Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol 6 Mar. 2007 Amit Golander.


1 Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol 6 Mar. 2007 Amit Golander

2 Topics in Information Security 2007, Tel-Aviv University
Mainly based on: Cryptanalysis of MS-PPTP (Point-to-Point Tunneling Protocol), Schneier and Mudge, Proceedings of the 5th Conference on Computer and Communications Security (1998)
Cited 41 times (according to scholar.google)

3 Outline: Background, Authentication, Encryption, Other attacks, Follow-up

4 Motivation
Point-to-Point Tunneling Protocol (PPTP)
Wikipedia: …PPTP is popular because it is easy to configure and it was the first VPN protocol that was supported by Microsoft…
[Figure: Alice, Bob, Eve]

5 PPTP
– Uses Generic Routing Encapsulation (GRE) and allows tunneling of PPP datagrams over IP networks
  [Figure, packet layout: IP | GRE | PPP | IP | TCP/UDP | Application Data]
– Creating a client-server tunnel:
  – Establishing control connection. Negotiate algorithms for authentication and encryption
  – Establishing tunnel connection

6 What is the paper about?
– The paper analyzes Microsoft's Windows NT implementation of PPTP
– It shows how to:
  – Break the authentication protocols (including challenge/response MS-CHAP)
  – Break the RC4 encryption protocol (MPPE)
  – Attack the control channel
– The story is about bad architecture and terrible design…

7 Outline: Background, Authentication, Encryption, Other attacks, Follow-up

8 Authentication
Authentication options in Microsoft implementation:
1. Clear Password
2. Hashed Password. Supports two hash functions:
   a. LANMAN (Lan Manager)
   b. Windows NT hash
3. MS-CHAP challenge/response protocol
[Figure: security hash function, h = H(F)]

9 2a. LANMAN Hash Function
1. Turn the password into a 14-character string
2. Convert all lowercase characters to uppercase
3. Split the 14B string into two 7B halves
4. Using each half as a DES key, encrypt a fixed constant
5. Concatenate to create a single 16-byte hash value
[Figure, example: Zer4You2______ → ZER4YOU2______ → ZER4YOU | 2______; each half keys DES over the constant, giving hash bytes 0..7 and 8..15]

10 2a. LANMAN - Drawbacks
– Dictionary attacks are easy: most people choose easily guessable passwords
– Brute force is also reasonable:
  – No lower case
  – The same password will always have the same hashed password => can pre-compute a dictionary of hashed passwords
  – Halves are hashed independently => can be brute-forced independently (7B complexity at most) => passwords of seven characters or less can be immediately recognized
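An added sketch (not code from the presentation or the paper) of the structural drawbacks listed above. Assumption: DES is replaced by a truncated HMAC-SHA256 stand-in so the block runs on the standard library alone, so its outputs are not real LANMAN hashes; the zero-byte padding and the constant `KGS!@#$%` follow the real algorithm, while the function names and the word list are hypothetical.

```python
import hashlib
import hmac

LM_CONSTANT = b"KGS!@#$%"  # the fixed 8-byte constant LANMAN encrypts


def half_hash(key7: bytes) -> bytes:
    """STAND-IN for DES(key=key7, block=LM_CONSTANT); this is not real DES."""
    return hmac.new(key7, LM_CONSTANT, hashlib.sha256).digest()[:8]


def pad7(piece: bytes) -> bytes:
    """Pad (or cut) one half to exactly 7 bytes with zero bytes."""
    return piece[:7].ljust(7, b"\x00")


def lanman_like(password: str) -> bytes:
    """Slide steps 1-5: pad to 14, uppercase, split 7+7, hash each, join."""
    p = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return half_hash(p[:7]) + half_hash(p[7:])


# Every password of seven characters or less ends in this same 8-byte value.
EMPTY_HALF = half_hash(b"\x00" * 7)


def is_seven_or_less(lm: bytes) -> bool:
    """Audit check: the second half gives away a short password at a glance."""
    return lm[8:] == EMPTY_HALF


def lookup_halves(lm: bytes, words):
    """No salt, independent halves: one precomputed table of 7-byte pieces
    answers both halves of every stored hash."""
    table = {half_hash(pad7(w.upper().encode("ascii"))): w.upper() for w in words}
    return table.get(lm[:8]), table.get(lm[8:])
```

For password audits the practical reading is that a stored LANMAN value protects at most two independent, case-insensitive 7-character secrets.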

11 2b. Windows NT Hash
Construction:
1. The password is converted to Unicode
2. The password is hashed using MD4 yielding 16B
Drawbacks:
– Always sent alongside the older LAN Manager hash value…
+ Fixed older drawbacks of upper case and hashing halves.
– Did not fix the vulnerability to dictionary attacks and pre-computation
– Weaknesses in MD4 were demonstrated in 1991

12 3. MS-CHAP
Challenge Handshake Authentication Protocol (CHAP)
Exchange: Login request → 8B random challenge → 24B result
Client:
1. Calculate the hash (16B)
2. Pad to create a 21B string
3. Partition to three 7B keys. Each key is used to encrypt the challenge.
Server:
– Look up the hash
– Do steps 2+3
– Compare result

13 MS-CHAP - Drawbacks
– Same hash weaknesses, but pre-computing is not feasible
– MS-CHAP client reply divided to thirds
– Server is not authenticated
[Figure, notation and data flow: C = Challenge (bytes 0..7), P = Password (0..13), H = Hashed (0..15), R = Result (0..23), S = LANMAN constant. P 0..6 → H 0..7 and P 7..13 → H 8..15 (DES over S); H 0..6, H 7..13 and H 14,15 + pads are the DES keys applied to C, giving R 0..7, R 8..15, R 16..23]

14 Breaking MS-CHAP
[Figure, notation: C = Challenge (bytes 0..7), P = Password (0..13), H = Hashed (0..15), R = Result (0..23), S = LANMAN constant; P 0..6 → H 0..7, P 7..13 → H 8..15; DES keys H 0..6, H 7..13 and H 14,15 + pads applied to C give R 0..7, R 8..15, R 16..23]
1. $C$ and $R$ are known, so try avg. $2^{15}$ values of $H_{14..15}$
2. $S$ and $H_{14..15}$ are known, so filter possible values of $P_{7..13}$ ($N/2^{16}$). Concatenate the possible values to all values of $H_7$ ($* < 2^8$) until the result equals $R_{8..15}$
3. Similarly, $H_7$ is known, so filter possible values of $P_{0..6}$ ($M/2^8$)

15 Outline: Background, Authentication, Encryption, Other attacks, Follow-up

16 Encryption
Microsoft Point-to-Point Encryption (MPPE)
– MPPE uses an RC4 stream cipher (output feedback): $C_i = P_i + Z_i$, where $Z_i$ is the RC4 output for Key
– Determining the key:
  [Figure, key derivation: 40 bits: P 0..13 → LANMAN → H 0..15 → SHA-0, with 0xD1269E; 128 bits: P 0..13 → NT hash → H 0..15, with the MS-CHAP challenge → SHA-0]

17 Encryption - Drawbacks
– Not all PPP packets are encrypted
– Key calculated from password (< 40/128-bit key)
– Can pre-compute 40-bit key streams -> dictionary of cipher text PPP headers
– Key stream is reused over and over again:
  – By the client and server
  – During the same session (resync)
  – For the 40-bit version, on different sessions as well
  $C_i = P_i + Z_i$
  $C_i + C'_i = P_i + Z_i + P'_i + Z'_i$
– Synchronization manipulation
– Vulnerable to bit flip attacks
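An added example (not from the presentation or the paper) of the keystream-reuse and bit-flip drawbacks above, using real RC4 and reading + as XOR; it also shows the equality disappearing once each direction has its own key. Assumptions: the keys and packet contents are constructed, and `mppe_like_encrypt` is a hypothetical name that models only C_i = P_i + Z_i, not MPPE framing.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Real RC4: key scheduling, then n bytes of keystream Z."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_like_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C_i = P_i + Z_i, with the keystream restarted from the key."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


# Constructed sample data (not captured traffic), 20 bytes each.
KEY = bytes.fromhex("d1269e1122334455")        # 0xD1269E + 40 constructed bits
KEY_OTHER_DIRECTION = bytes.fromhex("d1269e5544332211")
P_CLIENT = b"GET /payroll?id=0100"
P_SERVER = b"220 mail.example ok\n"


def ciphertext_xor_equals_plaintext_xor(k_client: bytes, k_server: bytes) -> bool:
    """True when both directions share Z: C + C' = P + P' (Z cancels)."""
    c = mppe_like_encrypt(k_client, P_CLIENT)
    c2 = mppe_like_encrypt(k_server, P_SERVER)
    return xor(c, c2) == xor(P_CLIENT, P_SERVER)


def recover_other_plaintext(c: bytes, c2: bytes, known_p2: bytes) -> bytes:
    """With Z reused, one known plaintext reveals the other: P = C + C' + P'."""
    return xor(xor(c, c2), known_p2)


def flip(cipher: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """No integrity check: XORing (old + new) into C rewrites P predictably."""
    end = offset + len(old)
    return cipher[:offset] + xor(cipher[offset:end], xor(old, new)) + cipher[end:]
```

The bit-flip case is independent of key reuse: per-direction keys remove the C + C' leak but do nothing for integrity.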

18 Outline: Background, Authentication, Encryption, Other attacks, Follow-up

19 Other Attacks
– PPTP control channel is not encrypted and contains too much information, example:
  – Number of PPTP virtual tunnels the server has available
– PPP configuration packets are not encrypted and not authenticated, example:
  – Modify the internal DNS address handed to the client
– DoS attacks

20 Outline: Background, Authentication, Encryption, Other attacks, Follow-up

21 Summary
– The paper analyzes Microsoft's Windows NT implementation of PPTP
– It shows how to:
  – Break the authentication protocols (including challenge/response MS-CHAP)
  – Break the RC4 encryption protocol (MPPE)
  – Attack the control channel
– The story is about bad architecture and terrible design…

22 Follow-up 1
90 days later… http://www.microsoft.com/technet/security/bulletin/ms98-012.asp
– MS-CHAPv2 created
  – LANMAN is no longer sent along the stronger Win NT hash
  – Server is authenticated as well
  – Spoofing (Change password packets)
  – Windows Vista drops support for MS-CHAPv1
– MPPE updated
  – MPPE uses unique keys in each direction.

23 Follow-up 2
1999 - Schneier, Mudge and Wagner: Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)
– Objective: “Assess the improvements and remaining weaknesses in MS-PPTP”
– Conclusion: Some things were fixed, but…
  – Need authentication and key-exchange protocols which do not allow dictionary attacks against the user's password.
  – PPTP -> IPSec

24 Follow-up 3
1999 - L2TP (Layer 2 Tunneling Protocol)
– IP UDP packet
– Security provided by IPSec
– Control and data
[Figure, packet layout with the labels IP, IPSEC, UDP, L2TP, PPP, TCP/UDP, Application Data, IPSEC; IPSec DES or 3DES encrypted]
Windows 2000/3 choices: PPTP, L2TP/IPSec, IPSec Tunnel Mode
[Figure labels: Simplicity, Low Cost, Advanced Security]

25 Thank You
Questions and Discussions
amigos@eng.tau.ac.il

26 Home Assignment
1. What is PPTP used for?
2. In one line, define the terms: RC4, MD5, SHA, GRE.
3. Demonstrate the “Lan Manager hash function” using a password which is your first name. Assume DES does nothing when the key is all zeroes.
4. The paper was published in 1998. Shortly (2-3 lines) describe how Microsoft solved the problems presented by this paper.

