Re: pptp vpn
Patrick Hsieh <pahud@ezplay.tv> writes:
>
> 1. Is pptp+mppe any insecure? Why? Since the pptpd server can force the
> connection to use mppe encryption with the client. How come pptp+mppe is
> insecure? Is it because the encryption algorithm or lack of the public key
> infrastructure?
For a good critical review of PPTP security, see:
http://www.counterpane.com/pptp.html
In short, Microsoft's original implementation of PPTP had numerous,
very serious flaws both in the authentication (MS-CHAP) and encryption
(MPPE) protocols that could allow it to be easily compromised in
several different ways.
In an upgraded implementation, Microsoft introduced a new
authentication protocol MS-CHAPv2 and fixed some of the problems with
MPPE (when it's used with the new authentication protocol and in
"stateless" mode). Unfortunately, serious flaws still remain:
- Data packets are encrypted using an OFB stream cipher and not
authenticated in any way, making them susceptible to simple
bit-flipping attacks.
- Not all data is encrypted, only packets for certain protocols. For
example, while IP traffic is encrypted, many of the control packets
for the underlying PPP session are not. For example, it's feasible
you wouldn't want a passive attacker to see the user's login name
and the internal IP address handed to the client: both of these are
visible in unencrypted packets.
- The authentication and encryption protocols permit passive
dictionary attacks against the user's password.
- The MS-CHAPv2 authentication leaks the last 2 bytes of the user's
16-byte NT password hash, speeding a dictionary attack on the
password by a factor of 2^16. In fact, it only requires the
breaking of two *independent* DES encryptions of a known challenge
value (a brute-force effort of at most 2^57 encryptions) to recover
the remaining 14 bytes of the NT hash. Since it is this hash, and
not the user's original password, that authenticates the user and
encrypts every session, the effective key size for any PPTP session
is really 57 bits, even when MPPE-128 is used.
--
Kevin <buhr@telus.net>
Reply to: