5. Message Specifications
Overview
This section provides detailed specifications for all Kerberos protocol messages using Abstract Syntax Notation One (ASN.1). All Kerberos messages are encoded using Distinguished Encoding Rules (DER).
Message Categories
Basic Types
- KerberosString - String encoding rules
- Realm and PrincipalName - Principal identification
- KerberosTime - Timestamp format
- HostAddress - Network address representation
- AuthorizationData - Authorization information
Ticket Structures
- Ticket - The fundamental authentication credential
- EncTicketPart - Encrypted portion of ticket
KDC Exchange Messages
- KRB_AS_REQ/REP - Authentication Service exchange
- KRB_TGS_REQ/REP - Ticket-Granting Service exchange
- KRB_ERROR - Error responses
Client/Server Messages
- KRB_AP_REQ/REP - Application authentication
- KRB_SAFE - Integrity-protected messages
- KRB_PRIV - Encrypted messages
- KRB_CRED - Credential forwarding
ASN.1 Compatibility
Important Considerations
- Distinguished Encoding Rules (DER) must be used: every Kerberos message is DER-encoded, so a decoder should expect definite, minimally encoded lengths rather than BER alternatives such as the indefinite-length form
- Optional integer fields: some implementations do not distinguish an omitted OPTIONAL INTEGER from a transmitted value of zero, so a receiver should not rely on that difference being preserved
- Empty SEQUENCE OF types: an OPTIONAL SEQUENCE OF that is present but empty must be treated as equivalent to the field being absent; senders must not emit the empty encoding, receivers must accept it
- Unrecognized tag numbers: future revisions may define new message types with new APPLICATION tag numbers, and an implementation that receives a tag it does not know should return an error rather than misparse the message
- Tag numbers greater than 30: ASN.1 encodes tag numbers above 30 in a multi-byte high-tag-number form; none of the tags defined in this specification exceed 30, but a decoder should either handle that form or reject it gracefully
Message Structure Overview
Each message type specifies:
- ASN.1 type definition
- Encoding rules
- Field descriptions and constraints
- Security considerations
- Processing requirements
Application Tag Numbers
Each top-level Kerberos message is wrapped in an ASN.1 APPLICATION-class tag (for example, AS-REQ is [APPLICATION 10] and KRB-ERROR is [APPLICATION 30]). A receiver reads this outer tag to recognise the message type before decoding the body, which is how messages are routed to the right processing code.
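As an added example (not part of RFC 4120 or this page), the following Python decodes the outer DER tag of a Kerberos message, maps the APPLICATION tag number to the message name from the section 5.10 table, and enforces the rules listed under ASN.1 Compatibility above: definite, minimally encoded lengths, the multi-byte form for tag numbers above 30, and a clean rejection of unrecognised tags. The message bytes are constructed inline; the AS-REQ sample carries only pvno and msg-type, not the req-body a real request must contain. All function names are the example's own.

```python
"""Identify a DER-encoded Kerberos message by its outer APPLICATION tag.

Added example; not code from RFC 4120. It only looks at the outer TLV and
the constructed sample below, so it runs offline.
"""
from typing import Tuple

# APPLICATION tag numbers from RFC 4120 section 5.10.
APPLICATION_TAGS = {
    1: "Ticket", 2: "Authenticator", 3: "EncTicketPart",
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP",
    20: "KRB-SAFE", 21: "KRB-PRIV", 22: "KRB-CRED",
    25: "EncASRepPart", 26: "EncTGSRepPart", 27: "EncApRepPart",
    28: "EncKrbPrivPart", 29: "EncKrbCredPart", 30: "KRB-ERROR",
}

CLASS_UNIVERSAL, CLASS_APPLICATION, CLASS_CONTEXT = 0x00, 0x40, 0x80
CONSTRUCTED = 0x20


class DerError(ValueError):
    """Raised for anything that is not well-formed DER or not a known message."""


def read_tag(buf: bytes, pos: int) -> Tuple[int, int, bool, int]:
    """Return (class bits, tag number, constructed?, next position).

    Tag numbers >= 31 use the high-tag-number form: the low five bits of
    the first octet are all ones and the number follows as base-128
    continuation octets (section 5.1.5 warns naive decoders about this).
    """
    if pos >= len(buf):
        raise DerError("truncated tag")
    first = buf[pos]
    pos += 1
    cls, constructed, number = first & 0xC0, bool(first & CONSTRUCTED), first & 0x1F
    if number == 0x1F:
        number = 0
        while True:
            if pos >= len(buf):
                raise DerError("truncated high tag number")
            b = buf[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
        if number < 31:
            raise DerError("non-minimal high tag number")  # DER forbids this
    return cls, number, constructed, pos


def read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """DER length: definite form only, shortest possible encoding."""
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise DerError("indefinite length is BER, not DER")
    n = first & 0x7F
    if pos + n > len(buf):
        raise DerError("truncated long-form length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if (n > 1 and buf[pos] == 0) or length < 0x80:
        raise DerError("non-minimal length encoding")
    return length, pos + n


def identify_message(buf: bytes) -> Tuple[str, int, bytes]:
    """Return (message name, APPLICATION tag number, content octets)."""
    cls, number, constructed, pos = read_tag(buf, 0)
    if cls != CLASS_APPLICATION or not constructed:
        raise DerError("outer tag is not a constructed APPLICATION tag")
    length, pos = read_length(buf, pos)
    if pos + length != len(buf):
        raise DerError("length does not match message size")
    name = APPLICATION_TAGS.get(number)
    if name is None:  # section 5.1.4: unknown type, fail rather than guess
        raise DerError(f"unrecognized APPLICATION tag {number}")
    return name, number, buf[pos:pos + length]


def describe(buf: bytes) -> str:
    """Human-readable verdict; never raises, so callers can log and drop."""
    try:
        name, number, content = identify_message(buf)
    except DerError as exc:
        return f"rejected: {exc}"
    return f"{name} (APPLICATION {number}, {len(content)} content octets)"


def encode_tlv(cls: int, constructed: bool, number: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder used to build the samples (high tags included)."""
    head = cls | (CONSTRUCTED if constructed else 0)
    if number < 31:
        tag = bytes([head | number])
    else:
        groups = []
        while True:
            groups.append(number & 0x7F)
            number >>= 7
            if number == 0:
                break
        groups.reverse()
        tag = bytes([head | 0x1F]) + bytes(g | 0x80 for g in groups[:-1]) + bytes([groups[-1]])
    if len(content) < 0x80:
        length = bytes([len(content)])
    else:
        lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return tag + length + content


# Constructed sample: an AS-REQ wrapper holding only pvno [1] = 5 and
# msg-type [2] = 10 (KDC-REQ uses context tags [1] and [2] for these).
# A real AS-REQ also carries req-body [4]; it is omitted here on purpose.
_pvno = encode_tlv(CLASS_CONTEXT, True, 1, encode_tlv(CLASS_UNIVERSAL, False, 2, b"\x05"))
_msg_type = encode_tlv(CLASS_CONTEXT, True, 2, encode_tlv(CLASS_UNIVERSAL, False, 2, b"\x0a"))
AS_REQ_SAMPLE = encode_tlv(CLASS_APPLICATION, True, 10, encode_tlv(CLASS_UNIVERSAL, True, 16, _pvno + _msg_type))

if __name__ == "__main__":
    print(describe(AS_REQ_SAMPLE))
    print(describe(encode_tlv(CLASS_APPLICATION, True, 31, b"\x30\x00")))  # tag > 30
    print(describe(b"\x6a\x80\x30\x00\x00\x00"))  # BER indefinite length
```

The decoder deliberately stops at the outer tag: once the message type is known, the body is handed to the decoder for that type, and any message whose tag, class or length does not fit the DER rules is dropped with a reason rather than partially parsed.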
Related Sections
- 5.1. Specific Compatibility Notes on ASN.1
- 5.2. Basic Kerberos Types
- 5.3. Tickets
- 5.4. Specifications for the AS and TGS Exchanges
- 5.5. Client/Server (CS) Message Specifications
- 5.6. KRB_SAFE Message Specification
- 5.7. KRB_PRIV Message Specification
- 5.8. KRB_CRED Message Specification
- 5.9. Error Message Specification
- 5.10. Application Tag Numbers
Reference
For complete ASN.1 definitions and detailed message specifications, refer to: