The Kerberos Network Authentication Service (V5)
RFC 4120
| Field | Value |
|---|---|
| Document type | RFC - Proposed Standard (July 2005; Errata) |
| Updated by | RFC 6111, RFC 8553, RFC 6806, RFC 6649, RFC 4537, RFC 8129, RFC 5896, RFC 7751, RFC 6113, RFC 6112, RFC 8062, RFC 5021, RFC 8429 |
| Obsoletes | RFC 1510 |
| Authors | Clifford Neuman, Sam Hartman, Kenneth Raeburn, Taylor Yu |
| Last updated | 2015-06-26 |
| Stream | Internet Engineering Task Force (IETF) |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4120 (Proposed Standard) |
| Action Holders | (None) |
| Consensus Boilerplate | Unknown |
| Telechat date | |
| Responsible AD | Russ Housley |
| Send notices to | jhutz+@cmu.edu |
Network Working Group                                          C. Neuman
Request for Comments: 4120                                       USC-ISI
Obsoletes: 1510                                                    T. Yu
Category: Standards Track                                     S. Hartman
                                                              K. Raeburn
                                                                     MIT
                                                               July 2005

                The Kerberos Network Authentication Service (V5)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document provides an overview and specification of Version 5 of
   the Kerberos protocol, and it obsoletes RFC 1510 to clarify aspects of
   the protocol and its intended use that require more detailed or
   clearer explanation than was provided in RFC 1510.  This document is
   intended to provide a detailed description of the protocol, suitable
   for implementation, together with descriptions of the appropriate use
   of protocol messages and fields within those messages.

Neuman, et al.              Standards Track                     [Page 1]

RFC 4120                      Kerberos V5                      July 2005

Table of Contents

   1. Introduction ....................................................5
      1.1. The Kerberos Protocol ......................................6
      1.2. Cross-Realm Operation ......................................8
      1.3. Choosing a Principal with Which to Communicate .............9
      1.4. Authorization .............................................10
      1.5. Extending Kerberos without Breaking Interoperability ......11
           1.5.1. Compatibility with RFC 1510 ........................11
           1.5.2. Sending Extensible Messages ........................12
      1.6. Environmental Assumptions .................................12
      1.7. Glossary of Terms .........................................13
   2. Ticket Flag Uses and Requests ..................................16
      2.1. Initial, Pre-authenticated, and
           Hardware-Authenticated Tickets ............................17
      2.2. Invalid Tickets ...........................................17
      2.3. Renewable Tickets .........................................17
      2.4. Postdated Tickets .........................................18
      2.5. Proxiable and Proxy Tickets ...............................19
      2.6. Forwardable Tickets .......................................19
      2.7. Transited Policy Checking .................................20
      2.8. OK as Delegate ............................................21
      2.9. Other KDC Options .........................................21
           2.9.1. Renewable-OK .......................................21
           2.9.2. ENC-TKT-IN-SKEY ....................................22
           2.9.3. Passwordless Hardware Authentication ...............22
   3. Message Exchanges ..............................................22
      3.1. The Authentication Service Exchange .......................22
           3.1.1. Generation of KRB_AS_REQ Message ...................24
           3.1.2. Receipt of KRB_AS_REQ Message ......................24
           3.1.3. Generation of KRB_AS_REP Message ...................24
           3.1.4. Generation of KRB_ERROR Message ....................27
           3.1.5. Receipt of KRB_AS_REP Message ......................27
           3.1.6. Receipt of KRB_ERROR Message .......................28
      3.2. The Client/Server Authentication Exchange .................29
           3.2.1. The KRB_AP_REQ Message .............................29
           3.2.2. Generation of a KRB_AP_REQ Message .................29
           3.2.3. Receipt of KRB_AP_REQ Message ......................30
           3.2.4. Generation of a KRB_AP_REP Message .................33
           3.2.5. Receipt of KRB_AP_REP Message ......................33
           3.2.6. Using the Encryption Key ...........................33
      3.3. The Ticket-Granting Service (TGS) Exchange ................34
           3.3.1. Generation of KRB_TGS_REQ Message ..................35
           3.3.2. Receipt of KRB_TGS_REQ Message .....................37
           3.3.3. Generation of KRB_TGS_REP Message ..................38
           3.3.4. Receipt of KRB_TGS_REP Message .....................42