
List:       vpn
Subject:    Re: L0pht Releases PPTP Sniffer
From:       "Paul E. Baclace" <peb () baclace ! net>
Date:       1998-08-08 8:22:41

At 09:04 PM 8/5/98 -0400, raf wrote:
>Hi,
>
>I know about Counterpane posting the security flaw issue AND the Microsoft
>countered with a paper of their own.  However, someone had
>responded back at MS point by point, showing how their response was
>still flawed... Anyone know where I can find a copy of the "rebuttal"??

I was researching this recently...

The Microsoft response http://www.microsoft.com/communications/pptpfinal.htm 
(in very small type, I might add) to http://www.counterpane.com/pptp.html 
addresses only the one most glaring weakness--allowing the Lan Manager (LM) 
hash, which converts passwords to all uppercase (!) and pads them with nul characters (!)  
to 14 bytes.  The patch allows the server admin to disallow this in favor of the "NT Hash".
A patched win95 PPTP client allows the LM hash to be turned off too.  The previous 
implementation always transmitted both kinds of hashes, even in the NT to NT case,
which compromises the NT hash.  It is not clear whether these patches prevent the
LM hash from being sent, versus merely changing acceptance policy, but I assume they
are no longer sending both.

Another patch fixes a denial-of-service attack, but not a crypto weakness.

The other paragraphs (including the one mentioning changing keys every 256 packets) are
only creative verbal damage control, not substantive changes.  
 
I am not aware of any "rebuttal" or evaluation of the new patches by Counterpane, but they
point out in the report that (1) the PPTP protocol has an unencrypted control channel
that exposes considerable information that could be used to crack a code with the known 
plaintext attack; (2) spoofing scenarios; (3) weakness due to using the same session key 
in both directions; (4) strength of the encryption is extremely sensitive to password length;
(5) a resynchronization attack.

None of these were addressed in the patches and only item (4) includes new information
where Microsoft points out that the 128 version session key "includes a function [of] the 
[random] challenge."  Since the challenge is sent in-the-clear, that doesn't extend password 
length.

Microsoft essentially says the 40 bit version of even the patched PPTP is breakable
and only recommends the patched 128 bit version.  

A recent in-depth, though not necessarily comprehensive or formal, analysis was found here:

http://www.nfr.net/firewall-wizards/mail-archive/1998/May/0027.html

where the resynchronization attack is detailed.  The article says that the 
resynchronization attack is eliminated by the future implementation in which keys 
are changed every packet, but that brings with it a simple denial-of-service attack.  
It states that a man-in-the-middle attack is still possible in the future version.

After researching PPTP in order to set up a secure tunnel for a server-client application
(not a VPN tunneling LAN), I settled on C2Net's SafePassage because the SSL protocol
has withstood critical analysis well and because the software was developed outside the U.S.
so no export occurs (they even pay the RSA royalties).  There are other implementations
of SSL from outside the U.S., but C2Net's solution appeared to be the most straight-forward
and reasonably-priced solution that works with Unix (desired, but not required in this case) and NT.   

That said, adding additional authentication/crypto to Microsoft's PPTP or using a different 
PPTP implementation is another matter.



Paul E. Baclace ------>   peb@baclace.net    Baclace.Net, Inc.    http://www.baclace.net
                                            Java        Design        Development        Documentation
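
Added example (not part of the original message or of any Microsoft or Counterpane code): a Python sketch of the LM password preprocessing the message describes, uppercasing and NUL-padding to 14 bytes. It goes one step beyond the message by splitting the result into the two 7-byte DES key halves LM uses, and it assumes ASCII input and a 95-character printable alphabet to show how small the resulting search space is.

```python
import math

LM_LEN = 14          # LM has no room for more than 14 password bytes
PRINTABLE = 95       # assumption: printable ASCII alphabet
LM_ALPHABET = PRINTABLE - 26   # lowercase letters fold into uppercase


def lm_key_material(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte halves LM derives from a password.

    Each half is used on its own as a DES key, so the halves can be
    evaluated independently. ASCII is used here as a simplification of
    the OEM code page the real implementation uses.
    """
    raw = password.upper().encode("ascii", errors="replace")[:LM_LEN]
    raw = raw.ljust(LM_LEN, b"\x00")
    return raw[:7], raw[7:]


def lm_worst_case_bits() -> float:
    """Upper bound on LM search effort: two independent 7-character halves."""
    return math.log2(2 * LM_ALPHABET ** 7)


def case_sensitive_bits(length: int) -> float:
    """Search space of a case-sensitive password hashed as one unit."""
    return length * math.log2(PRINTABLE)


def audit(password: str) -> dict:
    """Summarise what LM preprocessing discards for one password."""
    first, second = lm_key_material(password)
    return {
        "case_lost": password != password.upper(),
        "second_half_empty": second == b"\x00" * 7,  # password is 7 chars or fewer
        "lm_bits_max": round(lm_worst_case_bits(), 1),
        "full_bits": round(case_sensitive_bits(min(len(password), LM_LEN)), 1),
    }


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("Secret1", "CorrectHorse42"):
        print(pw, lm_key_material(pw), audit(pw))
```

Whatever the password length, the LM form tops out below 44 bits of search effort under these assumptions, which is why a server policy that rejects LM responses matters more than any password-length rule while LM is still accepted.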
