How can I view the authenticated and encrypted keys used in Win2k?

After IKE negotiation, how can I view the keys used by IPsec for authentication and encryption algorithm in Win2k?
I'm not sure what you are asking here. You seem to be saying you would like to identify the session keys used during IPsec for Phase II or Quick Mode, as well as the authentication keys. Do you want to be able to know the key? Are you thinking "How easy would it be for an attacker to determine these keys and thus use them in an attack?" You also ask about authentication keys. As you know, multiple keys are involved. Let's talk about authentication first.

IKE Main Mode authentication can be with Kerberos, certificates or a shared key. If Kerberos is selected, it's the computer password that is used. An encrypted copy of the password is stored in the Kerberos database on every domain controller. I know of no attack which can determine this key. Even the famed "L0phtCrack" (now produced as LC4) does not crack computer account passwords.

The computer keeps another encrypted copy of this password in the LSA secrets. If authentication is with certificates, each computer will have to have a certificate.

As is normal, the public key of the key pair is stored with the certificate in the local computer certificate store. You can use the MMC snap-in "Certificates" to examine the certificates and import/export certificates and private keys.

If the authentication is by shared secret, you can view the secret by viewing the IPsec policy. It can also be viewed by using troubleshooting tools. KB articles Q257225 and Q259335 provide more information on troubleshooting tools.

You also ask about the keys used for encryption. As you know, a master key is created during Phase I or Main Mode. This key is never passed across the network, but is used in Phase II or Quick Mode to generate the session keys. Depending on the settings in the IPsec policy, the master key may be regenerated during or after multiple sessions, for each session, or within the session. Session keys are also generated depending on settings in the policy. These keys are not viewable; they are not passed across the network and thus cannot be captured. I am unaware of any attack that recovers these keys from the computer and thus makes them "viewable."
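The master-key and session-key relationship described in the last paragraph, as an added example that is not part of the original answer and is not Windows code: it follows the standard IKEv1 derivation (RFC 2409) and shows both peers arriving at the same Quick Mode keys from values that never cross the network. Assumptions: shared-key authentication, HMAC-SHA1 as the prf, a constructed toy Diffie-Hellman group, and the function names `master_key`, `keymat` and `demo`.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # constructed toy DH group, NOT a real Oakley/MODP group
ESP = 3                # IPsec DOI protocol ID for ESP

def prf(key, data):
    # RFC 2409 prf; HMAC-SHA1 assumed as the negotiated hash
    return hmac.new(key, data, hashlib.sha1).digest()

def master_key(psk, ni, nr, g_xy, cky_i, cky_r):
    # Main Mode, shared-key auth: SKEYID = prf(psk, Ni_b | Nr_b)
    skeyid = prf(psk, ni + nr)
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0); computed locally, never sent
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")

def keymat(skeyid_d, protocol, spi, ni, nr, length, g_qm_xy=b""):
    # Quick Mode: K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b),
    # Kn = prf(SKEYID_d, Kn-1 | same seed); g(qm)^xy is present only with PFS
    seed = g_qm_xy + bytes([protocol]) + spi + ni + nr
    out, block = b"", b""
    while len(out) < length:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]

def demo():
    psk = b"constructed-shared-secret"          # sample value, constructed
    x = secrets.randbelow(P - 2) + 1            # initiator DH private value
    y = secrets.randbelow(P - 2) + 1            # responder DH private value
    gx, gy = pow(G, x, P), pow(G, y, P)         # only gx and gy go on the wire
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    enc = lambda n: n.to_bytes(16, "big")
    init = master_key(psk, ni, nr, enc(pow(gy, x, P)), cky_i, cky_r)
    resp = master_key(psk, ni, nr, enc(pow(gx, y, P)), cky_i, cky_r)
    spi = secrets.token_bytes(4)
    qm1 = (secrets.token_bytes(16), secrets.token_bytes(16))  # Quick Mode nonces
    qm2 = (secrets.token_bytes(16), secrets.token_bytes(16))  # a later Quick Mode
    # 44 bytes: 24 for a 3DES key plus 20 for an HMAC-SHA1 key
    k_init = keymat(init, ESP, spi, *qm1, 44)
    k_resp = keymat(resp, ESP, spi, *qm1, 44)
    k_next = keymat(init, ESP, spi, *qm2, 44)   # same master key, new session keys
    return k_init, k_resp, k_next

if __name__ == "__main__":
    a, b, c = demo()
    print("peers agree:", a == b, "| rekeyed session differs:", a != c)
```

An observer who captures the nonces, cookies, SPI and public DH values still lacks g^xy, so the derivation cannot be repeated from a network trace alone.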
