Breaking PPTP VPNs via RADIUS Encryption

  • Matthias Horst
  • Martin Grothe
  • Tibor Jager
  • Jörg Schwenk
Conference paper

DOI: 10.1007/978-3-319-48965-0_10

Volume 10052 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Horst M., Grothe M., Jager T., Schwenk J. (2016) Breaking PPTP VPNs via RADIUS Encryption. In: Foresti S., Persiano G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham

Abstract

We describe an efficient cross-protocol attack, which enables an attacker to learn the VPN session key shared between a victim client and a VPN endpoint. The attack recovers the key which is used to encrypt and authenticate VPN traffic. It leverages a weakness of the RADIUS protocol executed between a VPN endpoint and a RADIUS server, and allows an “insider” attacker to read the VPN traffic of other users or to escalate its own privileges with significantly smaller effort than previously known attacks on MS-CHAPv2.

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Matthias Horst (1)
  • Martin Grothe (1)
  • Tibor Jager (1)
  • Jörg Schwenk (1)

  1. Horst Görtz Institute, Ruhr-University Bochum, Bochum, Germany