Kerberos Study Notes

Kerberos

RFC4120

| Key Usage Number | Description |
|---|---|
| 1 | AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the client key (Section 5.2.7.2) |
| 2 | AS-REP Ticket and TGS-REP Ticket (includes TGS session key or application session key), encrypted with the service key (Section 5.3) |
| 3 | AS-REP encrypted part (includes TGS session key or application session key), encrypted with the client key (Section 5.4.2) |
| 4 | TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the TGS session key (Section 5.4.1) |
| 5 | TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the TGS authenticator subkey (Section 5.4.1) |
| 6 | TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed with the TGS session key (Section 5.5.1) |
| 7 | TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes TGS authenticator subkey), encrypted with the TGS session key (Section 5.5.1) |
| 8 | TGS-REP encrypted part (includes application session key), encrypted with the TGS session key (Section 5.4.2) |
| 9 | TGS-REP encrypted part (includes application session key), encrypted with the TGS authenticator subkey (Section 5.4.2) |
| 10 | AP-REQ Authenticator cksum, keyed with the application session key (Section 5.5.1) |
| 11 | AP-REQ Authenticator (includes application authenticator subkey), encrypted with the application session key (Section 5.5.1) |
| 12 | AP-REP encrypted part (includes application session subkey), encrypted with the application session key (Section 5.5.2) |
| 13 | KRB-PRIV encrypted part, encrypted with a key chosen by the application (Section 5.7.1) |
| 14 | KRB-CRED encrypted part, encrypted with a key chosen by the application (Section 5.8.1) |
| 15 | KRB-SAFE cksum, keyed with a key chosen by the application (Section 5.6.1) |
| 16-18 | Reserved for future use in Kerberos and related protocols |
| 19 | AD-KDC-ISSUED checksum (ad-checksum in 5.2.6.4) |
| 20-21 | Reserved for future use in Kerberos and related protocols |
| 22-25 | Reserved for use in the Kerberos Version 5 GSS-API mechanisms [RFC4121] |
| 26-511 | Reserved for future use in Kerberos and related protocols |
| 512-1023 | Reserved for uses internal to a Kerberos implementation |
| 1024 | Encryption for application use in protocols that do not specify key usage values |
| 1025 | Checksums for application use in protocols that do not specify key usage values |
| 1026-2047 | Reserved for application use |

This post is licensed under CC BY 4.0 by the author.