Recent discussions in some security newsgroups and a press release by Bruce Schneier, the author of the widely used book Applied Cryptography and a cryptographic consultant from Counterpane Systems, have raised some questions surrounding Microsoft's implementation of the standards-based Point to Point Tunneling Protocol (PPTP). This bulletin clarifies the issues raised by Mr. Schneier and recommends specific actions to customers of Windows® to insure they have a secure PPTP configuration.

Microsoft currently provides a very robust and secure virtual private networking (VPN) solution that is the most common used in the industry according to the most recent VPN market study by Infonetics Research. The specification for PPTP is the result of joint efforts with a host of respected networking vendors including Ascend Communications, 3Com/Primary Access, ECI Telematics, US Robotics and Microsoft. These companies constituted the PPTP Forum whose joint effort was made publicly available and submitted to the IETF standards organization in 1996. Today, Microsoft continues to improve and develop highly interoperable and secure enterprise wide communication solutions in conjunction with leading networking vendors, consultants and security specialists.

All networking communication and security specialists realize that in real world scenarios computer security is a function of several dynamic elements including technology, policy, and physical security. It is within this framework, and after careful evaluation of their resources, that each organization defines their level of acceptable risk and the solutions they deploy. PPTP plays a part of an overall operational plan for secure communications and is rooted in a pragmatic real world approach to security issues.

Within this real world context, Microsoft has not been contacted by any of its customers about a single case in which a Windows based VPN solution has been compromised. Microsoft's VPN solution combines the benefits of a broadly available open platform, full-featured networking, native Windows integration, and ease of use to deliver a highly programmable and flexible communications platform. A properly configured Windows-based system, using PPTP and Windows tools to enforce responsible password security policy, is an economical, reliable and secure VPN solution that delivers cost savings associated with Internet-based communications.

Notwithstanding the above, Microsoft takes security very seriously and takes action if questions are raised about the security of any of our products. We encourage review of our protocols and methods, and we appreciate the productive commentary that security experts provide to us to improve our products. In fact, Mr. Schneier's commentary is based on information gleaned from the open process we have in place for peer review, which includes the publishing of the Microsoft Point-to-Point Encryptions (MPPE) specification. The MPPE specification details how we implement encryption in our implementation of PPTP. As a result of continual expert review, and rapid technological advancements, the state of the art in encryption and network security constantly changes. For this reason Microsoft regularly provides prompt updates to its security services and products which rely on them. Customers charged with security policy should always be aware of the latest security enhancements available from Microsoft, and should be regular monitors of the Microsoft security web site at http://www.microsoft.com/security and the communications web site at http://www.microsoft.com/communications.

Description of the PPTP Issues and Microsoft's actions
The following is a list of some common areas of recent discussion around the Microsoft implementation of PPTP:

Use of the LM Hash protocol for authenticating the PPTP client - When Windows-based clients connect to a Windows NT-based PPTP server, they perform a challenge-response authentication using a technique called MS-CHAP. This technique uses a hashing function to obscure the Windows NT password (case sensitive, up to 14 characters, using the 16-bit UNICODE character set) in the response. Much of the discussion of issues with the authentication process centers on the use of passwords that have been obscured using a LM hashing function by Windows-based clients when they authenticate to the Windows NT PPTP server as opposed to the Windows NT Hash. LM passwords are not as complex as Windows NT passwords, and thus are more susceptible to brute force attacks.

For reasons of legacy compatibility Microsoft has continued to support both the LM-Hash and the Windows NT Hash. Microsoft recently released an update to the PPTP client and server components for Windows NT that provides administrators with the ability to configure the PPTP server so that it will only accept the stronger Windows NT password authentication. This update also allows the administrator to configure Windows NT PPTP clients such that they will never use LM authentication. Shortly, Microsoft will release an update to the Windows 95 PPTP client that will allow the Windows 95 client to be configured such that it will never use LM authentication when connecting to PPTP servers. Windows 98 already includes this updated functionality. Specific information regarding the update and how to configure Windows to mandate the use of the Windows NT-Hash is covered in the release notes of the upgrade software. Please see http://www.microsoft.com/ for information on the updated release for Windows 95, Windows NT, and the integrated Routing and Remote Access Services of Windows NT Server for server-to-server VPN.

