Key derivation with non-ASCII characters
Frank Taylor
FrankSTaylor at gmail.com
Wed Sep 1 10:20:00 EDT 2004
> No, although an explanation of why the problem is hard and why in
> general you may not be able to solve it is in
> draft-ietf-krb-wg-kerberos-clarifications (successor to RFC 1510).

Thanks for the pointer... I have now found: Encryption and Checksum
Specifications for Kerberos 5 (draft-ietf-krb-wg-crypto-07.txt). I
like the way the standard was changed to agree with the
implementations of DES string-to-key rather than the other way around!

> Microsoft will expect you to encode things as UTF8. I don't know what
> your implementation actually does.

The clarified draft explicitly states that the input strings (password
and salt) to string-to-key must be in UTF-8.

I have updated my string-to-key function to use UTF-8, but it still
does not generate the same keys as MS AD is expecting. Something else
must be going on. A different algorithm for passwords with
non-7-bit-ASCII characters (horrible!)?

The search continues...

Frank.
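
A diagnostic for the mismatch described in the message above, as an added example that is not part of the original post or of any Kerberos implementation: it lists the distinct byte strings that one password and salt turn into under several encodings and Unicode normalization forms, which is the input a string-to-key function actually sees. The password, the salt and the set of encodings tried are constructed assumptions; the output does not say which form a given KDC uses.

```python
import unicodedata

# Encodings to compare (an assumed, illustrative set)
ENCODINGS = ("utf-8", "latin-1", "cp1252", "cp850", "utf-16-le")

def candidate_inputs(password, salt):
    """Map 'normalization/encoding' -> bytes a string-to-key could be fed.

    None means the text cannot be represented in that encoding at all.
    """
    out = {}
    for form in ("NFC", "NFD"):
        text = unicodedata.normalize(form, password + salt)
        for enc in ENCODINGS:
            try:
                out[f"{form}/{enc}"] = text.encode(enc)
            except UnicodeEncodeError:
                out[f"{form}/{enc}"] = None
    return out

def distinct_groups(candidates):
    """Group labels by identical bytes; each group is a different
    string-to-key input."""
    groups = {}
    for label, data in candidates.items():
        if data is not None:
            groups.setdefault(data, []).append(label)
    return groups

def report(password, salt):
    """Print each distinct byte string with the labels that produce it."""
    groups = distinct_groups(candidate_inputs(password, salt))
    for data, labels in groups.items():
        print(f"{data.hex(' ')}  <- {', '.join(labels)}")
    return len(groups)

if __name__ == "__main__":
    SALT = "EXAMPLE.COMfrank"        # constructed salt, not from the post
    report("password", SALT)         # 7-bit ASCII: the 8-bit encodings agree
    report("p\u00e4ssword", SALT)    # one non-ASCII letter: they diverge
```

For a 7-bit ASCII password all the 8-bit encodings collapse to one byte string, which is why such passwords interoperate while a single accented letter does not.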