Counterpane Cracks MS's PPTP

Brad Kemp kemp at indusriver.com
Tue Jun 2 06:09:55 PDT 1998



This is a good paper. It covered almost all of the failures of MS PPTP.  
However, I think it missed a big one.
It is possible to recover all the clear text from a PPTP session,
even if most of the traffic is going in one direction only.
The failure is in MPPE.  When MPPE gets a sequencing error, it
resets the key.  This causes the cipher stream to be reset.  It is
partially covered in section 5.4.
Since RC4 is a stream cipher, it generates the same
cipher stream for a given key.  This cipher stream is XORed with the clear
text.
To recover the clear text, an attacker just needs to force a
resynchronization by sending a packet that has a bogus coherency count.
If the attacker captures the original stream and the resynchronized stream,
a simple XOR of the two streams results in an XOR of the cleartext.
While compression does make it harder to determine what the cleartext is,
it is likely that a determined attacker can decrypt and decompress the
XORed result.
Brad
Brad Kemp
Indus River Networks, Inc.                   BradKemp at indusriver.com
31 Nagog Park						 978-266-8122
Acton, MA 01720                              fax 978-266-8111
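
The keystream-reuse property described in the message above, as an added example (not code from the post or from the Counterpane paper). It is a simplified model: no MPPE framing or compression, the key and plaintexts are constructed, and the `fresh_key` branch is a hypothetical fix shown only for contrast.

```python
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # output generation (PRGA)
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_after_reset(key: bytes, plaintext: bytes,
                        reset_no: int, fresh_key: bool) -> bytes:
    """Encrypt the data sent right after cipher reset number reset_no.

    fresh_key=False: the cipher restarts from the same key, as the post
    describes, so every reset replays the same keystream.
    fresh_key=True: hypothetical fix (an assumption of this example) that
    binds the key to the reset counter so no keystream is ever repeated.
    """
    if fresh_key:
        key = hashlib.sha256(key + reset_no.to_bytes(4, "big")).digest()[:16]
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def leaks_plaintext_xor(fresh_key: bool) -> bool:
    """True if XOR of the two ciphertexts equals XOR of the two plaintexts."""
    key = bytes(range(16))                     # constructed session key
    p1 = b"GET /payroll HTTP/1.0\r\n"          # constructed, before the reset
    p2 = b"USER alice PASS hunter2\n"          # constructed, after the reset
    c1 = encrypt_after_reset(key, p1, 1, fresh_key)
    c2 = encrypt_after_reset(key, p2, 2, fresh_key)
    return xor(c1, c2) == xor(p1, p2)          # keystream cancelled out?

if __name__ == "__main__":
    print("same key after reset :", leaks_plaintext_xor(False))
    print("fresh key after reset:", leaks_plaintext_xor(True))
```

With the key reused, the keystream cancels and the observer is left with the XOR of the two plaintexts without ever touching the key; with a key that changes on every reset, that relation disappears.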





