
Exhaust all of DES and crack any MS-CHAPv2-based VPN for a mere $20

Cory Doctorow at 4:31 pm Mon, Sep 24, 2012


Moxie Marlinspike and David Hulton's Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate presentation from Defcon is now a reality. If you want to crack a MS-CHAPv2 PPTP authentication handshake (like the one I use when I connect to IPREDator, the secure proxy I favor), they'll exhaust all of the DES keyspace for you for a mere $20, usually in less than a day.

Basically, MS-CHAPv2-based VPNs should now be considered insecure and not fit for purpose. Plus Moxie and David can brute force all of DES for $20. Yowza.

A Week Of Discounted Cracking

For this week (9/23/2012), we will be offering deeply discounted MS-CHAPv2 cracking jobs by reducing the price from $200 to $20. This means that any PPTP VPN connection or intercepted MS-CHAPv2 WPA Enterprise wireless credentials can be cracked and decrypted with a 100% success rate for only $20.

The one major caveat is that an influx of additional jobs might increase the pending queue depth and cause MS-CHAPv2 jobs to take slightly longer than usual, but we'll see how it goes.

Cheaper MS-CHAPv2 Cracking (via Hacker News)


  • Andy Reilly

    I get that this is their brute force way to get people to stop using a flawed protocol, but do they know for sure that they are not actually putting anyone’s life in danger by offering this service? The brashness of it seems pretty ivory-tower.

    • fuzzyfuzzyfungus

      Odds are, the minerals refined to build the cracker, and the energy resources employed to run it have a greater likelihood of putting lives in danger than will the additional cryptoanalysis…

      I agree that it isn’t impossible; but once you start branching out into modest indirect probabilities, the list of people you might have helped kill gets pretty long.

    • Cory Doctorow

       Yes. The notional cost of doing this at the “full rate” is $200. Anyone in a position to threaten someone’s life (a state actor, organized crime) has both $200 and the nous to crack DES. The only thing these folks are doing is making it obvious — unmistakable — that the protocols underlying MSCHAPv2 are unsafe at any speed and need to be taken out of service NOW.

  • teapot

    So the real question is: what VPNs are using encryption that is still safe?

    • bigidiot

      Some of these use OpenVPN https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/  

  • Victor Rajewski

    Another real question: where to for orgs using MSCHAPv2 for enterprise wifi? I believe this is standard for Active Directory deployments…

    • dragonfrog

      PEAP-MSCHAPv2 for WiFi is still relatively safe (at least, compared to MSCHAPv2 directly observable by attackers). The first P in PEAP stands for “Protected” – the client first establishes an SSL tunnel, and then does the MSCHAPv2 exchange inside that tunnel.

      As long as all the attacker can see is the SSL tunnel, you could just send plaintext passwords and be alright (and now it should be clear that MSCHAPv2 should now be considered equivalent to plaintext).

  • pgt

     Cory:

    I’m the guy who proposed the RSA Symmetric Key Challenges back in 1996, and I helped set up the contests (which were the impetus for the EFF building Deep Crack). It tickles me to the core to see that work on naming and shaming weak crypto is still underway. The contests were a factor in the relaxing of US export policies on crypto in 2000; let's now hope MS rapidly sunsets MSCHAP V2.

    The core of the problem is that MSCHAP V2 is using single DES, albeit three times (this is NOT ‘triple DES’, which remains secure). The Challenges first brute forced single DES back in 1997, and a decade (!) later, it was officially deprecated by NIST.

    However, the protocol is embedded in the firmware of uncounted access control devices; replacing it will be a major expense.

    pgt
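To make concrete what the post and pgt's comment describe, here is an added Go example (not code from the page, Boing Boing, or CloudCracker) of how an MS-CHAPv2 client builds its NT-Response per RFC 2759: the 16-byte NT hash is zero-padded to 21 bytes, cut into three 7-byte single-DES keys, and each key encrypts the same 8-byte challenge hash. The NT hash value is a constructed sample (MD4 is not in Go's standard library, so the hash is supplied directly), and the challenges and user name used with it are likewise constructed.

```go
package main
import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"math/bits"
)

// Constructed sample NT hash (arbitrary bytes); the real value is MD4(UTF-16LE(password)).
var SampleNTHash = []byte{0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}

// expandDESKey lays 56 key bits over 8 bytes, 7 bits each plus an odd parity bit (RFC 2759 8.6).
func expandDESKey(k7 []byte) []byte {
	n := binary.BigEndian.Uint64(append([]byte{0}, k7...))
	key := make([]byte, 8)
	for i := range key {
		seven := byte(n>>uint(49-7*i)) & 0x7f
		key[i] = seven << 1
		if bits.OnesCount8(seven)%2 == 0 {
			key[i] |= 1 // odd parity bit
		}
	}
	return key
}

// ChallengeHash is the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func ChallengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// DESKeys zero-pads the 16-byte NT hash to 21 bytes and splits it into three 7-byte
// keys; only two bytes of the third key are secret, so it has 16 bits of entropy, not 56.
func DESKeys(ntHash []byte) [3][]byte {
	p := append(append([]byte{}, ntHash...), make([]byte, 5)...)
	return [3][]byte{p[0:7], p[7:14], p[14:21]}
}

// NTResponse encrypts the same challenge hash under each key and joins the three
// 8-byte ciphertexts; each piece depends only on its own key, so they verify separately.
func NTResponse(ntHash, chalHash []byte) []byte {
	out := make([]byte, 0, 24)
	for _, k := range DESKeys(ntHash) {
		c, _ := des.NewCipher(expandDESKey(k)) // 8-byte key: NewCipher cannot fail
		block := make([]byte, 8)
		c.Encrypt(block, chalHash)
		out = append(out, block...)
	}
	return out
}
```

Because every piece encrypts the same plaintext under an independent key, the whole 24-byte response is only as strong as one 56-bit DES key, which is the property the $20 service exploits.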