Exhaust all of DES and crack any MS-CHAPv2-based VPN for a mere $20


8 Responses to “Exhaust all of DES and crack any MS-CHAPv2-based VPN for a mere $20”

  1. Andy Reilly says:

    I get that this is their brute force way to get people to stop using a flawed protocol, but do they know for sure that they are not actually putting anyone’s life in danger by offering this service? The brashness of it seems pretty ivory-tower.

    • fuzzyfuzzyfungus says:

      Odds are, the minerals refined to build the cracker, and the energy resources employed to run it have a greater likelihood of putting lives in danger than will the additional cryptanalysis…

      I agree that it isn’t impossible; but once you start branching out into modest indirect probabilities, the list of people you might have helped kill gets pretty long.

    • Cory Doctorow says:

       Yes. The notional cost of doing this at the “full rate” is $200. Anyone in a position to threaten someone’s life (a state actor, organized crime) has both $200 and the nous to crack DES. The only thing these folks are doing is making it obvious — unmistakable — that the protocols underlying MSCHAPv2 are unsafe at any speed and need to be taken out of service NOW.

  2. teapot says:

    So the real question is: what VPNs are using encryption that is still safe?

  3. Victor Rajewski says:

    Another real question: where to for orgs using MSCHAPv2 for enterprise wifi? I believe this is standard for Active Directory deployments…

    • dragonfrog says:

      PEAP-MSCHAPv2 for WiFi is still relatively safe (at least, compared to MSCHAPv2 directly observable by attackers).  The first P in PEAP stands for “Protected” – the client first establishes an SSL tunnel, and then does the MSCHAPv2 exchange inside that tunnel.

      As long as all the attacker can see is the SSL tunnel, you could just send plaintext passwords and be alright (and now it should be clear that MSCHAPv2 should now be considered equivalent to plaintext).

  4. pgt says:


    I’m the guy who proposed the RSA Symmetric Key Challenges back in 1996, and I helped set up the contests (which were the impetus for the EFF building Deep Crack). It tickles me to the core to see that work on naming and shaming weak crypto is still underway. The contests were a factor in the relaxing of US export policies on crypto in 2000; let’s now hope MS rapidly sunsets MSCHAP V2.

    The core of the problem is that MSCHAP V2 is using single DES, albeit three times (this is NOT ‘triple DES’, which remains secure). The Challenges first brute forced single DES back in 1997, and a decade (!) later, it was officially deprecated by NIST.

    However, the protocol is embedded in the firmware of uncounted access control devices; replacing it will be a major expense.

