[10971] in bugtraq
Re: MS Chap v2 analysis
daemon@ATHENA.MIT.EDU (Paul Leach)
Thu Jul 8 03:22:38 1999
Message-Id: <CB6657D3A5E0D111A97700805FFE65870B48E463@RED-MSG-51>
Date: Wed, 7 Jul 1999 16:20:09 -0700
Reply-To: Paul Leach <paulle@MICROSOFT.COM>
From: Paul Leach <paulle@MICROSOFT.COM>
X-To: Burton Rosenberg <burtonr@citrix.com>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> -----Original Message-----
> From: Burton Rosenberg [mailto:burtonr@citrix.com]
> Sent: Wednesday, July 07, 1999 3:16 PM
> To: Paul Leach; BUGTRAQ@SECURITYFOCUS.COM
> Cc: 'schneier@counterpane.com'; 'mudge@l0pht.com'
> Subject: RE: MS Chap v2 analysis
>
>
>
> the parallel structure of generating the challenge response (function
> ChallengeResponse() in
> www.ietf.org/internet-drafts/draft-ietf-pppext-mschap-v2-03.te
> x) cuts down
> the strength of
> the PasswordHash from 16 to 14 bytes.
>
> this should have been addressed in version 2.
>
> given challenge C of 8 bytes (or the "hidden challenge" of version 2),
> password hash P of 16 bytes,
> the response is:
> < DES_{P1} ( C ) | DES_{P2}(C) | DES_{P3}( C ) >
> where, P1 is the first 7 bytes of P, P2 is the second 7 bytes
> of P, and P3
> is the last 2 bytes
> of P followed by 5 bytes of zeros.
>
> Break P3 by solving C' = DES_X( C ) for X given known C and
> C' by brute
> force over small number
> ( 2^16 ) of possibilities for X. This gives the last two bytes of P.
Correct. But since the best attack is against the passwords themselves, the
reduction from 16 bytes to 14 bytes of strength from the password hash isn't
the primary issue.
Don't get me wrong -- I'm not going to claim that the MASCHAPv2 is the best
password based challenge/response protocol in the world.
Paul
