Microsoft Challenge Handshake Authentication Protocol
CS265 Spring 2005
ChungShun Wei
Private Network
Restricted from outside access
Highly secure if no bad guy has access to the physical LAN
But you are also blocked when you are not on the local network; even the Internet will not help
[Diagram: your notebook, the Internet, and the file server and e-mail server inside the private network]
Virtual Private Network (VPN)
Through a VPN server, a remote user can connect to the intranet over the public Internet
VPN Authentication
Password Authentication Protocol (PAP): username and password in clear text; use it only when the VPN server supports nothing but PAP
Challenge Handshake Authentication Protocol (CHAP): the password is encrypted rather than sent in clear text
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): based on CHAP; two versions, MS-CHAP v1 and MS-CHAP v2, where MS-CHAP v2 is an improvement over MS-CHAP v1
Request Login Challenge
[Diagram, Client and VPN Server: the client requests a login challenge; the server answers with a 16-byte random challenge]
Generate 8-byte Challenge
[Diagram, Client: the 16-byte random challenge (generated by the server), the 16-byte Peer Authenticator Challenge (generated by the client) and the client's username are concatenated and hashed with SHA-1; the first 8 bytes of the hash are the challenge]
Generate 24-byte MS-CHAP Reply
[Diagram, Client: the password is the input to the NT hash, which gives a 16-byte output; the 16 bytes are padded to 21 bytes with 0 and split into three 7-byte DES keys, key 1, key 2 and key 3, the last of the form xx00000; each key encrypts the 8-byte challenge; the three ciphertexts are concatenated into the 24-byte MS-CHAP reply]
Retrieve Password From DB
[Diagram, Client to VPN Server: the 24-byte reply, the Peer Authenticator Challenge and the client's username; the server looks up the client's password in the Password Database by the client's username]
Authenticate
[Diagram, VPN Server: the server recomputes the 8-byte challenge from the 16-byte random challenge (generated by the server), the 16-byte Peer Authenticator Challenge (generated by the client) and the client's username, concatenated and hashed with SHA-1, first 8 bytes; it derives the three 7-byte DES keys from the NT hash of the stored password, the 16-byte output padded to 21 bytes with 0, the third key of the form xx00000; it decrypts bytes 1-8, 9-16 and 17-24 of the MS-CHAP reply with keys 1, 2 and 3 and checks that each result matches the challenge]
Authenticator Response
[Diagram, VPN Server to Client: 20-byte Authenticator Response]
- The VPN server uses the 16-byte Peer Authenticator Challenge and the client's hashed password to create the 20-byte Authenticator Response
- The client computes its own Authenticator Response and compares it with the server's. If they match, the server is authenticated
Find Out 8-byte Challenge
Although the 8-byte challenge is never sent in clear text,
an attacker can easily compute it by listening for the server's 16-byte random challenge, the Peer Authenticator Challenge and the client's username
[Diagram: the 16-byte random challenge (generated by the server), the 16-byte Peer Authenticator Challenge (generated by the client) and the client's username are concatenated and hashed with SHA-1; the first 8 bytes are the challenge]
Analysis MS-CHAP Reply
[Diagram: the same construction as in "Generate 24-byte MS-CHAP Reply": password, NT hash, 16-byte output padded to 21 bytes with 0, three 7-byte DES keys (the third of the form xx00000), each encrypting the 8-byte challenge, concatenated into the 24-byte reply]
Worked example (illustrative values):
password: sanjose
NT hash: askjKeL35h2k49kj (16 bytes)
padded with 0 to 21 bytes: askjKeL35h2k49kj00000
split into three 7-byte DES keys: askjKeL | 35h2k49 | kj00000
each key encrypts the challenge: Iwe652nW | n8mxhUw0 | xjO82nzx
MS-CHAP reply (24 bytes): Iwe652nWn8mxhUw0xjO82nzx
Attack on MS-CHAP Reply
Attackers do not need 2^192 effort
But 2^56 + 2^56 + 2^16 ≈ 2^57
[Diagram: the reply Iwe652nWn8mxhUw0xjO82nzx is split into its three 8-byte blocks Iwe652nW, n8mxhUw0 and xjO82nzx, and each block is attacked separately by encrypting the known challenge under candidate keys; the third block's key has the form xx00000, so 2^16 tries; the first two blocks' keys have the form xxxxxxx, 2^56 tries each; this recovers the NT hash askjKeL35h2k49kj of the password sanjose]