[svlug] PPTP?

George Bonser george at shorelink.com
Sun Jul 22 12:23:01 PDT 2001


I am not claiming that PPTP is any good, I am just saying that sometimes
you are forced to operate with it and no amount of complaining is going to
make management change their stance. A decision has been reached where
they think the security provided by PPTP as offered with the Microsoft VPN
adapter is "good enough" in that it does not require them to add any
software or train anyone.

As for the 128-bit brute force ... if it is a government that is doing the
brute forcing, probably, yes.  Also, don't fall into the "distributed
net" model of thinking where you have standard computers running a program
to "crack" a cipher. It is much more efficient to build hardware dedicated
for that job. You can do things much faster in hardware.

The EFF (not exactly the deepest pocketed cracker) built a piece of
hardware that won RSA's DES Challenge II in less than 3 days as opposed to
39 days by a network of tens of thousands of systems. I realize there is a
LOT of difference between a 56 and a 128 bit key. The point being here
that if someone is determined to get the data, they can build a piece of
hardware to do it much more efficiently than having a standard computer do
it.

The other point is that even 40 bit security is enough to keep a single PC
busy for a few years. The simple fact of the matter is that ANY encryption
probably safeguards against idle perusal of your data by a single
individual. It will not protect you against a concerted attack by a
wealthy adversary that is going to devote considerable resources to the
problem. No common data communications cipher is probably safe against a
government or pool of governments with first rate communications intercept
capabilities. 

On my long-haul VPN links I use a 128-bit key with blowfish. The key
changes every 15 minutes. If you record the data and crack the key, you
get to see 15 minutes worth before you have to start over again to get
another 15 minutes worth. We DON'T use PPTP for those. These are the links
that interconnect the offices.

For people simply working at home who need to get their email on the
private network, PPTP is just fine.  It allows them access to the private
RFC1918 network space that is not otherwise reachable over the internet.

I think the answer to the original question is:

Currently there are no other VPN alternatives that are as easy to set up
for the Windows units as PPTP is. And most Linux PPTP stuff is rather
poorly documented or does not seem to interoperate well.  That points out
an area where someone could make a difference if they wanted to. If you
make a really robust client/server that works perfectly with Windows
clients/servers, even though it is a crappy protocol, you can get Linux
into more places than it is today. No sense arguing about the protocol,
PPTP is inferior but people are not particularly interested in the perfect
protocol, they want to get their work done without having to learn what a
packet is.


On Sun, 22 Jul 2001, Dan Martinez wrote:

> Uh... what? You're claiming that a properly-designed cipher with
> 128-bit key length can be brute-forced in a reasonable amount of time?
> 
> Dan






