RFC 1510 (rfc1510) - Page 2 of 112


The Kerberos Network Authentication Service (V5)



Alternative Format: Original Text Document



RFC 1510                        Kerberos                  September 1993


Background

   The Kerberos model is based in part on Needham and Schroeder's
   trusted third-party authentication protocol [3] and on modifications
   suggested by Denning and Sacco [4].  The original design and
   implementation of Kerberos Versions 1 through 4 was the work of two
   former Project Athena staff members, Steve Miller of Digital
   Equipment Corporation and Clifford Neuman (now at the Information
   Sciences Institute of the University of Southern California), along
   with Jerome Saltzer, Technical Director of Project Athena, and
   Jeffrey Schiller, MIT Campus Network Manager.  Many other members of
   Project Athena have also contributed to the work on Kerberos.
   Version 4 is publicly available, and has seen wide use across the
   Internet.

   Version 5 (described in this document) has evolved from Version 4
   based on new requirements and desires for features not available in
   Version 4.  Details on the differences between Kerberos Versions 4
   and 5 can be found in [5].

Table of Contents

   1. Introduction .......................................    5
   1.1. Cross-Realm Operation ............................    7
   1.2. Environmental assumptions ........................    8
   1.3. Glossary of terms ................................    9
   2. Ticket flag uses and requests ......................   12
   2.1. Initial and pre-authenticated tickets ............   12
   2.2. Invalid tickets ..................................   12
   2.3. Renewable tickets ................................   12
   2.4. Postdated tickets ................................   13
   2.5. Proxiable and proxy tickets ......................   14
   2.6. Forwardable tickets ..............................   15
   2.7. Other KDC options ................................   15
   3. Message Exchanges ..................................   16
   3.1. The Authentication Service Exchange ..............   16
   3.1.1. Generation of KRB_AS_REQ message ...............   17
   3.1.2. Receipt of KRB_AS_REQ message ..................   17
   3.1.3. Generation of KRB_AS_REP message ...............   17
   3.1.4. Generation of KRB_ERROR message ................   19
   3.1.5. Receipt of KRB_AS_REP message ..................   19
   3.1.6. Receipt of KRB_ERROR message ...................   20
   3.2. The Client/Server Authentication Exchange ........   20
   3.2.1. The KRB_AP_REQ message .........................   20
   3.2.2. Generation of a KRB_AP_REQ message .............   20
   3.2.3. Receipt of KRB_AP_REQ message ..................   21
   3.2.4. Generation of a KRB_AP_REP message .............   23
   3.2.5. Receipt of KRB_AP_REP message ..................   23



Kohl & Neuman