5.7. KRB_PRIV Message Specification
This section specifies the format of a message that can be used by either side (client or server) of an application to send a message to its peer securely and privately. It presumes that a session key has previously been exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
5.7.1. KRB_PRIV Definition
The KRB_PRIV message contains user data encrypted in the Session Key. The message fields are as follows:
   KRB-PRIV        ::= [APPLICATION 21] SEQUENCE {
           pvno            [0] INTEGER (5),
           msg-type        [1] INTEGER (21),
                           -- NOTE: there is no [2] tag
           enc-part        [3] EncryptedData -- EncKrbPrivPart
   }

   EncKrbPrivPart  ::= [APPLICATION 28] SEQUENCE {
           user-data       [0] OCTET STRING,
           timestamp       [1] KerberosTime OPTIONAL,
           usec            [2] Microseconds OPTIONAL,
           seq-number      [3] UInt32 OPTIONAL,
           s-address       [4] HostAddress -- sender's addr --,
           r-address       [5] HostAddress OPTIONAL -- recip's addr
   }
pvno and msg-type
These fields are described above in Section 5.4.1. msg-type is KRB_PRIV.
enc-part
This field holds an encoding of the EncKrbPrivPart sequence encrypted under the session key, with a key usage value of 13. This encrypted encoding is used for the enc-part field of the KRB-PRIV message.
user-data, timestamp, usec, s-address, and r-address
These fields are described above in Section 5.6.1.
seq-number
This field is described above in Section 5.3.2.
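The structures above, as an added Python example that is not part of RFC 4120 or of any Kerberos implementation: a minimal DER encoder for EncKrbPrivPart and KRB-PRIV using the tags shown here, with the EncryptedData layout (etype [0], kvno [1] OPTIONAL, cipher [2]) and HostAddress layout taken from the RFC's other sections. The cipher bytes are a caller-supplied placeholder; encryption of the EncKrbPrivPart encoding under the session key with key usage 13 is assumed to happen elsewhere and is not implemented.

```python
# Constructed example, not RFC text: a minimal DER encoder for the KRB-PRIV and
# EncKrbPrivPart structures above. The enc-part cipher bytes are supplied by the
# caller; a real sender produces them by encrypting enc_krb_priv_part() output
# with the session key under key usage 13 (the etype's encrypt function, not shown).

def der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def ctx(n, body):  # [n] context tag; Kerberos tags are EXPLICIT, hence constructed
    return tlv(0xA0 | n, body)
def app(n, body):  # [APPLICATION n] constructed tag (21 = KRB-PRIV, 28 = EncKrbPrivPart)
    return tlv(0x60 | n, body)
def der_int(v):  # minimal-length two's-complement INTEGER
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))
def der_octets(b):
    return tlv(0x04, b)
def der_seq(parts):
    return tlv(0x30, b"".join(parts))

def host_address(addr_type, address):
    # HostAddress ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING }
    return der_seq([ctx(0, der_int(addr_type)), ctx(1, der_octets(address))])

def enc_krb_priv_part(user_data, s_address, timestamp=None, usec=None,
                      seq_number=None, r_address=None):
    # OPTIONAL fields are omitted when None; KerberosTime is a GeneralizedTime (tag 0x18)
    fields = [(0, der_octets(user_data)),
              (1, None if timestamp is None else tlv(0x18, timestamp.encode("ascii"))),
              (2, None if usec is None else der_int(usec)),
              (3, None if seq_number is None else der_int(seq_number)),
              (4, s_address),
              (5, r_address)]
    return app(28, der_seq([ctx(n, v) for n, v in fields if v is not None]))

def krb_priv(etype, cipher, kvno=None):
    # KRB-PRIV: pvno [0], msg-type [1], enc-part [3]; there is deliberately no [2] tag.
    # EncryptedData ::= SEQUENCE { etype [0] Int32, kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING }
    enc = [ctx(0, der_int(etype))]
    if kvno is not None:
        enc.append(ctx(1, der_int(kvno)))
    enc.append(ctx(2, der_octets(cipher)))
    return app(21, der_seq([ctx(0, der_int(5)), ctx(1, der_int(21)), ctx(3, der_seq(enc))]))
```

A receiver walking the outer SEQUENCE should see context tags [0], [1], [3] only, and must reject a message whose enc-part does not decrypt and verify under key usage 13.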