Firewall Wizards mailing list archives
PPTP again
From: Tina Bird <tbird () iegroup com>
Date: Mon, 09 Nov 1998 21:13:53 -0600
Hi all -- AFAIK, the latest Microsoft patches to PPTP have not undergone the same level of Schneier et al. inspection that the NT 4.0 version has, but here's a summary (an ugly cut-and-paste from my VPN class, sorry):

** PPTP specification developed by Microsoft, Ascend, others
** originally designed as an encapsulation mechanism, to transport non-TCP/IP traffic over the Internet using GRE
** security features added later

[The PPTP specification was originally developed by a consortium that included Ascend Communications, 3Com/Primary Access, ECI Telematics, U.S. Robotics and Microsoft. The specification itself is fairly generic, and allows for a variety of authentication mechanisms and encryption algorithms. However, the vast majority of PPTP users implement the Microsoft version. The following discussion of PPTP security issues is specific to the Microsoft implementation.]

** PPTP server -- NT 4.0 or later
** PPTP clients -- Win 95/98/NT; WFW, Macintosh with 3rd party hardware
** Authentication/authorization mechanisms limited to NT domain security; manage access to non-NT domain resources via network segregation, RADIUS (maybe)

[If you are constructing a VPN system for Microsoft clients to connect into Microsoft networks, PPTP may be a reasonable choice. However, for those of you with Novell systems, or road warriors with Linux laptops, it's probably not so useful. PPTP can be used to control access to the private network via NT domain security controls (user- and group-level access to domain resources), and by segregating resources on the corporate network. Use of PPTP requires that IP forwarding be enabled on the NT server. Setting up a PPTP system requires configuring the Remote Access Server capability on the NT server, adding routing functionality to the RAS system, applying several newly-released security patches, and configuring the PPTP-specific registry keys. And hardening the server itself.]

Security Concerns:

** Flawed encryption mechanism -- non-random keys, session keys weak hash of user password, key lengths too short (non-configurable)
** Bad password management in mixed Win95/NT environment; static passwords easily compromised

[The initial release of PPTP used the MSCHAP mechanism for end-user authentication. After numerous criticisms that MSCHAP was easily compromised, especially in situations when Windows 95 was the client operating system, Microsoft released a patch to the original authentication protocol. To quote the Microsoft Web site:

    This new protocol provides mutual authentication, stronger initial data encryption keys, and different encryption keys for the transmit and receive paths. To minimize the risk of password compromise during MSCHAP exchanges, MSCHAP V2 drops support for the MSCHAP password change V1, and will not transmit the LMHash encoding of the password. ...For VPN connection requests, a Windows NT server will offer MSCHAP V2 before offering the legacy MSCHAP. Updated Windows clients (all platforms) will accept MSCHAP V2 when it is offered. (August 18, 1998)

Microsoft also added a new registry key, SecureVPN, that forces incoming VPN connection requests to use the new authentication mechanism. These changes should prevent a PPTP client from indicating use of the older, LMHash mechanism. However, the effectiveness of these patches has not yet been verified by any independent reviewer.]

[Note that the dependence of PPTP authentication on MSCHAP makes it vulnerable to attacks using l0phtcrack -- so it's the only VPN tool with its own l0pht hyperlink!]

** Vulnerable to server spoofing attacks because packet authentication not implemented, easy denial-of-service attacks even inside firewalls
** MS claims cryptographic weaknesses not yet exploited

[Also note that although Microsoft describes PPTP as using either 40-bit or 128-bit encryption, their use of the user's password to create a session key, rather than a randomly generated key, greatly reduces the strength of the encryption process. None of the recent security releases addresses this issue. Microsoft claims to have improved the mechanism that generates session keys (which is based on a hash of the user's password). If this is true, it helps protect against hijacking attacks, as well as making brute force crypto attacks harder. NB: even this enhancement does not improve the cryptographic weakness, which is based on the flawed decision to use passwords to generate keys. Remember, no matter how strong an encryption algorithm is, it can be compromised via a brute-force attack. The only protection against brute force is a long key length, with purely random keys - not what Microsoft has implemented. And again, this enhancement has not been verified (as of November 1998) by any third-party evaluator.]

And of course, there are potential issues with getting GRE through a lot of commercial firewalls, and lots of problems with technical support on a system that could rapidly become mission-critical.

Sorry for the length -- comments welcome -- Tina
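As an added illustration (not part of Tina's post, and not a reproduction of Microsoft's actual MSCHAP/MPPE key derivation), the following Python shows the two properties the post objects to: a key derived only from the user's password comes out identical in every session, and its effective strength is bounded by the password's entropy rather than by the nominal 40 or 128 bits. The hash used (truncated SHA-256) and the password-policy numbers are assumptions chosen for the demonstration.

```python
import hashlib
import math
import secrets


def password_derived_key(password: str, bits: int = 128) -> bytes:
    """Illustrative password-only key derivation (assumption: truncated SHA-256;
    this is NOT Microsoft's algorithm). No per-session randomness is mixed in,
    so the same password always yields the same key."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return digest[: bits // 8]


def random_session_key(bits: int = 128) -> bytes:
    """What a properly designed VPN does instead: a fresh random key per session."""
    return secrets.token_bytes(bits // 8)


def effective_key_bits(nominal_bits: int, charset_size: int, password_length: int) -> float:
    """Effective strength of a password-derived key against brute force.

    An attacker who knows the derivation only has to guess the password, so the
    work factor is min(nominal key length, password entropy in bits)."""
    password_bits = password_length * math.log2(charset_size)
    return min(nominal_bits, password_bits)


def sessions_share_a_key(keygen, sessions: int = 3) -> bool:
    """True if every session ends up with the same key (no per-session randomness).
    keygen is a zero-argument callable returning the key for one session."""
    return len({keygen() for _ in range(sessions)}) == 1


if __name__ == "__main__":
    # Constructed example values: a "128-bit" key derived from an 8-character
    # lowercase password versus a genuinely random 128-bit key.
    print("effective bits, 128-bit key from 8 lowercase chars:",
          round(effective_key_bits(128, 26, 8), 1))
    print("effective bits, 40-bit key from 20 printable chars:",
          effective_key_bits(40, 95, 20))
    print("password-derived key repeats across sessions:",
          sessions_share_a_key(lambda: password_derived_key("hunter2")))
    print("random session key repeats across sessions:",
          sessions_share_a_key(random_session_key))
```

The numbers make the post's point concrete: an 8-character lowercase password gives roughly 37.6 bits of work for the attacker no matter how long the cipher key nominally is, and because nothing random enters the derivation, capturing one session's traffic is as good as capturing all of them.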
Date: Sat, 07 Nov 1998 21:35:40 +0000
From: Crispin Cowan <crispin () cse ogi edu>
Organization: Oregon Graduate Institute
X-Mailer: Mozilla 4.5b2 [en] (X11; I; Linux 2.0.35 i586)
X-Accept-Language: en
To: Dennis Nwaigbo <dnwaig () ctp com>
CC: firewall-wizards () nfr net
Subject: Re: VPN implementation
Sender: owner-firewall-wizards () nfr net
Reply-To: Crispin Cowan <crispin () cse ogi edu>

Dennis Nwaigbo wrote:
> Hello gangs,
> I am building a VPN solution for our company. What I am trying to do is build a VPN through the internet so that my users can have secure data access at the corporate headquarters through the corporate WAN. The environment is purely an NT shop. The intent is to use native PPTP for connectivity. My questions are as follows:
> * I intend to use the native PPTP for connectivity. What are the ups and downs of this protocol for this solution?
> * What are the security ramifications for using PPTP instead of IPSec?

Bruce Schneier has an excellent analysis of the security of PPTP here: http://www.counterpane.com/pptp.html

Basically, it's dreadful. From reading Schneier's analysis of PPTP, I would use something else.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98