The ciphertext is simply the plaintext. Once the accompanying ticket has been decrypted, the user-supplied checksum in the Authenticator must be verified against the contents of the request, and the message rejected if the checksums do not match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM).

subkey: This field contains the client's choice for an encryption key which is to be used to protect this specific application session.

A Ticket contains the following information:

   Ticket ::=                    [APPLICATION 1] SEQUENCE {
                                 tkt-vno[0]                   INTEGER,
                                 realm[1]                     Realm,
                                 sname[2]                     PrincipalName,
                                 enc-part[3]                  EncryptedData
   }

   -- Encrypted part of ticket
   EncTicketPart ::=     [APPLICATION 3] SEQUENCE {
                         flags[0]             TicketFlags,
                         key[1]               EncryptionKey,
                         crealm[2]            Realm,
                         cname[3]             PrincipalName,
                         transited[4]         TransitedEncoding,
                         authtime[5]          KerberosTime,
                         starttime[6]         KerberosTime OPTIONAL,
                         endtime[7]           KerberosTime,
                         renew-till[8]        KerberosTime OPTIONAL,
                         caddr[9]             HostAddresses OPTIONAL,
                         authorization-data[10]   AuthorizationData OPTIONAL
   }

   -- encoded Transited field
   TransitedEncoding ::=         SEQUENCE {
                                 tr-type[0]  INTEGER, -- must be registered
                                 contents[1]          OCTET STRING
   }

The encoding of EncTicketPart is encrypted in the key shared by Kerberos and the end server (the server's secret key).

Message direction: Kerberos to client. Message type: KRB_AS_REP (section 5.4.2) or KRB_ERROR (section 5.9.1).

The Authentication Service (AS) Exchange between the client and the Kerberos Authentication Server is usually initiated by a client when it wishes to obtain authentication credentials for a given server but currently holds no credentials.

Message B: Ticket-Granting-Ticket (TGT, which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.
If it is five (5), then the lr-value subfield is the time of last request (of any type).


Ticket addresses and flags: All KDCs must pass on tickets that carry no addresses (i.e., if a TGT contains no addresses, the KDC will return derivative tickets), but each realm may set its own policy for issuing such tickets, and each application server will set its own policy with respect to accepting them.

These are the addresses from which the ticket can be used.

crealm, cname, srealm and sname: These fields are the same as those described for the ticket in section 5.3.1.


KRB_KDC_REP definition: The KRB_KDC_REP message format is used for the reply from the KDC for either an initial (AS) request or a subsequent (TGS) request.

The message is first checked by verifying that the protocol version and type fields match the current version and KRB_SAFE, respectively. A failed match for either case generates a KRB_AP_ERR_BADADDR error.

This checksum is tamper-proof and believed to be collision-proof.

