Re: PPTP Revisited

From: aleph1at_private
Date: Sun Feb 14 1999 - 11:34:48 PST

Next message: tqbf: "Re: Comments re: Vulnerability Analysis"

Previous message: Paul Leach: "Re: PPTP Revisited"
Maybe in reply to: aleph1at_private: "PPTP Revisited"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Feb 13, 1999 at 03:39:05PM -0800, Paul Leach wrote:
> Nice analysis. Correct as far as I can see with a quick review. I only have
> one quibble with it. See below...
>
> > -----Original Message-----
> > From: aleph1at_private [mailto:aleph1at_private]
> > Sent: Saturday, February 13, 1999 11:29 AM
> > To: BUGTRAQat_private
> > Subject: PPTP Revisited
> >
> >
> > · MPPE does not provide true 128-bit or 40-bit security.
> >
> > This is still true. Under MSCHAPv2 the MPPE session keys
> > continue to be
> > derived from the user password, the challenges, and some
> > magic numbers. All
> > this information is public with the exception of the
> > password, ergo the
> > session key is only as strong at the password.
> >
>
> Some comments:
> The conclusion that the session key is only as strong as the password is
> true. I think it is somewhat misleading to conclude that the protocol
> doesn't offer "true" 40 or 128 bit security. It is easy to have a password
> that is more than 40 bits in strength.
>
> To give some context, it is equally true that Kerberos 5 does not provide
> "true" 40 or 128 bit security -- even though it generates random session
> keys, the ticket granting ticket containing the initial session key is
> encrypted with a key derived from the password.

That is correct. That is why you can perform a dictionary attack againts
Kerberos. Given this I don't see why you consider it missleading. I would
consider missleading claiming that Kerberos offers 40 or 128 bit security.

>
> To my knowledge, the same will hold for any authentication and key exchange
> protocol that doesn't use public key technology.

Well technically it is true for any protocol where the keys are not derived
from true random sources, the problem is having both parties agree to the
key. This can normally can be acomplished via public key technology. But
as you point out above even password based schemes like PPTP's can provide
40 or 128-bit security, if they pasword itself provides 40 or 128-bit security
its simply that for the average password this is not true.

> Paul
>

--
Aleph One / aleph1at_private
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Next message: tqbf: "Re: Comments re: Vulnerability Analysis"
Previous message: Paul Leach: "Re: PPTP Revisited"
Maybe in reply to: aleph1at_private: "PPTP Revisited"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:37 PDT