5.3.2. Authenticators
Connected: An Internet Encyclopedia
RFC 1510, 5. Message Specifications, 5.3. Tickets and Authenticators
An authenticator is a record sent with a ticket to a server to
certify the client's knowledge of the encryption key in the ticket,
to help the server detect replays, and to help choose a "true session
key" to use with the particular session. The encoding is encrypted
in the ticket's session key shared by the client and the server:
-- Unencrypted authenticator
Authenticator ::= [APPLICATION 2] SEQUENCE {
authenticator-vno[0] INTEGER,
crealm[1] Realm,
cname[2] PrincipalName,
cksum[3] Checksum OPTIONAL,
cusec[4] INTEGER,
ctime[5] KerberosTime,
subkey[6] EncryptionKey OPTIONAL,
seq-number[7] INTEGER OPTIONAL,
authorization-data[8] AuthorizationData OPTIONAL
}
- authenticator-vno
  This field specifies the version number for the format of the
  authenticator. This document specifies version 5.
- crealm and cname
  These fields are the same as those described for the ticket in
  section 5.3.1.
- cksum
  This field contains a checksum of the application data that
  accompanies the KRB_AP_REQ.
- cusec
  This field contains the microsecond part of the client's timestamp.
  Its value (before encryption) ranges from 0 to 999999. It often
  appears along with ctime. The two fields are used together to
  specify a reasonably accurate timestamp.
- ctime
  This field contains the current time on the client's host.
- subkey
  This field contains the client's choice for an encryption key which
  is to be used to protect this specific application session. Unless
  an application specifies otherwise, if this field is left out the
  session key from the ticket will be used.
- seq-number
  This optional field includes the initial sequence number to be used
  by the KRB_PRIV or KRB_SAFE messages when sequence numbers are used
  to detect replays (it may also be used by application-specific
  messages). When included in the authenticator this field specifies
  the initial sequence number for messages from the client to the
  server. When included in the AP-REP message, the initial sequence
  number is that for messages from the server to the client. When used
  in KRB_PRIV or KRB_SAFE messages, it is incremented by one after
  each message is sent.

  For sequence numbers to adequately support the detection of replays
  they should be non-repeating, even across connection boundaries. The
  initial sequence number should be random and uniformly distributed
  across the full space of possible sequence numbers, so that it
  cannot be guessed by an attacker and so that it and the successive
  sequence numbers do not repeat other sequences.
- authorization-data
  This field is the same as described for the ticket in section 5.3.1.
  It is optional and will only appear when additional restrictions are
  to be placed on the use of a ticket, beyond those carried in the
  ticket itself.