Network Working Group G. S. Pall Internet-Draft Microsoft Corporation Category: Informational G. Zorn Updates: RFC 2118 Microsoft Corporation April 1998 Microsoft Point-To-Point Encryption (MPPE) Protocol 1. Status of this Memo This document is an Internet-Draft. Internet-Drafts are working docu- ments of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working doc- uments as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress''. To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. The distribution of this memo is unlimited. It is filed as and expires October 3, 1998. Please send comments to the PPP Extensions Working Group mailing list (ietf-ppp@merit.edu) or to the authors (gur- deep@microsoft.com and glennz@microsoft.com). 2. Abstract The Point-to-Point Protocol (PPP) [1] provides a standard method for transporting multi-protocol datagrams over point-to-point links. The PPP Compression Control Protocol [2] provides a method to negotiate and utilize compression protocols over PPP encapsulated links. This document describes the use of the Microsoft Point to Point Encryp- tion (MPPE) to enhance the confidentiality of encrypted PPP-encapsulated packets. Pall & Zorn [Page 1] INTERNET-DRAFT MPPE April 1998 3. Introduction The Microsoft Point to Point Encryption scheme is a means of represent- ing Point to Point Protocol (PPP) packets in an encrypted form. MPPE uses the RSA RC4 [3] algorithm to provide data confidentiality. The length of the session key to be used for initializing encryption tables can be negotiated. MPPE currently supports 40-bit and 128-bit session keys. MPPE session keys are changed frequently; the exact frequency depends upon the options negotiated, but may be every packet. MPPE is negotiated within option 18 [4] in the Compression Control Pro- tocol. 4. Specification of Requirements In this document, the key words "MAY", "MUST, "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as described in [5]. 5. Configuration Option Format Description The CCP Configuration Option negotiates the use of MPPE on the link. By default, no encryption is used. If, however, MPPE negotiation is attempted and fails, the link SHOULD be terminated. A summary of the CCP Configuration Option format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Supported Bits | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Supported Bits | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 18 Length Pall & Zorn [Page 2] INTERNET-DRAFT MPPE April 1998 6 Supported Bits This field is 4 octets, most significant octet first. 3 2 1 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |H| |N| |S|L| |C| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The 'C' bit is used by MPPC [4] and is not discussed further in this memo. If the 'L' bit is set (corresponding to a value of 0x20 in the least significant octet), this indicates the desire of the sender to negotiate the use of 40-bit session keys, derived from the LanManager password. If the 'S' bit is set (corresponding to a value of 0x40 in the least significant octet), this indicates the desire of the sender to negotiate the use of 128-bit session keys. If the 'N' bit is set (corresponding to a value of 0x01 in the second least significant octet), this indicates that the sender wants to negotiate the use of 40-bit session keys derived from the Windows NT password hash. If the 'H' bit is set (corresponding to a value of 0x01 in the most sig- nificant octet), this indicates that the sender wishes to negotiate the use of stateless mode, in which the session key is changed after the transmission of each packet (see section 7.6, below). In the following discussion, the 'N', 'S' and 'L' bits are sometimes referred to collectively as "encryption options". All other bits are reserved and MUST be set to 0. 5.1. Option Negotiation MPPE options are negotiated as described in [2]. In particular, the negotiation initiator SHOULD request all of the options it supports. The responder SHOULD NAK with a single encryption option (note that stateless mode may always be negotiated, independent of and in addition to an encryption option). If the responder supports more than one encryption option in the set requested by the initiator, the option selected SHOULD be the "strongest" option offered. Informally, the strength of the MPPE encryption options may be characterized as follows: STRONGEST 128-bit encryption ('S' bit set) 40-bit encryption ('N' bit set) 40-bit encryption ('L' bit set) WEAKEST Pall & Zorn [Page 3] INTERNET-DRAFT MPPE April 1998 This characterization takes into account the generally accepted strength of both the cipher and the key derivation method. The initiator SHOULD then either send another request containing the same option(s) as the responder's NAK or cancel the negotiation, drop- ping the connection. 