Microsoft credential cache for 802.1x authentication

Microsoft credential cache for 802.1x authentication

Post by UmljaGFyZC » Wed, 18 May 2005 05:54:09

We've got a proof-of-concept implementation of wireless 802.1x authentication
(PEAP/EAP-MSCHAPv2) back-ended by an MIT Kerberos database. We'd like to use
something like this to control access to our wireless and wired
infrastructure, but we've hit a snag. It seems that Microsoft XP (and likely
other MSFT operating systems) caches some form of end user credentials in the
registry. (See MSFT knowledge base article #823731.) While this is great for
usability ("I don't have to keep reauthenticating to the network"), I'm
concerned that a future virus/worm/whatnot will exploit this registry data.(*)

Does anyone here know the format of these binary-blobs stored under
HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo ? Specifically, is
the MD4 hash of the password stored in those binary-blobs? Is it further
encrypted with some key & with what key?

What have other institutions done with 802.1x authentication via

Thank you,
Richard Edell

(*) Note: the 802.1x supplicant must know the MD4 hash of the user's
password to perform authentication/reauthentication; and that hash value can
be used to authenticate as the user. I suppose the best-case scenario, given
that the MD4 hash of the user password is in the registry, is that this hash
is encrypted with a key only known within the OS.

Microsoft credential cache for 802.1x authentication

Post by Mark Gamac » Sat, 11 Jun 2005 03:37:47

My answer is actually an educated guess based on what I've seen in other MS
implementations. I suspect the data in the reg key is protected (encrypted)
using DPAPI and the user's password (from the LSA cache) for additional
entropy. That said, however it is stored in the registry, it has to be
reversible encryption, not a hash, or it would not be able to use MS
CHAP v2 in PEAP, as the challenge is always different.

This means, to me, that it would be possible to pull the credentials from
the registry. This is the case with nearly all stored credentials.

Hope this helps a little,

Mark Gamache
Certified Security Solutions
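An added example, not from either post: the MS-CHAPv2 NT-Response computation as specified in RFC 2759, written in Go against the RFC's own published test vector. It illustrates the point both posts make: the supplicant needs only the 16-byte NT hash (MD4 of the UTF-16LE password) to answer each fresh challenge, so whatever the UserEapInfo blob holds must be recoverable to that hash (or the password) rather than a one-way derivative of it, and any protection has to come from how the blob is encrypted. The blob format itself is not modelled, since the thread does not establish it.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// desKeyFrom7 spreads 56 key bits over 8 bytes, low (parity) bit clear; DES ignores parity.
func desKeyFrom7(k7 []byte) []byte {
	var acc uint64
	for _, b := range k7 {
		acc = acc<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k8[i] = byte(acc<<1) & 0xFE
		acc >>= 7
	}
	return k8
}

// ntResponse is GenerateNTResponse() (RFC 2759 section 8.1); its only secret input is the NT hash.
func ntResponse(ntHash, authChallenge, peerChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	challenge := h.Sum(nil)[:8] // ChallengeHash(), RFC 2759 section 8.2
	// Zero-pad the hash to 21 bytes = three 7-byte DES keys; each encrypts the challenge.
	padded := make([]byte, 21)
	copy(padded, ntHash)
	var out []byte
	for i := 0; i < 21; i += 7 {
		block, _ := des.NewCipher(desKeyFrom7(padded[i : i+7])) // key is always 8 bytes, so no error
		enc := make([]byte, 8)
		block.Encrypt(enc, challenge)
		out = append(out, enc...)
	}
	return out
}

func main() {
	// Test vector from RFC 2759 section 9.2 (user "User", password "clientPass").
	ntHash, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE")
	authChal, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peerChal, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	fmt.Printf("NT-Response: %X\n", ntResponse(ntHash, authChal, peerChal, "User"))
}
```

The password never enters the computation after the hash is formed, which is why Mark's observation holds: a cache that only stored a further one-way digest of the hash could not produce a valid response to a new challenge.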