MS PPTP - PowerPoint PPT Presentation

1 / 15

About This Presentation

Title:

MS PPTP

Description:

Number of Views:124

Avg rating:3.0/5.0

Slides: 16

Provided by: and6165

Category:

Tags: pptp | concatenate

Transcript and Presenter's Notes

Title: MS PPTP

1
MS PPTP

Cryptanalysis of Microsoft's Point-to-Point
Tunneling Protocol (PPTP), B. Schneier and Mudge
PPTP does not specify specific algorithms for
authentication and encryption instead it
provides a framework for negotiating particular
algorithms.

2
MS PPTP

Three authentication in MS implementation
Clear Password The client sends the server a
password in the clear.
Hashed Password The client sends the server a
hash of the password
Challenge/Response The client and the server
authenticate using the MS-CHAP challenge/response
protocol

3
MS PPTP

LAN Manager Hash
Turn the password into a 14-character string,
either by truncating longer passwords or padding
shorter passwords with nulls.
Convert all lowercase characters to uppercase.
Numbers and non-alphanumerics remain unaffected.
Split the 14-byte string into two seven-byte
halves.
Using each seven-byte string as a DES key,
encrypt a fixed constant with each key, yielding
two 8-byte encrypted strings.
Concatenate the two strings together to create a
single 16-byte hash value.

4
MS PPTP

Dictionary Attacks
Most people choose easily guessable passwords
All characters are converted to upper case,
making the number of possible passwords even
smaller.
There is no salt two users with the same
password will always have the same hashed
password. Thus, it is possible to precompute a
dictionary of hashed passwords and compare an
unknown password against the dictionary. With
this time/memory trade-o, passwords can be tested
as fast as disk I/O allows.
The two seven-byte \halves" of the password are
hashed independently. Thus, the two halves can be
brute-forced independently, and the complexity of
the attack is at most the complexity against a
seven-byte password. Passwords longer than seven
characters are no stronger than seven-character
passwords. Additionally, passwords of seven
characters or less can be immediately recognized
since the second half of the hash is always the
same constant encryption of the fixed constant
with seven nulls as the key.

5
MS PPTP

Windows NT Hash
The password, up to 14 characters long and case
sensitive, is converted to Unicode.
The password is hashed using MD4, yielding a 16
byte hash value.
The LAN Manager and Windows NT hash are always
sent together

6
MS PPTP

MS-CHAP
Client requests a login challenge.
Server sends back an eight-byte random challenge.
The client calculates the Lan Manager hash, and
adds five nulls to create a 21-byte string, and
partitions the string into three seven-byte keys.
Each key is used to encrypt the challenge,
resulting in a 24-byte encrypted value. This is
returned to the Server as a response. The client
does the same with the Windows NT hash.
Server looks up the hash in its database,
encrypts the challenge with the hash, and
compares it with the encrypted hashes it
received. If they match, the authentication
completes.

7
MS PPTP

In MPPE, the 40-bit RC4 key is determined as
follows
Generate a deterministic 64-bit key from a Lan
Manager hash of the user's password (shared by
both the user and the host) using SHA
Set the high-order 24 bits of the key to
0xD1269E.
The 128-bit RC4 key is determined as follows
Concatenate the Windows NT hash of the user's
password and a 64-bit random nonce created by the
host during the MS-CHAP protocol. This nonce was
sent to the client during the protocol, so is
known by both the client and the server.
Generate a deterministic 128-bit key from the
results of the previous step using SHA.

8
MS PPTP

9
MS-PPTP

10
Content Scrambling System
11
Content Scrambling System

Make a guess on k5
B(5) xor( F( A(5) ) , A(4) , k5 )
B(4) xor( F( B(5) ) , C(5), k5 )
k4 xor( F( A(4) ) , A(3) , B(4) )
B(3) xor( F( B(4) ) , C(4), k4 )
k3 xor( F( A(3) ) , A(2) , B(3) )
B(2) xor( F( B(3) ) , C(3), k3 )
k2 xor( F( A(2) ) , A(1) , B(2) )
B(1) xor( F( B(2) ) , C(2), k2 )
k1 xor( F( A(1) ) , B(5) , B(1) )
verify by checking C(1) xor ( F( B(1) , k1 )

12
Content Scrambling System

Attacking the hash (complexity 225)
A(1..5) is known
Try all possible k2, B(1), resulting in C(2)
Make a table with B(1), C(2), resulting in k2
Guess the start state of LFSR1, calculate O1( i
1,2,3,4,5 ) . Next guess B(1) and complete the
following calculations
k1 xor( F( B( 1 ) ) , C(1) ) C(1,2) is
known, they are the start state of LFSR1
B(5) xor( F( A(1) ) , B(1), k1)
k5 xor( F( A(5) ) , A(4), B(5) )

13
Content Scrambling System

Through the table indexed by C(2) and B(1) all
permissible k2 can be found, there can be from
0-8 , on average 1. For all permissible k2
calculate
O2(1) , O2(2), and 2 possible O2(5). This is
possible since k1,2,5 are found.
For every legal initial state of LFSR2 there
exists a one to one mapping to O2(1,2,5) , by
generating a table with 224 entries the start
state of LFSR2 can be found. Thus C(1,2,3,4,5) is
potentially known.
B(4) xor( F( B(5) ) , C(5), k5 )
k4 xor( F( A(4) ) , A(3) , B(4) )
B(3) xor( F( B(4) ) , C(4), k4 )
k3 xor( F( A(3) ) , A(2) , B(3) )
B(2) xor( F( B(3) ) , C(3), k3 )
verify k2 xor( F( A(2) ) , A(1) , B(2) ) , this
holds for 1 / 256 tries ( 217 altogether ) and if
the test holds, the key C(1,2,3,4,5) can be
tested by eqn. (2). If eqn (2) holds, then a key
has been found that will satisfy the hash.