Firewall Wizards mailing list archives

RE: Gauntlet & NTLM


From: Craig Brozefsky <craig () onshore com>
Date: Mon, 13 Oct 1997 17:25:20 -0500

On Mon, 13 Oct 1997, Ge' Weijers wrote:

> On Mon, 13 Oct 1997, Craig Brozefsky wrote:
>
> > 3.  The encryption is laughable 40 bit RSA WITHOUT EVER RENEGOTIATING
> > KEYS!!!!!  This means I now have tons of data encrypted with the same lame
> > 40 bit key, and because of all the encapsulation a good percentage of that
> > is known plaintext from the packet headers (IP/GRE/PPP/IP/TCP).  40 bit is
> > bad enough but without key negotiation over the lifetime of the connection
> > it's severely degraded.
>
> The key is changed every 256 packets, whenever the low byte of the MPPE
> frame's serial number hits 0. All the keys are derived from the original
> (MS-)CHAP exchange, though, so you do not get perfect forward
> secrecy. The amount of data sent with one key is limited to 256 * MTU, a
> couple hundred Kbytes at the most.

Where is that documented, if anywhere?  The information I read from MS 
website states that the key is derived from the user credentials.  It's 
pushed thru some permutation of MD4 and there is no mention of key 
regeneration.  Other sources, arguably competitors, state that it does 
not regenerate keys.  The draft itself makes NO mention of encryption, so 
it is even less an issue now of PPTP, but more of MS's implementation,
drawing us ever further into the realm of hacks and tomfoolery MS has 
called cryptography.



Craig Brozefsky              craig () onshore com
onShore Inc.                 http://www.onshore.com/~craig
Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
I hear my inside, the mechanized hum of another world - Steely Dan
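
The rekeying schedule discussed in this thread, as an added example that is not part of the original messages. It models the rekey trigger as the quoted reply describes it (low byte of the serial number hits 0) and uses the key-change routine later published in RFC 3078 (SHA-1 mix, RC4 self-encryption, 40-bit salt 0xD1269E). The function names and sample keys are constructed for illustration.

```python
import hashlib

SHA_PAD1 = b"\x00" * 40    # pad constants from RFC 3078
SHA_PAD2 = b"\xf2" * 40
SALT_40 = b"\xd1\x26\x9e"  # fixed first 3 octets of every 40-bit session key

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:                            # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def next_key(start_key: bytes, session_key: bytes) -> bytes:
    """One key change: SHA-1 mix, RC4 self-encryption, then the 40-bit salt."""
    n = len(session_key)
    mixed = start_key[:n] + SHA_PAD1 + session_key + SHA_PAD2
    interim = hashlib.sha1(mixed).digest()[:n]
    return SALT_40 + rc4(interim, interim)[3:]

def key_schedule(start_key: bytes, first_key: bytes, packets: int):
    """Return [(serial, key)] for each packet serial at which a key takes effect."""
    schedule, key = [(0, first_key)], first_key
    for serial in range(1, packets):
        if serial & 0xFF == 0:                # low byte of the serial number hits 0
            key = next_key(start_key, key)
            schedule.append((serial, key))
    return schedule

# Constructed sample keys, not taken from any real session.
START_KEY = bytes.fromhex("0102030405060708")
FIRST_KEY = SALT_40 + bytes.fromhex("a1a2a3a4a5")

if __name__ == "__main__":
    for serial, key in key_schedule(START_KEY, FIRST_KEY, 1024):
        unknown = 8 * (len(key) - len(SALT_40))
        print(f"packet {serial:4d}: key {key.hex()}  ({unknown} unknown bits)")
```

Every key after the first is a deterministic function of the start key and the previous key, so recovering those two values at any point yields all later keys for the session.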