3.5. The KRB_PRIV Exchange

Overview

The KRB_PRIV message provides both confidentiality and integrity protection for application data exchanged between principals. The user data is encrypted and integrity-protected.

Purpose

KRB_PRIV is used when:

Both confidentiality and integrity protection are required
Sensitive data must be protected from eavesdropping
Complete security for the data exchange is needed

Message Structure

KRB_PRIV contains:

Encrypted data including:
- User data
- Timestamp (for replay detection)
- Sequence number (optional)
- Sender and recipient addresses (optional)

Generation of KRB_PRIV Message

Sender:

Constructs plaintext message with user data
Adds timestamp and optional sequence number
Encrypts entire message using shared key
Transmits encrypted message

Receipt of KRB_PRIV Message

Receiver:

Decrypts message using shared key
Verifies timestamp (replay protection)
Checks sequence number if used
Extracts user data

Security Properties

Confidentiality: Encryption protects data from eavesdropping
Integrity: Encryption scheme provides integrity protection
Replay Protection: Timestamp and sequence number
Complete Protection: Both confidentiality and integrity

Comparison with KRB_SAFE

KRB_PRIV provides confidentiality; KRB_SAFE does not
KRB_PRIV has higher computational overhead
KRB_SAFE may be preferred when confidentiality is not required

Reference

For complete technical details, refer to RFC 4120 Section 3.5.

Overview​

Purpose​

Message Structure​

Generation of KRB_PRIV Message​

Receipt of KRB_PRIV Message​

Security Properties​

Comparison with KRB_SAFE​

Reference​