Firewall Wizards mailing list archives

Re: PPP Encryption ?(was old thread Gauntlet & NTLM)


From: Aleph One <aleph1 () dfw net>
Date: Mon, 27 Oct 1997 23:22:47 -0600 (CST)

So my question (statement) is:

PPTP draft points to PPP for the encryption support. The PPP RFC does NOT
address encryption. There are other RFCs (i.e. MPPE) which use the PPP
compression field to support encryption over PPP links.

Please someone correct any problems with the above statement.

PPTP uses MPPE (Microsoft Point-to-Point Encryption). Only God knows why
they decided to use the compression field. MPPE uses RC4. The 40-bit
version of MPPE does not do challenge/response. It hashes an obfuscated
password using DES (LANMAN style). The 128-bit version does do NT style
challenge/response. Since RC4 is a stream cipher and the 40-bit version
always uses the same key it means you can simply xor two captured sessions
together to obtain the key. As has been mentioned before you can also shut down
the session by killing the control connection. It was also noted that you
can spoof a PPP CCP Reset-Request packet which will reinitialize the
encryption tables with the obvious vulnerabilities that allowing an
attacker to select when or what to encrypt with a given key using a
stream cipher implies. To add insult to injury here is a little quote
from the MPPE RFC:

Security Considerations

   Security issues are not discussed in this memo.

I think that pretty much sums it up.

TIA,

Phil Cox


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer Incident Advisory Capability (CIAC)    Philip C. Cox
(510)422-8193                                   (510)422-8564
ciac () llnl gov                                   pcc () llnl gov
-------------------------------------------------------------------
PGP Fingerprint : F76C F6B8 E2D4 7796 119A  6263 89A9 3714 E646 93CC


Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
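The keystream-reuse problem Aleph One describes above, worked through as an added example that is not part of the original post or of any MPPE implementation. RC4 is implemented inline; the 5-byte key, the two "sessions" and their PPP-style plaintexts are constructed for the demo (the key is an arbitrary stand-in, not a real MPPE-derived key). The same model covers the Reset-Request case: every session, and every reset, restarts the keystream from position 0.

```python
"""
Added example (not code from the original post): why a stream cipher
whose key (and therefore keystream) is reused across sessions is broken.
RC4 is implemented inline; all data below is constructed for the demo.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 KSA + PRGA; returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_session(key: bytes, plaintext: bytes) -> bytes:
    """Models a link that starts its keystream at position 0 for every
    session (fixed-key 40-bit mode) or after every CCP Reset-Request."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


def xor_of_plaintexts(ct1: bytes, ct2: bytes) -> bytes:
    """Same keystream on both sides: C1 xor C2 == P1 xor P2, key cancels."""
    return xor(ct1, ct2)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known (or attacker-chosen, e.g. after a forged reset) plaintext
    returns the keystream prefix used for it."""
    return xor(ciphertext, known_plaintext)


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Reuse the recovered keystream against any other session."""
    return xor(ciphertext, keystream)


# Constructed demo data (hypothetical key, hypothetical traffic).
KEY = bytes.fromhex("0102030405")            # arbitrary 40-bit key
PPP_HDR = b"\xff\x03\x00\x21"                # PPP addr/ctrl + IP protocol
SESSION1 = PPP_HDR + b"GET /index.html HTTP/1.0\r\n"   # guessable crib
SESSION2 = PPP_HDR + b"USER alice\r\nPASS s3cret!\r\n"  # what we want


def demo() -> bytes:
    """Capture two sessions, crib the first, read the second."""
    ct1 = encrypt_session(KEY, SESSION1)
    ct2 = encrypt_session(KEY, SESSION2)
    # 1. XOR of the two captures is the XOR of the two plaintexts.
    assert xor_of_plaintexts(ct1, ct2) == xor(SESSION1, SESSION2)
    # 2. A crib on session 1 gives the keystream, which decrypts session 2.
    keystream = recover_keystream(ct1, SESSION1)
    return decrypt_with_keystream(ct2, keystream)


if __name__ == "__main__":
    print(demo())
```

The crib here is the PPP header plus a predictable request, which is exactly the kind of plaintext an attacker can count on; a forged Reset-Request makes it even easier, because the attacker can then cause traffic of their own choosing to be encrypted from keystream position 0.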



