MS-PPTP 1, 1. Abstract( )

Transcription

1 FS-TR00-06 Aug. 02, 2000 (26 pages) Technical Report MS-PPTP 1, ( ) {logic, chlim}@future.co.kr Abstract( ) PPTP(Point-to-Point Protocol) PPP encapsulation tunneling VPN. PPP. PPP PPTP RFC כ. MS-PPTP microsoft PPTP Window95/98/NT. MS-PPTP 1 2. ( ) Cryptography & Network Security Center, Future Systems, Inc. (

2 MS-PPTP 1, ( ), PPTP(Point-to-Point Protocol) PPP encapsulation tunneling VPN. PPP. PPP PPTP RFC כ. MS-PPTP microsoft PPTP Window95/98/NT. MS-PPTP PPP(Point-to-Point Protocol) Encapsulation LinkOperation LCP LCPConfigurationOption NCP(NetworkControlProtocol) IPCP PPTP(Point-to-Point Tunneling Protocol) ControlConnection Tunneling L2TP MS-PPTP v MS-CHAPv MS-CHAP v MPPE CCP MPPEPacket MPPEKeyDrivation MPPE v OtherAttack logic@future.co.kr i

3 5 PPTP v MS-CHAPv MS-CHAP v MPPEv MPPE v OtherAttack ii

4 1 PPTP(Point-to-Point Tunneling Protocol) PPP(Point-to-Point Protocol)frame IP datagram encapsulation VPN(Virtual Private Network). PPTP tunnel,, control connection TCP. TCP port Client PPTP. 1. PSTN/ISDN ISP network access server 2. LAN PPTP client PPP ISP PPP ISP PPTP PPTP כ. PPTP client PPTP. client LAN ISP כ PPTP PPTP. Client Internet Client PPTP server ISP client PPTP tunneling PPP. Micorsoft כ MS-PPTP Window 95/98/NT. protocol standard CHAP(Challenge Handshake Authentication Protocol) MS-CHAP RC4 stream cipher MPPE(Micorsoft Point-to-Point Encryption Protocol). PPP encapsulation GRE IP datagram encapsulation. GRE protocol encapsulation IP protocol 47. GRE GRE[18] enhanced GRE protocol [8].. PPP Header IP Header GRE Header PPP Header PPP Payload (IP /IPX / NetBEUI Frame) PPP Trailer MS-PPTP v1 [13] MS-PPTP v2. v1 v2. 1. MS-CHAP v1 v2 response dictionary attack. v1 Lan manager dictionary attack. 2. Control connection monitering. 1

5 3. MPPE key password random key כ. 4. rollback attack. PPTP MS-PPTP. 2 PPP(Point-to-Point Protocol) PPP PPP link multi-protocol datagram protocol Encapsulation, LCP(Link Control Protocol), NCP(Network Control Protocol).LCP PPP link protocol NCP network layer protocol protocol.ncp IP protocol IPCP(IP Control Protocol). 2.1 Encapsulation PPP [3] Protocol Information Padding 8/16 bits * * Protocol field Infomation data כ 1 2octet infomation field protocol. [1] Internet Protocol(IP) 002d Van Jacobson Compressed TCP/IP 002f Van Jacobson Uncompressed TCP/IP 8021 Internet Protocol Control Protocol(IPCP) c021 Link Control Protocol(LCP) c023 Password Authentication Protocol c025 Link Quality Report c223 Challenge Handshake Authentication Protocol(CHAP) Information protocol field Maximum Receive Unit(MRU) כ 1500 octets כ LCP. Padding. 2

6 PPP ISO HDLC [22] Flag Address Control Protocol Information Padding 8/16 bits * * FCS Flag Inter-frame Fill 16/32 bits or next Address Link Operation PPP link (configuration), (maintain) (terminate) (phase) כ [3]. Dead UP Establish OPENED Authenticate SUCCESS /NONE FAIL FAIL DOWN Terminate CLOSING Network Dead. physical layer Establish Link Control Protocol(LCP) configure LCP. Configure Option כ. option default. Authentication. authentication protocol Establish LCP authentication terminate. Network NCP(Network Control Protocol) network layer protocol (IP,IPX,Appletalk). PPP network layer. Terminate ( ) Terminate PPP. 3

