Bugtraq mailing list archives
Re: PPTP Revisited
From: paulle () MICROSOFT COM (Paul Leach)
Date: Sat, 13 Feb 1999 15:39:05 -0800
Nice analysis. Correct as far as I can see with a quick review. I only have one quibble with it. See below...
-----Original Message----- From: aleph1 () UNDERGROUND ORG [mailto:aleph1 () UNDERGROUND ORG] Sent: Saturday, February 13, 1999 11:29 AM To: BUGTRAQ () NETSPACE ORG Subject: PPTP Revisited ยท MPPE does not provide true 128-bit or 40-bit security. This is still true. Under MSCHAPv2 the MPPE session keys continue to be derived from the user password, the challenges, and some magic numbers. All this information is public with the exception of the password, ergo the session key is only as strong at the password.
Some comments: The conclusion that the session key is only as strong as the password is true. I think it is somewhat misleading to conclude that the protocol doesn't offer "true" 40 or 128 bit security. It is easy to have a password that is more than 40 bits in strength. To give some context, it is equally true that Kerberos 5 does not provide "true" 40 or 128 bit security -- even though it generates random session keys, the ticket granting ticket containing the initial session key is encrypted with a key derived from the password. To my knowledge, the same will hold for any authentication and key exchange protocol that doesn't use public key technology. Paul
Current thread:
- PPTP Revisited aleph1 () UNDERGROUND ORG (Feb 13)
- <Possible follow-ups>
- Re: PPTP Revisited Paul Leach (Feb 13)
- Re: PPTP Revisited aleph1 () UNDERGROUND ORG (Feb 14)