
Re: pptp vpn



Patrick Hsieh <pahud@ezplay.tv> writes:
> 
> 1. Is pptp+mppe any insecure? Why? Since the pptpd server can force the 
> connection to use mppe encryption with the client. How come pptp+mppe is 
> insecure? Is it because the encryption algorithm or lack of the public key 
> infrastructure?

For a good critical review of PPTP security, see:

        http://www.counterpane.com/pptp.html

In short, Microsoft's original implementation of PPTP had numerous,
very serious flaws both in the authentication (MS-CHAP) and encryption
(MPPE) protocols that could allow it to be easily compromised in
several different ways.

In an upgraded implementation, Microsoft introduced a new
authentication protocol MS-CHAPv2 and fixed some of the problems with
MPPE (when it's used with the new authentication protocol and in
"stateless" mode).  Unfortunately, serious flaws still remain:

- Data packets are encrypted using an OFB stream cipher and not
  authenticated in any way, making them susceptible to simple
  bit-flipping attacks.

- Not all data is encrypted, only packets for certain protocols.  For
  example, while IP traffic is encrypted, many of the control packets
  for the underlying PPP session are not.  For example, it's feasible
  you wouldn't want a passive attacker to see the user's login name
  and the internal IP address handed to the client: both of these are
  visible in unencrypted packets.

- The authentication and encryption protocols permit passive
  dictionary attacks against the user's password.

- The MS-CHAPv2 authentication leaks the last 2 bytes of the user's
  16-byte NT password hash, speeding a dictionary attack on the
  password by a factor of 2^16.  In fact, it only requires the
  breaking of two *independent* DES encryptions of a known challenge
  value (a brute-force effort of at most 2^57 encryptions) to recover
  the remaining 14 bytes of the NT hash.  Since it is this hash, and
  not the user's original password, that authenticates the user and
  encrypts every session, the effective key size for any PPTP session
  is really 57 bits, even when MPPE-128 is used.

-- 
Kevin <buhr@telus.net>
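As an added illustration of the first flaw listed above (this is example code, not part of Kevin's message), the Python below models an unauthenticated stream cipher, using HMAC-SHA256 in counter mode as a stand-in for MPPE's cipher, shows how a packet field whose plaintext is predictable can be rewritten in the ciphertext without the key, and shows an encrypt-then-MAC wrapper rejecting the same modification. Keys, nonce and the packet contents are all constructed for the example.

```python
import hashlib
import hmac
import os

# Added example, not from the original message. HMAC-SHA256 in counter mode
# stands in for MPPE's stream cipher; the property shown holds for any
# unauthenticated stream cipher.

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def flip_bytes(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Rewrite ciphertext so it decrypts to `new` where it decrypted to `old`.
    Needs no key, only the original bytes at that offset (e.g. a predictable
    header field), because each ciphertext bit maps onto one plaintext bit."""
    buf = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)

def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    """Mitigation: a MAC over the ciphertext makes any modification detectable."""
    ct = stream_xor(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def verify_and_decrypt(enc_key, mac_key, nonce, ct, tag):
    """Return the plaintext, or None when the tag does not match (packet rejected)."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_xor(enc_key, nonce, ct)

def demo():
    enc_key, mac_key, nonce = os.urandom(16), os.urandom(16), os.urandom(8)
    packet, old, new = b"DST=10.0.0.5 PAYLOAD=hello", b"10.0.0.5", b"10.0.0.9"  # constructed
    off = packet.index(old)
    # Unauthenticated: the altered packet decrypts cleanly with a new DST.
    unauth = stream_xor(enc_key, nonce, flip_bytes(stream_xor(enc_key, nonce, packet), off, old, new))
    # Encrypt-then-MAC: the same alteration fails verification.
    ct, tag = encrypt_then_mac(enc_key, mac_key, nonce, packet)
    authed = verify_and_decrypt(enc_key, mac_key, nonce, flip_bytes(ct, off, old, new), tag)
    return unauth, authed  # (b"DST=10.0.0.9 PAYLOAD=hello", None)
```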
