Key derivation with non-ASCII characters

Frank Taylor FrankSTaylor at
Wed Sep 1 10:20:00 EDT 2004

> No, although an explanation of why the problem is hard and why in
> general you may not be able to solve it is in
> draft-ietf-krb-wg-kerberos-clarifications (successor to RFC 1510).

Thanks for the pointer... I have now found: Encryption and Checksum
Specifications for Kerberos 5 (draft-ietf-krb-wg-crypto-07.txt). I
like the way the standard was changed to agree with the
implementations of DES string-to-key rather than the other way around!

> Microsoft will expect you to encode things as UTF8.  I don't know what
> your implementation actually does.

The clarified draft explicitly states that the input strings (password
and salt) to string-to-key must be in  UTF-8.

I have updated my string-to-key function to use UTF-8, but it still
does not generate the same keys as MS AD is expecting. Something else
must be going on. A different algorithm for passwords with
non-7-bit-ASCII characters (horrible!)?

The search continues...


More information about the Kerberos mailing list