Key derivation with non-ASCII characters

Ken Raeburn raeburn at MIT.EDU
Thu Sep 9 12:02:45 EDT 2004

On Sep 8, 2004, at 09:14, Frank Taylor wrote:
> The client code is jKrb5 (from
> with a
> few fixes and additions).

Uh.  I'm not used to people picking stuff up out of my random 
development spaces, but okay...  I picked that up a while ago, IIRC 
it's related to the stonesoup java kerberos work.  I have no idea if 
it's current, if they're doing more work, if other people have bug 
fixes, etc.  My copy certainly shouldn't be considered an authoritative 

> 5) Summary
> It seems that our client code is correct w.r.t. to the draft Kerberos
> and crypto specs, however MS AD is producing/expecting different keys
> for non-7-bit-ASCII passwords even though the salt is the same.
> Any ideas on where to go next?

If no MS people answer promptly, I'd try a few other permutations.  
Perhaps UTF-16 encodings for the password, or password and salt, for 
the case where a non-ASCII character is found.


More information about the Kerberos mailing list