MS-CHAPv2 is an aging but still widely used challenge-handshake protocol. It is used by PPTP and appears in many internet VPNs – such as IPredator: “The Pirate Bay's VPN service, which is presumably designed to protect communication from state-level observation,” he says. But he goes on to show that it won’t.
Marlinspike blames the prevalence of PPTP not directly on Bruce Schneier but on the industry’s interpretation of a Schneier analysis dating back to 1999. At that time Schneier and Mudge (Peiter Zatko, then with L0pht and CDC, but more recently with DARPA) wrote that “the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user.”
The industry seems to have taken that to mean that PPTP is secure provided it uses a strong password; but what Marlinspike has now demonstrated is that any password can be readily cracked. In his blog post headed ‘Divide and Conquer’ he provides a technical overview of CHAPv2 showing a weakpoint in the system that can be exploited by divide and conquer. “The hash we're after,” he writes, “is used as the key material for three DES operations. DES keys are 7 bytes long, so each DES operation uses a 7 byte chunk of the MD4 hash output. This gives us an opportunity for a classic divide and conquer attack.”
It would still be difficult but for the implementation of the third DES key. Each DES key is 7 bytes in length. But the total length is drawn from the MD4 hash (the password) which is only 16 bytes. Microsoft’s solution was to pad out the third key with zeros, meaning that the third key is effectively just 2 bytes in length – and can be brute forced “in a matter of seconds.” That still leaves two DES keys to be cracked; but the “interesting thing about the remaining unknowns is that both of the remaining DES operations are over the same plaintext, only with different keys... This means that, effectively, the security of MS-CHAPv2 can be reduced to the strength of a single DES encryption.” And DES has long been crackable.
Enter the co-presenter, David Hulton. Hulton’s company, Pico Computing, has developed a specialist DES cracking box that, says Marlinspike, “gives us a worst case of ~23 hours for cracking a DES key, and an average case of about half a day.” The two have now integrated this box into CloudCracker, “An online password cracking service for penetration testers and network auditors.” As a result, MS-CHAPv2 should be considered broken.
Marlinspike doesn’t hesitate in his motivation. “We hope that by making this service available, we can effectively end the use of MS-CHAPv2 on the internet once and for all.” Instead, he advocates a move to “either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.”