[pptp-server] PPTP Protocol insecurity

Pete Starzewski pstarzew at gbp.com
Tue Jul 24 08:06:07 CDT 2001


Dear fellows, ;-)

I know that this discussion might really have been held a 1000 times,
but since I read an article regarding the possible
MSCHAPv2 exploit today, I'd like to ask you people
for your opinion.

The paper I read is:
http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/
It is in English, so go ahead.

It describes how relatively easily MSCHAPv2 might be
exploited. So the question that I have for you is:

Do you worry about it? What do you tell your customers,
and are there good (or any) alternatives? OK, we could
put some firewall rules in front of it, but that's
not a solution for most of the dial-up users.

We could use PPTP on top of IPSEC (like freeswan), but
that's not really "smooth", and I never tried this
with a Mac. The reason we don't want to use
IPSEC thingies is the easy-to-use PPTP
features (like assigning IP addresses, DNS and whatever).

Anyone?

Regards,
Sascha

Sascha,

Yes.  It is a risk, but not necessarily because it is MS.  Any kind of 
password authentication has the same set of risks.  That is one of the 
reasons that IPSEC does not use user/password combinations to authenticate 
peers.

I don't think anyone here is saying that PoPToP has a superior 
authentication/security scheme.  I think the most common reasons to use 
PoPToP are that it is... A) cheap, B) the client is built into MS products, 
which eliminates the need to install client software on all the peers, and C) 
designed more specifically for Client to Network connections.

Just about all of the IPSEC dists. I've seen are specifically for Network 
to Network, i.e. FreeSWAN, CISCO, Intel et al.  Yes, they do have clients you 
can load on PCs, but from what I have seen they are cumbersome and leave 
something to be desired in the performance area.

The paper you linked to was interesting for some of the assumptions it 
makes.  As far as I can tell, PoPToP is NOT restricted to 8 characters for 
a password (and contrary to the author's assumptions, most UNIX isn't and 
hasn't been for quite a while).  I'm not sure what the limitation on 
Windows is.  If they are using the C2 standards, it should be 250.

It looks like the author's equations are exponential; therefore, if you 
doubled the password length from 8 chars to 16 chars, you would go from 16 
hours of computing time to 256 hours. This assumes they are correct in the 
first place.

All in all, any security is only as good as the people that administer 
it.  Enforce password restrictions, monitor your servers and use a good 
firewall.

I'll get off my soap box now.

Pete
