Download presentation
Presentation is loading. Please wait.
1
Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol 6 Mar. 2007 Amit Golander
2
Page 2 Topics in Information Security 2007 Tel-Aviv University Mainly based on: Cryptanalysis of MS-PPTP (Point-to-Point Tunneling Protocol) Schneier and Mudge, Proceedings of the 5th Conference on Computer and Communications Security (1998) Cited 41 times (according to scholar.google)
3
Page 3 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up
4
Page 4 Topics in Information Security 2007 Tel-Aviv University Alice Bob Eve Motivation Point-to-Point Tunneling Protocol (PPTP) Wikipedia: …PPTP is popular because it is easy to configure and it was the first VPN protocol that was supported by Microsoft…
5
Page 5 Topics in Information Security 2007 Tel-Aviv University PPTP Uses Generic Routing Encapsulation (GRE) and allows tunneling of PPP datagrams over IP networks IPGRE TCP UDP Application DataIPPPP Creating a client-server tunnel: –Establishing control connection. Negotiate algorithms for authentication and encryption –Establishing tunnel connection
6
Page 6 Topics in Information Security 2007 Tel-Aviv University What is the paper about? The paper analyzes Microsoft's Windows NT implementation of PPTP It shows how to: Break the authentication protocols (including challenge/response MS-CHAP) Break the RC4 encryption protocol (MPPE) Attack the control channel The story is about bad architecture and terrible design…
7
Page 7 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up
8
Page 8 Topics in Information Security 2007 Tel-Aviv University Authentication Authentication options in Microsoft implementation: 1.Clear Password Security hash function h=H(F) F h H 2.Hashed Password Supports two hash functions: a.LANMAN (Lan Manager) b.Windows NT hash 3.MS-CHAP challenge/response protocol
9
Page 9 Topics in Information Security 2007 Tel-Aviv University 2a. LANMAN Hash Function 1.Turn the password into a 14-character string 2.Convert all lowercase characters to uppercase 3.Split the 14B string into two 7B halves Zer4You2______ZER4YOU2______ ZER4YOU 2______ DES Constant Bytes: 0..7 8..15 4.Using each half as a DES key, encrypt a fixed constant 5.Concatenate to create a single 16-byte hash value
10
Page 10 Topics in Information Security 2007 Tel-Aviv University 2a. LANMAN - Drawbacks Dictionary Attacks are easy: Most people choose easily guessable passwords Brute force is also reasonable: No lower case The same password will always have the same hashed password => Can pre-compute a dictionary of hashed passwords. Halves are hashed independently => Can be brute-forced independently (7B complexity at most) => Passwords of seven characters or less can be immediately recognized.
11
Page 11 Topics in Information Security 2007 Tel-Aviv University 2b. Windows NT Hash Construction: 1.The password is converted to Unicode 2.The password is hashed using MD4 yielding 16B Drawbacks: Always sent along side the older LAN Manager hash value… + Fixed older drawbacks of upper case and hashing halves. Did not fix the vulnerability to dictionary attacks and pre-computation Weaknesses in MD4 were demonstrated in 1991
12
Page 12 Topics in Information Security 2007 Tel-Aviv University 3. MS-CHAP Challenge Handshake Authentication Protocol (CHAP) 1.Calculate the hash (16B) 2.Pad to create a 21B string 3.Partition to three 7B keys. Each key is used to encrypt the challenge. Look up the hash Do steps 2+3 Compare result Login request 8B random challenge 24B result
13
Page 13 Topics in Information Security 2007 Tel-Aviv University MS-CHAP - Drawbacks Same hash weaknesses, but pre-computing is not feasible MS_CHAP client reply divided to thirds Server is not authenticated DES C hallenge P assword 0..13 H ashed 0..15 R esult 0..23 C hallenge 0..7 LANMAN S constant P 0..6 H 0.. 7 H 0.. 6 H 7.. 13 H 14,15,pads R 0.. 7, 8..15, 16..23 P 7..13 H 8.. 15
14
