RFC 4120 - The Kerberos Network Authentication Service (V5)

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

This document provides an overview and specification of Version 5 of the Kerberos protocol, and it obsoletes RFC 1510 to clarify aspects of the protocol and its intended use that require more detailed or clearer explanation than was provided in RFC 1510. This document is intended to provide a detailed description of the protocol, suitable for implementation, together with descriptions of the appropriate use of protocol messages and fields within those messages.

Table of Contents

• 1. Introduction
  • 1.1. The Kerberos Protocol
  • 1.2. Cross-Realm Operation
  • 1.3. Choosing a Principal with Which to Communicate
  • 1.4. Authorization
  • 1.5. Extending Kerberos without Breaking Interoperability
    • 1.5.1. Compatibility with RFC 1510
    • 1.5.2. Sending Extensible Messages
  • 1.6. Environmental Assumptions
  • 1.7. Glossary of Terms
• 2. Ticket Flag Uses and Requests
  • 2.1. Initial, Pre-authenticated, and Hardware-Authenticated Tickets
  • 2.2. Invalid Tickets
  • 2.3. Renewable Tickets
  • 2.4. Postdated Tickets
  • 2.5. Proxiable and Proxy Tickets
  • 2.6. Forwardable Tickets
  • 2.7. Transited Policy Checking
  • 2.8. OK as Delegate
  • 2.9. Other KDC Options
    • 2.9.1. Renewable-OK
    • 2.9.2. ENC-TKT-IN-SKEY
    • 2.9.3. Passwordless Hardware Authentication
• 3. Message Exchanges
  • 3.1. The Authentication Service Exchange
    • 3.1.1. Generation of KRB_AS_REQ Message
    • 3.1.2. Receipt of KRB_AS_REQ Message
    • 3.1.3. Generation of KRB_AS_REP Message
    • 3.1.4. Generation of KRB_ERROR Message
    • 3.1.5. Receipt of KRB_AS_REP Message
    • 3.1.6. Receipt of KRB_ERROR Message
  • 3.2. The Client/Server Authentication Exchange
    • 3.2.1. The KRB_AP_REQ Message
    • 3.2.2. Generation of a KRB_AP_REQ Message
    • 3.2.3. Receipt of KRB_AP_REQ Message
    • 3.2.4. Generation of a KRB_AP_REP Message
    • 3.2.5. Receipt of KRB_AP_REP Message
    • 3.2.6. Using the Encryption Key
  • 3.3. The Ticket-Granting Service (TGS) Exchange
    • 3.3.1. Generation of KRB_TGS_REQ Message
    • 3.3.2. Receipt of KRB_TGS_REQ Message
    • 3.3.3. Generation of KRB_TGS_REP Message
    • 3.3.4. Receipt of KRB_TGS_REP Message
  • 3.4. The KRB_SAFE Exchange
    • 3.4.1. Generation of a KRB_SAFE Message
    • 3.4.2. Receipt of KRB_SAFE Message
  • 3.5. The KRB_PRIV Exchange
    • 3.5.1. Generation of a KRB_PRIV Message
    • 3.5.2. Receipt of KRB_PRIV Message
  • 3.6. The KRB_CRED Exchange
    • 3.6.1. Generation of a KRB_CRED Message
    • 3.6.2. Receipt of KRB_CRED Message
  • 3.7. User-to-User Authentication Exchanges
• 4. Encryption and Checksum Specifications
• 5. Message Specifications
  • 5.1. Specific Compatibility Notes on ASN.1
    • 5.1.1. ASN.1 Distinguished Encoding Rules
    • 5.1.2. Optional Integer Fields
    • 5.1.3. Empty SEQUENCE OF Types
    • 5.1.4. Unrecognized Tag Numbers
    • 5.1.5. Tag Numbers Greater Than 30
  • 5.2. Basic Kerberos Types
    • 5.2.1. KerberosString
    • 5.2.2. Realm and PrincipalName
    • 5.2.3. KerberosTime
    • 5.2.4. Constrained Integer Types
    • 5.2.5. HostAddress and HostAddresses
    • 5.2.6. AuthorizationData
    • 5.2.7. PA-DATA
    • 5.2.8. KerberosFlags
    • 5.2.9. Cryptosystem-Related Types
  • 5.3. Tickets
  • 5.4. Specifications for the AS and TGS Exchanges
    • 5.4.1. KRB_KDC_REQ Definition
    • 5.4.2. KRB_KDC_REP Definition
  • 5.5. Client/Server (CS) Message Specifications
    • 5.5.1. KRB_AP_REQ Definition
    • 5.5.2. KRB_AP_REP Definition
    • 5.5.3. Error Message Reply
  • 5.6. KRB_SAFE Message Specification
    • 5.6.1. KRB_SAFE definition
  • 5.7. KRB_PRIV Message Specification
    • 5.7.1. KRB_PRIV Definition
  • 5.8. KRB_CRED Message Specification
    • 5.8.1. KRB_CRED Definition
  • 5.9. Error Message Specification
    • 5.9.1. KRB_ERROR Definition
  • 5.10. Application Tag Numbers
• 6. Naming Constraints
  • 6.1. Realm Names
  • 6.2. Principal Names
    • 6.2.1. Name of Server Principals
• 7. Constants and Other Defined Values
  • 7.1. Host Address Types
  • 7.2. KDC Messaging: IP Transports
    • 7.2.1. UDP/IP transport
    • 7.2.2. TCP/IP Transport
    • 7.2.3. KDC Discovery on IP Networks
  • 7.3. Name of the TGS
  • 7.4. OID Arc for KerberosV5
  • 7.5. Protocol Constants and Associated Values
    • 7.5.1. Key Usage Numbers
    • 7.5.2. PreAuthentication Data Types
    • 7.5.3. Address Types
    • 7.5.4. Authorization Data Types
    • 7.5.5. Transited Encoding Types
    • 7.5.6. Protocol Version Number
    • 7.5.7. Kerberos Message Types
    • 7.5.8. Name Types
    • 7.5.9. Error Codes
• 8. Interoperability Requirements
  • 8.1. Specification 2
  • 8.2. Recommended KDC Values
• 9. IANA Considerations
• 10. Security Considerations
• 11. Acknowledgements
• Appendix A. ASN.1 Module
• Appendix B. Changes since RFC 1510
• Normative References
• Informative References

Document Information

• RFC Number: 4120
• Obsoletes: RFC 1510
• Category: Standards Track
• Published: July 2005
• Authors: C. Neuman, T. Yu, S. Hartman, K. Raeburn
• Organization: USC-ISI, MIT