The nail in the coffin of PPTP... {Computerworld | DefCon}
Pattern_Juggled (Admin)
Posts: 57, Join date: 2012-08-04
Subject: The nail in the coffin of PPTP... {Computerworld | DefCon} (Sun Aug 05, 2012 5:49 pm)
Quote:
Tools released at Defcon can crack widely used PPTP encryption in under a day
New tool and service can decrypt any PPTP and WPA2 wireless sessions using MS-CHAPv2 authentication
By Lucian Constantin
July 29, 2012 10:05 AM
Security researchers released two tools at the Defcon security conference that can be used to crack the encryption of any PPTP (Point-to-Point Tunneling Protocol) and WPA2-Enterprise (Wireless Protected Access) sessions that use MS-CHAPv2 for authentication.
MS-CHAPv2 is an authentication protocol created by Microsoft and introduced in Windows NT 4.0 SP4. Despite its age, it is still used as the primary authentication mechanism by most PPTP virtual private network (VPN) clients.
MS-CHAPv2 has been known to be vulnerable to dictionary-based brute force attacks since 1999, when a cryptanalysis of the protocol was published by cryptographer Bruce Schneier and other researchers.
However, the common belief on the Internet is that if you have a strong password then it's ok, said Moxie Marlinspike, the security researcher who developed ChapCrack, one of the tools released at Defcon. "What we demonstrated is that it doesn't matter. There's nothing you can do."
ChapCrack can take captured network traffic that contains a MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise handshake) and reduce the handshake's security to a single DES (Data Encryption Standard) key.
This DES key can then be submitted to CloudCracker.com -- a commercial online password cracking service that runs on a special FPGA cracking box developed by David Hulton of Pico Computing -- where it will be decrypted in under a day.
The CloudCracker output can then be used with ChapCrack to decrypt an entire session captured with Wireshark or other similar network sniffing tools.
PPTP is commonly used by small and medium-size businesses -- large corporations use other VPN technologies like those provided by Cisco -- and it's also widely used by personal VPN service providers, Marlinspike said.
The researcher gave the example of IPredator, a VPN service from the creators of The Pirate Bay, which is marketed as a solution to evade ISP tracking, but only supports PPTP.
Marlinspike's advice to businesses and VPN providers was to stop using PPTP and switch to other technologies like IPsec or OpenVPN. Companies with wireless network deployments that use WPA2 Enterprise security with MS-CHAPv2 authentication should also switch to an alternative.
Pattern_Juggled (Admin)
Posts: 57, Join date: 2012-08-04
Subject: Re: The nail in the coffin of PPTP... {Computerworld | DefCon} (Sun Aug 05, 2012 5:54 pm)
Quote:
PPTP traffic should be considered unencrypted
01 August 2012
This is the view of Moxie Marlinspike, who along with David Hulton first presented his method for cracking Microsoft’s CHAPv2 at Defcon, and has now described the process on CloudCracker.
MS-CHAPv2 is an aging but still widely used challenge-handshake protocol. It is used by PPTP and appears in many internet VPNs – such as IPredator: “The Pirate Bay's VPN service, which is presumably designed to protect communication from state-level observation,” he says. But he goes on to show that it won’t.
Marlinspike blames the prevalence of PPTP not directly on Bruce Schneier but on the industry’s interpretation of a Schneier analysis dating back to 1999. At that time Schneier and Mudge (Peiter Zatko, then with L0pht and CDC, but more recently with DARPA) wrote that “the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user.”
The industry seems to have taken that to mean that PPTP is secure provided it uses a strong password; but what Marlinspike has now demonstrated is that any password can be readily cracked. In his blog post headed ‘Divide and Conquer’ he provides a technical overview of CHAPv2 showing a weak point in the system that can be exploited by divide and conquer. “The hash we're after,” he writes, “is used as the key material for three DES operations. DES keys are 7 bytes long, so each DES operation uses a 7 byte chunk of the MD4 hash output. This gives us an opportunity for a classic divide and conquer attack.”
It would still be difficult but for the implementation of the third DES key. Each DES key is 7 bytes in length. But the total length is drawn from the MD4 hash (the password) which is only 16 bytes. Microsoft’s solution was to pad out the third key with zeros, meaning that the third key is effectively just 2 bytes in length – and can be brute forced “in a matter of seconds.” That still leaves two DES keys to be cracked; but the “interesting thing about the remaining unknowns is that both of the remaining DES operations are over the same plaintext, only with different keys... This means that, effectively, the security of MS-CHAPv2 can be reduced to the strength of a single DES encryption.” And DES has long been crackable.
Enter the co-presenter, David Hulton. Hulton’s company, Pico Computing, has developed a specialist DES cracking box that, says Marlinspike, “gives us a worst case of ~23 hours for cracking a DES key, and an average case of about half a day.” The two have now integrated this box into CloudCracker, “An online password cracking service for penetration testers and network auditors.” As a result, MS-CHAPv2 should be considered broken.
Marlinspike doesn’t hesitate in his motivation. “We hope that by making this service available, we can effectively end the use of MS-CHAPv2 on the internet once and for all.” Instead, he advocates a move to “either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.”
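The key-splitting the quoted article describes, worked through as an added Go example (not code from this thread, from ChapCrack or from CloudCracker): it computes the RFC 2759 ChallengeResponse from a constructed 16-byte NT hash and a constructed 8-byte challenge hash, then shows that the two hash bytes behind the zero-padded third DES key fall out of the 24-byte response after at most 65536 DES operations. The MD4 and SHA-1 steps that would produce those two inputs are left out; the hash and challenge values are assumed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// expandKey spreads a 7-byte chunk over 8 bytes, 7 key bits per byte with the parity bit clear.
func expandKey(k7 []byte) []byte {
	bits := binary.BigEndian.Uint64(append([]byte{0}, k7...)) // the 56 key bits, right-aligned
	k8 := make([]byte, 8)
	for i := range k8 {
		k8[i] = byte(bits>>uint(49-7*i)) << 1
	}
	return k8
}
func desEncrypt(k7, block []byte) []byte {
	c, _ := des.NewCipher(expandKey(k7)) // only errors on a bad key length, impossible here
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}
// ChallengeResponse (RFC 2759): the NT hash, zero-padded from 16 to 21 bytes, is cut into three
// 7-byte DES keys; each encrypts the same 8-byte challenge hash, giving the 24-byte response.
func ChallengeResponse(ntHash, chal []byte) []byte {
	padded := append(append([]byte{}, ntHash...), 0, 0, 0, 0, 0)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(padded[i*7:i*7+7], chal)...)
	}
	return resp
}
// RecoverThirdKey: only 2 of the third key's 7 bytes come from the hash, so 65536 tries settle it.
func RecoverThirdKey(chal, resp []byte) (int, bool) {
	for k := 0; k < 1<<16; k++ {
		key := []byte{byte(k >> 8), byte(k), 0, 0, 0, 0, 0}
		if bytes.Equal(desEncrypt(key, chal), resp[16:24]) {
			return k, true
		}
	}
	return 0, false
}

func main() {
	ntHash, chal := []byte("0123456789abcdef"), []byte("CHALHASH") // constructed stand-ins
	k, _ := RecoverThirdKey(chal, ChallengeResponse(ntHash, chal))
	fmt.Printf("NT hash bytes 15-16 recovered from the response: %04x\n", k)
}
```

What remains after this step is exactly the article's point: two DES encryptions of the same plaintext under the first two 7-byte chunks, which is why the whole exchange reduces to one 56-bit DES key search rather than to the strength of the password.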
CyberNinja
Posts: 5, Join date: 2012-08-09
Subject: Re: The nail in the coffin of PPTP (Thu Aug 09, 2012 3:52 am)
So why the hell is Cryptocloud still using PPTP with this being noted? Doesn't this look to all of us like a huge security flaw for our mobile communications on Android and iOS, as well as for our PC users? I am no security expert at all, but I would think that if PPTP could be broken within a day it would probably be an emergency security issue within not only the VPN community but the corporate and enterprise communities as well! Just imagine everyone who uses PPTP and doesn't know how exposed they are to this security risk exchanging sensitive business information; it could lose them millions of dollars from corporate espionage and data theft, and we regular users who expect privacy and security out of this outdated encryption method/algorithm would, I think, have unequivocal concern about the data integrity of this network outside of OpenVPN. I think what needs to happen for the mobile end users of this service is an upgrade from this dated, flawed, now useless encryption method to something more secure, perhaps an IPsec VPN (also compatible with Android, iOS and PC). Or, as another alternative, a company-built app that installs an OpenVPN architecture within the operating system of the mobile device, so that every time the phone is turned on or used, whether it be for data, voice, or text, the connection is always 100% secured without any extra hassle or worry that the connection may leak your real IP without you noticing, as is the case in point with PPTP. Just my 2 cents on the matter; hopefully my ideas will be taken seriously and the security of this wonderful network I've been with for 3 years will be strengthened and improved. It's something I can only wish for.
Pattern_Juggled (Admin)
Posts: 57, Join date: 2012-08-04
Subject: Re: The nail in the coffin of PPTP... {Computerworld | DefCon} (Thu Aug 09, 2012 12:33 pm)
CyberNinja wrote:
Just my 2 cents on the matter; hopefully my ideas will be taken seriously and the security of this wonderful network I've been with for 3 years will be strengthened and improved. It's something I can only wish for.
For what it's worth, I agree with you 100%. Personally, I've been shitting all over PPTP for almost a decade now - not that I'm some genius, but rather I simply read Schneier's scathing dismissal of this proprietary garbage from back in the 1990s (!!!) and realized he was, as usual, right. So there's no magic here - just keeping abreast of smart folks in the security world.

That said, the deal is this: until quite recently (and even that's provisional - more below), there's simply been no substantive non-PPTP VPN option for *nix (i.e. Android and iGadgets... which are both at core *nix flavors, albeit highly diverged) devices. Those that exist have either required full rooting of the hardware (which most folks simply won't/can't do) or were unstable enough to be essentially ineffective. As I said, that's changing rapidly right now - there are a few OpenVPN clients that are making claims that - if substantiated - might just be the big step forward on which everyone has been waiting. They're all essentially beta at this point, even so. Given that, it's really been the following decision fork: for smartphones, either use PPTP-based VPN or use nothing at all. To me, that's an easy decision: something is better than nothing, ceteris paribus.

However, there's a big caveat: users of flawed "security" protocols like PPTP must be fully and aggressively informed of the limitations of the protocol, so that they can make informed decisions on just how far - and in what use scenarios, against which attack vectors - they can be trusted. The worst-case scenario here, to my mind, is using a security procedure or technique without knowing its structural limitations - ignorance is NOT bliss in such situations. Indeed, one is much - much, much - better off not using any security technology than one is in relying heavily on security technology without understanding its limitations.

The reason is simple: if one knows one is unprotected in a communications channel, one can take precautions in terms of what one discusses - and doesn't discuss. However, if one falsely believes one is "protected" and goes ahead to open the proverbial kimono fully - and then gets raped because that "protection" was ephemeral - one is in a terrible place indeed. In this regard, I don't think there's been enough honest, upfront, aggressive communication of PPTP's structural limitations by Cryptocloud. I'll say that right upfront. I believe they understand the limits, and that in offering PPTP for smartphone users - at no additional cost, mind you - they are providing a (potentially) useful extension to the real security offered by their OpenVPN-based secure network. But that's only true if there is an effort to over-communicate the constraints inherent in PPTP. Which I don't think has been happening, imho. And which, as a result, I'm doing right now - in this thread. That over-communication will continue, until someone stops me (good luck!), or until everyone's bored with hearing me say it. Any other suggestions on how to make this particular message clear and widely heard are, as always, much encouraged and appreciated.

Tally ho,
Pt_Jd
thesaint707
Posts: 38, Join date: 2012-05-24, Age: 60, Location: My own private Idaho on Mt. Olympus
Subject: PPTP et al. (Fri Aug 10, 2012 1:09 pm)
I am excited by the dialogue on PPTP and stimulated by the exposure it has been getting. We as a company debated adding PPTP to the network long and hard prior to adding it as a free service to our world-class OpenVPN service. Since its addition we have been tinkering and playing with ideas to enhance its security, and I am hopeful we will roll something out in the near future. The product works well with handheld devices, and that we feel is a positive; it is better than going naked while using those devices.