Re: [cryptography] MS PPTP MPPE only as secure as *single* DES (UPDATE)
On 04/03/2012 02:29 PM, Marsh Ray wrote:
> Therefore, from any packet capture of a PPTP session which includes the initial handshake, a brute force of the response yields the complete NT hash with complexity 2^57.
> The NT hash is a password-equivalent, and it represents the only secret material that goes into the MPPE encryption key derivation.
> So MS PPTP + MS-CHAPv2 + MPPE can be no better than single DES, and a break discloses your login credentials for use with other services.
An update: Moxie Marlinspike and David Hulton have improved the attack from 2^57 to 2^56. Two days ago at Defcon 20 they released open source software for parsing network captures for any MS-CHAPv2 handshakes and an online service using a Pico Computing FPGA cluster to reverse the NT hash. This allows decrypting a captured PPTP session or logging in as the user in about half a day on average.

https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Marlinspike
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

On Monday, Jacob Appelbaum and I will be presenting our "vpwns: Virtual Pwned Networks" paper at Usenix FOCI '12. It discusses the limitations of off-the-shelf VPN systems when used for user anonymity and censorship resistance. PPTP is a common choice for these systems, so we'll take the opportunity to reiterate the inherent weakness in MS-CHAPv2.

https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks

This is a good opportunity for everyone to make a contribution to practical crypto. Anyone that can pitch in, let's do a full-court press on lobbying for the wholesale replacement for MS-CHAPv2 and to raise awareness of the decryptability of PPTP. We could use blog posts, press articles, tweets, etc. Let's make this the week that the whole industry realizes that vendors shipping these protocols are continuing to sell crummy sub-standard single-DES crypto products which don't conform to modern security requirements.

- Marsh
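As an added example (not from this thread, and not the code of the tools it mentions), here is the MS-CHAPv2 response computation from RFC 2759 in Go, checked against the RFC's own section 9.2 test vector, to show where the 2^56 figure comes from: the NT hash is the only secret, and it enters as three independent single-DES keys of 7, 7 and 2 bytes. It assumes only the Go standard library, so the NT hash is taken from the RFC vector rather than derived from the password (MD4 is not in the standard library).

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
)

// ChallengeHash (RFC 2759 s8.2): first 8 bytes of SHA1(PeerChallenge ||
// AuthenticatorChallenge || UserName). All three inputs cross the wire in
// clear, so whoever captured the handshake can compute it too.
func ChallengeHash(peer, auth [16]byte, user string) (ch [8]byte) {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(user))
	copy(ch[:], h.Sum(nil)[:8])
	return ch
}

// NTResponse (RFC 2759 s8.5): the NT hash, zero-padded to 21 bytes, is cut into
// three 7-byte DES keys that each encrypt the same challenge hash. The only
// secret is thus split 7 + 7 + 2 bytes over independent blocks: a 2^56 search.
func NTResponse(nt [16]byte, ch [8]byte) (resp [24]byte) {
	var z [21]byte
	copy(z[:], nt[:])
	for i := 0; i < 3; i++ {
		// Spread 7 key bytes over 8, low bit of each left for parity (s8.6).
		var k [8]byte
		for bit := 0; bit < 56; bit++ {
			if z[7*i+bit/8]&(0x80>>(bit%8)) != 0 {
				k[bit/7] |= 0x80 >> (bit % 7)
			}
		}
		c, _ := des.NewCipher(k[:]) // 8-byte key: NewCipher cannot fail
		c.Encrypt(resp[8*i:8*i+8], ch[:])
	}
	return resp
}

// Rfc2759Vector reproduces the worked example in RFC 2759 s9.2 (user "User",
// password "clientPass") and returns the 24-byte NT-Response as hex.
func Rfc2759Vector() string {
	var peer, auth, nt [16]byte
	hex.Decode(peer[:], []byte("21402324255E262A28295F2B3A337C7E"))
	hex.Decode(auth[:], []byte("5B5D7C7D7B3F2F3E3C2C602132262628"))
	hex.Decode(nt[:], []byte("44EBBA8D5312B8D611474411F56989AE")) // MD4(UTF-16LE("clientPass"))
	resp := NTResponse(nt, ChallengeHash(peer, auth, "User"))
	return hex.EncodeToString(resp[:])
}
```

Flipping a bit in NT-hash byte 15 changes only the third response block, which is the structural reason each key slice can be checked on its own; the mitigation is not a longer key but replacing MS-CHAPv2 outright, as the thread argues.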