[pptp-server] PPTP Vulnerabilities (Or are they?)
Ray Dzek
rdzek at specialized.com
Thu Jul 27 14:57:33 CDT 2000
Please bear with me on this as I am new to the PPTP security
model, and I am trying to understand a few points.
1) In all my research to date, the password hash seems to be the
biggest issue with key-pair generation. My understanding of this is
that as long as you force strong passwords, there is plenty of
randomness generated for a good key-set.
2) You should force the use of MS-CHAPv2 on the PPTP server to
take advantage of the stronger NT handshaking procedure.
3) Key sets are randomly generated for each session. So, in an
instance where you are using PPTP to support mobile users for
"dial-up" access via the internet, even if somebody were to sniff
enough data to get a key to crack - presumably the session would
be over long before the key was cracked. Since the key pair is only
valid for the duration of the session, a hacker would have to start all
over again for each "dial-up" session. This leads me to believe that
cracking keys is truly only useful when cracking VPNs that are set
up in a WAN environment when the connection is of long enough
duration to actually use the cracked key pair for that session.
Thanks in advance for your replies.
Ray