The purpose of PPTP is to allow remote users to set up a Point-to-Point Protocol (PPP) connection to a local Internet Service Provider (ISP) and create a secure VPN connection to a destination server. It was the original de facto standard for allowing PPP data to be transferred across a network infrastructure that did not necessarily understand the PPP protocol. By encapsulating the PPP data in a PPTP wrapper, the data could be sent across any network that supported this protocol. In the early days of the internet, this enabled Transmission Control Protocol/Internet Protocol (TCP/IP) data to be sent over the telephone network, bringing internet access into the home.
User data is encapsulated using the PPP protocol and then re-encapsulated using PPTP, which comprises a Generic Routing Encapsulation (GRE) header that is in turn encapsulated in an IP header. PPTP tunnels are created using TCP Port 1723, the tunnel being a virtual path that allows the secure transfer of data across a network. The fixed port makes it easy for a network device to identify that the data is probably associated with a VPN connection. This knowledge lets service providers, such as broadcast streaming services with geographically based licensing, block traffic that hides its location.
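The same identifiability helps a defender inventory legacy PPTP on their own network. The following is an added example, not part of the original article: it labels raw IPv4 packets as PPTP control traffic (TCP port 1723) or PPTP tunnel data (GRE). It assumes the IANA protocol numbers 6 and 47 and the version-1 GRE header with protocol type 0x880B from RFC 2637; the packets and addresses are constructed.

```python
import struct

PPTP_CONTROL_PORT = 1723  # TCP port named in the text
IPPROTO_TCP, IPPROTO_GRE = 6, 47  # IANA IP protocol numbers
GRE_PROTO_PPP = 0x880B  # protocol type used by PPTP's GRE variant (RFC 2637)

def classify_ipv4(packet: bytes) -> str:
    """Label one raw IPv4 packet as 'pptp-control', 'pptp-data' or 'other'."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes
    payload = packet[ihl:]
    if ihl < 20 or len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    if packet[9] == IPPROTO_TCP:
        # For TCP the first two fields are source and destination port
        return "pptp-control" if PPTP_CONTROL_PORT in (first, second) else "other"
    if packet[9] == IPPROTO_GRE:
        # For GRE they are flags/version and protocol type; PPTP uses version 1
        if (first & 0x0007) == 1 and second == GRE_PROTO_PPP:
            return "pptp-data"
    return "other"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]),
                       bytes([198, 51, 100, 20])) + payload

# Constructed sample packets, not captured traffic
SAMPLES = {
    "control": ipv4(IPPROTO_TCP, struct.pack("!HH", 49152, 1723) + bytes(16)),
    "tunnel": ipv4(IPPROTO_GRE, struct.pack("!HHHH", 0x3001, 0x880B, 4, 1) + bytes(8)),
    "https": ipv4(IPPROTO_TCP, struct.pack("!HH", 49153, 443) + bytes(16)),
    "plain_gre": ipv4(IPPROTO_GRE, struct.pack("!HH", 0x0000, 0x0800) + bytes(20)),
}

def classify_samples() -> dict:
    return {name: classify_ipv4(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:10s} {label}")
```

A port match is only a heuristic, since any service can listen on 1723; the GRE check on protocol type and version is the stronger signal.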
The security of the connection is based on two things: authentication of the PPTP tunnel, to ensure only authorized users and services have access, and encryption of the data sent along the tunnel once communications are established. The PPP data is encrypted using Microsoft Point-to-Point Encryption (MPPE) based on either MS-CHAP or EAP-TLS. MS-CHAP is Microsoft’s implementation of the Challenge-Handshake Authentication Protocol (CHAP). This is the process that allows a user to authenticate with an ISP server. Details of the implementation of this handshake protocol are available from Microsoft. EAP-TLS is the Extensible Authentication Protocol (EAP) Transport Layer Security (TLS), which is an open standard handshake protocol and considered one of the more secure options available. Details of this handshake protocol’s implementation are available from the Internet Engineering Task Force (IETF) open standards organization. The encryption algorithm keys are generated automatically during the authentication process between the client device and the server.
- The client device attempts to connect to a server.
- The server challenges the client device to provide a valid identity.
- The client sends a hash value of a shared password to the server using the MD4 or MD5 message-digest algorithm.
- The server compares the received hash value with its own calculated hash value of the same shared password.
- If the two hash values are the same, the connection is authenticated.
- Data is then encrypted using the RC4 algorithm and a 128-bit key. Rivest Cipher 4 is also known as ARC4 or ARCFOUR.
The security of this authentication process relies on the secrecy of the shared password. This password is never communicated in an unencrypted form and cannot be deduced by reverse-engineering the transmitted hash value.
Microsoft provides a useful guide for configuring user-level PPTP authentication to use EAP-TLS or MS-CHAP v2.
Microsoft’s participation in PPTP development means that it has been integrated as a standard feature in all versions of Microsoft operating systems since the 1990s. This makes it readily available and straightforward to set up, requiring no additional software, which has boosted its adoption across a broad range of applications.
One benefit of using a protocol with a relatively simple encryption algorithm is the fast encryption speed, which minimizes bandwidth and latency impact. This makes this protocol attractive where large data throughput is required for non-sensitive information such as multimedia content streaming and online interactive gaming.
Disadvantages and Vulnerabilities
The RC4 encryption algorithm, developed in the 1980s, was used for many standard applications because of its speed and simplicity. Applications included the Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) protocols. However, numerous vulnerabilities in the algorithm have made it insufficiently secure for most cryptography applications. It is no longer approved for use in Secure Sockets Layer/Transport Layer Security (SSL/TLS), and Microsoft no longer supports its use for web browsers. A research paper presenting the weaknesses of the RC4 stream cipher and possible attacks on it is available.
The hashing function’s implementation is flawed, meaning that passwords can be deduced by monitoring data as it is transmitted and looking for patterns that allow the shared password to be uncovered. The handshake process itself involves the transmission of potentially useful information, such as usernames, in plain text. With modern processing capabilities, passwords are also vulnerable to dictionary attacks within a few days. The encrypted data can also be intercepted and deciphered within 24 hours using publicly available cracking tools, making it unsuitable for use in protecting sensitive information. Microsoft has published details of a number of vulnerabilities. PPTP is known to have been broken by the US National Security Agency (NSA).
For more detailed information, the SANS Institute has produced a useful guide covering the vulnerabilities and exploits for PPTP.
The RC4 stream cipher has no inbuilt authentication mechanism to detect corruption of the transmitted data. This means that it is vulnerable to bit-flipping attacks where the data in transit is deliberately changed by an attacker to either corrupt the message as a denial of service attack or change the stream cipher’s content to alter the message being sent.
Another downside of PPTP is that it will only work over IP networks, which limited its application. This led to the development of the Layer Two Tunneling Protocol (L2TP) as a replacement that could be used across a broader range of networks.
PPTP is one of the older VPN encryption standards and is still popular despite known vulnerabilities that mean it is not sufficiently secure. Its popularity is down to its fast speed, its availability as a pre-installed function in most common operating systems, and its simplicity to set up and use. However, the security flaws and vulnerabilities mean that it should not be used for protecting sensitive information.