[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Counterpane Cracks MS's PPTP




This is a good paper. It covered almost all of the failures of MS PPTP.  
However, I think it missed a big one.
It is possible to recover all the clear text from a PPTP session,
even if most of the traffic is going in one direction only.
The failure is in MPPE.  When MPPE gets a sequenceing error, it
resets the key.  This causes the cipher stream to be reset.  It is
partially covered in section 5.4 .
Since RC4 is a stream cipher, it generates the same
cipher stream for a given key.  This cipher stream is XORed with the clear
text.
To recover the clear text, an attacker just needs to force a
resyncronization by
sending a packet that has a bogus coherency count.  
If the attacker captures the original stream and the resynchronized stream
a simple XOR of the two streams results in an XOR of the cleartext.
While compression does make it harder to determine what the cleartext is,
It is likely that a determined attacker can decrypt and decompress the
XORed result.  
Brad
Brad Kemp
Indus River Networks, Inc.                   [email protected]
31 Nagog Park						 978-266-8122
Acton, MA 01720                              fax 978-266-8111