From owner-cvs-all Mon Jun 18 10:13:27 2001
Delivered-To: cvs-all@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 8588237B401; Mon, 18 Jun 2001 10:13:18 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f5IHDGF13631; Mon, 18 Jun 2001 18:13:16 +0100 (BST) (envelope-from brian@lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f5IHDGh07847; Mon, 18 Jun 2001 18:13:16 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200106181713.f5IHDGh07847@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Warner Losh
Cc: mi@aldan.algebra.com, kris@obsecurity.org, brian@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, brian@Awfulhak.org
Subject: Re: cvs commit: src/usr.sbin/ppp ccp.c ccp.h command.c deflate.c fsm.c fsm.h ip.c mppe.c ppp.8 pred.c
In-Reply-To: Message from Warner Losh of "Mon, 18 Jun 2001 11:01:31 MDT." <200106181701.f5IH1Vl57448@billy-club.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 18 Jun 2001 18:13:16 +0100
From: Brian Somers
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> In message <200106181644.f5IGig097507@misha.privatelabs.com> mi@aldan.algebra.com writes:
> : Well, I'm only planning to use the FreeBSD implementation of the
> : protocol, which was done from scratch and audited. Or was it not?
>
> I think Kris is saying that he's not sure that there might not be
> protocol weaknesses that would effectively render the encryption
> useless :-)

Not that I can see, although I'm no encryption expert and haven't
examined the key-change algorithm.

The MPPE stuff starts with a secret derived from a shared secret (which
is already used in the challenge-based CHAP 0x81 (MSCHAPv2)
authentication layer). The encryption dictionary is initialised using
this secret. The secret is re-generated either every packet (for
stateless encryption) or every 256 packets (for stateful encryption),
and the dictionary is re-initialised based on that changed secret.
Missing packets in stateful mode cause a CCP reset request resulting in
the key being changed. Sequence numbers wrap at 4096.

A cracker needs to know the initial secret and the initial challenge to
be able to get in. He needs to know how many times the sequence numbers
have wrapped to be able to decrypt a data stream.

I think this is reasonable at this level.

With respect to screw-ups in the key-change code.... I can't comment as
I haven't even looked at that, but it's rc4 based for what that's worth.

> Warner

-- 
Brian
Don't _EVER_ lose your sense of humour !
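An added example, not part of Brian's mail or of ppp's mppe.c: a Python model of the key-change schedule he describes, with RC4 re-keyed every packet in stateless mode or every 256 packets in stateful mode, a 12-bit coherency count that wraps at 4096, a stateless receiver that catches up over lost packets by stepping its key, and a stateful receiver that cannot decrypt anything after a gap until a CCP reset changes the key. The SHA-1 chaining in `next_key`, the secret and the payloads are constructed assumptions, not MPPE's exact RFC 3078 derivation.

```python
import hashlib
def rc4_stream(key: bytes):
    """RC4 keystream (MPPE's cipher); a generator so stateful mode can keep one stream running."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def next_key(start_key: bytes, session_key: bytes) -> bytes:
    # Stand-in key change (assumption): SHA-1 over start key + current session key;
    # it keeps the shape of the scheme, not the exact RFC 3078 derivation.
    return hashlib.sha1(start_key + session_key).digest()[:16]

class Endpoint:
    """12-bit coherency count (wraps at 4096); key change every packet when stateless, every 256 when stateful."""
    def __init__(self, start_key: bytes, stateless: bool):
        self.start, self.stateless, self.count, self.rekeys = start_key, stateless, 0, 0
        self.key = next_key(start_key, b"")  # initial session key from the start key
        self.ks = rc4_stream(self.key)
    def _step(self):  # a key change precedes the packet carrying this count
        if self.stateless or (self.count & 0xFF) == 0xFF:
            self.key, self.rekeys = next_key(self.start, self.key), self.rekeys + 1
            self.ks = rc4_stream(self.key)  # dictionary re-initialised from the new key
        self.count = (self.count + 1) & 0xFFF
    def send(self, plain: bytes):
        cnt = self.count
        self._step()
        return cnt, bytes(c ^ next(self.ks) for c in plain)
    def recv(self, count: int, cipher: bytes):
        missed = (count - self.count) & 0xFFF
        if missed and not self.stateless:
            return None  # stateful gap: undecryptable until a CCP reset changes the key
        for _ in range(missed + 1):  # stateless: one key change per lost packet, then ours
            self._step()
        return bytes(c ^ next(self.ks) for c in cipher)

def run(stateless: bool, drop: set, n: int = 4096):
    a, b = Endpoint(b"demo-secret", stateless), Endpoint(b"demo-secret", stateless)
    ok = 0  # packets the receiver decrypted correctly
    for i in range(n):
        cnt, ct = a.send(b"payload %d" % i)
        if cnt not in drop:
            ok += b.recv(cnt, ct) == b"payload %d" % i
    return ok, a.rekeys
```

`run(True, {7, 300})` loses two packets yet decrypts the other 4094, while `run(False, {7})` decrypts only the seven packets before the gap and the sender still changes key 16 times over 4096 packets.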