The ThreatPost security news service from Kaspersky Labs has an article reporting on a new password cracking tool developed by the security researcher whose nom de déposé is Moxie Marlinspike. The tool, ChapCrack, which was described in a presentation by Marlinspike and David Hulton at the DefCon 20 security conference last weekend, is designed to crack passwords used in the MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) protocol. It provides a tool that can extract credentials from a protocol negotiation “handshake”; the credentials can then be submitted to a cloud-based service to extract the passwords.
Marlinspike’s ChapCrack tool has the ability to take packet captures that include an MS-CHAPv2 network handshake–the back-and-forth negotiation that sets up the secure connection between machines–and remove the relevant credentials from the capture. The user can then submit the encrypted credentials to CloudCracker and will eventually receive in return an encrypted packet that he can insert into ChapCrack again. The tool then will crack the password.
The protocol is used as part of Microsoft’s PPTP tunneling protocol for implementing VPNs (Virtual Private Networks). It has been available as a component of Windows since Windows 95, and has been quite popular, even though it has some known security vulnerabilities; Bruce Schneier and Mudge analyzed the protocol in 1999. In his blog post discussing the attack in detail, Marlinspike says that the protocol is still widely used in two cases:
- PPTP-based VPNs
- Enterprise WPA2 wireless networks
He claims a success rate of 100% in recovering passwords. The cloud-based component of the attack uses a specialized piece of hardware for cracking DES keys, built by Pico Computing.
David Hulton’s company, Pico Computing, specializes in building FPGA hardware for cryptography applications. They were able to build an FPGA box that implemented DES as a real pipeline, with one DES operation for each clock cycle. With 40 cores at 450mhz, that’s 18 billion keys/second. With 48 FPGAs, the Pico Computing DES cracking box gives us a worst case of ~23 hours for cracking a DES key, and an average case of about half a day.
(This, incidentally, shows that the push to replace DES, the Data Encryption Standard, with the newer AES was not alarmist — Moore’s Law, and all that.)
Marlinspike concludes his blog post with these recommendations:
1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.
2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.
As I’ve mentioned before, it is a truism of security that attacks always get better.
Update Wednesday, 1 August, 11:29 EDT
Ars Technica has an article that discusses this attack, and its implications, in some detail.