The Kerberos Network Authentication Service (V5)
RFC 1510

Document Type RFC - Historic (September 1993; Errata)
Obsoleted by RFC 4120, RFC 6649
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 1510 (Historic)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                            J. Kohl
Request for Comments: 1510                 Digital Equipment Corporation
                                                               C. Neuman
                                                                     ISI
                                                          September 1993

            The Kerberos Network Authentication Service (V5)

Status of this Memo

   This RFC specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" for the standardization state and status
   of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document gives an overview and specification of Version 5 of the
   protocol for the Kerberos network authentication system. Version 4,
   described elsewhere [1,2], is presently in production use at MIT's
   Project Athena, and at other Internet sites.

Overview

   Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos,
   Moira, and Zephyr are trademarks of the Massachusetts Institute of
   Technology (MIT).  No commercial use of these trademarks may be made
   without prior written permission of MIT.

   This RFC describes the concepts and model upon which the Kerberos
   network authentication system is based. It also specifies Version 5
   of the Kerberos protocol.

   The motivations, goals, assumptions, and rationale behind most design
   decisions are treated cursorily; for Version 4 they are fully
   described in the Kerberos portion of the Athena Technical Plan [1].
   The protocols are under review, and are not being submitted for
   consideration as an Internet standard at this time.  Comments are
   encouraged.  Requests for addition to an electronic mailing list for
   discussion of Kerberos, kerberos@MIT.EDU, may be addressed to
   kerberos-request@MIT.EDU.  This mailing list is gatewayed onto the
   Usenet as the group comp.protocols.kerberos.  Requests for further
   information, including documents and code availability, may be sent
   to info-kerberos@MIT.EDU.

Kohl & Neuman                                                   [Page 1]
RFC 1510                        Kerberos                  September 1993

Background

   The Kerberos model is based in part on Needham and Schroeder's
   trusted third-party authentication protocol [3] and on modifications
   suggested by Denning and Sacco [4].  The original design and
   implementation of Kerberos Versions 1 through 4 was the work of two
   former Project Athena staff members, Steve Miller of Digital
   Equipment Corporation and Clifford Neuman (now at the Information
   Sciences Institute of the University of Southern California), along
   with Jerome Saltzer, Technical Director of Project Athena, and
   Jeffrey Schiller, MIT Campus Network Manager.  Many other members of
   Project Athena have also contributed to the work on Kerberos.
   Version 4 is publicly available, and has seen wide use across the
   Internet.

   Version 5 (described in this document) has evolved from Version 4
   based on new requirements and desires for features not available in
   Version 4.  Details on the differences between Kerberos Versions 4
   and 5 can be found in [5].

Table of Contents

   1. Introduction .......................................    5
   1.1. Cross-Realm Operation ............................    7
   1.2. Environmental assumptions ........................    8
   1.3. Glossary of terms ................................    9
   2. Ticket flag uses and requests ......................   12
   2.1. Initial and pre-authenticated tickets ............   12
   2.2. Invalid tickets ..................................   12
   2.3. Renewable tickets ................................   12
   2.4. Postdated tickets ................................   13
   2.5. Proxiable and proxy tickets ......................   14
   2.6. Forwardable tickets ..............................   15
   2.7. Other KDC options ................................   15
   3. Message Exchanges ..................................   16
   3.1. The Authentication Service Exchange ..............   16
   3.1.1. Generation of KRB_AS_REQ message ...............   17
   3.1.2. Receipt of KRB_AS_REQ message ..................   17
   3.1.3. Generation of KRB_AS_REP message ...............   17
   3.1.4. Generation of KRB_ERROR message ................   19
   3.1.5. Receipt of KRB_AS_REP message ..................   19
   3.1.6. Receipt of KRB_ERROR message ...................   20
   3.2. The Client/Server Authentication Exchange ........   20
   3.2.1. The KRB_AP_REQ message .........................   20
   3.2.2. Generation of a KRB_AP_REQ message .............   20
   3.2.3. Receipt of KRB_AP_REQ message ..................   21
   3.2.4. Generation of a KRB_AP_REP message .............   23
Show full document text