Analysis of Microsoft PPTP Version 2

Counterpane Labs and L0pht Heavy Industries

The full paper can be found at http://www.schneier.com/paper-pptpv2.html. Details are below.

This page and the PPTPv2 paper are available in French translations by Fernandes Gilbert.

See also: Exploiting known security holes in Microsoft's PPTP Authentication Extensions (MS-CHAPv2) by Jochen Eisinger

In 1998, Bruce Schneier and Mudge released an analysis of Microsoft PPTP. We found serious flaws in the following areas:

  • password hashing -- weak algorithms allow eavesdroppers to learn the user's password
  • Challenge/Reply Authentication Protocol -- a design flaw allows an attacker to masquerade as the server
  • encryption -- implementation mistakes allow encrypted data to be recovered
  • encryption key -- common passwords yield breakable keys, even for 128-bit encryption
  • control channel -- unauthenticated messages let attackers crash PPTP servers

Details of the 1998 analysis are in our press release and FAQ.

Since our analysis, Microsoft released an upgrade to the protocol. This upgrade is available for Windows 95, Windows 98, and Windows NT as DUN 1.3. Microsoft has made the following security upgrades to the protocol.

  • The weaker LAN Manager hash is no longer sent along with the stronger Windows NT hash. This is to prevent automatic password crackers like L0phtcrack (http://www.l0pht.com/l0phtcrack) from first breaking the weaker LAN Manager hash and then using that information to break the stronger NT hash.
  • An authentication scheme for the server has been introduced. This is to prevent malicious servers from masquerading as legitimate servers.
  • The change password packets from MS-CHAPv1 have been replaced by a single change password packet in MS-CHAPv2. This is to prevent the active attack of spoofing MS-CHAP failure packets.

MPPE uses unique keys in each direction. This is to prevent the trivial cryptanalytic attack of XORing the text stream in each direction to remove the effects of the encryption.

The software is more robust against denial-of-service attacks, and does not leak as much information about its status.

These changes address most of the major security weaknesses of the orginal protocol. However, the revised protocol is still vulnerable to offline password-guessing attacks from hacker tools such as L0phtcrack. At this point we still do not recommend Microsoft PPTP for applications where security is a factor.

Press Coverage of PPTP Version 2 Crack:

SmartReseller

Press Coverage of PPTP Version 1 Crack:

EE Times
Wired.com
USA Today
ZDNet
CNet News.com

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..