Microsoft Challenge Handshake Authentication Protocol

CS265 Spring 2005
ChungShun Wei
Private Network

 Restricted from outside access
 Highly secure if no bad guy has access to the physical LAN
 But you are also blocked if you are not on the local network
 Even the Internet will not help

[Figure: a private LAN with a File Server and an Email Server; the Internet; "Your notebook" outside the LAN]
Virtual Private Network (VPN)

 Through a VPN server
 A remote user can connect to the intranet through the public internet
VPN Authentication

 Password Authentication Protocol (PAP)
    –   Username & password in clear text
    –   Use it only when the VPN server supports only PAP
 Challenge Handshake Authentication Protocol (CHAP)
    –   Encrypts the password
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

 Based on CHAP
 MS-CHAP version 1 and version 2
 MS-CHAP v2 is an improvement over MS-CHAP v1
Request Login Challenge

[Figure: Client -> VPN Server: request login challenge; VPN Server -> Client: 16-byte random challenge]
Generate 8-byte Challenge

[Figure: the Client derives the 8-byte Challenge]
   Random challenge (16 bytes), generated by Server
   Peer Authenticator Challenge (16 bytes), generated by Client
   Client's username
   -> concatenate -> Hash (SHA-1) -> Challenge (the first 8 bytes)
Generate 24-byte MS-CHAP Reply

[Figure: the Client derives the 24-byte reply]
   password -> input -> NT hash -> Output (16 bytes)
   16 bytes is padded to 21 bytes with 0
   21-byte output split into 3 7-byte DES keys:
      DES key 1 (7 bytes), DES key 2 (7 bytes), DES key 3 (7 bytes: xx00000, only 2 bytes come from the hash, the other 5 are the 0 padding)
   each key encrypts the challenge (8 bytes)
   -> concatenate -> MS-CHAP reply (24 bytes)
Retrieve Password From DB

[Figure: Client -> VPN Server: 24-byte reply & Peer Authenticator Challenge & client's username; the VPN Server looks up the client username in the Password Database and retrieves the Password]
Authenticate

[Figure: the VPN Server recomputes the challenge and checks the reply]
   Random challenge (16 bytes, generated by Server) + Peer Authenticator Challenge (16 bytes, generated by Client) + Client's username
   -> concatenate -> Hash (SHA-1) -> Challenge (the first 8 bytes)
   password (from the database) -> input -> NT hash -> Output (16 bytes)
   16 bytes is padded to 21 bytes with 0
   21-byte output split into 3 7-byte DES keys: DES key 1 (7 bytes), DES key 2 (7 bytes), DES key 3 (7 bytes: xx00000)
   DES key 1 decrypts MS-CHAP reply (1st-8th bytes), DES key 2 decrypts MS-CHAP reply (9th-16th bytes), DES key 3 decrypts MS-CHAP reply (17th-24th bytes)
   each decryption yields a challenge (8 bytes); Match against the recomputed Challenge
Authenticator Response

[Figure: VPN Server -> Client: 20-byte Authenticator Response]

   - The VPN Server will use the 16-byte Peer Authenticator Challenge and the Client's hashed password to create the 20-byte Authenticator Response
   - The Client computes its own Authenticator Response to compare with the Server's. If they match, the server is authenticated
Find Out 8-byte Challenge

 Although the 8-byte challenge was not sent through in clear text
 An attacker can easily compute the 8-byte challenge by listening to the 16-byte random challenge from the server, the Peer Authenticator Challenge, and the client's username

[Figure: the same derivation as in "Generate 8-byte Challenge": Random challenge (16 bytes, generated by Server) + Peer Authenticator Challenge (16 bytes, generated by Client) + Client's username -> concatenate -> Hash (SHA-1) -> Challenge (the first 8 bytes)]
Analysis of the MS-CHAP Reply

[Figure: worked example beside the "Generate 24-byte MS-CHAP Reply" diagram (password -> input -> NT hash -> Output (16 bytes); 16 bytes is padded to 21 bytes with 0; 21-byte output split into 3 7-byte DES keys, DES key 3 being xx00000; each key encrypts the challenge (8 bytes); concatenate -> MS-CHAP reply (24 bytes))]

   sanjose
      NT hash
   askjKeL35h2k49kj (16 byte)
      Pad with 0 to 21 byte
   askjKeL35h2k49kj00000 (21 byte)
   askjKeL       35h2k49       kj00000
      Encrypt challenge
   Iwe652nW      n8mxhUw0      xjO82nzx
   Iwe652nWn8mxhUw0xjO82nzx
Attack on MS-CHAP Reply

[Figure: the attacker's view of the reply, shown beside the worked example from the previous slide]
   Iwe652nWn8mxhUw0xjO82nzx
   Iwe652nW      n8mxhUw0      xjO82nzx
   xxxxxxx       xxxxxxx       xx00000       (the three unknown DES keys that encrypted the challenge)
   2^56 tries    2^56 tries    2^16 tries

 Attackers do not need 2^192 effort
 But 2^56 + 2^56 + 2^16 ≈ 2^57
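The reply construction and the third-key search from the two slides above, as an added example in Go (not the slides' own code): the 7-to-8-byte DES key expansion follows RFC 2759, the NT-hash (MD4) step is left out, so callers pass a 16-byte hash such as the slides' illustrative askjKeL35h2k49kj, and the challenge bytes are constructed. The functions are meant to be driven from a test or a main.

```go
package main

import (
	"bytes"
	"crypto/des"
)

// desKey spreads a 7-byte MS-CHAP key over 8 bytes, one 7-bit group per
// byte with the low (parity) bit clear; DES ignores that bit anyway.
func desKey(k7 []byte) []byte {
	k := append(append([]byte{}, k7...), 0) // spare byte for the last window
	k8 := make([]byte, 8)
	for i := 0; i < 8; i++ {
		w := uint(k[i*7/8])<<8 | uint(k[i*7/8+1]) // 16-bit window at key bit i*7
		k8[i] = byte(w>>uint(8-i*7%8)) & 0xfe
	}
	return k8
}

// desEncrypt encrypts one 8-byte block under a 7-byte key.
func desEncrypt(k7, block []byte) []byte {
	c, _ := des.NewCipher(desKey(k7)) // 8-byte key: NewCipher cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ChallengeResponse is the slides' "Generate 24-byte MS-CHAP Reply": pad the
// 16-byte NT hash to 21 bytes with zeros, split into three 7-byte DES keys,
// encrypt the 8-byte challenge under each key and concatenate the results.
func ChallengeResponse(ntHash, challenge []byte) []byte {
	padded := append(append([]byte{}, ntHash...), make([]byte, 5)...)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt(padded[i:i+7], challenge)...)
	}
	return resp
}

// RecoverHashTail is the third column of the slides' attack: five of the
// third key's seven bytes are the zero padding, so at most 2^16 candidates
// reproduce the last 8 reply bytes. Returns the two hash bytes and the tries.
func RecoverHashTail(challenge, resp []byte) (tail []byte, tries int) {
	key := make([]byte, 7) // bytes 2..6 stay zero, exactly as in the padding
	for g := 0; g < 1<<16; g++ {
		key[0], key[1] = byte(g>>8), byte(g)
		if bytes.Equal(desEncrypt(key, challenge), resp[16:24]) {
			return []byte{key[0], key[1]}, g + 1
		}
	}
	return nil, 1 << 16
}
```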