7 2.2.1 LCP Configure-Request, Configure-Ack, Configure-Nak, Configure- Reject Terminate-Request, Terminate-Ack Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, Discard-Request [3] Code Identifier Length Data Code LCP 1 11 (e.g, Configure-Request : 1, Configure-Ack : 2, etc). Identifier request reply matching.length Code MRU. Datafield Code field LCP Configuration Option LCP Data כ כ Configure Option.Data Type Length Data Type 0 : reserved, 1 : Maximum-Receive-Unit, 3 : Authentication-Protocol, 4 : Quality-Protocol, 5 : Magic-Number, 7 : Protocol-Field-Compression, 8 : Address-and-Control-Field-Comprssion Length Type. Data Type length כ. Type כ Authentication-Protocol MS-CHAP Type Length Authentication-Protocol Data Type 3, Length>=4, Authentication-Protocol field 0xc023 : Password Authentication Protocol, 0xc027 : Shiva Password Authentication Protocol, 0xc223 : Challenge Handshake Authentication Protocol, 0xc281 : Proprietary Authentication Protocol, 0xc481 : Proprietary Node ID Authentication Protocol [1]. 4

8 2.3 NCP(Network Control Protocol) PPP link LCP network layer protocol NCP. network layer. IP(Internet Protocol) NCP IPCP (IP Control Protocol) [2] IPCP IPCP LCP. IPCP PPP encapsulation Protocol field 0x8021. Code field 1 7(Configure-Request, Configure-Act, Configure-Nak, Configure-Reject, Termanate- Ack, Code-Reject). LCP network layer phase IPCP. IPCP LCP Configuration Option. Type כ [2]. 1 IP-Addresses : 2 IP-Compression-Protocol : compression protocol (e.g, Van Jacobson Compressed TCP/IP) 3 IP-Address : end link IP Address IPCP opened state IP PPP encapsulation. PPP Protocol field IP 0x PPTP(Point-to-Point Tunneling Protocol) PPP כ PPP IP network tunneling protocol PPTP [8]. NAS(Network Access Server). 1. PSTN ISDN interfacing /terminal adapter 2. PPP LCP 3. PPP authentication protocol 4. PPP multilink Protocol 5. PPP NCP 6. NAS interface multiprotocol routing bridging 1 2(3), (3)4 6 PAC(PPTP Access Concentrator), PNS(PPTP Network Server)., 3 PAC, PNS. Tunneling PAC PNS tunneling protocol GRE(Generic Routing Encapsulation)[18, 19] enhanced GRE protocol[8]. PPTP 1) PNS-PAC control connection 2) PNS-PAC tunneling 5

9 PPTP tunneling PNS internet USER ppp PAC PPTP tunneling PNS 3.1 Control Connection Control Connection message tunneling PAC-PNS PPTP,, TCP. destination port 1723 source port port. Control Connection PNS,PAC.. [8] Length PPTP Message Type Magic Cookie Control Message Type Reserved0 Length, Type 1(Control Message) 2(Management Message), Magic כCode Cookie 0x1A2B3C4D. Control Message Type Message. Control Message Message Code (Control Connection Management) Start-Control-Connection-Request 1 Start-Control-Connection-Reply 2 Stop-Control-Connection-Request 3 Stop-Control-Connection-Reply 4 Echo-Request 5 Echo-Reply 6 (Call Management) Outgoing-Call-Request 7 6

