Cryptanalysis of Microsofts PointtoPoint Tunneling Protocol 6 Mar
- Slides: 26
Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol 6 Mar. 2007 Amit Golander
Mainly based on: Cryptanalysis of MS-PPTP (Point-to-Point Tunneling Protocol) Schneier and Mudge, Proceedings of the 5 th Conference on Computer and Communications Security (1998) Cited 41 times (according to scholar. google) Tel-Aviv University Page 2 Topics in Information Security 2007
Outline: • Background • Authentication • Encryption • Other attacks • Follow-up Tel-Aviv University Page 3 Topics in Information Security 2007
Motivation Alice Eve Bob Point-to-Point Tunneling Protocol (PPTP) Wikipedia: …PPTP is popular because it is easy to configure and it was the first VPN protocol that was supported by Microsoft… Tel-Aviv University Page 4 Topics in Information Security 2007
PPTP • Uses Generic Routing Encapsulation (GRE) and allows tunneling of PPP datagrams over IP networks IP GRE PPP IP TCP UDP Application Data • Creating a client-server tunnel: – Establishing control connection. Negotiate algorithms for authentication and encryption – Establishing tunnel connection Tel-Aviv University Page 5 Topics in Information Security 2007
What is the paper about? The paper analyzes Microsoft's Windows NT implementation of PPTP It shows how to: • Break the authentication protocols (including challenge/response MS-CHAP) • Break the RC 4 encryption protocol (MPPE) • Attack the control channel The story is about bad architecture and terrible design… Tel-Aviv University Page 6 Topics in Information Security 2007
Outline: • Background • Authentication • Encryption • Other attacks • Follow-up Tel-Aviv University Page 7 Topics in Information Security 2007
Authentication options in Microsoft implementation: 1. Clear Password F H Security hash function 2. Hashed Password Supports two hash functions: h h=H(F) a. LANMAN (Lan Manager) b. Windows NT hash 3. MS-CHAP challenge/response protocol Tel-Aviv University Page 8 Topics in Information Security 2007
2 a. LANMAN Hash Function 1. Turn the password into a 14 -character string Z e r 4 Y o u 2 _ _ _ O U 2 _ _ _ 2. Convert all lowercase characters to uppercase Z E R 4 Y 3. Split the 14 B string into two 7 B halves 4. Using each half as a DES key, encrypt a fixed constant 5. Concatenate to create a single 16 -byte hash value Constant Z E R 4 Y O U DES Bytes: Tel-Aviv University Page 9 0. . 7 DES 2 _ _ _ 8. . 15 Topics in Information Security 2007
2 a. LANMAN - Drawbacks Dictionary Attacks are easy: • Most people choose easily guessable passwords Brute force is also reasonable: • No lower case • The same password will always have the same hashed password => Can pre-compute a dictionary of hashed passwords. • Halves are hashed independently => Can be brute-forced independently (7 B complexity at most) => Passwords of seven characters or less can be immediately recognized. Tel-Aviv University Page 10 Topics in Information Security 2007
2 b. Windows NT Hash Construction: 1. The password is converted to Unicode 2. The password is hashed using MD 4 yielding 16 B Drawbacks: • + • • Always sent along side the older LAN Manager hash value… Fixed older drawbacks of upper case and hashing halves. Did not fix the vulnerability to dictionary attacks and pre-computation Weaknesses in MD 4 were demonstrated in 1991 Tel-Aviv University Page 11 Topics in Information Security 2007
3. MS-CHAP Challenge Handshake Authentication Protocol (CHAP) Login request 8 B random challenge 1. 2. 3. Calculate the hash (16 B) Pad to create a 21 B string Partition to three 7 B keys. Each key is used to encrypt the challenge. Tel-Aviv University Page 12 24 B result • • • Look up the hash Do steps 2+3 Compare result Topics in Information Security 2007
MS-CHAP - Drawbacks • Same hash weaknesses, but pre-computing is not feasible • MS_CHAP client reply divided to thirds • Server is not authenticated Password 0. . 13 Hashed 0. . 15 P 0. . 6 S constant P 7. . 13 LANMAN Result 0. . 23 Challenge 0. . 7 Tel-Aviv University H 0. . 7 H 8. . 15 Challenge H 0. . 6 H 7. . 13 H 14, 15, pads DES R 0. . 7, 8. . 15, 16. . 23 Page 13 Topics in Information Security 2007
Breaking MS-CHAP 1. C and R are known, so try avg. 215 values of H 14. . 15 2. S and H 14. . 15 are known, so filter possible values of P 7. . 13 (N/216) Concatenate the possible to all values of H 7 (*<28) until equals R 8. . 15 3. Similarly, H 7 is known, so filter possible values of P 0. . 6 (M/28) Password 0. . 13 Hashed 0. . 15 P 0. . 6 S constant P 7. . 13 LANMAN Result 0. . 23 Challenge 0. . 7 Tel-Aviv University H 0. . 7 H 8. . 15 Challenge H 0. . 6 H 7. . 13 H 14, 15, pads DES R 0. . 7, 8. . 15, 16. . 23 Page 14 Topics in Information Security 2007
