Connected: An Internet Encyclopedia
5.3.2. Authenticators

Up: Connected: An Internet Encyclopedia
Up: Requests For Comments
Up: RFC 1510
Up: 5. Message Specifications
Up: 5.3. Tickets and Authenticators
Prev: 5.3.1. Tickets
Next: 5.4. Specifications for the AS and TGS exchanges

5.3.2. Authenticators

5.3.2. Authenticators

An authenticator is a record sent with a ticket to a server to certify the client's knowledge of the encryption key in the ticket, to help the server detect replays, and to help choose a "true session key" to use with the particular session. The encoding is encrypted in the ticket's session key shared by the client and the server:

-- Unencrypted authenticator
Authenticator ::=    [APPLICATION 2] SEQUENCE    {
               authenticator-vno[0]          INTEGER,
               crealm[1]                     Realm,
               cname[2]                      PrincipalName,
               cksum[3]                      Checksum OPTIONAL,
               cusec[4]                      INTEGER,
               ctime[5]                      KerberosTime,
               subkey[6]                     EncryptionKey OPTIONAL,
               seq-number[7]                 INTEGER OPTIONAL,
               authorization-data[8]         AuthorizationData OPTIONAL


This field specifies the version number for the format of the authenticator. This document specifies version 5.

crealm and cname

These fields are the same as those described for the ticket in section 5.3.1.


This field contains a checksum of the the application data that accompanies the KRB_AP_REQ.


This field contains the microsecond part of the client's timestamp. Its value (before encryption) ranges from 0 to 999999. It often appears along with ctime. The two fields are used together to specify a reasonably accurate timestamp.


This field contains the current time on the client's host.


This field contains the client's choice for an encryption key which is to be used to protect this specific application session. Unless an application specifies otherwise, if this field is left out the session key from the ticket will be used.


This optional field includes the initial sequence number to be used by the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to detect replays (It may also be used by application specific messages). When included in the authenticator this field specifies the initial sequence number for messages from the client to the server. When included in the AP-REP message, the initial sequence number is that for messages from the server to the client. When used in KRB_PRIV or KRB_SAFE messages, it is incremented by one after each message is sent.

For sequence numbers to adequately support the detection of replays they should be non-repeating, even across connection boundaries. The initial sequence number should be random and uniformly distributed across the full space of possible sequence numbers, so that it cannot be guessed by an attacker and so that it and the successive sequence numbers do not repeat other sequences.


This field is the same as described for the ticket in section 5.3.1. It is optional and will only appear when additional restrictions are to be placed on the use of a ticket, beyond those carried in the ticket itself.

Next: 5.4. Specifications for the AS and TGS exchanges

Connected: An Internet Encyclopedia
5.3.2. Authenticators