Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP)



Bruce Schneier, Peter Mudge
e-mail: {schneier, mudge}@counterpane.com


1. Introduction

Many organisations are not centralised. Branch offices, virtual corporations and travelling employees make the idea of running a dedicated line to every required point logically impossible. The concept of virtual networks solves this problem by tunneling a unified network space over other, intermediate and untrusted networks (for example, the Internet), thereby allowing remote points to become local. This solution does not require investment in leased or dedicated lines to every point. The approach is sometimes called a 'tunnel'.

As virtual networks solved one problem, another arose: the problem of decentralised machines. Traffic that previously stayed within the company's boundaries is now exposed to curious eyes from every corner of the globe. To ensure not only fault tolerance but also the safety of the information, authentication and encryption mechanisms must be used. As a result, virtual network connections were combined with cryptographic protection, and the end product was named Virtual Private Networks (VPN).

The security of a VPN rests on the security of its authentication and encryption protocols. If the VPN's cryptography is weak, the degree of protection is no higher than for any other non-private data transfer over the Internet. Since companies expect a VPN to extend the perimeter of internal security to a remote office, breaking the tunnel's protection amounts to defeating all the protection of the internal perimeter. A break-in through the VPN means practically the same as a break-in through the firewall.

The PPTP protocol (Point-to-Point Tunneling Protocol) was designed to solve the problem of creating and managing VPNs over a public TCP/IP network using the standard PPP protocol. Although the protocol leaves room for all possible types of encryption and authentication, most commercial products use the Windows NT version of the protocol. It is this implementation that is analysed in this article.

We found that Microsoft's authentication protocol is weak and vulnerable to dictionary attack; most passwords can be recovered within a few hours. We found that the encryption schemes using 40- and 128-bit keys are equally weak, and we discovered a number of unwise design decisions in the implementation that permit further attacks on the cipher. We can open connections through a firewall by abusing PPTP negotiation, and we can mount various denial-of-service attacks against users of Microsoft PPTP.

The rest of the paper is organised as follows. Section 2 discusses both the PPTP standard and Microsoft's implementation of it. Section 3 discusses the two password hashing functions used in Microsoft PPTP and attacks on them. Section 4 cryptanalyses Microsoft's authentication protocol, and section 5 cryptanalyses Microsoft's encryption protocol. Other attacks on Microsoft PPTP are discussed in section 6. Finally, section 7 draws some conclusions.


2. The Point-to-Point Tunneling Protocol

PPTP is a protocol that allows PPP connections to be tunneled over an IP network, creating a VPN. Thus a remote computer on network X can tunnel its traffic to a gateway on network Y and simulate a connection, with an internal IP address, to network Y. The gateway receives traffic for the internal IP address and forwards it to the remote machine on network X. There are two basic ways of using PPTP: over the Internet and over dial-up connections. This article focuses on the use of PPTP as a VPN when the client is connected directly to the Internet.

PPTP works by encapsulating virtual-network packets in PPP packets, which are in turn encapsulated in GRE (Generic Routing Encapsulation) packets carried over IP from the client to the gateway (the PPP server) and back. Alongside the channel of encapsulated data there is a TCP-based control session. Control-session packets allow status to be queried and signalling information to be carried between client and server. The control channel is initiated by the client to the server on TCP port 1723. In most cases it is a bidirectional channel on which the server sends queries to the client and vice versa.

PPTP does not specify particular authentication or encryption algorithms; instead it provides a framework for negotiating particular algorithms. Negotiation is not unique to PPTP; it relies on the existing PPP negotiation options contained in CCP, CHAP and other PPP extensions and enhancements.

2.1 Microsoft's PPTP

Microsoft PPTP is part of Windows NT Server; the software can be downloaded free of charge from Microsoft's web site. Connections are configured through the control panel and the registry editor. This PPTP implementation is widely used in commercial VPN products, for example Aventail and Freegate, precisely because it is part of Microsoft's operating systems.

A Microsoft PPTP server can run only on Windows NT, although client software exists for Windows NT, some versions of Windows 95 and Windows 98. Microsoft's implementation supports three authentication options:

  1. Clear-text password: the client sends the password to the server in the clear.
  2. Hashed password: the client sends the server a hash of the password (see section 3).
  3. Challenge/response: authentication of server and client using the MS-CHAP (challenge/response) protocol described in section 4.

The third option is called "Microsoft Authentication" in the user documentation, and it must be enabled for PPTP packets to be encrypted. If either of the other two options is chosen, encryption is unavailable. Moreover, encryption (40- or 128-bit) is guaranteed only when the client is running Windows NT. Some Windows 95 clients cannot support encrypted sessions.


3. Cryptanalysis of the Windows NT Password Hashing Functions

Microsoft Windows NT uses two one-way hash functions to protect passwords: the Lan Manager hash and the Windows NT hash. The Lan Manager hash function was developed by Microsoft for IBM's OS/2 operating system; it was integrated into Windows for Workgroups and partly into Windows 3.1. This function is used in several authentication protocols that predate Windows NT. The Windows NT hash was developed specifically for Microsoft Windows NT. The Lan Manager hash function is based on the DES algorithm; the Windows NT hash function is based on the MD4 one-way hash function. Both functions are used in many Windows NT authentication protocols, not just in PPTP.

The Lan Manager hash is computed as follows:

  1. Convert the password to a 14-character string, either by truncating longer passwords or by padding shorter ones with zero bytes.
  2. Convert all lower-case characters to upper case. Digits and special characters are unchanged.
  3. Split the 14-byte string into two 7-byte halves.
  4. Use each half as a DES key, encrypt a fixed constant with each key, and obtain two 8-byte strings.
  5. Concatenate the two strings to form one 16-byte hash value.

Dictionary attacks against the Lan Manager hash succeed easily for the following reasons:

  • Most people choose easily guessed passwords.
  • All characters are converted to upper case, which further limits the already small set of possible passwords.
  • There is no salt; two users with the same password always have the same hash value. Thus a dictionary of hashed passwords can be built in advance and the unknown password looked up in it. With this time/memory trade-off, password testing runs at the speed of disk I/O.
  • The two 7-byte halves of the password are hashed independently of each other. Thus the two halves can be brute-forced independently, and the complexity of the attack is no greater than that of an attack on a 7-byte password. Passwords longer than seven characters are no stronger than seven-character passwords. Moreover, passwords of seven characters or fewer are very easy to recognise, since the second half of the hash is always the same fixed constant: the fixed constant encrypted under a key of seven zero bytes.

The Windows NT hash is computed as follows:

  1. Convert the password, up to 14 characters long and case-sensitive, to Unicode.
  2. Hash the password with MD4, obtaining a 16-byte hash value.

The Windows NT hash has advantages over the Lan Manager hash: case is preserved, passwords can be longer than 14 characters, and the password is hashed as a whole rather than split into small pieces. But there is still no salt. Thus people with identical passwords will always have identical Windows NT password hashes. Comparing a file of hashed passwords against a precomputed dictionary of hashed passwords can be a rather effective attack.

In addition, an implementation problem makes password recovery considerably easier. Although the Lan Manager hash is included for backward compatibility and is not needed in Windows NT networks, both hash values are always sent together. Hence the password can be brute-forced via the weaker Lan Manager hash, and then the case variants tested to match the Windows NT hash value.


4. Cryptanalysis of MS-CHAP

PPP includes various ways of handling authentication. One of them is the Challenge Handshake Authentication Protocol (CHAP). Microsoft's implementation of PPP CHAP (MS-CHAP) is almost identical to the authentication method used to authenticate clients in Windows networks.

MS-CHAP works as follows:

  1. The client requests a login challenge.
  2. The server returns an eight-byte random challenge.
  3. The client computes the Lan Manager hash, appends five zero bytes to form a 21-byte string, and splits the string into three 7-byte keys. Each key is used to encrypt the challenge, giving a 24-byte encrypted value. This is returned to the server as the response. The client does the same with the Windows NT hash.
  4. The server looks up the hash value in its database, encrypts the challenge with the hash, and compares it with the encrypted values received. If they match, authentication completes.
    The server may compare against the Windows NT hash or the Lan Manager hash; the results should match. Which hash the server uses depends on a particular flag in the packet. If the flag is set, the server tests against the Windows NT hash; otherwise it tests against the Lan Manager hash.

The challenge/response protocol is standard; the use of a random challenge makes dictionary attacks on MS-CHAP, and on a file of recorded password hashes, impossible. At the same time, since both hash values are used even in Windows NT networks, the weaker Lan Manager hash can be attacked in every case. And since the client's response is split into three parts, each encrypted independently of the others, the MS-CHAP protocol itself can be attacked.

The last eight bytes of the Lan Manager hash are a constant whenever the password is at most seven characters long. This is true regardless of the random challenge. Hence the last eight bytes of the client's response will be the challenge encrypted with that constant. It is easy to check whether the password is longer than seven characters. Once the attacker has found the Lan Manager hash value, that information can be used to recover the Windows NT hash.

The attack can be sped up considerably by heavy use of precomputation and careful study of the weaknesses of the Lan Manager hash and the MS-CHAP protocol. Details of the optimised attack follow.

Let P0..P13 be the password bytes, H0..H15 the bytes of the Lan Manager hash, which are expanded into the 21-byte key K0..K20, and S the fixed constant used in the Lan Manager hash. Let C be the challenge and R0..R23 the 24-byte response. The attacker knows C and R and wishes to find P.

  1. Try all possible combinations of K14, K15. The correct value is identified when C encrypts to R16..R23 under the key K14, K15, 0, 0, 0, 0, 0. This takes roughly 2^15 operations.
  2. Try likely values of P7..P13. Wrong values can be rejected quickly by encrypting S and checking whether the last two bytes of the result match K14 and K15. (So only one candidate in 2^16 survives.) Each surviving candidate for P7..P13 gives a candidate for K8..K13. To check a candidate, try all possible values of K7 and see whether there is one under which C encrypts to R8..R15 with the candidate K8..K15. If such a K7 exists, the guess for P7..P13 is almost certainly correct. If not, another value of P7..P13 must be chosen. If there are N likely candidates for P7..P13, finding the true value takes N trial encryptions.
    Note that since the protocol uses no salt, this attack can be sped up considerably by a time/memory trade-off. With N precomputed trial encryptions, recovering the true value of P7..P13 takes N/2^16 operations.
  3. Having found P7..P13, recovering P0..P6 takes M attempts, where M is the number of likely values of P0..P6. Again, since there is no salt, the attack can be carried out in N/2^8 attempts given M precomputed values.
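The following Go program is an added example, not code from the paper; it implements the Lan Manager hash of section 3 and the MS-CHAP response construction above so the two observations can be checked on real values: a hash whose second half is the fixed "empty" block, and a response whose last eight bytes depend only on that block, both betray a password of seven characters or fewer. The paper only says "a fixed constant"; the value "KGS!@#$%" used here is the well-known Lan Manager magic, and the challenge in main() is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that Lan Manager encrypts under each
// 7-byte half of the password (the well-known constant "KGS!@#$%").
var lmMagic = []byte("KGS!@#$%")

// expandDESKey turns 7 key bytes into the 8-byte form crypto/des expects: each
// output byte carries 7 key bits in its high bits and an ignored parity bit.
func expandDESKey(k []byte) []byte {
	return []byte{
		k[0] & 0xfe,
		(k[0]<<7 | k[1]>>1) & 0xfe,
		(k[1]<<6 | k[2]>>2) & 0xfe,
		(k[2]<<5 | k[3]>>3) & 0xfe,
		(k[3]<<4 | k[4]>>4) & 0xfe,
		(k[4]<<3 | k[5]>>5) & 0xfe,
		(k[5]<<2 | k[6]>>6) & 0xfe,
		(k[6] << 1) & 0xfe,
	}
}

// desEncrypt encrypts one 8-byte block under a 7-byte key.
func desEncrypt(key7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(key7))
	if err != nil {
		panic(err) // cannot happen: the expanded key is always 8 bytes
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash computes the 16-byte Lan Manager hash as section 3 describes: upper-case,
// pad or truncate to 14 bytes, split into two 7-byte halves, use each half as a
// DES key to encrypt the constant, and concatenate the two 8-byte results.
func LMHash(password string) []byte {
	p := make([]byte, 14)               // zero padding for short passwords
	copy(p, strings.ToUpper(password)) // copy also truncates passwords over 14 bytes
	return append(desEncrypt(p[:7], lmMagic), desEncrypt(p[7:], lmMagic)...)
}

// lmEmptyHalf is the constant encrypted under seven zero bytes, i.e. the second
// half of every Lan Manager hash whose password has at most 7 characters.
var lmEmptyHalf = desEncrypt(make([]byte, 7), lmMagic)

// HashShowsShortPassword is the audit check from section 3: a hash whose second
// half equals lmEmptyHalf belongs to a password of 7 characters or fewer.
func HashShowsShortPassword(lmHash []byte) bool {
	return bytes.Equal(lmHash[8:16], lmEmptyHalf)
}

// MSCHAPResponse builds the 24-byte MS-CHAP response from a 16-byte hash and an
// 8-byte challenge: pad the hash with five zero bytes to 21 bytes, split it into
// three 7-byte DES keys, and encrypt the challenge under each key.
func MSCHAPResponse(hash16, challenge []byte) []byte {
	k := make([]byte, 21)
	copy(k, hash16)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(k[i*7:i*7+7], challenge)...)
	}
	return resp
}

// ResponseShowsShortPassword is the observation from section 4: with a short
// password the third key is H14, H15, 0, 0, 0, 0, 0 where H14, H15 are the last
// two bytes of lmEmptyHalf, so R16..R23 is predictable from the challenge alone.
func ResponseShowsShortPassword(challenge, response []byte) bool {
	k3 := make([]byte, 7)
	copy(k3, lmEmptyHalf[6:8])
	return bytes.Equal(response[16:24], desEncrypt(k3, challenge))
}

func main() {
	challenge := []byte{0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe} // constructed sample
	for _, pw := range []string{"", "abc", "Secret1", "LongerPassword"} {
		h := LMHash(pw)
		r := MSCHAPResponse(h, challenge)
		fmt.Printf("%-16q hash=%s short(hash)=%t short(response)=%t\n",
			pw, hex.EncodeToString(h), HashShowsShortPassword(h),
			ResponseShowsShortPassword(challenge, r))
	}
}
```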

Moreover, this protocol authenticates only the client. An attacker hijacking the connection can trivially masquerade as the server. If encryption is enabled, the attacker cannot send or receive messages (until the cipher is broken), but by reusing an old challenge value he can obtain two sessions of text encrypted under the same key (see the attacks below).


5. Cryptanalysis of MPPE

5.1 Description of MPPE

The Microsoft Point-to-Point Encryption protocol (MPPE) provides the method for encrypting PPTP packets. It assumes a secret key known to both participants of the connection and uses the RC4 stream cipher with a 40- or 128-bit key. Negotiating the use of MPPE is one of the functions of the PPP Compression Control Protocol (CCP) and is described in Appendix C. Once the PPP session is established, transmission of encrypted data packets begins. It is important to note that only those PPP packets whose protocol numbers lie in the range 0x0021-0x00fa are encrypted. All other packets are sent without encryption, even when encryption is enabled. Which packet types are or are not encrypted is governed by RFC 1700. No authentication is provided for any packet.

In MPPE the 40-bit RC4 key is derived as follows:

  1. Generate a deterministic 64-bit key from the Lan Manager hash of the user's password (known to both the user and the server) using SHA.
  2. Set the high 24 bits of the key to the value 0xD1269E.

The 128-bit RC4 key is derived as follows:

  1. Concatenate the Windows NT hash with the 64-bit random value issued by the server during MS-CHAP. This number is sent to the client in the protocol exchange, so it is known to both client and server.
  2. Generate a deterministic 128-bit key from the result of the previous step using SHA.

The resulting key is used to initialise RC4 in the usual way and then to encrypt the data bytes. After every 256 packets (MPPE keeps a counter of the number of packets) a new RC4 key is generated according to the following rules:

  1. Generate a deterministic key (64-bit for 40-bit encryption, 128-bit for 128-bit encryption) by hashing the previous key and the original key with SHA.
  2. For a 40-bit key, set the high 24 bits of the key to 0xD1269E.

A typical PPTP packet is 200 bytes long, including the header.

On loss of synchronisation, RC4 is reinitialised with the current key. There is also an option to change the RC4 key after every packet; this option roughly halves encryption throughput, since the scheduled RC4 key change takes time.

5.2 Key Recovery

In MPPE the key is protected no better than the password. Most passwords have far less than 40 bits of security and are recovered by dictionary attacks. The Lan Manager hash is still more vulnerable: given the maximum length of each portion, the limited alphabet and the absence of lower-case characters, it is impossible to generate a 128-bit key even if the user wants to. The MPPE documentation describes a flag for deriving the 40-bit RC4 key from the Windows NT hash instead of the Lan Manager hash, but this function is not yet implemented. There is no way to derive a 128-bit RC4 key from the Windows NT hash, although that would be more secure (though far less secure than a 128-bit random key).

In any case, the overall level of protection is not 40 or 128 bits but the number of bits of entropy in the password. Experimental data gives English text an entropy of about 1.3 bits per character. Changes of case, digits and special characters raise this figure significantly. Any attack that uses a dictionary of weak passwords may be able to read MPPE-encrypted traffic. Moreover, the stylised headers of PPP packets make it easy to gather known plaintext, which gives a basis for checking a guessed key.

40-bit RC4 is subject to more serious vulnerabilities. Since there is no salt, an attacker can prepare a dictionary of encrypted PPP headers and then quickly look up a given ciphertext in it. When looking for places in MPPE packets where predictable plaintext may occur, the attacker can take advantage of the many SMB and NetBIOS exchanges that take place in standard Microsoft connections.

Moreover, the same 40-bit RC4 key is generated every time the user initialises PPTP. Since RC4 is an output-feedback mode stream cipher, the cipher is trivially broken for two sessions. This serious vulnerability is noted in most recent MPPE specifications, although it was absent from the previous version. One version of Microsoft's documentation does not specify that the same key is used in both the forward and the reverse direction, which guarantees that the same keystream is used to encrypt two different texts.

128-bit RC4 uses a 64-bit random value in key generation. This makes a dictionary attack impractical. Still, brute-forcing the password is more effective than brute-forcing the key space. The random number also means that two sessions with the same password will use different 128-bit RC4 keys, although the same key is used to encrypt text in both directions.

5.3 Bit-Flipping Attacks

RC4 is an output-feedback stream cipher, so the ciphertext carries no authentication of the plaintext. Since MPPE provides no other authentication, an attacker can flip bits in the ciphertext unnoticed. If a lower-level protocol is sensitive to the values of particular bits (enabling or disabling a function, selecting an option, resetting parameters), this attack can be quite effective. Note that the attacker does not need to know the encryption key or the client's password to carry it out. Of course, such attacks may be detected or prevented by higher-level protocols.
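The following Go program is an added example, not code from the paper; it models the two MPPE weaknesses from sections 5.2 and 5.3 on constructed PPP frames: when both directions start from one RC4 key, the XOR of the two ciphertexts is the XOR of the two plaintexts, so a known PPP header gives away the other side's data, and a bit flipped in the ciphertext arrives as the same bit flipped in the plaintext with nothing to detect it. Only the key layout (fixed high 24 bits 0xD1269E) follows the paper; the SHA derivation is not modelled, and the five variable key bytes and the frame contents are constructed samples.

```go
package main

import (
	"crypto/rc4"
	"fmt"
)

// mppe40Key builds the 64-bit RC4 key layout from section 5.1: the high 24 bits
// are the fixed value 0xD1269E, so only the remaining 40 bits vary per session.
// The five variable bytes are passed in; main() uses a constructed value.
func mppe40Key(secret5 [5]byte) []byte {
	return append([]byte{0xd1, 0x26, 0x9e}, secret5[:]...)
}

// keystream returns the first n bytes of the RC4 keystream for key. A fresh
// cipher is started on every call, modelling two directions that both begin
// from the same key (section 5.2) rather than one continuing stream.
func keystream(key []byte, n int) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err) // only fails for key lengths outside 1..256 bytes
	}
	ks := make([]byte, n)
	c.XORKeyStream(ks, ks) // XOR into zero bytes yields the raw keystream
	return ks
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Encrypt models one MPPE direction with no authentication tag: ciphertext is
// plaintext XOR keystream. Decryption is the same operation.
func Encrypt(key, plaintext []byte) []byte {
	return xorBytes(plaintext, keystream(key, len(plaintext)))
}

// RecoverOtherDirection is the keystream-reuse consequence from section 5.2:
// if both directions use one keystream, c1 XOR c2 equals p1 XOR p2, so an
// observer who knows p1 (e.g. from the stylised PPP header) obtains p2.
func RecoverOtherDirection(c1, c2, knownP1 []byte) []byte {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	return xorBytes(xorBytes(c1[:n], c2[:n]), knownP1[:n])
}

// FlipBit is the bit-flipping attack from section 5.3 applied to a ciphertext:
// the receiver decrypts to the original plaintext with that one bit flipped,
// and nothing in MPPE detects the change.
func FlipBit(ciphertext []byte, byteIndex int, bit uint) []byte {
	out := append([]byte(nil), ciphertext...)
	out[byteIndex] ^= 1 << bit
	return out
}

func main() {
	key := mppe40Key([5]byte{0x11, 0x22, 0x33, 0x44, 0x55}) // constructed session bytes
	// Constructed PPP frames: protocol 0x0021 (IP, inside the encrypted range)
	// followed by a short payload. The 2-byte header is the known plaintext.
	clientFrame := append([]byte{0x00, 0x21}, "client to server: hello"...)
	serverFrame := append([]byte{0x00, 0x21}, "server to client: reply"...)
	c1 := Encrypt(key, clientFrame)
	c2 := Encrypt(key, serverFrame)
	fmt.Printf("recovered server frame: %q\n", RecoverOtherDirection(c1, c2, clientFrame))
	// Flip bit 1 of the protocol byte: the receiver sees 0x0023 instead of 0x0021.
	fmt.Printf("tampered client frame:  % x\n", Encrypt(key, FlipBit(c1, 1, 1)))
}
```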

5.4 Resynchronisation Attack

If a packet is lost in transit, or a packet arrives with an incorrect number in the MPPE header, key resynchronisation takes place. The party that received the bad packet sends a resynchronisation request to the sender. On receiving this request, the sender reinitialises its RC4 tables and sets the "flushed" bit in the MPPE header. When a system sees the flushed bit set in a packet, it reinitialises its RC4 tables and sets the packet counter to the received value.

This creates a problem when an attacker can either submit resynchronisation requests or inject MPPE packets with incorrect packet-counter values. If this is done continuously before the 256th packet is exchanged, the point at which the session key changes, the attacker succeeds: the session key will never be changed.


6. Other Attacks on MS-PPTP

Although the attacks on MS-CHAP and MPPE completely negate the usefulness and security of MS-PPTP, several other interesting attacks deserve mention.

6.1 Passive Monitoring

A tremendous amount of information can be obtained simply by watching the traffic of a PPTP session on the network. Such information is invaluable for traffic analysis and should be protected. Nevertheless, the server hands out to anyone interested data such as the maximum number of available channels. This information can be used to gauge the size of a PPTP server and to monitor its load. If an attacker regularly sends PPTP_START_SESSION_REQUEST packets, he can watch new connections being created and existing ones closed. In this way an attacker can collect information about the system and its usage patterns without having to be nearby.

Using standard tools for viewing and decoding public communication lines against Microsoft PPTP servers, the following information was obtained:

  • Client IP address
  • Server IP address
  • Number of PPTP virtual channels available on the server
  • Client RAS version
  • Client NetBIOS name
  • Client vendor identification
  • Server vendor identification
  • Client IP address inside the virtual tunnel
  • Internal DNS server serving the client
  • User name on the client
  • Enough information to obtain the users' password hashes
  • Enough information to obtain the initial MPPE value
  • Current encrypted packet value for the client before RC4 reinitialisation
  • Current encrypted packet value for the server before RC4 reinitialisation

In any case where the channel is encrypted and the user assumes some level of confidentiality, the information listed above should not be so easily accessible. For Microsoft PPTP there is no easy way to encrypt this information, because the leaks occur outside the channel covered by MPPE. In some cases these packets are the configuration and setup packets for MPPE encryption itself, and they must be sent before encryption begins. The only solution is to encrypt the control channel or to sharply reduce the amount of information carried on it.

6.2 Hijacking PPP Negotiation

PPP negotiation packets are sent before encryption begins and after it ends. Since key resynchronisation is carried out with PPP CCP packets, these channels cannot be encrypted in the same way. We add that these packets are not truly authenticated. The configuration stage is completely open to attack.

Substituting the configuration packet that specifies the DNS server redirects the entire name-resolution system to a bogus name server.

Similarly, substituting the packet carrying the internal tunnel IP address allows packet-filtering firewalls to be bypassed, since the client will connect to external machines from inside the protected internal network.

6.3 Control Channel and Server Denial of Service

This article does not devote much space to the PPTP control channel. Partly this is because it is unclear why the channel exists at all. Everything done through this additional channel could be done over the PPP channels or by using the unused fields of the GRE header.

Microsoft's implementation of the control channel was the other reason. We quickly found that it is easy to disable a Windows NT machine running the PPTP server; sometimes this produced a "blue screen". In fact it is hard to test the control channel at all without breaking the PPTP server. So hard, in fact, that most of the attacks attempted in order to study theoretical security problems of the control channel broke the server before the attacks could take effect. A small sample of the tests that disrupt Windows NT Server with Service Pack 3 installed follows:

  • Cycling through PPTP_CLEAR_CALL_REQUEST packets to walk the 16-bit call identifier space.
  • Trying all possible and impossible values that the Type field of the PPTP packet header can contain.
  • Sending invalid values in the PPTP control packet header.

All of the above packets can reach the PPTP server through the firewall without any authentication. This assumes that the firewall is not configured to allow PPTP to the PPTP server only from particular IP addresses or networks. But if users are able to reach the PPTP server from anywhere in the world, an attacker can send a request from anywhere in the world too.

6.4 Potential Information Leaks on the Client

The Windows 95 client does not perform the required clearing of buffers, and so information leaks into protocol messages. Although the PPTP documentation says that in the PPTP_START_SESSION_REQUEST packet the bytes after the computer name and the vendor name should be zeroed (0x00), Windows 95 does not do this.

    080: 0000 6c6f 6361 6c00 0000 3e1e 02c1 0000. local...>.....
    096: 0000 85c4 03c1 acd9 3fc1 121e 02c1 2e00........?.......
    112: 0000 2e00 0000 9c1b 02c1 0000 0000 0000................
    128: 0000 88ed 3ac1 2026 02c1 1049 05c1 0b00....:. &...I....
    144: 0000 3978 00c0 280e 3dc1 9c1b 02c1 041e. 9x. (. =.......
    160: 02c1 0e00 0000 121e 02c1 2e00 0000 2e00................
    176: 0000 3dad 06c1 74ed 3ac1 1c53 05c1 9c1b. =... t.:. S....
    192: 02c1 041e 02c1 0e00 0000 121e 02c1 2e00................
    208: 0000.

The bytes following the computer name and the vendor string are shown above. Bytes 82-86 contain the computer name, which for a Windows 95 client is always "local". Byte 113 is where the vendor string should be. Examining the same packet from Windows NT shows that all the "garbage" bytes are zeroed (0x00).

There is an obvious possibility of information leakage, depending on how and where the data structures are used and placed and on what is happening on the client system. Further analysis of the Windows 95 code is needed to assess this leak.


7. Conclusions

Microsoft's PPTP implementation is vulnerable at the level of implementation and has serious flaws at the level of protocol. The authentication protocol has known vulnerabilities, pointed out not only here but also by groups such as L0pht. Encryption is done incorrectly: the implementation uses an output-feedback stream cipher, where a block cipher in cipher-block-chaining (CBC) mode would be more appropriate. Tying weak authentication to poor encryption, Microsoft sets the encryption key as a function of the user's password instead of using a strong key-exchange algorithm such as Diffie-Hellman or EKE. Finally, the control channel is neither authenticated nor strongly protected.

We did not spend much time studying the mechanisms for maintaining the clients' local IP addresses, or how Microsoft tried to, and whether it could, take into account the vulnerability of a client presenting two addresses. Nevertheless, we found problems with non-standard subnet masks and with internal tunnel traffic sent from the PPTP server. Developers, beware!

Finally, we stress that this cryptanalysis does not call into question the PPTP protocol itself, only Microsoft's implementation of it. Although Microsoft uses its own extensions (MS-CHAP, MPPE, MPPC) in the PPP portions of PPTP, standard PPTP does not require them. Vendors may include Microsoft's extensions in their products for compatibility, but they are not obliged to restrict themselves to them and may well implement more secure solutions. Of course, for new extensions to work correctly, both client and server must support them.


1. In the course of our experiments we found that some Windows 95 clients support Microsoft authentication and some do not. We could not determine the difference or find a way to tell whether a given Windows 95 system supports Microsoft authentication. If the protocol is not supported, the option in the dialog box is unavailable. This restriction agrees with Microsoft's statement that Windows 95 does not provide security, and that users who need it should move to NT. Nevertheless, Microsoft has stated that Windows 95 does not process the Windows NT hash and uses the Lan Manager hash. However, Windows 95 clients send both hashes. From our analysis of the Windows 95 code it is not clear why encryption cannot be implemented in Windows 95 clients.

2. Microsoft's documentation says that Windows NT passwords can be up to 128 characters long and that the Windows NT hash accepts passwords of that length. However, User Manager limits password length to 14 characters. The MS-CHAP documentation also mentions this restriction, which was confirmed during our experiments.

3. A well-known hacker tool, L0phtcrack, automates recovery of a password from its hash value. On a Pentium Pro 200, L0phtcrack 2.0 can check a file of 200 passwords in a minute using an 8-megabyte password dictionary.

4. We did not investigate the pseudo-random number generator or its cryptographic strength.



8. Acknowledgments

We would like to thank Mark Chen, Chris Hall, Brad Kemp, Paul Jones, Ben McCann, Mark Seiden, Inderpreet Singh, David Wagner and Wray West for their valuable remarks.

References



[Ave98] Aventail Corp., 1998. http://www.aventail.com.

[BV98] L. Blunk and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)," Network Working Group, RFC 2284, Mar 1998. ftp://ftp.isi.edu/in-notes/rfc2284.txt.

[CK78] T.M. Cover and R.C. King, "A Convergent Gambling Estimate of Entropy," IEEE Transactions on Information Theory, v. IT-24, n. 4, Jul 1978, pp. 413-421.

[Fre98] FreeGate Corp., 1998. http://www.freegate.com.

[HLFT94] S. Hanks, T. Li, D. Farinacci, and P. Traina, "Generic Routing Encapsulation (GRE)," Network Working Group, RFC 1701, Oct 1994. ftp://ftp.isi.edu/in-notes/rfc1701.txt.

[Hob97] Hobbit, "CIFS: Common Insecurities Fail Scrutiny," Avian Research, Jan 1997.

[HPV+97] K. Hamzeh, G.S. Pall, W. Verthein, J. Taarud, and W.A. Little, "Point-to-Point Tunneling Protocol," Internet Draft, IETF, Jul 1997.

[KSWH98] J. Kelsey, B. Schneier, D. Wagner, and C. Hall, "Cryptanalytic Attacks on Pseudorandom Number Generators," Fast Software Encryption: 5th International Workshop, Springer-Verlag, 1998, pp. 168-188.

[Kle90] D.V. Klein, "Foiling the Cracker: A Security of, and Implications to, Password Security," Proceedings of the USENIX UNIX Security Workshop, Aug 1990, pp. 5-14.

[Kli98] S. Klinger, "Microsoft PPTP and RRAS for Windows NT Server 4.0," LAN Times, Feb ??, 1998.

[L97a] L0pht Heavy Industries Inc, L0phtcrack, 1997.

[L97b] L0pht Heavy Industries Inc, "A L0phtCrack Technical Rant," Jul 1997. http://www.l0pht.com/l0phtcrack/rant.php.

[LS92] B. Lloyd and W. Simpson, "PPP Authentication Protocols," Network Working Group, RFC 1334, Oct 1992. ftp://ftp.isi.edu/in-notes/rfc1334.txt.

[Mey96] G. Meyer, "The PPP Encryption Control Protocol (ECP)," Network Working Group, RFC 1968, Jun 1996. ftp://ftp.isi.edu/in-notes/rfc1968.txt.

[Mic96a] Microsoft Corporation, Advanced Windows NT Concepts, New Riders Publishing, 1996. Relevant chapter at http://www.microsoft.com/communications/nrpptp.html.

[Mic96b] Microsoft Corporation, "Point-to-Point Tunneling Protocol (PPTP) Frequently Asked Questions," Jul 1996.

[Mic97] Microsoft Corporation, "Response to Security Issues Raised by the L0phtcrack Tool," Apr 1997.

[Mic98] Microsoft Corporation, "Clarification on the L0phtcrack 2.0 Tool," Mar 1998.

[MB97] P. Mudge and Y. Benjamin, "Deja Vu All Over Again," Byte, Nov 1997. http://www.byte.com/art/9711/sec6/art3.html.

[NBS77] National Bureau of Standards, NBS FIPS PUB 46, "Data Encryption Standard," National Bureau of Standards, U.S. Department of Commerce, Jan 1977.

[NIST93] National Institute of Standards and Technology, "Secure Hash Standard," U.S. Department of Commerce, May 1993.

[Pal96a] G.S. Pall, "Microsoft Point-to-Point Compression (MPPC) Protocol," Network Working Group Internet Draft, Jul 1996.

[Pal96b] G.S. Pall, "Microsoft Point-to-Point Encryption (MPPE) Protocol," Network Working Group Internet Draft, Jul 1996.

[PZ98] G.S. Pall and G. Zorn, "Microsoft Point-to-Point Encryption (MPPE) Protocol," Network Working Group, Internet Draft, IETF, Mar 1998.

[Ran96] D. Rand, "The PPP Compression Control Protocol (CCP)," Network Working Group, RFC 1962, Jun 1996. ftp://ftp.isi.edu/in-notes/rfc1962.txt.

[RP94] J. Reynolds and J. Postel, "Assigned Numbers," Network Working Group, STD 2, RFC 1700, Oct 1994. ftp://ftp.isi.edu/in-notes/rfc1700.txt.

[Riv91] R.L. Rivest, "The MD4 Message Digest Algorithm," Advances in Cryptology: CRYPTO '90 Proceedings, Springer-Verlag, 1991, pp. 303-311.

[Sch96] B. Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996.

[Sim94] W. Simpson, "The Point-to-Point Protocol (PPP)," Network Working Group, STD 51, RFC 1661, Jul 1994. ftp://ftp.isi.edu/in-notes/rfc1661.txt.

[Sim96] W. Simpson, "PPP Challenge Handshake Authentication Protocol (CHAP)," Network Working Group, RFC 1334, Aug 1996. ftp://ftp.isi.edu/in-notes/rfc1994.txt.

[ZC98] G. Zorn and S. Cobb, "Microsoft PPP CHAP Extensions," Network Working Group Internet Draft, Mar 1998.


