At 6:17 PM +0300 7/12/99, Ivars Suba wrote:
>In MS-CHAPv.1 the data encryption technique named MPPE (MS Point-to-Point
>Encryption), which exploits RC-40 OFB encryption mode (with constant salt!),
>is vulnerable to a resynchronization attack (http://www.counterpane.com) from two
>sessions encrypted with the same key, because the initial session keys are obtained
>from the 64-bit LM hash, determining the first three bytes with 0X1226DE
>http://www.ietf.org/internet-drafts/draft-ietf-pppext-mschapv1-keys-00.txt .
>If we replace RC-40 OFB with DES-40 CBC with the same provision, the new DES-40 CBC
>will not be vulnerable to the same attack.
>
My comparison of RC4 and DES based systems assumed competent
implementations of both. A good implementation of DES-ECB beats a broken
implementation of anything else. And MS-CHAPv.1 is clearly broken, as the
Counterpane folks point out. It is true that RC4, being a stream cipher, is
less tolerant of bad implementation than a block cipher like DES, but it
isn't that hard to get it right. Was Microsoft under NSA pressure when
they designed this stuff, or did they come up with it all on their own? (I
can't decide which scenario scares me more.)

Also, I was assuming "40-bit RC4" meant 128 bit RC4 with 88 randomly
generated key bits revealed. For what it is worth, a friend of mine
recently attended a digital showing of "Star Wars Episode 1" at a theater
in NJ. The movie was stored on a 300GB RAID which he said was about the
size of a milk crate. A complete dictionary attack on a 40 bit code only
requires about a dozen times that much disk space. So when digital movie
distribution becomes commonplace, your favorite 12-screen suburban
cinemaplex will have enough computing capacity to break salt-free 40 bit
codes like MPPE in real time.

All this only goes to show that terms like "56-bit" and "40-bit" and even
"128-bit" are not enough to specify what level of security a system
provides. The details matter and good standards are vital.

Arnold Reinhold
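The keystream-reuse problem both messages circle around, as an added illustration that is not part of the thread: a stream cipher keyed from a credential hash with a constant salt gives every session the same keystream, so the XOR of two ciphertexts equals the XOR of the two plaintexts, while a per-session nonce removes the property. The two key-derivation functions, the credential hash and the nonces are constructed stand-ins for this example, not the actual MPPE key schedule.

```python
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA), here only to show what keystream reuse does."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Hypothetical derivations standing in for the two designs discussed above;
# neither is the real MPPE key schedule.
def constant_salt_key(cred_hash: bytes) -> bytes:
    """Flawed: no per-session input, so every session under one credential
    gets the same 40-bit (5-byte) key and therefore the same keystream."""
    return hashlib.sha1(b"CONSTANT-SALT" + cred_hash).digest()[:5]

def per_session_key(cred_hash: bytes, session_nonce: bytes) -> bytes:
    """Fixed: a fresh nonce per session makes each session's keystream unique."""
    return hashlib.sha1(session_nonce + cred_hash).digest()[:5]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(rc4_keystream(key, len(plaintext)), plaintext)

def keystream_reuse_exposes_xor(k1: bytes, k2: bytes, p1: bytes, p2: bytes) -> bool:
    """Design self-check: if two sessions share a keystream, c1^c2 == p1^p2,
    so anyone holding both ciphertexts learns the XOR of the plaintexts.
    Returns True when the key derivation is broken in this way."""
    c1, c2 = encrypt(k1, p1), encrypt(k2, p2)
    return xor(c1, c2) == xor(p1, p2)

# Constructed 16-byte stand-in for a credential hash (not a real LM hash).
CRED_HASH = hashlib.md5(b"constructed sample credential").digest()

if __name__ == "__main__":
    p1, p2 = b"session one payload", b"session two payload"
    ka, kb = constant_salt_key(CRED_HASH), constant_salt_key(CRED_HASH)
    print("constant salt leaks p1^p2:", keystream_reuse_exposes_xor(ka, kb, p1, p2))
    kc, kd = per_session_key(CRED_HASH, b"nonce-1"), per_session_key(CRED_HASH, b"nonce-2")
    print("per-session nonce leaks p1^p2:", keystream_reuse_exposes_xor(kc, kd, p1, p2))
```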