The Kerberos Network Authentication Service (V5)
RFC 4120

Document type: RFC - Proposed Standard (July 2005)
Obsoletes RFC 1510
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4120 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: <jhutz+@cmu.edu>

Network Working Group                                          C. Neuman
Request for Comments: 4120                                       USC-ISI
Obsoletes: 1510                                                    T. Yu
Category: Standards Track                                     S. Hartman
                                                              K. Raeburn
                                                                     MIT
                                                               July 2005

            The Kerberos Network Authentication Service (V5)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document provides an overview and specification of Version 5 of
   the Kerberos protocol, and it obsoletes RFC 1510 to clarify aspects
   of the protocol and its intended use that require more detailed or
   clearer explanation than was provided in RFC 1510.  This document is
   intended to provide a detailed description of the protocol, suitable
   for implementation, together with descriptions of the appropriate use
   of protocol messages and fields within those messages.

Neuman, et al.              Standards Track                     [Page 1]
RFC 4120                      Kerberos V5                      July 2005

Table of Contents

   1. Introduction ....................................................5
      1.1. The Kerberos Protocol ......................................6
      1.2. Cross-Realm Operation ......................................8
      1.3. Choosing a Principal with Which to Communicate .............9
      1.4. Authorization .............................................10
      1.5. Extending Kerberos without Breaking Interoperability ......11
           1.5.1. Compatibility with RFC 1510 ........................11
           1.5.2. Sending Extensible Messages ........................12
      1.6. Environmental Assumptions .................................12
      1.7. Glossary of Terms .........................................13
   2. Ticket Flag Uses and Requests ..................................16
      2.1. Initial, Pre-authenticated, and
           Hardware-Authenticated Tickets ............................17
      2.2. Invalid Tickets ...........................................17
      2.3. Renewable Tickets .........................................17
      2.4. Postdated Tickets .........................................18
      2.5. Proxiable and Proxy Tickets ...............................19
      2.6. Forwardable Tickets .......................................19
      2.7. Transited Policy Checking .................................20
      2.8. OK as Delegate ............................................21
      2.9. Other KDC Options .........................................21
           2.9.1. Renewable-OK .......................................21
           2.9.2. ENC-TKT-IN-SKEY ....................................22
           2.9.3. Passwordless Hardware Authentication ...............22
   3. Message Exchanges ..............................................22
      3.1. The Authentication Service Exchange .......................22
           3.1.1. Generation of KRB_AS_REQ Message ...................24
           3.1.2. Receipt of KRB_AS_REQ Message ......................24
           3.1.3. Generation of KRB_AS_REP Message ...................24
           3.1.4. Generation of KRB_ERROR Message ....................27
           3.1.5. Receipt of KRB_AS_REP Message ......................27
           3.1.6. Receipt of KRB_ERROR Message .......................28
      3.2. The Client/Server Authentication Exchange .................29
           3.2.1. The KRB_AP_REQ Message .............................29
           3.2.2. Generation of a KRB_AP_REQ Message .................29
           3.2.3. Receipt of KRB_AP_REQ Message ......................30
           3.2.4. Generation of a KRB_AP_REP Message .................33
           3.2.5. Receipt of KRB_AP_REP Message ......................33
           3.2.6. Using the Encryption Key ...........................33
      3.3. The Ticket-Granting Service (TGS) Exchange ................34
           3.3.1. Generation of KRB_TGS_REQ Message ..................35
           3.3.2. Receipt of KRB_TGS_REQ Message .....................37
           3.3.3. Generation of KRB_TGS_REP Message ..................38
           3.3.4. Receipt of KRB_TGS_REP Message .....................42

[include full document text]