Firewall Wizards mailing list archives

Re: Gauntlet & NTLM (PPTP weakness)


From: Chris Boscolo <chris.boscolo () watchguard com>
Date: Tue, 14 Oct 1997 11:51:11 -0700

Ge' Weijers wrote:

MPPE is somewhat flawed:

- 40 bit encryption is not enough for high security
- MD4 has been successfully cryptanalyzed, though that research may not be
  relevant because MD4 is not used as a MAC here
- if the key is ever compromised all old traffic can be decrypted

MPPE is not trivial to crack, though. RC4 is a decent cipher, known
weak keys are avoided, and the key is changed at regular intervals. I
would not recommend it to customers who are afraid of (industrial)
espionage by wealthy competitors, though, especially not the 40-bit
version. It all depends on what you're trying to protect.

Ge'

One thing to note, the cipher alone is not what makes an encryption
protocol good or bad.  MPPE has an interesting weakness for
man-in-the-middle type attacks.  Here's the scoop.

With RC4 the data is XOR'd with the pseudo-random sequence seeded with
the password.  If you encrypt two blocks of data with a reinitialized
RC4 context, and you can make some guess at the original data, you can
decrypt the second block, and every block following (if they too were
encrypted with a reinitialized context).

The way mppe deals with this is by sending a coherency count with each
packet.  So, when you receive a packet you check its coherency count,
and if it is one greater than the last packet received, then you use
your existing RC4 context.  This is safe.  The problem arises if a
packet is dropped.  When this happens, the receiver of the packet sends
back a CCP Reset-Request.  The sender then reinitializes its RC4 context.

There are a couple of ways to attack based on this.  One is that you
could forge CCP Reset-Requests back to a client, causing it to continue
to send packets out with a reinitialized RC4 context.

        - chrisb
--
 Chris Boscolo               chris.boscolo () WatchGuard com
 WatchGuard Technologies     (206) 521-8348
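
The keystream-reuse property described in the message above, as an added example that is not part of the original post or of any MPPE implementation. It assumes a reset restarts RC4 from the same key, as the post describes; the key, packets and function names are constructed for illustration.

```python
# Added illustration; key and packets below are constructed sample values.

def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_packets(key: bytes, packets, reinit_each: bool):
    """Encrypt packets in order; reinit_each=True models a reset before every packet."""
    ks = rc4_keystream(key)
    out = []
    for p in packets:
        if reinit_each:
            ks = rc4_keystream(key)  # same key, so the keystream restarts at byte 0
        out.append(bytes(b ^ next(ks) for b in p))
    return out


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """c_known XOR p_known is the keystream; it opens c_target only if that keystream was reused."""
    return xor(xor(c_known, p_known), c_target)


KEY = bytes.fromhex("0102030405")                     # constructed 40-bit key
PACKETS = [b"GET /index.html ", b"user=alice&pin=1"]  # constructed, equal length


def demo():
    """Return the recovery attempt against reinitialized and continuous contexts."""
    reset = encrypt_packets(KEY, PACKETS, reinit_each=True)
    cont = encrypt_packets(KEY, PACKETS, reinit_each=False)
    return (recover_with_known_plaintext(reset[0], PACKETS[0], reset[1]),
            recover_with_known_plaintext(cont[0], PACKETS[0], cont[1]))
```

With the context carried across packets, the second packet is covered by fresh keystream bytes and the same computation yields only noise, which is why the in-sequence coherency-count path is the safe one.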


