The KRB_SAFE message contains user data along with a collision-proof checksum keyed with the session key. The message fields are:
KRB-SAFE ::= [APPLICATION 20] SEQUENCE { pvno[0] INTEGER, msg-type[1] INTEGER, safe-body[2] KRB-SAFE-BODY, cksum[3] Checksum } KRB-SAFE-BODY ::= SEQUENCE { user-data[0] OCTET STRING, timestamp[1] KerberosTime OPTIONAL, usec[2] INTEGER OPTIONAL, seq-number[3] INTEGER OPTIONAL, s-address[4] HostAddress, r-address[5] HostAddress OPTIONAL }
These fields are described above in section 5.4.1. msg-type is KRB_SAFE.
This field is a placeholder for the body of the KRB-SAFE message. It is to be encoded separately and then have the checksum computed over it, for use in the cksum field.
This field contains the checksum of the application data. Checksum details are described in section 6.4. The checksum is computed over the encoding of the KRB-SAFE-BODY sequence.
This field is part of the KRB_SAFE and KRB_PRIV messages and contain the application specific data that is being passed from the sender to the recipient.
This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents are the current time as known by the sender of the message. By checking the timestamp, the recipient of the message is able to make sure that it was recently generated, and is not a replay.
This field is part of the KRB_SAFE and KRB_PRIV headers. It contains the microsecond part of the timestamp.
This field is described above in section 5.3.2.
This field specifies the address in use by the sender of the message.
This field specifies the address in use by the recipient of the message. It may be omitted for some uses (such as broadcast protocols), but the recipient may arbitrarily reject such messages. This field along with s-address can be used to help detect messages which have been incorrectly or maliciously delivered to the wrong recipient.