Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol 6 Mar. 2007 Amit Golander.

Presentation transcript:


Page 2 Topics in Information Security 2007 Tel-Aviv University
Mainly based on:
Cryptanalysis of MS-PPTP (Point-to-Point Tunneling Protocol)
Schneier and Mudge, Proceedings of the 5th Conference on Computer and Communications Security (1998)
Cited 41 times (according to scholar.google)

Page 3: Outline
- Background
- Authentication
- Encryption
- Other attacks
- Follow-up

Page 4: Motivation
Point-to-Point Tunneling Protocol (PPTP)
[Figure: Alice, Bob, Eve]
Wikipedia: …PPTP is popular because it is easy to configure and it was the first VPN protocol that was supported by Microsoft…

Page 5: PPTP
Uses Generic Routing Encapsulation (GRE) and allows tunneling of PPP datagrams over IP networks
[Figure: packet layout: IP | GRE | PPP | IP | TCP/UDP | Application Data]
Creating a client-server tunnel:
- Establishing control connection. Negotiate algorithms for authentication and encryption
- Establishing tunnel connection

Page 6: What is the paper about?
The paper analyzes Microsoft's Windows NT implementation of PPTP
It shows how to:
- Break the authentication protocols (including challenge/response MS-CHAP)
- Break the RC4 encryption protocol (MPPE)
- Attack the control channel
The story is about bad architecture and terrible design…


Page 8: Authentication
Authentication options in Microsoft implementation:
1. Clear Password
2. Hashed Password. Supports two hash functions:
   a. LANMAN (Lan Manager)
   b. Windows NT hash
3. MS-CHAP challenge/response protocol
[Figure: security hash function h = H(F)]

Page 9: 2a. LANMAN Hash Function
1. Turn the password into a 14-character string
2. Convert all lowercase characters to uppercase
3. Split the 14B string into two 7B halves
4. Using each half as a DES key, encrypt a fixed constant
5. Concatenate to create a single 16-byte hash value
[Figure: Zer4You2______ -> ZER4YOU2______ -> ZER4YOU | 2______ ; each half is the DES key for the constant bytes]

Page 10: 2a. LANMAN - Drawbacks
- Dictionary attacks are easy: most people choose easily guessable passwords
- Brute force is also reasonable:
  - No lower case
  - The same password will always have the same hashed password
    => Can pre-compute a dictionary of hashed passwords.
  - Halves are hashed independently
    => Can be brute-forced independently (7B complexity at most)
    => Passwords of seven characters or less can be immediately recognized.
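The LANMAN steps and drawbacks above, as an added example that is not from the slides. It reproduces the preprocessing and the independent halves with a stand-in one-way function (truncated HMAC-SHA-256 in place of DES, an assumption made so it runs on the standard library alone), so the outputs are not real LM hashes; the sample passwords and the 69-character alphabet are constructed.

```python
import hashlib
import hmac

LM_CONSTANT = b"KGS!@#$%"  # the fixed 8-byte plaintext LANMAN encrypts


def one_way(key7, block):
    # Stand-in for DES-encrypting `block` under a 7-byte key (assumption):
    # truncated HMAC-SHA-256, so outputs are NOT real LM hashes.
    return hmac.new(key7, block, hashlib.sha256).digest()[:8]


def lm_halves(password):
    # Steps 1-3: uppercase, pad/truncate to 14 bytes (NUL padding), split 7 + 7.
    raw = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def lm_style_hash(password):
    # Steps 4-5: each half keys the one-way function independently.
    left, right = lm_halves(password)
    return one_way(left, LM_CONSTANT) + one_way(right, LM_CONSTANT)


# Half produced by an all-padding key: identical for every short password.
EMPTY_HALF = one_way(b"\x00" * 7, LM_CONSTANT)


def reveals_short_password(lm_hash):
    # True when the password had 7 characters or fewer.
    return lm_hash[8:] == EMPTY_HALF


def worst_case_guesses(alphabet, length):
    # Candidates of exactly `length` characters over `alphabet` symbols.
    return alphabet ** length


if __name__ == "__main__":
    for pw in ("Zer4You2", "zer4you2", "secret"):  # constructed samples
        h = lm_style_hash(pw)
        print(pw, h.hex(), "short" if reveals_short_password(h) else "long")
    # 69 = printable ASCII once lowercase is folded away (assumed alphabet).
    print("two 7-char halves :", 2 * worst_case_guesses(69, 7))
    print("one 14-char string:", worst_case_guesses(69, 14))
```

The same checks hold for real LM hashes because they depend only on the case folding and the 7 + 7 split, not on the cipher.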

Page 11: 2b. Windows NT Hash
Construction:
1. The password is converted to Unicode
2. The password is hashed using MD4, yielding 16B
Drawbacks:
- Always sent alongside the older LAN Manager hash value…
+ Fixed older drawbacks of upper case and hashing halves.
- Did not fix the vulnerability to dictionary attacks and pre-computation
- Weaknesses in MD4 were demonstrated in 1991

Page 12: 3. MS-CHAP
Challenge Handshake Authentication Protocol (CHAP)
Client:
1. Calculate the hash (16B)
2. Pad to create a 21B string
3. Partition to three 7B keys. Each key is used to encrypt the challenge.
Server:
- Look up the hash
- Do steps 2+3
- Compare result
Messages exchanged: Login request, 8B random challenge, 24B result

Page 13: MS-CHAP - Drawbacks
- Same hash weaknesses, but pre-computing is not feasible
- MS-CHAP client reply divided to thirds
- Server is not authenticated
[Figure: MS-CHAP data flow. Legend: C = Challenge, P = Password, H = Hashed, R = Result, S = constant. The password P is hashed by LANMAN (with constant S) into H; the parts of H (the last being H 14,15 plus pads) key DES over the challenge C 0..7 to give the result R.]

Page 14: Breaking MS-CHAP
[Figure: same MS-CHAP data flow as on the previous slide (C = Challenge, P = Password, H = Hashed, R = Result, S = constant)]
- C and R are known, so try avg values of H
- S and H are known, so filter possible values of P (N/2^16)
- Concatenate the possible to all values of H_7 (*<2^8) until equals R
- Similarly, H_7 is known, so filter possible values of P_0..6 (M/2^8)


Page 16: Encryption
Microsoft Point-to-Point Encryption (MPPE)
MPPE uses an RC4 stream cipher (output feedback)
[Figure: Key -> RC4 -> Z_i ; C_i = P_i + Z_i]
Determining the key:
[Figure: 40 bits: P -> LANMAN -> H -> SHA-0, with the constant 0xD1269E -> Key. 128 bits: P -> NT hash -> H, together with the MS-CHAP challenge -> SHA-0 -> Key.]

Page 17: Encryption - Drawbacks
- Not all PPP packets are encrypted
- Key calculated from password (< 40/128-bit key)
- Can pre-compute 40-bit key streams -> Dictionary of cipher text PPP headers
- Key stream is reused over and over again:
  - By the client and server
  - During the same session (resync)
  - For the 40-bit version, on different sessions as well
  C_i = P_i + Z_i
  C_i + C'_i = P_i + Z_i + P'_i + Z'_i
- Synchronization manipulation
- Vulnerable to bit flip attacks
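The key-stream reuse and bit-flip drawbacks above, as an added example that is not from the slides or the paper. It uses standard RC4 and reads the slide's "+" as XOR; the key (laid out as 0xD1269E followed by 40 secret bits), the two packets and all function names are constructed for illustration.

```python
def rc4_keystream(key, n):
    # Standard RC4: key scheduling, then n bytes of output (the slide's Z_i).
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a, b):
    # The slide's "+": bytewise XOR, truncated to the shorter input.
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, data):
    # C_i = P_i + Z_i; decryption is the same operation.
    return xor(data, rc4_keystream(key, len(data)))


def other_plaintext(c_a, c_b, known_a):
    # Z cancels in C + C', so one known plaintext yields the other, no key.
    return xor(xor(c_a, c_b), known_a)


def flip(ciphertext, offset, mask):
    # Changing ciphertext bits changes the same plaintext bits: no integrity.
    out = bytearray(ciphertext)
    out[offset] ^= mask
    return bytes(out)


# Constructed inputs: a 64-bit key in the 40-bit layout (0xD1269E + 5 bytes).
KEY = bytes.fromhex("d1269e") + b"\x01\x02\x03\x04\x05"
P_CLIENT = b"client->server: balance=100"
P_SERVER = b"server->client: hello, Alice"

if __name__ == "__main__":
    c1, c2 = encrypt(KEY, P_CLIENT), encrypt(KEY, P_SERVER)  # same Z both ways
    print(other_plaintext(c1, c2, P_CLIENT))
    tampered = flip(c1, P_CLIENT.index(b"1"), ord("1") ^ ord("9"))
    print(encrypt(KEY, tampered))
```

Separate keys per direction remove the client/server reuse case; the bit-flip result is independent of key handling and needs an integrity check on the ciphertext to prevent.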


Page 19: Other Attacks
- PPTP control channel is not encrypted and contains too much information, example:
  - Number of PPTP virtual tunnels the server has available
- PPP configuration packets are not encrypted and not authenticated, example:
  - Modify the internal DNS address handed to the client
- DoS attacks


Page 21: Summary
The paper analyzes Microsoft's Windows NT implementation of PPTP
It shows how to:
- Break the authentication protocols (including challenge/response MS-CHAP)
- Break the RC4 encryption protocol (MPPE)
- Attack the control channel
The story is about bad architecture and terrible design…

Page 22: Follow-up 1
90 days later…
- MS-CHAPv2 created
  - LANMAN is no longer sent alongside the stronger Win NT hash
  - Server is authenticated as well
  - Spoofing (Change password packets)
  - Windows Vista drops support for MS-CHAPv1
- MPPE updated
  - MPPE uses unique keys in each direction.

Page 23: Follow-up 2
Schneier, Mudge and Wagner: Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)
Objective: “Assess the improvements and remaining weaknesses in MS-PPTP”
Conclusion:
- Some things were fixed, but…
- Need authentication and key-exchange protocols which do not allow dictionary attacks against the user's password.
- PPTP -> IPSec

Page 24: Follow-up 3
L2TP (Layer 2 Tunneling Protocol)
- IP UDP packet security provided by IPSec
- Control and data
[Figure: L2TP/IPSec packet layout with the fields IP, IPSEC, UDP, L2TP, PPP, TCP/UDP, Application Data, IPSEC; IPSec DES or 3DES encrypted]
Windows 2000/3 Choices:
- PPTP
- L2TP/IPSec
- IPSec Tunnel Mode
[Figure labels: Simplicity, Low Cost, Advanced Security]

Page 25: Thank You
Questions and Discussions

Page 26: Home Assignment
1. What is PPTP used for?
2. In one line, define the terms: RC4, MD5, SHA, GRE.
3. Demonstrate the “Lan Manager hash function” using a password which is your first name. Assume DES does nothing when the key is all zeroes.
4. The paper was published in Shortly (2-3 lines) describe how Microsoft solved the problems presented by this paper.