f 555 2196(\257ags,)N 750(authtime,)X 1097(starttime,)X 1450(endtime,)X 1766(renew-till)X 1 f 2116(and)X 3 f 2252(caddr)X 1 f 955 2292(These)N 1174(\256elds)X 1374(are)X 1500(duplicates)X 1852(of)X 1946(those)X 2141(found)X 2354(in)X 2442(the)X 2566(encrypted)X 2909(portion)X 3166(of)X 3259(the)X 3383(attached)X 3677(ticket)X 3881(\(see)X 955 2388(section)N 1207(5.2.1\),)X 1439(provided)X 1749(so)X 1845(the)X 1968(client)X 2171(may)X 2334(verify)X 2551(they)X 2714(match)X 
2934(the)X 3056(intended)X 3356(request)X 3612(and)X 3752(to)X 3838(assist)X 955 2484(in)N 1042(proper)X 1277(ticket)X 1480(caching.)X 1795(If)X 1874(the)X 1997(message)X 2294(is)X 2371(of)X 2462(type)X 2624(KRB_TGS_REP,)X 3209(the)X 3 f 3331(caddr)X 1 f 3555(\256eld)X 3721(will)X 3869(only)X 955 2580(be)N 1059(\256lled)X 1251(in)X 1341(if)X 1418(the)X 1544(request)X 1804(was)X 1957(for)X 2079(a)X 2143(proxy)X 2358(or)X 2453(forwarded)X 2812(ticket,)X 3038(or)X 3133(if)X 3210(the)X 3335(user)X 3496(is)X 3576(substituting)X 3975(a)X 955 2676(subset)N 1176(of)X 1264(the)X 1383(addresses)X 1712(from)X 1889(the)X 2008(ticket)X 2207(granting)X 2495(ticket.)X 2734(If)X 2809(the)X 2928(client-requested)X 3462(addresses)X 3790(are)X 3909(not)X 955 2772(present)N 1225(or)X 1330(not)X 1470(used,)X 1674(then)X 1849(the)X 1984(addresses)X 2329(contained)X 2678(in)X 2777(the)X 2912(ticket)X 3127(will)X 3288(be)X 3401(the)X 3536(same)X 3738(as)X 3842(those)X 955 2868(included)N 1251(in)X 1333(the)X 1451(ticket-granting)X 1943(ticket.)X 3 f 12 s 555 3156(5.4.)N 747(Client/Server)X 1322(\(CS\))X 1532(message)X 1892(speci\256cations)X 1 f 10 s 755 3280(This)N 918(section)X 1166(speci\256es)X 1463(the)X 1582(format)X 1817(of)X 1905(the)X 2024(messages)X 2348(used)X 2515(for)X 2629(the)X 2747(authentication)X 3221(of)X 3308(the)X 3426(client)X 3624(to)X 3706(the)X 3824(appli-)X 555 3376(cation)N 771(server.)X 3 f 555 3568(5.4.1.)N 775(KRB_AP_REQ)X 1328(de\256nition)X 1 f 755 3692(The)N 918(KRB_AP_REQ)X 1462(message)X 1772(contains)X 2077(the)X 2213(Kerberos)X 2546(protocol)X 2851(version)X 3125(number,)X 3428(the)X 3564(message)X 3873(type)X 555 3788(KRB_AP_REQ,)N 1103(an)X 1201(options)X 1458(\256eld)X 1621(to)X 1704(indicate)X 1979(any)X 2116(options)X 2372(in)X 2455(use,)X 2603(and)X 2740(the)X 2859(ticket)X 3058(and)X 3195(authenticator)X 3635(themselves.)X 555 3884(The)N 700(KRB_AP_REQ)X 1226(message)X 1518(is)X 1591(often)X 1776(referred)X 2052(to)X 2134(as)X 2221(the)X 
2339("authentication)X 2846(header".)X 3 f 1086 4028(AP-REQ)N 1413(::=)X 1 f 1703([APPLICATION)X 2275(14])X 2402(SEQUENCE)X 2840({)X 1703 4124(pvno[0])N 2998(INTEGER,)X 1703 4220(msg-type[1])N 2998(INTEGER,)X 1703 4316(ap-options[2])N 2998(APOptions,)X 1703 4412(ticket[3])N 2998(Ticket,)X 1703 4508(authenticator[4])N 2998(EncryptedData)X 3 f 1086 4604(})N 1086 4796(APOptions)N 1483(::=)X 1 f 1703(BIT)X 1852(STRING)X 2161({)X 1703 4892(reserved\(0\),)N 1703 4988(use-session-key\(1\),)N 1703 5084(mutual-required\(2\))N 3 f 1086 5180(})N 555 5352(pvno)N 1 f 743(and)X 3 f 879(msg-type)X 1 f 955 5448(These)N 1167(\256elds)X 1360(are)X 1479(described)X 1807(above)X 2019(in)X 2101(section)X 2348(5.3.1.)X 3 f 2568(msg-type)X 1 f 2900(is)X 2973(KRB_AP_REQ.)X 3 f 555 5668(ap-options)N 1 f 955(This)X 1122(\256eld)X 1289(appears)X 1560(in)X 1647(the)X 1770(application)X 2151(request)X 2408(\(KRB_AP_REQ\))X 2993(and)X 3134(affects)X 3374(the)X 3497(way)X 3656(the)X 3779(request)X 955 5764(is)N 1033(processed.)X 1415(It)X 1488(is)X 1565(a)X 1625(bit-\256eld,)X 1922(where)X 2143(the)X 2265(selected)X 2548(options)X 2807(are)X 2930(indicated)X 3248(by)X 3352(the)X 3474(bit)X 3582(being)X 3784(set)X 3897(\(1\),)X 555 6144(Section)N 815(5.4.1.)X 2196(-)X 2243(32)X 2343(-)X 33 p %%Page: 33 34 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 955 672(and)N 1104(the)X 1235(unselected)X 1607(options)X 1875(and)X 2024(reserved)X 2330(\256elds)X 2536(being)X 2747(reset)X 2932(\(0\).)X 3099(The)X 3256(encoding)X 3582(of)X 3681(the)X 3811(bits)X 3958(is)X 955 768(speci\256ed)N 1260(in)X 1342(section)X 1589(5.1.)X 1749(The)X 1894(meanings)X 2221(of)X 2308(the)X 2426(options)X 2681(are:)X 2 f 955 912(Bit\(s\))N 1232(Name)X 2106(Description)X 1 f 955 1104(0)N 1232(RESERVED)X 2106(Reserved)X 2425(for)X 2539(future)X 2751(expansion)X 3096(of)X 3183(this)X 3318(\256eld.)X 955 1296(1)N 1232(USE-SESSION-KEY)X 2106(The)X 2262(USE-SESSION-KEY)X 2986(option)X 3220(indicates)X 
3535(that)X 3685(the)X 3813(ticket)X 4021(the)X 4149(client)X 4357(is)X 2106 1392(presenting)N 2465(to)X 2551(a)X 2611(server)X 2832(is)X 2909(encrypted)X 3250(in)X 3336(the)X 3458(session)X 3713(key)X 3853(from)X 4033(the)X 4155(server's)X 2106 1488(ticket-granting)N 2610(ticket.)X 2860(When)X 3084(this)X 3231(option)X 3466(is)X 3550(not)X 3683(speci\256ed,)X 4019(the)X 4148(ticket)X 4357(is)X 2106 1584(encrypted)N 2443(in)X 2525(the)X 2643(server's)X 2918(secret)X 3126(key.)X 955 1776(2)N 1232(MUTUAL-REQUIRED)X 2106(The)X 2278(MUTUAL-REQUIRED)X 3100(option)X 3351(tells)X 3531(the)X 3676(server)X 3920(that)X 4087(the)X 4232(client)X 2106 1872(requires)N 2419(mutual)X 2695(authentication,)X 3223(and)X 3393(that)X 3567(it)X 3664(must)X 3872(respond)X 4179(with)X 4374(a)X 2106 1968(KRB_AP_REP)N 2618(message.)X 955 2160(3-31)N 1232(RESERVED)X 2106(Reserved)X 2425(for)X 2539(future)X 2751(use.)X 3 f 555 2428(ticket)N 1 f 955(This)X 1117(\256eld)X 1279(is)X 1352(a)X 1408(ticket)X 1606(authenticating)X 2080(the)X 2198(client)X 2396(to)X 2478(the)X 2596(server.)X 3 f 555 2648(authenticator)N 1 f 955 2744(This)N 1119(contains)X 1408(the)X 1528(authenticator,)X 1989(which)X 2207(includes)X 2496(the)X 2616(client's)X 2874(choice)X 3106(of)X 3195(a)X 3253(subkey.)X 3542(Its)X 3643(encoding)X 3958(is)X 955 2840(described)N 1283(in)X 1365(section)X 1612(5.2.2.)X 3 f 555 3032(5.4.2.)N 775(KRB_AP_REP)X 1315(de\256nition)X 1 f 755 3156(The)N 905(KRB_AP_REP)X 1422(message)X 1719(contains)X 2011(the)X 2134(Kerberos)X 2454(protocol)X 2746(version)X 3006(number,)X 3295(the)X 3417(message)X 3713(type,)X 3895(and)X 555 3252(an)N 661(encrypted)X 1008(timestamp.)X 1411(The)X 1566(message)X 1868(is)X 1951(sent)X 2110(in)X 2202(in)X 2294(response)X 2605(to)X 2697(an)X 2803(application)X 3189(request)X 3451(\(KRB_AP_REQ\))X 555 3348(where)N 772(the)X 890(mutual)X 1132(authentication)X 1606(option)X 1830(has)X 1957(been)X 2129(selected)X 2408(in)X 2490(the)X 3 f 2608(ap-options)X 1 f 
2987(\256eld.)X 3 f 765 3492(AP-REP)N 1079(::=)X 1 f 1535([APPLICATION)X 2107(15])X 2234(SEQUENCE)X 2672({)X 1535 3588(pvno[0])N 2870(INTEGER,)X 1535 3684(msg-type[1])N 2870(INTEGER,)X 1535 3780(enc-part[2])N 2870(EncryptedData)X 3 f 765 3876(})N 765 4068(EncAPRepPart)N 1315(::=)X 1 f 1535([APPLICATION)X 2107(27\262])X 2274(SEQUENCE)X 2712({)X 1535 4164(ctime[0])N 2870(KerberosTime,)X 1535 4260(cusec[1])N 2870(INTEGER,)X 1535 4356(subkey[2])N 2870(EncryptionKey)X 3380(OPTIONAL,)X 1535 4452(seq-number[3])N 2870(INTEGER)X 3233(OPTIONAL)X 3 f 765 4548(})N 1 f 555 4692(The)N 702(encoded)X 992(EncAPRepPart)X 1499(is)X 1574(encrypted)X 1912(in)X 1995(the)X 2114(shared)X 2345(session)X 2597(key)X 2734(of)X 2822(the)X 2941(ticket.)X 3180(The)X 3326(optional)X 3 f 3609(subkey)X 1 f 3869(\256eld)X 555 4788(can)N 687(be)X 783(used)X 950(in)X 1032(an)X 1128 0.1645(application-arranged)AX 1813(negotiation)X 2193(to)X 2275(choose)X 2518(a)X 2574("true)X 2752(session)X 3003(key.")X 3 f 555 5008(pvno)N 1 f 743(and)X 3 f 879(msg-type)X 1 f 955 5104(These)N 1167(\256elds)X 1360(are)X 1479(described)X 1807(above)X 2019(in)X 2101(section)X 2348(5.3.1.)X 3 f 2568(msg-type)X 1 f 2900(is)X 2973(KRB_AP_REP.)X 3 f 555 5324(enc-part)N 1 f 955(This)X 1117(\256eld)X 1279(is)X 1352(described)X 1680(above)X 1892(in)X 1974(section)X 2221(5.3.2.)X 8 s 10 f 555 5490(hhhhhhhhhhhhhhhhhh)N 1 f 555 5584(\262)N 619(An)X 721(application)X 1029(code)X 1173(in)X 1247(the)X 1349(encrypted)X 1624(part)X 1747(of)X 1824(a)X 1876(message)X 2115(provides)X 2358(an)X 2441(additional)X 2720(check)X 2891(that)X 3010(the)X 3111(message)X 3350(was)X 3472(decrypted)X 555 5664(properly.)N 10 s 555 6144(Section)N 815(5.4.2.)X 2196(-)X 2243(33)X 2343(-)X 34 p %%Page: 34 35 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 555 672(ctime)N 1 f 955(This)X 1117(\256eld)X 1279(contains)X 1566(the)X 1684(current)X 1932(time)X 2094(on)X 2194(the)X 2312(client's)X 2568(host.)X 3 f 555 892(cusec)N 1 f 
955(This)X 1117(\256eld)X 1279(contains)X 1566(the)X 1684(microsecond)X 2114(part)X 2259(of)X 2346(the)X 2464(client's)X 2720(timestamp.)X 3 f 555 1112(subkey)N 1 f 955(This)X 1126(\256eld)X 1297(contains)X 1593(an)X 1698(encryption)X 2070(key)X 2215(which)X 2440(is)X 2522(to)X 2613(be)X 2718(used)X 2894(to)X 2985(protect)X 3237(this)X 3381(speci\256c)X 3655(application)X 955 1208(session.)N 1246(See)X 1382(section)X 1629(3.2.6)X 1809(for)X 1923(speci\256cs)X 2219(on)X 2319(how)X 2477(this)X 2612(\256eld)X 2774(is)X 2847(used)X 3014(to)X 3096(negotiate)X 3410(a)X 3466(key.)X 3 f 555 1400(5.4.3.)N 775(Error)X 996(message)X 1297(reply)X 1 f 755 1524(If)N 830(an)X 926(error)X 1103(occurs)X 1333(while)X 1531(processing)X 1894(the)X 2012(application)X 2388(request,)X 2660(the)X 2778(KRB_ERROR)X 3268(message)X 3560(will)X 3704(be)X 3800(sent)X 3949(in)X 555 1620(response.)N 899(See)X 1037(section)X 1286(5.7.1)X 1468(for)X 1584(the)X 1704(format)X 1940(of)X 2029(the)X 2149(error)X 2328(message.)X 2662(The)X 3 f 2809(cname)X 1 f 3054(and)X 3 f 3192(crealm)X 1 f 3451(\256elds)X 3646(may)X 3806(be)X 3904(left)X 555 1716(out)N 687(if)X 766(the)X 894(server)X 1121(cannot)X 1365(determine)X 1715(their)X 1891(appropriate)X 2286(values)X 2520(from)X 2705(the)X 2832(corresponding)X 3320(KRB_AP_REQ)X 3855(mes-)X 555 1812(sage.)N 758(If)X 832(the)X 950(authenticator)X 1389(was)X 1534(decipherable,)X 1985(the)X 3 f 2103(ctime)X 1 f 2311(and)X 3 f 2447(cusec)X 1 f 2650(\256elds)X 2843(will)X 2987(contain)X 3243(the)X 3361(values)X 3586(from)X 3762(it.)X 3 f 12 s 555 2004(5.5.)N 747(KRB_SAFE)X 1272(message)X 1632(speci\256cation)X 1 f 10 s 755 2128(This)N 921(section)X 1171(speci\256es)X 1470(the)X 1591(format)X 1828(of)X 1918(a)X 1977(message)X 2272(that)X 2415(can)X 2550(be)X 2649(used)X 2819(by)X 2922(either)X 3128(side)X 3280(\(client)X 3508(or)X 3598(server\))X 3845(of)X 3935(an)X 555 2224(application)N 934(to)X 1019(send)X 1189(a)X 1248(tamper-proof)X 1695(message)X 1990(to)X 
2075(its)X 2173(peer.)X 2375(It)X 2447(presumes)X 2773(that)X 2916(a)X 2975(session)X 3229(key)X 3368(has)X 3498(previously)X 3859(been)X 555 2320(exchanged)N 919(\(for)X 1060(example,)X 1372(by)X 1472(using)X 1665(the)X 1783(KRB_AP_REQ/KRB_AP_REP)X 2823(messages\).)X 3 f 555 2512(5.5.1.)N 775(KRB_SAFE)X 1212(de\256nition)X 1 f 755 2636(The)N 907(KRB_SAFE)X 1333(message)X 1631(contains)X 1924(user)X 2084(data)X 2244(along)X 2448(with)X 2616(a)X 2678(collision-proof)X 3180(checksum)X 3527(keyed)X 3745(with)X 3913(the)X 555 2732(session)N 806(key.)X 982(The)X 1127(message)X 1419(\256elds)X 1612(are:)X 3 f 732 2876(KRB-SAFE)N 1156(::=)X 1 f 1634([APPLICATION)X 2206(20])X 2333(SEQUENCE)X 2771({)X 1634 2972(pvno[0])N 2929(INTEGER,)X 1634 3068(msg-type[1])N 2929(INTEGER,)X 1634 3164(safe-body[2])N 2929(KRB-SAFE-BODY,)X 1634 3260(cksum[3])N 2929(Checksum)X 3 f 732 3356(})N 732 3548(KRB-SAFE-BODY)N 1414(::=)X 1 f 1634(SEQUENCE)X 2072({)X 1634 3644(user-data[0])N 2929(OCTET)X 3207(STRING,)X 1634 3740(timestamp[1])N 2929(KerberosTime)X 3413(OPTIONAL,)X 1634 3836(usec[2])N 2929(INTEGER)X 3292(OPTIONAL,)X 1634 3932(seq-number[3])N 2929(INTEGER)X 3292(OPTIONAL,)X 1634 4028(s-address[4])N 2929(HostAddress,)X 1634 4124(r-address[5])N 2929(HostAddress)X 3363(OPTIONAL)X 3 f 732 4220(})N 555 4584(pvno)N 1 f 743(and)X 3 f 879(msg-type)X 1 f 955 4680(These)N 1167(\256elds)X 1360(are)X 1479(described)X 1807(above)X 2019(in)X 2101(section)X 2348(5.3.1.)X 3 f 2568(msg-type)X 1 f 2900(is)X 2973(KRB_SAFE.)X 3 f 555 4900(safe-body)N 1 f 955(This)X 1134(\256eld)X 1313(is)X 1403(a)X 1476(placeholder)X 1888(for)X 2019(the)X 2154(body)X 2351(of)X 2455(the)X 2589(KRB-SAFE)X 3011(message.)X 3359(It)X 3444(is)X 3533(to)X 3631(be)X 3743(encoded)X 955 4996(separately)N 1301(and)X 1437(then)X 1595(have)X 1767(the)X 1885(checksum)X 2226(computed)X 2562(over)X 2725(it,)X 2809(for)X 2923(use)X 3050(in)X 3132(the)X 3 f 3250(cksum)X 1 f 3492(\256eld.)X 3 f 555 5216(cksum)N 1 f 955(This)X 1126(\256eld)X 
1297(contains)X 1593(the)X 1720(checksum)X 2070(of)X 2166(the)X 2293(application)X 2678(data.)X 2881(Checksum)X 3248(details)X 3486(are)X 3613(described)X 3949(in)X 955 5312(section)N 1231(6.4.)X 1420(The)X 1594(checksum)X 1964(is)X 2066(computed)X 2431(over)X 2622(the)X 2768(encoding)X 3110(of)X 3225(the)X 3371(KRB-SAFE-BODY)X 955 5408(sequence.)N 3 f 555 5628(user-data)N 1 f 955(This)X 1130(\256eld)X 1305(is)X 1391(part)X 1548(of)X 1647(the)X 1777(KRB_SAFE)X 2208(and)X 2356(KRB_PRIV)X 2774(messages)X 3109(and)X 3257(contain)X 3525(the)X 3655(application)X 955 5724(speci\256c)N 1220(data)X 1374(that)X 1514(is)X 1587(being)X 1785(passed)X 2019(from)X 2195(the)X 2313(sender)X 2543(to)X 2625(the)X 2743(recipient.)X 555 6144(Section)N 815(5.5.1.)X 2196(-)X 2243(34)X 2343(-)X 35 p %%Page: 35 36 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 555 672(timestamp)N 1 f 955(This)X 1127(\256eld)X 1299(is)X 1382(part)X 1537(of)X 1634(the)X 1762(KRB_SAFE)X 2191(and)X 2336(KRB_PRIV)X 2751(messages.)X 3123(Its)X 3232(contents)X 3528(are)X 3656(the)X 3783(current)X 955 768(time)N 1122(as)X 1214(known)X 1456(by)X 1560(the)X 1682(sender)X 1916(of)X 2007(the)X 2129(message.)X 2465(By)X 2582(checking)X 2896(the)X 3018(timestamp,)X 3395(the)X 3517(recipient)X 3822(of)X 3913(the)X 955 864(message)N 1247(is)X 1320(able)X 1474(to)X 1556(make)X 1750(sure)X 1904(that)X 2044(it)X 2108(was)X 2253(recently)X 2532(generated,)X 2885(and)X 3021(is)X 3094(not)X 3216(a)X 3272(replay.)X 3 f 555 1084(usec)N 1 f 955(This)X 1118(\256eld)X 1281(is)X 1355(part)X 1501(of)X 1589(the)X 1708(KRB_SAFE)X 2128(and)X 2265(KRB_PRIV)X 2672(headers.)X 2979(It)X 3049(contains)X 3337(the)X 3456(microsecond)X 3886(part)X 955 1180(of)N 1042(the)X 1160(timestamp.)X 3 f 555 1400(seq-number)N 1 f 955 1496(This)N 1117(\256eld)X 1279(is)X 1352(described)X 1680(above)X 1892(in)X 1974(section)X 2221(5.2.2.)X 3 f 555 1716(s-address)N 1 f 955(This)X 1117(\256eld)X 1279(speci\256es)X 1575(the)X 
1693(address)X 1954(in)X 2036(use)X 2163(by)X 2263(the)X 2381(sender)X 2611(of)X 2698(the)X 2816(message.)X 3 f 555 1936(r-address)N 1 f 955(This)X 1124(\256eld)X 1293(speci\256es)X 1596(the)X 1721(address)X 1989(in)X 2078(use)X 2212(by)X 2319(the)X 2444(recipient)X 2751(of)X 2844(the)X 2968(message.)X 3306(It)X 3381(may)X 3545(be)X 3647(omitted)X 3917(for)X 955 2032(some)N 1145(uses)X 1304(\(such)X 1499(as)X 1587(broadcast)X 1916(protocols\),)X 2282(but)X 2404(the)X 2522(recipient)X 2823(may)X 2981(arbitrarily)X 3322(reject)X 3521(such)X 3688(messages.)X 955 2128(This)N 1140(\256eld)X 1325(along)X 1546(with)X 3 f 1731(s-address)X 1 f 2094(can)X 2249(be)X 2368(used)X 2558(to)X 2663(help)X 2844(detect)X 3079(messages)X 3425(which)X 3664(have)X 3859(been)X 955 2224(incorrectly)N 1323(or)X 1410(maliciously)X 1803(delivered)X 2122(to)X 2204(the)X 2322(wrong)X 2547(recipient.)X 3 f 12 s 555 2416(5.6.)N 747(KRB_PRIV)X 1261(message)X 1621(speci\256cation)X 1 f 10 s 755 2540(This)N 921(section)X 1171(speci\256es)X 1470(the)X 1591(format)X 1828(of)X 1918(a)X 1977(message)X 2272(that)X 2415(can)X 2550(be)X 2649(used)X 2819(by)X 2922(either)X 3128(side)X 3280(\(client)X 3508(or)X 3598(server\))X 3845(of)X 3935(an)X 555 2636(application)N 936(to)X 1023(securely)X 1316(and)X 1457(privately)X 1767(send)X 1939(a)X 2000(message)X 2297(to)X 2384(its)X 2484(peer.)X 2688(It)X 2762(presumes)X 3089(that)X 3233(a)X 3293(session)X 3548(key)X 3688(has)X 3819(previ-)X 555 2732(ously)N 748(been)X 920(exchanged)X 1284(\(for)X 1425(example,)X 1737(by)X 1837(using)X 2030(the)X 2148(KRB_AP_REQ/KRB_AP_REP)X 3188(messages\).)X 3 f 555 2924(5.6.1.)N 775(KRB_PRIV)X 1204(de\256nition)X 1 f 755 3048(The)N 900(KRB_PRIV)X 1306(message)X 1598(contains)X 1885(user)X 2039(data)X 2193(encrypted)X 2530(in)X 2612(the)X 2730(Session)X 2994(Key.)X 3188(The)X 3333(message)X 3625(\256elds)X 3818(are:)X 3 f 555 3192(KRB-PRIV)N 971(::=)X 1 f 1369([APPLICATION)X 1941(21])X 2068(SEQUENCE)X 2506({)X 1369 
3288(pvno[0])N 2704(INTEGER,)X 1369 3384(msg-type[1])N 2704(INTEGER,)X 1369 3480(enc-part[3])N 2704(EncryptedData)X 3 f 555 3576(})N 555 3768(EncKrbPrivPart)N 1149(::=)X 1 f 1369([APPLICATION)X 1941(28\262])X 2108(SEQUENCE)X 2546({)X 1369 3864(user-data[0])N 2704(OCTET)X 2982(STRING,)X 1369 3960(timestamp[1])N 2704(KerberosTime)X 3188(OPTIONAL,)X 1369 4056(usec[2])N 2704(INTEGER)X 3067(OPTIONAL,)X 1369 4152(seq-number[3])N 2704(INTEGER)X 3067(OPTIONAL,)X 1369 4248(s-address[4])N 2704(HostAddress,)X 3158(--)X 3232(sender's)X 3520(addr)X 1369 4344(r-address[5])N 2704(HostAddress)X 3138(OPTIONAL)X 3559(--)X 3633(recip's)X 3872(addr)X 3 f 555 4440(})N 555 4708(pvno)N 1 f 743(and)X 3 f 879(msg-type)X 1 f 955 4804(These)N 1167(\256elds)X 1360(are)X 1479(described)X 1807(above)X 2019(in)X 2101(section)X 2348(5.3.1.)X 3 f 2568(msg-type)X 1 f 2900(is)X 2973(KRB_PRIV.)X 3 f 555 5024(enc-part)N 1 f 955(This)X 1128(\256eld)X 1301(holds)X 1505(an)X 1612(encoding)X 1937(of)X 2035(the)X 3 f 2163(EncKrbPrivPart)X 1 f 2767(sequence)X 3092(encrypted)X 3439(under)X 3652(the)X 3780(session)X 955 5120(key)N 8 s 1071 5095(1)N 10 s 5120(.)Y 1167(This)X 1333(encrypted)X 1674(encoding)X 1991(is)X 2067(used)X 2237(for)X 2354(the)X 3 f 2475(enc-part)X 1 f 2788(\256eld)X 2953(of)X 3043(the)X 3164(KRB-PRIV)X 3560(message.)X 3895(See)X 8 s 10 f 555 5200(hhhhhhhhhhhhhhhhhh)N 1 f 555 5294(\262)N 619(An)X 721(application)X 1029(code)X 1173(in)X 1247(the)X 1349(encrypted)X 1624(part)X 1747(of)X 1824(a)X 1876(message)X 2115(provides)X 2358(an)X 2441(additional)X 2720(check)X 2891(that)X 3010(the)X 3111(message)X 3350(was)X 3472(decrypted)X 555 5374(properly.)N 6 s 555 5449(1)N 8 s 611 5468(If)N 670(supported)X 939(by)X 1020(the)X 1115(encryption)X 1405(method)X 1614(in)X 1681(use,)X 1799(an)X 1876(initialization)X 2217(vector)X 2393(may)X 2520(be)X 2597(passed)X 2784(to)X 2851(the)X 2946(encryption)X 3236(procedure,)X 3523(in)X 3589(order)X 555 5548(to)N 621(achieve)X 831(proper)X 1013(cipher)X 
1188(chaining.)X 1456(The)X 1571(initialization)X 1911(vector)X 2086(might)X 2252(come)X 2406(from)X 2546(the)X 2640(last)X 2745(block)X 2903(of)X 2972(the)X 3066(ciphertext)X 3337(from)X 3477(the)X 3571(previ-)X 555 5628(ous)N 665(KRB_PRIV)X 996(message,)X 1249(but)X 1352(it)X 1409(is)X 1473(the)X 1572(application's)X 1923(choice)X 2110(whether)X 2336(or)X 2409(not)X 2511(to)X 2581(use)X 2686(such)X 2823(an)X 2903(initialization)X 3247(vector.)X 3458(If)X 3520(left)X 3625(out,)X 555 5708(the)N 649(default)X 842(initialization)X 1182(vector)X 1357(for)X 1447(the)X 1541(encryption)X 1830(algorithm)X 2095(will)X 2211(be)X 2287(used.)X 10 s 555 6144(Section)N 815(5.6.1.)X 2196(-)X 2243(35)X 2343(-)X 36 p %%Page: 36 37 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 955 672(section)N 1202(6)X 1262(for)X 1376(the)X 1494(format)X 1728(of)X 1815(the)X 1933(ciphertext.)X 3 f 555 892(user-data,)N 920(timestamp,)X 1321(usec,)X 1508(s-address)X 1 f 1848(and)X 3 f 1984(r-address)X 1 f 955 988(These)N 1167(\256elds)X 1360(are)X 1479(described)X 1807(above)X 2019(in)X 2101(section)X 2348(5.5.1.)X 3 f 555 1208(seq-number)N 1 f 955 1304(This)N 1117(\256eld)X 1279(is)X 1352(described)X 1680(above)X 1892(in)X 1974(section)X 2221(5.2.2.)X 3 f 12 s 555 1496(5.7.)N 747(Error)X 1012(message)X 1372(speci\256cation)X 1 f 10 s 755 1620(This)N 920(section)X 1170(speci\256es)X 1469(the)X 1590(format)X 1827(for)X 1944(the)X 2065(KRB_ERROR)X 2558(message.)X 2893(The)X 3041(\256elds)X 3237(included)X 3535(in)X 3619(the)X 3739(message)X 555 1716(are)N 678(intended)X 978(to)X 1064(return)X 1280(as)X 1371(much)X 1573(information)X 1975(as)X 2066(possible)X 2352(about)X 2554(an)X 2654(error.)X 2875(It)X 2948(is)X 3025(not)X 3151(expected)X 3461(that)X 3604(all)X 3707(the)X 3828(infor-)X 555 1812(mation)N 802(required)X 1095(by)X 1200(the)X 1323(\256elds)X 1520(will)X 1668(be)X 1768(available)X 2082(for)X 2200(all)X 2304(types)X 2497(of)X 2588(errors.)X 2840(If)X 2918(the)X 
3040(appropriate)X 3430(information)X 3832(is)X 3909(not)X 555 1908(available)N 865(when)X 1059(the)X 1177(message)X 1469(is)X 1542(composed,)X 1907(the)X 2025(corresponding)X 2504(\256eld)X 2666(will)X 2810(be)X 2906(left)X 3033(out)X 3155(of)X 3242(the)X 3360(message.)X 755 2032(Note)N 933(that)X 1075(since)X 1262(the)X 1382(KRB_ERROR)X 1874(message)X 2168(is)X 2243(not)X 2367(protected)X 2688(by)X 2790(any)X 2928(encryption,)X 3313(it)X 3379(is)X 3453(quite)X 3634(possible)X 3917(for)X 555 2128(an)N 653(intruder)X 929(to)X 1013(synthesize)X 1369(or)X 1458(modify)X 1711(such)X 1880(a)X 1938(message.)X 2272(In)X 2361(particular,)X 2711(this)X 2848(means)X 3075(that)X 3217(the)X 3337(client)X 3537(should)X 3 f 3772(not)X 1 f 3904(use)X 555 2224(any)N 692(\256elds)X 886(in)X 969(this)X 1105(message)X 1398(for)X 1513(security-critical)X 2038(purposes,)X 2364(such)X 2532(as)X 2620(setting)X 2854(a)X 2911(system)X 3154(clock)X 3348(or)X 3435(generating)X 3794(a)X 3850(fresh)X 555 2320(authenticator.)N 1034(The)X 1179(message)X 1471(can)X 1603(be)X 1699(useful,)X 1935(however,)X 2252(for)X 2366(advising)X 2657(a)X 2713(user)X 2867(on)X 2967(the)X 3085(reason)X 3315(for)X 3429(some)X 3618(failure.)X 3 f 555 2512(5.7.1.)N 775(KRB_ERROR)X 1297(de\256nition)X 1 f 755 2636(The)N 900(KRB_ERROR)X 1390(message)X 1682(consists)X 1955(of)X 2042(the)X 2160(following)X 2491(\256elds:)X 3 f 756 2780(KRB-ERROR)N 1265(::=)X 1 f 1485([APPLICATION)X 2057(30])X 2184(SEQUENCE)X 2622({)X 1485 2876(pvno[0])N 2780(INTEGER,)X 1485 2972(msg-type[1])N 2780(INTEGER,)X 1485 3068(ctime[2])N 2780(KerberosTime)X 3264(OPTIONAL,)X 1485 3164(cusec[3])N 2780(INTEGER)X 3143(OPTIONAL,)X 1485 3260(stime[4])N 2780(KerberosTime,)X 1485 3356(susec[5])N 2780(INTEGER,)X 1485 3452 0.3125(error-code[6])AN 2780(INTEGER,)X 1485 3548(crealm[7])N 2780(Realm)X 3009(OPTIONAL,)X 1485 3644(cname[8])N 2780(PrincipalName)X 3281(OPTIONAL,)X 1485 3740(realm[9])N 2780(Realm,)X 3029(--)X 3103(Correct)X 3364(realm)X 1485 
3836(sname[10])N 2780(PrincipalName,)X 3301(--)X 3375(Correct)X 3636(name)X 1485 3932(e-text[11])N 2780(GeneralString)X 3250(OPTIONAL,)X 1485 4028(e-data[12])N 2780(OCTET)X 3058(STRING)X 3367(OPTIONAL)X 3 f 756 4124(})N 555 4392(pvno)N 1 f 743(and)X 3 f 879(msg-type)X 1 f 955 4488(These)N 1167(\256elds)X 1360(are)X 1479(described)X 1807(above)X 2019(in)X 2101(section)X 2348(5.3.1.)X 3 f 2568(msg-type)X 1 f 2900(is)X 2973(KRB_ERROR.)X 3 f 555 4708(ctime)N 1 f 955(This)X 1117(\256eld)X 1279(is)X 1352(described)X 1680(above)X 1892(in)X 1974(section)X 2221(5.3.1.)X 3 f 555 5024(cusec)N 1 f 955(This)X 1117(\256eld)X 1279(is)X 1352(described)X 1680(above)X 1892(in)X 1974(section)X 2221(5.4.2.)X 3 f 555 5244(stime)N 1 f 955(This)X 1117(\256eld)X 1279(contains)X 1566(the)X 1684(current)X 1932(time)X 2094(on)X 2194(the)X 2312(server.)X 2569(It)X 2638(is)X 2711(of)X 2798(type)X 2956(KerberosTime.)X 3 f 555 5464(susec)N 1 f 955(This)X 1121(\256eld)X 1287(contains)X 1578(the)X 1700(microsecond)X 2134(part)X 2283(of)X 2374(the)X 2496(server's)X 2775(timestamp.)X 3172(Its)X 3276(value)X 3474(ranges)X 3707(from)X 3886(0)X 3949(to)X 955 5560(999.)N 1141(It)X 1216(appears)X 1488(along)X 1692(with)X 3 f 1860(stime)X 1 f 2043(.)X 2089(The)X 2240(two)X 2385(\256elds)X 2583(are)X 2707(used)X 2879(in)X 2966(conjunction)X 3369(to)X 3456(specify)X 3713(a)X 3774(reason-)X 955 5656(ably)N 1113(accurate)X 1402(timestamp.)X 555 6144(Section)N 815(5.7.1.)X 2196(-)X 2243(36)X 2343(-)X 37 p %%Page: 37 38 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 555 672(error-code)N 1 f 955(This)X 1121(\256eld)X 1287(contains)X 1578(the)X 1700(error)X 1881(code)X 2057(returned)X 2349(by)X 2453(Kerberos)X 2772(or)X 2863(the)X 2985(server)X 3206(when)X 3404(a)X 3464(request)X 3720(fails.)X 3922(To)X 955 768(interpret)N 1257(the)X 1385(value)X 1589(of)X 1686(this)X 1831(\256eld)X 2003(see)X 2136(the)X 2264(list)X 2391(of)X 2488(error)X 2675(codes)X 2888(in)X 2980(section)X 3236(7.)X 
3345(Implementations)X 3912(are)X 955 864(encouraged)N 1346(to)X 1428(provide)X 1693(for)X 1807(national)X 2085(language)X 2395(support)X 2655(in)X 2737(the)X 2855(display)X 3106(of)X 3193(error)X 3370(messages.)X 3 f 555 1084(crealm,)N 832(cname,)X 1095(srealm)X 1 f 1347(and)X 3 f 1483(sname)X 1 f 955 1180(These)N 1167(\256elds)X 1360(are)X 1479(described)X 1807(above)X 2019(in)X 2101(section)X 2348(5.2.1.)X 3 f 555 1400(e-text)N 1 f 955(This)X 1131(\256eld)X 1307(contains)X 1608(additional)X 1962(text)X 2116(to)X 2212(help)X 2384(explain)X 2653(the)X 2784(error)X 2974(code)X 3159(associated)X 3522(with)X 3697(the)X 3828(failed)X 955 1496(request)N 1207(\(for)X 1348(example,)X 1660(it)X 1724(might)X 1930(include)X 2186(a)X 2242(principal)X 2547(name)X 2741(which)X 2957(was)X 3102(unknown\).)X 3 f 555 1716(e-data)N 1 f 955(This)X 1122(\256eld)X 1289(contains)X 1581(additional)X 1926(data)X 2085(about)X 2288(the)X 2411(error)X 2593(for)X 2712(use)X 2844(by)X 2949(the)X 3072(application)X 3453(to)X 3539(help)X 3701(it)X 3769(recover)X 955 1812(from)N 1132(or)X 1220(handle)X 1455(the)X 1574(error.)X 1792(If)X 1867(the)X 3 f 1986(error-code)X 1 f 2374(is)X 2448(KRB_AP_ERR_METHOD,)X 3373(then)X 3532(the)X 3651(e-data)X 3869(\256eld)X 955 1908(will)N 1099(contain)X 1355(an)X 1451(encoding)X 1765(of)X 1852(the)X 1970(following)X 2301(sequence:)X 3 f 1250 2052(METHOD-DATA)N 1888(::=)X 1 f 2108(SEQUENCE)X 2546({)X 2108 2148(method-type[0])N 2727(INTEGER,)X 2108 2244(method-data[1])N 2727(OCTET)X 3005(STRING)X 3314(OPTIONAL)X 3 f 1250 2340(})N 955 2484(method-type)N 1 f 1430(will)X 1597(indicate)X 1894(the)X 2035(required)X 2346(alternate)X 2666(method;)X 3 f 2971(method-data)X 1 f 3450(will)X 3617(contain)X 3895(any)X 955 2580(required)N 1243(additional)X 1583(information.)X 3 f 12 s 555 2772(6.)N 675(Encryption)X 1163(and)X 1341(Checksum)X 1796(Speci\256cations)X 1 f 10 s 555 2896(The)N 708(Kerberos)X 1030(protocols)X 1355(described)X 1690(in)X 1779(this)X 1921(document)X 
2264(are)X 2390(designed)X 2702(to)X 2791(use)X 2925(stream)X 3166(encryption)X 3536(ciphers,)X 3815(which)X 555 2992(can)N 695(be)X 799(simulated)X 1138(using)X 1339(commonly)X 1709(available)X 2027(block)X 2233(encryption)X 2604(ciphers,)X 2884(such)X 3059(as)X 3154(the)X 3280(Data)X 3459(Encryption)X 3842(Stan-)X 555 3088(dard,[8])N 844(in)X 938(conjunction)X 1348(with)X 1522(block)X 1732(chaining)X 2040(and)X 2188(checksum)X 2541(methods.[9])X 2957(Encryption)X 3344(is)X 3428(used)X 3606(to)X 3699(prove)X 3913(the)X 555 3184(identities)N 869(of)X 957(the)X 1076(network)X 1360(entities)X 1612(participating)X 2038(in)X 2121(message)X 2414(exchanges.)X 2810(The)X 2955(Key)X 3109(Distribution)X 3515(Center)X 3749(for)X 3863(each)X 555 3280(realm)N 771(is)X 857(trusted)X 1108(by)X 1221(all)X 1334(principals)X 1683(registered)X 2033(in)X 2128(that)X 2281(realm)X 2497(to)X 2592(store)X 2781(a)X 2850(secret)X 3071(key)X 3220(in)X 3314(con\256dence.)X 3734(Proof)X 3944(of)X 555 3376(knowledge)N 927(of)X 1014(this)X 1149(private)X 1392(key)X 1528(is)X 1601(used)X 1768(to)X 1850(verify)X 2062(the)X 2180(authenticity)X 2578(of)X 2665(a)X 2721(principal.)X 755 3500(The)N 906(KDC)X 1101(uses)X 1265(the)X 1389(principal's)X 1758(secret)X 1972(key)X 2114(\(in)X 2229(the)X 2353(AS)X 2481(exchange\))X 2838(or)X 2930(a)X 2991(shared)X 3226(session)X 3482(key)X 3623(\(in)X 3737(the)X 3860(TGS)X 555 3596(exchange\))N 908(to)X 992(encrypt)X 1255(responses)X 1589(to)X 1673(ticket)X 1873(requests;)X 2180(the)X 2300(ability)X 2526(to)X 2610(obtain)X 2832(the)X 2952(secret)X 3162(key)X 3299(or)X 3387(session)X 3639(key)X 3776(implies)X 555 3692(the)N 680(knowledge)X 1059(of)X 1153(the)X 1278(appropriate)X 1671(keys)X 1845(and)X 1988(the)X 2113(identity)X 2383(of)X 2476(the)X 2600(KDC.)X 2835(The)X 2986(ability)X 3216(of)X 3309(a)X 3371(principal)X 3682(to)X 3770(decrypt)X 555 3788(the)N 681(KDC)X 878(response)X 1187(and)X 1331(present)X 1591(a)X 1655(Ticket)X 1887(and)X 2030(a)X 
2093(properly)X 2392(formed)X 2651(Authenticator)X 3119(\(generated)X 3486(with)X 3655(the)X 3780(session)X 555 3884(key)N 699(from)X 883(the)X 1009(KDC)X 1206(response\))X 1542(to)X 1632(a)X 1696(service)X 1952(veri\256es)X 2216(the)X 2342(identity)X 2614(of)X 2709(the)X 2835(principal;)X 3169(likewise)X 3463(the)X 3588(ability)X 3819(of)X 3913(the)X 555 3980(service)N 804(to)X 887(extract)X 1127(the)X 1246(session)X 1498(key)X 1635(from)X 1812(the)X 1931(Ticket)X 2157(and)X 2294(prove)X 2498(its)X 2594(knowledge)X 2967(thereof)X 3216(in)X 3299(a)X 3356(response)X 3657(veri\256es)X 3913(the)X 555 4076(identity)N 819(of)X 906(the)X 1024(service.)X 755 4200(The)N 901(Kerberos)X 1217(protocols)X 1536(generally)X 1856(assume)X 2113(that)X 2254(the)X 2373(encryption)X 2737(used)X 2905(is)X 2979(secure)X 3205(from)X 3381(cryptanalysis;)X 3846(how-)X 555 4296(ever,)N 738(in)X 824(some)X 1016(cases,)X 1229(the)X 1350(order)X 1543(of)X 1633(\256elds)X 1829(in)X 1914(the)X 2035(encrypted)X 2375(portions)X 2660(of)X 2750(messages)X 3076(are)X 3198(arranged)X 3503(to)X 3588(minimize)X 3913(the)X 555 4392(effects)N 796(of)X 889(poorly)X 1124(chosen)X 1373(keys.)X 1586(It)X 1661(is)X 1740(still)X 1885(important)X 2222(to)X 2310(choose)X 2559(good)X 2745(keys.)X 3 f 2958(If)X 3042(keys)X 3219(are)X 3357(derived)X 3641(from)X 3837(user-)X 555 4488(typed)N 770(passwords,)X 1169(those)X 1371(passwords)X 1750(need)X 1934(to)X 2025(be)X 2129(well)X 2291(chosen)X 2546(to)X 2637(make)X 2847(brute)X 3057(force)X 3255(attacks)X 3523(more)X 3725(dif\256cult.)X 1 f 555 4584(Poorly)N 788(chosen)X 1031(keys)X 1198(still)X 1337(make)X 1531(easy)X 1694(targets)X 1928(for)X 2042(intruders.)X 755 4708(The)N 904(following)X 1239(sections)X 1521(specify)X 1777(the)X 1899(encryption)X 2266(and)X 2406(checksum)X 2751(mechanisms)X 3171(currently)X 3485(de\256ned)X 3745(for)X 3863(Ker-)X 555 4804(beros.)N 814(The)X 984(encodings,)X 1374(chaining,)X 1715(and)X 1876(padding)X 2179(requirements)X 
2643(for)X 2782(each)X 2975(are)X 3119(described.)X 3512(For)X 3668(encryption)X 555 4900(methods,)N 868(it)X 934(is)X 1009(often)X 1196(desirable)X 1508(to)X 1592(place)X 1784(random)X 2051(information)X 2451(\(often)X 2665(referred)X 2943(to)X 3027(as)X 3116(a)X 2 f 3174(confounder)X 1 f 3539(\))X 3587(at)X 3666(the)X 3785(start)X 3944(of)X 555 4996(the)N 673(message.)X 1005(The)X 1150(requirements)X 1589(for)X 1703(a)X 1759(confounder)X 2145(are)X 2264(speci\256ed)X 2569(with)X 2731(each)X 2899(encryption)X 3262(mechanism.)X 755 5120(Some)N 961(encryption)X 1328(systems)X 1605(use)X 1736(a)X 1796(block-chaining)X 2301(method)X 2565(to)X 2651(improve)X 2942(the)X 3063(the)X 3184(security)X 3461(characteristics)X 3944(of)X 555 5216(the)N 679(ciphertext.)X 1066(However,)X 1407(these)X 1598(chaining)X 1900(methods)X 2197(often)X 2388(don't)X 2583(provide)X 2853(an)X 2954(integrity)X 3250(check)X 3463(upon)X 3648(decryption.)X 555 5312(Such)N 737(systems)X 1012(\(such)X 1208(as)X 1297(DES)X 1470(in)X 1554(CBC)X 1735(mode\))X 1962(must)X 2139(be)X 2237(augmented)X 2611(with)X 2775(a)X 2832(checksum)X 3174(of)X 3262(the)X 3381(plaintext)X 3682(which)X 3899(can)X 555 5408(be)N 655(veri\256ed)X 924(at)X 1006(decryption)X 1373(and)X 1513(used)X 1684(to)X 1770(detect)X 1986(any)X 2126(tampering)X 2474(or)X 2564(damage.)X 2877(Such)X 3060(checksums)X 3435(should)X 3671(be)X 3770(good)X 3953(at)X 555 5504(detecting)N 875(burst)X 1061(errors)X 1275(in)X 1362(the)X 1485(input.)X 1714(If)X 1793(any)X 1934(damage)X 2209(is)X 2287(detected,)X 2600(the)X 2723(decryption)X 3091(routine)X 3343(is)X 3421(expected)X 3732(to)X 3819(return)X 555 5600(an)N 652(error)X 830(indicating)X 1171(the)X 1290(failure)X 1521(of)X 1609(an)X 1706(integrity)X 1998(check.)X 2247(Each)X 2429(encryption)X 2793(type)X 2952(is)X 3026(expected)X 3333(to)X 3416(provide)X 3682(and)X 3819(verify)X 555 5696(an)N 651(appropriate)X 1037(checksum.)X 1418(The)X 1563(speci\256cation)X 1988(of)X 2075(each)X 
2243(encryption)X 2606(method)X 2866(sets)X 3006(out)X 3128(its)X 3223(checksum)X 3564(requirements.)X 755 5820(Finally,)N 1039(where)X 1274(a)X 1348(key)X 1502(is)X 1593(to)X 1693(be)X 1807(derived)X 2086(from)X 2279(a)X 2352(user's)X 2581(password,)X 2941(an)X 3054(algorithm)X 3402(for)X 3533(converting)X 3913(the)X 555 6144(Section)N 815(6.)X 2196(-)X 2243(37)X 2343(-)X 38 p %%Page: 38 39 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 555 672(password)N 886(to)X 976(a)X 1040(key)X 1184(of)X 1279(the)X 1405(appropriate)X 1799(type)X 1965(is)X 2046(included.)X 2390(It)X 2467(is)X 2548(desirable)X 2865(for)X 2986(the)X 3111(string)X 3320(to)X 3409(key)X 3552(function)X 3846(to)X 3935(be)X 555 768(one-way,)N 876(and)X 1016(for)X 1134(the)X 1256(mapping)X 1560(to)X 1646(be)X 1746(different)X 2047(in)X 2133(different)X 2433(realms.)X 2710(This)X 2875(is)X 2951(important)X 3285(because)X 3563(users)X 3751(who)X 3912(are)X 555 864(registered)N 903(in)X 996(more)X 1192(than)X 1361(one)X 1508(realm)X 1722(will)X 1877(often)X 2073(use)X 2211(the)X 2340(same)X 2536(password)X 2870(in)X 2963(each,)X 3162(and)X 3308(it)X 3382(is)X 3465(desirable)X 3785(that)X 3935(an)X 555 960(attacker)N 830(compromising)X 1312(the)X 1430(Kerberos)X 1745(server)X 1962(in)X 2044(one)X 2180(realm)X 2383(not)X 2505(obtain)X 2725(or)X 2812(derive)X 3033(the)X 3151(user's)X 3363(key)X 3499(in)X 3581(another.)X 3 f 12 s 555 1152(6.1.)N 747(Encryption)X 1235(Speci\256cations)X 1 f 10 s 755 1276(The)N 902(following)X 1235(ASN.1)X 1477(de\256nition)X 1805(describes)X 2125(all)X 2226(encrypted)X 2564(messages.)X 2928(The)X 3 f 3074(enc-part)X 1 f 3385(\256eld)X 3548(which)X 3765(appears)X 555 1372(in)N 639(the)X 759(unencrypted)X 1178(part)X 1325(of)X 1414(messages)X 1739(in)X 1823(section)X 2071(5)X 2132(is)X 2206(a)X 2263(sequence)X 2579(consisting)X 2924(of)X 3012(an)X 3109(encryption)X 3473(type,)X 3652(an)X 3749(optional)X 555 1468(key)N 691(version)X 947(number,)X 
1232(and)X 1368(the)X 1486(ciphertext.)X 3 f 1111 1640(EncryptedData)N 1656(::=)X 1 f 1876(SEQUENCE)X 2314({)X 1876 1736(etype[0])N 2472(INTEGER,)X 2855(--)X 2929(EncryptionType)X 1876 1832(kvno[1])N 2472(INTEGER)X 2835(OPTIONAL,)X 1876 1928(cipher[2])N 2472(OCTET)X 2750(STRING)X 3059(--)X 3133(ciphertext)X 3 f 1111 2024(})N 555 2196(etype)N 1 f 955(This)X 1130(\256eld)X 1305(identi\256es)X 1631(which)X 1860(encryption)X 2236(algorithm)X 2580(was)X 2737(used)X 2916(to)X 3010(encipher)X 3319(the)X 3 f 3449(cipher)X 1 f 3667(.)X 3739(Detailed)X 955 2292(speci\256cations)N 1411(for)X 1525(selected)X 1804(encryption)X 2167(types)X 2356(appear)X 2591(later)X 2754(in)X 2836(this)X 2971(section.)X 3 f 555 2512(kvno)N 1 f 955(This)X 1127(\256eld)X 1299(contains)X 1596(the)X 1724(version)X 1990(number)X 2265(of)X 2362(the)X 2490(key)X 2636(under)X 2849(which)X 3075(data)X 3239(is)X 3322(encrypted.)X 3709(It)X 3787(is)X 3869(only)X 955 2608(present)N 1207(in)X 1289(messages)X 1612(encrypted)X 1949(under)X 2152(long)X 2314(lasting)X 2547(keys,)X 2734(such)X 2901(as)X 2988(principals')X 3351(secret)X 3559(keys.)X 3 f 555 2828(cipher)N 1 f 955(This)X 1117(\256eld)X 1279(contains)X 1566(the)X 1684(enciphered)X 2057(text,)X 2217(encoded)X 2505(as)X 2592(an)X 2688(OCTET)X 2966(STRING.)X 755 3048(The)N 3 f 902(cipher)X 1 f 1142(\256eld)X 1306(is)X 1381(generated)X 1716(by)X 1818(applying)X 2120(the)X 2239(speci\256ed)X 2545(encryption)X 2909(algorithm)X 3241(to)X 3324(data)X 3479(composed)X 3825(of)X 3913(the)X 555 3144(message)N 855(and)X 999(algorithm-speci\256c)X 1610(inputs.)X 1873(Encryption)X 2257(mechanisms)X 2681(de\256ned)X 2945(for)X 3067(use)X 3202(with)X 3372(Kerberos)X 3695(must)X 3877(take)X 555 3240(suf\256cient)N 878(measures)X 1201(to)X 1287(guarantee)X 1624(the)X 1746(integrity)X 2041(of)X 2132(the)X 2254(plaintext,)X 2578(and)X 2718(we)X 2836(recommend)X 3239(they)X 3401(also)X 3554(take)X 3712(measures)X 555 3336(to)N 639(protect)X 884(against)X 
1133(precomputed)X 1574(dictionary)X 1921(attacks.)X 2206(If)X 2281(the)X 2400(encryption)X 2764(algorithm)X 3096(is)X 3170(not)X 3293(itself)X 3474(capable)X 3741(of)X 3829(doing)X 555 3432(so,)N 666(the)X 784(protections)X 1160(can)X 1292(often)X 1477(be)X 1573(enhanced)X 1897(by)X 1997(adding)X 2235(a)X 2291(checksum)X 2632(and)X 2768(a)X 2824(confounder.)X 755 3556(The)N 906(suggested)X 1248(format)X 1488(for)X 1608(the)X 1732(data)X 1892(to)X 1980(be)X 2082(encrypted)X 2425(includes)X 2718(a)X 2780(confounder,)X 3192(a)X 3254(checksum,)X 3620(the)X 3743(encoded)X 555 3652(plaintext,)N 897(and)X 1055(any)X 1212(necessary)X 1566(padding.)X 1905(The)X 3 f 2071(msg-seq)X 1 f 2388(\256eld)X 2571(contains)X 2879(the)X 3018(part)X 3184(of)X 3292(the)X 3431(protocol)X 3739(message)X 555 3748(described)N 887(in)X 973(section)X 1224(5)X 1288(which)X 1508(is)X 1585(to)X 1671(be)X 1771(encrypted.)X 2151(The)X 2299(confounder,)X 2708(checksum,)X 3072(and)X 3211(padding)X 3492(are)X 3614(all)X 3717(untagged)X 555 3844(and)N 703(untyped,)X 1013(and)X 1161(their)X 1340(length)X 1572(is)X 1657(exactly)X 1921(suf\256cient)X 2250(to)X 2343(hold)X 2516(the)X 2645(appropriate)X 3042(item.)X 3255(The)X 3411(type)X 3580(and)X 3727(length)X 3958(is)X 555 3940(implicit)N 829(and)X 971(speci\256ed)X 1282(by)X 1388(the)X 1512(particular)X 1846(encryption)X 2215(type)X 2379(being)X 2583(used)X 2756(\()X 3 f 2783(etype)X 1 f 2966(\).)X 3058(The)X 3208(format)X 3447(for)X 3566(the)X 3689(data)X 3848(to)X 3935(be)X 555 4036(encrypted)N 892(is)X 965(described)X 1293(in)X 1375(the)X 1493(following)X 1824(diagram:)X 7 f 843 4228(+-----------+----------+-------------+-----+)N 9 f 859 4324(|)N 7 f 891(confounder)X 9 f 1435(|)X 7 f 1611(check)X 9 f 1963(|)X 7 f 2139(msg-seq)X 9 f 2635(|)X 7 f 2715(pad)X 9 f 2923(|)X 7 f 843 4420(+-----------+----------+-------------+-----+)N 1 f 555 4612(The)N 700(format)X 934(cannot)X 1168(be)X 1264(described)X 1592(in)X 1674(ASN.1,)X 1934(but)X 2056(for)X 
2170(those)X 2359(who)X 2517(prefer)X 2730(an)X 2826(ASN.1-)X 2 f 3073(like)X 1 f 3209(notation:)X 8 s 10 f 555 5330(hhhhhhhhhhhhhhhhhh)N 1 f 555 5424(\262)N 619(In)X 692(the)X 790(above)X 962(speci\256cation,)X 1321(UNTAGGED)X 1694(OCTET)X 1919(STRING\(length\))X 2371(is)X 2433(notation)X 2662(for)X 2755(an)X 2834(octet)X 2977(string)X 3142(with)X 3275(its)X 3355(tag)X 3452(and)X 3563(length)X 555 5504(removed.)N 830(It)X 889(is)X 952(not)X 1054(a)X 1102(valid)X 1250(ASN.1)X 1446(type.)X 1608(The)X 1727(tag)X 1825(bits)X 1938(and)X 2049(length)X 3 f 2228(must)X 1 f 2382(be)X 2461(removed)X 2703(for)X 2796(the)X 2893(confounder)X 3202(since)X 3352(the)X 3449(purpose)X 3670(of)X 555 5584(the)N 656(confounder)X 969(is)X 1035(so)X 1115(that)X 1234(the)X 1335(message)X 1574(starts)X 1732(with)X 1869(random)X 2087(data,)X 2232(but)X 2337(the)X 2438(tag)X 2539(and)X 2654(its)X 2738(length)X 2921(are)X 3021(\256xed.)X 3204(For)X 3315(other)X 3468(\256elds,)X 3645(the)X 555 5664(length)N 731(and)X 839(tag)X 933(would)X 1109(be)X 1185(redundant)X 1456(if)X 1511(they)X 1637(were)X 1776(included)X 2012(because)X 2229(they)X 2355(are)X 2448(speci\256ed)X 2691(by)X 2771(the)X 2865(encryption)X 3154(type.)X 10 s 555 6144(Section)N 815(6.1.)X 2196(-)X 2243(38)X 2343(-)X 39 p %%Page: 39 40 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 555 720(CipherText)N 971(::=)X 1 f 1191(ENCRYPTED)X 1682(SEQUENCE)X 2120({)X 1191 816(confounder[0])N 2278(UNTAGGED\262)X 2784(OCTET)X 3062(STRING\(conf_length\))X 3808(OPTIONAL,)X 1191 912(check[1])N 2278(UNTAGGED)X 2744(OCTET)X 3022(STRING\(checksum_length\))X 3946(OPTIONAL,)X 1191 1008(msg-seq[2])N 2278(MsgSequence,)X 1191 1104(pad)N 2278(UNTAGGED)X 2744(OCTET)X 3022(STRING\(pad_length\))X 3741(OPTIONAL)X 3 f 555 1200(})N 1 f 755 1372(One)N 916(generates)X 1247(a)X 1310(random)X 1582(confounder)X 1975(of)X 2069(the)X 2194(appropriate)X 2587(length,)X 2834(placing)X 3097(it)X 3168(in)X 3 f 3257(confounder)X 1 f 3648(,)X 
3694(calculates)X 555 1468(the)N 679(appropriate)X 1071(checksum)X 1418(over)X 3 f 1587(confounder)X 1 f 2004(and)X 3 f 2146(msg-seq)X 1 f 2448(as)X 2541(if)X 2616(they)X 2780(were)X 2963(contiguous,)X 3360(placing)X 3622(the)X 3746(result)X 3949(in)X 3 f 555 1564(check)N 1 f 751(,)X 798(adds)X 972(the)X 1097(necessary)X 1437(padding,)X 1742(then)X 1907(encrypts)X 2206(using)X 2406(the)X 2531(speci\256ed)X 2843(encryption)X 3213(type)X 3378(and)X 3521(the)X 3645(appropriate)X 555 1660(key.)N 755 1784(Unless)N 1010(otherwise)X 1359(speci\256ed,)X 1701(a)X 1774(de\256nition)X 2117(of)X 2220(an)X 2332(encryption)X 2711(algorithm)X 3058(that)X 3214(speci\256es)X 3526(a)X 3598(checksum,)X 3975(a)X 555 1880(length)N 778(for)X 894(the)X 1014(confounder)X 1402(\256eld,)X 1586(or)X 1675(an)X 1773(octet)X 1951(boundary)X 2276(for)X 2392(padding)X 2672(uses)X 2832(this)X 2969(ciphertext)X 3312(format)X 8 s 3526 1855(1)N 10 s 1880(.)Y 3620(Those)X 3838(\256elds)X 555 1976(which)N 771(are)X 890(not)X 1012(speci\256ed)X 1317(will)X 1461(be)X 1557(omitted.)X 755 2100(In)N 853(the)X 982(interest)X 1249(of)X 1347(allowing)X 1658(all)X 1769(implementations)X 2333(using)X 2537(a)X 2604(particular)X 2943(encryption)X 3317(type)X 3486(to)X 3579(communicate)X 555 2196(with)N 721(all)X 825(others)X 1045(using)X 1242(that)X 1385(type,)X 1566(the)X 1687(speci\256cation)X 2115(of)X 2205(an)X 2304(encryption)X 2670(type)X 2831(de\256nes)X 3081(any)X 3220(checksum)X 3564(that)X 3707(is)X 3783(needed)X 555 2292(as)N 646(part)X 795(of)X 886(the)X 1008(encryption)X 1375(process.)X 1680(If)X 1758(an)X 1858(alternative)X 2220(checksum)X 2564(is)X 2640(to)X 2725(be)X 2824(used,)X 3014(a)X 3073(new)X 3230(encryption)X 3596(type)X 3757(must)X 3935(be)X 555 2388(de\256ned.)N 755 2512(Some)N 958(cryptosystems)X 1437(require)X 1686(additional)X 2027(information)X 2426(beyond)X 2683(the)X 2801(key)X 2937(and)X 3073(the)X 3191(data)X 3345(to)X 3427(be)X 3523(encrypted.)X 3900(For)X 555 2608(example,)N 
869(DES,)X 1062(when)X 1258(used)X 1427(in)X 1511(cipher-block-chaining)X 2242(mode,)X 2462(requires)X 2743(an)X 2841(initialization)X 3267(vector.)X 3529(If)X 3604(required,)X 3913(the)X 555 2704(description)N 931(for)X 1045(each)X 1213(encryption)X 1576(type)X 1734(must)X 1909(specify)X 2161(the)X 2279(source)X 2509(of)X 2596(such)X 2763(additional)X 3103(information.)X 3 f 12 s 555 2896(6.2.)N 747(Encryption)X 1235(Keys)X 1 f 10 s 755 3020(The)N 900(sequence)X 1215(below)X 1431(shows)X 1651(the)X 1769(encoding)X 2083(of)X 2170(an)X 2266(encryption)X 2629(key:)X 3 f 1319 3164(EncryptionKey)N 1863(::=)X 1 f 2083(SEQUENCE)X 2521({)X 2083 3260(keytype[0])N 2679(INTEGER,)X 2083 3356(keyvalue[1])N 2679(OCTET)X 2957(STRING)X 3 f 1319 3452(})N 555 3624(keytype)N 1 f 955(This)X 1119(\256eld)X 1283(speci\256es)X 1581(the)X 1701(type)X 1861(of)X 1950(encryption)X 2315(key)X 2453(that)X 2594(follows)X 2855(in)X 2938(the)X 3 f 3057(keyvalue)X 1 f 3380(\256eld.)X 3583(It)X 3653(will)X 3798(almost)X 955 3720(always)N 1211(correspond)X 1601(to)X 1696(the)X 1827(encryption)X 2203(algorithm)X 2547(used)X 2726(to)X 2820(generate)X 3125(the)X 3255(EncryptedData,)X 3789(though)X 955 3816(more)N 1148(than)X 1314(one)X 1458(algorithm)X 1797(may)X 1963(use)X 2098(the)X 2224(same)X 2417(type)X 2583(of)X 2678(key)X 2822(\(the)X 2975(mapping)X 3283(is)X 3364(many)X 3570(to)X 3659(one\).)X 3869(This)X 955 3912(might)N 1167(happen,)X 1445(for)X 1565(example,)X 1883(if)X 1958(the)X 2082(encryption)X 2451(algorithm)X 2788(uses)X 2951(an)X 3052(alternate)X 3354(checksum)X 3700(algorithm)X 955 4008(for)N 1069(an)X 1165(integrity)X 1456(check,)X 1684(or)X 1771(a)X 1827(different)X 2124(chaining)X 2420(mechanism.)X 3 f 555 4228(keyvalue)N 1 f 955(This)X 1117(\256eld)X 1279(contains)X 1566(the)X 1684(key)X 1820(itself,)X 2020(encoded)X 2308(as)X 2395(an)X 2491(octet)X 2667(string.)X 755 4352(All)N 884(negative)X 1183(values)X 1415(for)X 1535(the)X 1659(encryption)X 2028(key)X 2170(type)X 
2334(are)X 2459(reserved)X 2758(for)X 2878(local)X 3060(use.)X 3233(All)X 3361(non-negative)X 3806(values)X 555 4448(are)N 674(reserved)X 967(for)X 1081(of\256cially)X 1390(assigned)X 1686(type)X 1844(\256elds)X 2037(and)X 2173(interpretations.)X 3 f 12 s 555 4640(6.3.)N 747(Encryption)X 1235(Systems)X 10 s 555 4832(6.3.1.)N 775(The)X 928(NULL)X 1170(Encryption)X 1576(System)X 1841(\(null\))X 1 f 755 4956(If)N 836(no)X 943(encryption)X 1313(is)X 1393(in)X 1481(use,)X 1634(the)X 1758(encryption)X 2127(system)X 2375(is)X 2454(said)X 2609(to)X 2697(be)X 2799(the)X 2923(NULL)X 3163(encryption)X 3532(system.)X 3820(In)X 3913(the)X 555 5052(NULL)N 790(encryption)X 1154(system)X 1397(there)X 1579(is)X 1653(no)X 1754(checksum,)X 2116(confounder)X 2503(or)X 2591(padding.)X 2910(The)X 3055(ciphertext)X 3396(is)X 3469(simply)X 3706(the)X 3824(plain-)X 555 5148(text.)N 738(The)X 886(NULL)X 1123(Key)X 1280(is)X 1356(used)X 1526(by)X 1629(the)X 1750(null)X 1897(encryption)X 2263(system)X 2508(and)X 2647(is)X 2723(zero)X 2884(octets)X 3093(in)X 3177(length,)X 3419(with)X 3 f 3583(keytype)X 1 f 3872(zero)X 555 5244(\(0\).)N 8 s 10 f 555 5410(hhhhhhhhhhhhhhhhhh)N 6 s 1 f 555 5485(1)N 8 s 611 5504(Indeed,)N 819(the)X 916(ordering)X 1151(of)X 1223(these)X 1373(\256elds)X 1531(is)X 1592(important.)X 1891(If)X 1951(the)X 2047(checksum)X 2320(is)X 2381(placed)X 2565(after)X 2699(the)X 2795(msg-seq,)X 3042(then)X 3170(a)X 3216(chosen-plaintext)X 3656(at-)X 555 5584(tack)N 681(which)X 857(uses)X 987(a)X 1035(msg-seq)X 1268(with)X 1402(the)X 1500(form)X 1644(msg-seq'+cksum')X 2122(can)X 2230(convince)X 2480(the)X 2578(recipient)X 2821(that)X 2937(msg-seq')X 3190(was)X 3308(sent,)X 3446(rather)X 3613(than)X 555 5664(the)N 649(actual)X 817(message)X 1049(msg-seq.)X 10 s 555 6144(Section)N 815(6.3.1.)X 2196(-)X 2243(39)X 2343(-)X 40 p %%Page: 40 41 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 555 672(6.3.2.)N 775(DES)X 950(in)X 1036(CBC)X 1225(mode)X 1432(with)X 
1603(a)X 1663(CRC-32)X 1964(checksum)X 2322 0.2812(\(des-cbc-crc\))AX 1 f 755 796(The)N 3 f 917(des-cbc-crc)X 1 f 1343(encryption)X 1723(mode)X 1938(encrypts)X 2247(information)X 2662(under)X 2882(the)X 3016(Data)X 3204(Encryption)X 3596(Standard)X 3917([8])X 555 892(using)N 753(the)X 876(cipher)X 1102(block)X 1305(chaining)X 1606(mode.[9])X 1923(A)X 2006(CRC-32)X 2297(checksum)X 2643(\(described)X 3003(in)X 3090(ISO)X 3243(3309[10])X 3561(\))X 3612(is)X 3689(applied)X 3949(to)X 555 988(the)N 681(confounder)X 1075(and)X 1219(message)X 1519(sequence)X 1842(\()X 3 f 1869(msg-seq)X 1 f 2145(\))X 2200(and)X 2344(placed)X 2582(in)X 2671(the)X 3 f 2796(cksum)X 1 f 3045(\256eld.)X 3254(DES)X 3432(encryption)X 3802(blocks)X 555 1084(are)N 682(8)X 750(bytes.)X 986(As)X 1102(a)X 1165(result,)X 1390(the)X 1515(data)X 1676(to)X 1765(be)X 1868(encrypted)X 2212(\(the)X 2364(concatenation)X 2837(of)X 2931(confounder,)X 3344(checksum,)X 3712(and)X 3855(mes-)X 555 1180(sage\))N 749(must)X 928(be)X 1028(padded)X 1284(to)X 1370(an)X 1469(8)X 1532(byte)X 1693(boundary)X 2019(before)X 2248(encryption.)X 2654(Encryption)X 3033(under)X 3239(DES)X 3413(using)X 3609(cipher)X 3833(block)X 555 1276(chaining)N 857(requires)X 1142(an)X 1244(additional)X 1590(input)X 1780(in)X 1868(the)X 1992(form)X 2174(of)X 2267(an)X 2369(initialization)X 2799(vector.)X 3065(Unless)X 3308(otherwise)X 3645(speci\256ed,)X 3975(a)X 555 1372(copy)N 731(of)X 818(the)X 936(key)X 1072(should)X 1305(be)X 1401(used)X 1568(as)X 1655(the)X 1773(initialization)X 2197(vector.)X 755 1496(A)N 834(DES)X 1006(key)X 1143(is)X 1217(8)X 1278(octets)X 1486(of)X 1574(data,)X 1749(with)X 3 f 1912(keytype)X 1 f 2200(one)X 2337(\(1\).)X 2492(This)X 2655(consists)X 2928(of)X 3015(56)X 3115(bits)X 3250(of)X 3337(key,)X 3493(and)X 3629(8)X 3689(parity)X 3896(bits)X 555 1592(\(one)N 718(per)X 841(octet\).)X 1084(Kerberos')X 1426(use)X 1553(of)X 1640(DES)X 1811(requires)X 2090(an)X 2186(8-octet)X 2429(confounder.)X 755 1812(To)N 
871(generate)X 1170(a)X 1232(DES)X 1409(key)X 1551(from)X 1733(a)X 1795(text)X 1941(string)X 2149(\(password\),)X 2552(the)X 2676(text)X 2822(string)X 3030(normally)X 3345(must)X 3526(have)X 3704(the)X 3828(realm)X 555 1908(and)N 702(each)X 881(component)X 1268(of)X 1366(the)X 1495(principal's)X 1869(name)X 2074(appended)X 8 s 2382 1883(1)N 10 s 1908(,)Y 2465(then)X 2633(padded)X 2895(with)X 3067(nulls)X 3252(to)X 3344(an)X 3450(8)X 3520(byte)X 3688(boundary.)X 555 2004(This)N 726(string)X 937(is)X 1019(then)X 1186(fan-folded)X 1550(and)X 1694(eXclusive-ORed)X 2257(with)X 2427(itself)X 2615(to)X 2705(form)X 2889(an)X 2993(8)X 3061(byte)X 3227(DES)X 3406(key.)X 3590(The)X 3743(parity)X 3958(is)X 555 2100(corrected)N 880(on)X 985(the)X 1108(key,)X 1269(and)X 1409(it)X 1477(is)X 1554(used)X 1725(to)X 1811(generate)X 2108(a)X 2168(DES)X 2343(CBC)X 2526(checksum)X 2871(on)X 2975(the)X 3097(initial)X 3307(string)X 3513(\(with)X 3706(the)X 3828(realm)X 555 2196(and)N 692(name)X 887(appended\).)X 1283(Finally,)X 1550(parity)X 1758(is)X 1832(corrected)X 2153(on)X 2253(the)X 2371(CBC)X 2550(checksum)X 2891(and)X 3027(it)X 3091(is)X 3164(returned)X 3452(as)X 3539(the)X 3657(key.)X 3833(Pseu-)X 555 2292(docode)N 807(follows:)X 7 f 755 2484(string_to_key\(string,realm,name\))N 2339({)X 955 2580(odd)N 1147(=)X 1243(1;)X 955 2676(s)N 1051(=)X 1147(string)X 1483(+)X 1579(realm;)X 955 2772(for\(each)N 1387(component)X 1867(in)X 2011(name\))X 2299({)X 1155 2868(s)N 1251(=)X 1347(s)X 1443(+)X 1539(component;)X 955 2964(})N 955 3060(tempkey)N 1339(=)X 1435(NULL;)X 955 3156(pad\(s\);)N 1339(/*)X 1483(with)X 1723(nulls)X 2011(to)X 2155(8)X 2251(byte)X 2491(boundary)X 2923(*/)X 955 3252(for\(8byteblock)N 1675(in)X 1819(s\))X 1963({)X 1155 3348(if\(odd)N 1491(==)X 1635(0\))X 1827({)X 1347 3444(odd)N 1539(=)X 1635(1;)X 1347 3540(reverse\(8byteblock\))N 1155 3636(})N 1155 3732(else)N 1395(odd)X 1587(=)X 1683(0;)X 1155 3828(tempkey)N 1539(=)X 1635(tempkey)X 2019(XOR)X 2211(8byteblock;)X 955 
        }
        fixparity(tempkey);
        key = DES-CBC-check(s,tempkey);
        fixparity(key);
        return(key);
    }

6.4. Checksums

The following is the ASN.1 definition used for a checksum:

    Checksum ::= SEQUENCE {
        cksumtype[0]    INTEGER,
        checksum[1]     OCTET STRING
    }

cksumtype
    This field indicates the algorithm used to generate the accompanying checksum.

checksum
    This field contains the checksum itself, encoded as an octet string.

__________
[1] In some cases, it may be necessary to use a different "mix-in" string for compatibility reasons; see the discussion of pa-data in section 5.3.2.

Section 6.4.                        - 40 -

                                  DRAFT 4

Detailed specifications of selected checksum types appear later in this section. Negative values for the checksum type are reserved for local use. All non-negative values are reserved for officially assigned type fields and interpretations.

Checksums used by Kerberos can
be classified by two properties: whether they are collision-proof, and whether they are keyed. It is infeasible to find two plaintexts which generate the same checksum value for a collision-proof checksum. A key is required to perturb or initialize the algorithm in a keyed checksum. To prevent message-stream modification by an active attacker, unkeyed checksums should only be used when the checksum and message will be subsequently encrypted (e.g. the checksums defined as part of the encryption algorithms covered earlier in this section). Collision-proof checksums can be made tamper-proof as well if the checksum value is encrypted before inclusion in a message. In such cases, the composition of the checksum and the encryption algorithm must be considered a separate checksum algorithm (e.g. RSA-MD4 encrypted using DES is a new checksum algorithm of type RSA-MD4-DES).

6.4.1. The CRC-32 Checksum (crc32)

The CRC-32 checksum
calculates a checksum based on a cyclic redundancy check as described in ISO 3309.[10] The resulting checksum is four (4) octets in length. The CRC-32 is neither keyed nor collision-proof, and is useful in Kerberos mainly to detect modifications when included with plaintext that is encrypted.

6.4.2. The RSA MD4 Checksum (rsa-md4)

The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm.[11] The algorithm takes as input a message of arbitrary length and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed to be collision-proof.

6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)

The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by applying the RSA MD4 checksum algorithm and encrypting the results using DES in cipher-block-chaining (CBC) mode using a DES key as both key and initialization vector. The resulting checksum is 16 octets long. This
checksum is tamper-proof and believed to be collision-proof.

6.4.4. DES cipher-block chained checksum (des-mac)

The DES-MAC checksum is computed by performing a DES CBC-mode encryption of the plaintext, and using the last block of the ciphertext as the checksum value. It is keyed with an encryption key and an initialization vector; any uses which do not specify an additional initialization vector will use the key as both key and initialization vector. The resulting checksum is 64 bits (8 octets) long. This checksum is tamper-proof and collision-proof.

7. Constants and other defined values

7.1. Host address types

All negative values for the host address type are reserved for local use. All non-negative values are reserved for officially assigned type fields and interpretations.

The values of the types for the following addresses are chosen to match the defined address family constants in the Berkeley Standard
Distributions of Unix. They can be found in <sys/socket.h> with symbolic names AF_xxx (where xxx is an abbreviation of the address family name).

Internet addresses
    Internet addresses are 32-bit (4-octet) quantities, encoded in MSB order. The type of internet addresses is two (2).

CHAOSnet addresses
    CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order. The type of CHAOSnet addresses is five (5).

ISO addresses
    ISO addresses are variable-length. The type of ISO addresses is seven (7).

Xerox Network Services (XNS) addresses
    XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The type of XNS addresses is six (6).

AppleTalk Datagram Delivery Protocol (DDP) addresses
    AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit network number. The first octet of the address is the node
number; the remaining two octets encode the network number in MSB order. The type of AppleTalk DDP addresses is sixteen (16).

DECnet Phase IV addresses
    DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. The type of DECnet Phase IV addresses is twelve (12).

7.2. KDC messages

7.2.1. IP transport

When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using IP transports, the client shall send a UDP datagram containing only an encoding of the request to port 750 at the KDC's IP address; the KDC will respond with a reply datagram containing only an encoding of the reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at the sender's IP address.

7.2.2. Name of the TGS

The principal identifier of the ticket-granting service shall be composed of three parts: (1) the realm of the KDC issuing the TGS ticket (2) a two-part
name, with the first part "krbtgt" and the second part the name of the realm which will accept the ticket-granting ticket. For example, a ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get tickets from the ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get tickets from the MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).

7.3. Protocol constants and associated values

The following tables list constants used in the protocol and define their meanings.

    Encryption type     etype value   block size   minimum pad size   confounder size
    NULL                0             1            0                  0
    des-cbc-crc         1             8            4                  8

    Checksum type       sumtype value   checksum size
    CRC32               1               4
    rsa-md4             2               16
    rsa-md4-des         3               16
    des-mac             4               8               8

    padata type
                        pa-type value
    PA-TGS-REQ          1
    PA-ENC-TIMESTAMPS   2
    PA-PW-SALT          3

    authorization data type         ad-type value
    reserved values                 0-63
    OSF-DCE                         64

    alternate authentication type   method-type value
    reserved values                 0-63
    ATT-CHALLENGE-RESPONSE          64

    transited encoding type         tr-type value
    DOMAIN-X500-COMPRESS            1
    reserved values                 all others

    Label                           Value   Meaning or MIT code

    pvno                            5       current Kerberos protocol version number

    message types

    KRB_AS_REQ                      10      Request for initial authentication
    KRB_AS_REP                      11      Response to KRB_AS_REQ request
    KRB_TGS_REQ                     12      Request for authentication based on TGT
    KRB_TGS_REP                     13      Response to KRB_TGS_REQ request
    KRB_AP_REQ                      14      application request to server
    KRB_AP_REP                      15      Response to KRB_AP_REQ_MUTUAL
    KRB_SAFE                        20      Safe (checksummed) application message
    KRB_PRIV                        21      Private (encrypted) application message
    KRB_ERROR                       30      Error response

    error codes

    KDC_ERR_NONE                    0       No error
    KDC_ERR_NAME_EXP                1
                                            Client's entry in database has expired
    KDC_ERR_SERVICE_EXP             2       Server's entry in database has expired
    KDC_ERR_BAD_PVNO                3       Requested protocol version number not supported
    KDC_ERR_C_OLD_MAST_KVNO         4       Client's key encrypted in old master key
    KDC_ERR_S_OLD_MAST_KVNO         5       Server's key encrypted in old master key
    KDC_ERR_C_PRINCIPAL_UNKNOWN     6       Client not found in Kerberos database
    KDC_ERR_S_PRINCIPAL_UNKNOWN     7       Server not found in Kerberos database
    KDC_ERR_PRINCIPAL_NOT_UNIQUE    8       Multiple entries for principal in Kerberos database
    KDC_ERR_NULL_KEY                9       The client or server has a null key
    KDC_ERR_CANNOT_POSTDATE         10      Ticket not eligible for postdating
    KDC_ERR_NEVER_VALID             11      Requested start time is later than end time
    KDC_ERR_POLICY                  12      KDC policy rejects request
    KDC_ERR_BADOPTION               13      KDC cannot accommodate requested option
    KDC_ERR_ETYPE_NOSUPP            14      KDC has no support for encryption type
    KDC_ERR_SUMTYPE_NOSUPP          15      KDC has no support for checksum type
    KDC_ERR_PADATA_TYPE_NOSUPP      16      KDC has no support for padata
                                            type
    KDC_ERR_TRTYPE_NOSUPP           17      KDC has no support for transited type

    KRB_AP_ERR_BAD_INTEGRITY        31      Integrity check on decrypted field failed
    KRB_AP_ERR_TKT_EXPIRED          32      Ticket expired
    KRB_AP_ERR_TKT_NYV              33      Ticket not yet valid
    KRB_AP_ERR_REPEAT               34      Request is a replay
    KRB_AP_ERR_NOT_US               35      The ticket isn't for us
    KRB_AP_ERR_BADMATCH             36      Ticket and authenticator don't match
    KRB_AP_ERR_SKEW                 37      Clock skew too great
    KRB_AP_ERR_BADADDR              38      Incorrect net address
    KRB_AP_ERR_BADVERSION           39      Protocol version mismatch
    KRB_AP_ERR_MSG_TYPE             40      Invalid msg type
    KRB_AP_ERR_MODIFIED             41      Message stream modified
    KRB_AP_ERR_BADORDER             42      Message out of order
    KRB_AP_ERR_BADKEYVER            44      Specified version of key is not available
    KRB_AP_ERR_NOKEY                45      Service key not available
    KRB_AP_ERR_MUT_FAIL             46      Mutual authentication failed
    KRB_AP_ERR_BADDIRECTION         47      Incorrect message direction
    KRB_AP_ERR_METHOD               48      Alternative authentication method required[2]
    KRB_AP_ERR_BADSEQ               49      Incorrect sequence
                                            number in message
    KRB_AP_ERR_INAPP_CKSUM          50      Inappropriate type of checksum in message

    KRB_ERR_GENERIC                 60      Generic error (description in e-text)
    KRB_ERR_FIELD_TOOLONG           61      Field is too long for this implementation

8. Interoperability requirements

Version 5 of the Kerberos protocol supports a myriad of options. Among these are multiple encryption and checksum types, alternative encoding schemes for the transited field, optional mechanisms for pre-authentication, the handling of tickets with no addresses, options for mutual authentication, user to user authentication, support for proxies, forwarding, postdating, and renewing tickets, the format of realm names, and the handling of authorization data.

In order to ensure the interoperability of realms, it is necessary to define a minimal configuration which must be supported by all implementations. This minimal configuration is subject to change as technology does. For example, if at some later date
it is discovered that one of the required encryption or checksum algorithms is not secure, it will be replaced.

8.1. Specification 1

This section defines the first specification of these options. Implementations which are configured in this way can be said to support Kerberos Version 5 Specification 1 (5.1).

Encryption and checksum methods
    The following encryption and checksum mechanisms must be supported. Implementations may support other mechanisms as well, but the additional mechanisms may only be used when communicating with principals known to also support them:

    Encryption:  DES-CBC-CRC
    Checksums:   CRC-32 and DES-MAC

__________
[2] This error carries additional information in the e-data field. The contents of the e-data field will be an encoding of the METHOD-DATA sequence (see section 5.7.1).

Realm Names
    All implementations must
understand hierarchical realms in both the Internet Domain and the X.500 style. When a ticket granting ticket for an unknown realm is requested, the KDC must be able to determine the names of the intermediate realms between the KDC's realm and the requested realm.

Transited field encoding
    DOMAIN-X500-COMPRESS (described in section 3.3.3.1) must be supported. Alternative encodings may be supported, but they may be used only when that encoding is supported by ALL intermediate realms.

Pre-authentication methods
    The TGS-REQ method must be supported. The TGS-REQ method is not used on the initial request.

Mutual authentication
    Mutual authentication (via the KRB_AP_REP message) must be supported.

Ticket addresses and flags
    All KDCs must pass on tickets that carry no addresses (i.e. if a TGT contains no addresses, the KDC will return derivative tickets), but each realm may set its own policy for issuing such
tickets, and each application server will set its own policy with respect to accepting them. By default, servers should not accept them.

    Proxies and forwarded tickets must be supported. Individual realms and application servers can set their own policy on when such tickets will be accepted.

    All implementations must recognize renewable and postdated tickets, but need not actually implement them. If these options are not supported, the starttime and endtime in the ticket shall specify a ticket's entire useful life. When a postdated ticket is decoded by a server, all implementations shall make the presence of the postdated flag visible to the calling server.

User-to-user authentication
    Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC option) is not required.

Authorization data
    Implementations must pass all authorization data subfields from ticket-granting tickets to any derivative tickets unless directed to
suppress a subfield as part of the definition of that registered subfield type (it is never incorrect to pass on a subfield, and no registered subfield types presently specify suppression at the KDC).

    Implementations must make the contents of any authorization data subfields available to the server when a ticket is used. Implementations are not required to allow clients to specify the contents of the authorization data fields.

8.2. Recommended KDC values

Following is a list of recommended values for a KDC implementation, based on the list of suggested configuration constants (see section 4.4).

    minimum lifetime                5 minutes
    maximum renewable lifetime      1 week
    maximum ticket lifetime         1 day
    empty addresses                 Not allowed.
    proxiable, etc.                 Allowed.

9. Acknowledgments

Early versions of this document, describing version 4 of
the protocol, were written by Jennifer Steiner (formerly at Project Athena); these drafts provided an excellent starting point for this current version 5 specification. Many people in the Internet community have contributed ideas and suggested protocol changes for version 5. Notable contributions came from Ted Anderson, Steve Bellovin and Michael Merritt,[12] Daniel Bernstein, Mike Burrows, Donald Davis, Morrie Gasser, Bill Griffeth, Mark Lillibridge, Mark Lomas, Joe Pato, William Sommerfeld, Ralph Swick, and Stanley Zanarotti. Many others commented and helped shape this specification into its current form.

10. REFERENCES

1.  S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer, Section E.2.1: Kerberos Authentication and Authorization System, M.I.T. Project Athena, Cambridge, Massachusetts (December 21, 1987).

2.  J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Kerberos: An Authentication Service for Open Network Systems,"
    pp. 191-202 in Usenix Conference Proceedings, Dallas, Texas (February, 1988).

3.  R. M. Needham and M. D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Communications of the ACM 21(12), pp. 993-999 (December, 1978).

4.  Dorothy E. Denning and Giovanni Maria Sacco, "Timestamps in Key Distribution Protocols," Communications of the ACM 24(8), pp. 533-536 (August 1981).

5.  Don Davis and Ralph Swick, Workstation Services and Kerberos Authentication at Project Athena, MIT Project Athena (March 3, 1989).

6.  P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Sommerfeld, and K. Raeburn, Section E.1: Service Management System, M.I.T. Project Athena, Cambridge, Massachusetts (1987).

7.  B. Clifford Neuman, Proxy-Based Authorization and Accounting for Distributed Systems, Department of Computer Science and Engineering, University of Washington (Draft of November 1990).

8.  National Bureau of
1417(Standards,)X 1782(``Data)X 2016(Encryption)X 2400(Standard,'')X 2787(Federal)X 3056(Information)X 3467(Processing)X 3842(Stan-)X 755 3380(dards)N 949(Publication)X 1333(46,)X 1473(Washington,)X 1900(D.C.)X 2071(\(1977\).)X 555 3504(9.)N 755(National)X 1061(Bureau)X 1322(of)X 1418(Standards,)X 1783(``DES)X 2017(Modes)X 2264(of)X 2360(Operation,'')X 2784(Federal)X 3054(Information)X 3466(Processing)X 3842(Stan-)X 755 3600(dards)N 949(Publication)X 1333(81,)X 1473(Spring\256eld,)X 1868(VA)X 2004(\(1980\).)X 555 3724(10.)N 755(International)X 1192(Organization)X 1638(for)X 1759(Standardization,)X 2309(``ISO)X 2519(Information)X 2929(Processing)X 3303(Systems)X 3596(-)X 3650(Data)X 3829(Com-)X 755 3820(munication)N 1150(-)X 1212(High-Level)X 1617(Data)X 1803(Link)X 1988(Control)X 2266(Procedure)X 2626(-)X 2687(Frame)X 2926(Structure,'')X 3328(3309,)X 3562(ISO)X 3725(\(October)X 755 3916(1984\).)N 1002(3rd)X 1129(Edition.)X 555 4040(11.)N 755(R.)X 853(Rivest,)X 1102(``The)X 1306(MD4)X 1500(Message)X 1806(Digest)X 2039(Algorithm,'')X 2470(RFC)X 2644(1186,)X 2868(MIT)X 3039(Laboratory)X 3420(for)X 3538(Computer)X 3882(Sci-)X 755 4136(ence)N 923(\(October)X 1229(1990\).)X 555 4260(12.)N 755(S.M.)X 945(Bellovin)X 1255(and)X 1406(M.)X 1532(Merritt,)X 1814(``Limitations)X 2271(of)X 2373(the)X 2506(Kerberos)X 2836(Authentication)X 3347(System,'')X 2 f 3691(Computer)X 755 4356(Communications)N 1317(Review)X 3 f 1569(20)X 1 f (\(5\),)S 1783(pp.)X 1903(119-132)X 2190(\(October)X 2496(1990\).)X 555 6144(Section)N 815(10.)X 2196(-)X 2243(46)X 2343(-)X 47 p %%Page: 47 48 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 12 s 555 672(A.)N 696(Pseudo-code)X 1232(for)X 1379(protocol)X 1745(processing)X 1 f 10 s 755 796(This)N 926(appendix)X 1249(provides)X 1554(pseudo-code)X 1989(describing)X 2351(how)X 2517(the)X 2643(messages)X 2974(are)X 3101(to)X 3191(be)X 3295(constructed)X 3693(and)X 3837(inter-)X 555 892(preted)N 776(by)X 876(clients)X 1105(and)X 
1241(servers.)X 3 f 12 s 555 1084(A.1.)N 768(KRB_AS_REQ)X 1426(generation)X 7 f 10 s 939 1180(request.pvno)N 1563(:=)X 1707(protocol)X 2139(version;)X 2571(/*)X 2715(pvno)X 2955(=)X 3051(5)X 3147(*/)X 939 1276(request.msg-type)N 1755(:=)X 1899(message)X 2283(type;)X 2571(/*)X 2715(type)X 2955(=)X 3051(KRB_AS_REQ)X 3579(*/)X 939 1468(body.kdc-options)N 1755(:=)X 1899(users's)X 2283(preferences;)X 939 1564(body.cname)N 1467(:=)X 1611(user's)X 1947(name;)X 939 1660(body.realm)N 1467(:=)X 1611(user's)X 1947(realm;)X 939 1756(body.sname)N 1467(:=)X 1611(service's)X 2091(name;)X 2379(/*)X 2523(usually)X 2907("krbtgt",)X 3435("localrealm")X 4059(*/)X 939 1852(if)N 1083(\(body.kdc-options.POSTDATED)X 2427(is)X 2571(set\))X 2811(then)X 1323 1948(body.from)N 1803(:=)X 1947(requested)X 2427(starting)X 2859(time;)X 939 2044(else)N 1323 2140(omit)N 1563(body.from;)X 939 2236(endif)N 939 2332(body.till)N 1419(:=)X 1563(requested)X 2043(end)X 2235(time;)X 939 2428(if)N 1083(\(body.kdc-options.RENEWABLE)X 2427(is)X 2571(set\))X 2811(then)X 1323 2524(body.rtime)N 1851(:=)X 1995(requested)X 2475(final)X 2763(renewal)X 3147(time;)X 939 2620(endif)N 939 2716(body.nonce)N 1467(:=)X 1611(random_nonce\(\);)X 939 2812(body.etype)N 1467(:=)X 1611(requested)X 2091(etypes;)X 939 2908(if)N 1083(\(user)X 1371(supplied)X 1803(addresses\))X 2331(then)X 1323 3004(body.addresses)N 2043(:=)X 2187(user's)X 2523(addresses;)X 939 3100(else)N 1323 3196(omit)N 1563(body.addresses;)X 939 3292(endif)N 939 3388(omit)N 1179(body.enc-authorization-data;)X 939 3484(request.req-body)N 1755(:=)X 1899(body;)X 939 3676(kerberos)N 1371(:=)X 1515(lookup\(name)X 2091(of)X 2235(local)X 2523(kerberos)X 2955(server)X 3291(\(or)X 3483(servers\)\);)X 939 3772(send\(packet,kerberos\);)N 939 3964(wait\(for)N 1371(response\);)X 939 4060(if)N 1083(\(timed_out\))X 1659(then)X 1323 4156(retry)N 1611(or)X 1755(use)X 1947(alternate)X 2427(server;)X 939 4252(endif)N 3 f 12 s 555 4444(A.2.)N 768(KRB_AS_REQ)X 1426(veri\256cation)X 
1915(and)X 2093(KRB_AS_REP)X 2735(generation)X 7 f 10 s 939 4540(decode)N 1275(message)X 1659(into)X 1899(req;)X 939 4732(client)N 1275(:=)X 1419(lookup\(req.cname,req.realm\);)X 939 4828(server)N 1275(:=)X 1419(lookup\(req.sname,req.realm\);)X 939 5020(get)N 1131(system_time;)X 939 5116(kdc_time)N 1371(:=)X 1515(system_time.seconds;)X 939 5308(if)N 1083(\(!client\))X 1563(then)X 1323 5404(/*)N 1467(no)X 1611(client)X 1947(in)X 2091(Database)X 2523(*/)X 1323 5500(error_out\(KDC_ERR_C_PRINCIPAL_UNKNOWN\);)N 939 5596(endif)N 939 5692(if)N 1083(\(!server\))X 1563(then)X 1323 5788(/*)N 1467(no)X 1611(server)X 1947(in)X 2091(Database)X 2523(*/)X 1 f 555 6144(Section)N 815(A.2.)X 2196(-)X 2243(47)X 2343(-)X 48 p %%Page: 48 49 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 7 f 1323 672(error_out\(KDC_ERR_S_PRINCIPAL_UNKNOWN\);)N 939 768(endif)N 939 960(use_etype)N 1419(:=)X 1563(first)X 1851(supported)X 2331(etype)X 2619(in)X 2763(req.etypes;)X 939 1152(if)N 1083(\(no)X 1275(support)X 1659(for)X 1851(req.etypes\))X 2427(then)X 1323 1248(error_out\(KDC_ERR_ETYPE_NOSUPP\);)N 939 1344(endif)N 939 1536(new_tkt.vno)N 1515(:=)X 1659(ticket)X 1995(version;)X 2427(/*)X 2571(=)X 2667(5)X 2763(*/)X 939 1632(new_tkt.sname)N 1611(:=)X 1755(req.sname;)X 939 1728(new_tkt.srealm)N 1659(:=)X 1803(req.srealm;)X 939 1824(reset)N 1227(all)X 1419(flags)X 1707(in)X 1851(new_tkt.flags;)X 939 2016(/*)N 1083(It)X 1227(should)X 1563(be)X 1707(noted)X 1995(that)X 2235(local)X 2523(policy)X 2859(may)X 3051(affect)X 3387(the)X 3627(*/)X 939 2112(/*)N 1083(processing)X 1611(of)X 1755(any)X 1947(of)X 2091(these)X 2379(flags.)X 2763(For)X 2955(example,)X 3387(some)X 3627(*/)X 939 2208(/*)N 1083(realms)X 1419(may)X 1611(refuse)X 1947(to)X 2091(issue)X 2379(renewable)X 2859(tickets)X 3627(*/)X 939 2400(if)N 1083(\(req.kdc-options.FORWARDABLE)X 2475(is)X 2619(set\))X 2859(then)X 1323 2496(set)N 1515(new_tkt.flags.FORWARDABLE;)X 939 2592(endif)N 939 2688(if)N 
1083(\(req.kdc-options.PROXIABLE)X 2379(is)X 2523(set\))X 2763(then)X 1323 2784(set)N 1515(new_tkt.flags.PROXIABLE;)X 939 2880(endif)N 939 2976(if)N 1083(\(req.kdc-options.ALLOW-POSTDATE)X 2619(is)X 2763(set\))X 3003(then)X 1323 3072(set)N 1515(new_tkt.flags.ALLOW-POSTDATE;)X 939 3168(endif)N 939 3264(if)N 1083(\(\(req.kdc-options.RENEW)X 2235(is)X 2379(set\))X 2619(or)X 1131 3360(\(req.kdc-options.VALIDATE)N 2379(is)X 2523(set\))X 2763(or)X 1131 3456(\(req.kdc-options.PROXY)N 2235(is)X 2379(set\))X 2619(or)X 1131 3552(\(req.kdc-options.FORWARDED)N 2427(is)X 2571(set\))X 2811(or)X 1131 3648(\(req.kdc-options.ENC-TKT-IN-SKEY)N 2715(is)X 2859(set\)\))X 3147(then)X 1323 3744(error_out\(KDC_ERR_BADOPTION\);)N 939 3840(endif)N 939 4032(new_tkt.session)N 1707(:=)X 1851(random_session_key\(\);)X 939 4128(new_tkt.cname)N 1611(:=)X 1755(req.cname;)X 939 4224(new_tkt.crealm)N 1659(:=)X 1803(req.crealm;)X 939 4320(new_tkt.transited)N 1803(:=)X 1947(empty_transited_field\(\);)X 939 4512(new_tkt.authtime)N 1755(:=)X 1899(kdc_time;)X 939 4704(if)N 1083(\(req.kdc-options.POSTDATED)X 2379(is)X 2523(set\))X 2763(then)X 1083 4800(if)N 1227(\(against_postdate_policy\(req.from\)\))X 2955(then)X 1323 4896(error_out\(KDC_ERR_POLICY\);)N 1083 4992(endif)N 1083 5088(set)N 1275(new_tkt.flags.INVALID;)X 1083 5184(new_tkt.starttime)N 1947(:=)X 2091(req.from;)X 939 5280(else)N 1083 5376(omit)N 1323(new_tkt.starttime;)X 2235(/*)X 2379(treated)X 2763(as)X 2907(authtime)X 3339(when)X 3579(omitted)X 3963(*/)X 939 5472(endif)N 939 5568(if)N 1083(\(req.till)X 1563(=)X 1659(0\))X 1803(then)X 1323 5664(till)N 1563(:=)X 1707(infinity;)X 939 5760(else)N 1 f 555 6144(Section)N 815(A.2.)X 2196(-)X 2243(48)X 2343(-)X 49 p %%Page: 49 50 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 7 f 1323 672(till)N 1563(:=)X 1707(req.till;)X 939 768(endif)N 939 960(new_tkt.endtime)N 1707(:=)X 1851(min\(till,)X 1995 1056(new_tkt.starttime+client.max_life,)N 1995 
1152(new_tkt.starttime+server.max_life,)N 1995 1248(new_tkt.starttime+max_life_for_realm\);)N 939 1440(if)N 1083(\(\(req.kdc-options.RENEWABLE-OK)X 2571(is)X 2715(set\))X 2955(and)X 1131 1536(\(new_tkt.endtime)N 1947(<)X 2043(req.till\)\))X 2571(then)X 1323 1632(/*)N 1467(we)X 1611(set)X 1803(the)X 1995(RENEWABLE)X 2475(option)X 2811(for)X 3003(later)X 3291(processing)X 3819(*/)X 1323 1728(set)N 1515(req.kdc-options.RENEWABLE;)X 1323 1824(req.rtime)N 1803(:=)X 1947(req.till;)X 939 1920(endif)N 939 2112(if)N 1083(\(req.rtime)X 1611(=)X 1707(0\))X 1851(then)X 1323 2208(rtime)N 1611(:=)X 1755(infinity;)X 939 2304(else)N 1323 2400(rtime)N 1611(:=)X 1755(req.rtime;)X 939 2496(endif)N 939 2688(if)N 1083(\(req.kdc-options.RENEWABLE)X 2379(is)X 2523(set\))X 2763(then)X 1323 2784(set)N 1515(new_tkt.flags.RENEWABLE;)X 1323 2880(new_tkt.renew-till)N 2235(:=)X 2379(min\(rtime,)X 2571 2976(new_tkt.starttime+client.max_rlife,)N 2571 3072(new_tkt.starttime+server.max_rlife,)N 2571 3168(new_tkt.starttime+max_rlife_for_realm\);)N 939 3264(else)N 1323 3360(omit)N 1563(new_tkt.renew-till;)X 2523(/*)X 2667(only)X 2907(present)X 3291(if)X 3435(RENEWABLE)X 3915(*/)X 939 3456(endif)N 939 3648(if)N 1083(\(req.addresses\))X 1851(then)X 1323 3744(new_tkt.caddr)N 1995(:=)X 2139(req.addresses;)X 939 3840(else)N 1323 3936(omit)N 1563(new_tkt.caddr;)X 939 4032(endif)N 939 4224(new_tkt.authorization_data)N 2235(:=)X 2379(empty_authorization_data\(\);)X 939 4416(encode)N 1275(to-be-encrypted)X 2043(part)X 2283(of)X 2427(ticket)X 2763(into)X 3003(OCTET)X 3291(STRING;)X 939 4512(new_tkt.enc-part)N 1755(:=)X 1899(encrypt)X 2283(OCTET)X 2571(STRING)X 1323 4608(using)N 1611(etype_for_key\(server.key\),)X 2907(server.key,)X 3483(server.p_kvno;)X 939 4896(/*)N 1083(Start)X 1371(processing)X 1899(the)X 2091(response)X 2523(*/)X 939 5088(resp.pvno)N 1419(:=)X 1563(5;)X 939 5184(resp.msg-type)N 1611(:=)X 1755(KRB_AS_REP;)X 939 5280(resp.cname)N 1467(:=)X 1611(req.cname;)X 939 5376(resp.crealm)N 1515(:=)X 
1659(req.realm;)X 939 5472(resp.ticket)N 1515(:=)X 1659(new_tkt;)X 939 5664(resp.key)N 1371(:=)X 1515(new_tkt.session;)X 939 5760(resp.last-req)N 1611(:=)X 1755(fetch_last_request_info\(client\);)X 1 f 555 6144(Section)N 815(A.2.)X 2196(-)X 2243(49)X 2343(-)X 50 p %%Page: 50 51 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 7 f 939 672(resp.nonce)N 1467(:=)X 1611(req.nonce;)X 939 768(resp.key-expiration)N 1899(:=)X 2043(client.expiration;)X 939 864(resp.flags)N 1467(:=)X 1611(new_tkt.flags;)X 939 1056(resp.authtime)N 1611(:=)X 1755(new_tkt.authtime;)X 939 1152(resp.starttime)N 1659(:=)X 1803(new_tkt.starttime;)X 939 1248(resp.endtime)N 1563(:=)X 1707(new_tkt.endtime;)X 939 1440(if)N 1083(\(new_tkt.flags.RENEWABLE\))X 2331(then)X 1323 1536(resp.renew-till)N 2091(:=)X 2235(new_tkt.renew-till;)X 939 1632(endif)N 939 1824(resp.realm)N 1467(:=)X 1611(new_tkt.realm;)X 939 1920(resp.sname)N 1467(:=)X 1611(new_tkt.sname;)X 939 2112(resp.caddr)N 1467(:=)X 1611(new_tkt.caddr;)X 939 2304(encode)N 1275(body)X 1515(of)X 1659(reply)X 1947(into)X 2187(OCTET)X 2475(STRING;)X 939 2496(resp.enc-part)N 1611(:=)X 1755(encrypt)X 2139(OCTET)X 2427(STRING)X 1755 2592(using)N 2043(use_etype,)X 2571(client.key,)X 3147(client.p_kvno;)X 939 2688(send\(resp\);)N 3 f 12 s 555 2880(A.3.)N 768(KRB_AS_REP)X 1410(veri\256cation)X 7 f 10 s 939 2976(decode)N 1275(response)X 1707(into)X 1947(resp;)X 939 3168(if)N 1083(\(resp.msg-type)X 1803(=)X 1899(KRB_ERROR\))X 2427(then)X 1323 3264(process_error\(resp\);)N 1323 3360(return;)N 939 3456(endif)N 939 3648(/*)N 1083(On)X 1227(error,)X 1563(discard)X 1947(the)X 2139(response,)X 2619(and)X 2811(zero)X 3051(the)X 3243(session)X 3627(key)X 3819(*/)X 939 3744(/*)N 1083(from)X 1323(the)X 1515(response)X 1947(immediately)X 2523(*/)X 939 3936(key)N 1131(=)X 1227(get_decryption_key\(resp.enc-part.kvno,)X 3099(resp.enc-part.etype,)X 2139 4032(resp.padata\);)N 939 4128(unencrypted)N 1515(part)X 1755(of)X 1899(resp)X 2139(:=)X 
2283(decode)X 2619(of)X 2763(decrypt)X 3147(of)X 3291(resp.enc-part)X 2091 4224(using)N 2379(resp.enc-part.etype)X 3339(and)X 3531(key;)X 939 4320(zero\(key\);)N 939 4512(if)N 1083(\(common_as_rep_tgs_rep_checks)X 2523(fail\))X 2811(then)X 1323 4608(destroy)N 1707(resp.key;)X 1323 4704(return)N 1659(error;)X 939 4800(endif)N 939 4992(if)N 1083(near\(resp.princ_exp\))X 2091(then)X 1323 5088(print\(warning)N 1995(message\);)X 939 5184(endif)N 939 5280(save_for_later\(ticket,session,client,server,times,flags\);)N 3 f 12 s 555 5472(A.4.)N 768(KRB_AS_REP)X 1410(and)X 1588(KRB_TGS_REP)X 2300(common)X 2676(checks)X 7 f 10 s 939 5568(if)N 1083(\(decryption_error\(\))X 2043(or)X 1131 5664(\(req.cname)N 1659(!=)X 1803(resp.cname\))X 2379(or)X 1131 5760(\(req.realm)N 1659(!=)X 1803(resp.crealm\))X 2427(or)X 1 f 555 6144(Section)N 815(A.4.)X 2196(-)X 2243(50)X 2343(-)X 51 p %%Page: 51 52 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 7 f 1131 672(\(req.sname)N 1659(!=)X 1803(resp.sname\))X 2379(or)X 1131 768(\(req.realm)N 1659(!=)X 1803(resp.realm\))X 2379(or)X 1131 864(\(req.nonce)N 1659(!=)X 1803(resp.nonce\))X 2379(or)X 1131 960(\(req.addresses)N 1851(!=)X 1995(resp.caddr\)\))X 2619(then)X 1323 1056(destroy)N 1707(resp.key;)X 1323 1152(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 1248(endif)N 939 1440(/*)N 1083(make)X 1323(sure)X 1563(no)X 1707(flags)X 1995(are)X 2187(set)X 2379(that)X 2619(shouldn't)X 3099(be,)X 3291(and)X 3483(that)X 3723(all)X 3915(that)X 4155(*/)X 939 1536(/*)N 1083(should)X 1419(be)X 1563(are)X 1755(set)X 4155(*/)X 939 1632(if)N 1083(\(!check_flags_for_compatability\(req.kdc-options,resp.flags\)\))X 4011(then)X 1323 1728(destroy)N 1707(resp.key;)X 1323 1824(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 1920(endif)N 939 2112(if)N 1083(\(\(req.from)X 1611(=)X 1707(0\))X 1851(and)X 1131 2208(\(resp.starttime)N 1899(is)X 2043(not)X 2235(within)X 2571(allowable)X 3051(skew\)\))X 3387(then)X 1323 2304(destroy)N 1707(resp.key;)X 1323 
2400(return)N 1659(KRB_AP_ERR_SKEW;)X 939 2496(endif)N 939 2592(if)N 1083(\(\(req.from)X 1611(!=)X 1755(0\))X 1899(and)X 2091(\(req.from)X 2571(!=)X 2715(resp.starttime\)\))X 3531(then)X 1323 2688(destroy)N 1707(resp.key;)X 1323 2784(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 2880(endif)N 939 2976(if)N 1083(\(\(req.till)X 1611(!=)X 1755(0\))X 1899(and)X 2091(\(resp.endtime)X 2763(>)X 2859(req.till\)\))X 3387(then)X 1323 3072(destroy)N 1707(resp.key;)X 1323 3168(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 3264(endif)N 939 3456(if)N 1083(\(\(req.kdc-options.RENEWABLE)X 2427(is)X 2571(set\))X 2811(and)X 1131 3552(\(req.rtime)N 1659(!=)X 1803(0\))X 1947(and)X 2139(\(resp.renew-till)X 2955(>)X 3051(req.rtime\)\))X 3627(then)X 1323 3648(destroy)N 1707(resp.key;)X 1323 3744(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 3840(endif)N 939 3936(if)N 1083(\(\(req.kdc-options.RENEWABLE-OK)X 2571(is)X 2715(set\))X 2955(and)X 1131 4032(\(resp.flags.RENEWABLE\))N 2235(and)X 1131 4128(\(req.till)N 1611(!=)X 1755(0\))X 1899(and)X 1131 4224(\(resp.renew-till)N 1947(>)X 2043(req.till\)\))X 2571(then)X 1323 4320(destroy)N 1707(resp.key;)X 1323 4416(return)N 1659(KRB_AP_ERR_MODIFIED;)X 939 4512(endif)N 3 f 12 s 555 4704(A.5.)N 768(KRB_TGS_REQ)X 1496(generation)X 7 f 10 s 939 4800(/*)N 1083(Note)X 1323(that)X 1563(make_application_request)X 2763(might)X 3051(have)X 3291(to)X 3435(recursivly)X 4155(*/)X 939 4896(/*)N 1083(call)X 1323(this)X 1563(routine)X 1947(to)X 2091(get)X 2283(the)X 2475(appropriate)X 3051(ticket-granting)X 3819(ticket)X 4155(*/)X 939 5088(request.pvno)N 1563(:=)X 1707(protocol)X 2139(version;)X 2571(/*)X 2715(pvno)X 2955(=)X 3051(5)X 3147(*/)X 939 5184(request.msg-type)N 1755(:=)X 1899(message)X 2283(type;)X 2571(/*)X 2715(type)X 2955(=)X 3051(KRB_TGS_REQ)X 3627(*/)X 939 5376(body.kdc-options)N 1755(:=)X 1899(users's)X 2283(preferences;)X 939 5472(body.sname)N 1467(:=)X 1611(service's)X 2091(name;)X 939 5664(if)N 1083(\(body.kdc-options.POSTDATED)X 2427(is)X 2571(set\))X 
2811(then)X 1323 5760(body.from)N 1803(:=)X 1947(requested)X 2427(starting)X 2859(time;)X 1 f 555 6144(Section)N 815(A.5.)X 2196(-)X 2243(51)X 2343(-)X 52 p %%Page: 52 53 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 7 f 939 672(else)N 1323 768(omit)N 1563(body.from;)X 939 864(endif)N 939 960(body.till)N 1419(:=)X 1563(requested)X 2043(end)X 2235(time;)X 939 1056(if)N 1083(\(body.kdc-options.RENEWABLE)X 2427(is)X 2571(set\))X 2811(then)X 1323 1152(body.rtime)N 1851(:=)X 1995(requested)X 2475(final)X 2763(renewal)X 3147(time;)X 939 1248(endif)N 939 1344(body.nonce)N 1467(:=)X 1611(random_nonce\(\);)X 939 1440(body.etype)N 1467(:=)X 1611(requested)X 2091(etypes;)X 939 1536(if)N 1083(\(user)X 1371(supplied)X 1803(addresses\))X 2331(then)X 1323 1632(body.addresses)N 2043(:=)X 2187(user's)X 2523(addresses;)X 939 1728(else)N 1323 1824(omit)N 1563(body.addresses;)X 939 1920(endif)N 939 2112(body.enc-authorization-data)N 2283(:=)X 2427(user-supplied)X 3099(data;)X 939 2208(if)N 1083(\(body.kdc-options.ENC-TKT-IN-SKEY\))X 2763(then)X 1323 2304(body.additional-tickets_ticket)N 2811(:=)X 2955(second)X 3291(TGT;)X 939 2400(endif)N 939 2592(request.req-body)N 1755(:=)X 1899(body;)X 939 2688(check)N 1227(:=)X 1371(generate_checksum)X 2235(\(req.body,checksumtype\);)X 939 2880(request.pa-data[0].pa-type)N 2235(:=)X 2379(PA-TGS-REQ;)X 939 2976(request.pa-data[0].pa-data)N 2235(:=)X 2379(create)X 2715(a)X 2811(KRB_AP_REQ)X 3339(using)X 2379 3072(the)N 2571(TGT)X 2763(and)X 2955(checksum)X 939 3264(/*)N 1083(add)X 1275(in)X 1419(any)X 1611(other)X 1899(pa-data)X 2283(as)X 2427(required/supplied)X 3291(*/)X 939 3456(kerberos)N 1371(:=)X 1515(lookup\(name)X 2091(of)X 2235(local)X 2523(kerberose)X 3003(server)X 3339(\(or)X 3531(servers\)\);)X 939 3552(send\(packet,kerberos\);)N 939 3744(wait\(for)N 1371(response\);)X 939 3840(if)N 1083(\(timed_out\))X 1659(then)X 1323 3936(retry)N 1611(or)X 1755(use)X 1947(alternate)X 2427(server;)X 939 4032(endif)N 3 f 
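The A.2 lifetime and renewal derivation and the A.4 client-side checks, carried out in Python on constructed request and reply records. This is an added example, not pseudo-code from the draft: the draft leaves check_flags_for_compatibility undefined, so flags_compatible is an assumed minimal version; the 5-minute skew window, the max_life and max_rlife limits, and the principal names, nonce and times are all constructed values.

```python
"""KDC lifetime/renewal derivation (Appendix A.2) and the client's reply
checks (Appendix A.4) on constructed records.  Added example, not part of
the draft.  Times are integer seconds; a request field of 0 means "not
requested", and INFINITY stands for the draft's "infinity"."""
from dataclasses import dataclass, field, replace
from typing import Optional

INFINITY = 2 ** 63 - 1
CLOCK_SKEW = 5 * 60     # allowable skew; 5 minutes is an assumed policy value
REQUESTABLE = {"FORWARDABLE", "PROXIABLE", "ALLOW-POSTDATE", "RENEWABLE"}


@dataclass
class KdcReq:            # the req-body fields the checks look at
    cname: str
    realm: str
    sname: str
    nonce: int
    till: int = 0
    rtime: int = 0
    from_: int = 0       # "from" in the draft; 0 = not postdated
    options: set = field(default_factory=set)   # kdc-options by name
    addresses: tuple = ()


@dataclass
class KdcRep:            # the decrypted part of the reply
    cname: str
    crealm: str
    sname: str
    realm: str
    nonce: int
    authtime: int
    starttime: int
    endtime: int
    flags: set = field(default_factory=set)
    renew_till: Optional[int] = None
    caddr: tuple = ()


def issue_as_rep(req, kdc_time, max_life, max_rlife):
    """A.2: derive endtime, the RENEWABLE flag and renew-till.
    max_life / max_rlife are the (client, server, realm) limits in seconds."""
    opts = set(req.options)      # the KDC's copy; the client's request is unchanged
    starttime = kdc_time         # starttime omitted => treated as authtime
    till = INFINITY if req.till == 0 else req.till
    endtime = min([till] + [starttime + life for life in max_life])
    rtime_req = req.rtime
    # RENEWABLE-OK: when the full lifetime cannot be granted, issue a
    # renewable ticket whose renew-till covers the requested end time.
    if "RENEWABLE-OK" in opts and endtime < req.till:
        opts.add("RENEWABLE")
        rtime_req = req.till
    flags, renew_till = set(), None
    if "RENEWABLE" in opts:
        rtime = INFINITY if rtime_req == 0 else rtime_req
        flags.add("RENEWABLE")
        renew_till = min([rtime] + [starttime + life for life in max_rlife])
    return KdcRep(cname=req.cname, crealm=req.realm, sname=req.sname,
                  realm=req.realm, nonce=req.nonce, authtime=kdc_time,
                  starttime=starttime, endtime=endtime, flags=flags,
                  renew_till=renew_till, caddr=req.addresses)


def flags_compatible(options, flags):
    """Assumed stand-in for the draft's undefined check_flags_for_compatibility():
    every requested flag must be set and nothing else may be, except RENEWABLE
    when RENEWABLE-OK was given."""
    wanted = options & REQUESTABLE
    allowed = wanted | ({"RENEWABLE"} if "RENEWABLE-OK" in options else set())
    return wanted <= flags <= allowed


def common_checks(req, resp, now, decryption_error=False):
    """A.4: None if the reply is acceptable, else the error to return."""
    if (decryption_error or req.cname != resp.cname or req.realm != resp.crealm
            or req.sname != resp.sname or req.realm != resp.realm
            or req.nonce != resp.nonce or tuple(req.addresses) != tuple(resp.caddr)):
        return "KRB_AP_ERR_MODIFIED"
    if not flags_compatible(req.options, resp.flags):
        return "KRB_AP_ERR_MODIFIED"
    if req.from_ == 0 and abs(resp.starttime - now) > CLOCK_SKEW:
        return "KRB_AP_ERR_SKEW"
    if req.from_ != 0 and req.from_ != resp.starttime:
        return "KRB_AP_ERR_MODIFIED"
    if req.till != 0 and resp.endtime > req.till:
        return "KRB_AP_ERR_MODIFIED"
    if ("RENEWABLE" in req.options and req.rtime != 0
            and resp.renew_till is not None and resp.renew_till > req.rtime):
        return "KRB_AP_ERR_MODIFIED"
    if ("RENEWABLE-OK" in req.options and "RENEWABLE" in resp.flags
            and req.till != 0 and resp.renew_till > req.till):
        return "KRB_AP_ERR_MODIFIED"
    return None


def demo():
    """Constructed exchange: a 24h request against an 8h server limit, then the
    same reply with single fields altered, as an on-path modification would."""
    now = 1_000_000
    req = KdcReq(cname="alice", realm="EXAMPLE.ORG", sname="krbtgt", nonce=0x1234,
                 till=now + 24 * 3600, options={"RENEWABLE-OK"})
    rep = issue_as_rep(req, kdc_time=now, max_life=(10 * 3600, 8 * 3600, 10 * 3600),
                       max_rlife=(7 * 86400, 7 * 86400, 7 * 86400))
    results = {
        "genuine": common_checks(req, rep, now),
        "endtime_past_till": common_checks(req, replace(rep, endtime=req.till + 3600), now),
        "nonce_altered": common_checks(req, replace(rep, nonce=rep.nonce + 1), now),
        "renew_till_past_till": common_checks(req, replace(rep, renew_till=req.till + 1), now),
        "start_outside_skew": common_checks(req, replace(rep, starttime=now + 3600), now),
    }
    return rep, results
```

Running demo() shows the two halves fitting together: the KDC cannot grant the 24-hour lifetime, so with RENEWABLE-OK it issues an 8-hour renewable ticket whose renew-till is the requested end time, and the client accepts it; any single altered field in the reply is caught by the A.4 checks and the session key would be destroyed rather than used.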
A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation

    /* note that reading the application request requires first
       determining the server for which a ticket was issued, and choosing the
       correct key for decryption.  The name of the server appears in the
       plaintext part of the ticket. */

    if (no KRB_AP_REQ in req.pa-data) then
            error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
    endif
    verify KRB_AP_REQ in req.pa-data;

    /* Note that the realm in which the Kerberos server is operating is
       determined by the instance from the ticket-granting ticket.  The realm
       in the ticket-granting ticket is the realm under which the ticket
       granting ticket was issued.  It is possible for a single Kerberos
       server to support more than one realm. */

    auth_hdr := KRB_AP_REQ;
    tgt := auth_hdr.ticket;

    realm := realm_tgt_is_for(tgt);

    decode remainder of request;

    if (auth_hdr.authenticator.cksum type is not supported) then
            error_out(KDC_ERR_SUMTYPE_NOSUPP);
    endif
    if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then
            error_out(KRB_AP_ERR_INAPP_CKSUM);
    endif
    server := lookup(req.sname,realm);

    if (!server) then
            if (is_foreign_tgt_name(server)) then
                    server := best_intermediate_tgs(server);
            else
                    /* no server in Database */
                    error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
            endif
    endif

    session := generate_random_session_key();

    use_etype := first supported etype in req.etypes;

    if (no support for req.etypes) then
            error_out(KDC_ERR_ETYPE_NOSUPP);
    endif

    new_tkt.vno := ticket version; /* = 5 */
    new_tkt.sname := req.sname;
    new_tkt.srealm := realm;
    reset all flags in new_tkt.flags;

    /* It should be noted that local policy may affect the   */
    /* processing of any of these flags.  For example, some  */
    /* realms may refuse to issue renewable tickets          */

    new_tkt.caddr := tgt.caddr;
    resp.caddr := NULL; /* We only include this if they change */
    if (req.kdc-options.FORWARDABLE is set) then
            if (tgt.flags.FORWARDABLE is reset) then
                    error_out(KDC_ERR_BADOPTION);
            endif
            set new_tkt.flags.FORWARDABLE;
    endif
    if (req.kdc-options.FORWARDED is set) then
            if (tgt.flags.FORWARDABLE is reset) then
                    error_out(KDC_ERR_BADOPTION);
            endif
            set new_tkt.flags.FORWARDED;
            new_tkt.caddr := req.addresses;
            resp.caddr := req.addresses;
    endif
    if (tgt.flags.FORWARDED is set) then
            set new_tkt.flags.FORWARDED;
    endif

    if (req.kdc-options.PROXIABLE is set) then
            if (tgt.flags.PROXIABLE is reset) then
                    error_out(KDC_ERR_BADOPTION);
            endif
            set new_tkt.flags.PROXIABLE;
    endif
    if (req.kdc-options.PROXY is set) then
            if (tgt.flags.PROXIABLE is reset) then
                    error_out(KDC_ERR_BADOPTION);
            endif
            set new_tkt.flags.PROXY;
            new_tkt.caddr := req.addresses;
            resp.caddr := req.addresses;
    endif

    if (req.kdc-options.POSTDATE is set) then
            if (tgt.flags.POSTDATE is reset) then
                    error_out(KDC_ERR_BADOPTION);
            endif
            set new_tkt.flags.POSTDATE;
    endif
    if (req.kdc-options.POSTDATED is set) then
            if (tgt.flags.POSTDATE is reset) then
                    error_out(KDC_ERR_BADOPTION);
            endif
            set new_tkt.flags.POSTDATED;
            set new_tkt.flags.INVALID;
            if (against_postdate_policy(req.from)) then
                    error_out(KDC_ERR_POLICY);
            endif
            new_tkt.starttime := req.from;
    endif

    if (req.kdc-options.VALIDATE is set) then
            if (tgt.flags.INVALID is reset) then
                    error_out(KDC_ERR_POLICY);
            endif
            if (tgt.starttime > kdc_time) then
                    error_out(KRB_AP_ERR_NYV);
            endif
            if (check_hot_list(tgt)) then
                    error_out(KRB_AP_ERR_REPEAT);
            endif
            tkt := tgt;
            reset new_tkt.flags.INVALID;
    endif

    if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
                         and those already processed) is set) then
            error_out(KDC_ERR_BADOPTION);
    endif

    new_tkt.authtime := tgt.authtime;

    if (req.kdc-options.RENEW is set) then
      /* Note that if the endtime has already passed, the ticket would  */
      /* have been rejected in the initial authentication stage, so     */
      /* there is no need to check again here                           */
            if (tgt.flags.RENEWABLE is reset) then
                    error_out(KDC_ERR_BADOPTION);
            endif
            if (tgt.renew-till < kdc_time) then  /* renewal window has closed */
                    error_out(KRB_AP_ERR_TKT_EXPIRED);
            endif
            tkt := tgt;
            new_tkt.starttime := kdc_time;
            old_life := tgt.endtime - tgt.starttime;
            new_tkt.endtime := min(tgt.renew-till,
                                   new_tkt.starttime + old_life);
    else
            new_tkt.starttime := kdc_time;
            if (req.till = 0) then
                    till := infinity;
            else
                    till := req.till;
            endif
            new_tkt.endtime := min(till,
                                   new_tkt.starttime+client.max_life,
                                   new_tkt.starttime+server.max_life,
                                   new_tkt.starttime+max_life_for_realm,
                                   tgt.endtime);

            if ((req.kdc-options.RENEWABLE-OK is set) and
                (new_tkt.endtime < req.till) and
                (tgt.flags.RENEWABLE is set)) then
                    /* we set the RENEWABLE option for later processing */
                    set req.kdc-options.RENEWABLE;
                    req.rtime := min(req.till, tgt.renew-till);
            endif
    endif

    if (req.rtime = 0) then
            rtime := infinity;
    else
            rtime := req.rtime;
    endif

    if ((req.kdc-options.RENEWABLE is set) and
        (tgt.flags.RENEWABLE is set)) then
            set new_tkt.flags.RENEWABLE;
            new_tkt.renew-till := min(rtime,
                                      new_tkt.starttime+client.max_rlife,
                                      new_tkt.starttime+server.max_rlife,
                                      new_tkt.starttime+max_rlife_for_realm,
                                      tgt.renew-till);
    else
            new_tkt.renew-till := OMIT; /* leave the renew-till field out */
    endif
    if (req.enc-authorization-data is present) then
            decrypt req.enc-authorization-data into decrypted_authorization_data
                    using auth_hdr.authenticator.subkey;
            if (decrypt_error()) then
                    error_out(KRB_AP_ERR_BAD_INTEGRITY);
            endif
    endif
    new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data +
                                  decrypted_authorization_data;

    new_tkt.key := session;
    new_tkt.crealm := tgt.crealm;
    new_tkt.cname := req.auth_hdr.ticket.cname;

    if (realm_tgt_is_for(tgt) = tgt.realm) then
            /* tgt issued by local realm */
            new_tkt.transited := tgt.transited;
    else
            /* was issued for this realm by some other realm */
            if (tgt.transited.tr-type not supported) then
                    error_out(KDC_ERR_TRTYPE_NOSUPP);
            endif
            new_tkt.transited := compress_transited(tgt.transited + tgt.realm);
    endif

    encode encrypted part of new_tkt into OCTET STRING;
    if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
            if (req.second_ticket is not a TGT) then
                    error_out(KDC_ERR_POLICY);
            endif

            new_tkt.enc-part := encrypt OCTET STRING
                    using etype_for_key(second-ticket.key), second-ticket.key;
    else
            new_tkt.enc-part := encrypt OCTET STRING
                    using etype_for_key(server.key), server.key, server.p_kvno;
    endif

    resp.pvno := 5;
    resp.msg-type := KRB_TGS_REP;
    resp.crealm := tgt.crealm;
    resp.cname := tgt.cname;

    resp.ticket := new_tkt;

    resp.key := session;
    resp.nonce := req.nonce;
    resp.last-req := fetch_last_request_info(client);
    resp.flags := new_tkt.flags;

    resp.authtime := new_tkt.authtime;
    resp.starttime := new_tkt.starttime;
    resp.endtime := new_tkt.endtime;

    omit resp.key-expiration;

    resp.sname := new_tkt.sname;
    resp.realm := new_tkt.realm;

    if (new_tkt.flags.RENEWABLE) then
            resp.renew-till := new_tkt.renew-till;
    endif

    encode body of reply into OCTET STRING;

    resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
    send(resp);

A.7. KRB_TGS_REP verification

    decode response into resp;

    if (resp.msg-type = KRB_ERROR) then
            process_error(resp);
            return;
    endif

    /* On error, discard the response, and zero the session key from
       the response immediately */

    unencrypted part of resp := decode of decrypt of resp.enc-part
                                using resp.enc-part.etype and tgt's session key;
    if (common_as_rep_tgs_rep_checks fail) then
            destroy resp.key;
            return error;
    endif

    check authorization_data as necessary;
    save_for_later(ticket,session,client,server,times,flags);

A.8. Authenticator generation

    body.authenticator-vno := authenticator vno; /* = 5 */
    body.cname, body.crealm := client name;
    if (supplying checksum) then
            body.cksum := checksum;
    endif
    get system_time;
    body.ctime, body.cusec := system_time;
    if (selecting sub-session key) then
            select sub-session key;
            body.subkey := sub-session key;
    endif
    if (using sequence numbers) then
            select initial sequence number;
            body.seq-number := initial sequence;
    endif

A.9. KRB_AP_REQ generation

    obtain ticket and session_key from cache;

    packet.pvno := protocol version; /* 5 */
    packet.msg-type := message type; /* KRB_AP_REQ */

    if (desired(MUTUAL_AUTHENTICATION)) then
            set packet.ap-options.MUTUAL-REQUIRED;
    else
            reset packet.ap-options.MUTUAL-REQUIRED;
    endif
    if (using session key for ticket) then
            set packet.ap-options.USE-SESSION-KEY;
    else
            reset packet.ap-options.USE-SESSION-KEY;
    endif
    packet.ticket := ticket; /* ticket */
    generate authenticator;
    encode authenticator into OCTET STRING;
    encrypt OCTET STRING into packet.authenticator using session_key;

A.10. KRB_AP_REQ verification

    receive packet;
    if (packet.pvno != 5) then
            either process using other protocol spec
            or error_out(KRB_AP_ERR_BADVERSION);
    endif
    if (packet.msg-type != KRB_AP_REQ) then
            error_out(KRB_AP_ERR_MSG_TYPE);
    endif
    if (packet.ticket.tkt_vno != 5) then
            either process using other protocol spec
            or error_out(KRB_AP_ERR_BADVERSION);
    endif
    if (packet.ap_options.USE-SESSION-KEY is set) then
            retrieve session key from ticket-granting ticket for
             packet.ticket.{sname,srealm,enc-part.etype};
    else
            retrieve service key for
             packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
    endif
    if (no_key_available) then
            if (cannot_find_specified_skvno) then
                    error_out(KRB_AP_ERR_BADKEYVER);
            else
                    error_out(KRB_AP_ERR_NOKEY);
            endif
    endif
    decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
    if (decryption_error()) then
            error_out(KRB_AP_ERR_BAD_INTEGRITY);
    endif
    decrypt packet.authenticator into decr_authenticator
            using decr_ticket.key;
    if (decryption_error()) then
            error_out(KRB_AP_ERR_BAD_INTEGRITY);
    endif
    if (decr_authenticator.{cname,crealm} !=
        decr_ticket.{cname,crealm}) then
            error_out(KRB_AP_ERR_BADMATCH);
    endif
    if (decr_ticket.caddr is present) then
            if (sender_address(packet) is not in decr_ticket.caddr) then
                    error_out(KRB_AP_ERR_BADADDR);
            endif
    elseif (application requires addresses)
2859(then)X 1323 2592(error_out\(KRB_AP_ERR_BADADDR\);)N 939 2688(endif)N 939 2784(if)N 1083(\(not)X 1323(in_clock_skew\(decr_authenticator.ctime,)X 1995 2880(decr_authenticator.cusec\)\))N 3291(then)X 1323 2976(error_out\(KRB_AP_ERR_SKEW\);)N 939 3072(endif)N 939 3168(if)N 1083(\(repeated\(decr_authenticator.{ctime,cusec,cname,crealm}\)\))X 3867(then)X 1323 3264(error_out\(KRB_AP_ERR_REPEAT\);)N 939 3360(endif)N 939 3456(save_identifier\(decr_authenticator.{ctime,cusec,cname,crealm}\);)N 939 3552(get)N 1131(system_time;)X 939 3648(if)N 1083(\(\(decr_ticket.starttime-system_time)X 2811(>)X 2907(CLOCK_SKEW\))X 3483(or)X 1131 3744(\(decr_ticket.flags.INVALID)N 2427(is)X 2571(set\)\))X 2859(then)X 1323 3840(/*)N 1467(it)X 1611(hasn't)X 1947(yet)X 2139(become)X 2475(valid)X 2763(*/)X 1323 3936(error_out\(KRB_AP_ERR_TKT_NYV\);)N 939 4032(endif)N 939 4128(if)N 1083(\(system_time-decr_ticket.endtime)X 2667(>)X 2763(CLOCK_SKEW\))X 3339(then)X 1323 4224(error_out\(KRB_AP_ERR_TKT_EXPIRED\);)N 939 4320(endif)N 939 4416(/*)N 1083(caller)X 1419(must)X 1659(check)X 1947(decr_ticket.flags)X 2811(for)X 3003(any)X 3195(pertinent)X 3675(details)X 4059(*/)X 939 4512(return\(OK,)N 1467(decr_ticket,)X 2091(packet.ap_options.MUTUAL-REQUIRED\);)X 3 f 12 s 555 4704(A.11.)N 816(KRB_AP_REP)X 1464(generation)X 7 f 10 s 939 4800(packet.pvno)N 1515(:=)X 1659(protocol)X 2091(version;)X 2523(/*)X 2667(5)X 2763(*/)X 939 4896(packet.msg-type)N 1707(:=)X 1851(message)X 2235(type;)X 2523(/*)X 2667(KRB_AP_REP)X 3195(*/)X 939 5088(body.ctime)N 1467(:=)X 1611(packet.ctime;)X 939 5184(body.cusec)N 1467(:=)X 1611(packet.cusec;)X 939 5280(if)N 1083(\(selecting)X 1611(sub-session)X 2187(key\))X 2427(then)X 1323 5376(select)N 1659(sub-session)X 2235(key;)X 1323 5472(body.subkey)N 1899(:=)X 2043(sub-session)X 2619(key;)X 939 5568(endif)N 939 5664(if)N 1083(\(using)X 1419(sequence)X 1851(numbers\))X 2283(then)X 1323 5760(select)N 1659(initial)X 2043(sequence)X 2475(number;)X 1 f 555 6144(Section)N 815(A.11.)X 
2196(-)X 2243(59)X 2343(-)X 60 p %%Page: 60 61 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 7 f 1323 672(body.seq-number)N 2091(:=)X 2235(initial)X 2619(sequence;)X 939 768(endif)N 939 960(encode)N 1275(body)X 1515(into)X 1755(OCTET)X 2043(STRING;)X 939 1152(select)N 1275(encryption)X 1803(type;)X 939 1248(encrypt)N 1323(OCTET)X 1611(STRING)X 1947(into)X 2187(packet.enc-part;)X 3 f 12 s 555 1440(A.12.)N 816(KRB_AP_REP)X 1464(veri\256cation)X 7 f 10 s 939 1536(receive)N 1323(packet;)X 939 1632(if)N 1083(\(packet.pvno)X 1707(!=)X 1851(5\))X 1995(then)X 1323 1728(either)N 1659(process)X 2043(using)X 2331(other)X 2619(protocol)X 3051(spec)X 1323 1824(or)N 1467(error_out\(KRB_AP_ERR_BADVERSION\);)X 939 1920(endif)N 939 2016(if)N 1083(\(packet.msg-type)X 1899(!=)X 2043(KRB_AP_REP\))X 2619(then)X 1323 2112(error_out\(KRB_AP_ERR_MSG_TYPE\);)N 939 2208(endif)N 939 2304(cleartext)N 1419(:=)X 1563(decrypt\(packet.enc-part\))X 2763(using)X 3051(ticket's)X 3483(session)X 3867(key;)X 939 2400(if)N 1083(\(decryption_error\(\)\))X 2091(then)X 1323 2496(error_out\(KRB_AP_ERR_BAD_INTEGRITY\);)N 939 2592(endif)N 939 2688(if)N 1083(\(cleartext.ctime)X 1899(!=)X 2043(authenticator.ctime\))X 3051(then)X 1323 2784(error_out\(KRB_AP_ERR_MUT_FAIL\);)N 939 2880(endif)N 939 2976(if)N 1083(\(cleartext.cusec)X 1899(!=)X 2043(authenticator.cusec\))X 3051(then)X 1323 3072(error_out\(KRB_AP_ERR_MUT_FAIL\);)N 939 3168(endif)N 939 3264(if)N 1083(\(cleartext.subkey)X 1947(is)X 2091(present\))X 2523(then)X 1323 3360(save)N 1563(cleartext.subkey)X 2379(for)X 2571(future)X 2907(use;)X 939 3456(endif)N 939 3552(if)N 1083(\(cleartext.seq-number)X 2139(is)X 2283(present\))X 2715(then)X 1323 3648(save)N 1563(cleartext.seq-number)X 2571(for)X 2763(future)X 3099(verifications;)X 939 3744(endif)N 939 3840(return\(AUTHENTICATION_SUCCEEDED\);)N 3 f 12 s 555 4032(A.13.)N 816(KRB_SAFE)X 1341(generation)X 7 f 10 s 939 4128(collect)N 1323(user)X 1563(data)X 1803(in)X 1947(buffer;)X 
939 4320(/*)N 1083(assemble)X 1515(packet:)X 1899(*/)X 939 4416(packet.pvno)N 1515(:=)X 1659(protocol)X 2091(version;)X 2523(/*)X 2667(5)X 2763(*/)X 939 4512(packet.msg-type)N 1707(:=)X 1851(message)X 2235(type;)X 2523(/*)X 2667(KRB_SAFE)X 3099(*/)X 939 4704(body.user-data)N 1659(:=)X 1803(buffer;)X 2187(/*)X 2331(DATA)X 2571(*/)X 939 4800(if)N 1083(\(using)X 1419(timestamp\))X 1947(then)X 1323 4896(get)N 1515(system_time;)X 1323 4992(body.timestamp,)N 2091(body.usec)X 2571(:=)X 2715(system_time;)X 939 5088(endif)N 939 5184(if)N 1083(\(using)X 1419(sequence)X 1851(numbers\))X 2283(then)X 1323 5280(body.seq-number)N 2091(:=)X 2235(sequence)X 2667(number;)X 939 5376(endif)N 939 5472(body.s-address)N 1659(:=)X 1803(sender)X 2139(host)X 2379(addresses;)X 939 5568(if)N 1083(\(only)X 1371(one)X 1563(recipient\))X 2091(then)X 1323 5664(body.r-address)N 2043(:=)X 2187(recipient)X 2667(host)X 2907(address;)X 939 5760(endif)N 1 f 555 6144(Section)N 815(A.13.)X 2196(-)X 2243(60)X 2343(-)X 61 p %%Page: 61 62 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 7 f 939 672(checksum.cksumtype)N 1851(:=)X 1995(checksum)X 2427(type;)X 939 768(compute)N 1323(checksum)X 1755(over)X 1995(body;)X 939 864(checksum.checksum)N 1803(:=)X 1947(checksum)X 2379(value;)X 2715(/*)X 2859(checksum.checksum)X 3723(*/)X 939 960(packet.cksum)N 1563(:=)X 1707(checksum;)X 939 1056(packet.safe-body)N 1755(:=)X 1899(body;)X 3 f 12 s 555 1248(A.14.)N 816(KRB_SAFE)X 1341(veri\256cation)X 7 f 10 s 939 1344(receive)N 1323(packet;)X 939 1440(if)N 1083(\(packet.pvno)X 1707(!=)X 1851(5\))X 1995(then)X 1323 1536(either)N 1659(process)X 2043(using)X 2331(other)X 2619(protocol)X 3051(spec)X 1323 1632(or)N 1467(error_out\(KRB_AP_ERR_BADVERSION\);)X 939 1728(endif)N 939 1824(if)N 1083(\(packet.msg-type)X 1899(!=)X 2043(KRB_SAFE\))X 2523(then)X 1323 1920(error_out\(KRB_AP_ERR_MSG_TYPE\);)N 939 2016(endif)N 939 2112(if)N 1083(\(packet.checksum.cksumtype)X 2379(is)X 2523(not)X 2715(both)X 
2955(collision-proof)X 3723(and)X 3915(keyed\))X 4251(then)X 1323 2208(error_out\(KRB_AP_ERR_INAPP_CKSUM\);)N 939 2304(endif)N 939 2400(if)N 1083(\(safe_priv_common_checks_ok\(packet\)\))X 2859(then)X 1323 2496(set)N 1515(computed_checksum)X 2379(:=)X 2523(checksum\(packet.body\);)X 1323 2592(if)N 1467(\(computed_checksum)X 2379(!=)X 2523(packet.checksum\))X 3339(then)X 1707 2688(error_out\(KRB_AP_ERR_MODIFIED\);)N 1323 2784(endif)N 1323 2880(return)N 1659(\(packet,)X 2091(PACKET_IS_GENUINE\);)X 939 2976(else)N 1323 3072(return)N 1659(common_checks_error;)X 939 3168(endif)N 3 f 12 s 555 3360(A.15.)N 816(KRB_SAFE)X 1341(and)X 1519(KRB_PRIV)X 2033(common)X 2409(checks)X 7 f 10 s 939 3456(if)N 1083(\(packet.s-address)X 1947(!=)X 2091(O/S_sender\(packet\)\))X 3051(then)X 1323 3552(/*)N 1467(O/S)X 1659(report)X 1995(of)X 2139(sender)X 2475(not)X 2667(who)X 2859(claims)X 3195(to)X 3339(have)X 3579(sent)X 3819(it)X 3963(*/)X 1323 3648(error_out\(KRB_AP_ERR_BADADDR\);)N 939 3744(endif)N 939 3840(if)N 1083(\(\(packet.r-address)X 1995(is)X 2139(present\))X 2571(and)X 1131 3936(\(packet.r-address)N 1995(!=)X 2139(local_host_address\)\))X 3147(then)X 1323 4032(/*)N 1467(was)X 1659(not)X 1851(sent)X 2091(to)X 2235(proper)X 2571(place)X 2859(*/)X 1323 4128(error_out\(KRB_AP_ERR_BADADDR\);)N 939 4224(endif)N 939 4320(if)N 1083(\(\(\(packet.timestamp)X 2043(is)X 2187(present\))X 2619(and)X 1179 4416(\(not)N 1419(in_clock_skew\(packet.timestamp,packet.usec\)\)\))X 3627(or)X 1131 4512(\(packet.timestamp)N 1995(is)X 2139(not)X 2331(present)X 2715(and)X 2907(timestamp)X 3387(expected\)\))X 3915(then)X 1323 4608(error_out\(KRB_AP_ERR_SKEW\);)N 939 4704(endif)N 939 4800(if)N 1083(\(repeated\(packet.timestamp,packet.usec,packet.s-address\)\))X 3867(then)X 1323 4896(error_out\(KRB_AP_ERR_REPEAT\);)N 939 4992(endif)N 939 5088(if)N 1083(\(\(\(packet.seq-number)X 2091(is)X 2235(present\))X 2667(and)X 1179 5184(\(\(not)N 1467(in_sequence\(packet.seq-number\)\)\)\))X 3099(or)X 1131 
5280(\(packet.seq-number)N 2043(is)X 2187(not)X 2379(present)X 2763(and)X 2955(sequence)X 3387(expected\)\))X 3915(then)X 1323 5376(error_out\(KRB_AP_ERR_BADORDER\);)N 939 5472(endif)N 939 5568(if)N 1083(\(packet.timestamp)X 1947(not)X 2139(present)X 2523(and)X 2715(packet.seq-number)X 3579(not)X 3771(present\))X 4203(then)X 1323 5664(error_out\(KRB_AP_ERR_MODIFIED\);)N 939 5760(endif)N 1 f 555 6144(Section)N 815(A.15.)X 2196(-)X 2243(61)X 2343(-)X 62 p %%Page: 62 63 10 s 0 xH 0 xS 1 f 7 f 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 7 f 939 672(save_identifier\(packet.{timestamp,usec,s-address},)N 1707 768(sender_principal\(packet\)\);)N 939 960(return)N 1275(PACKET_IS_OK;)X 3 f 12 s 555 1152(A.16.)N 816(KRB_PRIV)X 1330(generation)X 7 f 10 s 939 1248(collect)N 1323(user)X 1563(data)X 1803(in)X 1947(buffer;)X 939 1440(/*)N 1083(assemble)X 1515(packet:)X 1899(*/)X 939 1536(packet.pvno)N 1515(:=)X 1659(protocol)X 2091(version;)X 2523(/*)X 2667(5)X 2763(*/)X 939 1632(packet.msg-type)N 1707(:=)X 1851(message)X 2235(type;)X 2523(/*)X 2667(KRB_PRIV)X 3099(*/)X 939 1824(packet.enc-part.etype)N 1995(:=)X 2139(encryption)X 2667(type;)X 939 2016(body.user-data)N 1659(:=)X 1803(buffer;)X 939 2112(if)N 1083(\(using)X 1419(timestamp\))X 1947(then)X 1323 2208(get)N 1515(system_time;)X 1323 2304(body.timestamp,)N 2091(body.usec)X 2571(:=)X 2715(system_time;)X 939 2400(endif)N 939 2496(if)N 1083(\(using)X 1419(sequence)X 1851(numbers\))X 2283(then)X 1323 2592(body.seq-number)N 2091(:=)X 2235(sequence)X 2667(number;)X 939 2688(endif)N 939 2784(body.s-address)N 1659(:=)X 1803(sender)X 2139(host)X 2379(addresses;)X 939 2880(if)N 1083(\(only)X 1371(one)X 1563(recipient\))X 2091(then)X 1323 2976(body.r-address)N 2043(:=)X 2187(recipient)X 2667(host)X 2907(address;)X 939 3072(endif)N 939 3264(encode)N 1275(body)X 1515(into)X 1755(OCTET)X 2043(STRING;)X 939 3456(select)N 1275(encryption)X 1803(type;)X 939 3552(encrypt)N 1323(OCTET)X 1611(STRING)X 1947(into)X 
2187(packet.enc-part.cipher;)X 3 f 12 s 555 3840(A.17.)N 816(KRB_PRIV)X 1330(veri\256cation)X 7 f 10 s 939 3936(receive)N 1323(packet;)X 939 4032(if)N 1083(\(packet.pvno)X 1707(!=)X 1851(5\))X 1995(then)X 1323 4128(either)N 1659(process)X 2043(using)X 2331(other)X 2619(protocol)X 3051(spec)X 1323 4224(or)N 1467(error_out\(KRB_AP_ERR_BADVERSION\);)X 939 4320(endif)N 939 4416(if)N 1083(\(packet.msg-type)X 1899(!=)X 2043(KRB_PRIV\))X 2523(then)X 1323 4512(error_out\(KRB_AP_ERR_MSG_TYPE\);)N 939 4608(endif)N 939 4800(cleartext)N 1419(:=)X 1563(decrypt\(packet.enc-part\))X 2763(using)X 3051(negotiated)X 3579(key;)X 939 4896(if)N 1083(\(decryption_error\(\)\))X 2091(then)X 1323 4992(error_out\(KRB_AP_ERR_BAD_INTEGRITY\);)N 939 5088(endif)N 939 5280(if)N 1083(\(safe_priv_common_checks_ok\(cleartext\)\))X 3003(then)X 1323 5376(return\(cleartext.DATA,)N 2427(PACKET_IS_GENUINE_AND_UNMODIFIED\);)X 939 5472(else)N 1323 5568(return)N 1659(common_checks_error;)X 939 5664(endif)N 1 f 12 s 555 6144(Section)N 868(A.17.)X 2179(-)X 2235(62)X 2355(-)X 63 p %%Page: 63 64 12 s 0 xH 0 xS 1 f 10 s 0 32(--)N 4323(--)X 3 f 12 s 2082 432(DRAFT)N 2436(4)X 555 672(A.18.)N 816(KRB_ERROR)X 1442(generation)X 7 f 10 s 939 864(/*)N 1083(assemble)X 1515(packet:)X 1899(*/)X 939 960(packet.pvno)N 1515(:=)X 1659(protocol)X 2091(version;)X 2523(/*)X 2667(5)X 2763(*/)X 939 1056(packet.msg-type)N 1707(:=)X 1851(message)X 2235(type;)X 2523(/*)X 2667(KRB_ERROR)X 3147(*/)X 939 1248(get)N 1131(system_time;)X 939 1344(packet.stime,)N 1611(packet.susec)X 2235(:=)X 2379(system_time;)X 939 1440(packet.realm,)N 1611(packet.sname)X 2235(:=)X 2379(server)X 2715(name;)X 939 1632(if)N 1083(\(client)X 1467(time)X 1707(available\))X 2235(then)X 1323 1728(packet.ctime,)N 1995(packet.cusec)X 2619(:=)X 2763(client_time;)X 939 1824(endif)N 939 1920(packet.error-code)N 1803(:=)X 1947(error)X 2235(code;)X 939 2016(if)N 1083(\(client)X 1467(name)X 1707(available\))X 2235(then)X 1323 2112(packet.cname,)N 1995(packet.crealm)X 
2667(:=)X 2811(client)X 3147(name;)X 939 2208(endif)N 939 2304(if)N 1083(\(error)X 1419(text)X 1659(available\))X 2187(then)X 1323 2400(packet.e-text)N 1995(:=)X 2139(error)X 2427(text;)X 939 2496(endif)N 939 2592(if)N 1083(\(error)X 1419(data)X 1659(available\))X 2187(then)X 1323 2688(packet.e-data)N 1995(:=)X 2139(error)X 2427(data;)X 939 2784(endif)N 1 f 2172 6144(-)N 2219(lxiii)X 2367(-)X 1 p %%Page: 1 65 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 12 s 1918 960(Table)N 2177(of)X 2281(Contents)X 1 f 10 s 555 1372(Overview)N 911(.................................................................................................................................................)X 3971(1)X 555 1496(Background)N 971(..............................................................................................................................................)X 3971(1)X 555 1620(1.)N 3 f 635(Introduction)X 1 f 1091(........................................................................................................................................)X 3971(1)X 555 1744(1.1.)N 3 f 695(Inter-Realm)X 1139(Operation)X 1 f 1511(...................................................................................................................)X 3971(3)X 555 1868(1.2.)N 3 f 695(Environmental)X 1230(assumptions)X 1 f 1671(...........................................................................................................)X 3971(3)X 555 1992(1.3.)N 3 f 695(Glossary)X 1017(of)X 1104(terms)X 1 f 1331(............................................................................................................................)X 3971(3)X 555 2116(2.)N 3 f 635(Ticket)X 873(\257ag)X 1017(uses)X 1179(and)X 1327(requests)X 1 f 1651(............................................................................................................)X 3971(5)X 555 2240(2.1.)N 3 f 695(Initial)X 923(tickets)X 1 f 
1171(....................................................................................................................................)X 3971(5)X 555 2364(2.2.)N 3 f 695(Invalid)X 958(tickets)X 1 f 1211(..................................................................................................................................)X 3971(5)X 555 2488(2.3.)N 3 f 695(Renewable)X 1089(tickets)X 1 f 1351(...........................................................................................................................)X 3971(5)X 555 2612(2.4.)N 3 f 695(Postdated)X 1053(tickets)X 1 f 1311(.............................................................................................................................)X 3971(6)X 555 2736(2.5.)N 3 f 695(Proxiable)X 1044(and)X 1192(proxy)X 1412(tickets)X 1 f 1671(...........................................................................................................)X 3971(6)X 555 2860(2.6.)N 3 f 695(Forwardable)X 1160(tickets)X 1 f 1411(........................................................................................................................)X 3971(6)X 555 2984(2.7.)N 3 f 695(Other)X 920(KDC)X 1118(options)X 1 f 1391(.........................................................................................................................)X 3971(7)X 555 3108(3.)N 3 f 635(Message)X 945(Exchanges)X 1 f 1331(............................................................................................................................)X 3971(7)X 555 3232(3.1.)N 3 f 695(The)X 848(Authentication)X 1379(Service)X 1649(Exchange)X 1 f 2011(..........................................................................................)X 3971(7)X 555 3356(3.1.1.)N 755(Generation)X 1132(of)X 1219(KRB_AS_REQ)X 1745(message)X 2051(........................................................................................)X 3971(8)X 555 3480(3.1.2.)N 755(Receipt)X 1020(of)X 1107(KRB_AS_REQ)X 1633(message)X 
1931(..............................................................................................)X 3971(8)X 555 3604(3.1.3.)N 755(Generation)X 1132(of)X 1219(KRB_AS_REP)X 1731(message)X 2031(.........................................................................................)X 3971(8)X 555 3728(3.1.4.)N 755(Generation)X 1132(of)X 1219(KRB_ERROR)X 1709(message)X 2011(..........................................................................................)X 3971(9)X 555 3852(3.1.5.)N 755(Receipt)X 1020(of)X 1107(KRB_AS_REP)X 1619(message)X 1911(...............................................................................................)X 3971(9)X 555 3976(3.1.6.)N 755(Receipt)X 1020(of)X 1107(KRB_ERROR)X 1597(message)X 1891(................................................................................................)X 3931(10)X 555 4100(3.2.)N 3 f 695(The)X 848(Client/Server)X 1327(Authentication)X 1858(Exchange)X 1 f 2211(................................................................................)X 3931(10)X 555 4224(3.2.1.)N 755(The)X 900(KRB_AP_REQ)X 1426(message)X 1731(........................................................................................................)X 3931(10)X 555 4348(3.2.2.)N 755(Generation)X 1132(of)X 1219(a)X 1275(KRB_AP_REQ)X 1801(message)X 2111(.....................................................................................)X 3931(10)X 555 4472(3.2.3.)N 755(Receipt)X 1020(of)X 1107(KRB_AP_REQ)X 1633(message)X 1931(..............................................................................................)X 3931(10)X 555 4596(3.2.4.)N 755(Generation)X 1132(of)X 1219(a)X 1275(KRB_AP_REP)X 1787(message)X 2091(......................................................................................)X 3931(11)X 555 4720(3.2.5.)N 755(Receipt)X 1020(of)X 1107(KRB_AP_REP)X 1619(message)X 1911(...............................................................................................)X 3931(12)X 555 4844(3.2.6.)N 
755(Using)X 966(the)X 1084(encryption)X 1447(key)X 1591(...............................................................................................................)X 3931(12)X 555 4968(3.3.)N 3 f 695(The)X 848(Ticket-Granting)X 1428(Service)X 1698(\(TGS\))X 1931(Exchange)X 1 f 2291(............................................................................)X 3931(12)X 555 5092(3.3.1.)N 755(Generation)X 1132(of)X 1219(KRB_TGS_REQ)X 1794(message)X 2091(......................................................................................)X 3931(13)X 555 5216(3.3.2.)N 755(Receipt)X 1020(of)X 1107(KRB_TGS_REQ)X 1682(message)X 1991(...........................................................................................)X 3931(13)X 555 5340(3.3.3.)N 755(Generation)X 1132(of)X 1219(KRB_TGS_REP)X 1780(message)X 2091(......................................................................................)X 3931(14)X 555 5464(3.3.3.1.)N 815(Encoding)X 1142(the)X 1260(transited)X 1556(\256eld)X 1731(........................................................................................................)X 3931(15)X 555 5588(3.3.4.)N 755(Receipt)X 1020(of)X 1107(KRB_TGS_REP)X 1668(message)X 1971(............................................................................................)X 3931(16)X 555 5712(3.4.)N 3 f 695(The)X 848(KRB_SAFE)X 1285(Exchange)X 1 f 1651(............................................................................................................)X 3931(16)X 555 5836(3.4.1.)N 755(Generation)X 1132(of)X 1219(a)X 1275(KRB_SAFE)X 1694(message)X 1991(...........................................................................................)X 3931(16)X 2225 6144(-)N 2272(i)X 2314(-)X 2 p %%Page: 2 66 10 s 0 xH 0 xS 1 f 0 32(--)N 4323(--)X 3 f 2115 416(DRAFT)N 2411(4)X 1 f 555 672(3.4.2.)N 755(Receipt)X 1020(of)X 1107(KRB_SAFE)X 1526(message)X 1831(...................................................................................................)X 
3931(17)X 555 796(3.5.)N 3 f 695(The)X 848(KRB_PRIV)X 1277(Exchange)X 1 f 1631(.............................................................................................................)X 3931(17)X 555 920(3.5.1.)N 755(Generation)X 1132(of)X 1219(a)X 1275(KRB_PRIV)X 1681(message)X 1991(...........................................................................................)X 3931(17)X 555 1044(3.5.2.)N 755(Receipt)X 1020(of)X 1107(KRB_PRIV)X 1513(message)X 1811(....................................................................................................)X 3931(17)X 555 1168(4.)N 3 f 635(The)X 788(Kerberos)X 1129(Database)X 1 f 1471(.....................................................................................................................)X 3931(18)X 555 1292(4.1.)N 3 f 695(Database)X 1031(contents)X 1 f 1351(...........................................................................................................................)X 3931(18)X 555 1416(4.2.)N 3 f 695(Additional)X 1078(\256elds)X 1 f 1291(..............................................................................................................................)X 3931(18)X 555 1540(4.3.)N 3 f 695(Frequently)X 1093(Changing)X 1445(Fields)X 1 f 1671(...........................................................................................................)X 3931(19)X 555 1664(4.4.)N 3 f 695(Site)X 844(Constants)X 1 f 1211(..................................................................................................................................)X 3931(19)X 555 1788(5.)N 3 f 635(Message)X 945(Speci\256cations)X 1 f 1431(.......................................................................................................................)X 3931(19)X 555 1912(5.1.)N 3 f 695(ASN.1)X 935(Base)X 1115(De\256nitions)X 1 f 1511(...................................................................................................................)X 3931(20)X 555 2036(5.2.)N 3 f 
695(Tickets)X 964(and)X 1112(Authenticators)X 1 f 1651(............................................................................................................)X 3931(21)X 555 2160(5.2.1.)N 755(Tickets)X 1011(............................................................................................................................................)X 3931(22)X 555 2284(5.2.2.)N 755(Authenticators)X 1251(................................................................................................................................)X 3931(25)X 555 2408(5.3.)N 3 f 695(Speci\256cations)X 1181(for)X 1304(the)X 1431(AS)X 1553(and)X 1701(TGS)X 1880(exchanges)X 1 f 2251(..............................................................................)X 3931(26)X 555 2532(5.3.1.)N 755(KRB_KDC_REQ)X 1348(de\256nition)X 1691(..........................................................................................................)X 3931(26)X 555 2656(5.3.2.)N 755(KRB_KDC_REP)X 1334(de\256nition)X 1671(...........................................................................................................)X 3931(30)X 555 2780(5.4.)N 3 f 695(Client/Server)X 1174(\(CS\))X 1350(message)X 1651(speci\256cations)X 1 f 2131(....................................................................................)X 3931(32)X 555 2904(5.4.1.)N 755(KRB_AP_REQ)X 1281(de\256nition)X 1611(..............................................................................................................)X 3931(32)X 555 3028(5.4.2.)N 755(KRB_AP_REP)X 1267(de\256nition)X 1611(..............................................................................................................)X 3931(33)X 555 3152(5.4.3.)N 755(Error)X 945(message)X 1237(reply)X 1431(.......................................................................................................................)X 3931(34)X 555 3276(5.5.)N 3 f 695(KRB_SAFE)X 1132(message)X 1433(speci\256cation)X 1 f 
1891(................................................................................................)X 3931(34)X 555 3400(5.5.1.)N 755(KRB_SAFE)X 1174(de\256nition)X 1511(...................................................................................................................)X 3931(34)X 555 3524(5.6.)N 3 f 695(KRB_PRIV)X 1124(message)X 1425(speci\256cation)X 1 f 1871(.................................................................................................)X 3931(35)X 555 3648(5.6.1.)N 755(KRB_PRIV)X 1161(de\256nition)X 1491(....................................................................................................................)X 3931(35)X 555 3772(5.7.)N 3 f 695(Error)X 916(message)X 1217(speci\256cation)X 1 f 1671(...........................................................................................................)X 3931(36)X 555 3896(5.7.1.)N 755(KRB_ERROR)X 1245(de\256nition)X 1571(................................................................................................................)X 3931(36)X 555 4020(6.)N 3 f 635(Encryption)X 1041(and)X 1189(Checksum)X 1569(Speci\256cations)X 1 f 2071(.......................................................................................)X 3931(37)X 555 4144(6.1.)N 3 f 695(Encryption)X 1101(Speci\256cations)X 1 f 1591(...............................................................................................................)X 3931(38)X 555 4268(6.2.)N 3 f 695(Encryption)X 1101(Keys)X 1 f 1291(..............................................................................................................................)X 3931(39)X 555 4392(6.3.)N 3 f 695(Encryption)X 1101(Systems)X 1 f 1411(........................................................................................................................)X 3931(39)X 555 4516(6.3.1.)N 755(The)X 900(NULL)X 1134(Encryption)X 1510(System)X 1765(\(null\))X 
       ........ 39
6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc) ........ 40
6.4.   Checksums ........ 40
6.4.1. The CRC-32 Checksum (crc32) ........ 41
6.4.2. The RSA MD4 Checksum (rsa-md4) ........ 41
6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des) ........ 41
6.4.4. DES cipher-block chained checksum (des-mac) ........ 41
7.     Constants and other defined values ........ 41
7.1.   Host address types ........ 41
7.2.   KDC messages ........ 42
7.2.1. IP transport ........ 42

- ii -

DRAFT 4

7.2.2. Name of the TGS ........ 42
7.3.   Protocol constants and associated values ........ 42
8.     Interoperability requirements ........ 44
8.1.   Specification 1 ........ 44
8.2.   Recommended KDC values ........ 45
9.     Acknowledgments ........ 46
10.    REFERENCES ........ 46
A.     Pseudo-code for protocol processing ........ 47
A.1.   KRB_AS_REQ generation ........ 47
A.2.   KRB_AS_REQ verification and KRB_AS_REP generation ........ 47
A.3.   KRB_AS_REP verification ........ 50
A.4.   KRB_AS_REP and KRB_TGS_REP common checks ........ 50
A.5.   KRB_TGS_REQ generation ........ 51
A.6.   KRB_TGS_REQ verification and KRB_TGS_REP generation ........ 52
A.7.   KRB_TGS_REP verification ........ 57
A.8.   Authenticator generation ........ 57
A.9.   KRB_AP_REQ generation ........ 58
A.10.  KRB_AP_REQ verification ........ 58
A.11.  KRB_AP_REP generation ........ 59
A.12.  KRB_AP_REP verification ........ 60
A.13.  KRB_SAFE generation ........ 60
A.14.  KRB_SAFE verification ........ 61
A.15.  KRB_SAFE and KRB_PRIV common checks ........ 61
A.16.  KRB_PRIV generation ........ 62
A.17.  KRB_PRIV verification ........ 62
A.18.  KRB_ERROR generation ........ 63

- iii -
