9

PPTP is not an open, ratified standard the way that, for example, SSL/TLS is. (see: http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.2 and http://datatracker.ietf.org/doc/rfc5246/ )

The most popular (most widely deployed) implementation of PPTP came from Microsoft, in WinNT. This implementation was also used in many 3rd party applications designed to work with WinNT and its successors.

The MS implementation of PPTP (with MS-CHAP authentication) was publicly demonstrated to be cryptographically broken in 1998 (see https://www.schneier.com/paper-pptp.html ). And there are utilities available to sniff for MS-CHAP authentication sessions and automatically extract passwords from them (L0phtCrack v2.0, released 1997).

So, the question is: Does anyone know the details of the DD-WRT implementation of PPTP? I see that PPTP Server in "v24-sp2 mini" uses "MPPE Encryption" and stores "CHAP Secrets". Does it have the same vulnerabilities as PPTP/MS-CHAP did in 1997? Is this implementation of the protocol any better than it was 16yrs ago?
Or, for a home-grown VPN, do I need to upgrade my hardware and firmware to use OpenVPN?

(Reposted from superuser.com/questions, following a user recommendation.)

Simon
MSE
  • Hi MSE, welcome to [security.se]! In the future, please do not cross-post - a moderator can migrate the question across. But yeah - asking about the vulnerabilities is better here. – AviD Dec 23 '13 at 09:03

1 Answer

16

PPTP is thoroughly broken. At this point nobody who cares in the least about the communications they intend to protect should be using it. And it's not a matter of choosing someone's implementation over another; its most serious flaws are in the protocol design and cannot be fixed.

MSCHAPv1 was broken 15 years ago, as you noted in your question. Its replacement, MSCHAPv2, has been known to be weak for nearly as long; now it can be brute forced in a matter of hours; this was demonstrated at last year's DEFCON and you can now use an online service to break it.

You can use EAP-TLS authentication with PPTP, though this requires a full public key infrastructure and isn't something you're necessarily going to put effort into unless you're building an enterprise VPN. There are a lot of moving parts, so it's not something you are likely to do for a personal project.

And then, the above only deals with authentication. The encryption, MPPE, uses RC4. But, there is no message authentication, so it is possible for an attacker to modify your traffic in transit, quite possibly without it being detected. And RC4 is getting weaker by the day (which is a whole other topic)...

Microsoft, for their part, recommend using L2TP or IPSec or SSTP. OpenVPN is also a possibility, especially if you are dealing with non-Microsoft systems.

Finally, the implementers of PoPToP, the Linux implementation of PPTP, recommend against using it, and have done so for almost a decade.

Michael Hampton
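The answer's point that RC4 without message authentication lets traffic be altered undetected, shown as an added example that is not part of the original answer. It is a simplified model rather than real MPPE framing: the keys, the frame contents and the helper names (`xor_at`, `seal`, `open_sealed`) are constructed for illustration, and the HMAC-SHA256 tag is the added contrast, not something MPPE provides.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: the same call encrypts and decrypts (XOR with keystream)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_at(ciphertext: bytes, offset: int, delta: bytes) -> bytes:
    """Model an in-transit change: XOR delta into the ciphertext at offset."""
    buf = bytearray(ciphertext)
    for k, d in enumerate(delta):
        buf[offset + k] ^= d
    return bytes(buf)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: RC4 ciphertext followed by an HMAC-SHA256 tag."""
    ct = rc4(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag before decrypting; return None if the frame was altered."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return rc4(enc_key, ct)

# Constructed sample values (not real MPPE session keys or PPP frames).
ENC_KEY = b"constructed-session-key"
MAC_KEY = b"constructed-mac-key"
FRAME = b"amount=0100;to=alice"
# Difference between two plaintexts; applying it needs no knowledge of ENC_KEY.
DELTA = bytes(a ^ b for a, b in zip(b"0100", b"9100"))
```

Decrypting `xor_at(rc4(ENC_KEY, FRAME), 7, DELTA)` yields a valid-looking frame with the changed field, while `open_sealed` rejects the same change because the tag no longer matches.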