The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog)

Posted by jpluimers on 2013/06/24

A while ago, I had to connect to secure data over PPTP.

It reminded me of this post from about a year ago: Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate (now archived at the Wayback Machine).

Their main point:

MS-CHAPv2 can be cracked in less than a day (and that time will only go down).

Their short conclusion “basically PPTP is dead, and IPSEC-PSK is worse” leads to the recommendation:

This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.

Longer quote:

  1. All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.
  2. Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker.

In terms of currently available solutions, deploying something securely requires some type of certificate validation. This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.

–jeroen

via: Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate.
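
As an added illustration of the recommendation above (not code from this post or from the CloudCracker article): a small Python audit that flags PSK-authenticated connections, and IKEv1 aggressive mode in particular, in a configuration written in strongSwan's legacy ipsec.conf syntax. The choice of strongSwan, the sample configuration and the function names are assumptions made for the example.

```python
import re

# Constructed sample in strongSwan legacy ipsec.conf syntax (not from the post).
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev1
conn branch-office
    authby=secret
    aggressive=yes
conn hq-psk
    keyexchange=ikev2
    authby=psk
conn roadwarrior
    keyexchange=ikev2
    authby=pubkey
    leftcert=gateway.pem
"""

PSK_MODES = {"secret", "psk", "xauthpsk"}

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' applied to each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        m = re.match(r"conn\s+(\S+)", line)       # section header starts in column 0
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line and line[0] in " \t":
            key, value = line.split("=", 1)       # indented key=value belongs to section
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def audit(text):
    """Return {conn_name: finding} for connections that authenticate with a PSK."""
    findings = {}
    for name, opts in parse_conns(text).items():
        if opts.get("authby", "pubkey").lower() not in PSK_MODES:
            continue  # public-key / certificate authentication
        # Conservative: anything not pinned to IKEv2 may negotiate IKEv1.
        maybe_ikev1 = opts.get("keyexchange", "ike").lower() != "ikev2"
        if maybe_ikev1 and opts.get("aggressive", "no").lower() == "yes":
            findings[name] = "PSK with IKEv1 aggressive mode: hash handed to any peer"
        else:
            findings[name] = "PSK authentication: migrate to certificates"
    return findings
```

Calling audit(SAMPLE_CONF) reports branch-office and hq-psk and leaves the certificate-based roadwarrior connection out of the findings.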

3 Responses to “Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog)”

  1. […] But preferably I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog) […]

  2. […] Although: I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog) […]

  3. […] Later: indeed, I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog) […]
