Re: [cryptography] MS PPTP MPPE only as secure as *single* DES (UPDATE)

Mon, 30 Jul 2012 19:23:06 -0700 

On 04/03/2012 02:29 PM, Marsh Ray wrote:


Therefore, from any packet capture of a PPTP session which includes the
initial handshake, a brute force of the response  yields the complete NT
hash with complexity 2^57.

The NT hash is a password-equivalent, and it represents the only secret
material that goes into the MPPE encryption key derivation.

So MS PPTP + MS-CHAPv2 + MPPE can be no better than single DES, and a
break discloses your login credentials for use with other services.


An update:


Moxie Marlinspike and David Hulton have improved the attack from 2^57 to 
2^56.



Two days ago at Defcon 20 they released open source software for parsing 
network captures for any MS-CHAPv2 handshakes and an online service 
using a Pico Computing FPGA cluster to reverse the NT hash. This allows 
decrypting a captured PPTP session or logging in as the user in about 
half a day on average.


https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Marlinspike
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/


On Monday, Jacob Applebaum and I will be presenting our "vpwns: Virtual 
Pwned Networks" paper at Usenix FOCI '12. It discusses the limitations 
of off-the-shelf VPN systems when used for user anonymity and censorship 
resistance. PPTP is a common choice for these systems, so we'll take the 
opportunity to reiterate the inherent weakness in MS-CHAPv2.


https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks


This is a good opportunity for everyone to make a contribution to 
practical crypto. Anyone that can pitch in, let's do a full-court press 
on lobbying for the wholesale replacement for MS-CHAPv2 and to raise 
awareness of the decryptability of PPTP. We could use blog posts, press 
articles, tweets, etc.



Let's make this the week that the whole industry realizes that vendors 
shipping these protocols are continuing to sell crummy sub-standard 
single-DES crypto products which don't conform to modern security 
requirements.


- Marsh

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography























					Reply via email to