There is no Diffie-Hellman in the PPTP handshake. AFAICT, the MS-CHAPv2 hashes are sent in the clear.

Per
http://www.schneier.com/paper-pptpv2.html
http://www.schneier.com/paper-pptpv2.pdf pg 5

4 MS-CHAPv2: Deriving the 24-byte Response
Both MS-CHAPv1 and MS-CHAPv2 use the same procedure to derive a 24-byte
response from the 8-byte challenge and the 16-byte NT password hash:
1. The 16-byte NT hash is padded to 21 bytes by appending five zero bytes.
2. Let X, Y, Z be the three consecutive 7-byte blocks of this 21-byte value,
and let C be the 8-byte challenge. The 24-byte response R is calculated
as R = DES_X(C), DES_Y(C), DES_Z(C).

The RFC seems to confirm this description.

https://tools.ietf.org/html/rfc2759#section-8.5 :
   DesEncrypt(
   IN  8-octet Clear,
   IN  7-octet Key,
   OUT 8-octet Cypher )
...
   ChallengeResponse(
   IN  8-octet  Challenge,
   IN  16-octet PasswordHash,
   OUT 24-octet Response )
   {
      Set ZPasswordHash to PasswordHash zero-padded to 21 octets

      DesEncrypt( Challenge,
                  1st 7-octets of ZPasswordHash,
                  giving 1st 8-octets of Response )

      DesEncrypt( Challenge,
                  2nd 7-octets of ZPasswordHash,
                  giving 2nd 8-octets of Response )

      DesEncrypt( Challenge,
                  3rd 7-octets of ZPasswordHash,
                  giving 3rd 8-octets of Response )
   }

Therefore, from any packet capture of a PPTP session which includes the initial handshake, a brute force of the response
      1DES(nthash[0..6], c)
   || 1DES(nthash[7..13], c)
   || 1DES(nthash[14..15] || '0' x 5, c)

yields the complete NT hash with complexity 2^57.

The NT hash is a password-equivalent, and it represents the only secret material that goes into the MPPE encryption key derivation.

So MS PPTP + MS-CHAPv2 + MPPE can be no better than single DES, and a break discloses your login credentials for use with other services.

Is anyone aware of this protocol having been fixed since the 1999 paper?

- Marsh
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
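
The following is an added example, not part of the original post or of the RFC text: a Go rendering of the RFC 2759 section 8.5 ChallengeResponse pseudocode quoted above, showing that each 8-octet response block depends on only one 7-octet slice of the NT hash. The helper names expandKey and ChangedBlocks are hypothetical; the sample input is the challenge and password hash from the RFC 2759 section 9.2 test vector.

```go
package main
import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)
// expandKey (hypothetical name) spreads 56 key bits over 8 octets; DES ignores each low (parity) bit.
func expandKey(k []byte) []byte {
	return []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// ChallengeResponse follows the RFC 2759 section 8.5 pseudocode.
func ChallengeResponse(challenge, ntHash []byte) ([]byte, error) {
	if len(challenge) != 8 || len(ntHash) != 16 {
		return nil, fmt.Errorf("need 8-octet challenge and 16-octet hash")
	}
	z := append(append([]byte{}, ntHash...), 0, 0, 0, 0, 0) // ZPasswordHash, 21 octets
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(expandKey(z[7*i : 7*i+7])) // key is always 8 octets, so no error
		c.Encrypt(resp[8*i:8*i+8], challenge)
	}
	return resp, nil
}

// ChangedBlocks (hypothetical helper) flips one hash octet and reports which response blocks change.
func ChangedBlocks(challenge, ntHash []byte, octet int) (changed [3]bool, err error) {
	a, err := ChallengeResponse(challenge, ntHash)
	if err != nil || octet < 0 || octet > 15 {
		return changed, fmt.Errorf("bad input")
	}
	mod := append([]byte{}, ntHash...)
	mod[octet] ^= 0xFF
	b, _ := ChallengeResponse(challenge, mod)
	for i := range changed {
		changed[i] = !bytes.Equal(a[8*i:8*i+8], b[8*i:8*i+8])
	}
	return changed, nil
}

func main() {
	ch, _ := hex.DecodeString("D02E4386BCE91226")                // RFC 2759 section 9.2: challenge
	h, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE") // same vector: password hash
	resp, _ := ChallengeResponse(ch, h)
	changed, _ := ChangedBlocks(ch, h, 15)
	fmt.Printf("NT-Response %X, blocks changed by flipping octet 15: %v\n", resp, changed)
}
```

Octets 14 and 15 of the hash are the only non-zero key material in the third block, which is why that block's key space is so much smaller than the other two.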