[pptp-server] Re: [pptp-server] poptop encryption and security issues
Matthew Ramsay
matthewr at moreton.com.au
Wed Jun 23 19:58:11 CDT 1999
the initial code came from here:
ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink/
documentation and tips on setting this up do not exist yet (that i know
of).. i hope to have something organised soon.
-matt
> So where can we find this wonderful patch? Do you have any helpful hits or
> tips regarding the installation of this patch?
>
> Thank you,
> Ron MacNeil
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Matthew Ramsay
> Sent: June 22, 1999 9:06 PM
> To: poptop
> Subject: [pptp-server] poptop encryption and security issues
>
> Hiya all,
>
> Yesterday, with the help of others, I successfully connected a win98
> PPTP client to my PoPToP server with 40 bit RC4 Microsoft data
> encryption :-) This was with a pppd patch which supports
> MSCHAP/MSCHAPv2/40 bit MPPE/128 bit MPPE.
>
> Now to address some security issues:
> First of all PoPToP relies on authentication and encryption FROM PPP!!!
> none of this comes from poptop itself.
>
> This addresses Bruce Schneier's page:
> (http://www.counterpane.com/pptp-pressrel.html)
>
> So what are the problems? from the press release page:
> 1. password hashing -- weak algorithms allow eavesdroppers to learn the
> user's password
> 2. Challenge/Reply Authentication Protocol -- a design flaw allows an
> attacker to masquerade as the server
> 3. encryption -- implementation mistakes allow encrypted data to be
> recovered
> 4. encryption key -- common passwords yield breakable keys, even for
> 128-bit encryption
> 5. control channel -- unauthenticated messages let attackers crash PPTP
> servers
>
> 1&2 are authentication issues.. MSCHAP is hopeless.. Windows clients
> support PAP/CHAP/MSCHAP and in the latest releases MSCHAPv2. MSCHAPv2
> supposedly *fixes* a lot of MSCHAP problems (i haven't heard much about
> it yet tho..?). The pppd patch i mentioned above supports MSCHAPv2. If
> you want MS Windows clients without extra 3rd party *EXPENSIVE* VPN
> clients this is as good as you get.... could MSCHAPv2 possible be secure
> though....? Anyone know much about MSCHAPv2's strengths (or weaknesses
> :-).
>
> 3&4 address encryption issues. the pppd patch above supports 40 and 128
> bit microsoft compatible encryption. I'm unsure on what implementation
> mistakes MS made?? anyone? the pppd patch follows the MPPE IETFs as far
> as i am aware... which are open for public scrutiny. Does the pppd patch
> suffer from the same problems.. dun know..
>
> 5 is a shocker and an obvious problem and exists in the current poptop
> implementation.. bad luck for now. IMO this is the only real problem
> with poptop.
>
> poptop is better than the NT pptp server.. but it does suffer from some
> of the same problems. It's good enough for me though.. i started poptop
> to do what it does right now! (i fear it wouldn't have got this far
> without Kevin and David though :-) I doubt we will be able to improve
> poptop without breaking windows client support.
>
> Comments on MSCHAPv2 and MPPE encryption sought after.
>
> cheers,
> -matt
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulte.org!
More information about the pptp-server
mailing list