
Attack against Microsoft scheme puts hundreds of crypto apps at risk

Cloud-based service requires an average of 12 hours to decrypt VPN traffic.

An overview of MS-CHAPv2, which is used by hundreds of VPN- and WPA2-based security products.

Researchers have devised an attack against a Microsoft-developed authentication scheme that makes it trivial to break the encryption used by hundreds of anonymity and security services, including the iPredator virtual private network offered to users of The Pirate Bay.

The attack, unveiled by Moxie Marlinspike and David Hulton, takes on average just 12 hours to recover the secret key that iPredator and more than 100 other VPN and wireless products use to encrypt sensitive data. The technique, which has been folded into Marlinspike's CloudCracker service, exploits weaknesses in version 2 of a Microsoft technology known as MS-CHAP, short for Microsoft challenge-handshake authentication protocol. It's widely used to log users into VPN and WPA2 networks and is built into a variety of operating systems, including Windows and Ubuntu.

"We hope that by making this service available, we can effectively end the use of MS-CHAPv2 on the Internet once and for all," the researchers wrote in a blog post published over the weekend. "We find many popular VPN products are susceptible to a variety of practical user deanonymization attacks. Weaknesses stem from lack of security analysis of the composition of VPNs, applications, and the TCP/IP stack on each respective operating system."

Microsoft officials are "actively investigating the issue and will take the necessary steps to help protect customers," the company said in a brief statement.

MS-CHAP is the widely used authentication component of several encryption technologies including the PPTP, or Point to Point Tunneling Protocol, which is used by many VPN programs to implement secure functionality. The Microsoft technology uses the MD4 cryptographic function to convert user-selected passwords into a one-way hash that is then broken up into three smaller chunks.

Each chunk forms a Data Encryption Standard key that's used in a separate encryption operation. Exhausting every possible combination of the entire MD4 hash requires 2^128 attempts, making such brute-force attacks infeasible. But by breaking the key into three keys—the first two consisting of 7 bytes and the third of just 2 bytes—they become susceptible to what cryptographers call a "divide and conquer" attack.

There are only 65,535 possible combinations for the last key, requiring just a few seconds to crack it using brute-force methods. Cracking the first 14 bytes of the MD4 hash would normally require enough work to make most attacks infeasible, but the researchers found a way to significantly reduce the overhead. Because the two remaining unknown keys are used to encrypt the same plaintext, the cracking routine for each can be consolidated into a single iteration through the possible keyspace. That translates into just 2^56 possible combinations, which is the same complexity offered by a single DES encryption.

"Since the third DES key is only two bytes long, a keyspace of 2^16, we can immediately see the effectiveness of [a] divide-and-conquer approach by brute forcing the third key in a matter of seconds, giving us the last two bytes of the MD4 hash," the researchers wrote. "We're left trying to find the remaining 14 bytes of the MD4 hash, but can divide-and-conquer those in two 7 byte chunks, for a total complexity of 2^57."

The service added to CloudCracker relies on powerful hardware sold by Hulton's Pico Computing firm. It uses FPGA, or field-programmable gate array, technology to quickly cycle through each possible combination until the right one is found. Users who want to crack the key protecting a target's VPN- or WPA2-protected traffic need only capture a single login attempt and then upload the packets to the online service. It takes a maximum of 23 hours to crack the key, with the average crack requiring just half a day.

The divide-and-conquer technique is a vast improvement over an attack first described in 1999 by Bruce Schneier and a researcher known as Mudge. That exploit made it easy to decrypt communications that were protected by weak passwords. In the years that followed, many services that relied on MS-CHAP responded by requiring users to use long, randomly generated passwords. VPN services offered by riseup.net, for example, selected a 21-character password on behalf of the user that used a combination of 96 different numbers, symbols, and upper- and lower-case letters to withstand such attacks. MS-CHAP is also used in the iPredator VPN used to decrypt traffic between The Pirate Bay and its end users, Marlinspike said.

"What we're doing is giving you a 100-percent success rate," Marlinspike told Ars. "It doesn't matter what password you choose. We demonstrate that [MS-CHAP] is never secure."

Other cryptographers agreed that the new attack is significant.

"Once you have something that can crack DES in half a day, it's kind of like having a master key for DES," Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. "And at that point, any protocol that works like MS-CHAP is going to just fall apart."

Marlinspike said people should immediately stop using VPN and WPA2 products that rely on MS-CHAP. They should instead rely on certificate-based authentication methods, such as OpenVPN, SSL VPN, or certain types of IPsec, as long as it doesn't use a pre-shared key for authentication.
