
I'm hoping that people with crypto-clue can comment on the recently introduced ChapCrack tool with respect to 802.1x WPA2-Enterprise wifi using PEAP/MS-CHAPv2. So far all I've found is "magazine level" references, e.g.:

http://news.cnet.com/8301-1009_3-57481855-83/tools-boast-easy-cracking-o...

The vulnerabilities seem to be with MS-CHAPv2 on Microsoft's PPTP VPNs, but the articles also mention WPA2-Enterprise wireless. Do these tools work against PEAP/MS-CHAPv2 as well as against PPTP implementations? (That is, I don't really know how PEAP is similar/dissimilar to PPTP.)

As it happens, until very recently we were using TTLS/PAP for our 802.1x authentication, but it is a pain for users to initially connect: On Windows, they have to install the SecureW2 supplicant, and Mac/iPhone/iEtc devices need to install a custom wireless config file (or, on older Macs, specify the 802.1x configuration manually).

We've just added support for PEAP/MS-CHAP, which is much easier for users in that it pretty much "just works": you enter your username and password, and accept our RADIUS server's certificate, and you are on.

It would be a drag if we just swapped to a much more vulnerable protocol. Thanks for any clarifications you can offer.

Steve Bohrer
Network Admin
Bard College at Simon's Rock
413-528-7645

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Hi Steve,

In the answers on mentioned article the comment by Yuhong "This only affects WPA-Enterprise with PEAP-MSCHAPv2, and can be stopped by verifying the certificate" is imho correct. But I will keep a close watch on the several Wi-Fi blogs to make sure.

See also chapter 4 page 132 of the CWSP official study guide (highly recommended).

BR, Kees Pronk

Network admin & engineer
Avans Hogeschool
Diensteenheid ICT en Facilitaire Dienst (DIF) - ICT-Beheer
Visiting address: Hogeschoollaan 1, Kamer HG204, 4818 CR Breda
Postal address: Postbus 90116, 4800 RA Breda
E: cl.pronk@avans.nl
T: 076-5238054

Message from cwieri39@calvin.edu

It is possible to do WPA2-Enterprise with only EAP-MSCHAPv2 authentication, and this is what would be considered completely vulnerable now. Don't do this anymore if you are doing it.

AFAIK, if you are using WPA2-Enterprise with PEAP/EAP-MSCHAPv2 you should still be fine. While you could break the EAP-MSCHAPv2 authentication, you can only do it if you can decrypt the PEAP tunnel. The PEAP tunnel is a TLS tunnel; so it is important to make sure wireless clients specify which certificate authorities they trust for the PEAP tunnel and verify the presented server's certificate. At that point you can be reasonably sure that your traffic is not being intercepted and decrypted with a fake certificate and that your EAP-MSCHAPv2 conversation has not been intercepted.

Chris Wieringa

>>> On 7/30/2012 at 5:19 PM, Kees Pronk wrote:
> Hi Steve,
>
> In the answers on mentioned article the comment by Yuhong "This only affects
> WPA-Enterprise with PEAP-MSCHAPv2, and can be stopped by verifying the
> certificate"
> is imho correct. But I will keep a close watch on the several Wi-Fi blogs to
> make sure.
> See also chapter 4 page 132 of the CWSP official study guide (highly
> recommended).
>
> BR, Kees Pronk

--
Chris Wieringa
cwieri39@calvin.edu
Sr. Systems Engineer
Calvin Information Technology

Here is a good article from Andrews Wifi-Blog addressing this topic:

http://revolutionwifi.blogspot.de/2012/07/is-wpa2-security-broken-due-to...

Conclusion: PEAP security now only relies on the certificates used for the TLS tunnel. It's important to enable certificate verification on client-side.

Greetings
Hartmut Sachse
Systems Engineer
pdv-systeme Sachsen GmbH
Zur Wetterwarte 4, 01109 Dresden
Phone +49 351 28888-0
Fax +49 351 28888-333
E-mail: Sachse@pdv-sachsen.net
http://www.pdv-sachsen.net
Commercial register: Amtsgericht Dresden, HRB 1632
Managing directors: Gerald Gruhl, Lutz Dähne

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Steve Bohrer
Sent: Monday, 30 July 2012 22:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] MS-CHAPv2 cracks for WPA2-Enterprise?

Unfortunately... you can enable cert verification, but not enforce on the client side unless you strictly manage the client.
In addition, if you are using WPA2-Enterprise, you need to decrypt the AES encrypted stream before you get to PEAP (You should not be using TKIP). Just because MS-CHAPv2 VPNs are broken does not mean that WPA2-Enterprise is broken.

Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

Earlier, I posted that you need to decrypt the AES encrypted stream before you get to PEAP. I forgot that the PEAP authentication happens before the WPA2 4-way handshake. Here is an explanation from another user.

If the attacker can get inside the PEAP exchange, regardless of your choice of TKIP or AES-CCMP, then they can also get the PMK, which allows them to get the PTK and all future key rotation operations for the duration of the PMK (which can change depending on your AP hardware, roaming configuration, 802.11r support, etc.).

At Liberty, we have certificates on our RADIUS servers that are issued by a trusted CA. Our client machines and 802.1X configuration tool set up the clients to only trust certificates from that specific root CA and to only use specific named RADIUS servers. We also load-balance our RADIUS servers, with different certificates on each. To compromise this, an attacker would need to get or spoof a certificate for a specific RADIUS server from a specific CA. Even then, they would only affect a portion of our users unless they spoof all our RADIUS servers.

Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

Microsoft just released a security advisory about MSCHAPv2, and listed PEAP/MSCHAPv2 as a solution to the problem for people who only use MSCHAPv2 for PPTP VPN tunnels. So, I feel more comfortable that the standard secure wireless PEAP/MSCHAPv2 is still safe. That's a good thing, because it's the only protocol native to Windows wireless that only requires a digital cert for the server end.

http://technet.microsoft.com/en-us/security/advisory/2743314

thanks
john