On 04/03/2012 02:29 PM, Marsh Ray wrote:
> Therefore, from any packet capture of a PPTP session which includes the
> initial handshake, a brute force of the response yields the complete NT
> hash with complexity 2^57.
>
> The NT hash is a password-equivalent, and it represents the only secret
> material that goes into the MPPE encryption key derivation.
>
> So MS PPTP + MS-CHAPv2 + MPPE can be no better than single DES, and a
> break discloses your login credentials for use with other services.

An update:
Moxie Marlinspike and David Hulton have improved the attack from 2^57 to
2^56.

Two days ago at Defcon 20 they released open source software for parsing
network captures for any MS-CHAPv2 handshakes and an online service
using a Pico Computing FPGA cluster to reverse the NT hash. This allows
decrypting a captured PPTP session or logging in as the user in about
half a day on average.

https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Marlinspike
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

On Monday, Jacob Appelbaum and I will be presenting our "vpwns: Virtual
Pwned Networks" paper at Usenix FOCI '12. It discusses the limitations
of off-the-shelf VPN systems when used for user anonymity and censorship
resistance. PPTP is a common choice for these systems, so we'll take the
opportunity to reiterate the inherent weakness in MS-CHAPv2.

https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks

This is a good opportunity for everyone to make a contribution to
practical crypto. Anyone that can pitch in, let's do a full-court press
on lobbying for the wholesale replacement for MS-CHAPv2 and to raise
awareness of the decryptability of PPTP. We could use blog posts, press
articles, tweets, etc.

Let's make this the week that the whole industry realizes that vendors
shipping these protocols are continuing to sell crummy sub-standard
single-DES crypto products which don't conform to modern security
requirements.

- Marsh
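
An added example, not part of the original message: the key-space accounting behind the 2^57 and 2^56 figures, following the RFC 2759 response construction (the 16-byte NT hash is zero-padded to 21 bytes and used as three DES keys over the same 8-byte challenge). The sample hash is constructed and the function names are illustrative assumptions; no DES search is performed.

```python
import math

HASH_LEN, PADDED_LEN = 16, 21   # NT hash size; zero-padded size (RFC 2759)
SAMPLE_NT_HASH = bytes(range(16))  # constructed placeholder, not a real hash


def split_nt_hash(nt_hash: bytes) -> list:
    """Zero-pad the hash to 21 bytes and cut it into three 7-byte DES keys."""
    if len(nt_hash) != HASH_LEN:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash.ljust(PADDED_LEN, b"\x00")
    return [padded[i:i + 7] for i in range(0, PADDED_LEN, 7)]


def expand_des_key(k7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes; the low bit of each is odd parity."""
    n = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        b = ((n >> (49 - 7 * i)) & 0x7F) << 1
        out.append(b | int(bin(b).count("1") % 2 == 0))
    return bytes(out)


def unknown_key_bits() -> list:
    """Secret bits in each DES key: the third holds only hash bytes 14-15."""
    return [min(7, HASH_LEN - off) * 8 for off in (0, 7, 14)]


def effort_bits(shared_plaintext: bool) -> float:
    """log2 of the DES trials needed to recover all three keys.

    All three keys encrypt the same challenge, so one trial per candidate
    can be checked against both full-size ciphertexts (the observation in
    the linked CloudCracker write-up); otherwise each key is searched alone.
    """
    k1, k2, k3 = (2 ** bits for bits in unknown_key_bits())
    return math.log2((max(k1, k2) if shared_plaintext else k1 + k2) + k3)


if __name__ == "__main__":
    for key in split_nt_hash(SAMPLE_NT_HASH):
        print(key.hex(), "->", expand_des_key(key).hex())
    print("bits per key:", unknown_key_bits())
    print("independent searches: 2^%.2f" % effort_bits(False))
    print("shared-plaintext pass: 2^%.2f" % effort_bits(True))
```

The third key contributes only 2^16 candidates, so the total never exceeds the cost of searching one or two single-DES key spaces, regardless of password length or complexity.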