[Cialug] Windoze -> Linux VPN
Zachary Kotlarek
zach at kotlarek.com
Thu Jun 10 22:25:28 CDT 2010
On Jun 10, 2010, at 4:53 PM, Matthew Nuzum wrote:
> Regarding the security, I was under the impression that newer versions of Windows supported authentication and encryption methods with pptp that improved it. Maybe I've mis-understood or maybe "better" = "still a big fail."
If you use EAP-TLS (i.e. pubkey) authentication it should be okay. There may be other secure EAP modes too; I don't know what Windows currently supports.
And Vista+ has disabled MS-CHAPv1, which is good, since it relies on the LanMan password hashing algorithm, which is very weak.
But while MS-CHAPv2 is an improvement over v1 it is still vulnerable to some serious attacks -- it uses only the user password as an entropy source for authentication. That might seem trivial since the user password is the authenticator in such systems, but the MPEE key (i.e. session key) is derived from the CHAP credentials, so determining the user password hash would allow you to decrypt any sessions that have been or will be captured while the user had the same password with a totally passive, undetectable attack, in addition to the obvious attack of creating new sessions with the stolen credentials.
Zach
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2746 bytes
Desc: not available
Url : http://cialug.org/pipermail/cialug/attachments/20100610/fdbdd5f0/attachment.bin
More information about the Cialug
mailing list