Ask the Expert

How can I view the authenticated and encrypted keys used in Win2k?

How can I view the authenticated and encrypted keys used in Win2k? After IKE negotiation, how can I view the keys used by IPsec for authentication and encryption algorithm in Win2k?
I'm not sure what you are asking here. You seem to be saying you would like to identify the session keys used during IPsec for Phase II or Quick Mode, as well as the authentication keys. Do you want to be able to know the key? Are you thinking "How easy would it be for an attacker to determine these keys and thus use them in an attack?" You also ask about authentication keys. As you know, multiple keys are involved. Let's talk about authentication first.

IKE Main Mode Authentication can be either with Kerberos, certificates or shared key. If Kerberos is selected, it's the computer password that is used. An encrypted copy of the password is stored in the Kerberos database on every domain controller. I know of no attack which can determine this key. Even the famed "L0phtCrack" (now produced as LC4) does not crack computer account passwords.

The computer keeps another encrypted copy of this password in the LSA secrets. If authentication is with certificates, each computer will have to have a certificate.

As is normal, the public key of the key pair is stored with the certificate in the local computer certificate store. You can use the MMC snap-in, "Certificates" to examine the certificates and import/export certificates and private keys. Click here for more information on certificate stores.

If the authentication is by shared secret, you can view the secret by viewing the IPsec policy. It can also be viewed by using troubleshooting tools. KB articles Q257225 and Q259335 provide more information on troubleshooting tools.

You also ask about the keys used for encryption. As you know, a master key is created during Phase I or Main Mode. This key is never passed across the network, but is used in Phase II or Quick Mode to generate the session keys. Depending on the settings in the IPsec policy, the master key may be regenerated during or after multiple sessions, for each session, or within the session. Session keys are also generated depending on settings in the policy. These keys are not viewable; they are not passed across the network and thus cannot be captured. I am unaware of any attack that recovers these keys from the computer and thus makes them "viewable."
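The master-key/session-key relationship the answer describes, as an added illustration that is not part of the original answer: the IKEv1 (RFC 2409) pre-shared-key derivation, written in Python. It assumes HMAC-SHA1 as the negotiated prf, no PFS in Quick Mode, and uses constructed sample nonces, cookies and SPI in place of a real negotiation; a party holding only the values that cross the wire, and not the shared secret or the Diffie-Hellman result, cannot reproduce the session key.

```python
import hashlib
import hmac

# IKEv1 (RFC 2409) key derivation with pre-shared-key authentication.
# prf is HMAC keyed with the negotiated hash; HMAC-SHA1 is assumed here.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def main_mode_keys(psk: bytes, gxy: bytes, wire: dict) -> dict:
    """Phase I / Main Mode. `wire` holds the values an observer can capture
    (nonces and cookies); psk and the DH secret gxy never cross the network."""
    skeyid = prf(psk, wire["ni"] + wire["nr"])
    ck = wire["cky_i"] + wire["cky_r"]
    skeyid_d = prf(skeyid, gxy + ck + b"\x00")              # master key for Phase II
    skeyid_a = prf(skeyid, skeyid_d + gxy + ck + b"\x01")   # IKE SA integrity key
    skeyid_e = prf(skeyid, skeyid_a + gxy + ck + b"\x02")   # IKE SA encryption key
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}

def quick_mode_keymat(skeyid_d: bytes, wire: dict, length: int = 20) -> bytes:
    """Phase II / Quick Mode without PFS: KEYMAT = K1 | K2 | ... where
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) and
    Kn = prf(SKEYID_d, Kn-1 | protocol | SPI | Ni_b | Nr_b)."""
    seed = wire["protocol"] + wire["spi"] + wire["ni_qm"] + wire["nr_qm"]
    block = prf(skeyid_d, seed)
    keymat = block
    while len(keymat) < length:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:length]

def session_key(psk: bytes, gxy: bytes, wire: dict) -> bytes:
    """What each peer computes: Main Mode master key, then the Quick Mode session key."""
    return quick_mode_keymat(main_mode_keys(psk, gxy, wire)["d"], wire)

# Constructed sample values standing in for a captured negotiation (not real traffic).
WIRE = {
    "ni": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "nr": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
    "cky_i": bytes.fromhex("0102030405060708"), "cky_r": bytes.fromhex("1112131415161718"),
    "protocol": b"\x03", "spi": bytes.fromhex("c0ffee01"),   # 3 = ESP in the IPsec DOI
    "ni_qm": bytes.fromhex("a0a1a2a3a4a5a6a7"), "nr_qm": bytes.fromhex("b0b1b2b3b4b5b6b7"),
}
PSK = b"constructed-shared-secret"                       # constructed, not a real secret
GXY = hashlib.sha256(b"constructed DH shared secret").digest()  # stands in for g^xy

if __name__ == "__main__":
    peer = session_key(PSK, GXY, WIRE)
    observer = session_key(b"", b"", WIRE)               # has only the on-wire values
    print("session key:", peer.hex())
    print("observer reproduces it:", observer == peer)
```

Windows' "master key PFS" policy setting corresponds to running the Main Mode derivation again rather than reusing SKEYID_d for further Quick Mode exchanges.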

This was first published in September 2002