6. MPPE Packets Before any MPPE packets are transmitted, PPP MUST reach the Network- Layer Protocol phase and the CCP Control Protocol MUST reach the Opened state. Exactly one MPPE datagram is encapsulated in the PPP Information field. The PPP Protocol field indicates type 0x00FD for all encrypted data- grams. The maximum length of the MPPE datagram transmitted over a PPP link is the same as the maximum length of the Information field of a PPP encap- sulated packet. Only packets with PPP Protocol numbers in the range 0x0021 to 0x00FA are encrypted. Other packets are not passed thru the MPPE processor and are sent with their original PPP Protocol numbers. Padding It is recommended that padding not be used with MPPE. If the sender uses padding it MUST negotiate the Self-Describing-Padding Configuration option during LCP phase and use self-describing pads. Reliability and Sequencing The MPPE scheme does not require a reliable link. Instead, it relies on a 12-bit coherency count in each packet to keep the encryption tables synchronized. If stateless mode has not been negotiated and the coherency count in the received packet does not match the expected count, the receiver MUST send a CCP Reset- Request packet to cause the resynchronization of the RC4 tables. MPPE expects the packets to be delivered in sequence. MPPE MAY be used over a reliable link, as described in "PPP Reli- able Transmision" [6], but this typically just adds unnecessary overhead since only the coherency count is required. Pall & Zorn [Page 4] INTERNET-DRAFT MPPE April 1998 Data Expansion The MPPE scheme does not expand or compress data. The number of octets input to and output from the MPPE processor are the same. 6.1. Packet Format A summary of the MPPE packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | PPP Protocol |A|B|C|D| Coherency Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encrypted Data... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ PPP Protocol The PPP Protocol field is described in the Point-to-Point Protocol Encapsulation [1]. When MPPE is successfully negotiated by the PPP Compression Control Protocol, the value of this field is 0x00FD. This value MAY be com- pressed when Protocol-Field-Compression is negotiated. Bit A This bit indicates that the encryption tables were initialized before this packet was generated. The receiver MUST re-initialize its tables with the current session key before decrypting this packet. This bit is referred to as the FLUSHED bit in this document. If the stateless option has been negotiated, this bit MUST be set on every encrypted packet. Note that MPPC and MPPE both recognize the FLUSHED bit; therefore, if the stateless option is negotiated, it applies to both MPPC and MPPE. Bit B This bit does not have any significance in MPPE. Bit C This bit does not have any significance in MPPE. Bit D Pall & Zorn [Page 5] INTERNET-DRAFT MPPE April 1998 This bit set to 1 indicates that the packet is encrypted. This bit set to 0 means that this packet is not encrypted. Coherency Count The coherency count is used to assure that the packets are sent in proper order and that no packet has been dropped. It is a monotoni- cally increasing counter which incremented by 1 for each packet sent. When the counter reaches 4095 (0x0FFF), it is reset to 0. Encrypted Data The encrypted data begins with the protocol field. For example, in case of an IP packet (0x0021 followed by an IP header), the MPPE pro- cessor will first encrypt the protocol field and then encrypt the IP header. If the packet contains header compression, the MPPE processor is applied AFTER header compression is performed and MUST be applied to the compressed header as well. For example, if a packet contained the protocol type 0x002D (for a compressed TCP/IP header), the MPPE processor would first encrypt 0x002D and then it would encrypt the compressed Van-Jacobsen TCP/IP header. Implementation Notes Microsoft supports MPPE negotiation only if MS-CHAP [7] authentica- tion was used. This is not an inherent limitation of the MPPE proto- col, however; MPPE may be supported with other authentication proto- cols in the future. If both MPPE and MPPC are negotiated on the same link, the MPPE pro- cessor MUST be invoked after the MPPC processor by the sender and the MPPE processor MUST be invoked before the MPPC processor by the receiver. 