Friday, 3 August 2012

Severe Security Issues with MSChapV2


Those of you who went to or follow the Defcon conference in vegas may have seen Moxie Marlinspike's work on MSChapV2. This is the auth scheme i recommended for the raspberry pi pptp vpn. Ie, when the client connects to the VPN, it is the scheme by which the client proves it knows the password without sending the password in cleartext.

A problem i was aware of with MSChapV2 was that the password is bruteforceable, ie if an attacker can capture you connecting to your VPN (ie in a wifi cafe) then they can attempt to crack your password. If the password is weak and they are successful, they can decrypt all of your traffic and also connect to the the network themselves.

However, Moxie analysed MSChapV2 and found a significant design flaw, that is worth reading about:
in short, he found that the whole protocol can be reduced down to a single (56bit) DES encryption, and if you can crack that you can crack MSChapV2. He then worked with David Hulton, an FPGA wiz, to crack DES in under 24 hours. He has made this service available on his website


So, in summary, if you use a PPTP VPN with MSChapV2 (as i described), someone could intercept that traffic and decrypt all of it 100% reliably and potentially provide access to your network. This is obviously very bad.


Now the risk talk. If you're an average individual, you're unlikely to be on a network with an attacker capable and motivated enough to do it. The risk is very real, but i would say fairly low for now. The VPN will certainly make you safer against a certain level of attacker (ie someone just sniffing open wifi points). This is clearly not a perfect strategy so i will be working on a second guide to use the RasPi as a IPSEC VPN endpoint as this is also supported by the iDevices and is currently believed to be stronger.

Thanks to Moxie for making this public and providing such an entertaining talk!