Re: Microsoft credential cache for 802.1x authentication



My answer is actually an educated guess based on what I've seen in other MS
implementations. I suspect the data in the reg key is protected (encrypted)
using DPAPI and the user's password (from the LSA cache) for additional
entropy. That said, however it is stored in the registry it has to be
reversible encryption, not a hash, or it would not be able to use the MS
CHAP v2 in PEAP as the challenge is always different.

This means, to me, that it would be possible to pull the credentials from
the registry. This is the case with nearly all stored credentials.

Hope this helps a little,

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"Richard Edell" <Richard Edell@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A5960150-657F-473E-A8E2-9E5E20DE1CAD@xxxxxxxxxxxxxxxx
> We've got a proof-of-concept implementation of wireless 802.1x
> authentication (PEAP/EAP-MSCHAPv2) back-ended by an MIT Kerberos database.
> We'd like to use something like this to control access to our wireless and
> wired infrastructure, but we've hit a snag. It seems that Microsoft XP (and
> likely other MSFT operating systems) caches some form of end user
> credentials in the registry. (See MSFT knowledge base article #823731.)
> While this is great for usability ("I don't have to keep reauthenticating
> to the network"), I'm concerned that a future virus/worm/whatnot will
> exploit this registry data. (*)
>
> Does anyone here know the format of these binary-blobs stored under
> HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo ? Specifically, is
> the MD4 hash of the password stored in those binary-blobs? Is it further
> encrypted with some key & with what key?
>
> What have other institutions done with 802.1x authentication via
> PEAP/EAP-MSCHAPv2?
>
> Thank you,
> Richard Edell
>
>
> (*) Note: the 802.1x supplicant must know the MD4 hash of the user's
> password to perform authentication/reauthentication; and that hash value
> can be used to authenticate as the user. I suppose the best-case scenario,
> given that the MD4 hash of the user password is in the registry, is that
> this hash is encrypted with a key only known within the OS.
>
>