ARDP Security Context Format

This document reflects the implementation of the security context as of March 18, 1996. A current version of this document may be found via the ARDP home page, at URL http://gost.isi.edu/info/ardp. The current format is implemented in ardp_rec_security.c in the ARDP source distribution. The ARDP v1 protocol specification has a section describing how the security context is applied to an ARDP message.

The first four bytes of the security context are the length of the entire security context in bytes or octets. They represent a four-byte unsigned integer in network byte order. This count includes the four bytes that specify the length of the context.

The rest of the security context is composed of zero or more blocks. These blocks may cross packet boundaries. Each security context block starts with one byte, the service byte. The bits of the service byte are allocated as follows:

Bits of the Service Byte
Bit Number Meaning Additional Information
7 Criticality bit If this bit is set and the recipient either does not understand this security service and mechanism, or some aspect of processing it fails (e.g., unable to verify a checksum), then the recipient should refuse the message with ARDP option 9.
If the criticality bit is not set in a block of the security context, the context's recipient may ignore any part of that block that is not understood.
6 Me This block contains security context information that the originator generated.
5 You The recipient is requested to generate a security context block with this service and mechanism.
4--0 Service Code A numeric code representing a security service.

Bits of the Service Byte
Bit Number	Meaning	Additional Information
7	Criticality bit	If this bit is set and the recipient either does not understand this security service and mechanism, or some aspect of processing it fails (e.g., unable to verify a checksum), then the recipient should refuse the message with ARDP option 9. If the criticality bit is not set in a block of the security context, the context's recipient may ignore any part of that block that is not understood.
6	Me	This block contains security context information that the originator generated.
5	You	The recipient is requested to generate a security context block with this service and mechanism.
4--0	Service Code	A numeric code representing a security service.

The currently defined security services are PAYMENT, INTEGRITY, AUTHENTICATION, ENCRYPTION. and CLASS-OF-SERVICE.

Most security services can be performed by different algorithms or mechanisms. For example, authentication may be done, among other means, via Kerberos or via simple passwords (as FTP and TELNET do). The second octet of a security context block indicates the particular mechanism implementing the service specified by the first octet.

The numeric codes for security services and mechanisms are defined in the table below. They may also be seen in the ARDP source code, in ardp_sec.h.

The next four bytes are the length of the arguments to this block. This is an unsigned integer in network byte order. Some security contexts (especially ones being requested but not sent, where the you bit is set but the me bit is not) will have no arguments.

After this length count, that many bytes of arguments are present. The arguments and their format are interpreted by each security service and mechanism.

Defined Security Context Services and Mechanisms
Mechanism (value) Service (value) C Identifier Argument Format
INTEGRITY (2) INTEGRITY_CHECKSUM (0x01) integrity_checksum If the ME bit is set, the argument is four bytes long. It is the four-byte CRC checksum of the payload. If the ME bit is not set, the arguments field has zero length.
If the you bit is set, the sender expects that the response it receives will contain a 4-byte CRC checksum for the payload.
INTEGRITY (2) INTEGRITY_KERBEROS (0x22) integrity_kerberos From the client to the server, the argument is:

A four byte count in network byte order, x.
Next is an XXXXXX structure, as defined in the Kerberos v5 protocol spec. The XXXXXX structure is x bytes long. The XXXXXX structure is the same as the output of the Kerberos v5 library call krb5_mk_req().
Next is a Kerberos YYYYYY structure, the same as the output of krb5_mk_safe(). The length of the YYYYYY structure is implicitly encoded by the total length of the arguments minus x.

From the server to the client, the argument is:

A four-byte unsigned integer in network byte order, depends-on-authenticator-number.This is a reference to the Kerberos authenticator that was used to produce the krb5_mk_safe().
A four-byte count in network byte order, x.
Next is a Kerberos protocol ZZZZZZ structure. (Implementors: This structure is the same as the output of the Kerberos v5 library call krb5_mk_rep(), x bytes long.)
Next is a Kerberos protocol YYYYYY structure (Implementers: This is the output of krb5_mk_safe().)

AUTHENTICATION (3) AUTHENTICATION_KERBEROS (0x01) authentication_kerberos From the client to the server, the argument is the authenticator produced as the output of the krb5_mk_req() Kerberos library call. The length of the authenticator is known because it is the same as the length of the total argument.
The authenticator is all that is required for Kerberos authentication.
CLASS_OF_SERVICE (5) CLASS_OF_SERVICE_TAGS (0x00) class_of_service_tags The arguments are two null-terminated ASCII strings. They represent tag/value pairs. The first string is the name of the tag. The second is the tag's value.

Defined Security Context Services and Mechanisms
Mechanism (value)	Service (value)	C Identifier	Argument Format
INTEGRITY (2)	INTEGRITY_CHECKSUM (0x01)	`integrity_checksum`	If the ME bit is set, the argument is four bytes long. It is the four-byte CRC checksum of the payload. If the ME bit is not set, the arguments field has zero length. If the you bit is set, the sender expects that the response it receives will contain a 4-byte CRC checksum for the payload.
INTEGRITY (2)	INTEGRITY_KERBEROS (0x22)	`integrity_kerberos`	From the client to the server, the argument is: A four byte count in network byte order, x. Next is an XXXXXX structure, as defined in the Kerberos v5 protocol spec. The XXXXXX structure is x bytes long. The XXXXXX structure is the same as the output of the Kerberos v5 library call `krb5_mk_req()`. Next is a Kerberos YYYYYY structure, the same as the output of `krb5_mk_safe()`. The length of the YYYYYY structure is implicitly encoded by the total length of the arguments minus x. From the server to the client, the argument is: A four-byte unsigned integer in network byte order, depends-on-authenticator-number.This is a reference to the Kerberos authenticator that was used to produce the krb5_mk_safe(). A four-byte count in network byte order, x. Next is a Kerberos protocol ZZZZZZ structure. (Implementors: This structure is the same as the output of the Kerberos v5 library call `krb5_mk_rep()`, x bytes long.) Next is a Kerberos protocol YYYYYY structure (Implementers: This is the output of `krb5_mk_safe()`.)
AUTHENTICATION (3)	AUTHENTICATION_KERBEROS (0x01)	`authentication_kerberos`	From the client to the server, the argument is the authenticator produced as the output of the krb5_mk_req() Kerberos library call. The length of the authenticator is known because it is the same as the length of the total argument. The authenticator is all that is required for Kerberos authentication.
CLASS_OF_SERVICE (5)	CLASS_OF_SERVICE_TAGS (0x00)	`class_of_service_tags`	The arguments are two null-terminated ASCII strings. They represent tag/value pairs. The first string is the name of the tag. The second is the tag's value.

References

The Kerberos v5 protocol specification may be found in Internet RFC-QQQQQQ

Authors: Katia Obraczka <katia@ISI.EDU>; Steve Augart <swa@ISI.EDU>.