MPPE - Forcing strong passwords enough to make PPTP secure?

0

The title pretty much says it all. Note I'm talking about MS-CHAP v2, not v1. Also using EAP-TLS is not an option (that's why I'm asking this.)

MW2000

Posted 2010-08-03T05:30:16.170

Reputation: 3

Answers

0

Microsoft Point to Point Encryption (MPPE) uses RC4 as its base (40-128 bit). But they made some modifications to overcome some previous problems from CHAPv1 and vulnerabilities previously found. The MPPE keys are derived from CHAPv2 credentials with a different one for each transmission point (client and server) but with a catch: the SHA combination is truncated. Even though you can get a lot of space with 128-bit, the weakness still lies in the keys, hence the passwords. Therefore the more complicated you set the policy for passwords the more "secure" the tunnel should be.

In conclusion, using MPPE over PPP should be good enough for everyday use, especially with complicated passwords.

Note: Most independent researchers and Microsoft suggest that a migration to IPSec or another encrypted key exchange protocol should take place to avoid this exact question.

Robert Leckie

Posted 2010-08-03T05:30:16.170

Reputation: 466

Thanks for the assurance. I thought as much (and knew about the past problems in v1) but just wanted to double check with someone else.

As far as IPSec and other protocols are concerned, I'd much rather use them but can't (especially OpenVPN.) PPTP support is so widely available (Computers, Phones, etc.) that it's my best option. And as long as strong passwords mean a "secure" tunnel I'm good. – MW2000 – 2010-08-03T08:42:44.407
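
The key derivation the answer refers to, following RFC 3079 for the 128-bit case, as an added example that is not part of the original posts. The function names and the sample input bytes are constructed for illustration; the 40-bit and 56-bit variants are left out.

```python
import hashlib

# Constants defined in RFC 3079 (MPPE keys from MS-CHAPv2 credentials).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """GetMasterKey: SHA-1 over the hashed password hash and the NT-Response."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("expected 16-byte hash-hash and 24-byte NT-Response")
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    return digest[:16]  # the 20-byte SHA-1 output is truncated to 16 bytes


def start_key(master: bytes, is_send: bool, is_server: bool) -> bytes:
    """GetAsymmetricStartKey for the 128-bit case."""
    # Client-send and server-receive share MAGIC2; the other direction uses MAGIC3.
    magic = MAGIC3 if is_send == is_server else MAGIC2
    digest = hashlib.sha1(master + SHS_PAD1 + magic + SHS_PAD2).digest()
    return digest[:16]  # truncated again to the 128-bit session key length


def tunnel_keys(password_hash_hash: bytes, nt_response: bytes) -> dict:
    """Derive the four start keys both peers compute for one session."""
    mk = master_key(password_hash_hash, nt_response)
    return {
        "client_send": start_key(mk, True, False),
        "client_recv": start_key(mk, False, False),
        "server_send": start_key(mk, True, True),
        "server_recv": start_key(mk, False, True),
    }


# Constructed sample inputs (not real credentials or captured traffic).
# In the protocol, the first value is MD4(MD4(UTF-16LE password)).
SAMPLE_HASH_HASH = bytes(range(16))
SAMPLE_NT_RESPONSE = bytes(range(0x40, 0x58))

if __name__ == "__main__":
    for name, key in tunnel_keys(SAMPLE_HASH_HASH, SAMPLE_NT_RESPONSE).items():
        print(f"{name}: {key.hex()}")
```

The only secret input to these functions is the value computed from the password; the NT-Response is exchanged during MS-CHAPv2 authentication.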