[2694] in cryptography@c2.net mail archive


Re: PPTP (in the People's Court)

daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Thu May 14 11:24:19 1998

In-Reply-To: <3.0.5.16.19980514004119.096773b0@world.std.com>
Date: Thu, 14 May 1998 06:51:08 -0400
To: David Jablon <dpj@world.std.com>, cryptography@c2.net
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: Russ <Russ.Cooper@rc.on.ca>

At 12:41 AM -0400 5/14/98, David Jablon wrote:

[stuff about liability deleted -- let's get back to cryptography]

>
>I think a technical priority is the weakness of PPTP's session
>key generation.
>
>In an earlier post, Paul Leach addressed issues with
>"deprecated" modes, but a larger unaddressed problem
>is the indeterminate entropy of the session keys.  We're not
>even talking 40 bits in many cases, as network cracking
>attacks on hashed-password-derived keys often
>succeed with a difficulty of less than 2^30.
>
>In setting priorities, I'd say that reliable
>session key generation is at least as important as
>problems with re-use or mis-use of these keys in a
>cipher.
>

I certainly support strong key generation and share your concern about
hashed-password-derived keys. But a PPTP user can at least adopt procedures
for creating strong passwords without much trouble if they want. (See my
http://www.hayom.com/diceware.html). The reuse of RC4 keys completely
strips away any security associated with the keys -- 30 bits, 40 bits, 128
bits, it doesn't matter. The cipher protection is gone instantly.

Both problems are serious and deserve attention.

It would seem to me that there is a simple way to fix the RC4 key reuse
problem: just include the sender's host name in the PPTP session key hash.
The only impact on performance I can see would be the additional RC4 key
setup time, but that is inescapable if RC4 is used properly. Am I missing
something?


Arnold Reinhold
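
[Added illustration, not part of the original message or of any PPTP implementation.] The sketch below shows why key length is irrelevant once an RC4 key is reused, and what mixing the sender's host name into the key hash changes. It assumes the reuse in question is one session key encrypting traffic from both senders; the SHA-256 construction, host names and sample traffic are constructed for the example.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key schedule, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def direction_key(session_key: bytes, sender_host: bytes) -> bytes:
    # Assumption: SHA-256 truncated to the session key's length stands in for
    # "the PPTP session key hash"; the message does not specify a construction.
    digest = hashlib.sha256(session_key + b"|" + sender_host).digest()
    return digest[:len(session_key)]

def leaks_plaintext_xor(key_a: bytes, key_b: bytes, p_a: bytes, p_b: bytes) -> bool:
    """True if XOR of the two ciphertexts equals XOR of the two plaintexts."""
    return xor(rc4(key_a, p_a), rc4(key_b, p_b)) == xor(p_a, p_b)

# Constructed sample traffic and host names.
CLIENT_MSG = b"GET /payroll/q2.xls HTTP/1.0"
SERVER_MSG = b"HTTP/1.0 200 OK\r\nContent-Typ"
CLIENT, SERVER = b"client.example", b"server.example"

def demo() -> dict:
    """Map key size in bits -> (leak with shared key, leak with per-sender keys)."""
    results = {}
    for bits in (40, 128):
        k = hashlib.sha256(b"constructed secret %d" % bits).digest()[:bits // 8]
        shared = leaks_plaintext_xor(k, k, CLIENT_MSG, SERVER_MSG)
        k_c, k_s = direction_key(k, CLIENT), direction_key(k, SERVER)
        results[bits] = (shared, leaks_plaintext_xor(k_c, k_s, CLIENT_MSG, SERVER_MSG))
    return results

if __name__ == "__main__":
    for bits, (shared, separated) in demo().items():
        print(f"{bits}-bit key: shared key leaks P1^P2: {shared}; per-sender keys: {separated}")
```

With a shared key the keystream cancels at 40 and at 128 bits alike; with per-sender keys each side runs its own RC4 key setup, which is the extra cost the message mentions.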


