Firewall Wizards mailing list archives

RE: VPN through DSL - On the subject of PPTP

From: Patrick Darden <darden () armc org>
Date: Thu, 14 Mar 2002 08:56:30 -0500 (EST)


In addition, unless it has changed, PPTP uses a 40 bit session key....
Trivial to crack in real time.

IPSEC allows use of 3DES at 156 bits (effectively.)

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Wed, 13 Mar 2002, Peter Lukas wrote:

On Wed, 13 Mar 2002, Behm, Jeffrey L. wrote:

I am assuming you are using ipsec instead of a severely
flawed protocol
like PPTP.

I hear people say this from time to time, but I have heard no one ever name
an exploit that has taken advantage of the PPTP protocol (other than an
exploit that takes advantage *before* the data is encypted, or *after* it is
encrypted at the endpoints)

Not that I am a Bill Gates fan, in fact, far from it, but what are the
severe flaws that have been exploited?


The original Microsoft PPTP attempt left much to be desired, and the
second revision was fairly improved. It is by no means "perfect" in the
peanut-gallery sense of the word, but has a number of advantages going for
it, namely it's native to most every version of Windows and as simple for
an end-user to set up as a dialup connection. Of course, it's subject to
the same NAT problems as other VPN methods out there.

The original problem was more with Microsoft's interpretation of PPTP and
it's meager authentication scheme (MSCHAP). Dig the counterpane
cryptanalysis here:
http://www.counterpane.com/pptp.html

The second attempt (MSCHAPv2) addressed the original concerns, but is
still subject to similar security weaknesses as in most other plain
vanilla passworded VPN mechanisms out there.

When comparing PPTP to ipsec, they both do similar things. PPTP isn't
best used at a gateway and much better for deployment across multiple
end-users. Using a car analogy, it's like choosing to carpool with a Pinto
or a Volvo.

Peter

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

Re: VPN through DSL, (continued)
- Re: VPN through DSL Yang Lee (Mar 13)
- RE: VPN through DSL Behm, Jeffrey L. (Mar 13)
  - RE: VPN through DSL Peter Lukas (Mar 13)
    - RE: VPN through DSL R. DuFresne (Mar 13)
    - RE: VPN through DSL Peter Lukas (Mar 13)
    - RE: VPN through DSL R. DuFresne (Mar 13)
    - Re[2]: VPN through DSL Jason Ostrom (Mar 13)
  - RE: VPN through DSL Tina Bird (Mar 13)
- RE: VPN through DSL Behm, Jeffrey L. (Mar 13)
  - RE: VPN through DSL - On the subject of PPTP Peter Lukas (Mar 13)
    - RE: VPN through DSL - On the subject of PPTP Patrick Darden (Mar 14)
- RE: VPN through DSL rob . roberson (Mar 13)
  - RE: VPN through DSL Peter Lukas (Mar 13)
  - RE: VPN through DSL Joe Keegan (Mar 13)
    - RE: VPN through DSL Frederick M Avolio (Mar 15)
- RE: VPN through DSL Ames, Neil (Mar 13)
- VPN through DSL Harris, John P (Mar 14)
- RE: VPN through DSL Behm, Jeffrey L. (Mar 14)
- RE: VPN through DSL Litscher, Mark (Mar 14)
- Re[2]: VPN through DSL Thomas Ray (Mar 15)