Microsoft credential cache for 802.1x authentication




We've got a proof-of-concept implementation of wireless 802.1x authentication
(PEAP/EAP-MSCHAPv2) back-ended by an MIT Kerberos database. We'd like to use
something like this to control access to our wireless and wired
infrastructure, but we've hit a snag. It seems that Microsoft XP (and likely
other MSFT operating systems) caches some form of end user credentials in the
registry. (See MSFT knowledge base article #823731.) While this is great for
usability ("I don't have to keep reauthenticating to the network"), I'm
concerned that a future virus/worm/whatnot will exploit this registry data.(*)

Does anyone here know the format of these binary-blobs stored under
HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo ? Specifically, is
the MD4 hash of the password stored in those binary-blobs? Is it further
encrypted with some key & with what key?

What have other institutions done with 802.1x authentication via
PEAP/EAP-MSCHAPv2?

Thank you,
Richard Edell


(*) Note: the 802.1x supplicant must know the MD4 hash of the user's
password to perform authentication/reauthentication; and that hash value can
be used to authenticate as the user. I suppose the best-case scenario, given
that the MD4 hash of the user password is in the registry, is that this hash
is encrypted with a key only known within the OS.

