Analysis of Microsoft PPTP Version 2
Counterpane Labs and L0pht Heavy Industries
The full paper can be found at http://www.schneier.com/paper-pptpv2.html. Details are below.
See also: Exploiting known security holes in Microsoft's PPTP Authentication Extensions (MS-CHAPv2) by Jochen Eisinger
- password hashing—weak algorithms allow eavesdroppers to learn the user's password
- Challenge/Reply Authentication Protocol—a design flaw allows an attacker to masquerade as the server
- encryption—implementation mistakes allow encrypted data to be recovered
- encryption key—common passwords yield breakable keys, even for 128-bit encryption
- control channel—unauthenticated messages let attackers crash PPTP servers
Since our analysis, Microsoft released an upgrade to the protocol. This upgrade is available for Windows 95, Windows 98, and Windows NT as DUN 1.3. Microsoft has made the following security upgrades to the protocol.
- The weaker LAN Manager hash is no longer sent along with the stronger Windows NT hash. This is to prevent automatic password crackers like L0phtcrack (http://www.l0pht.com/l0phtcrack) from first breaking the weaker LAN Manager hash and then using that information to break the stronger NT hash.
- An authentication scheme for the server has been introduced. This is to prevent malicious servers from masquerading as legitimate servers.
- The change password packets from MS-CHAPv1 have been replaced by a single change password packet in MS-CHAPv2. This is to prevent the active attack of spoofing MS-CHAP failure packets.
MPPE uses unique keys in each direction. This is to prevent the trivial cryptanalytic attack of XORing the text stream in each direction to remove the effects of the encryption.
The software is more robust against denial-of-service attacks, and does not leak as much information about its status.
These changes address most of the major security weaknesses of the orginal protocol. However, the revised protocol is still vulnerable to offline password-guessing attacks from hacker tools such as L0phtcrack. At this point we still do not recommend Microsoft PPTP for applications where security is a factor.
Press Coverage of PPTP Version 2 Crack:
Press Coverage of PPTP Version 1 Crack:
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.