Re: [cryptography] MS PPTP MPPE only as secure as *single* DES (UPDATE)

2012-08-01 Thread Harald Hanche-Olsen
This story is on Ars Technica today, where it might get a bit more exposure:

http://arstechnica.com/security/2012/07/broken-microsoft-sheme-exposes-traffic/

- Harald
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] MS PPTP MPPE only as secure as *single* DES (UPDATE)

2012-07-30 Thread Marsh Ray

On 04/03/2012 02:29 PM, Marsh Ray wrote:

> Therefore, from any packet capture of a PPTP session which includes the
> initial handshake, a brute force of the response yields the complete NT
> hash with complexity 2^57.
>
> The NT hash is a password-equivalent, and it represents the only secret
> material that goes into the MPPE encryption key derivation.
>
> So MS PPTP + MS-CHAPv2 + MPPE can be no better than single DES, and a
> break discloses your login credentials for use with other services.


An update:

Moxie Marlinspike and David Hulton have improved the attack from 2^57 to 
2^56.


Two days ago at Defcon 20 they released open source software for parsing 
network captures for any MS-CHAPv2 handshakes and an online service 
using a Pico Computing FPGA cluster to reverse the NT hash. This allows 
decrypting a captured PPTP session or logging in as the user in about 
half a day on average.


https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Marlinspike
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

On Monday, Jacob Appelbaum and I will be presenting our "vpwns: Virtual 
Pwned Networks" paper at Usenix FOCI '12. It discusses the limitations 
of off-the-shelf VPN systems when used for user anonymity and censorship 
resistance. PPTP is a common choice for these systems, so we'll take the 
opportunity to reiterate the inherent weakness in MS-CHAPv2.


https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks

This is a good opportunity for everyone to make a contribution to 
practical crypto. Anyone that can pitch in, let's do a full-court press 
on lobbying for the wholesale replacement for MS-CHAPv2 and to raise 
awareness of the decryptability of PPTP. We could use blog posts, press 
articles, tweets, etc.


Let's make this the week that the whole industry realizes that vendors 
shipping these protocols are continuing to sell crummy sub-standard 
single-DES crypto products which don't conform to modern security 
requirements.


- Marsh
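
Where the 2^57 and 2^56 figures in the message above come from, as an added example (not part of the original post and not code from the released tools). It assumes the NT-Response layout of RFC 2759; the function names and the sample NT hash are constructed for illustration, and no DES is performed.

```python
"""Added illustration (not from the thread): MS-CHAPv2 NT-Response key layout.

Per RFC 2759, the 16-byte NT hash is zero-padded to 21 bytes and cut into
three 7-byte DES keys; each key encrypts the same 8-byte challenge hash.
No DES is run here: only the key layout and search-space sizes are computed.
"""
import math

# Constructed 16-byte value standing in for an NT hash (not a real credential).
SAMPLE_NT_HASH = bytes(range(1, 17))


def split_nt_hash(nt_hash):
    """Return the three 7-byte DES key chunks derived from a 16-byte NT hash."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be exactly 16 bytes")
    padded = nt_hash + b"\x00" * 5          # 21 bytes = 3 x 7
    return [padded[i:i + 7] for i in (0, 7, 14)]


def expand_des_key(chunk):
    """Spread 56 key bits over 8 bytes (7 per byte) and set odd parity."""
    if len(chunk) != 7:
        raise ValueError("DES key material must be 7 bytes")
    bits = int.from_bytes(chunk, "big")
    key = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:   # low bit makes the byte odd-parity
            byte |= 1
        key.append(byte)
    return bytes(key)


def unknown_key_bits():
    """Secret bits in each chunk: bytes at offset >= 16 are known zero padding."""
    return [8 * (min(16, start + 7) - start) for start in (0, 7, 14)]


def search_cost(single_pass):
    """DES trial encryptions needed to recover the whole NT hash, worst case.

    single_pass=False: search each key separately.
    single_pass=True: because every block encrypts the same plaintext, one
    trial encryption per candidate key is compared with both full-size
    ciphertext blocks.
    """
    first, second, third = (2 ** b for b in unknown_key_bits())
    if single_pass:
        return max(first, second) + third
    return first + second + third


def effective_bits(password_entropy_bits):
    """Strength an eavesdropper faces: the password or the DES search, whichever is less."""
    return min(password_entropy_bits, math.log2(search_cost(single_pass=True)))


if __name__ == "__main__":
    for n, chunk in enumerate(split_nt_hash(SAMPLE_NT_HASH), 1):
        print(f"key {n}: {chunk.hex()} -> DES key {expand_des_key(chunk).hex()}")
    print("unknown bits per key:", unknown_key_bits())
    print("separate searches: 2^%.2f" % math.log2(search_cost(False)))
    print("single pass:       2^%.2f" % math.log2(search_cost(True)))
    print("128-bit password is worth %.1f bits" % effective_bits(128))
```

The last function is the defender's takeaway: a password with far more than 56 bits of entropy still yields a handshake whose NT hash falls to a single-DES-sized search.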



Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-10 Thread ianG

On 9/04/12 13:33 PM, James A. Donald wrote:
> On 2012-04-09 10:17 AM, Steven Bellovin wrote:
>> I'd put most of it down to conflicting agendas -- even people
>> you regard as "evil" don't see themselves that way; they
>> simply have a different definition -- agenda -- for "good".
>
> An agenda which requires them to lie about what they believe, stack
> committees, falsify the evidence, and personally destroy, Alinsky style,
> those who mention inconvenient truths.



I think there is a widespread misconception about committees.  People 
think they are there to create good results.  I think that is wrong.  I 
think they are there to stop outright wars in foisting bad results on an 
unwitting public.


As a step up from outright commercial war, if they can be kept polite 
and safe then that's as much as we can expect.  The fact that companies 
are likely to send their best (cough) "politicians" into the committee 
to get their deals is a given.


It's what they get paid for.  You asking for something different is 
perhaps your error.




>> One can disagree on the likelihood or
>> impact of a vulnerability, but generally not its existence,
>> until the audience is politicians.
>
> The probability that the audience is politicians tends to increase with
> the size of the meeting.



Even a committee of 2 requires delicate political skills... :)  Beyond 
2, calling it "political" is perhaps being overly polite with the truth.




iang



Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-08 Thread James A. Donald

On 2012-04-09 10:17 AM, Steven Bellovin wrote:
> I'd put most of it down to conflicting agendas -- even people
> you regard as "evil" don't see themselves that way; they
> simply have a different definition -- agenda -- for "good".


An agenda which requires them to lie about what they believe, stack 
committees, falsify the evidence, and personally destroy, Alinsky style, 
those who mention inconvenient truths.



> One can disagree on the likelihood or
> impact of a vulnerability, but generally not its existence,
> until the audience is politicians.


The probability that the audience is politicians tends to increase with 
the size of the meeting.



Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-08 Thread Steven Bellovin

On Apr 8, 2012, at 7:49 04PM, James A. Donald wrote:

> On 2012-04-09 9:15 AM, Steven Bellovin wrote:
> > Yes, the algorithms and protocols can be very important,
> > especially if you have serious enemies. They're also more
> > fun for many folks (myself included) than the really hard
> > engineering and development work to make the thing usable.
> > They're orders of magnitude more fun than the arguments in
> > standards bodies to agree on what is really necessary as an
> > option, as opposed to something that most people don't want
> > but some vendor insists has to be there for 2.71828% of
> > their customer base.
> 
> Seems to me that most crypto failure is usability failure.
> The only massive protocol and algorithm failure is wifi.

Yup.  Even there, the problem that got most of the attention
-- the fact that RC4 (as used in WEP) can be cryptanalyzed --
wasn't knowable at the time.  The avoidable errors -- the
misuse of a stream cipher, and the lack of a standardized
key management layer -- were not enough to prompt a change
in the standard.
> 
> Also, anything that comes out of a committee, particularly a
> large committee containing conflicting agendas, evil people,
> stupid people, and crazy people, is apt to be a massive
> usability fail, and the only reason why it is usually not
> also a massive algorithm and protocol fail is that the
> stupid, the crazy, and the evil have difficulty following the
> protocol and algorithm discussion.

I'd put most of it down to conflicting agendas -- even people
you regard as "evil" don't see themselves that way; they
simply have a different definition -- agenda -- for "good".
Craziness doesn't generally survive, nor stupidity.  Granted,
some folks with different agendas may (or may not) understand
certain details, but if they don't it's because that isn't
important to their employers' agendas.

One more thing: algorithm and protocol failures are often a
matter of fact, not opinion, and most people are reluctant
to argue for something that everyone else can see is factually
incorrect.  I recall one incident when I was Security Area Director
in the IETF when I blocked some SIP documents because of a
cut-and-paste attack.  I had a very hostile meeting with a fair
number of the proponents of those documents -- until I pulled
out my laptop and showed exactly how the attack worked.  End
of discussion, period.  One can disagree on the likelihood or
impact of a vulnerability, but generally not its existence,
until the audience is politicians.  (The disagreements, circa
the late 1970s, on the susceptibility of DES to an economically
feasible brute force attack come to mind.)  The trouble comes
when it gets to matters of taste and judgment, and what adding
17.3 new features to the protocol will do to the software's
correctness and comprehensibility.


--Steve Bellovin, https://www.cs.columbia.edu/~smb







Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-08 Thread James A. Donald

On 2012-04-09 9:15 AM, Steven Bellovin wrote:
> Yes, the algorithms and protocols can be very important,
> especially if you have serious enemies. They're also more
> fun for many folks (myself included) than the really hard
> engineering and development work to make the thing usable.
> They're orders of magnitude more fun than the arguments in
> standards bodies to agree on what is really necessary as an
> option, as opposed to something that most people don't want
> but some vendor insists has to be there for 2.71828% of
> their customer base.

Seems to me that most crypto failure is usability failure.
The only massive protocol and algorithm failure is wifi.

Also, anything that comes out of a committee, particularly a
large committee containing conflicting agendas, evil people,
stupid people, and crazy people, is apt to be a massive
usability fail, and the only reason why it is usually not
also a massive algorithm and protocol fail is that the
stupid, the crazy, and the evil have difficulty following the
protocol and algorithm discussion.


Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-08 Thread Steven Bellovin

On Apr 8, 2012, at 7:30 43AM, ianG wrote:

> On 6/04/12 10:57 AM, Steven Bellovin wrote:
>> 
>> On Apr 5, 2012, at 5:51 10PM, James A. Donald wrote:
> 
>>> So I think that pretty much everyone has already heard that MS PPTP is 
>>> insecure.  Every time I set up a vpn, I am re-reminded, just in case.
>> 
>> 
>> "Don't use cryptographic overkill.  Even bad crypto is usually the strong 
>> part of the system."  Adi Shamir, 1995.  
>> (http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)
> 
> 
> All hail the great A5/1 and lesser spawn.
> 
> Seriously though, we suffer tremendously in this industry from overkill.  
> Studying the biases in the field would make a great cross-over PhD in 
> psych-CS-crypto-business.  Is there anyone amongst us who hasn't chortled 
> with glibbity and glee when some despised crypto system falls to a pernickity 
> academic attack?


Sure -- and I (and many others on this list) have worked hard for good, secure 
crypto standards. But things like PPTP, even when flawed, have survived for a 
reason.  Often, the reason is that they're far more *usable* than the stronger 
alternatives.  Let's take openvpn, which some others have spoken favorably of 
in this thread.  Consider 
http://openvpn.net/index.php/open-source/documentation/howto.html (and 
especially 
http://openvpn.net/index.php/open-source/documentation/howto.html#examples), 
the "official" starting points.  Then contrast that with what a typical 
sysadmin has to know to set up PPTP.  Yes, I understand why openvpn has a 
harder job, though I do think that a fair amount of the complexity could be 
hidden by (a) a bit more management software, and (b) the developers making 
certain decisions (and hence taking them away from the sysadmin).  Both of 
those take a great deal of taste to do correctly, of course.

IPsec is often worse.  Take a look at, say, 
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/checkpoint/racoon.html, or 
the man page at http://www.linuxmanpages.com/man5/racoon.conf.5.php .  There's 
a fearsome amount you have to wade through just to decide that you don't need 
to touch, say, the "nonce_size" option.  More substantively, how many hours 
will it take the typical sysadmin to understand the description of the 
"generate_policy" option?

So -- you're the typical sysadmin.  You can spend many hours trying to 
understand all that stuff, or you can click through a very few screens and get 
crypto that will certainly deter the casual adversary at the local hotspot, 
will block even the NSA's vacuum cleaners -- and if you're targeted, might not 
be the weak point after all, since exploiting bad crypto depends at a minimum 
on actually picking up the traffic of interest, while a host exploit is 
always there.

Yes, the algorithms and protocols can be very important, especially if you have 
serious enemies. They're also more fun for many folks (myself included) than 
the really hard engineering and development work to make the thing usable.  
They're orders of magnitude more fun than the arguments in standards bodies to 
agree on what is really necessary as an option, as opposed to something that 
most people don't want but some vendor insists has to be there for 2.71828% of 
their customer base.



--Steve Bellovin, https://www.cs.columbia.edu/~smb







Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-08 Thread ianG

On 6/04/12 10:57 AM, Steven Bellovin wrote:
> On Apr 5, 2012, at 5:51 10PM, James A. Donald wrote:
>
>> So I think that pretty much everyone has already heard that MS PPTP is
>> insecure.  Every time I set up a vpn, I am re-reminded, just in case.
>
> "Don't use cryptographic overkill.  Even bad crypto is usually the strong part of
> the system."  Adi Shamir, 1995.
> (http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)



All hail the great A5/1 and lesser spawn.

Seriously though, we suffer tremendously in this industry from overkill. 
 Studying the biases in the field would make a great cross-over PhD in 
psych-CS-crypto-business.  Is there anyone amongst us who hasn't 
chortled with glibbity and glee when some despised crypto system falls 
to a pernickity academic attack?


In order to replace the myth that crypto must be perfect, maybe we need 
a countervailing myth?  Something like (whiteboarding here):


   A finely balanced choice is as much an opportunity
   to measure one's attacker [0], as a way to preserve and
   reward a future generation of architects.

Call it the easter egg theory of crypto-plumbing?  Gotta lay down some 
chocolate to keep new bunnies hopping...




iang



[0] Dan Geer's delta argument.


Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-06 Thread Ondrej Mikle
On 04/06/2012 03:23 AM, Peter Maxwell wrote:
> On 5 April 2012 18:06, Marsh Ray wrote:
>
>> On 04/05/2012 04:12 AM, Ralf-Philipp Weinmann wrote:
>>
>>> Do you have statistics on that? I remember newer Microsoft and Apple
>>> operating systems supporting L2Sec quite well. And then there are the
>>> Cisco abominations of IPSec that are quite common. But maybe not as
>>> common as SSL VPNs. And let's not forget OpenVPN for the geek
>>> faction. Where did you get the data that PPTP still is "one of the
>>> most commonly-used VPN protocols".
>>
>> Honestly, it's been years since I messed with VPNs and I have not
>> done methodical research. I suspect VPN industry studies are likely
>> to be skewed by selection bias (IT departments who are likely to
>> spend money on a real VPN).
>
> There's two reasons I haven't commented on this (despite it being good
> work):
>
> i. I'm not familiar enough with PPTP, and always avoided it like the
> plague anyway (and that was 10 years ago).  Does dial-up not still
> generally use MS-CHAPv2?

Not sure about dialup, but in 802.1x the combination of PEAP/MSCHAPv2 is
still quite common (last seen about a week ago). Though without MitM-ing
the outer layer (PEAP) it'd be difficult to use the MSCHAPv2 attack
because the challenge is not in the clear, I guess.

On the other hand, there's only a handful of people that supply the
server cert for 802.1x, so MitM-ing shouldn't be hard in practice.

Ondrej


Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-05 Thread Peter Maxwell
On 5 April 2012 18:06, Marsh Ray  wrote:

> On 04/05/2012 04:12 AM, Ralf-Philipp Weinmann wrote:
>
>>
>> Do you have statistics on that? I remember newer Microsoft and Apple
>> operating systems supporting L2Sec quite well. And then there are the
>> Cisco abominations of IPSec that are quite common. But maybe not as
>> common as SSL VPNs. And let's not forget OpenVPN for the geek
>> faction. Where did you get the data that PPTP still is "one of the
>> most commonly-used VPN protocols".
>>
>
> Honestly, it's been years since I messed with VPNs and I have not done
> methodical research. I suspect VPN industry studies are likely to be
> skewed by selection bias (IT departments who are likely to spend
> money on a real VPN).
>

There's two reasons I haven't commented on this (despite it being good
work):

i. I'm not familiar enough with PPTP, and always avoided it like the plague
anyway (and that was 10 years ago).  Does dial-up not still generally use
MS-CHAPv2?

ii. There's only been once I've seen a company use PPTP for a VPN, and I
responded as any self-respecting sys-admin would... I laughed, took the
piss a bit, then fixed it.  Anything else I've seen has been Cisco (IPSec
or SSL afaik), Checkpoint (IPSec?), more bog-standard IPSec setups and
OpenVPN.  For that matter, I've seen companies use the sshd socks proxy as
a "VPN".


Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-05 Thread Steven Bellovin

On Apr 5, 2012, at 5:51 10PM, James A. Donald wrote:

> On 2012-04-05 6:55 PM, Marsh Ray wrote:
> > So I point out that one of the most commonly-used VPN protocols is
> > completely ineffective and this is the reaction I get? Gee I expected
> > more from you guys. :-)
> >
> > Perhaps I just phrased it wrong. Let me try again:
> >
> > Hey yall!
> > There's this here NSA backdoor still lingering around from the 1990's!
> > I guess we know what they wanted that big ole datacenter now for huh?
> 
> One of the most commonly-used VPN protocols is completely ineffective. Also, 
> the pope is Catholic, and bears shit in the wood.
> 
> When I set up a vpn, what usually happens is that the package offers me two 
> protocols, one that it deprecates as insecure (MS PPTP), and openvpn
> 
> The setup info or the web page tells me that MS PPTP has the great advantage 
> that it is built in to Microsoft, and the great disadvantage that it is not 
> secure.
> 
> So I think that pretty much everyone has already heard that MS PPTP is 
> insecure.  Every time I set up a vpn, I am re-reminded, just in case.


"Don't use cryptographic overkill.  Even bad crypto is usually the strong part 
of the system."  Adi Shamir, 1995.  
(http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)

--Steve Bellovin, https://www.cs.columbia.edu/~smb







Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-05 Thread Brian Keefer

On Apr 5, 2012, at 2:51 PM, James A. Donald wrote:

> On 2012-04-05 6:55 PM, Marsh Ray wrote:
> > So I point out that one of the most commonly-used VPN protocols is
> > completely ineffective and this is the reaction I get? Gee I expected
> > more from you guys. :-)
> >
> > Perhaps I just phrased it wrong. Let me try again:
> >
> > Hey yall!
> > There's this here NSA backdoor still lingering around from the 1990's!
> > I guess we know what they wanted that big ole datacenter now for huh?
> 
> One of the most commonly-used VPN protocols is completely ineffective. Also, 
> the pope is Catholic, and bears shit in the wood.
> 
> When I set up a vpn, what usually happens is that the package offers me two 
> protocols, one that it deprecates as insecure (MS PPTP), and openvpn
> 
> The setup info or the web page tells me that MS PPTP has the great advantage 
> that it is built in to Microsoft, and the great disadvantage that it is not 
> secure.
> 
> So I think that pretty much everyone has already heard that MS PPTP is 
> insecure.  Every time I set up a vpn, I am re-reminded, just in case.

Perhaps we're overlooking the fact that vast majority of Small & Medium 
Business VPN implementations are done by hassled IT people, not security 
experts who care enough to sign up for encryption mailing lists.

Perhaps someone should Scan The Internet(TM) for PPTP (1723/TCP). I assure you 
it's still very much alive.

Edit: Just did a string search on Shodan (free account) and it returned 240 
results for "pptp." Keep in mind that's just in http/ftp server 
headers/banners, snmp attributes, etc. SFAIK it doesn't index other ports.

PS People "know" passwords are insecure too, but 'password1' is everywhere.

--
bk




Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-05 Thread James A. Donald

On 2012-04-05 6:55 PM, Marsh Ray wrote:
> So I point out that one of the most commonly-used VPN protocols is
> completely ineffective and this is the reaction I get? Gee I expected
> more from you guys. :-)
>
> Perhaps I just phrased it wrong. Let me try again:
>
> Hey yall!
> There's this here NSA backdoor still lingering around from the 1990's!
> I guess we know what they wanted that big ole datacenter now for huh?

One of the most commonly-used VPN protocols is completely ineffective. 
Also, the pope is Catholic, and bears shit in the wood.


When I set up a vpn, what usually happens is that the package offers me 
two protocols, one that it deprecates as insecure (MS PPTP), and openvpn


The setup info or the web page tells me that MS PPTP has the great 
advantage that it is built in to Microsoft, and the great disadvantage 
that it is not secure.


So I think that pretty much everyone has already heard that MS PPTP is 
insecure.  Every time I set up a vpn, I am re-reminded, just in case.




Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-05 Thread Marsh Ray

On 04/05/2012 04:12 AM, Ralf-Philipp Weinmann wrote:

> Do you have statistics on that? I remember newer Microsoft and Apple
> operating systems supporting L2Sec quite well. And then there are the
> Cisco abominations of IPSec that are quite common. But maybe not as
> common as SSL VPNs. And let's not forget OpenVPN for the geek
> faction. Where did you get the data that PPTP still is "one of the
> most commonly-used VPN protocols".

Honestly, it's been years since I messed with VPNs and I have not done 
methodical research. I suspect VPN industry studies are likely to be 
skewed by selection bias (IT departments who are likely to spend 
money on a real VPN).


Here's why I think PPTP is still in common use.

* PPTP is supported by Windows XP without any special client software. 
So is L2TP/IPsec PSK, but that's not the kind of VPN that users log in 
to. Most other solutions seem to involve the admin setting up a PKI 
infrastructure. We all know how much fun that is.


* There's a plethora of HOWTO pages for VPNs that use PPTP. E.g.
http://www . chicagotech . net/vpnsetup.htm

* Some sources even treat PPTP as synonymous with VPNs:
http://www . sevenforums . 
com/tutorials/4517-virtual-private-network-vpn-enable-incoming-vpn-connections.html
"How to Configure your Computer to Accept Incoming VPN Connections in 
Windows 7 [...] Information This will show you how to configure your 
computer to accept VPN connection and router settings to allow 
Point-to-Point Tunneling Protocol (PPTP) on your Network in Windows 7."


* http://bandwidthcontroller . com/applicationPorts.html
"This table lists the ports used by some of the more popular applications."
PPTP is listed, L2TP/IPsec is not even mentioned.

* http://whatismyipaddress . com/vpn-service
"PPTP is the most common VPN protocol. It uses TCP port 1723 and Generic 
Routing Encapsulation (GRE) to secure packets. The main advantage of 
PPTP is that all major operating systems and many smartphones can 
natively use PPTP without any additional software."


* http://www.wilderssecurity.com/showpost.php?p=1565325&postcount=19
"I'm reading and the only thing I've come across is that MS CHAP v1 is 
badly broken and MS CHAP v2 is susceptible to dictionary attacks because 
the keys are derived deterministically from the password."


* http://www.sans.org/security-resources/malwarefaq/pptp-vpn.php


>> Hey yall! There's this here NSA backdoor still lingering around
>> from the 1990's! I guess we know what they wanted that big ole
>> datacenter now for huh?
>
> Marsh, sorry, but that is ridiculous.

Yes, it was a bit silly I admit :-)

> A high-school kid with a couple
> of hard drives filled with rainbow tables will do as a valid stand-in
> for the attacker in your threat model. Heck, I'd guess there's even a
> Russian "cloud service" for this by now.


I disagree.

There are users who are careful to choose really good passwords. There 
are smart folks who are expecting this protocol to provide security 
equivalent to the password, at least up to 128 bits. I have talked with 
a few of them.


Here's a random example from the web:

http://www . net . princeton . edu/vpn/pptp.html
"If you connect using MS-CHAPv2 and are using a weak password, attackers 
can use this tool to discover your password. As this tool relies on a 
dictionary search, it should be possible to defend against it by 
selecting an extremely strong OIT Windows password."


- Marsh


Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-05 Thread Ralf-Philipp Weinmann

On Apr 5, 2012, at 10:55 AM, Marsh Ray wrote:

> 
> Wow the crickets are deafening tonight. :-)
> 
> On 04/03/2012 02:29 PM, Marsh Ray wrote:
>> 
>> yields the complete NT hash with complexity 2^57.
>> 
>> The NT hash is a password-equivalent, and it represents the only secret
>> material that goes into the MPPE encryption key derivation.
> 
> So I point out that one of the most commonly-used VPN protocols is completely 
> ineffective and this is the reaction I get? Gee I expected more from you 
> guys. :-) It must be college basketball season or something.

Do you have statistics on that? I remember newer Microsoft and Apple operating 
systems supporting L2Sec quite well. And then there are the Cisco 
abominations of IPSec that are quite common. But maybe not as common as SSL 
VPNs. And let's not forget OpenVPN for the geek faction. Where did you get the 
data that PPTP still is "one of the most commonly-used VPN protocols".

PPTP might be the path of least resistance in terms of setup, but I'm unsure 
about its current deployment rate.

> Perhaps I just phrased it wrong. Let me try again:
> 
> Hey yall!
> There's this here NSA backdoor still lingering around from the 1990's!
> I guess we know what they wanted that big ole datacenter now for huh?

Marsh, sorry, but that is ridiculous. A high-school kid with a couple of hard 
drives filled with rainbow tables will do as a valid stand-in for the attacker 
in your threat model. Heck, I'd guess there's even a Russian "cloud service" 
for this by now.

-Ralf


Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-05 Thread Marsh Ray


Wow the crickets are deafening tonight. :-)

On 04/03/2012 02:29 PM, Marsh Ray wrote:

> yields the complete NT hash with complexity 2^57.
>
> The NT hash is a password-equivalent, and it represents the only secret
> material that goes into the MPPE encryption key derivation.


So I point out that one of the most commonly-used VPN protocols is 
completely ineffective and this is the reaction I get? Gee I expected 
more from you guys. :-) It must be college basketball season or something.


Perhaps I just phrased it wrong. Let me try again:

Hey yall!
There's this here NSA backdoor still lingering around from the 1990's!
I guess we know what they wanted that big ole datacenter now for huh?

And the 51st state (Canada) is launchin a challenger to Bitcoin
http://developer.mintchipchallenge.com/index.php

Coincidence? Ha!

:-)

- Marsh