June 1, 1998
Jump Start Communications, LLC
SECURITY FLAWS FOUND IN MICROSOFT'S IMPLEMENTATION OF POINT-TO-POINT-TUNNELING PROTOCOL (PPTP)
Companies using Microsoft products to implement their Virtual Private Networks (VPNs) may find that their networks are not so private
MINNEAPOLIS, MN, June 1, 1998. Counterpane Systems today announced that it has discovered flaws in Microsoft's implementation of a communications protocol used in many commercial VPNs. These flaws lead to password compromise, disclosure of private information, and server inoperability in VPNs running under Windows NT and 95.
"PPTP is an Internet protocol designed to provide the security needed to create and maintain a VPN over a public Transmission Control Protocol/Interface Protocol (TCP/IP) network. This raises serious concerns as most commercial products use Microsoft's Windows NT version of the protocol. While no flaws were found in PPTP itself, several serious flaws were found in the Microsoft implementation of it.
"Microsoft's implementation is seriously flawed on several levels," according to Bruce Schneier, President of Counterpane Systems. "It uses weak authentication and poor encryption. For example, they use the user's password as an encryption key instead of using any of the well-known and more secure alternatives," explained Schneier.
"VPN implementations using PPTP products require management control software at both ends of the tunnel, as well as a cryptographic analysis of the system," said Wray West, Chief Technology Officer of Indus River Networks, a supplier of remote access VPNs. "Most implementors do not have the specific in-house cryptographic expertise to discern the subtleties that are often the root of security breaches in today's commercial servers. They rely on their vendors and information security providers to build robust, secured products," observed West.
According to the team that did the cryptanalysis, there are at least five major flaws in this implementation. They are:
- password hashing -- weak algorithms allow eavesdroppers to learn the user's password
- Challenge/Reply Authentication Protocol -- a design flaw allows an attacker to masquerade as the server
- encryption -- implementation mistakes allow encrypted data to be recovered
- encryption key -- common passwords yield breakable keys, even for 128-bit encryption
- control channel -- unauthenticated messages let attackers crash PPTP servers
A host of additional attacks were identified including bit flipping, packet resynchronization, passive monitoring of Microsoft's PPTP, and PPP (point-to-point protocol) packet negotiation spoofing -- all further compromise the intended security of any VPN. The cryptanalysis work on Microsoft's implementation of PPTP was conducted by Bruce Schneier of Counterpane Systems and expert hacker Peter Mudge.
According to Mark Chen, CTO of VeriGuard, Inc, a Menlo Park based computer security company, "The flaws in this implementation are quite amateurish." Chen continued, "A competent cryptographic review would have prevented the product from shipping in this form."
"This should serve as a caution to VPN implementors and users," said David Wagner, graduate student of University of California at Berkeley. "There are a lot of corporate security officers out there who will be very glad the 'good guys' found this first," continued Wagner. Last year, Wagner, along with Bruce Schneier and John Kelsey of Counterpane Systems, discovered a major flaw in the privacy protection used in cell phones.
Counterpane Systems is a Minneapolis, MN-based consulting firm providing expert consulting in cryptography and computer security issues. The firm has consulted for clients on five continents. Counterpane's president, Bruce Schneier, invented the Blowfish encryption algorithm, which remains unbroken after almost four years of public testing. Blowfish has been incorporated into dozens of products, including Symantec's Your Eyes Only and McAfee's PCCrypto. Schneier is also the author of five books on cryptography and computer security, including Applied Cryptography, the definitive work in this field. He has written dozens of magazine articles, presented papers at major international conferences, and lectured widely on cryptography, computer security, and privacy.
- 30 -
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc..