Caching domain logon credentials for EAP PEAP/MSCHAP authentication: Security considerations


Recently, I have been investigating the potential security implications of allowing Windows supplicants to use the user's domain credentials (login/password) to perform EAP/802.1X authentication with the wireless infrastructure. This article outlines my findings and explains the security implications to take into consideration when deploying PEAP/MSCHAP.


Windows logon in secured wireless networks

In a previous article, I explained the Windows logon process in wireless networks implementing 802.11. Basically, in order to gain network access, the wireless supplicant can be configured to use either the machine's credentials or the user's credentials. If user credentials are used, the supplicant can be configured with static login/password information, or it can be instructed to use the login/password information entered by the user at the winlogon login box.


Enabling Windows supplicants to re-use domain credentials

The re-use of domain credentials for EAP-PEAPv0/MSCHAPv2 authentication is enabled by checking the option “Automatically use my Windows logon name and password” when configuring the EAP-PEAPv0/MSCHAPv2 wireless authentication method (see image below).

Alternatively, it can be remotely configured using the Wireless Network Policies Extension.


How does the Windows supplicant obtain the user's domain credentials?

According to Microsoft “when the user interface is used to manually configure 802.1x authentication, binary data is stored in the following registry subkey: [HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\Interfaces\{guid}\1]. In addition, Microsoft cannot provide any guidance on creating or using the binary data at this location of the registry.”

So according to this, I assume that when the “Automatically use my Windows logon name and password” option is checked in the PEAPv0/MSCHAPv2 configuration settings, Windows stores the user's credentials in the above-mentioned registry entry for the EAP supplicant to use when it authenticates to the wireless network.

The security of this storage method cannot be assessed, since Microsoft does not say how this data is protected. It does not state whether the method is based on a standardized cryptographic algorithm, nor does it provide any security assurance regarding the possibility of user credentials being compromised when this feature is used.
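As an added example (not part of the original article), the following PowerShell audit script walks the registry location quoted above and reports, per network interface, whether a `\1` subkey with binary configuration data exists. The value names under that subkey are undocumented, so the script only lists name, type and size and makes no attempt to decode the contents; it assumes the path quoted from Microsoft and an elevated prompt.

```powershell
# Added example: audit the EAPOL per-interface registry location for stored
# 802.1X configuration blobs. Reports presence, type and size only; it does not
# decode the undocumented binary data. Run from an elevated PowerShell prompt.

$base = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces'

if (-not (Test-Path $base)) {
    Write-Output "No EAPOL interface parameters found under $base"
    return
}

# Map interface GUIDs to adapter names where possible, for readable output.
$adapters = @{}
Get-NetAdapter -ErrorAction SilentlyContinue | ForEach-Object {
    $adapters[$_.InterfaceGuid.ToLower()] = $_.Name
}

Get-ChildItem -Path $base | ForEach-Object {
    $guid = $_.PSChildName
    $name = if ($adapters.ContainsKey($guid.ToLower())) { $adapters[$guid.ToLower()] } else { '(unknown adapter)' }
    $sub  = Join-Path $_.PSPath '1'

    if (-not (Test-Path $sub)) {
        # No manual 802.1X configuration has been stored for this interface.
        Write-Output "$guid $name : no '\1' subkey present"
        return   # inside ForEach-Object, 'return' moves on to the next interface
    }

    $key = Get-Item -Path $sub
    foreach ($valueName in $key.GetValueNames()) {
        $kind  = $key.GetValueKind($valueName)
        $data  = $key.GetValue($valueName)
        $size  = if ($kind -eq 'Binary') { $data.Length } else { '-' }
        $label = if ($valueName -eq '') { '(default)' } else { $valueName }
        Write-Output ("{0} {1} : value '{2}' kind={3} bytes={4}" -f $guid, $name, $label, $kind, $size)
    }
}
```

A non-empty binary value under an interface's `\1` subkey indicates that an 802.1X profile was configured through the user interface on that machine; whether the blob contains cached credentials cannot be determined from its size alone.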


Conclusion

Security through obscurity has never been a good idea. As history has shown, malicious entities always end up cracking these obscure schemes. Once the storage encryption method of the cached credentials is discovered, user-space programs will be able to extract the login/password credentials from the registry, and whole IT systems may become compromised.

It is worth noting that in Windows Vista, the new Wireless Single Sign On process with user credentials performs wireless authentication with user credentials before the Windows logon process. It is not clear whether the user credentials are left in the cache after the user session is initiated.

