5.4. Specifications for the AS and TGS Exchanges

Overview

This section defines the message structures for the Authentication Service (AS) and Ticket-Granting Service (TGS) exchanges. These exchanges share a common message structure with minor variations.

5.4.1. KRB_KDC_REQ Definition

The request message structure is shared between AS and TGS:

Common Structure

Both KRB_AS_REQ and KRB_TGS_REQ use the KDC-REQ structure containing:

  • pvno - Protocol version number (5)
  • msg-type - Message type (AS-REQ or TGS-REQ)
  • padata - Pre-authentication data (sequence)
  • req-body - Request body with detailed parameters

Request Body (KDC-REQ-BODY)

Contains:

  • kdc-options - Flags indicating requested options
  • cname - Client name (optional in TGS-REQ)
  • realm - Service realm
  • sname - Service name (optional)
  • from - Requested start time (optional)
  • till - Requested end time
  • rtime - Requested renew-till time (optional)
  • nonce - Random value for replay protection
  • etype - Requested encryption types (sequence)
  • addresses - Client addresses (optional)
  • enc-authorization-data - Encrypted authorization data (optional)
  • additional-tickets - Additional tickets (optional, for TGS-REQ)

KDC Options Flags

Available options include:

  • FORWARDABLE, FORWARDED
  • PROXIABLE, PROXY
  • ALLOW-POSTDATE, POSTDATED
  • RENEWABLE, RENEWABLE-OK
  • ENC-TKT-IN-SKEY
  • RENEW, VALIDATE
  • and the other options defined in RFC 4120 section 5.4.1
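The kdc-options field is a KerberosFlags value, an ASN.1 BIT STRING of at least 32 bits in which bit 0 is the most significant bit of the first octet. The following is an added example, not code from the page or from any Kerberos implementation; it encodes the option names above at the bit positions RFC 4120 assigns them and DER-encodes and parses the resulting BIT STRING, reporting any bit it does not know by number so unexpected flags are never silently dropped.

```python
"""Encode/decode the kdc-options KerberosFlags of a KDC-REQ-BODY (added example)."""

# Bit positions from RFC 4120 section 5.4.1; bit 0 is reserved.
KDC_OPTION_BITS = {
    "reserved": 0,
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "allow-postdate": 5,
    "postdated": 6,
    "renewable": 8,
    "renewable-ok": 27,
    "enc-tkt-in-skey": 28,
    "renew": 30,
    "validate": 31,
}
BIT_TO_NAME = {v: k for k, v in KDC_OPTION_BITS.items()}


def flags_to_int(names):
    """32-bit KerberosFlags value for a set of option names.

    BIT STRING bit n is bit (31 - n) of the big-endian uint32, so
    'forwardable' (bit 1) becomes 0x40000000 and 'validate' (bit 31) becomes 1.
    """
    value = 0
    for name in names:
        if name not in KDC_OPTION_BITS:
            raise ValueError(f"unknown kdc-option {name!r}")
        value |= 1 << (31 - KDC_OPTION_BITS[name])
    return value


def int_to_flags(value):
    """Option names set in a 32-bit value, in bit order.

    Bits with no name in the table come back as 'bit<n>' so a parser
    (or a detection rule) can see flags it was not written to expect.
    """
    names = []
    for bit in range(32):
        if value & (1 << (31 - bit)):
            names.append(BIT_TO_NAME.get(bit, f"bit{bit}"))
    return names


def der_encode_flags(value):
    """DER BIT STRING: tag 0x03, length 5, 'unused bits' octet 0, four flag octets."""
    return b"\x03\x05\x00" + value.to_bytes(4, "big")


def der_decode_flags(data):
    """Parse a DER BIT STRING carrying KerberosFlags.

    RFC 4120 requires at least 32 bits; longer strings are accepted and only
    the first 32 bits are interpreted. Only short-form lengths are handled,
    which is all a flags field ever needs.
    """
    if len(data) < 3 or data[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = data[1]
    if length & 0x80 or len(data) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, body = data[2], data[3:]
    if unused > 7 or len(body) * 8 - unused < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    return int.from_bytes(body[:4], "big")


if __name__ == "__main__":
    value = flags_to_int(["forwardable", "renewable-ok"])
    print(hex(value), der_encode_flags(value).hex())
    print(int_to_flags(der_decode_flags(der_encode_flags(value))))
```

A TGS-REQ that sets RENEW or VALIDATE, for example, encodes as the low bits of the last octet; decoding a captured request with this routine is a quick way to confirm which options a client actually asked for before reasoning about the ticket flags that came back.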

5.4.2. KRB_KDC_REP Definition

The reply message structure is shared between AS and TGS:

Common Structure

Both KRB_AS_REP and KRB_TGS_REP use the KDC-REP structure:

  • pvno - Protocol version number (5)
  • msg-type - Message type (AS-REP or TGS-REP)
  • padata - Pre-authentication data (optional)
  • crealm - Client realm
  • cname - Client name
  • ticket - The issued ticket
  • enc-part - Encrypted part of reply

Encrypted Part (EncKDCRepPart)

Contains (encrypted for client):

  • key - Session key
  • last-req - Last request information
  • nonce - From request (for matching)
  • key-expiration - When client's key expires (optional)
  • flags - Ticket flags
  • authtime - Time of initial authentication
  • starttime - When ticket becomes valid (optional)
  • endtime - Ticket expiration time
  • renew-till - Renewable expiration (optional)
  • srealm - Service realm
  • sname - Service name
  • caddr - Client addresses (optional)
  • encrypted-pa-data - Encrypted pre-auth data (optional)

Processing Requirements

Request Processing

  • Validate request structure
  • Verify pre-authentication
  • Check policy and constraints
  • Generate session key
  • Issue ticket with appropriate flags
  • Encrypt reply for client

Reply Processing

  • Decrypt reply using the appropriate key (the client's long-term key for an AS-REP, the TGT session key for a TGS-REP)
  • Verify nonce matches
  • Extract session key and ticket
  • Validate ticket properties
  • Store for later use
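The two processing lists above, carried through as one exchange: an added example (not the page's or any Kerberos implementation's code) in which a KDC-side function applies the request checks and a lifetime policy, and a client-side function applies the reply checks. Messages are plain dicts keyed by the KDC-REQ and KDC-REP field names; the EncKDCRepPart travels in the clear because the point is the field checks rather than the cipher, and the policy limits, clock skew, principal names and realm are constructed values chosen for the example.

```python
"""One AS/TGS exchange with KDC-side and client-side checks (added example)."""
import os
from datetime import datetime, timedelta, timezone

AS_REQ, AS_REP, TGS_REQ, TGS_REP = 10, 11, 12, 13   # msg-type values from RFC 4120
SUPPORTED_ETYPES = (18, 17)          # aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
MAX_TICKET_LIFE = timedelta(hours=10)   # constructed KDC policy, not from the RFC
MAX_RENEW_LIFE = timedelta(days=7)
CLOCK_SKEW = timedelta(minutes=5)
# Bit numbers shared by kdc-options and TicketFlags, plus the ticket-only bits.
FORWARDABLE, PROXIABLE, RENEWABLE, RENEWABLE_OK = 1, 3, 8, 27
INITIAL, PRE_AUTHENT = 9, 10


def bit(n):
    """KerberosFlags bit n: bit 0 is the most significant bit of the 32-bit value."""
    return 1 << (31 - n)


def process_request(req, now, client):
    """KDC side. `client` is the (crealm, cname) the KDC already authenticated,
    through pre-authentication for an AS-REQ or through the TGT for a TGS-REQ;
    None means that step failed and nothing may be issued."""
    if req["pvno"] != 5 or req["msg-type"] not in (AS_REQ, TGS_REQ):
        raise ValueError("malformed KDC-REQ")
    if client is None:
        raise PermissionError("client not authenticated (pre-auth or TGT check failed)")
    body, options = req["req-body"], req["req-body"]["kdc-options"]
    etype = next((e for e in body["etype"] if e in SUPPORTED_ETYPES), None)
    if etype is None:
        raise ValueError("no mutually supported etype")
    if body["till"] <= now - CLOCK_SKEW:
        raise ValueError("requested till is already in the past")
    # Policy: clip the lifetime, then decide renewability (RFC 4120 section 3.1.3).
    starttime = max(body.get("from", now), now)
    endtime = min(body["till"], starttime + MAX_TICKET_LIFE)
    flags, renew_till, requested_renew = 0, None, None
    for opt_bit in (FORWARDABLE, PROXIABLE):
        if options & bit(opt_bit):
            flags |= bit(opt_bit)
    if options & bit(RENEWABLE):
        requested_renew = body.get("rtime", body["till"])
    elif options & bit(RENEWABLE_OK) and body["till"] > endtime:
        requested_renew = body["till"]   # RENEWABLE-OK: till is treated as renew-till
    if requested_renew is not None:
        flags |= bit(RENEWABLE)
        renew_till = max(endtime, min(requested_renew, starttime + MAX_RENEW_LIFE))
    if req["msg-type"] == AS_REQ:
        flags |= bit(INITIAL) | bit(PRE_AUTHENT)
    session_key = (etype, os.urandom(32 if etype == 18 else 16))
    enc_part = {   # EncKDCRepPart; in real Kerberos this is encrypted for the client
        "key": session_key, "nonce": body["nonce"], "flags": flags, "authtime": now,
        "starttime": starttime, "endtime": endtime, "renew-till": renew_till,
        "srealm": body["realm"], "sname": body["sname"],
    }
    ticket = {"realm": body["realm"], "sname": body["sname"],
              "enc-part": b"<opaque to the client: encrypted under the service key>"}
    return {"pvno": 5, "msg-type": req["msg-type"] + 1, "crealm": client[0],
            "cname": client[1], "ticket": ticket, "enc-part": enc_part}


def verify_reply(req, rep, now):
    """Client side, after decrypting enc-part: the Reply Processing checks."""
    body, enc = req["req-body"], rep["enc-part"]
    if rep["pvno"] != 5 or rep["msg-type"] != req["msg-type"] + 1:
        raise ValueError("reply type does not match the request")
    if enc["nonce"] != body["nonce"]:
        raise ValueError("nonce mismatch: reply is not for this request (possible replay)")
    if (enc["srealm"], enc["sname"]) != (body["realm"], body["sname"]):
        raise ValueError("reply is for a different service than requested")
    if (rep["ticket"]["realm"], rep["ticket"]["sname"]) != (enc["srealm"], enc["sname"]):
        raise ValueError("cleartext ticket header disagrees with the encrypted part")
    if enc["starttime"] > now + CLOCK_SKEW:
        raise ValueError("ticket not yet valid")
    if enc["endtime"] <= now:
        raise ValueError("ticket already expired")
    if enc["renew-till"] is not None and enc["renew-till"] < enc["endtime"]:
        raise ValueError("renew-till precedes endtime")
    if enc["key"][0] not in body["etype"]:
        raise ValueError("session key etype is not one the client offered")
    return enc["key"], rep["ticket"]   # both go into the credential cache


def example_as_exchange(now=None):
    """Constructed AS exchange: a forwardable, RENEWABLE-OK TGT requested for 24h."""
    now = now or datetime.now(timezone.utc)
    req = {"pvno": 5, "msg-type": AS_REQ, "padata": [], "req-body": {
        "kdc-options": bit(FORWARDABLE) | bit(RENEWABLE_OK),
        "cname": "alice", "realm": "EXAMPLE.COM", "sname": "krbtgt/EXAMPLE.COM",
        "till": now + timedelta(hours=24), "nonce": int.from_bytes(os.urandom(4), "big"),
        "etype": [18, 17],
    }}
    rep = process_request(req, now, client=("EXAMPLE.COM", "alice"))
    key, ticket = verify_reply(req, rep, now)
    return req, rep, key, ticket


if __name__ == "__main__":
    _, rep, key, _ = example_as_exchange()
    print("flags=%08x etype=%d endtime=%s renew-till=%s"
          % (rep["enc-part"]["flags"], key[0], rep["enc-part"]["endtime"],
             rep["enc-part"]["renew-till"]))
```

Two details worth noticing: the 24-hour request comes back as a 10-hour ticket that is renewable until the requested till, because RENEWABLE-OK lets the KDC satisfy a long request with a shorter renewable ticket, and the client compares the cleartext ticket header against the encrypted part so that a swapped ticket cannot pass unnoticed.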

Differences Between AS and TGS

AS Exchange

  • Client authenticates with long-term key
  • Pre-authentication often required
  • Issues initial TGT

TGS Exchange

  • Client authenticates with TGT
  • Uses session key from TGT
  • Issues service tickets
  • Supports ticket renewal and validation

Reference

For complete message specifications, refer to RFC 4120 Section 5.4.