Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Gauntlet & NTLM (PPTP weekness)

From: "Ge' Weijers" <ge () progressive-systems com>
Date: Tue, 14 Oct 1997 15:13:01 -0400 (EDT)
Chris,


The way mppe deals with this is by sending a coherency count with each
packet.  So, when you receive a packet you check its coherency count,
and if it is one greater than the last packet received, then you use
your existing RC4 context.  This is safe.  The problem arises if a
packet is dropped.  When this happens, the receiver of the packet sends
back a CCP Reset-Request.  The sender then reinitialzes its RC4 context.

There are a couple of ways to attack based on this.  One is that you
could forge CCP Reset-Requests back to a client, causing it to continue
to send packets out with a reinitialized RC4 context.


I have to agree with you on this one. I had not read the specs closely
enough. If a congested WAN link causes retransmissions even a passive
snooper may learn things. An active attack is very simple, just flood
the net with CCP Reset packets. PP[T]P definitely needs a better
encryption protocol.

Doing it right would have been so trivial: in stead of using a coherency
count they could have used the actual offset in the stream,
mod. 2^N. No reset messages would have been necessary.

Ge'
Previous By Date Next
Previous By Thread Next

Current thread: