Firewall Wizards mailing list archives

RE: Gauntlet & NTLM


From: "Magossa'nyi A'rpa'd" <mag () bunuel tii matav hu>
Date: Tue, 14 Oct 1997 22:47:32 +0100

On Tue, 14 Oct 1997, Marcus J. Ranum wrote:

PPTP uses PPP's security extensions to encrypt the tunnel. You should
be looking at the PPP RFC's or drafts.

Ah! That's an interesting situation. Does anyone actually *implement*
the PPP RFCs for security? I know that there are all kinds of useful
things in the RFC but I don't think, for example, that my W95 PPP
stack supports encryption.
I should confess that I don't know which RFCs deal with PPP security.
Any pointers?
I did implement M$ MPPE (for Linux), which is not an RFC, and does not deal with
security. They specifically say that security issues aren't addressed.
It does, however, do encryption, and your win95 knows about it.
It is implemented in the compression layer (which is at least odd for a
protocol which expands data); it knows 40-bit RC4, and 128 if you go for it.
It makes the keys from the password, which is - according to the L0pht
people - cryptographically weak.
I regard it as hype rather than a security solution.
If you want security with PPP, you had better use ssh within, or encapsulate it
in ssh as I did in my vpn package.

---
GNU GPL: only from a clean source