Flaw in the Challenge/Response Authentication Protocol - If an attacker could position a machine between the client and their target server, the machine in the middle could attempt to impersonate the subject PPTP server and accept the traffic from the client. The vulnerability to "man-in-the-middle" attacks exists with any non-mutual challenge response authentication protocol, and is therefore not specific to Microsoft's products. However, in the case of Windows NT data encryption is simply enabled, after which time all communication between the client and the server is fully protected and cannot be read by the machine in the middle that lacks the necessary key to decrypt information transmitted.

Using the control channel to crash a PPTP server – A bug found and reported to Microsoft several months ago would have allowed a malicious attacker to send flawed information to the PPTP server over what is called the control channel. This code, if constructed properly, could potentially have caused the PPTP server to crash. Microsoft released a publicly available fix for this bug about three months ago. This fix provided more extensive parameter checking on data passed to the control channel to ensure that data in the control channel can not crash the PPTP server. This fix is also included in the recently released PPTP updates for Windows NT. Find and read Microsoft Knowledge Base article Q179107 for more information about this resolved bug.

After this fix, the worst result of an attack of this type would be the dropping of an active PPTP session. To eliminate such attacks, Microsoft will further enhance the control channel in a future update to fully authenticate each control channel packet sent to a PPTP server.

Use of common passwords yields breakable keys - In Microsoft's 40-bit encryption algorithm, during the initial session setup between the PPTP client and the PPTP server, a function of the user's password is used to generate the initial encryption keys. Theoretically, knowledge of the user's password could allow a malicious attacker who was able to sniff the network between the client and server to decrypt the data in the encrypted PPTP session.

This attack is a variant of a common hacker's trick - guessing a password based on knowledge of the user, or the use of "dictionary attacks" that test a set commonly used passwords. Microsoft recommends that customers enforce the use of strong (complex) passwords on their networks using the Windows tools that enable an administrator to do so. A good password policy that specifies minimum character lengths, combinations of different character sets, and regular updating is part of any good security policy. Windows NT can easily enforce such a password policy. Service Pack 2 for Windows NT 4.0 (and subsequent service pack releases) provides tools for Windows NT administrators to enforce better security policy via improved password management. See Microsoft Knowledge Base article Q161990 for details, located at. This article covers more information about enabling strong passwords policy within your organization. Good password policy management makes any password based solution exponentially more difficult to compromise. Complex passwords, good technology, and the constraints of the physical world all combined to make Windows a very secure real world VPN solution.

Please also note that, in Microsoft's 128-bit encryption algorithm, the encryption key is not a function of just a complex password, but includes a function on the challenge as well. This algorithm makes an attack much more difficult. Microsoft recommends the use of 128-bit encryption keys for North America as a matter of policy not just for protection against an attack, but also because 40-bit keys have been shown to be susceptible to brute force attacks under controlled conditions.

Encryption key weaknesses - PPTP uses the RSA RC4 encryption algorithm, operating at the strongest encryption level allowed by the US Government - using 128-bit keys in North America, and 40-bit keys elsewhere. To make things more difficult for an attacker, the encryption key is changed every 256 packets. In an upcoming release, security will be further enhanced by enabling the changing of keys on every single packet. This makes even well resourced brute force attacks nearly impossible. It has also been noted that in the current implementation of the PPTP protocol on Windows NT and Windows 95, Microsoft uses the same RC4 encryption key in both directions. In a near-term release separate keys will be negotiated for each direction to improve security further.

North American customer should continue to use the strong 128-bit version of PPTP on their networks. Customers should also update to the latest Service Pack 3 for Windows NT and install the following PPTP hotfixs.

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/pptp2-fix/

Customers running the Routing and Remote Access Service should install the hotfix above, followed by

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/RRAS20-fix/

In general, customers should regularly review the Microsoft security web site at http://www.microsoft.com/security Customers should then load and use the latest security information , advisories, and updates for both the Routing and Remote Access Services that enable server-to-server and the latest dial-up networking upgrades client-to-server VPNs. Users should then make sure that their organization uses the tools provided to enforce a responsible security policy. Properly configured Windows-based systems, combined with a good security policy insure that you can reap all the benefits of a secure VPN solution.