Tim Gustafson | 1 Aug 01:40 2012

Re: PPTP traffic should be considered unencrypted

> The user's password.  That is to say, the attack would have to be
> repeated if the user changed their PPTP password.

Actually, it occurs to me that I haven't seen this question asked or
answered so far either:

The vulnerability described does not seem to be related to EAP,
correct?  Is using EAP as an authentication method still viable?

I'm thinking something like EAP-TTLS.  As described on the Wikipedia
page, it seems like a viable option.  I get that it doesn't do MPPE
encryption, but as I mentioned before, I don't particularly care about
that.

-- 
Tim Gustafson
tjg <at> soe.ucsc.edu
831-459-5354
Baskin Engineering, Room 313A

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
James Cameron | 1 Aug 02:27 2012

Re: PPTP traffic should be considered unencrypted

On Tue, Jul 31, 2012 at 04:40:03PM -0700, Tim Gustafson wrote:
> > The user's password.  That is to say, the attack would have to be
> > repeated if the user changed their PPTP password.
> 
> Actually, it occurs to me that I haven't seen this question asked or
> answered so far either:
> 
> The vulnerability described does not seem to be related to EAP,
> correct?  Is using EAP as an authentication method still viable?

I agree, the vulnerability is specific to MSCHAP-v2.  I know nothing
useful about EAP, sorry.  I don't know if anybody has it working with
PPTP.  Yes, MPPE depends on MSCHAP-v2, I don't think it can be made to
depend on anything else, but that's a matter for the pppd guys, in
pptpd land we just ask pppd to do it.

-- 
James Cameron
http://quozl.linux.org.au/

Charlie Brady | 1 Aug 02:42 2012

Re: PPTP traffic should be considered unencrypted


On Tue, 31 Jul 2012, Tim Gustafson wrote:

> Actually, it occurs to me that I haven't seen this question asked or
> answered so far either:
> 
> The vulnerability described does not seem to be related to EAP,
> correct?  Is using EAP as an authentication method still viable?
> 
> I'm thinking something like EAP-TTLS.  As described on the Wikipedia
> page, it seems like a viable option.  I get that it doesn't do MPPE
> encryption, but as I mentioned before, I don't particularly care about
> that.

EAP-TLS doesn't preclude MPPE. See:

http://www.ietf.org/rfc/rfc3079.txt

--
Charlie

Phillip S. Davis | 1 Aug 03:58 2012

Re: PPTP traffic should be considered unencrypted

Oh no, I meant the client and server setup... I'm trying IPsec with L2TP as suggested.

~Phil

----- Original Message -----
From: "James Cameron" <quozl <at> laptop.org>
To: "Phillip Davis" <pdavis <at> daviszone.org>
Cc: poptop-server <at> lists.sourceforge.net, pptpclient-devel <at> lists.sourceforge.net
Sent: Tuesday, July 31, 2012 4:18:47 PM
Subject: Re: [Poptop-server] PPTP traffic should be considered unencrypted

On Tue, Jul 31, 2012 at 09:11:05AM -0600, Phillip Davis wrote:
> All well and good, but what alternatives exist that are as easy to
> configure a poptop-server?

You probably mean client-side configuration?

I don't know, I've not done a study of client-side options.  But I've
always found OpenVPN to be easy to configure.  There exist many
clients pushed by the VPN provider market.  A list here:

http://en.wikipedia.org/wiki/OpenVPN#Client_software

-- 
James Cameron
http://quozl.linux.org.au/

Tim Gustafson | 1 Aug 05:25 2012

Re: MSCHAPv2 traffic should be considered unencrypted

> But I've always found OpenVPN to be easy to configure.  There exist
> many clients pushed by the VPN provider market.  A list here:
>
> http://en.wikipedia.org/wiki/OpenVPN#Client_software

And, as far as mobile devices go, all of those options require rooting
your phone.

The reason that PPTP is so nice is that pretty much EVERY device
supports it out-of-the-box.  That's a big deal for me.  My department
alone supports something like 500 active users, and the University as
a whole supports something like 30,000.  There's no way we're going to
convince all those people to root their phones, and even if we could I
wouldn't want to support all those clients after the fact - as soon as
we do something like that, everything that ever goes wrong with that
device again is "our fault" in our client's eyes.

As I understand it, most devices also support L2TP, but from what I
can tell that requires setting up a PKI and that is also just not
feasible.  Users know how to authenticate with their login names and
passwords.  The argument against this authentication model in the
documents I've read related to this MSCHAPv2 insecurity discussion is
that people pick easy-to-guess passwords.  That may be so, but
requiring users to use certificates for VPN connections when we don't
require them to use certificates for HTTPS or SSH connections is
seriously missing the point.  If an attacker can just bypass the VPN
and connect via HTTPS or SSH directly with a login name and password,
then there is no reason to require certificate authentication for VPN
connections.

James Cameron | 1 Aug 05:39 2012

Re: PPTP traffic should be considered unencrypted

On Tue, Jul 31, 2012 at 07:58:53PM -0600, Phillip S. Davis wrote:
> Oh no, I meant the client and server setup... I'm trying IPsec with
> L2TP as suggested.

Ah, okay, so poptop-server is far too easy to setup.  I shall have to
avoid making it any easier, and over the next few years hopefully
other technologies will become easier, and will overtake poptop-server
in ease-of-setup.  ;-}

-- 
James Cameron
http://quozl.linux.org.au/

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Jan Just Keijser | 1 Aug 09:34 2012

Re: [Poptop-server] PPTP traffic should be considered unencrypted

James Cameron wrote:
> On Tue, Jul 31, 2012 at 04:40:03PM -0700, Tim Gustafson wrote:
> > > The user's password.  That is to say, the attack would have to be
> > > repeated if the user changed their PPTP password.
> >
> > Actually, it occurs to me that I haven't seen this question asked or
> > answered so far either:
> >
> > The vulnerability described does not seem to be related to EAP,
> > correct?  Is using EAP as an authentication method still viable?
>
> I agree, the vulnerability is specific to MSCHAP-v2.  I know nothing
> useful about EAP, sorry.  I don't know if anybody has it working with
> PPTP.  Yes, MPPE depends on MSCHAP-v2, I don't think it can be made to
> depend on anything else, but that's a matter for the pppd guys, in
> pptpd land we just ask pppd to do it.

FWIW: a long time ago I wrote a patch for pppd to do just this:

  http://www.nikhef.nl/~janjust/ppp/

It adds EAP-TLS support (including MPPE+MPPC) to pppd, which in turn can
be used to secure a PPTP VPN using X509 certs.  The patch has not made it
into the pppd mainstream code yet (mostly due to me) but the patch has
been adopted by RedHat, Suse and Debian.

HTH,

JJK

Kosztyu András | 1 Aug 11:18 2012

Re: MSCHAPv2 traffic should be considered unencrypted

2012/8/1 Tim Gustafson <tjg <at> soe.ucsc.edu>
>
> > But I've always found OpenVPN to be easy to configure.  There exist
> > many clients pushed by the VPN provider market.  A list here:
> >
> > http://en.wikipedia.org/wiki/OpenVPN#Client_software
>
> And, as far as mobile devices go, all of those options require rooting
> your phone.
>
> The reason that PPTP is so nice is that pretty much EVERY device
> supports it out-of-the-box.  That's a big deal for me.  My department
> alone supports something like 500 active users, and the University as
> a whole supports something like 30,000.  There's no way we're going to
> convince all those people to root their phones, and even if we could I
> wouldn't want to support all those clients after the fact - as soon as
> we do something like that, everything that ever goes wrong with that
> device again is "our fault" in our client's eyes.
>
> As I understand it, most devices also support L2TP, but from what I
> can tell that requires setting up a PKI and that is also just not
> feasible.  Users know how to authenticate with their login names and
> passwords.  The argument against this authentication model in the
> documents I've read related to this MSCHAPv2 insecurity discussion is
> that people pick easy-to-guess passwords.  That may be so, but
> requiring users to use certificates for VPN connections when we don't
> require them to use certificates for HTTPS or SSH connections is
> seriously missing the point.  If an attacker can just bypass the VPN
> and connect via HTTPS or SSH directly with a login name and password,
> then there is no reason to require certificate authentication for VPN
> connections.
>
> Also, I think we should change the title of this thread to "MSCHAPv2
> traffic should be considered unencrypted", so I have done so in this
> reply.
>
> And, it's worth noting that this strongly suggests that WPA and WPA2
> authentication models are also equally insecure, as those both rely on
> MSCHAPv2 as well.
>
> --
>
> Tim Gustafson
> tjg <at> soe.ucsc.edu
> 831-459-5354
> Baskin Engineering, Room 313A
>

Actually, on most Android devices you can use OpenVPN without rooting
them, with featvpn, which somehow uses the built-in L2TP to hack the tun
connection.  Also, on 4.x Android there is a built-in VPN API, which will
be able to natively support OpenVPN.
My company is providing a public VPN service and we are finishing our
PPTP product as soon as we introduce the final version of our SSTP
server; still some testing ahead, but most likely with MikroTik.

Charlie Brady | 1 Aug 02:44 2012

Re: PPTP traffic should be considered unencrypted


On Tue, 31 Jul 2012, James Cameron wrote:

> > The vulnerability described does not seem to be related to EAP,
> > correct?  Is using EAP as an authentication method still viable?
> 
> I agree, the vulnerability is specific to MSCHAP-v2.  I know nothing
> useful about EAP, sorry.  I don't know if anybody has it working with
> PPTP. 

I posted a link to patches earlier.

> Yes, MPPE depends on MSCHAP-v2, I don't think it can be made to
> depend on anything else, but that's a matter for the pppd guys, in
> pptpd land we just ask pppd to do it.

MPPE session keys can be derived from EAP-TLS authentication. See the rfc 
(and presumably the patches, which I haven't studied).

--
Charlie
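As an added example (not code from this thread, from pptpd, or from the pppd EAP-TLS patch mentioned above), here is the derivation Charlie points to sketched in Python: with EAP-TLS the MPPE keys come out of the TLS master secret and the two handshake randoms, not out of a password hash, which is why it sidesteps the MS-CHAPv2 problem James describes. Assumptions, labelled as such in the code: the TLS 1.0/1.1 PRF of RFC 2246, the EAP-TLS key layout of RFC 2716/RFC 5216 (first 32 bytes of the MSK are the peer-to-authenticator key, the next 32 the authenticator-to-peer key), and that the 128-bit MPPE session keys take the leading 16 octets of each; the master secret and randoms in `demo_session()` are constructed test values, not captured from any handshake.

```python
"""
EAP-TLS -> MPPE key derivation, illustrative only.

Assumed (not stated in the thread): TLS 1.0/1.1 PRF per RFC 2246 section 5,
EAP-TLS key layout per RFC 2716 section 3.5 / RFC 5216 section 2.3, and the
128-bit MPPE key being the leading 16 octets of each 32-octet key (RFC 3079
section 3).  Nothing here touches a user password: the input is the TLS
master secret negotiated with certificates.
"""
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash expansion from RFC 2246: HMAC(secret, A(i) + seed), A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed).

    S1 is the first half of the secret, S2 the second half; for an
    odd-length secret the two halves share the middle byte (RFC 2246).
    """
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def eap_tls_mppe_keys(master_secret, client_random, server_random):
    """Derive the MPPE send/recv keys from a completed EAP-TLS handshake.

    Key_Material = PRF(master_secret, "client EAP encryption",
                       client.random + server.random), 128 bytes.
    MSK = first 64 bytes; EMSK = remaining 64 bytes (unused for MPPE).
    Layout assumed from RFC 5216: MSK[0:32]  = peer -> authenticator
    (MS-MPPE-Recv-Key), MSK[32:64] = authenticator -> peer (MS-MPPE-Send-Key).
    """
    key_material = tls10_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    msk = key_material[:64]
    recv_key = msk[:32]
    send_key = msk[32:64]
    return {
        "recv_key": recv_key,
        "send_key": send_key,
        # Assumed: 128-bit MPPE session keys are the leading 16 octets.
        "mppe128_recv": recv_key[:16],
        "mppe128_send": send_key[:16],
    }


def demo_session():
    """Run the derivation on constructed (not captured) handshake values."""
    master_secret = bytes(range(48))            # constructed 48-byte TLS master secret
    client_random = b"\x11" * 32                # constructed client.random
    server_random = b"\x22" * 32                # constructed server.random
    keys = eap_tls_mppe_keys(master_secret, client_random, server_random)
    return {name: value.hex() for name, value in keys.items()}


if __name__ == "__main__":
    for name, value in demo_session().items():
        print(f"{name:13s} {value}")
```

The point to take from running it: change the certificate-authenticated TLS master secret or either random and every key changes, while no password or password hash is an input anywhere, which is the property the MS-CHAPv2-derived MPPE keys lack.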

Nick Owen | 1 Aug 18:42 2012

Re: PPTP traffic should be considered unencrypted

On Tue, Jul 31, 2012 at 6:26 PM, James Cameron <quozl <at> laptop.org> wrote:
> On Tue, Jul 31, 2012 at 09:00:25AM -0700, Tim Gustafson wrote:
>> > http://www.theregister.co.uk/2012/07/31/ms_chapv2_crack/
>> >
>> > "Marlinspike says that MS-CHAPv2 should be purged from the Internet,
>> > advising that PPTP traffic 'should be considered unencrypted', and
>> > that MS-CHAPv2 enterprise users should begin migrating - now."
>>
>> I was just reading about this the other day, and I was hoping someone
>> could clarify something for me:
>>
>> Is the attack against the user's password, or the user's session
>> key?
>
> The user's password.  That is to say, the attack would have to be
> repeated if the user changed their PPTP password.

I'm curious about the impact of using one-time passwords.  If the
attacker knows you are using a 6-digit number, then it would take a
lot less time to break.  Still it might be longer than your session.

Nick

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