7. Session Keys In the current implementation, session keys are derived from peer cre- dentials; however, other derivation methods are possible. For example, some authentication methods (such as Kerberos [11] and TLS [12]) produce session keys as side effects of authentication; these keys may be used by MPPE in the future. The techniques used to derive session keys from peer credentials are described in the following sections. Implementation Note Pall & Zorn [Page 6] INTERNET-DRAFT MPPE April 1998 For session keys derived from peer credentials (as described below), the initial session key in both directions is derived from the cre- dentials of the peer that initiated the call and the challenge used (if any) is the challenge from the first authentication. This is true for both unilateral and mutual authentication, as well as for each link in a multilink bundle. In the multi-chassis multilink case, implementations are responsible for ensuring that the correct keys are generated on all participating machines. 7.1. Generating 40-bit Session Keys MPPE uses a derivative of the peer's credentials as the 40-bit session key used for initializing the RC4 encryption tables. The actual key derivation process used depends upon the the encryption option negoti- ated. The steps involved in the generation of 40-bit session keys from both the Windows NT password hash (if the 'N' bit was negotiated) and the LM password hash (if the 'L' bit was negotiated) are described in the following sections. 7.1.1. Generating 40-bit Keys from the LM Password Hash The first step is to obfuscate the peer's password using the LmPassword- Hash() function (described in [7]). The first 8 octets of the result, say H, are used as the basis for the session key generated in the fol- lowing way: /* * H is the basis for the session key * H' is a copy of H and is the generative session key * 8 is the length (in octets) of the key to be generated. * */ Get_Key(H, H', 8) /* * The result of Get_Key() stored in H' is then salted as follows: * */ H'[0] = 0xD1 ; H'[1] = 0x26 ; H'[2] = 0x9E ; Pall & Zorn [Page 7] INTERNET-DRAFT MPPE April 1998 7.1.2. Generating 40-bit Keys from the Windows NT Password Hash The first step is to obfuscate the peer's password using the NtPassword- Hash() function (as described in [7]). The first 16 octets of the result are then hashed again using the same MD4 algorithm. The first 16 octets of the second hash, say H, are used as the basis for the session key generated in the following way: /* * Challenge (as described in [7]) is sent by the PPP peer during * authentication and is 8 octets long. * H is the basis for the session key. On return, H contains the * start key to be used. */ Get_Start_Key(Challenge, H) /* * H' is a copy of H and is the generative session key. * Length (in octets) of the key to generate is 8. * */ Get_Key(H, H', 8) /* * The result of Get_Key() stored in H' is then salted as follows: * */ H'[0] = 0xD1 ; H'[1] = 0x26 ; H'[2] = 0x9E ; 7.2. Generating 128-bit Session Keys MPPE uses a derivative of the peer's credentials as the 128-bit session key used for initializing encryption tables. The first step is to obfuscate the peer's password using NtPassword- Hash() function as described in [7]. The first 16 octets of the result are then hashed again using the same MD4 algorithm. The first 16 octets of the second hash, say H, are used as the basis for the session key generated in the following way: /* * Challenge as described in [7] is sent by the PPP peer during * authentication and is 8 octets long. * H is the basis for the session key. On return, H contains the * start key to be used. Pall & Zorn [Page 8] INTERNET-DRAFT MPPE April 1998 */ Get_Start_Key(Challenge, H) /* * H' is a copy of H and is the generative session key. * Length (in octets) of the key to generate is 16. * */ Get_Key(H, H', 16) 7.3. Key Derivation Functions The following procedures are used to derive the session key. /* * Pads used in key derivation */ SHApad1[40] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; SHApad2[40] = {0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2}; /* * SHAInit(), SHAUpdate() and