10 Outgoing-Call-Reply 8 Incoming-Call-Request 9 Incoming-Call-Reply 10 Incoming-Call-Connected 11 Call-Clear-Request 12 Call-Disconnect-Notify 13 (Error Reporting) WAN-Error-Notify 14 (PPP Session Control) Set-Link-Info Tunneling End link user PPP PNS PAC PNS כ tunneling. PPP GRE (enhanced GRE header) encapsulation IP PAC-PNS [18, 15]. Media Header IP Header GRE Header PPP packet enhanced GRE [8] C R K S s Recur A Flags Ver Protocol Type Key (HW) Payload Length Key (LW) Call ID Sequence Number (Optional) Acknowledgment Number (Optional) 0 15 bit : [8]. Protocol Type : 0x880B(PPP) Payload Length : GRE payload. Call ID : session peer Call ID. Sequence Number : Payload sequence number S bit setting. Acknowledgment Number : GRE sequence number A bit setting. PPTP remote access LAN [15]. 7

11 Client Client Application GRE TCP 1 2 output packet PPTP encapsulation IP PPP 3 to remote network or to local area network PPTP Communication Device Ethernet Internet PPTP Server PPTP Server 3.3 L2TP PPTP L2TP(Layer Two Tunneling Protocol[20]) [21].. 1. L2TP LAC(PAC ) LNS(PNS ) LCP authentication L2F(Layer Two Forwarding Protocol). PPTP PNS PAC tunnel PPP. 2. PPTP tunnel start request start response L2TP three-way handshake. PPTP tunnel 2 L2TP reliable delivery. PPTP control reliable delivery TCP. 3. L2TP, L2F, PPTP GRE. PPTP control channel TCP/IP GRE/IP encapsulation channel L2TP channel flag control. 4. L2TP IP IPsec PPTP control message data IPsec., IPsec transport PPTP control message IPsec tunneled data control message authentication, data authentication encryption. 4 MS-PPTP v1 PPP PPTP Microsoft MS-PPTP 8

12 . 4.1 MS-CHAP v1 PPP Establishment phase LCP Network phase Authenticate phase Configuration Option. CHAP(Challenge-Handshake Authentication Protocol), MS כ MS-CHAP. MS-CHAP standard CHAP. standard CHAP. LCP Configuration Option standard CHAP [5]. Type Length Authentication-Protocol Algorithm Type Authentication-Protocol 3, Length 0x05, Authentication-protocol 0xc223(CHAP), Algorithm MD5 CHAP 0x05. MS-CAHP Algorithm field 0x05 0x80. CHAP. CHAP PPP encapsulation protocol field 0xc223 [7]. Code Identifier Length Data Code 1:Challenge, 2:Response, 3:Success, 4:Failure, Identifier challenges/responses/replies matching, Length Code, Data Code field. MS MS-CHAP [7, 12]. MS-CHAP DES Lan Manager hash MD4 Window NT hash. DesEncrypt(IN 8-octet Clear, IN 7-octet Key, OUT 8-octet Cipher ) // DES block cipher DesHash(IN 7-octet Clear, OUT 8-octet Cipher ){ DesEncrypt( StdText, Clear, giving Cipher ) } // StdText={KGS!@#$%} LmPasswordHash(IN 0-to-14-oem-char Password, OUT 16-octet PasswordHash ){ DesHash( 1st 7-octets of UcasePassword, giving 1st 8-octets of PasswordHash ) DesHash( 2nd 7-octets of UcasePassword, 9

13 } giving 2nd 8-octets of PasswordHash ) NtPasswordHash(IN 0-to-256-unicode-char Password, OUT 16-octet PasswordHash ) // MD4. Lan Manager hash 1. password padding 14 byte string byte 7byte DES key constant 8byte byte כ. window NT hash 14 byte password MD4 16 byte כ. MS-CHAP. 4 client. 1. client login challenge. כ 2. 8byte challenge client. 3. client password Lan Manager hash NT hash 16 byte כ כ 5byte 0 padding 21 byte. 7byte 3 DES key 8 byte challenge. 24 byte (response). flag window NT response flag 1, LanManage 0 setting. 4. client כ DES client כ. MS-CHAP PPP LCP [12]. Client -> Server c c [extra negotiation 10 bytes removed] 0xc021 - LCP packet 0x01 - configure Request 0x00 - ID 0 0x length 19 bytes 0x03 - Authentication 0x05 - CHAP option length 5 bytes 0xc223 - CHAP 0x80 - MS-CHAP 10

