Frequently Asked Questions about Microsoft's PPTP Implementation
1. What did Bruce Schneier and Mudge actually do?
They found security flaws in Microsoft PPTP that allow attacks to sniff passwords across the network, break the encryption scheme and read confidential data, and mount denial of service attacks against PPTP servers. They did not find flaws in PPTP, only in Microsoft's implementation of it.
2. What is PPTP?
PPTP stands for point-to-point tunneling protocol. It is an Internet protocol commonly used in Virtual Private Network (VPN) products. Windows NT supports PPTP server, and both Windows NT and Windows 95 support PPTP client.
3. How bad is it?
Very. Microsoft PPTP is very broken, and there's no real way to fix it without taking the whole thing down and starting over. This isn't just one problem, but six different problems, any one of which breaks the protocol.
4. Doesn't Microsoft know better?
You'd think they would. The mistakes they made are not subtle; they're "kindergarten cryptographer" mistakes. The encryption is used in a way that completely negates its effectiveness. The documentation claims 128-bit keys, even though nothing remotely close to that key length is actually used. Passwords are protected by hash functions so badly that most can be easily recovered. And the control channel is so sloppily designed that anyone can cause a Microsoft PPTP server to go belly up.
Well, anyone who can see the server. If it's inside a firewall, it might be safe. But the point of these servers is to act as VPNs; users outside the firewall use Microsoft PPTP to tunnel inside the network. So if the server is set up in this manner, it can be kicked over from anywhere in the world.
6. What's the answer?
Don't use Microsoft PPTP. Again, this attack is against Microsoft PPTP, not PPTP in general. PPTP allows all sorts of encryption and authentication schemes; Microsoft just invented some really lousy ones. Even better, if you are a VPN user, use IPSec. This is a much more robust protocol.
7. Are there alternatives?
The main alternative is IPSec. It is an open standard, designed under the direction of the IETF. It has been developed completely in public, and is not owned by any one company. It will be used in future VPN products. The gross cryptographic mistakes that we found in Microsoft's PPTP only happen with proprietary protocols, not with public ones such as IPSec.
8. Have you pointed these flaws out to Microsoft?
Microsoft has been aware for over a year that the Windows NT password protocol is insecure; L0phtcrack has been publicly available for that long. Their reaction has been to either ignore the vulnerabilities or belittle them. We've found that Microsoft doesn't take a security problem seriously until it is reported in the press, and even then they are much more likely to generate a misleading press release. Their strategy seems to be to simply wait until the public eye moves elsewhere.
9. What does Microsoft have to say about your discovered flaws?
We have not received any response from Microsoft, yet.
10. Did you work with Microsoft?
No. We worked with Microsoft products. Everything we found was based on our own testing on our own test network.
11. Who paid you to do the cryptanalysis?
We were retained by a client who was considering using Microsoft PPTP in their VPN product. Their needs were much more general than the analysis we did, and we completed the detailed analysis on our own time because it was interesting.
12. How significant is the economic impact of using Microsoft's PPTP implementation?
It depends on your data. But if you're relying on Microsoft PPTP to protect your network, then you're leaving yourself wide open to attack.
13. Is there a way to fix the current MS-PPTP implementation?
No. Well, Microsoft could rewrite the whole thing from scratch if they wanted to. Customers have no way of fixing it; they can either use it or not.The best thing to do is to use an IPSec VPN. There are several on the market, and there will be more.
14. Why didn't Microsoft have a thorough cryptographic review done of this protocol before they released it?
We haven't a clue. It would have been the right thing to do.
15. Can you replace MS-PPTP with IPSec or another tunneling protocol easily in NT or does it have to come directly from Microsoft?
Someone who is developing a VPN product can, but individual users cannot. IPSec is fast becoming the preferred protocol for VPNs.
16. I have heard of prior security-flawed products such as Netscape's Navigator browser and yet it didn't seem to have much real economic effect on the marketplace. Isn't this likely to be the case here as well?
Yes. Most people seem to downplay the importance of good security. Products that are buzzword compliant—that have strong algorithms and long keylengths and meet standards—do very well in the marketplace even though they may be completely insecure.
17. How certain are you that what you say about MS-PPTP is true?
All the analysis has been verified in the labs of Counterpane Systems. We stand by our work.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.