Thanks for the details. I'll talk with our crypto guys to see why they don't support it.
Thanks Max On Sep 2, 2009, at 7:56 AM, Nicolas Williams wrote: > On Tue, Sep 01, 2009 at 06:40:01PM -0500, Nicolas Williams wrote: >> As far as I can tell from the _specs_, the answer is yes, empty >> passwords are supported for the 1DES, 3DES and AES enctypes (I didn't >> look at arcfour). > > The relevant specs are: > > - RFC3961 for 1DES and 3DES enctypes (the password and salt are > concatenated, then padded to a multiple of the right size) > > - RFCs 3962, 2898 and 2104 for AES enctypes (empty passwords work > because HMAC allows empty keys, and the string-2-key function is > PBKDF2 with HMAC-SHA-1 as the PRF)