14 - Server->Client c d 08 cf 4f 0e b 0c 0xc223 - CHAP packet 0x01 - challenge 0x00 - ID 0 0x000d - length 13 bytes 0x08 - value size of the challenge 0xcf4f0e b0c - challenge value - Client response C b d1 d fd d3 8e 4d 68 aa 24 6f 0c d b 8c 9a c a0 d0 4a 47 7a 36 a1 8a 57 8e 76 c a f d 69 6e f 72 0xc223 - CHAP 0x02 - response 0x00 - ID 0x length 53 bytes [The ascii string has been changed to protect the innocent] 0x31 - Value length of challenge response 0x bd1d86068fdd38e4d68aa246f0cd695347b8c9a31 - LANMAN response 0x196c a0d04a477a36a18a578e76c63678a114790f - NT response 0x01- use Windows NT compatible challenge response flag "Administrator" - account name Change Password Packet Change Password Packet standard CHAP MS-CHAP v1 כ כ [7]. Change Password Packet authenticator( ) ERROR PASSWORD EXPIRED CHAP failure.. 1 octet : Code (=5) 1 octet : Identifier 2 octets: Length (=72) 16 octets: Encrypted LAN Manager Old password Hash 16 octets: Encrypted LAN Manager New Password Hash 16 octets: Encrypted Windows NT Old Password Hash 16 octets: Encrypted Windows NT New Password Hash 2 octets: Password Length 2 octets: Flags 11

15 - 16 octets field password password Lan Manager hash Window NT hash כ 8 challenge key DES encryption כ. - passive monitering challenge password כ.. Window NT 3.51/4.0 ( [7] ) Windows octet : Code 1 octet : Identifier 2 octets : Length 516 octets : Password Encrypted with Old NT Hash 16 octets : Old NT Hash Encrypted with New NT Hash 516 octets : Password Encrypted with Old LM Hash 16 octets : Old LM Hash Encrypted With New NT Hash 24 octets : LAN Manager compatible challenge response 24 octets : Windows NT compatible challenge response 2 octets : Flags - PasswordEncryptedwithOldNTHash password NT hash כ key password window NT כ RC4. - Old NT Hash Encrypted with New NT Hash כ password NT hash כ key password NT כ RC4. - PasswordEncryptedwithOldLMHashOld LM Hash Encrypted With New NT Hash field 0., Flags 1 field. - password כ RC4 password כ password כ decrypt כ. - Mallory DNS hijacking RIP spoofing PPTP client password כ. Mallory client ERROR PASSWD EXPIRE. password כ PPTP client [14]. 4.2 MS-CHAP v1 MS-CHAP 24byte response client Lan Manager hash NT hash כ. כ flag. כ. Lan Manager hash. L0phtcrack automatic password cracker Lan Manager hash password NT hash. Lan Manager hash 14 byte password 7byte key 12

16 security. password 7 כ 8byte password 7. Lan Manager hash MS-CHAP security כ. Lan Manager hash response [12]. P : password, K : key, H : hash value, R : response, C : challenge, S : StdText 1. P0,..., P6, P7,..., P13 2. H0,..., H7, H8,..., H14, H15 <- P 3. K0,..., K7, K8,..., K14, K15,0,0,0,0,0 <- 0 padding 4. K0,..., K6, K7, K8...,K13 K14,K15,0,0,0,0,0 <- 7byte. 5. R0,...,R7, R8,..., R15, R16,...,R23 <- C K PPTP challenge C(8 byte) client response R(24 byte). 1. K14, K15 C R16,...,R23 כ K14,K15. ( 2 15 operation כ.) כkey S כ כ. 2. K14, K15 H14, H15,, table כ 2byte H14, H15 P7,..., P13.. K8,..., K13 כ. K7 כ כ. כ C כ R8,..., R15 P7,...,P13 כ P7,...,P13. P7,..., P13 K7. כ כ, P0,...,P6 byte H7 2. K7 3. כ N N/2 8 P0,...,P6. Lan manager hash MS-CHAP. 4.3 MPPE MPPE(Microsoft Point-To-Point Encryption) PPP [10]. RC4 stream cipher RC4 encryption table 40 bit, 56 bit 128 bit key. key option. MPPE CCP CCP CCP(Compression Control Protocol) PPP link [4]. CCP PPP protocol field 0x80FD כ Network-Layer Protocol phase. LCP. 13

