[9571] in bugtraq
Re: PPTP Revisited
daemon@ATHENA.MIT.EDU (Paul Leach)
Sun Feb 14 13:26:51 1999
Date: Sat, 13 Feb 1999 15:39:05 -0800
Reply-To: Paul Leach <paulle@MICROSOFT.COM>
From: Paul Leach <paulle@MICROSOFT.COM>
X-To: "aleph1@UNDERGROUND.ORG" <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@NETSPACE.ORG
Nice analysis. Correct as far as I can see with a quick review. I only =
have
one quibble with it. See below...
> -----Original Message-----
> From: aleph1@UNDERGROUND.ORG [mailto:aleph1@UNDERGROUND.ORG]
> Sent: Saturday, February 13, 1999 11:29 AM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: PPTP Revisited
>
>
> =B7 MPPE does not provide true 128-bit or 40-bit security.
>
> This is still true. Under MSCHAPv2 the MPPE session keys
> continue to be
> derived from the user password, the challenges, and some
> magic numbers. All
> this information is public with the exception of the
> password, ergo the
> session key is only as strong at the password.
>
Some comments:
The conclusion that the session key is only as strong as the password i=
s
true. I think it is somewhat misleading to conclude that the protocol
doesn't offer "true" 40 or 128 bit security. It is easy to have a passw=
ord
that is more than 40 bits in strength.
To give some context, it is equally true that Kerberos 5 does not provi=
de
"true" 40 or 128 bit security -- even though it generates random sessio=
n
keys, the ticket granting ticket containing the initial session key is
encrypted with a key derived from the password.
To my knowledge, the same will hold for any authentication and key exch=
ange
protocol that doesn't use public key technology.
Paul
