RE: Gauntlet & NTLM

["Ge' Weijers" <ge () progressive-systems com>]

On Mon, 13 Oct 1997, Craig Brozefsky wrote:

> Where is that documented, if anywhere?  

The specs can be found at 

ftp://ftp.microsoft.com/developr/rfc/draft-ietf-pppext-mppe-00.txt

MPPE = Microsoft Point-to-Point Encryption.

Related documents can also be found here (MS-CHAP and mppc).


> The draft itself makes NO mention of encryption, so 
> it is even less an issue now of PPTP, but more of MS's implementation,
> drawing us ever further into the realm of hacks and tomfoolery MS has 
> called cryptography.

The draft does not mention encryption because the encryption is not
PPTP-specific. PPTP tunnels PPP frames, and PPP has its own ways to do
encryption. MPPE is a non-standard one, but others can be added. Single
DES is standardized, for instance. There's also an RFC that explains
how to add proprietary schemes.

Your encrypted traffic looks like this:

         .--- GRE --------------.
         | .--- PPP ----------. |
         | | .--- MPPE -----. | |
         | | | .----------. | | |
         | | | | Payload  | | | |
         | | | '----------' | | |
         | | '--------------' | |
         | '------------------' |
         '----------------------'

MPPE is somewhat flawed:

- 40 bit encryption is not enough for high security
- MD4 has been successfully cryptanalized, though that research may not be
  relevant because MD4 is not used as a MAC here
- if the key is ever compromized all old traffic can be decrypted

MPPE it is not trivial to crack, though. RC4 is a decent cipher, known
weak keys are avoided, and the key is changed at regular intervals. I
would not recommend it to customers who are afraid of (industrial)
espionage by wealthy competitors, though, especially not the 40-bit
version. It all depends on what you're trying to protect.

Ge'