17 CCP option LCP Option Type Length Supported Bits Supported Bits Type MPPE 18, Length 6, Supported Bits H M S L D C Cbit MPPC(Microsoft Point-to-Point Compression), Dbit, L,S,M bit setting 40,128,56bits session key. Hbit setting stateless mode session key. <CCP example> Client->Server 80 fd a x80fd - Compression Control Protocol 0x01 - Configure Request 0x05 - ID 5 0x000a - Length 10 0x12 - Type 18 MPPE 0x06 - Length 6 0x bit session key Server->Client 80 fd a x80fd - Compression Control Protocol 0x02 - Configure Acknowledgement 0x05 - ID 5 0x000a - Length 10 0x12 - Type 18 MPPE 0x06 - Length 6 0x bit session key MPPE Packet MPPE PPP Network-Layer Protocol phase CCP control protocol opened state. MPPE PPP encapsulation PPP protocol field 14

18 0x00FD. PPP protocol field 0x0021 0x00FA encapsulation. MPPE reliable link Coherency Count field. MPPE PPP Protocol A B C D Coherency Count Encrypted Data PPP Protocol:0x00FD, B,C bit, A bit(flushed bit) setting RC4 encryption table כ session key. stateless mode Abit setting. Dbit 1 0. Coherency Count (0x0FFF) 0 reset. Encrypted Data PPP protocol field. IP datagram 0x0021 IP MPPE Key Drivation MPPE, key RC4 stream cipher encryption table session key [11]. 40-bit Session Keys Generation 1. client password Lan manager hash כ SHA 64bit. Get_Key(PasswordHash, SessionKey, 8) // כ // PasswordHash LmPasswordHash(), 8 output string octets length 2. כ 40bit 24 bit 0xD1269E setting. SessionKey[0] = 0xd1 ; SessionKey[1] = 0x26 ; SessionKey[2] = 0x9e ; 56-bit Session Keys Generation 40 bit 56bit. 8bit 0xd1 setting. 128-bit Session Keys Generation 1. client password NT hash 16 byte כ. 2. כ MD4 16 byte כ. 3. כ MS-CHAP 8 byte challenge concatenate SHA 128 bit. 15

19 Get_Start_Key(Challenge, NtPasswordHashHash, InitialSessionKey) Get_Key(InitialSessionKey, CurrentSessionKey, 16) < > SHApad1[40] = {0x00,..., 0x00}; SHApad2[40] = {0xf2,..., 0xf2}; Get_Key( IN InitialSessionKey, IN/OUT CurrentSessionKey IN LengthOfDesiredKey ) { SHAInit(Context) SHAUpdate(Context, InitialSessionKey, LengthOfDesiredKey) SHAUpdate(Context, SHAPad1, 40) SHAUpdate(Context, CurrentSessionKey, LengthOfDesiredKey) SHAUpdate(Context, SHAPad2, 40) SHAFinal(Context, Digest) memcpy(currentsessionkey, Digest, LengthOfDesiredKey) } Get_Start_Key( IN Challenge, IN NtPasswordHashHash, OUT InitialSessionKey) { SHAInit(Context) SHAUpdate(Context, NtPasswordHashHash, 16) SHAUpdate(Context, NtPasswordHashHash, 16) SHAUpdate(Context, Challenge, 8) SHAFinal(Context, Digest) memcpy(initialsessionkey, Digest, 16) } <Example 128-bit Key Derivation> Initial Values Password = "clientpass" Challenge = 10 2d b5 df 08 5d Step 1: NtPasswordHash(Password, PasswordHash) PasswordHash = 44 eb ba 8d b8 d f ae Step 2: PasswordHashHash = MD4(PasswordHash) PasswordHashHash = 41 c0 0c 58 4b d2 d9 1c a2 a1 2f a5 9f 3f Step 3: GetStartKey(Challenge, PasswordHashHash, InitialSessionKey) 16

