[174] in Kerberos_V5_Development
TGS_REQ, AP_REQ, chickens, and eggs.
wesommer@ATHENA.MIT.EDU
Mon Feb 5 15:19:28 1990
There's a chicken and egg problem of sorts with the current ASN.1
encoding of the TGS request, which I discovered when attempting to
write code which generates one.
The TGS request starts with a normal application request, presumably
generated with krb5_mk_req or krb5_mk_req_extended. It contains an
encrypted authenticator, which contains an application checksum. In
this case, the "application" is the ticket granting service, and the
checksum should be a checksum of the rest of the tgs request.
You can't checksum an arbitrary data structure; you can only checksum
a byte stream, so you have to do the checksum *after* encoding the TGS
request. But the checksum is part of the as_request, which is the
first field of the TGS request.
I'd redefine the TGS-REQ as follows:
TGS-REQ ::= [APPLICATION 5] SEQUENCE {
    authenticator[0]    OCTET STRING,
    tgs_request[1]      OCTET STRING    -- containing encoded TGS-REQ-1
}

TGS-REQ-1 ::= SEQUENCE {
    pvno[0]             INTEGER,
    msg-type[1]         INTEGER,
    kdc-options[2]      KDCOptions,
    from[3]             UTCTime,
    till[4]             UTCTime,
    rtime[5]            UTCTime OPTIONAL,
    ctime[6]            UTCTime,
    etype[7]            INTEGER,        -- EncryptionType
    sname[8]            PrincipalName,
    addresses[9]        HostAddresses,
    enc-part[10]        EncryptedData OPTIONAL  -- EncTgsReqPart
}
Note that this would not have been a problem to do had we not been
using ASN.1.
- Bill
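The following is an added example, not part of Bill's message and not code from the MIT Kerberos sources. It builds the two-level layout proposed above with a minimal DER encoder, so the order of operations the message asks for is visible: encode TGS-REQ-1 first, checksum those exact octets, then build the authenticator and place it beside the encoded body as a sibling OCTET STRING. The receiver verifies over the octets it received rather than re-encoding a decoded structure. Several things are stand-ins and assumptions: HMAC-SHA256 takes the place of the Kerberos application checksum, the authenticator is a toy unencrypted SEQUENCE that carries only the checksum (no AP-REQ, no ticket, no encryption), and the msg-type value, name-type value, the sample session key and the subset of TGS-REQ-1 fields are illustrative only.

```python
"""Added example (not from Bill's message or the MIT Kerberos sources):
a minimal DER encoder/decoder for the proposed TGS-REQ layout.  TGS-REQ-1 is
encoded first, the checksum is computed over those exact octets, and only then
is the authenticator built and placed beside the body.  Assumptions: HMAC-SHA256
stands in for the application checksum; the authenticator is a toy unencrypted
SEQUENCE holding only the checksum; msg-type 12, name-type 1 and the field
subset are illustrative."""
import hashlib
import hmac


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):        # non-negative INTEGER (leading 0x00 added when needed)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_octets(b):     # OCTET STRING
    return tlv(0x04, b)

def der_utctime(s):    # UTCTime, e.g. "900205201928Z"
    return tlv(0x17, s.encode("ascii"))

def der_general(s):    # GeneralString (ASCII only here)
    return tlv(0x1B, s.encode("ascii"))

def der_seq(*items):   # SEQUENCE
    return tlv(0x30, b"".join(items))

def ctx(n, content):   # [n] context-specific, constructed (EXPLICIT tagging)
    return tlv(0xA0 | n, content)

def app(n, content):   # [APPLICATION n], constructed
    return tlv(0x60 | n, content)


def encode_tgs_req_1(till, ctime, etype, sname):
    """Encode a subset of the proposed TGS-REQ-1; kdc-options, from, rtime,
    addresses and enc-part are omitted from this illustration."""
    principal = der_seq(ctx(0, der_int(1)),                          # name-type
                        ctx(1, der_seq(*map(der_general, sname))))   # name-string
    return der_seq(ctx(0, der_int(5)),            # pvno
                   ctx(1, der_int(12)),           # msg-type (value assumed)
                   ctx(4, der_utctime(till)),
                   ctx(6, der_utctime(ctime)),
                   ctx(7, der_int(etype)),
                   ctx(8, principal))             # sname


def checksum(key, data):
    """Stand-in for the application checksum: a keyed MAC over the octets sent."""
    return hmac.new(key, data, hashlib.sha256).digest()


def build_tgs_req(key, body):
    """The body is already encoded, so it can be checksummed now, and the
    checksum lands in a sibling field instead of inside the checksummed data."""
    authenticator = der_seq(ctx(0, der_octets(checksum(key, body))))
    return app(5, der_seq(ctx(0, der_octets(authenticator)),
                          ctx(1, der_octets(body))))


def parse_tlv(buf, pos=0):
    """Return (tag, content, position just after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def verify_tgs_req(key, msg):
    """Return the TGS-REQ-1 octets if the checksum verifies, else None.
    The MAC is checked over the received octets as-is: decoding and then
    re-encoding the body would reintroduce the ordering problem."""
    try:
        tag, outer, end = parse_tlv(msg)
        if tag != 0x65 or end != len(msg):           # [APPLICATION 5], exact length
            return None
        tag, seq, _ = parse_tlv(outer)
        t0, auth_field, pos = parse_tlv(seq)
        t1, body_field, pos = parse_tlv(seq, pos)
        if tag != 0x30 or (t0, t1) != (0xA0, 0xA1) or pos != len(seq):
            return None
        _, authenticator, _ = parse_tlv(auth_field)  # unwrap OCTET STRING
        _, body, _ = parse_tlv(body_field)
        _, aseq, _ = parse_tlv(authenticator)        # toy authenticator SEQUENCE
        _, cks_field, _ = parse_tlv(aseq)
        _, cks, _ = parse_tlv(cks_field)
    except IndexError:                               # truncated or malformed input
        return None
    return body if hmac.compare_digest(cks, checksum(key, body)) else None


if __name__ == "__main__":
    key = bytes(range(16))                           # constructed session key
    body = encode_tgs_req_1("900205201928Z", "900205151928Z", 1,
                            ["krbtgt", "ATHENA.MIT.EDU"])
    msg = build_tgs_req(key, body)
    print(len(msg), "bytes; verified:", verify_tgs_req(key, msg) == body)
```

Run as a script, it encodes a request for the krbtgt service, wraps it, and confirms the receiver recovers the body. The design point is the one the message makes: the checksum can only be computed once the bytes it covers exist, so it must live outside them, and the verifier should never reconstruct those bytes from a parsed structure.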