[9572] in bugtraq
Re: PPTP Revisited
daemon@ATHENA.MIT.EDU (aleph1@UNDERGROUND.ORG)
Sun Feb 14 13:52:52 1999
Date: Sun, 14 Feb 1999 11:34:48 -0800
Reply-To: aleph1@UNDERGROUND.ORG
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <CB6657D3A5E0D111A97700805FFE65870B48DDA0@RED-MSG-51>; from Paul Leach on Sat, Feb 13, 1999 at 03:39:05PM -0800
On Sat, Feb 13, 1999 at 03:39:05PM -0800, Paul Leach wrote:
> Nice analysis. Correct as far as I can see with a quick review. I only have
> one quibble with it. See below...
>
> > -----Original Message-----
> > From: aleph1@UNDERGROUND.ORG [mailto:aleph1@UNDERGROUND.ORG]
> > Sent: Saturday, February 13, 1999 11:29 AM
> > To: BUGTRAQ@NETSPACE.ORG
> > Subject: PPTP Revisited
> >
> >
> > · MPPE does not provide true 128-bit or 40-bit security.
> >
> > This is still true. Under MSCHAPv2 the MPPE session keys continue to be
> > derived from the user password, the challenges, and some magic numbers. All
> > this information is public with the exception of the password, ergo the
> > session key is only as strong as the password.
> >
>
> Some comments:
> The conclusion that the session key is only as strong as the password is
> true. I think it is somewhat misleading to conclude that the protocol
> doesn't offer "true" 40 or 128 bit security. It is easy to have a password
> that is more than 40 bits in strength.
>
> To give some context, it is equally true that Kerberos 5 does not provide
> "true" 40 or 128 bit security -- even though it generates random session
> keys, the ticket granting ticket containing the initial session key is
> encrypted with a key derived from the password.
That is correct. That is why you can perform a dictionary attack against
Kerberos. Given this I don't see why you consider it misleading. I would
consider it misleading to claim that Kerberos offers 40 or 128 bit security.
>
> To my knowledge, the same will hold for any authentication and key exchange
> protocol that doesn't use public key technology.
Well, technically it is true for any protocol where the keys are not derived
from true random sources; the problem is having both parties agree to the
key. This can normally be accomplished via public key technology. But
as you point out above, even password based schemes like PPTP's can provide
40 or 128-bit security if the password itself provides 40 or 128-bit security;
it's simply that for the average password this is not true.
> Paul
>
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
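
Added example, not part of the original message: a sketch of the point both posters agree on, that a session key derived from a password plus public values is no stronger than the password. The SHA-256 derivation, the challenge bytes and all function names are assumptions for illustration; this is not the MS-CHAPv2/MPPE key derivation.

```python
import hashlib
import itertools
import math
import string

# Constructed stand-in for the public inputs (challenges, magic numbers).
PUBLIC_INPUTS = b"constructed-challenges-and-constants"


def derive_session_key(password, public_inputs, key_bits):
    """Hypothetical derivation: hash of password + public data, truncated.
    Stand-in only; NOT the real MS-CHAPv2/MPPE algorithm."""
    digest = hashlib.sha256(password.encode() + public_inputs).digest()
    return digest[: key_bits // 8]


def reachable_keys(alphabet, length, public_inputs, key_bits):
    """Set of every key the derivation can output under a password policy.
    Its size, not 2**key_bits, bounds the work of an exhaustive search."""
    return {
        derive_session_key("".join(chars), public_inputs, key_bits)
        for chars in itertools.product(alphabet, repeat=length)
    }


def effective_bits(key_bits, alphabet_size, length):
    """Key strength for a uniformly random password: capped by the password
    space and by the nominal key size, whichever is smaller."""
    return min(key_bits, length * math.log2(alphabet_size))


def min_random_length(alphabet_size, target_bits):
    """Shortest uniformly random password that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    keys = reachable_keys(string.ascii_lowercase, 3, PUBLIC_INPUTS, 128)
    print("nominal key size: 128 bits")
    print("distinct keys reachable from 3 lowercase letters:", len(keys))
    print("effective strength: %.1f bits" % math.log2(len(keys)))
    for size, label in ((26, "lowercase"), (62, "alphanumeric"), (95, "printable")):
        print("%-12s needs %2d random chars for 40 bits, %2d for 128 bits"
              % (label, min_random_length(size, 40), min_random_length(size, 128)))
```

The lengths printed assume every character is chosen uniformly at random; human-chosen passwords carry less entropy per character, so these figures are lower bounds on the length needed.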