20 InitialSessionKey = a cf c0 ac ca d1 78 9f b6 2d dc dd b0 Step 4: Copy InitialSessionKey to CurrentSessionKey CurrentSessionKey = a cf c0 ac c1 d1 78 9f b6 2d dc dd b0 Step 5: GetKey(InitialSessionKey, CurrentSessionKey, 16) CurrentSessionKey = 59 d1 59 bc 09 f7 6f 1d a2 a8 6a 28 ff ec 0b 1e 256 key. key, original key concatenate SHA 40 bit, 56 bit 128 bit key. Key 40bit 24 bit 0xD1269E setting. 4.4 MPPE v1 1. key 40 bit 128 bit security 40 bit 128 bit. key כ client password random כ כ security [12] bit salt PPP cipher text bit, PPTP key. 4. RC4 OFB mode stream cipher. cipher text. 5. MPPE coherency count field 1 coherency count CCP Reset-Request resynchronization message RC4 key. 256 key update key כ. key cipher text XOR plain text XOR כ. < example > Alice Bob [15]. RC4 key coherency count 0 setting כ. Alice -> Bob Alice Bob coherency count 0. Alice coherency count 1 setting, Bob decrypt coherency count 1 setting. Mallory(Bob) -> Alice Mallory Alice CCP Reset-Request coherency count 1. Alice -> Bob Alice RC4 key MPPE A bit setting. Mallory 256 key encryption. 17

21 4.5 Other Attack Passive monitering PPTP session / [13]. PPTP control connection message. monitering. PPTP START SESSION REQUEST [8]. Maximum Channels Firmware Revision + Host Name (64 octets) + + Vendor String (64 octets) + Maximum Channels PAC PPP session, Firmware Revision PAC firmware revision PNS PPTP driver version, Host Name PAC PNS DNS,VendorString PAC type PNS software. - client/server IP, client machine RAS version/netbios name, client/server vendor identification. - PPTP START SESSION REQUEST connection / Spoofing PPP negotiations PPP CCP negotiation,. Potential Client Information Leaks Windows 95 client buffer. PPTP PPTP START SESSION REQUEST Host Name Vendor String 0x00 padding window PPTP v2 [12] MS-PPTP v1 v2. MS-CHAP MS-CHAPv2 MPPE. security. [13]. -MS-CHAP Lan Manager hash כ MS-CHAPv2. - -MS-CHAP change password packet MS-CHAPv2 single change password packet. - MPPE key. 18

22 5.1 MS-CHAP v2 MS-CHAP v2 LCP option 3 CHAP field 0x81. MS-CHAPv2. client 8byte challenge [9, 13]. 1. client login challenge. כ byte random challenge. 3. client Peer Authenticator Challenge 16 byte random number Peer Authenticator Challenge challenge username concatenate כ SHA-1 כ 8byte challenge כ. ChallengeHash( IN 16-octet PeerChallenge, // client challenge IN 16-octet AuthenticatorChallenge, // server challenge IN 0-to-256-char UserName, // client user name OUT 8-octet Challenge // out strings (MS-CHAP 8byte challenge כ MS-CHAPv2 challenge.) 4. password NT hash 16byte NtPasswordHash( IN 0-to-256-unicode-char Password, OUT 16-octet PasswordHash ) 5. 4 כ byte MS-CHAP v1 24byte. 21byte 7byte 3 DES key challenge. ChallengeResponse( IN 8-octet Challenge, IN 16-octet PasswordHash, OUT 24-octet Response ) { DesEncrypt( Challenge, PasswordHash, Response ) DesEncrypt( Challenge, PasswordHash, Response ) DesEncrypt( Challenge, PasswordHash, Response ) } 6. 3 כ client client 24 byte response כ. GenerateNTResponse( IN 16-octet AuthenticatorChallenge, IN 16-octet PeerChallenge, IN 0-to-256-char UserName, 19

