© SANS Institute 2000 - 2005, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
• Vulnerable to “Reset-Request” attack
• Does not encrypt NCP (Network Control Protocol) PPP packets
• Does not verify that the server is authentic
• Encryption is not truly 40 or 128 bit
The vulnerability to “bit-flipping” attacks is caused by the use of RC4.
Because RC4 is a stream cipher, the data can be changed at the bit level,
and because the checksum method for this standard is weak, an attacker could
modify the message and keep the checksum data appearing valid. The recipient
then ends up with a slightly or completely different message than was sent
and is none the wiser that the data was changed. It is trivial for the
attacker to cycle through “flipping a bit” and comparing data, to compromise
RC4 “protected” information.
Because RC4 is used with the same key on both sides of the connection
(server and client), an attacker who can capture two (or more) “ciphertexts”
and compare them, and who knows the basic structure of the data, can
trivially obtain the clear text information.
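The two-ciphertext comparison described above, as an added example that is not part of the original paper: RC4 run with one key for both directions, beside the same exchange with a separate key per direction. The key, both messages and the `direction_key` derivation are constructed for illustration and are not taken from MPPE.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key schedule, then XOR data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample data (not captured traffic); both messages are 24 bytes.
SESSION_KEY = bytes.fromhex("0102030405")
CLIENT_MSG = b"GET /payroll/2005-03.csv"
SERVER_MSG = b"HTTP/1.0 200 OK\r\nServer:"

def direction_key(label: bytes) -> bytes:
    # Hypothetical per-direction derivation, used only for contrast.
    return hashlib.sha256(SESSION_KEY + label).digest()[:16]

def recovered_client_msg(client_key: bytes, server_key: bytes) -> bytes:
    c1 = rc4(client_key, CLIENT_MSG)
    c2 = rc4(server_key, SERVER_MSG)
    # If both keystreams are equal they cancel: c1 ^ c2 == p1 ^ p2.
    # Knowing the structure of one plaintext then yields the other.
    return xor(xor(c1, c2), SERVER_MSG)

def same_key_result() -> bytes:
    return recovered_client_msg(SESSION_KEY, SESSION_KEY)

def split_key_result() -> bytes:
    return recovered_client_msg(direction_key(b"client"), direction_key(b"server"))

if __name__ == "__main__":
    print("same key both ways :", same_key_result())
    print("per-direction keys :", split_key_result())
```

With one shared key the client message comes back intact without the key ever being known; with distinct keystreams per direction the same comparison yields only noise.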
XOR, an exclusive OR (as opposed to the ordinary “inclusive” OR), is a
Boolean method to determine true or false results. It is true only if just
one of its operands is true, whereas an inclusive OR is true if either or
both of its operands are true.
Based on information from pages 13 through 15 of Applied Cryptography,
2nd Edition, by Bruce Schneier, an XOR attack is carried out as follows:
1. Discover the length of the key (trivial since this is well published
information)
2. Shift the ciphertext (encrypted information) by that length and XOR it
with itself. This will remove the key and reveal the plain text
information.
The vulnerability to “Reset-Request” is a weakness in the MPPE protocol
that allows an attacker to keep sending reset requests to the client or server so
that the encryption key doesn't change. This happens because the attack
interferes with the normal incrementing of packet counts. The following excerpt,
from the Phrack Volume 8, Issue 53 article “The Crumbling Tunnel – A Menagerie
of PPTP Vulnerabilities” by Aleph1, is an excellent description of the MPPE
Reset-Request weakness and attack:
“...
MPPE being a sub-protocol of PPP, a datagram protocol, does not expect a
reliable link. Instead it maintains a 12-bit coherency count that is
increased for each packet to keep the encryption tables synchronized. Each
time the low order byte of the coherency count equals 0xFF (every 256 packets)
the session key is regenerated based on the original session key and the
current session key.
If MPPE ever sees a packet with a coherency that it is not expecting it
sends a CCP Reset-Request packet to the other end. The other end, upon
seeing this packet, will re-initialize the RC4 tables using the current session key.