5.5. Client/Server (CS) Message Specifications

Overview

This section defines the message structures used for direct client-server authentication, including application requests and optional mutual authentication.

5.5.1. KRB_AP_REQ Definition

The application request message structure contains:

pvno - Protocol version number
msg-type - Message type (AP-REQ)
ap-options - Application options flags
ticket - Service ticket from TGS
authenticator - Encrypted authenticator

AP Options

MUTUAL-REQUIRED - Request mutual authentication
USE-SESSION-KEY - Encrypt ticket in session key

Authenticator Structure

Encrypted in session key, contains:

authenticator-vno - Version number
crealm, cname - Client identity
cksum - Optional checksum
cusec, ctime - Timestamp with microseconds
subkey - Optional sub-session key
seq-number - Optional sequence number
authorization-data - Optional authorization data

5.5.2. KRB_AP_REP Definition

The application reply message (for mutual authentication):

pvno - Protocol version number
msg-type - Message type (AP-REP)
enc-part - Encrypted part

Encrypted Part

Contains:

ctime, cusec - Timestamp from authenticator
subkey - Optional sub-session key
seq-number - Optional sequence number

5.5.3. Error Message Reply

See Section 5.9 for KRB_ERROR message specification.

Reference

For complete message specifications, refer to RFC 4120 Section 5.5.

Overview​

5.5.1. KRB_AP_REQ Definition​

AP Options​

Authenticator Structure​

5.5.2. KRB_AP_REP Definition​

Encrypted Part​

5.5.3. Error Message Reply​

Reference​