23 IN 0-to-256-unicode-char Password, OUT 24-octet Response ) { 8-octet Challenge 16-octet PasswordHash ChallengeHash( PeerChallenge, AuthenticatorChallenge, UserName, giving Challenge) } NtPasswordHash( Password, giving PasswordHash ) ChallengeResponse( Challenge, PasswordHash, giving Response ) Server Authentication 1. client password NT כ, client 24byte response, Magic server to client constant concatenate SHA כ 20byte, client 8byte, Pad to make it do more than one iteration concatenate SHA כ client. GenerateAuthenticatorResponse( IN 0-to-256-unicode-char Password, IN 24-octet NT-Response, IN 16-octet PeerChallenge, IN 16-octet AuthenticatorChallenge, IN 0-to-256-char UserName, OUT 42-octet AuthenticatorResponse ) { /* Hash the password with MD4 */ NtPasswordHash( Password, giving PasswordHash ) /* Now hash the hash */ HashNtPasswordHash( PasswordHash, giving PasswordHashHash) SHAInit(Context) SHAUpdate(Context, PasswordHashHash, 16) SHAUpdate(Context, NTResponse, 24) SHAUpdate(Context, Magic1, 39) SHAFinal(Context, Digest) ChallengeHash( PeerChallenge, AuthenticatorChallenge, UserName, giving Challenge) SHAInit(Context) SHAUpdate(Context, Digest, 20) SHAUpdate(Context, Challenge, 8) 20

24 } SHAUpdate(Context, Magic2, 41) SHAFinal(Context, Digest) Change Password Packet MS-CHAP v2 change password authenticator( ) ER- ROR PASSWD EXPIRED. ( [9] ) Windows NT 4.0, Windows 95/98. [9]. 1 octet : Code 1 octet : Identifier 2 octets : Length 516 octets : Encrypted-Password 16 octets : Encrypted-Hash 16 octets : Peer-Challenge 8 octets : Reserved 24 octets : NT-Response 2-octet : Flags - Encrypted-Password field password window NT כ key password window NT כ כ. -Encrypted-Hash password window NT כ key password window NT כ כ. - MS-CHAP v1 Lan manager hash rollback כ. 5.2 MS-CHAP v2 Window NT password [13]. MS-CHAP MS-CHAPv2. MS-CHAP client NT כ Lan manager hash כ Lan manager hash. MS-CHAPv2 connection. 16 byte random client random כ user name public. כ concatenate SHA-1 8byte challenge C. client 24 byte response R. R R = <DESX(C), DESY(C), DESZ(C)>. X,Y,Z 14 byte password NT hash כ 0 5 padding 7byte כ. Z 2byte 2 כ 16. ( ). NT כ 2byte Z כ sorting MS-CHAP. standard dictionary attack N N/2 16. attack client response SHA-1(NT(C)) insecure. Server כ SHA כ כ security כ. 21

25 5.3 MPPE v2 MPPE v1 client RC4 key MPPE v2 כ key [11, 13]. master-master key key key. Master-master key password NT כ, 24byte response, 27 byte This is the MPPE Msater key SHA כ 16byte כ master-master key. 40 bit key generation 1. master-master key, 40 byte 0x00, 84 byte constant, 40 byte 0xF2 SHA כ 8byte. Magic constant client כ key כ כ bit 0xD1269E setting 40 bit key. <Example 40-bit Key Derivation> Initial Values UserName = "User" = Password = "clientpass" = C E AuthenticatorChallenge = 5B 5D 7C 7D 7B 3F 2F 3E 3C 2C PeerChallenge = E 26 2A F 2B 3A 33 7C 7E Challenge = D0 2E BC E NT-Response = E CD 8D 70 8B 5E A0 8F AA CD A 3D 85 D6 DF Step 1: NtPasswordHash(Password, PasswordHash) PasswordHash = 44 EB BA 8D B8 D F AE Step 2: PasswordHashHash = MD4(PasswordHash) PasswordHashHash = 41 C0 0C 58 4B D2 D9 1C A2 A1 2F A5 9F 3F Step 3: Derive the master key (GetMasterKey()) MasterKey = FD EC E3 71 7A 8C 83 8C B3 88 E5 27 AE 3C DD 31 Step 4: Derive the master send session key (GetAsymmetricStartKey()) SendStartKey40 = 8B 7C DC 14 9B 99 3A 1B Step 5: Derive the intial send session key (GetNewKeyFromSHA()) SendSessionKey40 = D1 26 9E C4 9F A6 2E 3E 22