SHAFinal() functions are an * implementation of Secure Hash Algorithm (SHA-1) [10]. These are * available in public domain or can be licensed from * RSA Data Security, Inc. * * 1) H is 8 octets long for 40 bit session keys. * 2) H is 16 octets long for 128 bit session keys. * 3) H' is same as H when this routine is called for the first time * for the session. * 4) The generated key is returned in H'. This is the "current" key. */ Get_Key(H, H', Length_Of_Desired_Key) { SHAInit(Context) SHAUpdate(Context, H, Length_Of_Desired_Key) SHAUpdate(Context, SHAPad1, 40) Pall & Zorn [Page 9] INTERNET-DRAFT MPPE April 1998 SHAUpdate(Context, H', Length_Of_Desired_Key) SHAUpdate(Context, SHAPad2, 40) SHAFinal(Context, Digest) memcpy(H', Digest, Length_Of_Desired_Key) } Get_Start_Key(Challenge, H) { SHAInit(Context) SHAUpdate(Context, H, 16) /* * H+Challenge is H concatenated with the challenge. * For example, if H == "12" and Challenge == "34", * then H+Challenge == "1234" */ SHAUpdate(Context, H+Challenge, 24) SHAFinal(Context, Digest) memcpy(H, Digest, 16) } 7.4. Initializing RC4 Using a Session Key Once H' is derived, the RC4 context is initialized as follows: /* * rc4_key() library can be licensed from RSA Data Security, Inc. */ rc4_key(RC4Key, Length_Of_Key, H') 7.5. Encrypting Data Once initialized, data is encrypted using the following function and transmitted with the CCP and MPPE headers. /* * rc4() can be licensed from RSA Data Security, Inc. */ EncryptedData = rc4(RC4Key, Length_Of_Data, Data) 7.6. Changing Keys If stateless encryption has been negotiated, the session key changes every time the coherency count changes; i.e., on every packet. Other- wise, the sender MUST change its key before encrypting and transmitting any packet in which the low order octet of the coherency count equals 0xFF (the "flag" packet), and the receiver MUST change its key after receiving, but before decrypting, a "flag" packet (see Pall & Zorn [Page 10] INTERNET-DRAFT MPPE April 1998 "Synchronization", below). The following method is used to change keys: /* * H is the original key. * H' is current key. * Length_Of_Key: 8 for 40 bit keys and 16 for 128 bit session keys. * * On return H' is changed to the new key. */ Get_Key(H, H', Length_Of_Key) Tables are re-initialized using the RC4 function: /* * rc4() can be licensed from RSA Data Security, Inc. */ rc4_key(RC4Key, Length_Of_Key, H') H' is encrypted using the new tables to produce a new H': /* * rc4() can be licensed from RSA Data Security, Inc. */ H' = rc4(RC4Key, Length_Of_Key, H') For 40-bit session keys the first three octets of H' are set to 0xD1, 0x26 and 0x9E respectively. Finally, tables are re-initialized using the RC4 function: /* * rc4() can be licensed from RSA Data Security, Inc. */ rc4_key(RC4Key, Length_Of_Key, H') 7.7. Synchronization Packets may be lost during transfer. The following sections describe synchronization for both the stateless and stateful cases. 7.7.1. Stateless Synchronization If stateless encryption has been negotiated and the coherency count in the received packet (C1) is greater than the coherency count in the last Pall & Zorn [Page 11] INTERNET-DRAFT MPPE April 1998 packet previously received (C2), the receiver MUST perform N = C1 - C2 key changes before decrypting the packet, in order to ensure that its session key is synchronized with the session key of the sender. Nor- mally, the value of N will be 1; if intervening packets have been lost, N may be greater than 1, however. For example, if C1 = 5 and C2 = 02 then N = 3 key changes are required. Since the FLUSHED bit is set on every packet if stateless encryption was negotiated, the transmission of CCP Reset-Request packets is not required for synchronization. 