For those of us who missed David Hulton and Moxie Marlinspike’s Defcon 20 presentation on cracking MS-CHAPv2, here is an overview:
1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.
2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.
That is all, have a nice day…
Wait a minute, “PPTP traffic should be considered unencrypted,” what???
A recently released article by Moxie explains in detail how they are able to crack MS-CHAPv2 communication, used in many PPTP based VPNs with a 100% success rate. But that is not all, the protocol is also used in WPA2 enterprise environments for connecting to Radius authentication servers.
When VPNs started to become popular I remember the constant mantra that remote VPN communication is safe because it uses PPTP, safely encapsulating your traffic before sending it over the web. Well, it looks like this may not be the case anymore.
From Moxie’s article the weakness lays in the user password hash and three DES keys used in the encoding operation:
“The hash we’re after, however, is used as the key material for three DES operations. DES keys are 7 bytes long, so each DES operation uses a 7 byte chunk of the MD4 hash output. This gives us an opportunity for a classic divide and conquer attack. Instead of brute forcing the MD4 hash output directly (a complexity of 2128), we can incrementally brute force 7 bytes of it at a time.“
The keys come from the output of the MD4 of the password, which is only 16 bytes. Microsoft fills in the difference by padding the last key with zeros:
In doing so, this can significantly reduce the cracking time. Moxie created a tool called Chapcrack that will pull the necessary information from a network packet capture and cracks the third DES key. But this still leaves the first two DES keys, which could take a long time to crack.
Unless, that is, you take the output from Chapcrack and upload it to CloudCracker.
Cloudhacker is an online password cracking service that connects to a mean FPGA based box built by Pico Computing that they claim can crack any DES key within 24 hours:
“They were able to build an FPGA box that implemented DES as a real pipeline, with one DES operation for each clock cycle. With 40 cores at 450mhz, that’s 18 billion keys/second. With 48 FPGAs, the Pico Computing DES cracking box gives us a worst case of ~23 hours for cracking a DES key, and an average case of about half a day.”
So basically, if you can get a network packet capture, you can use Chapcrack to pull the DES key from it, and then pass it to CloudCracker to crack it within 24 hours. Then you can decrypt the entire network packet capture, or login to the users VPN or radius server.
Looks like it is time to move on from MS-CHAPv2 based security products.