Researchers have devised an attack against a Microsoft-developed authentication scheme that makes it trivial to break the encryption used by hundreds of anonymity and security services, including the iPredator virtual private network offered to users of The Pirate Bay.
The attack, unveiled by Moxie Marlinspike and David Hulton, takes on average just 12 hours to recover the secret key that iPredator and more than 100 other VPN and wireless products use to encrypt sensitive data.
The technique, which has been folded into Marlinspike's CloudCracker service, exploits weaknesses in version 2 of a Microsoft technology known as MS-CHAP, short for Microsoft challenge-handshake authentication protocol. It's widely used to log users into VPN and WPA2 networks and is built into a variety of operating systems, including Windows and Ubuntu.
"We hope that by making this service available, we can effectively end the use of MS-CHAPv2 on the Internet once and for all," the researchers wrote in a blog post published over the weekend. "We find many popular VPN products are susceptible to a variety of practical user deanonymization attacks. Weaknesses stem from lack of security analysis of the composition of VPNs, applications, and the TCP/IP stack on each respective operating system."
Microsoft officials are "actively investigating the issue and will take the necessary steps to help protect customers," the company said in a brief statement. (...)
Other cryptographers agreed that the new attack is significant.
"Once you have something that can crack DES in half a day, it's kind of like having a master key for DES," Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. "And at that point, any protocol that works like MS-CHAP is going to just fall apart."
Marlinspike said people should immediately stop using VPN and WPA2 products that rely on MS-CHAP. They should instead rely on certificate-based authentication methods, such as OpenVPN, SSL VPN, or certain types of IPsec, as long as it doesn't use a pre-shared key for authentication.