Bugtraq mailing list archives

Re: MS Chap v2 analysis


From: daw () CS BERKELEY EDU (David Wagner)
Date: Mon, 12 Jul 1999 23:08:27 -0700


If I understand the MS Chap v2 key derivation process correctly,
there is a serious weakness in the way 40 bit keys are derived.

In particular, they incorporate absolutely no randomness ("salt").
(Compare to SSL, which hashes in 88 bits of salt with 40 bits of
key.)  Thus, MS Chap v2 appears vulnerable to a time-space tradeoff,
if you can find some short segment of known plaintext.

Consider Hellman's time-space tradeoff.  You need to do a 2^40
precomputation, and you need 2^26 space (a CD-ROM or a small hard
disk).  Then, you can break each subsequent session key with only
2^26 work, much weaker than you'd expect from a 40-bit key.

In other words, the export-weakened protocol appears crackable in
near-realtime, with a single computer!  Sounds like an NSA wet dream,
if I'm following the algorithm correctly.

Please tell me I'm misunderstanding something here.  Surely the
protocol can't be this broken...can it?
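
Added illustration, not part of the original post: a toy Hellman-style table over a 16-bit key space, showing that one precomputation serves every unsalted session and that a per-session salt makes the same table useless. `session_output` is a SHA-256 stand-in (an assumption, not the MS Chap v2 derivation); all names, sizes and the sample plaintext are constructed for the example.

```python
import hashlib

CHAINS, CHAIN_LEN = 256, 64      # toy table: only CHAINS endpoints are stored
KNOWN = b"known plaintext"       # constructed known-plaintext segment

def session_output(key: int, salt: bytes = b"") -> bytes:
    """Stand-in for 'known plaintext encrypted under a 16-bit session key'."""
    return hashlib.sha256(key.to_bytes(2, "big") + salt + KNOWN).digest()

def step(key: int) -> int:
    """Hellman's f: encrypt the known plaintext, reduce the output to a key."""
    return int.from_bytes(session_output(key)[:2], "big")

def build_table() -> dict:
    """One-time precomputation: walk each chain, keep endpoint -> start points."""
    table = {}
    for start in range(CHAINS):
        x = start
        for _ in range(CHAIN_LEN):
            x = step(x)
        table.setdefault(x, []).append(start)
    return table

def lookup(table: dict, observed: bytes):
    """Online phase: return the key that produced `observed`, or None."""
    y = int.from_bytes(observed[:2], "big")
    for _ in range(CHAIN_LEN):
        for start in table.get(y, []):
            x = start
            for _ in range(CHAIN_LEN):
                if session_output(x) == observed:  # full check rejects false alarms
                    return x
                x = step(x)
        y = step(y)
    return None

def demo():
    table = build_table()            # built once, before any session is seen
    key = 7
    for _ in range(10):              # pick a key that lies on a stored chain
        key = step(key)
    unsalted = lookup(table, session_output(key))
    salted = lookup(table, session_output(key, salt=b"per-session-salt"))
    return key, unsalted, salted     # unsalted == key, salted is None

if __name__ == "__main__":
    print(demo())
```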

