<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>KDC cookie format — MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '1.15.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
<link rel="up" title="Protocols and file formats" href="index.html" />
<link rel="next" title="MIT Kerberos features" href="../mitK5features.html" />
<link rel="prev" title="Keytab file format" href="keytab_file_format.html" />
</head>
<body role="document">
<div class="header-wrapper">
<div class="header">
<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="keytab_file_format.html" title="Keytab file format"
accesskey="P">previous</a> |
<a href="../mitK5features.html" title="MIT Kerberos features"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__KDC cookie format">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="kdc-cookie-format">
<h1>KDC cookie format<a class="headerlink" href="#kdc-cookie-format" title="Permalink to this headline">¶</a></h1>
<p><span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a> section 5.2 specifies a pa-data type PA-FX-COOKIE, which
clients are required to reflect back to the KDC during
pre-authentication. The MIT krb5 KDC uses the following formats for
cookies.</p>
<div class="section" id="trivial-cookie-version-0">
<h2>Trivial cookie (version 0)<a class="headerlink" href="#trivial-cookie-version-0" title="Permalink to this headline">¶</a></h2>
<p>If there is no pre-authentication mechanism state information to save,
a trivial cookie containing the value “MIT” is used. A trivial cookie
is needed to indicate that the conversation can continue.</p>
</div>
<div class="section" id="secure-cookie-version-1">
<h2>Secure cookie (version 1)<a class="headerlink" href="#secure-cookie-version-1" title="Permalink to this headline">¶</a></h2>
<p>In release 1.14 and later, a secure cookie can be sent if there is any
mechanism state to save for the next request. A secure cookie
contains the concatenation of the following:</p>
<ul class="simple">
<li>the four bytes “MIT1”</li>
<li>a four-byte big-endian kvno value</li>
<li>an <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3961.html"><strong>RFC 3961</strong></a> ciphertext</li>
</ul>
<p>The ciphertext is encrypted in the cookie key with key usage
number 513. The cookie key is derived from a key in the local krbtgt
principal entry for the realm (e.g. <code class="docutils literal"><span class="pre">krbtgt/KRBTEST.COM@KRBTEST.COM</span></code>
if the request is to the <code class="docutils literal"><span class="pre">KRBTEST.COM</span></code> realm). The first krbtgt key
for the indicated kvno value is combined with the client principal as
follows:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">cookie</span><span class="o">-</span><span class="n">key</span> <span class="o"><-</span> <span class="n">random</span><span class="o">-</span><span class="n">to</span><span class="o">-</span><span class="n">key</span><span class="p">(</span><span class="n">PRF</span><span class="o">+</span><span class="p">(</span><span class="n">tgt</span><span class="o">-</span><span class="n">key</span><span class="p">,</span> <span class="s2">"COOKIE"</span> <span class="o">|</span> <span class="n">client</span><span class="o">-</span><span class="n">princ</span><span class="p">))</span>
</pre></div>
</div>
<p>where <strong>random-to-key</strong> is the <span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3961.html"><strong>RFC 3961</strong></a> random-to-key operation for
the krbtgt key’s encryption type, <strong>PRF+</strong> is defined in <span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a>,
and <code class="docutils literal"><span class="pre">|</span></code> denotes concatenation. <em>client-princ</em> is the request client
principal name with realm, marshalled according to <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc1964.html"><strong>RFC 1964</strong></a> section
2.1.1.</p>
<p>The plain text of the encrypted part of a cookie is the DER encoding
of the following ASN.1 type:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">SecureCookie</span> <span class="p">::</span><span class="o">=</span> <span class="n">SEQUENCE</span> <span class="p">{</span>
<span class="n">time</span> <span class="n">INTEGER</span><span class="p">,</span>
<span class="n">data</span> <span class="n">SEQUENCE</span> <span class="n">OF</span> <span class="n">PA</span><span class="o">-</span><span class="n">DATA</span><span class="p">,</span>
<span class="o">...</span>
<span class="p">}</span>
</pre></div>
</div>
<p>The time field represents the cookie creation time; for brevity, it is
encoded as an integer giving the POSIX timestamp rather than as an
ASN.1 GeneralizedTime value. The data field contains one element for
each pre-authentication type which requires saved state. For
mechanisms which have separate request and reply types, the request
type is used; this allows the KDC to determine whether a cookie is
relevant to a request by comparing the request pa-data types to the
cookie data types.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">KDC cookie format</a><ul>
<li><a class="reference internal" href="#trivial-cookie-version-0">Trivial cookie (version 0)</a></li>
<li><a class="reference internal" href="#secure-cookie-version-1">Secure cookie (version 1)</a></li>
</ul>
</li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Protocols and file formats</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li>
<li class="toctree-l2"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">KDC cookie format</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.15.1</i><br />
© <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="keytab_file_format.html" title="Keytab file format"
>previous</a> |
<a href="../mitK5features.html" title="MIT Kerberos features"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
<a href="../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__KDC cookie format">feedback</a>
</div>
</div>
</div>
</body>
</html>
distrib
>
Mageia
>
6
>
x86_64
>
media
>
core-updates
>
by-pkgid
>
4c7d3d98a00376c49e0d408dc27ffab8
>
files
>
119
