2.6.1 PAC_CREDENTIAL_INFO
The PAC_CREDENTIAL_INFO structure is the header for the credential information. It records the encryption type used for the data that follows it, which is an encrypted, IDL-serialized PAC_CREDENTIAL_DATA structure holding the user's actual credentials. This structure is usable only by the [MS-KILE] protocol: the encryption relies on the key negotiated in the Kerberos AS exchange ([RFC4120] section 3.1 and [MS-KILE]), so no other protocol has the key needed to decrypt it.<13>
A PAC_CREDENTIAL_INFO structure contains the user's encrypted credentials. The Key Usage Number ([RFC4120]) used for the encryption is KERB_NON_KERB_SALT [16] ([MS-KILE] section 3.1.5.9), and the encryption key is the AS reply key. The PAC credentials buffer is included only when PKINIT [RFC4556] is used, so the AS reply key in question is the one derived from the PKINIT exchange rather than from the user's password. The practical consequence is that the confidentiality of the credentials rests entirely on that AS reply key: the client that completed PKINIT holds it, and so does anyone else who can recover it; the 8-byte PAC_CREDENTIAL_INFO header itself is not encrypted.
The PAC_CREDENTIAL_INFO structure is defined as follows.
```c
typedef struct _PAC_CREDENTIAL_INFO {
    ULONG Version;            /* MUST be 0x00000000 */
    ULONG EncryptionType;     /* Kerberos encryption type of SerializedData */
    UCHAR SerializedData[1];  /* variable-length, encrypted PAC_CREDENTIAL_DATA */
} PAC_CREDENTIAL_INFO, *PPAC_CREDENTIAL_INFO;
```
The format of the PAC_CREDENTIAL_INFO structure is defined as follows.
| 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
|---|
| Version |
| EncryptionType |
| SerializedData (variable) |
| ... |
Version (4 bytes): A 32-bit unsigned integer in little-endian format that defines the version. MUST be 0x00000000.
EncryptionType (4 bytes): A 32-bit unsigned integer in little-endian format that indicates the Kerberos encryption type used to encrypt the SerializedData array. This value MUST be one of the following encryption types, which are a subset of the encryption types supported in Kerberos authentication (as specified in [RFC4120], [RFC4757], and [RFC4556]). The Key Usage Number ([RFC4120] sections 4 and 7.5.1) is KERB_NON_KERB_SALT [16] ([MS-KILE] section 3.1.5.9).<14>
| Value | Meaning |
|---|---|
| 0x00000001 | Data Encryption Standard (DES) in cipher block chaining (CBC) mode with cyclic redundancy check (CRC). |
| 0x00000003 | DES in CBC mode with MD5. |
| 0x00000011 | AES128_CTS_HMAC_SHA1_96 (128-bit key, CBC with ciphertext stealing (CTS), integrity check HMAC_SHA1_96).<15> |
| 0x00000012 | AES256_CTS_HMAC_SHA1_96 (256-bit key, CBC with ciphertext stealing (CTS), integrity check HMAC_SHA1_96).<16> |
| 0x00000017 | RC4 with hashed message authentication code (HMAC) key. |
SerializedData (variable): A variable-length byte array holding a PAC_CREDENTIAL_DATA structure that has been IDL-serialized and then encrypted with the mechanism named by the EncryptionType field. The encrypted byte array is computed according to the procedures specified in [RFC3961] (for RC4-HMAC, [RFC4757]) with key usage 16 and the AS reply key; a consumer therefore decrypts first and only then NDR-decodes the PAC_CREDENTIAL_DATA.
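As an added worked example (not part of [MS-PAC] and not Microsoft code), the following Python parses a PAC_CREDENTIAL_INFO buffer, validates the Version and EncryptionType fields as the text above requires, and decrypts SerializedData under key usage 16 (KERB_NON_KERB_SALT) with the AS reply key. RC4-HMAC (0x17, [RFC4757]) is the type implemented here only because it can be built from the standard library; the AES types need a full [RFC3961] implementation and are rejected with an explicit error. The key, confounder and payload are constructed for the demonstration; a real SerializedData would be an NDR-encoded PAC_CREDENTIAL_DATA, which is treated as opaque bytes here.

```python
import hashlib
import hmac
import os
import struct

# Encryption types permitted in PAC_CREDENTIAL_INFO.EncryptionType (section 2.6.1).
ENCTYPES = {
    0x01: "DES_CBC_CRC",
    0x03: "DES_CBC_MD5",
    0x11: "AES128_CTS_HMAC_SHA1_96",
    0x12: "AES256_CTS_HMAC_SHA1_96",
    0x17: "RC4_HMAC",
}
KERB_NON_KERB_SALT = 16  # key usage for the PAC credential buffer ([MS-KILE] 3.1.5.9)


def parse_pac_credential_info(buf: bytes):
    """Split a PAC_CREDENTIAL_INFO buffer into (Version, EncryptionType, SerializedData).

    Rejects a short buffer, a non-zero Version, or an EncryptionType the spec does not allow.
    """
    if len(buf) < 8:
        raise ValueError("PAC_CREDENTIAL_INFO shorter than its 8-byte header")
    version, etype = struct.unpack_from("<II", buf, 0)  # both little-endian ULONGs
    if version != 0:
        raise ValueError(f"unsupported PAC_CREDENTIAL_INFO Version {version:#x}")
    if etype not in ENCTYPES:
        raise ValueError(f"EncryptionType {etype:#x} is not permitted in PAC_CREDENTIAL_INFO")
    return version, etype, buf[8:]


def _rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Adequate for decoding a buffer, not for new designs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 section 3: output = checksum || RC4(K3, confounder || plaintext).

    Usage 16 needs no remapping; the 4-byte little-endian usage is the HMAC "salt".
    """
    if confounder is None:
        confounder = os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    k3 = _hmac_md5(k1, checksum)
    return checksum + _rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt; fails closed if the integrity check does not match."""
    if len(ciphertext) < 24:  # 16-byte checksum + 8-byte confounder minimum
        raise ValueError("RC4-HMAC ciphertext too short")
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum, body = ciphertext[:16], ciphertext[16:]
    k3 = _hmac_md5(k1, checksum)
    data = _rc4(k3, body)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        raise ValueError("RC4-HMAC integrity check failed: wrong key, wrong usage, or tampered data")
    return data[8:]  # strip the confounder


def build_pac_credential_info(as_reply_key: bytes, etype: int, serialized: bytes, confounder: bytes = None) -> bytes:
    """Assemble a Version-0 PAC_CREDENTIAL_INFO (RC4-HMAC only in this example)."""
    if etype != 0x17:
        raise NotImplementedError("this example only encrypts with RC4_HMAC (0x17)")
    enc = rc4_hmac_encrypt(as_reply_key, KERB_NON_KERB_SALT, serialized, confounder)
    return struct.pack("<II", 0, etype) + enc


def decrypt_pac_credential_info(as_reply_key: bytes, buf: bytes) -> bytes:
    """Validate the header, then recover the IDL-serialized PAC_CREDENTIAL_DATA bytes."""
    _, etype, serialized = parse_pac_credential_info(buf)
    if etype != 0x17:
        raise NotImplementedError(f"{ENCTYPES[etype]} requires an RFC 3961 implementation not included here")
    return rc4_hmac_decrypt(as_reply_key, KERB_NON_KERB_SALT, serialized)


# Constructed sample: a fixed 16-byte stand-in for the AS reply key, a fixed confounder so the
# buffer is reproducible, and opaque bytes standing in for the NDR-encoded PAC_CREDENTIAL_DATA.
SAMPLE_KEY = bytes(range(16))
SAMPLE_CONFOUNDER = b"\x00\x11\x22\x33\x44\x55\x66\x77"
SAMPLE_CRED_DATA = b"\x01\x00\x00\x00" + b"<NDR PAC_CREDENTIAL_DATA placeholder>"
SAMPLE_BUFFER = build_pac_credential_info(SAMPLE_KEY, 0x17, SAMPLE_CRED_DATA, SAMPLE_CONFOUNDER)


def demo():
    version, etype, _ = parse_pac_credential_info(SAMPLE_BUFFER)
    plain = decrypt_pac_credential_info(SAMPLE_KEY, SAMPLE_BUFFER)
    return version, ENCTYPES[etype], plain == SAMPLE_CRED_DATA


if __name__ == "__main__":
    print(demo())
```

The integrity check is what a consumer should rely on: because the checksum is keyed with K1 derived from the AS reply key and usage 16, a buffer encrypted under a different key or usage, or modified in transit, is rejected before any NDR decoding of PAC_CREDENTIAL_DATA is attempted.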