Re: PPTP Revisited

[paulle () MICROSOFT COM (Paul Leach)]

Nice analysis. Correct as far as I can see with a quick review. I only have
one quibble with it. See below...

> -----Original Message-----
> From: aleph1 () UNDERGROUND ORG [mailto:aleph1 () UNDERGROUND ORG]
> Sent: Saturday, February 13, 1999 11:29 AM
> To: BUGTRAQ () NETSPACE ORG
> Subject: PPTP Revisited
>
>
> · MPPE does not provide true 128-bit or 40-bit security.
>
> This is still true. Under MSCHAPv2 the MPPE session keys
> continue to be
> derived from the user password, the challenges, and some
> magic numbers. All
> this information is public with the exception of the
> password, ergo the
> session key is only as strong at the password.

Some comments:
The conclusion that the session key is only as strong as the password is
true. I think it is somewhat misleading to conclude that the protocol
doesn't offer "true" 40 or 128 bit security. It is easy to have a password
that is more than 40 bits in strength.

To give some context, it is equally true that Kerberos 5 does not provide
"true" 40 or 128 bit security -- even though it generates random session
keys, the ticket granting ticket containing the initial session key is
encrypted with a key derived from the password.

To my knowledge, the same will hold for any authentication and key exchange
protocol that doesn't use public key technology.

Paul