yikes

directly from the ISC

Moxie Marlinspike and David Hulton gave a talk at Defcon 20 on a presentation on cracking MS-CHAPv2 with 100% success rate. This protocol is still very much in use with PPTP VPNs, and WPA2 Enterprise environments for authentication.

Moxie's recommendations [1]:

1- All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.
2- Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

Knowing that MS-CHAPv2 can now be cracked, what alternatives are you considering to secure your now insecure communications? The two alternatives suggested by Moxie are "[...] OpenVPN configuration, or IPSEC in certificate rather than PSK mode."

[1] https://www.cloudcracker.com/blog/2012/ ... s-chap-v2/
[2] https://github.com/moxie0/chapcrack

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

Thanks for the info. Smart thinking there.

_________________
http://reggle.wordpress.com

Would this effect WPA if you are using EAP-PEAP? Wouldn't the the MS-CHAPv2 negotiation be encrypted by TLS which shouldn't be a problem as long as server certificate validation is configured properly?

Correct. The crack does not affect MS-CHAPv2 that is encrypted with TLS in a EAP\PEAP session.