Stronger PPTP?

Chris Carlson carlsonmail at YAHOO.COM
Thu Jan 20 16:37:04 EST 2000 

AFAIK, Microsoft has always had 128-bit PPTP, but you
had to register for it on their web site since export
is controlled.  They had a version available back in
the Win95 days.

The issue of Microsoft's implementation of the PPTP
protocol isn't the strength/length of the encryption
key, it's the fact that they use a crappy hash based
on the LanMan authentication sequence.  You can read
more about it at:

http://www.counterpane.com/pptp.html

Microsoft should have addressed this better in their
PPTPv2 release, but some people say no.  Third party
companies like Network Telesystems (www.nts.com) makes
PPTP clients for Windows and Mac that has a better
authentication mechanism than Microsoft's
implementation.

Microsoft is still supporting PPTP in Windows2000.  I
tested it for functionality, not security.  A white
paper on Windows2000 security a few months ago said
that Microsoft is focusing on encrypting L2TP packets
with IPSec as their future direction.  That way they
can have the "approved" encryption/authentication of
IPSec with the multi-protocol support of L2TP.  If
this doesn't speak of a totally non-standard
implementation, I don't know what does.

Hope I've been useful!

Chris
--
--- Dave Elfering <elfering at TCONL.COM> wrote:
> Has Microsoft increased the strength of PPTP's
> crypto? A network
> engineer friend of mine asked if the encryption has
> been raised to 128
> bits, and I had no answer as I've never seriously
> considered PPTP.
>
> Has this beast been strengthened the process that
> used a user-supplied
> password at the client to derive the MD4 hash?
>
> I gather MS raised the encryption level that will
> ship with Windows 2000
> to 128 bits, so does this mean PPTP gets bumped a
> notch too? I'd thought
> it was going away in favor of IPSec.
>
> Regards,
>
> Dave Elfering
>
> VPN is sponsored by SecurityFocus.COM
>
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

VPN is sponsored by SecurityFocus.COM

More information about the VPN mailing list