We analyze the consequences of hacking MS-CHAPv2 for Wi-Fi (WPA / WPA2-Enterprise)

At the last DEFCON, hacking of the authentication protocol MS-CHAPv2 was demonstrated (long time ago). As a result, many media outlets burst out with information that “thousands of VPNs and WPA2 devices are in danger.” Let's consider how this statement is true for a Wi-Fi network that implements WPA2.
Scandals? Intrigue? Investigations?


In order not to produce essence without the need, I’ve squeezed out there with the basic facts and conclusions, as well as links to the primary sources for those who are interested in the details.

Scandals

Initial information: blog of authors of the attack . It is claimed that MS-CHAPv2 is hacked with a 100% success rate. Details are given that show that you need to intercept the exchange using the MS-CHAPv2 protocol, after which, using encryption vulnerabilities, you can calculate the user's details. It is claimed that MS-CHAPv2 is used in VPN and WPA2-Enterprise systems. At the same time, both VPN and WPA2 are mentioned in the context of AAA servers, which is very logical, because it is there that plaintext MS-CHAP is caught. So yes, MS-CHAPv2 is hacked. If you intercept the MS-CHAPv2 exchange between the client and the AAA server, you can calculate the user details.

Intrigue

After that, articles like this one started to appear , where WPA2 is already in use outside the context of AAA servers. At the same time, quite serious statements are made: “Users who want to crack the key protecting a target's VPN- or WPA2-protected traffic need only capture a single login attempt” (for hacking VPN / WPA2 it is enough to intercept one login attempt) and up to “people should immediately stop using VPN and WPA2 products that rely on MS-CHAP " (people should stop using VPN / WPA2 with MS-CHAP immediately).

Investigations

Well, for starters, remember that WPA2 exists in two forms: WPA2-Personal (PSK) and WPA2-Enterprise (802.1x / EAP). MS-CHAPv2 is used only in Enterprise, so PSK users can sleep peacefully.
In Enterprise, MS-CHAPv2 is just one of the possible EAP methods (there are still quite popular GTC, TTLS, etc.). The popularity of MS-CHAPv2 is due to the fact that it is the easiest method for integration with Microsoft products (IAS, AD, etc.).

However, at least someone saw the implementation of WPA2-Enterprise with clean EAP / MS-CHAPv2? I don’t remember ... Anyone who knows can say that there should be another tunnel (PEAP or TLS). So, if there is a tunnel, interception of the MS-CHAPv2 session is no longer possible, because First, you need to crack the tunnel encryption, so the sensation is canceled.

However, it’s too early to relax. A tunnel is built between the client and the access point. If you impersonate the access point, you can easily get both the client and its “clean” MS-CHAPv2 session with all the consequences. Hence the conclusion from the category “have told the world so many times”: put certificates on access points and enable certificate verification on clients .

Thus, for a well-built wireless network with WPA2-Enterprise based on PEAP / MS-CHAPv2 new attack is not scary. Is it possible to wedge into the channel between the authenticator (AP, controller) and the AAA server, but this does not apply to WPA.

Details, illustrations and recommendations for tuning can be found at two reputable industry experts: Andrew VonNagy and Devin Akin .

More examples of marketing and journalism (see tags):