Re: MS Chap v2 analysis
David Wagner (daw CS.BERKELEY.EDU)
Mon, 12 Jul 1999 23:08:27 -0700
- In reply to: Paul Leach: "Re: MS Chap v2 analysis"

If I understand the MS Chap v2 key derivation process correctly,
there is a serious weakness in the way 40 bit keys are derived.
In particular, they incorporate absolutely no randomness ("salt").
(Compare to SSL, which hashes in 88 bits of salt with 40 bits of
key.) Thus, MS Chap v2 appears vulnerable to a time-space tradeoff,
if you can find some short segment of known plaintext.

Consider Hellman's time-space tradeoff. You need to do a 2^40
precomputation, and you need 2^26 space (a CD-ROM or a small hard
disk). Then, you can break each subsequent session key with only
2^26 work, much weaker than you'd expect from a 40-bit key.

In other words, the export-weakened protocol appears crackable in
near-realtime, with a single computer! Sounds like a NSA wet dream,
if I'm following the algorithm correctly.

Please tell me I'm misunderstanding something here. Surely the
protocol can't be this broken...can it?
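
The salt argument in the message above, as an added example that is not part of the original post: a toy Hellman table over a 16-bit keyspace, showing that one precomputed table serves every unsalted session and is useless once a salt enters the derivation. SHA-256 stands in for the cipher (this is not the MS-CHAPv2 key derivation), and every name, the plaintext and the salt value are constructed assumptions.

```python
import hashlib

BITS = 16                     # toy keyspace; the post discusses 40-bit keys
CHAIN_LEN = 64                # t: steps per chain
N_CHAINS = 512                # m: chains kept as (end -> starts) entries
KNOWN = b"known plaintext"    # constructed stand-in for the known segment

def enc(key: int, salt: bytes = b"") -> bytes:
    """Toy one-way 'encrypt the known plaintext under key' (SHA-256 stand-in)."""
    return hashlib.sha256(salt + key.to_bytes(4, "big") + KNOWN).digest()[:8]

def reduce(c: bytes) -> int:
    """Map a ciphertext back into the keyspace so a chain can continue."""
    return int.from_bytes(c[:4], "big") % (1 << BITS)

def step(key: int, salt: bytes = b"") -> int:
    return reduce(enc(key, salt))

def build_table(salt: bytes = b"") -> dict:
    """Precomputation: walk m chains of t steps and store only the endpoints."""
    table = {}
    for i in range(N_CHAINS):
        start = x = (i * 127 + 1) % (1 << BITS)
        for _ in range(CHAIN_LEN):
            x = step(x, salt)
        table.setdefault(x, []).append(start)
    return table

def lookup(table: dict, c: bytes, salt: bytes = b""):
    """Online phase: at most t steps from c, replaying any chain whose end we hit."""
    z = reduce(c)
    for _ in range(CHAIN_LEN):
        for start in table.get(z, []):
            x = start
            for _n in range(CHAIN_LEN):
                if enc(x, salt) == c:      # full-width check rejects false alarms
                    return x
                x = step(x, salt)
        z = step(z, salt)
    return None

def demo():
    table = build_table()                  # built once, reused for every session
    key = 1                                # start of chain 0
    for _ in range(10):
        key = step(key)                    # a key that lies on a stored chain
    unsalted = lookup(table, enc(key))     # derivation with no salt
    salted = lookup(table, enc(key, b"session-salt"))   # same key, salted
    return key, unsalted, salted

if __name__ == "__main__":
    print(demo())
```

A table built for one salt value inverts only that function, so a per-session salt forces the full keyspace precomputation to be repeated for each session.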
This archive was generated by hypermail 2.0b3 on Tue Jul 13 1999 - 01:28:50 CDT