[2645] in cryptography@c2.net mail archive
Re: PPTP (again)
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Sun May 10 15:24:13 1998
In-Reply-To: <v04003a0fb1757a06ce95@[198.115.179.81]>
Date: Fri, 8 May 1998 05:08:42 -0400
To: "Paul Leach" <paulle@microsoft.com>, cryptography@c2.net
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: firewall-wizards@nfr.com, NTSECURITY@LISTSERV.NTBUGTRAQ.COM
At 10:24 PM -0400 5/5/98, Paul Leach wrote:
>[Responses to a number of other criticisms deleted]
>
>As Alan pointed out, the same key is used in each direction, so that
>the Nth packet in each direction will use the same key. (Similar to
>what you pointed out in the context of the CPP-reset attack.) That
>means that if you can predict the contents of the Nth packet in one
>direction, you can decrypt the packet going in the other direction.
>That's not good, but it's better than being able to crack the
>packet if you can predict the value of any of 256 packets....
>
>This is mitigated by the fact that the packets are compressed in such
>a way that unpredicted data early in the packet ruins the ability to
>predict data later in the packet.
>
While Mr. Leach addresses many of the concerns raised about PPTP, the two
paragraphs above concern me greatly. Any deliberate reuse of a stream
cipher key is an unacceptable security flaw. This is a fundamental rule,
not because cryptographers are a bunch of nit-picking, party-pooping
fuddy-duddies, but because doing so destroys the security of the cipher.
An attacker who captures the packet streams in both directions can
eliminate the RC4 encryption entirely. He will then have the xor of the two
data streams. As Mr. Leach points out, if he knows or can guess one of the
streams, he can recover the other stream easily. But even if he knows
neither, the protocol is still not secure.
If, for example, the packets contain uncompressed English text, the
encryption is equivalent to a book cipher, which is generally solvable. The
only hope left then for security is the compression scheme. Essentially
this is a variant of a book cipher where both the book and the plaintext
are first compressed. The US Army broke a system like this in the 1940's --
without computers.
The security of this protocol does not appear to meet the most minimal
standards of modern cryptographic practice. A properly implemented 40-bit
key system would be far more secure. This protocol will be used to
transmit medical records, lawyer-client meeting notes, new product plans,
merger negotiations, and other sensitive internal communications. Do
Microsoft's attorneys realize the company's potential exposure here? Can
you say "class action lawsuit," "punitive damages," "strict liability,"
"criminal negligence," "deep pockets?"
Arnold Reinhold
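As an added illustration, not part of Mr. Reinhold's message nor PPTP's or MPPE's actual code: a minimal RC4 in Python showing that encrypting the Nth packet in each direction under one key cancels the keystream and leaves only the XOR of the two packets, that one known packet then exposes the other without the key, and that deriving a distinct key per direction (a constructed SHA-256 derivation, not the protocol's) removes the cancellation. The key and packet contents are constructed sample values.

```python
# Constructed demo of the two-time-pad problem described in the message:
# same RC4 key in both directions => keystreams cancel under XOR.
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); for the demonstration only."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, packet: bytes) -> bytes:
    """Stream-cipher encryption of one packet; decryption is the same call."""
    return xor(packet, rc4_keystream(key, len(packet)))

def direction_key(master: bytes, direction: bytes) -> bytes:
    """Hypothetical fix: derive a separate key per traffic direction."""
    return hashlib.sha256(master + b"|" + direction).digest()[:16]

def ciphertext_xor_leak(key_out: bytes, key_in: bytes,
                        pkt_out: bytes, pkt_in: bytes) -> bytes:
    """XOR the Nth ciphertext of each direction. With key_out == key_in the
    keystream terms cancel and the result equals pkt_out XOR pkt_in."""
    return xor(encrypt(key_out, pkt_out), encrypt(key_in, pkt_in))

def recover_from_known(known_pkt: bytes, known_ct: bytes, other_ct: bytes) -> bytes:
    """Known plaintext in one direction yields the keystream, which then
    strips the ciphertext of the other direction. No key needed."""
    return xor(xor(known_pkt, known_ct), other_ct)

# Constructed sample values (same length so the XOR covers both fully).
KEY = b"constructed-demo-key"
PKT_OUT = b"GET /records/patient-42 HTTP/1.0"
PKT_IN = b"HTTP/1.0 200 OK  Content-Len: 12"
```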