PPTP again

[Tina Bird <tbird () iegroup com>]

Hi all -- AFAIK, the latest Microsoft patches to PPTP have not undergone the
same
level of Schneier et al. inspection that the NT 4.0 version has, but here's a
summary
(an ugly cut-and-paste from my VPN class, sorry):

** PPTP specification developed by Microsoft, Ascend, others
** originally designed as an encapsulation mechanism, to transport non-TCP/IP
    traffic over the Internet using GRE
**  security features added later

[The PPTP specification was originally developed by a consortium that included
Ascend Communications, 3Com/Primary Access, ECI Telematics, U.S. Robotics and
Microsoft.  The specification itself is fairly generic, and allows for a
variety of authentication mechanisms and encryption algorithms.  However, the
vast majority of PPTP users implement the Microsoft version.  The following
discussion of PPTP security issues are specific to the Microsoft
implementation.]

** PPTP server -- NT 4.0 or later
** PPTP clients -- Win 95/98/NT; WFW, Macintosh with 3rd party hardware
** Authentication/authorization mechanisms limited to NT domain security; 
   manage access to non-NT domain resources via network segregation, 
   RADIUS (maybe)

[If you are constructing a VPN system for Microsoft clients to connect into
Microsoft networks, PPTP may be a reasonable choice.  However, for those of you
with Novell systems, or road warriors with Linux laptops, it’s probably not so
useful.
PPTP can be used to control access to the private network via NT domain
security controls (user- and group-level access to domain resources), and by
segregating resources on the corporate network.  Use of PPTP requires that IP
forwarding be enabled on the NT server.
Setting up a PPTP system requires configuring the Remote Access Server
capability on the NT server, adding routing functionality to the RAS system,
applying several newly-released security patches, and configuring the
PPTP-specific registry keys.  And hardening the server itself.]

Security Concerns:
**  Flawed encryption mechanism -- non-random keys, session keys weak hash of
     user password, key lengths too short (non-configurable)
**  Bad password management in mixed Win95/NT environment; static
     passwords easily compromised

[The initial release of PPTP used the MSCHAP mechanism for end-user
authentication.  After numerous criticisms that MSCHAP was easily compromised,
especially in situations when Windows 95 was the client operating system,
Microsoft released a patch to the original authentication protocol.  To quote
the Microsoft WebSite: “This new protocol provides mutual authentication,
stronger initial data encryption keys, and different encryption keys for the
transmit and receive paths. To minimize the risk of password compromise during
MSCHAP exchanges, MSCHAP V2 drops support for the MSCHAP password change V1,
and will not transmit the LMHash encoding of the password. ...For VPN
connection requests, a Windows NT server will offer MSCHAP V2 before offering
the legacy MSCHAP. Updated Windows clients (all platforms) will accept MSCHAP
V2 when it is offered.” (August 18, 1998)
Microsoft also added a new registry key, SecureVPN, that forces incoming VPN
connection requests to use the new authentication mechanism.
These changes should prevent a PPTP client from indicating using the older,
LMHash mechanism.  However, the effectiveness of these patches has not yet been
verified by any independent reviewer.]

[Note that the dependence of PPTP authentication on MSCHAP makes it vulnerable
to attacks using l0phtcrack -- so it's the only VPN tool with its own l0pht 
hyperlink!]

**  Vulnerable to server spoofing attacks because packet authentication not
    implemented, easy denial-of-service attacks even inside firewalls
**   MS claims cryptographic weaknesses not yet exploited

[Also note that although Microsoft describes PPTP as using either 40-bit or
128-bit encryption, their use of the user’s password to create a session key,
rather than a randomly generated key, greatly reduces the strength of the
encryption process.  None of the recent security releases addresses this issue.
Microsoft claims to have improved the mechanism that generates session keys
(which is based on a hash of the user’s password).  If this is true, it helps
protect against hijacking attacks, as well as making brute force crypto attacks
harder.  
NB: even this enhancement does not improve the cryptographic weakness, which is
based on the flawed decision to use passwords to generate keys.  Remember, no
matter how strong an encryption algorithm is, it can be compromised via a
brute-force attack.  The only protection against brute force is a long key
length, with purely random keys - not what Microsoft has implemented.
And again, this enhancement has not been verified (as of November 1998) by any
third-party evaluator.]

And of course, there are potential issues with getting GRE through a lot of 
commercial firewalls, and lots of problems with technical support on a system
that
could rapidly become mission-critical.

Sorry for the length -- comments welcome -- Tina

> Date: Sat, 07 Nov 1998 21:35:40 +0000
> From: Crispin Cowan <crispin () cse ogi edu>
> Organization: Oregon Graduate Institute
> X-Mailer: Mozilla 4.5b2 [en] (X11; I; Linux 2.0.35 i586)
> X-Accept-Language: en
> To: Dennis Nwaigbo <dnwaig () ctp com>
> CC: firewall-wizards () nfr net
> Subject: Re: VPN implementation
> Sender: owner-firewall-wizards () nfr net
> Reply-To: Crispin Cowan <crispin () cse ogi edu>
>
> Dennis Nwaigbo wrote:
>
> > Hello gangs,
> >  I am building a VPN solution for our company.  What I am trying to do is
> > build a VPN through the internet so that my users can have a secure data
> > access at the corporate headquarters through the corporate WAN.  The
> > environment is purely NT shop. The intent is to use native PPTP for
> > connectivity.
> >
> > My questions are as follows:
> > *       I intend to use the native PPTP for connectivity.  What are the ups
> > and downs of this protocol for this solution?
> > *       What are the security ramifications for using PPTP instead of IPSec?
>
> Bruce Schneier has an excellent analysis of the security of PPTP here:
> http://www.counterpane.com/pptp.html
> Basically, it's dreadful.  From reading Schneier's analysis of PPTP, I would
> use something else.
>
> Crispin
> -----
> Crispin Cowan, Research Assistant Professor of Computer Science, OGI
>    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
>       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
>
>                 Support Justice:  Boycott Windows 98