Key derivation with non-ASCII characters
jhutz at cmu.edu
Wed Sep 1 14:59:52 EDT 2004
On Wednesday, September 01, 2004 07:20:00 -0700 Frank Taylor
<FrankSTaylor at gmail.com> wrote:
>> No, although an explanation of why the problem is hard and why in
>> general you may not be able to solve it is in
>> draft-ietf-krb-wg-kerberos-clarifications (successor to RFC 1510).
> Thanks for the pointer... I have now found: Encryption and Checksum
> Specifications for Kerberos 5 (draft-ietf-krb-wg-crypto-07.txt). I
> like the way the standard was changed to agree with the
> implementations of DES string-to-key rather than the other way around!
>> Microsoft will expect you to encode things as UTF8. I don't know what
>> your implementation actually does.
> The clarified draft explicitly states that the input strings (password
> and salt) to string-to-key must be in UTF-8.
Careful here. The crypto document does require the use of UTF-8 encoding.
However, in the updated specification (as in RFC1510), these strings are
actually restricted to 7-bit US-ASCII. Implementations which use non-ASCII
characters (and most do) violate RFC1510. To the extent that this happens,
these implementations are not interoperable -- to do the right thing with
non-ASCII characters, you must know a priori what the implementation you're
talking to will expect. There is an extensive discussion of this issue in
section 5.2.1 of the kerberos-clarifications document.
Sam has explained what the existing (pre-kerberos-clarifications) Microsoft
implemenetation will actually do -- it will expect you to encode all
strings as UTF-8, and does not perform any normalization.
You haven't said what enctype the key in question is, or how you're
determining whether you have the "right" key (what command or function are
you using, and what error/exception do you get?).
Note that the salt string affects the output of the string-to-key
operation, so if you don't use the right salt, you're not going to get the
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
More information about the Kerberos