Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol 6 Mar. 2007 Amit Golander.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol 6 Mar. 2007 Amit Golander."— Presentation transcript:

1 Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol 6 Mar. 2007 Amit Golander

2 Page 2 Topics in Information Security 2007 Tel-Aviv University Mainly based on: Cryptanalysis of MS-PPTP (Point-to-Point Tunneling Protocol) Schneier and Mudge, Proceedings of the 5th Conference on Computer and Communications Security (1998) Cited 41 times (according to scholar.google)

3 Page 3 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up

4 Page 4 Topics in Information Security 2007 Tel-Aviv University Alice Bob Eve Motivation Point-to-Point Tunneling Protocol (PPTP) Wikipedia: …PPTP is popular because it is easy to configure and it was the first VPN protocol that was supported by Microsoft…

5 Page 5 Topics in Information Security 2007 Tel-Aviv University PPTP Uses Generic Routing Encapsulation (GRE) and allows tunneling of PPP datagrams over IP networks IPGRE TCP UDP Application DataIPPPP Creating a client-server tunnel: –Establishing control connection. Negotiate algorithms for authentication and encryption –Establishing tunnel connection

6 Page 6 Topics in Information Security 2007 Tel-Aviv University What is the paper about? The paper analyzes Microsoft's Windows NT implementation of PPTP It shows how to: Break the authentication protocols (including challenge/response MS-CHAP) Break the RC4 encryption protocol (MPPE) Attack the control channel The story is about bad architecture and terrible design…

7 Page 7 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up

8 Page 8 Topics in Information Security 2007 Tel-Aviv University Authentication Authentication options in Microsoft implementation: 1.Clear Password Security hash function h=H(F) F h H 2.Hashed Password Supports two hash functions: a.LANMAN (Lan Manager) b.Windows NT hash 3.MS-CHAP challenge/response protocol

9 Page 9 Topics in Information Security 2007 Tel-Aviv University 2a. LANMAN Hash Function 1.Turn the password into a 14-character string 2.Convert all lowercase characters to uppercase 3.Split the 14B string into two 7B halves Zer4You2______ZER4YOU2______ ZER4YOU 2______ DES Constant Bytes: 0..7 8..15 4.Using each half as a DES key, encrypt a fixed constant 5.Concatenate to create a single 16-byte hash value

10 Page 10 Topics in Information Security 2007 Tel-Aviv University 2a. LANMAN - Drawbacks Dictionary Attacks are easy: Most people choose easily guessable passwords Brute force is also reasonable: No lower case The same password will always have the same hashed password => Can pre-compute a dictionary of hashed passwords. Halves are hashed independently => Can be brute-forced independently (7B complexity at most) => Passwords of seven characters or less can be immediately recognized.

11 Page 11 Topics in Information Security 2007 Tel-Aviv University 2b. Windows NT Hash Construction: 1.The password is converted to Unicode 2.The password is hashed using MD4 yielding 16B Drawbacks: Always sent along side the older LAN Manager hash value… + Fixed older drawbacks of upper case and hashing halves. Did not fix the vulnerability to dictionary attacks and pre-computation Weaknesses in MD4 were demonstrated in 1991

12 Page 12 Topics in Information Security 2007 Tel-Aviv University 3. MS-CHAP Challenge Handshake Authentication Protocol (CHAP) 1.Calculate the hash (16B) 2.Pad to create a 21B string 3.Partition to three 7B keys. Each key is used to encrypt the challenge. Look up the hash Do steps 2+3 Compare result Login request 8B random challenge 24B result

13 Page 13 Topics in Information Security 2007 Tel-Aviv University MS-CHAP - Drawbacks Same hash weaknesses, but pre-computing is not feasible MS_CHAP client reply divided to thirds Server is not authenticated DES C hallenge P assword 0..13 H ashed 0..15 R esult 0..23 C hallenge 0..7 LANMAN S constant P 0..6 H 0.. 7 H 0.. 6 H 7.. 13 H 14,15,pads R 0.. 7, 8..15, 16..23 P 7..13 H 8.. 15

14 Page 14 Topics in Information Security 2007 Tel-Aviv University Breaking MS-CHAP DES C hallenge P assword 0..13 H ashed 0..15 R esult 0..23 C hallenge 0..7 LANMAN S constant P 0..6 H 0.. 7 H 0.. 6 H 7.. 13 H 14,15,pads R 0.. 7, 8..15, 16..23 1. C and R are known, so try avg. 2 15 values of H 14.. 15 P 7..13 H 8.. 15 2. S and H 14..15 are known, so filter possible values of P 7..13 (N/2 16 ) Concatenate the possible to all values of H 7 (*<2 8 ) until equals R 8..15 3. Similarly, H 7 is known, so filter possible values of P 0..6 (M/2 8 )

