A recent debate of MSCHAPv2 security, sparked by (arguably) new exploits and cracking services announced at DEFCON 20 in August 20, leads us to a wider discussion of security in 802.1x / EAP.
In what follows, i repost two short articles first posted on
the summmary, one might agree or disagree with (in which case i m grateful for comments), is:
we should consider current wireless security with EAP/802.1x completely broken / obsolete.
Quoting this DEFCON 20 article
"MS-CHAPv2 is used quite heavily in WPA2 Enterprise environments.
In their 1999 analysis of the protocol, Bruce Schneier and Mudge conclude "Microsoft has improved PPTP to correct the major security weaknesses described in [SM98]. However, the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user." http://www.schneier.com/paper-pptpv2.html
"This, along with other writings, has led both service providers and users to conclude that they can use MS-CHAPv2 in the form of PPTP VPNs and mutually authenticating WPA2 Enterprise servers safely, if they choose good passphrases."
Is there anything new in the attack reported here, then?
The attack focusses not on a library or guessing attack on the password but, instead on recovering the MD4 hash of the user's password.
A detailed look into the problem shows that what looks like a 2**128 crack job is really just a 2**56 - due to redundancies, shared bases and zero padding. In other words, a single round DES crack.
The actual crack work is performed by a dedicated piece of hardware, "an FPGA box that implemented DES as a real pipeline, with one DES operation for each clock cycle. With 40 cores at 450mhz, that's 18 billion keys/second. With 48 FPGAs, the Pico Computing DES cracking box gives us a worst case of ~23 hours for cracking a DES key, and an average case of about half a day."
This cracking engine is made accessible via "the cloud" (no comment on the cloud meme here) - an API and helper tool, free for download.
The article concludes:
"Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else. "
On Schneier' blog, a comment has been requested:
"@Bruce - Can we get a comment / response to the work presented at Defcon on MS-CHAPv2 only being as secure as a single round of DES?"
But, for something that sounds like it s going to bring down most of this planets enterprise wireless, it doesnt seem to make an awful lot of waves. Why not?
As far as wireless security (and only that!) is concerned,
does this discovery mean we need to stop using MSCHAPv2 or maybe even EAP-TLS/PEAP/802.1x altogether, and "use something else" - as the article somewhat vaguely says?
Simplified, it doesnt matter much to Enterprise WiFi if MSCHAPv2 is broken, as we are only using it inside protected tunnels.
Andrew von Nagy explains this much better than i could:
"What is the Impact to Wi-Fi Network Security? Specifically, does this make much of an impact for Wi-Fi networks where 802.1X authentication is employed where MS-CHAPv2 is used (namely EAP-PEAPv0 and EAP-TTLS)? Answer - No, it really does NOT. The impact is essentially zero."
Much more of a problem in real life wireless is the fact that on the networks i have seen, almost nobody enforces strict certificate validation.
Also, keep in mind that certificates are bound to hosts/domains/organizations, but in no way to SSIDs (whether ESSID or BSSID) or APs.
Thus, a realistic attack scenario is quite simple:
i will deploy a rogue AP and Radius server that supplies some (!) certificate (which will never be checked for validity!), and own the EAP-TLS tunnel and hence all communication inside it, harvesting usernames and passwords as people connect.
Now THAT is a problem.
The fact that i speak open inside the tunnel is not a problem, really, as long as we know who owns the tunnel.
So, we can more or less ignore the MSCHAPv2 hack and focus on certificates instead.
ps. Thanks NSRC colleagues for heads up and thanks to my colleague Felix here at ITU, for discussion!
Second comment to the security debate, e.g. here
So MSCHAPv2 is completely broken. No problem.
For EAP/802.1x wireless security, that should not matter, as we only use it inside a tunnel (TTLS, PEAP) (SSL protected).
Popular EAP/802.1x-methods: PEAP+MSCHAPv2 or TTLS+PAP or TTLS+MSCHAPv2
In most networks, on most clients, certificate validation is largely absent and difficult to enforce across all clients (BYOD!).
Moreover, many user guidelines explicitly ask clients to NOT validate the certificate.
A very simple, realistic attack scenario:
Place a rogue AP with the right SSID and connected to a fake RADIUS server in the target building/area, and harvest logons at leisure. No client has any chance to even notice the attack.
So, the tunnel is broken.
The fact that MSCHAPv2 is broken - it does not even really matter: the attacker lures the client into talking to their rogue RADIUS server, and of course can read all user credentials, regardless of encryption.
This is NOT a little irrelevant side note to the discussion of MSCHAPv2, which is, i agree, more intellectually interesting. The MSCHAPv2 discussion unfortunately is an interesting academic but irrelevant side note to the fact that our de-facto wireless security practices render EAP/802.1x broken.
Unless the certificate validation problem is addressed, we should consider current wireless security with EAP/802.1x completely broken / obsolete.
Agreed - it would not have to be, but it is.