26 56-bit Session Keys Generation 40 bit 56bit. 8bit 0xd1 setting. 128 bit key generation 40 bit כ 16 byte. 5.4 MPPE v2 1. MPPE v1 client server key v2 key key security password. key כ key constant כ key. RC4 128 bit entropy. 2. [13] 40bit 0xD1269E setting key stream 1,2 0x09 0x /256= key schedule S[1]=0x09, S[2]=0x /e. 40bit bit 0xD1269E כ security. 5.5 Other Attack Version Rollback Attacks MS negotiation MS-CHAPv2 fail MS-CHAPv1 [13] client MS-CHAPv2 fail MS-CHAPv1 version rollback attack. 6 PPTP MS MS-PPTP. PPTP control connection. MS PPTP v1 v2 כ. CHAP dictionary attack כ, v2 window NT Lan manager. version roll back. MPPE RC4 key password constant security. [1] Reynolds, J. and J. Postel, Assigned Numbers, RFC1700, October [2] G. McGregor, The PPP Internet Protocol Control Protocol (IPCP), RFC1172, May [3] W. Simpson, Editor, The Point-to-Point Protocol (PPP), RFC1661, July [4] D. Rand, The PPP Compression Control Protocol (CCP),,RFC1962, June

27 [5] W. Simpson, PPP Challenge Handshake Authentication Protocol (CHAP), RFC1994, August [6] G. Pall, Microsoft Point-To-Point Compression (MPPC) Protocol, RFC2118, March [7] G. Zorn, S. Cobb, Microsoft PPP CHAP Extensions, RFC2433, October [8] K. Hamzeh, G. Pall, W. Verthein, J. Taarud, W. Little, G. Zorn, Point-to-Point Tunneling Protocol (PPTP), RFC2637, July [9] G. Zorn, Microsoft PPP CHAP Extensions, Version 2, RFC2759, January [10] G. S. Pall, G. Zorn Microsoft Point-To-Point Encryption (MPPE) Protocol, <draft-ietf-pppextmppe-04.txt>,october [11] G. Zorn, MPPE Key Derivation <draft-ietf-pppext-mppe-keys-02.txt>, September [12] Bruce Schneier, Mudge Cryptanalysis of Microsoft s Point-to-Point Tunneling Protocol(PPTP), [13] Bruce Schneier, Mudge Cryptanalysis of Microsoft s PPTP Authentication Extensions(MS- CHAPv2) [14] Analysis by Aleph ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip masq vpn.html [15] Understanding Point-to-Point Tunneling Protocol(PPTP) PPTP.htm [16] W. Simpson, PPP in HDLC-like Framing, RFC1662, July [17] G. McGregor, The PPP Internet Protocol Control Protocol (IPCP), RFC1332, May [18] S. Hanks, T. Li, D. Farinacci, P. Traina, Generic Routing Encapsulation(GRE), RFC1701, October [19] S. Hanks, T. Li, D. Farinacci, P. Traina, Generic Routing Encapsulation over IPv4 networks, RFC1702, October [20] W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter, Layer Two Tunneling Protocol(L2TP),RFC2661, August [21] R. Shea, L2TP Implementation and Operation, Addison-Wisley, [22] W. Simpson, PPP in HDLC-like Framing, RFC1662, July