The Archaic Protocol at the Heart of Secure Wireless
At SecureW2, we develop a lot of technology for wireless security, more specifically 802.1X. If you’re not familiar 802.1X, it’s the basis of WPA2-Enterprise networks that corporations, colleges, and other large organizations use. And inside the vast majority of these networks is a little protocol called MSCHAPv2. MSCHAP has been around since before the iPhone, since before high-speed internet and Y2K. In a few months, MSCHAP will turn 17 years old, and it continues to see use today, despite being hacked, exploited, depreciated, and broken. It’s a fascinating story (for nerds like us) about the resilience of certain protocols able to live well past their point of usefulness.
MSCHAP began life in 1995, created by Microsoft as an improved version of MSCHAP, which in turn was their take on a proprietary version of CHAP: Challenge Handshake Authentication Protocol. It was easy to use, quick to implement, and safer than many of the alternatives. It was also 100% Microsoft integrated, which in the heady days of exploding corporate IT was definitely a plus. Anytime someone needed to prove their identity to a network, MSCHAP was there.
MSCHAP was crucial to the development of many enterprise authentication systems. This was also the time when dial-up was first taking off, and the handshake protocol was often the go-to way to hash and transmit passwords. Its most wide use ended up as being the authentication method for PPTP-based (Point to Point Tunneling Protocol) VPNs. Around this time, the earliest forms of secure wireless was being deployed, so authentication to networks was also something that needed taken care of.
How MSCHAP Works
At its simplest, MSCHAP is a “handshake” protocol. I want my computer to talk to a server, but the server needs to know how to talk to my computer before it will open a line of communication. An example of this is the squealing you used to hear from dial-up modems. That’s actually the sound of your modem “speaking the phone’s language” and telling it to set up a connection (there’s a very fascinating breakdown of that handshake here).
CHAP was a specific kind of handshake for authenticating users. The server asks me who I am (challenge), and my computer gives back my name and password (response). It improved upon previous systems by not actually requiring either of us to send the plain password over the air.
When building CHAP into their systems, Microsoft added some improvements. They gave the server more abilities to manage the connections. They made it so you could use hashed passwords instead of plaintext. And by version 2 (or MSCHAPv2), it even included mutual authentication so that both parties had to prove their identities when connecting.
How MSCHAPv2 Got Everywhere
Almost from the beginning, people were aware of the vulnerabilities of the protocol. In 1999, Bruce Schneider and Mudge, a pair of well-known security researchers, praised the improvements made over previous authentication protocols, but documented that it still remained highly vulnerable to dictionary attacks. That is to say, they would only prove as strong as the user’s password.
For the most part these warnings were headed by stiffening password policies. MSCHAPv2 continued to propagate as and industry backbone. By the time more sophisticated authorization mechanisms began coming to market, the protocol had developed enough critical mass to remain in place.
Years later when the WPA2-Enterprise protocol was being developed, Microsoft and several other major players came together to develop a proprietary authentication system for wireless (known as an EAP type). It consisted of a secure tunnel which encrypted all traffic between the device and the server. Inside of that tunnel were sent the user’s credentials in the form of MSCHAPv2. Today there are several different EAP types available, but PEAPv0/EAP-MSCHAPv2 (to save oxygen, people usually refer to it as just ‘PEAP’) quickly became the industry standard thanks to the speed it was developed and easy integration with existing systems.
PEAP has become so prevalent that if you use any type of secure wireless, odds are your password is being sent over the air in an MSCHAPv2 packet several times an hour. Like many tunneled protocols, PEAP is vulnerable to Man-in-the-Middle attacks. I pretend to be the network, your phone or laptop tries to connect with me, and I get your password. Preventing this requires the device (and its user) to check me for certificates and validate them. One of the advantages of PEAP was that even if your users failed to check the certificates, the attacker would collect encrypted handshakes, not the password itself (again, trusting the strength of the password).
Moxie Marlinspike Finally Kills MSCHAPv2
As the years wore on, MSCHAPv2 showed its age more and more. It became fairly common for hackers to “sniff” weak VPN keys out of handshakes. Rainbow tables also were also developed, making password hashes easier to duplicate. Security experts had long demanded the protocol be depreciated. As a precaution, some VPNs no longer allowed users to set their own password, relying on computer generated random bits instead. But the protocol was never truly broken until famed security expert and dreadlock proponent Moxie Marlinspike took to the stage at Defcon in 2012.