Outline: • Background • Authentication • Encryption • Other attacks • Follow-up Tel-Aviv University Page 15 Topics in Information Security 2007
Encryption • Microsoft Point-to-Point Encryption (MPPE) • MPPE uses a RC 4 stream cipher (output feedback) • Determining the key: 40 bits P 0. . 13 LANMAN H 0. . 15 SHA-0 0 x. D 1269 E Key RC 4 Zi 128 bits Ci = P i + Z i P 0. . 13 NT hash H 0. . 15 SHA-0 MS-CHAP challenge 0. . 15 Tel-Aviv University Page 16 Key RC 4 Zi Topics in Information Security 2007
Encryption - Drawbacks • Not all PPP packets are encrypted • Key calculated from password (< 40/128 -bit key) • Can pre-compute 40 -bit key streams -> Dictionary of cipher text PPP headers • Key stream is reused over and over again: – By the client and server – During the same session (resync) – For the 40 -bit version, on different sessions as well Ci = P i + Z i Ci + C`i = Pi + Zi + P`i + Z`i • Synchronization manipulation • Vulnerable to bit flip attacks Tel-Aviv University Page 17 Topics in Information Security 2007
Outline: • Background • Authentication • Encryption • Other attacks • Follow-up Tel-Aviv University Page 18 Topics in Information Security 2007
Other Attacks • PPTP control channel is not encrypted and contains too much information, example: Number of PPTP virtual tunnels the server has available • PPP configuration packets are not encrypted and not authenticated, example: Modify the internal DNS address handed to the client • Do. S attacks Tel-Aviv University Page 19 Topics in Information Security 2007
Outline: • Background • Authentication • Encryption • Other attacks • Follow-up Tel-Aviv University Page 20 Topics in Information Security 2007
Summary The paper analyzes Microsoft's Windows NT implementation of PPTP It shows how to: • Break the authentication protocols (including challenge/response MS-CHAP) • Break the RC 4 encryption protocol (MPPE) • Attack the control channel The story is about bad architecture and terrible design… Tel-Aviv University Page 21 Topics in Information Security 2007
Follow-up 1 90 days later… – – MS-CHAPv 2 created • • • LANMAN is no longer sent along the stronger Win NT hash Server is authenticated as well Spoofing (Change password packets) • Windows Vista drops support for MS-CHAPv 1 MPPE updated • Tel-Aviv University http: //www. microsoft. com/technet/security/bulletin/ms 98 -012. asp MPPE uses unique keys in each direction. Page 22 Topics in Information Security 2007
Follow-up 2 1999 - Schneier, Mudge and Wagner: Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv 2) Objective: “Assess the improvements and remaining weaknesses in MS-PPTP” Conclusion: • Some things were fixed, but… • Need authentication and key-exchange protocols which do not allow dictionary attacks against the user's password. • PPTP -> IPSec Tel-Aviv University Page 23 Topics in Information Security 2007
Follow-up 3 1999 - L 2 TP (Layer 2 Tunneling Protocol) • • IP UDP packet security provided by IPSec Control and data IPSec DES or 3 DES encrypted IP IPSEC UDP L 2 TP PPP IP TCP UDP Application Data IPSEC Windows 2000/3 Choices: Simplicity Low Cost PPTP Tel-Aviv University Page 24 Advanced Security L 2 TP/IPSec Tunnel Mode Topics in Information Security 2007
Thank You Questions and Discussions amigos@eng. tau. ac. il Tel-Aviv University Page 25 Topics in Information Security 2007
Home Assignment 1. What is PPTP used for? 2. In one line, define the terms: RC 4, MD 5, SHA, GRE. 3. Demonstrate the “Lan Manager hash function” using a password which is your first name. Assume DES does nothing when the key is all zeroes. 4. The paper was published in 1998. Shortly (2 -3 lines) describe how Microsoft solved the problems presented by this paper. Tel-Aviv University Page 26 Topics in Information Security 2007
- Apa hubungannya cryptanalysis dengan cryptology?
- Linear cryptanalysis
- Applied cryptanalysis
- Differentiate between linear and differential cryptanalysis
- Cryptanalysis
- Cryptology cryptography cryptanalysis
- What are cryptography and cryptanalysis
- Affine cipher brute force
- "@" inurl:market= market; cryptanalysis;
- Linear cryptanalysis
- Dns tunneling android
- Tunneling effect
- Tunneling
- Qm tunneling
- Scanning tunneling microscope
- Azure load balancer
- Scanning tunneling microscope history
- Define scanning tunneling microscope
- Virginia woolf father
- Wsn tunneling
- Mtj tmr
- Vpn tunneling
- How is carbon dioxide found in "quick breads"?
- Scanning tunneling microscope
- Quantum tunneling
- Santa monica rent control information sheet
- Cadena trofica en el mar