PPTP Secure?
Rick Smith
rick_smith at SECURECOMPUTING.COM
Wed Aug 30 19:01:28 EDT 2000
>Patrick Bryan asked:
> > Can someone tell me, for day to day business use, is M$'s PPTP v2.0
> > implementation secure?
Sandy Harris replied:
>No.
>http://www.counterpane.com/pptp.html
To cut to the chase, you can use l0phtcrack to intercept Microsoft CHAP
packets and crack the passwords they carry. In addition, the paper at
Counterpane outlines other attacks.
So, if in "day to day business use" your computers manipulate valuable
assets, then there's a risk someone might take the time to pick your
cryptographic lock.
At the moment, I don't see any off-the-shelf PPTP cracking programs out
there. For example, it doesn't look to me as if l0phtcrack will crack PPTP
passwords right out of the box -- rather, it's designed to sniff the hashed
credentials in plaintext SMB packets. Folks on the list -- does anyone else
know of such a tool?
The point of the Counterpane paper is that someone *might* build a cracking
tool directed at PPTP. Or, some criminal enterprise may have done so and
kept it to themselves. This is enough of a risk to make lots of people
nervous. On the other hand, a court would probably say you were taking "due
care" if you use cryptography to protect your traffic, regardless of
whether it's weak or not. The courts seem to be tolerating weak encryption
and demonizing the cracking tools this season.
Rick.
smith at securecomputing.com roseville, minnesota
"Internet Cryptography" at http://www.visi.com/crypto/
VPN is sponsored by SecurityFocus.COM
More information about the VPN
mailing list