On stage, Moxie demonstrated that at the heart of the encryption in MSCHAPv2 is a complex looking, but in reality redundant, set of algorithms. When you remove all of the redundancies, the whole handshake was really only as strong as a single DES encryption. Then David Hulton demonstrated a special DES cracking machine with the capability to crack any MSCHAPv2 handshake in less than a day.
To demonstrate that virtually anyone can crack the protocol, the duo integrated the DES cracking machine with CloudCracker, an online password cracking service. They then announced that for just a few dollars, you can effectively decrypt the entire network capture and use it to log in to the user’s VPN service or WPA2-Enterprise RADIUS server. To get their point across, they then ran a list of names of every VPN that still relied on MSCHAPv2 to authenticate.
You can watch their DEF CON presentation on YouTube.
MSCHAPv2 Lives On
The message became very clear. Almost overnight, the security-conscience VPNs began updating their protocols. Microsoft themselves acknowledged the weakness, and began recommending that VPN’s secure the handshakes inside additional tunnels. But they said nothing about PEAP, arguing that inside a tunnel the MSCHAPv2 packet remained safe.
That did not stop people from continuing to look for ways to exploit WPA2-Enterprise. If MSCHAPv2 is already broken, then the only problems that remain is in finding ways to collect the handshakes. As previously stated, tunneled connections like PEAP are only secure if the certificates are in order. But we’ve found that the vast majority of users will accept any certificate presented to. Or worse, their device is set to automatically accept all certificates presented to them. In either case, it’s a simple matter of just setting up a duplicate network.
Many security experts have since taken to the stage and demonstrated different kinds of honeypot traps or Man-In-The-Middle attacks to do so. The only real limitation compared to other forms network espionage is proximity: you actually have to deploy a fake network on or near the real network. But even that has been stretched thin as hackers deploy more clever ways to capture passwords. Deploy a fake network in the parking lot of the target location. Deploy at the favorite coffee shop used by the target. Attach a wireless beacon to a drone and fly across the target location. Some advanced techniques even involve setting up multiple target SSIDs to rotate on a single network beacon and driving around town. Any smartphone with one of the SSIDs is likely to connect automatically.
Hackers in these scenarios aren’t really looking for free wireless. More often than not, the same username and password that connects users to secure networks is the same that connects them to email, VPN, company resources, etc. My alma mater was set up the same way, my password could have gotten an attacker my SSN, credit card information, addresses, even my mother’s maiden name and previous addresses. And these styles of attacks are almost impossible to detect, unless they happen right in the range of the network infrastructure.
How Long Does MSCHAP Survive?
You really do have to respect the longevity of some protocols. MSCHAP is 17 years old, created for a time of dial-up connections and desktop PCs. But MSCHAP is an enterprise solution, and enterprise systems are especially slow to change. It’s hard to justify the extensive cost if they need to be upgraded regularly. PEAP is also still the most popular WPA2-Enteprise configuration, with the broadest device support.
But that may be changing soon. At SecureW2, we’re seeing a trend towards technologies that may finally see the sun set on MSCHAP:
- EAP-TLS: This is actually a very old protocol for authenticating to wireless networks, but was always difficult to implement. You no longer need a password to connect to the network (so it’s much safer), but it is replaced by a one-of-a-kind certificate you need to put on every single device you want connected. This involved some extra infrastructure on the back end, as well as some IT manpower. One of the things we at SecureW2 have done is create a hybrid cloud system which simplifies the process dramatically, to the point where it is easier to manage than PEAP with many added benefits beside. We’re really seeing this technology make huge gains across the industry, especially for BYOD networks.
- Passpoint: AKA Hotspot 2.0, this is a protocol still in development that is aimed at replacing the spotty network of Wi-Fi hotspots. Instead of connecting to a single unsecured access point, you would authenticate to a service provider and set up a secure connection to an entire network of access points. Signing up for the access points, handling certificates, establishing identity is all done through software built into a device. This represents the first real change wireless has made since before cell phones were even a thing, and has potential to change things everywhere, including enterprise networks.
Over the next 5–10 years (What can I say? Protocol change is slow) we expect to see the majority of secure networks using some combination of the two above. The huge growth in BYOD is certainly acting as catalyst; the demands on wireless have never been higher, but the current lineup of devices has never been harder to accommodate. But even in that 5–10 year horizon, we still expect MSCHAP to be out there, somewhere, doing its MSCHAP thing.
Originally published at www.securew2.com on July 17, 2015.