7.7.2. Stateful Synchronization If stateful encryption has been negotiated, the sender MUST change its key before encrypting and transmitting any packet in which the low order octet of the coherency count equals 0xFF (the "flag" packet), and the receiver MUST change its key after receiving, but before decrypting, a "flag" packet. However, the "flag" packet may be lost. If this hap- pens, the low order octet of the coherency count in the received packet will be less than that in the last packet previously received. In this case, the receiver MUST perform a key change before decrypting the newly received packet, (since the sender will have changed its key before transmitting the packet), then send a CCP Reset-Request packet (see below). It is possible that 256 or more consecutive packets could be lost; the receiver SHOULD detect this condition and perform the number of key changes necessary to resynchronize with the sender. If packet loss is detected while using stateful encryption, the receiver MUST drop the packet and send a CCP Reset-Request packet without data. After transmitting the CCP Reset-Request packet, the receiver SHOULD silently discard all packets until a packet is received with the FLUSHED bit set. On receiving a packet with the FLUSHED bit set, the receiver MUST set its coherency count to the one received in that packet and re- initialize its RC4 tables using an RC4 function: /* * H' is the current session key * rc4() can be licensed from RSA Data Security, Inc. */ rc4_key(RC4Key, Length_Of_Key, H') When the sender receives a CCP Reset-Request packet, it MUST re-initial- ize its own RC4 tables using the same function and set the FLUSHED bit in the next packet sent. Thus synchronization is achieved without a CCP Reset-Ack packet. Pall & Zorn [Page 12] INTERNET-DRAFT MPPE April 1998 8. Security Considerations Because of the way that the RC4 tables are reinitialized when packets are lost, it is possible that two packets may be encrypted using the same key. For this reason, the stateless mode SHOULD always be used in lossy network environments (e.g., layer two tunnels on the Internet). Because of the way in which 40-bit keys are derived, the initial 40-bit session key will be identical in all sessions established under the same peer credentials. For this reason, and because RC4 with a 40-bit key length is believed to be a relatively weak cipher, peers SHOULD NOT negotiate the 'L' bit if it can be avoided. 9. References [1] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994 [2] Rand, D., "The PPP Compression Control Protocol (CCP)", RFC 1962, June 1996 [3] RC4 is a proprietary encryption algorithm available under license from RSA Data Security Inc. For licensing information, contact: RSA Data Security, Inc. 100 Marine Parkway Redwood City, CA 94065-1031 [4] Pall, G., "Microsoft Point-to-Point Compression (MPPC) Protocol", RFC 2118, March 1997 [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997 [6] Rand, D., "PPP Reliable Transmission", RFC 1663, July 1994 [7] Cobb, S. and Zorn, G., "Microsoft PPP CHAP Extensions", draft-ietf- pppext-mschap-00.txt (work in progress), March 1998 [8] "Data Encryption Standard (DES)", Federal Information Processing Standard Publication 46-2, National Institute of Standards and Technology, December 1993 [9] "DES Modes of Operation", Federal Information Processing Standards Publication 81, National Institute of Standards and Technology, December 1980 Pall & Zorn [Page 13] INTERNET-DRAFT MPPE April 1998 [10] "Secure Hash Standard", Federal Information Processing Standards Publication 180-1, National Institute of Standards and Technology, April 1995 [11] Kohl, J. and Neuman, C., "The Kerberos Network Authentication Sys- tem (V5)", RFC 1510, September 1993 [12] Dierks, T. and Allen, C., "The TLS Protocol Version 1.0", draft- ietf-tls-protocol-05.txt (work in progress), November 1997 10. Acknowledgements Anthony Bell, Richard B. Ward, Terence Spies and Thomas Dimitri, all of Microsoft Corporation, significantly contributed to the design and development of MPPE. Additional thanks to Robert Friend (rfriend@hifn.com), Joe Davies (josephd@microsoft.com), Jody Terrill (jodyt@extendsys.com), Archie Cobbs (archie@whistle.com), Mark Deuser (deuser@us.ibm.com), and Jeff Haag (jeff_haag@3com.com) for useful feedback. 11. Chair's Address The PPP Extensions Working Group can be contacted via the current chair: Karl Fox Ascend Communications 3518 Riverside Drive Suite 101 Columbus, OH 43221 Phone: +1 614 326 6841 Email: karl@ascend.com 12. Authors' Addresses Questions about this memo ican also be directed to: Gurdeep Singh Pall Microsoft Corporation One Microsoft Way Redmond, Washington 98052 Phone: +1 425 882 8080 Pall & Zorn [Page 14] INTERNET-DRAFT MPPE April 1998 FAX: +1 425 936 7329 EMail: gurdeep@microsoft.com Glen Zorn Microsoft Corporation One Microsoft Way Redmond, Washington 98052 Phone: +1 425 703 1559 FAX: +1 425 936 7329 EMail: glennz@microsoft.com 13. Expiration Date This memo is filed as and expires on October 3, 1998. Pall & Zorn [Page 15]