15 Page 15 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up

16 Page 16 Topics in Information Security 2007 Tel-Aviv University Encryption Microsoft Point-to-Point Encryption (MPPE) MPPE uses a RC4 stream cipher (output feedback) Determining the key: Key C i = P i + Z i RC4 ZiZi ZiZi Key NT hash P 0..13 LANMAN P 0..13 H 0.. 15 MS-CHAP challenge 0.. 15 SHA-0 H 0.. 15 SHA-0 0xD1269E 40 bits 128 bits

17 Page 17 Topics in Information Security 2007 Tel-Aviv University Encryption - Drawbacks Not all PPP packets are encrypted Key calculated from password (< 40/128-bit key) Can pre-compute 40-bit key streams -> Dictionary of cipher text PPP headers Key stream is reused over and over again: –By the client and server –During the same session (resync) –For the 40-bit version, on different sessions as well C i = P i + Z i C i + C` i = P i + Z i + P` i + Z` i Synchronization manipulation Vulnerable to bit flip attacks

18 Page 18 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up

19 Page 19 Topics in Information Security 2007 Tel-Aviv University Other Attacks PPTP control channel is not encrypted and contains too much information, example: Number of PPTP virtual tunnels the server has available PPP configuration packets are not encrypted and not authenticated, example: Modify the internal DNS address handed to the client DoS attacks

20 Page 20 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up

21 Page 21 Topics in Information Security 2007 Tel-Aviv University Summary The paper analyzes Microsoft's Windows NT implementation of PPTP It shows how to: Break the authentication protocols (including challenge/response MS-CHAP) Break the RC4 encryption protocol (MPPE) Attack the control channel The story is about bad architecture and terrible design…

22 Page 22 Topics in Information Security 2007 Tel-Aviv University 90 days later… http://www.microsoft.com/technet/security/bulletin/ms98-012.asp http://www.microsoft.com/technet/security/bulletin/ms98-012.asp –MS-CHAPv2 created LANMAN is no longer sent along the stronger Win NT hash Server is authenticated as well Spoofing (Change password packets) Windows Vista drops support for MS-CHAPv1 –MPPE updated MPPE uses unique keys in each direction. Follow-up 1

23 Page 23 Topics in Information Security 2007 Tel-Aviv University 1999 - Schneier, Mudge and Wagner: Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) Objective: “Assess the improvements and remaining weaknesses in MS-PPTP” Conclusion: Some things were fixed, but… Need authentication and key-exchange protocols which do not allow dictionary attacks against the user's password. PPTP -> IPSec Follow-up 2

24 Page 24 Topics in Information Security 2007 Tel-Aviv University 1999 - L2TP (Layer 2 Tunneling Protocol) IP UDP packet security provided by IPSec Control and data TCP UDP Application DataUDPIP IPSECL2TPPPPIPSEC IPSec DES or 3DES encrypted Follow-up 3 Windows 2000/3 Choices: PPTP L2TP/IPSec IPSec Tunnel Mode Simplicity Low Cost Advanced Security

25 Page 25 Topics in Information Security 2007 Tel-Aviv University Thank You Questions and Discussions amigos@eng.tau.ac.il amigos@eng.tau.ac.il

26 Page 26 Topics in Information Security 2007 Tel-Aviv University Home Assignment 1.What is PPTP used for? 2.In one line, define the terms: RC4, MD5, SHA, GRE. 3.Demonstrate the “Lan Manager hash function” using a password which is your first name. Assume DES does nothing when the key is all zeroes. 4.The paper was published in 1998. Shortly (2-3 lines) describe how Microsoft solved the problems presented by this paper.

Download ppt "Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol 6 Mar. 2007 Amit Golander."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 4 Point to Point Protocol (PPP)

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 4 Point to Point Protocol (PPP)
Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.

Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.
Internet Security CSCE 813 Network Access Layer Security Protocols.

Internet Security CSCE 813 Network Access Layer Security Protocols.
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.

Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.
Georgy Melamed Eran Stiller

Georgy Melamed Eran Stiller
VPN – Virtual Private Networking. VPN A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this.

VPN – Virtual Private Networking. VPN A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this.
Virtual Private Networks Shamod Lacoul CS265 What is a Virtual Private Network (VPN)? A Virtual Private Network is an extension of a private network.

Virtual Private Networks Shamod Lacoul CS265 What is a Virtual Private Network (VPN)? A Virtual Private Network is an extension of a private network.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Remote Networking Architectures

Remote Networking Architectures
Point-to-Point Protocol (PPP) Security Connecting to remote access servers (RASs) PPP authentication PPP confidentiality Point-to-Point Tunneling Protocol.

Point-to-Point Protocol (PPP) Security Connecting to remote access servers (RASs) PPP authentication PPP confidentiality Point-to-Point Tunneling Protocol.
Microsoft Challenge Handshake Authentication Protocol CS265 Spring 2005 ChungShun Wei.

Microsoft Challenge Handshake Authentication Protocol CS265 Spring 2005 ChungShun Wei.
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Similar presentations

Ads by Google