No, although an explanation of why the problem is hard and why in general you may not be able to solve it is in draft-ietf-krb-wg-kerberos-clarifications (successor to RFC 1510).
Thanks for the pointer... I have now found: Encryption and Checksum Specifications for Kerberos 5 (draft-ietf-krb-wg-crypto-07.txt). I like the way the standard was changed to agree with the implementations of DES string-to-key rather than the other way around!
Microsoft will expect you to encode things as UTF8. I don't know what your implementation actually does.
The clarified draft explicitly states that the input strings (password and salt) to string-to-key must be in UTF-8.
Careful here. The crypto document does require the use of UTF-8 encoding.
However, in the updated specification (as in RFC1510), these strings are actually restricted to 7-bit US-ASCII. Implementations which use non-ASCII characters (and most do) violate RFC1510. To the extent that this happens, these implementations are not interoperable -- to do the right thing with non-ASCII characters, you must know a priori what the implementation you're talking to will expect. There is an extensive discussion of this issue in section 5.2.1 of the kerberos-clarifications document.
Sam has explained what the existing (pre-kerberos-clarifications) Microsoft implemenetation will actually do -- it will expect you to encode all strings as UTF-8, and does not perform any normalization.
You haven't said what enctype the key in question is, or how you're determining whether you have the "right" key (what command or function are you using, and what error/exception do you get?).
Note that the salt string affects the output of the string-to-key operation, so if you don't use the right salt, you're not going to get the right key.
-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]> Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
