MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol and is described in RFC2759. A recent presentation by Moxie Marlinspike  has revealed a breakthrough which reduces the security of MS-CHAPv2 to a single DES encryption (2^56) regardless of the password length. Today, we published Security Advisory 2743314 with recommendations to mitigate the effects of this issue.
Any potential attack would require a man in the middle situation in which a third party can get all the traffic between the client and authenticator during the authentication.
Without going into much detail about the MS-CHAPv2 protocol, we will just discuss the part that would be affected by this type of attack: the challenge and response authentication. This is how the client responds to the challenge sent by the authenticator:
- The authenticator sends a 16 byte challenge: CS
- The client generates a 16 byte challenge: CC
- The client hash the authenticator challenge, client challenge, username and create an 8 byte block: C
- The client uses the MD4 algorithm to hash the password: H
- The clients pad H with 5 null byte to obtain a block of 21 bytes and breaks it into 3 DES keys: K1,K2,K3.
- The client encrypts the block C with each one of K1,K2 and K3 to create the response: R.
- The client send back R,C and the username.
K1|K2|K3=P|5 byte of 0
There are several issues in this algorithm that combined together can result in the success of this type of attack.
First, all elements of the challenge and response beside the MD4 of the password are sent in clear over the wire or could be easily calculated from items that are sent over the wire. This means that for a man in the middle attacker, the gain of the password hash will be enough to re-authenticate.
Secondly, the key derivation is particularly weak. Padding with 5 bytes of zero means that the last DES key has only a key space of 2^16.
Lastly, the same plaintext is encrypted with K1 and K2, which means a single key search of 2^56 is enough to break both K1 and K2.
Once the attacker has K1, K2 and K3 he has the MD4 of the password which is enough to re-authenticate.
- Ali Rahbar, MSRC Engineering