RE: PPTP viability (was RE: Gauntlet & NTLM)

[Russ <Russ.Cooper () rc on ca>]

> The Microsoft version is not. Microsoft Point-to-Point Encryption is
> very flawed, as I found out yesterday. It uses the RC4 stream cipher
> with the _same_ key every time. Stream ciphers can't be used like
> that.

The 40-bit version of MPPE (Microsoft Point-to-Point Encryption) uses an
obfuscated version of the user's password hashed using the LanManager
method as a session key. There is no challenge/response here, hence the
value will be identical every time its used. (since w95 and lower don't
do c/r, this is the only method they'd understand).

> The 128 bit version does not do that

The 128-bit version does do challenge/response, as well as the NT method
of hashing, so the session key will be different every time. The
challenge, used with the hash to create the session key, should also be
different every time and should be generated according to normal CHAP
challenge generation rules.

> but enough flaws remain not to bet the company on it.
> (I suspect they use the same key for traffic in both directions).

Probably true, however I wonder which key is used when callback is
enabled with Routing and RAS.

L2TP is available for use with NT 5.0 beta 1 from the same
ftp://ftp.microsoft.com/developr/rfc directory.

Cheers,
Russ