5.8. KRB_CRED Message Specification
This section specifies the format of a message that can be used to send Kerberos credentials from one principal to another. It is presented here to encourage a common mechanism to be used by applications when forwarding tickets or providing proxies to subordinate servers. It presumes that a session key has already been exchanged, perhaps by using the KRB_AP_REQ/KRB_AP_REP messages.
5.8.1. KRB_CRED Definition
The KRB_CRED message contains a sequence of tickets to be sent and information needed to use the tickets, including the session key from each. The information needed to use the tickets is encrypted under an encryption key previously exchanged or transferred alongside the KRB_CRED message. The message fields are as follows:
   KRB-CRED        ::= [APPLICATION 22] SEQUENCE {
           pvno            [0] INTEGER (5),
           msg-type        [1] INTEGER (22),
           tickets         [2] SEQUENCE OF Ticket,
           enc-part        [3] EncryptedData -- EncKrbCredPart
   }

   EncKrbCredPart  ::= [APPLICATION 29] SEQUENCE {
           ticket-info     [0] SEQUENCE OF KrbCredInfo,
           nonce           [1] UInt32 OPTIONAL,
           timestamp       [2] KerberosTime OPTIONAL,
           usec            [3] Microseconds OPTIONAL,
           s-address       [4] HostAddress OPTIONAL,
           r-address       [5] HostAddress OPTIONAL
   }

   KrbCredInfo     ::= SEQUENCE {
           key             [0] EncryptionKey,
           prealm          [1] Realm OPTIONAL,
           pname           [2] PrincipalName OPTIONAL,
           flags           [3] TicketFlags OPTIONAL,
           authtime        [4] KerberosTime OPTIONAL,
           starttime       [5] KerberosTime OPTIONAL,
           endtime         [6] KerberosTime OPTIONAL,
           renew-till      [7] KerberosTime OPTIONAL,
           srealm          [8] Realm OPTIONAL,
           sname           [9] PrincipalName OPTIONAL,
           caddr           [10] HostAddresses OPTIONAL
   }
pvno and msg-type
   These fields are described above in Section 5.4.1. msg-type is KRB_CRED.

tickets
   These are the tickets obtained from the KDC specifically for use by the intended recipient. Successive tickets are paired with the corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED message.

enc-part
   This field holds an encoding of the EncKrbCredPart sequence encrypted under the session key shared by the sender and the intended recipient, with a key usage value of 14. This encrypted encoding is used for the enc-part field of the KRB-CRED message.

   Implementation note: Implementations of certain applications, most notably certain implementations of the Kerberos GSS-API mechanism, do not separately encrypt the contents of the EncKrbCredPart of the KRB-CRED message when sending it. In the case of those GSS-API mechanisms, this is not a security vulnerability, as the entire KRB-CRED message is itself embedded in an encrypted message.

nonce
   If practical, an application MAY require the inclusion of a nonce generated by the recipient of the message. If the same value is included as the nonce in the message, it provides evidence that the message is fresh and has not been replayed by an attacker. A nonce MUST NEVER be reused.

timestamp and usec
   These fields specify the time that the KRB-CRED message was generated. The time is used to provide assurance that the message is fresh.

s-address and r-address
   These fields are described above in Section 5.6.1. They are used optionally to provide additional assurance of the integrity of the KRB-CRED message.

key
   This field exists in the corresponding ticket passed by the KRB-CRED message and is used to pass the session key from the sender to the intended recipient. The field's encoding is described in Section 5.2.9.
The following fields are optional. If present, they can be associated with the credentials in the remote ticket file. If left out, then it is assumed that the recipient of the credentials already knows their values.
prealm and pname
   The name and realm of the delegated principal identity.

flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
   These fields contain the values of the corresponding fields from the ticket found in the ticket field. Descriptions of the fields are identical to the descriptions in the KDC-REP message.
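As an added example (not part of RFC 4120 or of any Kerberos implementation), the following Python sketch models the checks a recipient applies after decrypting enc-part under the shared session key with key usage 14: the ticket/KrbCredInfo pairing, the recipient-issued nonce and its non-reuse, timestamp freshness, and the optional s-address match. The dataclasses, the 5-minute skew limit and the used-nonce set are assumptions, not something the specification prescribes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Hypothetical model of the decrypted EncKrbCredPart; the real message is
# ASN.1 DER and its enc-part is decrypted with key usage 14 before this step.
@dataclass
class KrbCredInfo:
    key: bytes                       # session key of the paired ticket
    pname: Optional[str] = None
    srealm: Optional[str] = None
    sname: Optional[str] = None

@dataclass
class EncKrbCredPart:
    ticket_info: List[KrbCredInfo]
    nonce: Optional[int] = None
    timestamp: Optional[datetime] = None
    s_address: Optional[str] = None

MAX_SKEW = timedelta(minutes=5)      # assumed clock-skew tolerance

class KrbCredError(ValueError):
    pass

def validate_krb_cred(tickets: List[bytes], part: EncKrbCredPart,
                      expected_nonce: Optional[int], used_nonces: Set[int],
                      sender_addr: Optional[str], now: datetime
                      ) -> List[Tuple[bytes, KrbCredInfo]]:
    """Apply the recipient-side checks and pair each ticket with its info."""
    # Successive tickets pair with successive KrbCredInfo entries.
    if len(tickets) != len(part.ticket_info):
        raise KrbCredError("ticket count differs from ticket-info count")
    # The nonce we issued must come back, and a nonce is never accepted twice.
    if expected_nonce is not None:
        if part.nonce != expected_nonce:
            raise KrbCredError("nonce missing or not the value we issued")
        if expected_nonce in used_nonces:
            raise KrbCredError("nonce already used: possible replay")
        used_nonces.add(expected_nonce)
    # timestamp/usec give freshness when no nonce was required.
    if part.timestamp is not None and abs(now - part.timestamp) > MAX_SKEW:
        raise KrbCredError("timestamp outside clock skew: message is stale")
    # s-address, if present, must name the peer that actually sent it.
    if part.s_address is not None and part.s_address != sender_addr:
        raise KrbCredError("s-address does not match the sending host")
    return list(zip(tickets, part.ticket_info))
```

The returned pairs are what a recipient would store in its credential cache, each ticket with the session key from its KrbCredInfo.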