Internet Security Professional Reference:Kerberos


KRB_CRED Definition

The KRB_CRED message contains a sequence of tickets to be sent and information needed to use the tickets, including the session key from each. The information needed to use the tickets is encrypted under an encryption key previously exchanged. The message fields are as follows:

   KRB-CRED = {
               pvno[0]                INTEGER,
               msg-type[1]            INTEGER, -- KRB_CRED
               tickets[2]             SEQUENCE OF Ticket,
               enc-part[3]            EncryptedData
              }

   EncKrbCredPart = {
               ticket-info[0]         SEQUENCE OF KrbCredInfo,
               nonce[1]               INTEGER OPTIONAL,
               timestamp[2]           KerberosTime OPTIONAL,
               usec[3]                INTEGER OPTIONAL,
               s-address[4]           HostAddress OPTIONAL,
               r-address[5]           HostAddress OPTIONAL
              }

   KrbCredInfo = {
               key[0]                 EncryptionKey,
               prealm[1]              Realm OPTIONAL,
               pname[2]               PrincipalName OPTIONAL,
               flags[3]               TicketFlags OPTIONAL,
               authtime[4]            KerberosTime OPTIONAL,
               starttime[5]           KerberosTime OPTIONAL,
               endtime[6]             KerberosTime OPTIONAL,
               renew-till[7]          KerberosTime OPTIONAL,
               srealm[8]              Realm OPTIONAL,
               sname[9]               PrincipalName OPTIONAL,
               caddr[10]              HostAddresses OPTIONAL
              }
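The definitions above are ASN.1 with numbered context tags. As an added example (standard-library Python, not code from the book), the following encoder turns the three structures into DER bytes so the tag layout can be inspected. Assumptions taken from RFC 4120 rather than from this page: Kerberos uses EXPLICIT context tagging, so `field[n]` wraps the field's own encoding in a constructed tag `0xA0|n`; KRB-CRED is `[APPLICATION 22]` with msg-type 22, Ticket is `[APPLICATION 1]` and EncKrbCredPart is `[APPLICATION 29]`. The key bytes, principal names and ticket ciphertext in `build_sample()` are constructed placeholders, and only a subset of the OPTIONAL KrbCredInfo fields is emitted.

```python
"""Minimal DER encoder for KRB-CRED, EncKrbCredPart and KrbCredInfo (added example)."""
from datetime import datetime, timezone

PVNO = 5
MSG_TYPE_KRB_CRED = 22          # msg-type value for KRB_CRED (RFC 4120)
APP_TAG_KRB_CRED = 22           # [APPLICATION 22]; assumption from RFC 4120
APP_TAG_TICKET = 1              # [APPLICATION 1]
APP_TAG_ENC_KRB_CRED_PART = 29  # [APPLICATION 29]

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value for single-octet tags (every tag number used here is below 31)."""
    return bytes([tag]) + der_length(len(content)) + content

def der_integer(value: int) -> bytes:
    """INTEGER (tag 0x02), minimal big-endian encoding; non-negative values only."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def kerberos_string(s: str) -> bytes:
    """KerberosString and Realm are GeneralString (tag 0x1B)."""
    return tlv(0x1B, s.encode("ascii"))

def kerberos_time(t: datetime) -> bytes:
    """KerberosTime is GeneralizedTime (tag 0x18), UTC, no fractional seconds."""
    stamp = t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return tlv(0x18, stamp.encode("ascii"))

def sequence(*elements: bytes) -> bytes:
    return tlv(0x30, b"".join(elements))

def ctx(n: int, inner: bytes) -> bytes:
    """EXPLICIT context-specific tag [n]: constructed tag 0xA0|n around the inner TLV."""
    return tlv(0xA0 | n, inner)

def app(n: int, inner: bytes) -> bytes:
    """Constructed APPLICATION tag 0x60|n, used on the top-level Kerberos messages."""
    return tlv(0x60 | n, inner)

def principal_name(name_type: int, *parts: str) -> bytes:
    return sequence(ctx(0, der_integer(name_type)),
                    ctx(1, sequence(*(kerberos_string(p) for p in parts))))

def encryption_key(keytype: int, keyvalue: bytes) -> bytes:
    return sequence(ctx(0, der_integer(keytype)), ctx(1, tlv(0x04, keyvalue)))

def encrypted_data(etype: int, cipher: bytes) -> bytes:
    # kvno[1] is OPTIONAL and omitted; cipher[2] is an OCTET STRING (tag 0x04).
    return sequence(ctx(0, der_integer(etype)), ctx(2, tlv(0x04, cipher)))

def ticket(realm: str, sname: bytes, enc_part: bytes) -> bytes:
    return app(APP_TAG_TICKET, sequence(ctx(0, der_integer(PVNO)), ctx(1, kerberos_string(realm)),
                                        ctx(2, sname), ctx(3, enc_part)))

def krb_cred_info(key: bytes, prealm: str, pname: bytes, endtime: datetime,
                  srealm: str, sname: bytes) -> bytes:
    # Tag numbers follow the KrbCredInfo definition: key[0], prealm[1], pname[2],
    # endtime[6], srealm[8], sname[9]; the other OPTIONAL fields are left out.
    return sequence(ctx(0, key), ctx(1, kerberos_string(prealm)), ctx(2, pname),
                    ctx(6, kerberos_time(endtime)), ctx(8, kerberos_string(srealm)), ctx(9, sname))

def enc_krb_cred_part(infos: list, nonce: int, timestamp: datetime) -> bytes:
    """The plaintext that is encrypted under the shared session key to form enc-part."""
    return app(APP_TAG_ENC_KRB_CRED_PART,
               sequence(ctx(0, sequence(*infos)), ctx(1, der_integer(nonce)),
                        ctx(2, kerberos_time(timestamp))))

def krb_cred(tickets: list, enc_part: bytes) -> bytes:
    """Outer KRB-CRED: pvno[0], msg-type[1], tickets[2], enc-part[3]."""
    return app(APP_TAG_KRB_CRED,
               sequence(ctx(0, der_integer(PVNO)), ctx(1, der_integer(MSG_TYPE_KRB_CRED)),
                        ctx(2, sequence(*tickets)), ctx(3, enc_part)))

def build_sample() -> bytes:
    """Encode one forwarded ticket using constructed placeholder values."""
    when = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    client = principal_name(1, "alice")                      # name-type 1 = NT-PRINCIPAL
    server = principal_name(3, "host", "db.example.test")    # name-type 3 = NT-SRV-HST
    session_key = encryption_key(18, bytes(32))              # etype 18 = aes256-cts-hmac-sha1-96
    tkt = ticket("EXAMPLE.TEST", server, encrypted_data(18, b"\x00" * 48))  # placeholder ciphertext
    info = krb_cred_info(session_key, "EXAMPLE.TEST", client, when, "EXAMPLE.TEST", server)
    plaintext = enc_krb_cred_part([info], nonce=0x1234, timestamp=when)
    # A real sender encrypts `plaintext` under the key shared with the recipient;
    # here it is placed in the cipher field unencrypted so the bytes can be inspected.
    return krb_cred([tkt], encrypted_data(18, plaintext))
```

Feeding `build_sample()` into any DER dumper shows the nesting the definitions describe: the outer `0x76` APPLICATION tag, then `A0 03 02 01 05` for pvno and `A1 03 02 01 16` for msg-type, then the ticket sequence and the enc-part.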

Table 9.11 describes the fields in this message.

Table 9.11
KRB_CRED Message Fields

   pvno and msg-type
        Described earlier. msg-type is KRB_CRED.

   tickets
        The tickets obtained from the Key Distribution Center specifically for use by the intended recipient. Successive tickets are paired with the corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED message.

   enc-part
        Holds an encoding of the EncKrbCredPart sequence encrypted under the session key shared between the sender and the intended recipient. This encrypted encoding is used for the enc-part field of the KRB-CRED message.

   nonce
        If practical, an application may require the inclusion of a nonce generated by the recipient of the message. If the same value is included as the nonce in the message, it provides evidence that the message is fresh and has not been replayed by an attacker. A nonce must never be reused.

   timestamp and usec
        Specify the time that the KRB-CRED message was generated. The time is used to provide assurance that the message is fresh.

   s-address and r-address
        Described earlier. Used to provide additional assurance of the integrity of the KRB-CRED message.

   key
        Exists in the corresponding ticket passed by the KRB-CRED message and is used to pass the session key from the sender to the intended recipient.

The following fields are optional. If present, they can be associated with the credentials in the remote ticket file. If left out, it is assumed that the recipient of the credentials already knows their value.

   prealm and pname
        The name and realm of the delegated principal identity.

   flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
        Contain the values of the corresponding fields from the ticket found in the ticket field. The descriptions of these fields are identical to those given for the KDC-REP message.
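The two tables describe what a recipient must check before trusting forwarded credentials: tickets pair positionally with KrbCredInfo entries, the nonce must echo the one the recipient issued, the timestamp must be fresh, any addresses present must match the real endpoints, and absent name fields fall back to values the recipient already knows. The following is an added example (standard-library Python, not the book's code) that applies those checks to a decrypted EncKrbCredPart modelled with dataclasses; DER decoding and the decryption of enc-part under the shared session key are assumed to have already happened. The function name `accept_krb_cred`, the five-minute skew limit, the address strings and all sample values are this example's own assumptions.

```python
"""Receiver-side checks on a KRB-CRED whose enc-part is already decrypted (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class KrbCredInfo:
    key: bytes                          # session key for the paired ticket
    prealm: Optional[str] = None
    pname: Optional[str] = None
    endtime: Optional[datetime] = None
    srealm: Optional[str] = None
    sname: Optional[str] = None

@dataclass
class EncKrbCredPart:
    ticket_info: List[KrbCredInfo]
    nonce: Optional[int] = None
    timestamp: Optional[datetime] = None
    usec: Optional[int] = None
    s_address: Optional[str] = None
    r_address: Optional[str] = None

@dataclass
class KrbCred:
    tickets: List[bytes]                # opaque DER tickets, paired with ticket_info by position
    enc_part: EncKrbCredPart            # already decrypted with the shared session key

@dataclass
class CacheEntry:
    ticket: bytes
    session_key: bytes
    client: str
    server: str
    endtime: Optional[datetime]

class KrbCredError(ValueError):
    """Raised when the message fails a structure, freshness or binding check."""

def accept_krb_cred(msg: KrbCred, *, expected_nonce: Optional[int] = None,
                    sender_address: Optional[str] = None, local_address: Optional[str] = None,
                    now: Optional[datetime] = None, max_skew: timedelta = timedelta(minutes=5),
                    known_client: str = "alice@EXAMPLE.TEST") -> List[CacheEntry]:
    enc = msg.enc_part
    # Structure: every ticket must have exactly one KrbCredInfo carrying its session key.
    if len(msg.tickets) != len(enc.ticket_info):
        raise KrbCredError("ticket count does not match ticket-info count")
    # Freshness (nonce): if we issued a nonce, the decrypted message must echo it
    # exactly; a replayed message carries an old nonce and is rejected.
    if expected_nonce is not None and enc.nonce != expected_nonce:
        raise KrbCredError("nonce missing or does not match the one we issued")
    # Freshness (time): generation time, timestamp plus usec, must lie within the
    # allowed clock skew of our own clock.
    if enc.timestamp is not None:
        now = now or datetime.now(timezone.utc)
        sent = enc.timestamp + timedelta(microseconds=enc.usec or 0)
        if abs(now - sent) > max_skew:
            raise KrbCredError("timestamp outside the acceptable clock skew")
    # Binding: addresses, when present, must match the endpoints of the connection
    # that actually delivered the message.
    if enc.s_address is not None and enc.s_address != sender_address:
        raise KrbCredError("s-address does not match the sending host")
    if enc.r_address is not None and enc.r_address != local_address:
        raise KrbCredError("r-address does not match this host")
    entries = []
    for tkt, info in zip(msg.tickets, enc.ticket_info):
        # Absent OPTIONAL name fields: the recipient is assumed to know them already.
        client = f"{info.pname}@{info.prealm}" if info.pname and info.prealm else known_client
        server = f"{info.sname}@{info.srealm}" if info.sname and info.srealm else "(known to recipient)"
        entries.append(CacheEntry(tkt, info.key, client, server, info.endtime))
    return entries

def sample_message(nonce: int, when: datetime) -> KrbCred:
    """Constructed KRB-CRED carrying one forwarded ticket (placeholder bytes)."""
    info = KrbCredInfo(key=b"\x11" * 32, prealm="EXAMPLE.TEST", pname="alice",
                       endtime=when + timedelta(hours=8), srealm="EXAMPLE.TEST",
                       sname="host/db.example.test")
    enc = EncKrbCredPart([info], nonce=nonce, timestamp=when, usec=250000,
                         s_address="10.0.0.5", r_address="10.0.0.9")
    return KrbCred(tickets=[b"<DER ticket placeholder>"], enc_part=enc)

def demo() -> dict:
    """Run the checks on a fresh message, a replay with an old nonce, and a stale message."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    issued_nonce = 0x5A5A
    results = {}
    results["fresh"] = accept_krb_cred(sample_message(issued_nonce, t0), expected_nonce=issued_nonce,
                                       sender_address="10.0.0.5", local_address="10.0.0.9",
                                       now=t0 + timedelta(seconds=30))
    for label, msg, now in [("replayed", sample_message(0x1111, t0), t0 + timedelta(seconds=30)),
                            ("stale", sample_message(issued_nonce, t0), t0 + timedelta(hours=1))]:
        try:
            accept_krb_cred(msg, expected_nonce=issued_nonce, sender_address="10.0.0.5",
                            local_address="10.0.0.9", now=now)
            results[label] = "accepted"
        except KrbCredError as err:
            results[label] = str(err)
    return results
```

`demo()` returns the accepted cache entries for the fresh message and the rejection reasons for the other two; the order of the checks matters in practice, since a message that fails the nonce test should be dropped before its tickets are examined at all.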

