Lines Matching +full:inside +full:- +full:secure

4 :rfc:`6113` section 5.2 specifies a pa-data type PA-FX-COOKIE, which
6 pre-authentication.  The MIT krb5 KDC uses the following formats for
11 --------------------------
13 If there is no pre-authentication mechanism state information to save,
18 Secure cookie (version 1)
19 -------------------------
21 In release 1.14 and later, a secure cookie can be sent if there is any
22 mechanism state to save for the next request.  A secure cookie
26 * a four-byte big-endian kvno value
36     cookie-key <- random-to-key(PRF+(tgt-key, "COOKIE" | client-princ))
38 where **random-to-key** is the :rfc:`3961` random-to-key operation for
40 and ``|`` denotes concatenation.  *client-princ* is the request client
49         data     SEQUENCE OF PA-DATA,
56 each pre-authentication type which requires saved state.  For
59 relevant to a request by comparing the request pa-data types to the
63 -------------------------------
65 Inside the SecureCookie wrapper, a data value of type 151 contains
66 state for SPAKE pre-authentication.  This data is the concatenation of
69 * a two-byte big-endian version number with the value 1
70 * a two-byte big-endian stage number
71 * a four-byte big-endian group number
72 * a four-byte big-endian length and data for the SPAKE value
73 * a four-byte big-endian length and data for the transcript hash
75   - a four-byte big-endian second-factor type
76   - a four-byte big-endian length and data
84 For a stage-0 cookie, the SPAKE value is the KDC private key,
89 For a stage-0 cookie, the transcript hash is the intermediate hash
93 For a stage-0 cookie, there may be any number of second-factor
94 records, including none; a second-factor type need not create a state
95 field if it does not need one, and no record is created for SF-NONE.
96 For other cookies, there must be exactly one second-factor record