From daw@CS.BERKELEY.EDU Tue Jul 13 16:50:16 PDT 1999
Article: 8135 of isaac.lists.bugtraq
Path: news.isaac.cs.berkeley.edu!not-for-mail
From: David Wagner
Newsgroups: isaac.lists.bugtraq
Subject: Re: MS Chap v2 analysis
Date: 13 Jul 1999 15:56:00 -0700
Organization: A poorly-installed InterNetNews site
Lines: 19
Sender: daemon@abraham.cs.berkeley.edu
Approved: mail2news@news.isaac.cs.berkeley.edu
Distribution: isaac
Message-ID: <7mel4r$t4d$1@blowfish.isaac.cs.berkeley.edu>
References:
Reply-To: David Wagner
NNTP-Posting-Host: abraham.cs.berkeley.edu
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@securityfocus.com
X-To: bugtraq@securityfocus.com
Xref: joseph.cs.berkeley.edu isaac.lists.bugtraq:8135

If I understand the MS Chap v2 key derivation process correctly, there is a serious weakness in the way 40-bit keys are derived. In particular, they incorporate absolutely no randomness ("salt"). (Compare to SSL, which hashes in 88 bits of salt with 40 bits of key.) Thus, MS Chap v2 appears vulnerable to a time-space tradeoff, if you can find some short segment of known plaintext.

Consider Hellman's time-space tradeoff. You need to do a 2^40 precomputation, and you need 2^26 space (a CD-ROM or a small hard disk). Then, you can break each subsequent session key with only 2^26 work, much weaker than you'd expect from a 40-bit key.

In other words, the export-weakened protocol appears crackable in near-realtime, with a single computer! Sounds like an NSA wet dream, if I'm following the algorithm correctly.

Please tell me I'm misunderstanding something here. Surely the protocol can't be this broken...can it?
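The time-space tradeoff the post describes, as an added example that is not part of the original post or of any MS-CHAP implementation: a scaled-down Hellman table attack in Python against a toy unsalted key-to-ciphertext map (18-bit keys instead of 40, SHA-256 standing in for the cipher, a constructed known-plaintext block), with the cost shape the post gives, roughly N precomputation once and then roughly N^(2/3) storage and N^(2/3) work per session key, followed by a check that mixing an 88-bit per-session salt into the derivation, as the post says SSL does, leaves the precomputed tables useless. Key size, the reduction function and the salt value are assumptions of this example.

```python
import hashlib
import random

KEY_BITS = 18                 # toy stand-in for the 40-bit export key
N = 1 << KEY_BITS             # key space; brute force costs N trials per session
T = 1 << (KEY_BITS // 3)      # Hellman: T tables x T chains x T steps, T**3 == N
KNOWN_PLAINTEXT = b"constructed known-plaintext block"  # constructed sample
def f(key, salt=b""):
    # Key -> truncated 'ciphertext' of the known block. Unsalted, f is identical in every session.
    d = hashlib.sha256(salt + key.to_bytes(3, "big") + KNOWN_PLAINTEXT).digest()
    return int.from_bytes(d[:3], "big") & (N - 1)
def reduce_to_key(ct, table_id):
    # Reduction R_i: ciphertext -> key space, a distinct R_i per table (assumed, standard Hellman)
    return (ct ^ (table_id * 0x9E37)) & (N - 1)
def build_tables(seed=1):
    # Offline phase, run once: ~N evaluations of f, but only T*T (endpoint -> start) pairs are kept.
    rng, tables = random.Random(seed), []
    for i in range(T):
        table = {}
        for _ in range(T):
            start = k = rng.randrange(N)
            for _ in range(T):
                k = reduce_to_key(f(k), i)
            table.setdefault(k, start)     # merged chains share an endpoint; keep the first
        tables.append(table)
    return tables
def recover_key(tables, ct):
    # Online phase (~T*T steps per key): walk from R_i(ct) to an endpoint, regenerate that chain, return the key behind ct.
    for i, table in enumerate(tables):
        x = reduce_to_key(ct, i)
        for _ in range(T):
            if x in table:
                k = table[x]
                for _ in range(T):
                    if f(k) == ct:
                        return k
                    k = reduce_to_key(f(k), i)
                # false alarm (another chain merged here): keep walking this table
            x = reduce_to_key(f(x), i)
    return None
def demo(seed=1):
    # Recover one covered key, then show the tables fail once an 88-bit per-session salt is mixed in (as SSL does).
    tables = build_tables(seed)
    start = random.Random(seed).randrange(N)     # first chain start of table 0: covered by construction
    recovered = recover_key(tables, f(start))
    salt = b"\x01" * 11                          # constructed sample salt
    wrong = recover_key(tables, f(start, salt))  # tables were built for the unsalted f
    return (recovered is not None and f(recovered) == f(start),
            wrong is not None and f(wrong, salt) == f(start, salt))
```

Any candidate the unsalted tables return for a salted session fails verification under the session's salt, so the attacker would need one set of tables per salt value, 2^88 of them for an 88-bit salt, instead of one precomputation serving every session.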