Page 14 Topics in Information Security 2007 Tel-Aviv University Breaking MS-CHAP DES C hallenge P assword 0..13 H ashed 0..15 R esult 0..23 C hallenge 0..7 LANMAN S constant P 0..6 H 0.. 7 H 0.. 6 H 7.. 13 H 14,15,pads R 0.. 7, 8..15, 16..23 1. C and R are known, so try avg. 2 15 values of H 14.. 15 P 7..13 H 8.. 15 2. S and H 14..15 are known, so filter possible values of P 7..13 (N/2 16 ) Concatenate the possible to all values of H 7 (*<2 8 ) until equals R 8..15 3. Similarly, H 7 is known, so filter possible values of P 0..6 (M/2 8 )
15
Page 15 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up
16
Page 16 Topics in Information Security 2007 Tel-Aviv University Encryption Microsoft Point-to-Point Encryption (MPPE) MPPE uses a RC4 stream cipher (output feedback) Determining the key: Key C i = P i + Z i RC4 ZiZi ZiZi Key NT hash P 0..13 LANMAN P 0..13 H 0.. 15 MS-CHAP challenge 0.. 15 SHA-0 H 0.. 15 SHA-0 0xD1269E 40 bits 128 bits
17
Page 17 Topics in Information Security 2007 Tel-Aviv University Encryption - Drawbacks Not all PPP packets are encrypted Key calculated from password (< 40/128-bit key) Can pre-compute 40-bit key streams -> Dictionary of cipher text PPP headers Key stream is reused over and over again: –By the client and server –During the same session (resync) –For the 40-bit version, on different sessions as well C i = P i + Z i C i + C` i = P i + Z i + P` i + Z` i Synchronization manipulation Vulnerable to bit flip attacks
18
Page 18 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up
19
Page 19 Topics in Information Security 2007 Tel-Aviv University Other Attacks PPTP control channel is not encrypted and contains too much information, example: Number of PPTP virtual tunnels the server has available PPP configuration packets are not encrypted and not authenticated, example: Modify the internal DNS address handed to the client DoS attacks
20
Page 20 Topics in Information Security 2007 Tel-Aviv University Outline : Background Authentication Encryption Other attacks Follow-up
21
Page 21 Topics in Information Security 2007 Tel-Aviv University Summary The paper analyzes Microsoft's Windows NT implementation of PPTP It shows how to: Break the authentication protocols (including challenge/response MS-CHAP) Break the RC4 encryption protocol (MPPE) Attack the control channel The story is about bad architecture and terrible design…
22
Page 22 Topics in Information Security 2007 Tel-Aviv University 90 days later… http://www.microsoft.com/technet/security/bulletin/ms98-012.asp http://www.microsoft.com/technet/security/bulletin/ms98-012.asp –MS-CHAPv2 created LANMAN is no longer sent along the stronger Win NT hash Server is authenticated as well Spoofing (Change password packets) Windows Vista drops support for MS-CHAPv1 –MPPE updated MPPE uses unique keys in each direction. Follow-up 1
23
Page 23 Topics in Information Security 2007 Tel-Aviv University 1999 - Schneier, Mudge and Wagner: Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) Objective: “Assess the improvements and remaining weaknesses in MS-PPTP” Conclusion: Some things were fixed, but… Need authentication and key-exchange protocols which do not allow dictionary attacks against the user's password. PPTP -> IPSec Follow-up 2
24
Page 24 Topics in Information Security 2007 Tel-Aviv University 1999 - L2TP (Layer 2 Tunneling Protocol) IP UDP packet security provided by IPSec Control and data TCP UDP Application DataUDPIP IPSECL2TPPPPIPSEC IPSec DES or 3DES encrypted Follow-up 3 Windows 2000/3 Choices: PPTP L2TP/IPSec IPSec Tunnel Mode Simplicity Low Cost Advanced Security
25
Page 25 Topics in Information Security 2007 Tel-Aviv University Thank You Questions and Discussions amigos@eng.tau.ac.il amigos@eng.tau.ac.il
26
Page 26 Topics in Information Security 2007 Tel-Aviv University Home Assignment 1.What is PPTP used for? 2.In one line, define the terms: RC4, MD5, SHA, GRE. 3.Demonstrate the “Lan Manager hash function” using a password which is your first name. Assume DES does nothing when the key is all zeroes. 4.The paper was published in 1998. Shortly (2-3 lines) describe how Microsoft solved the problems presented by this paper.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.