4.4 AES 128 Key Creation

The following values are used during AES 128 key creation:

User or computer password:

 0000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................ 
 0000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 0000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 0000030: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 0000040: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 0000050: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 0000060: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 0000070: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 0000080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 0000090: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 00000a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 00000b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 00000c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 00000d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................  
 00000e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................

Salt:

 0000000: 44 00 4f 00 4d 00 41 00 49 00 4e 00 2e 00 43 00   D•O•M•A•I•N•.•C•
 0000010: 4f 00 4d 00 68 00 6f 00 73 00 74 00 63 00 6c 00   O•M•h•o•s•t•c•l•
 0000020: 69 00 65 00 6e 00 74 00 2e 00 64 00 6f 00 6d 00   i•e•n•t•.•d•o•m•
 0000030: 61 00 69 00 6e 00 2e 00 63 00 6f 00 6d 00         a•i•n•.•c•o•m•

IterationCount:

 0000000: 00 00 00 00 00 00 03 e8                           ........

The AES 128 key is created by first converting the password from a Unicode (UTF16) string to a UTF8 string ([UNICODE], chapter 3.9).

UTF8String:

 0000000: ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef   ................
 0000010: bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf   ................
 0000020: bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf   ................
 0000030: ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef   ................
 0000040: bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf   ................
 0000050: bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf   ................
 0000060: ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef   ................
 0000070: bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf   ................
 0000080: bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf   ................
 0000090: ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef   ................
 00000a0: bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf   ................
 00000b0: bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf   ................
 00000c0: ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef   ................
 00000d0: bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf   ................
 00000e0: bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf   ................
 00000f0: ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef   ................
 0000100: bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf   ................
 0000110: bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf   ................
 0000120: ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef   ................
 0000130: bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf   ................
 0000140: bf ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf   ................
 0000150: ef bf bf ef bf bf ef bf bf ef bf bf ef bf bf ef   ................
 0000160: bf bf ef bf bf ef bf bf                           ........ 

The salt is converted from a Unicode (UTF16) string to a UTF8 string ([UNICODE] section 3.9).

UTF8Salt:

 0000000: 44 4f 4d 41 49 4e 2e 43 4f 4D 68 6f 73 74 63 6c   DOMAIN.COMhostcl
 0000010: 69 65 6e 74 2e 64 6f 6d 61 69 6e 2e 63 6f 6d      ient.domain.com

Next, the UTF8 string is converted to the key ([RFC3962] section 4). When calculating the AES base 128 key, using the values above, then random2key(PBKDF2(UTF8String, UTF8Salt, IterationCount, 128)) is:

 0000000: c7 73 0d aa 23 52 1b c1 6a b8 3c be e3 b3 7f 41   .s..#R..j.<....A

The Kerberos key is then created using the AES 128 key above in DK(AES 128 key, "kerberos") ([RFC3962] section 4).

This results in a 128-bit key:

 0000000: b8 2e e1 22 53 1c 2d 94 82 1a c7 55 bc cb 58 79   ..."S.-....U..Xy