[cryptography] MS PPTP MPPE only as secure as *single* DES (UPDATE)

Marsh Ray marsh at extendedsubset.com
Mon Jul 30 15:12:53 PDT 2012


On 04/03/2012 02:29 PM, Marsh Ray wrote:
>
> Therefore, from any packet capture of a PPTP session which includes the
> initial handshake, a brute force of the response yields the complete NT
> hash with complexity 2^57.
>
> The NT hash is a password-equivalent, and it represents the only secret
> material that goes into the MPPE encryption key derivation.
>
> So MS PPTP + MS-CHAPv2 + MPPE can be no better than single DES, and a
> break discloses your login credentials for use with other services.

An update:

Moxie Marlinspike and David Hulton have improved the attack from 2^57 to 2^56.

Two days ago at Defcon 20 they released open source software for parsing network captures for any MS-CHAPv2 handshakes and an online service using a Pico Computing FPGA cluster to reverse the NT hash. This allows decrypting a captured PPTP session or logging in as the user in about half a day on average.

https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Marlinspike
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

On Monday, Jacob Appelbaum and I will be presenting our "vpwns: Virtual Pwned Networks" paper at Usenix FOCI '12. It discusses the limitations of off-the-shelf VPN systems when used for user anonymity and censorship resistance. PPTP is a common choice for these systems, so we'll take the opportunity to reiterate the inherent weakness in MS-CHAPv2.

https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks

This is a good opportunity for everyone to make a contribution to practical crypto. Anyone who can pitch in, let's do a full-court press on lobbying for the wholesale replacement of MS-CHAPv2 and to raise awareness of the decryptability of PPTP. We could use blog posts, press articles, tweets, etc.

Let's make this the week that the whole industry realizes that vendors shipping these protocols are continuing to sell crummy sub-standard single-DES crypto products which don't conform to modern security requirements.

- Marsh

_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
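As an added illustration (not part of Marsh's post or any project's code), the RFC 2759 NT-Response computation in Go, showing why MS-CHAPv2 is a single-DES problem: the 16-byte NT hash is zero-padded and cut into three 7-byte DES keys that each encrypt the same known 8-byte challenge hash, so the third block depends on only 16 unknown bits and the first two on 56 each. The inputs in main are the RFC 2759 section 9.2 test vectors; the NT hash is taken as given rather than derived from the password, since MD4 is not in Go's standard library.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// desKey spreads 7 bytes over 8 for crypto/des (low bits are ignored parity).
func desKey(k []byte) []byte {
	out := []byte{k[0], 0, 0, 0, 0, 0, 0, k[6] << 1}
	for i := 1; i < 7; i++ {
		out[i] = k[i-1]<<(8-i) | k[i]>>i
	}
	return out
}

// ChallengeHash (RFC 2759 8.2): the known 8-byte block that every key encrypts;
// all of its inputs travel in the clear during the handshake.
func ChallengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// SplitKeys is the weak spot: the 16-byte NT hash is zero-padded to 21 bytes
// and cut into three 7-byte DES keys, so key 3 holds only 16 unknown bits.
func SplitKeys(ntHash []byte) [3][]byte {
	p := append(append([]byte{}, ntHash[:16]...), 0, 0, 0, 0, 0)
	return [3][]byte{p[0:7], p[7:14], p[14:21]}
}

// NTResponse (RFC 2759 8.1): three single-DES encryptions of the same known
// plaintext, so the NT hash falls to one 2^56 search plus a 2^16 one.
func NTResponse(ntHash, auth, peer []byte, user string) []byte {
	ch := ChallengeHash(peer, auth, user)
	resp := make([]byte, 24)
	for i, k := range SplitKeys(ntHash) {
		block, _ := des.NewCipher(desKey(k)) // desKey always yields 8 bytes
		block.Encrypt(resp[i*8:i*8+8], ch)
	}
	return resp
}

func main() {
	// Inputs taken from the RFC 2759 section 9.2 test vectors for user "User":
	// PasswordHash || AuthenticatorChallenge || PeerChallenge, 16 bytes each.
	v, _ := hex.DecodeString("44ebba8d5312b8d611474411f56989ae" +
		"5b5d7c7d7b3f2f3e3c2c602132262628" + "21402324255e262a28295f2b3a337c7e")
	fmt.Printf("NT-Response: %x\n", NTResponse(v[:16], v[16:32], v[32:], "User"))
}
```

The printed value can be checked against the NT-Response listed in RFC 2759 section 9.2.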
