Attack against Microsoft scheme puts hundreds of crypto apps at risk.
Cloud-based service requires an average of 12 hours to decrypt VPN traffic.
by Dan Goodin
July 31 2012
Researchers have devised an attack against a Microsoft-developed
authentication scheme that makes it trivial to break the encryption used
by hundreds of anonymity and security services, including the iPredator
virtual private network offered to users of The Pirate Bay.
The attack, unveiled by Moxie Marlinspike and David Hulton, takes on
average just 12 hours to recover the secret key that iPredator and more
than 100 other VPN and wireless products use to encrypt sensitive data.
The technique, which has been folded into Marlinspike's CloudCracker
service, exploits weaknesses in version 2 of a Microsoft technology known
as MS-CHAP, short for Microsoft challenge-handshake authentication
protocol. It's widely used to log users into VPN and WPA2 networks and is
built into a variety of operating systems, including Windows and Ubuntu.
When a person has -- whether they knew it or not -- already
rejected the Truth, by what means do they discern a lie?