On Tue, Sep 01, 2009 at 06:40:01PM -0500, Nicolas Williams wrote:
> As far as I can tell from the _specs_, the answer is yes, empty
> passwords are supported for the 1DES, 3DES and AES enctypes (I didn't
> look at arcfour).

The relevant specs are:

 - RFC3961 for 1DES and 3DES enctypes (the password and salt are
   concatenated, then padded to a multiple of the right size)

 - RFCs 3962, 2898 and 2104 for AES enctypes (empty passwords work
   because HMAC allows empty keys, and the string-2-key function is
   PBKDF2 with HMAC-SHA-1 as the PRF)
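
The AES case described above, as an added example that is not part of the original message: HMAC (RFC 2104) and PBKDF2 (RFC 2898) written out to show that a zero-length password is just zero-padded key material, so the result depends only on the salt and iteration count. The salt value and the helper name aes256_pbkdf2_step are assumptions, and the final DK() step of RFC 3962 is omitted.

```python
import hashlib

BLOCK = 64  # SHA-1 block size in bytes (B in RFC 2104)

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC per RFC 2104; a zero-length key is simply padded to 64 zero bytes."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()

def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 per RFC 2898 section 5.2 with HMAC-SHA-1 as the PRF."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 ^ ... ^ U_c
        u = hmac_sha1(password, salt + block_index.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac_sha1(password, u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block_index += 1
    return out[:dklen]

# Constructed sample values (assumptions): a salt in realm + principal form
# and the RFC 3962 default of 4096 iterations.
SALT = b"EXAMPLE.COMalice"
ITERATIONS = 4096

def aes256_pbkdf2_step(password: bytes) -> bytes:
    """Hypothetical helper: only the PBKDF2 step of the AES string-to-key."""
    return pbkdf2_hmac_sha1(password, SALT, ITERATIONS, 32)

if __name__ == "__main__":
    # An empty password yields a well-formed 32-byte value, not an error.
    print("empty   :", aes256_pbkdf2_step(b"").hex())
    print("nonempty:", aes256_pbkdf2_step(b"x").hex())
```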