2.6.1 PAC_CREDENTIAL_INFO

The PAC_CREDENTIAL_INFO structure serves as the header for the credential information. The PAC_CREDENTIAL_INFO header indicates the encryption algorithm that was used to encrypt the data that follows it. The data that follows is an encrypted, IDL-serialized PAC_CREDENTIAL_DATA structure that contains the user's actual credentials. Note that this structure cannot be used by protocols other than the [MS-KILE] protocol; the encryption method relies on the encryption key currently in use by the Kerberos AS-REQ ([RFC4120] section 3.1 and [MS-KILE]) message.<9>

A PAC_CREDENTIAL_INFO structure contains the user's encrypted  credentials. The Key Usage Number [RFC4120] used in the encryption is KERB_NON_KERB_SALT (16) [MS-KILE] section 3.1.5.9. The encryption key used is the AS reply key. The PAC credentials buffer is included only when PKINIT [RFC4556] is used. Therefore, the AS reply key is derived based on PKINIT.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Version

EncryptionType

SerializedData (variable)

...

Version (4 bytes): A 32-bit unsigned integer in little-endian format that defines the version. MUST be 0x00000000.

EncryptionType (4 bytes): A 32-bit unsigned integer in little-endian format that indicates the Kerberos encryption type used to encode the SerializedData array. This value MUST be one of the following encryption types, which are a subset of the possible encryption types supported in Kerberos authentication (as specified in [RFC4120], [RFC4757], and [RFC4556]). Note that the Key Usage Number ([RFC4120] sections 4 and 7.5.1) is KERB_NON_KERB_SALT (16) [MS-KILE] section 3.1.5.9.<10>

Value

Meaning

0x00000001

Data Encryption Standard (DES) in cipher block chaining (CBC) mode with cyclic redundancy check (CRC).

0x00000003

DES in CBC mode with MD5.

0x00000011

AES128_CTS_HMAC_SHA1_96 (128-bit encryption key in clear to send (CTS) encryption mode with integrity check algorithm HMAC_SHA1_96).<11>

0x00000012

AES256_CTS_HMAC_SHA1_96 (256-bit encryption key in CTS encryption mode with integrity check algorithm HMAC_SHA1_96).<12>

0x00000017

RC4 with hashed message authentication code (HMAC) key.

SerializedData (variable): A variable length PAC_CREDENTIAL_DATA structure that contains credentials encrypted using the mechanism specified by the EncryptionType field. The byte array of encrypted data is computed according to the procedures specified in [RFC3961].