Network Working Group                                            G. Zorn
Request for Comments: 3079                                 cisco Systems
Category: Informational                                       March 2001
        

Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links.

The PPP Compression Control Protocol provides a method to negotiate and utilize compression protocols over PPP encapsulated links.

Microsoft Point to Point Encryption (MPPE) is a means of representing PPP packets in an encrypted form. MPPE uses the RSA RC4 algorithm to provide data confidentiality. The length of the session key to be used for initializing encryption tables can be negotiated. MPPE currently supports 40-bit, 56-bit and 128-bit session keys. MPPE session keys are changed frequently; the exact frequency depends upon the options negotiated, but may be every packet. MPPE is negotiated within option 18 in the Compression Control Protocol.

This document describes the method used to derive initial MPPE session keys from a variety of credential types. It is expected that this memo will be updated whenever Microsoft defines a new key derivation method for MPPE, since its primary purpose is to provide an open, easily accessible reference for third-parties wishing to interoperate with Microsoft products.

MPPE itself (including the protocol used to negotiate its use, the details of the encryption method used and the algorithm used to change session keys during a session) is described in RFC 3078.

Table of Contents

   1.  Specification of Requirements
   2.  Deriving Session Keys from MS-CHAP Credentials
   2.1.  Generating 40-bit Session Keys
   2.2.  Generating 56-bit Session Keys
   2.3.  Generating 128-bit Session Keys
   2.4.  Key Derivation Functions
   2.5.  Sample Key Derivations
   2.5.1.  Sample 40-bit Key Derivation
   2.5.2.  Sample 56-bit Key Derivation
   2.5.3.  Sample 128-bit Key Derivation
   3.  Deriving Session Keys from MS-CHAP-2 Credentials
   3.1.  Generating 40-bit Session Keys
   3.2.  Generating 56-bit Session Keys
   3.3.  Generating 128-bit Session Keys
   3.4.  Key Derivation Functions
   3.5.  Sample Key Derivations
   3.5.1.  Sample 40-bit Key Derivation
   3.5.2.  Sample 56-bit Key Derivation
   3.5.3.  Sample 128-bit Key Derivation
   4.  Deriving MPPE Session Keys from TLS Session Keys
   4.1.  Generating 40-bit Session Keys
   4.2.  Generating 56-bit Session Keys
   4.3.  Generating 128-bit Session Keys
   5.  Security Considerations
   5.1.  MS-CHAP Credentials
   5.2.  EAP-TLS Credentials
   6.  References
   7.  Acknowledgements
   8.  Author's Address
   9.  Full Copyright Statement
        
1. Specification of Requirements

In this document, the key words "MAY", "MUST", "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as described in [6].

2. Deriving Session Keys from MS-CHAP Credentials

The Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP-1) [2] is a Microsoft-proprietary PPP [1] authentication protocol, providing the functionality to which LAN-based users are accustomed while integrating the encryption and hashing algorithms used on Windows networks.

The following sections detail the methods used to derive initial session keys (40-, 56- and 128-bit) from MS-CHAP-1 credentials.

Implementation Note

The initial session key in both directions is derived from the credentials of the peer that initiated the call and the challenge used (if any) is the challenge from the first authentication. This is true for both unilateral and bilateral authentication, as well as for each link in a multilink bundle. In the multi-chassis multilink case, implementations are responsible for ensuring that the correct keys are generated on all participating machines.

2.1. Generating 40-bit Session Keys

MPPE uses a derivative of the peer's LAN Manager password as the 40-bit session key used for initializing the RC4 encryption tables.

The first step is to obfuscate the peer's password using the LmPasswordHash() function (described in [2]). The first 8 octets of the result are used as the basis for the session key generated in the following way:

/*
* PasswordHash is the basis for the session key
* SessionKey is a copy of PasswordHash and is the generative session key
* 8 is the length (in octets) of the key to be generated.
*
*/
Get_Key(PasswordHash, SessionKey, 8)
        
/*
* The effective length of the key is reduced to 40 bits by
* replacing the first three bytes as follows:
*/
SessionKey[0] = 0xd1 ;
SessionKey[1] = 0x26 ;
SessionKey[2] = 0x9e ;
        
2.2. Generating 56-bit Session Keys

MPPE uses a derivative of the peer's LAN Manager password as the 56-bit session key used for initializing the RC4 encryption tables.

The first step is to obfuscate the peer's password using the LmPasswordHash() function (described in [2]). The first 8 octets of the result are used as the basis for the session key generated in the following way:

/*
* PasswordHash is the basis for the session key
* SessionKey is a copy of PasswordHash and is the generative session key
* 8 is the length (in octets) of the key to be generated.
*
*/
Get_Key(PasswordHash, SessionKey, 8)
        
/*
* The effective length of the key is reduced to 56 bits by
* replacing the first byte as follows:
*/
SessionKey[0] = 0xd1 ;
        
2.3. Generating 128-bit Session Keys

MPPE uses a derivative of the peer's Windows NT password as the 128-bit session key used for initializing encryption tables.

The first step is to obfuscate the peer's password using NtPasswordHash() function as described in [2]. The first 16 octets of the result are then hashed again using the MD4 algorithm. The first 16 octets of the second hash are used as the basis for the session key generated in the following way:

/*
* Challenge (as described in [9]) is sent by the PPP authenticator
* during authentication and is 8 octets long.
* NtPasswordHashHash is the basis for the session key.
* On return, InitialSessionKey contains the initial session
* key to be used.
*/
Get_Start_Key(Challenge, NtPasswordHashHash, InitialSessionKey)
        
/*
* CurrentSessionKey is a copy of InitialSessionKey
* and is the generative session key.
* Length (in octets) of the key to generate is 16.
*
*/
Get_Key(InitialSessionKey, CurrentSessionKey, 16)
        
2.4. Key Derivation Functions

The following procedures are used to derive the session key.

/*
 * Pads used in key derivation
 */
        
SHApad1[40] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

SHApad2[40] = {0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2};

/*
 * SHAInit(), SHAUpdate() and SHAFinal() functions are an
 * implementation of Secure Hash Algorithm (SHA-1) [7]. These are
 * available in public domain or can be licensed from
 * RSA Data Security, Inc.
 *
 * 1) InitialSessionKey is 8 octets long for 56- and 40-bit
 *    session keys, 16 octets long for 128 bit session keys.
 * 2) CurrentSessionKey is same as InitialSessionKey when this
 *    routine is called for the first time for the session.
 */
        
Get_Key(
IN     InitialSessionKey,
IN/OUT CurrentSessionKey,
IN     LengthOfDesiredKey )
{
   SHAInit(Context)
   SHAUpdate(Context, InitialSessionKey, LengthOfDesiredKey)
   SHAUpdate(Context, SHApad1, 40)
   SHAUpdate(Context, CurrentSessionKey, LengthOfDesiredKey)
   SHAUpdate(Context, SHApad2, 40)
   SHAFinal(Context, Digest)
   memcpy(CurrentSessionKey, Digest, LengthOfDesiredKey)
}
        

Get_Start_Key(
IN  Challenge,
IN  NtPasswordHashHash,
OUT InitialSessionKey)
{
   SHAInit(Context)
   SHAUpdate(Context, NtPasswordHashHash, 16)
   SHAUpdate(Context, NtPasswordHashHash, 16)
   SHAUpdate(Context, Challenge, 8)
   SHAFinal(Context, Digest)
   memcpy(InitialSessionKey, Digest, 16)
}
        
2.5. Sample Key Derivations

The following sections illustrate 40-, 56- and 128-bit key derivations. All intermediate values are in hexadecimal.

2.5.1. Sample 40-bit Key Derivation

Initial Values
   Password = "clientPass"

Step 1: LmPasswordHash(Password, PasswordHash)
   PasswordHash = 76 a1 52 93 60 96 d7 83 0e 23 90 22 74 04 af d2

Step 2: Copy PasswordHash to SessionKey
   SessionKey = 76 a1 52 93 60 96 d7 83 0e 23 90 22 74 04 af d2

Step 3: GetKey(PasswordHash, SessionKey, 8)
   SessionKey = d8 08 01 53 8c ec 4a 08

Step 4: Reduce the effective key length to 40 bits
   SessionKey = d1 26 9e 53 8c ec 4a 08

2.5.2. Sample 56-bit Key Derivation

Initial Values
   Password = "clientPass"

Step 1: LmPasswordHash(Password, PasswordHash)
   PasswordHash = 76 a1 52 93 60 96 d7 83 0e 23 90 22 74 04 af d2

Step 2: Copy PasswordHash to SessionKey
   SessionKey = 76 a1 52 93 60 96 d7 83 0e 23 90 22 74 04 af d2

Step 3: GetKey(PasswordHash, SessionKey, 8)
   SessionKey = d8 08 01 53 8c ec 4a 08

Step 4: Reduce the effective key length to 56 bits
   SessionKey = d1 08 01 53 8c ec 4a 08

2.5.3. Sample 128-bit Key Derivation

Initial Values
   Password = "clientPass"
   Challenge = 10 2d b5 df 08 5d 30 41

Step 1: NtPasswordHash(Password, PasswordHash)
   PasswordHash = 44 eb ba 8d 53 12 b8 d6 11 47 44 11 f5 69 89 ae

Step 2: PasswordHashHash = MD4(PasswordHash)
   PasswordHashHash = 41 c0 0c 58 4b d2 d9 1c 40 17 a2 a1 2f a5 9f 3f

Step 3: GetStartKey(Challenge, PasswordHashHash, InitialSessionKey)
   InitialSessionKey = a8 94 78 50 cf c0 ac ca d1 78 9f b6 2d dc dd b0

Step 4: Copy InitialSessionKey to CurrentSessionKey
   CurrentSessionKey = a8 94 78 50 cf c0 ac c1 d1 78 9f b6 2d dc dd b0

Step 5: GetKey(InitialSessionKey, CurrentSessionKey, 16)
   CurrentSessionKey = 59 d1 59 bc 09 f7 6f 1d a2 a8 6a 28 ff ec 0b 1e
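The derivations of sections 2.1 to 2.4 as runnable Python, an example added here and not part of the memo. It takes the LmPasswordHash, PasswordHashHash and Challenge values from the samples above as inputs rather than computing the LM and NT hashes, and the Python function names are this example's own.

```python
import hashlib

# Pads from section 2.4 (SHApad1 and SHApad2).
SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40

# Inputs copied from the sample derivations in section 2.5
# (password "clientPass"); the hashes are taken as given, not recomputed.
LM_PASSWORD_HASH = bytes.fromhex("76 a1 52 93 60 96 d7 83 0e 23 90 22 74 04 af d2")
NT_PASSWORD_HASH_HASH = bytes.fromhex("41 c0 0c 58 4b d2 d9 1c 40 17 a2 a1 2f a5 9f 3f")
CHALLENGE = bytes.fromhex("10 2d b5 df 08 5d 30 41")


def get_key(initial_key: bytes, current_key: bytes, length: int) -> bytes:
    """Get_Key(): SHA-1(initial || pad1 || current || pad2), truncated to length."""
    if length not in (8, 16):
        raise ValueError("MPPE session keys are 8 or 16 octets long")
    if len(initial_key) < length or len(current_key) < length:
        raise ValueError("key material is shorter than the requested key")
    digest = hashlib.sha1(
        initial_key[:length] + SHA_PAD1 + current_key[:length] + SHA_PAD2
    ).digest()
    return digest[:length]


def get_start_key(challenge: bytes, nt_password_hash_hash: bytes) -> bytes:
    """Get_Start_Key(): SHA-1(hashhash || hashhash || challenge), first 16 octets."""
    if len(challenge) != 8:
        raise ValueError("the MS-CHAP challenge is 8 octets long")
    if len(nt_password_hash_hash) < 16:
        raise ValueError("NtPasswordHashHash must supply 16 octets")
    basis = nt_password_hash_hash[:16]
    return hashlib.sha1(basis + basis + challenge).digest()[:16]


def derive_lm_session_key(lm_password_hash: bytes, bits: int) -> bytes:
    """Sections 2.1 and 2.2: 40- or 56-bit key from the LM password hash.

    No challenge enters this path, so the result depends on the password only.
    """
    if bits not in (40, 56):
        raise ValueError("this path produces 40- or 56-bit keys only")
    if len(lm_password_hash) < 8:
        raise ValueError("LmPasswordHash must supply at least 8 octets")
    basis = lm_password_hash[:8]
    key = bytearray(get_key(basis, basis, 8))
    key[0] = 0xD1                      # 56-bit: first octet is a known constant
    if bits == 40:
        key[1], key[2] = 0x26, 0x9E    # 40-bit: first three octets are known
    return bytes(key)


def derive_128bit_session_key(nt_password_hash_hash: bytes, challenge: bytes) -> bytes:
    """Section 2.3: the start key is bound to the challenge, then run through Get_Key()."""
    initial = get_start_key(challenge, nt_password_hash_hash)
    return get_key(initial, initial, 16)


if __name__ == "__main__":
    for bits in (40, 56):
        print(f"{bits}-bit key :", derive_lm_session_key(LM_PASSWORD_HASH, bits).hex(" "))
    print("128-bit key:", derive_128bit_session_key(NT_PASSWORD_HASH_HASH, CHALLENGE).hex(" "))
```

The 40- and 56-bit keys share their last five octets, and only the 128-bit key changes when the challenge changes.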

3. Deriving Session Keys from MS-CHAP-2 Credentials

Version 2 of the Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP-2) [8] is a Microsoft-proprietary PPP authentication protocol, providing the functionality to which LAN-based users are accustomed while integrating the encryption and hashing algorithms used on Windows networks.

The following sections detail the methods used to derive initial session keys from MS-CHAP-2 credentials. 40-, 56- and 128-bit keys are all derived using the same algorithm from the authenticating peer's Windows NT password. The only difference is in the length of the keys and their effective strength: 40- and 56-bit keys are 8 octets in length, while 128-bit keys are 16 octets long. Separate keys are derived for the send and receive directions of the session.

Implementation Note

The initial session keys in both directions are derived from the credentials of the peer that initiated the call and the challenges used are those from the first authentication. This is true as well for each link in a multilink bundle. In the multi-chassis multilink case, implementations are responsible for ensuring that the correct keys are generated on all participating machines.

3.1. Generating 40-bit Session Keys

When used in conjunction with MS-CHAP-2 authentication, the initial MPPE session keys are derived from the peer's Windows NT password.

The first step is to obfuscate the peer's password using NtPasswordHash() function as described in [8].

NtPasswordHash(Password, PasswordHash)

The first 16 octets of the result are then hashed again using the MD4 algorithm.

PasswordHashHash = md4(PasswordHash)

The first 16 octets of this second hash are used together with the NT-Response field from the MS-CHAP-2 Response packet [8] as the basis for the master session key:

GetMasterKey(PasswordHashHash, NtResponse, MasterKey)

Once the master key has been generated, it is used to derive two 40-bit session keys, one for sending and one for receiving:

GetAsymmetricStartKey(MasterKey, MasterSendKey, 8, TRUE, TRUE)
GetAsymmetricStartKey(MasterKey, MasterReceiveKey, 8, FALSE, TRUE)

The master session keys are never used to encrypt or decrypt data; they are only used in the derivation of transient session keys. The initial transient session keys are obtained by calling the function GetNewKeyFromSHA() (described in [3]):

GetNewKeyFromSHA(MasterSendKey, MasterSendKey, 8, SendSessionKey)
GetNewKeyFromSHA(MasterReceiveKey, MasterReceiveKey, 8, ReceiveSessionKey)

Next, the effective strength of both keys is reduced by setting the first three octets to known constants:

      SendSessionKey[0] = ReceiveSessionKey[0] = 0xd1
      SendSessionKey[1] = ReceiveSessionKey[1] = 0x26
      SendSessionKey[2] = ReceiveSessionKey[2] = 0x9e
        

Finally, the RC4 tables are initialized using the new session keys:

rc4_key(SendRC4key, 8, SendSessionKey)
rc4_key(ReceiveRC4key, 8, ReceiveSessionKey)

3.2. Generating 56-bit Session Keys

When used in conjunction with MS-CHAP-2 authentication, the initial MPPE session keys are derived from the peer's Windows NT password.

The first step is to obfuscate the peer's password using NtPasswordHash() function as described in [8].

NtPasswordHash(Password, PasswordHash)

The first 16 octets of the result are then hashed again using the MD4 algorithm.

PasswordHashHash = md4(PasswordHash)

The first 16 octets of this second hash are used together with the NT-Response field from the MS-CHAP-2 Response packet [8] as the basis for the master session key:

GetMasterKey(PasswordHashHash, NtResponse, MasterKey)

Once the master key has been generated, it is used to derive two 56-bit session keys, one for sending and one for receiving:

GetAsymmetricStartKey(MasterKey, MasterSendKey, 8, TRUE, TRUE)
GetAsymmetricStartKey(MasterKey, MasterReceiveKey, 8, FALSE, TRUE)

The master session keys are never used to encrypt or decrypt data; they are only used in the derivation of transient session keys. The initial transient session keys are obtained by calling the function GetNewKeyFromSHA() (described in [3]):

GetNewKeyFromSHA(MasterSendKey, MasterSendKey, 8, SendSessionKey)
GetNewKeyFromSHA(MasterReceiveKey, MasterReceiveKey, 8, ReceiveSessionKey)

Next, the effective strength of both keys is reduced by setting the first octet to a known constant:

SendSessionKey[0] = ReceiveSessionKey[0] = 0xd1

Finally, the RC4 tables are initialized using the new session keys:

rc4_key(SendRC4key, 8, SendSessionKey)
rc4_key(ReceiveRC4key, 8, ReceiveSessionKey)

3.3. Generating 128-bit Session Keys

When used in conjunction with MS-CHAP-2 authentication, the initial MPPE session keys are derived from the peer's Windows NT password.

The first step is to obfuscate the peer's password using NtPasswordHash() function as described in [8].

NtPasswordHash(Password, PasswordHash)

The first 16 octets of the result are then hashed again using the MD4 algorithm.

PasswordHashHash = md4(PasswordHash)

The first 16 octets of this second hash are used together with the NT-Response field from the MS-CHAP-2 Response packet [8] as the basis for the master session key:

GetMasterKey(PasswordHashHash, NtResponse, MasterKey)

Once the master key has been generated, it is used to derive two 128-bit master session keys, one for sending and one for receiving:

GetAsymmetricStartKey(MasterKey, MasterSendKey, 16, TRUE, TRUE)
GetAsymmetricStartKey(MasterKey, MasterReceiveKey, 16, FALSE, TRUE)

The master session keys are never used to encrypt or decrypt data; they are only used in the derivation of transient session keys. The initial transient session keys are obtained by calling the function GetNewKeyFromSHA() (described in [3]):

GetNewKeyFromSHA(MasterSendKey, MasterSendKey, 16, SendSessionKey)
GetNewKeyFromSHA(MasterReceiveKey, MasterReceiveKey, 16, ReceiveSessionKey)

Finally, the RC4 tables are initialized using the new session keys:

rc4_key(SendRC4key, 16, SendSessionKey)
rc4_key(ReceiveRC4key, 16, ReceiveSessionKey)
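The MS-CHAP-2 procedure of sections 3.1 to 3.3 as runnable Python, an example added here and not part of the memo. It computes the keys for both ends to show that the client's send key is the server's receive key. Assumptions: PasswordHashHash is the sample value from section 2.5.3, the NT-Response is a constructed placeholder, GetNewKeyFromSHA() is implemented as defined in [3], and the Python function names are this example's own.

```python
import hashlib

# Pads and magic constants of section 3.4; the magic values are written here
# as the ASCII text that the Magic1/Magic2/Magic3 octet arrays spell out.
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")

# PasswordHashHash of the sample password "clientPass" (section 2.5.3).
PASSWORD_HASH_HASH = bytes.fromhex("41 c0 0c 58 4b d2 d9 1c 40 17 a2 a1 2f a5 9f 3f")
# Constructed 24-octet NT-Response, for illustration only.
NT_RESPONSE = bytes(range(24))


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """GetMasterKey(): SHA-1(PasswordHashHash || NTResponse || Magic1)[:16]."""
    if len(password_hash_hash) < 16 or len(nt_response) != 24:
        raise ValueError("need 16 octets of hash and a 24-octet NT-Response")
    return hashlib.sha1(password_hash_hash[:16] + nt_response + MAGIC1).digest()[:16]


def get_asymmetric_start_key(master_key: bytes, key_len: int,
                             is_send: bool, is_server: bool) -> bytes:
    """GetAsymmetricStartKey(): the direction is chosen by Magic2 or Magic3."""
    if len(master_key) != 16 or key_len not in (8, 16):
        raise ValueError("master key is 16 octets; session keys are 8 or 16")
    # Server-send and client-receive use Magic3; the other two cases use Magic2.
    magic = MAGIC3 if is_send == is_server else MAGIC2
    digest = hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()
    return digest[:key_len]


def get_new_key_from_sha(start_key: bytes, session_key: bytes, key_len: int) -> bytes:
    """GetNewKeyFromSHA() as defined in [3]."""
    data = start_key[:key_len] + SHS_PAD1 + session_key[:key_len] + SHS_PAD2
    return hashlib.sha1(data).digest()[:key_len]


def reduce_strength(key: bytes, bits: int) -> bytes:
    """Overwrite leading octets with the known constants for 40/56-bit keys."""
    out = bytearray(key)
    if bits in (40, 56):
        out[0] = 0xD1
    if bits == 40:
        out[1], out[2] = 0x26, 0x9E
    return bytes(out)


def initial_session_keys(password_hash_hash: bytes, nt_response: bytes,
                         bits: int, is_server: bool) -> tuple:
    """Return (SendSessionKey, ReceiveSessionKey) as seen by one end."""
    if bits not in (40, 56, 128):
        raise ValueError("MPPE supports 40-, 56- and 128-bit session keys")
    key_len = 16 if bits == 128 else 8
    master = get_master_key(password_hash_hash, nt_response)
    keys = []
    for is_send in (True, False):
        start = get_asymmetric_start_key(master, key_len, is_send, is_server)
        session = get_new_key_from_sha(start, start, key_len)
        keys.append(reduce_strength(session, bits))
    return tuple(keys)


if __name__ == "__main__":
    for bits in (40, 56, 128):
        send, recv = initial_session_keys(PASSWORD_HASH_HASH, NT_RESPONSE, bits, True)
        print(f"{bits:>3}-bit server send   :", send.hex(" "))
        print(f"{bits:>3}-bit server receive:", recv.hex(" "))
```

Because the master key includes the NT-Response, a new authentication exchange yields new session keys even when the password is unchanged.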

3.4. Key Derivation Functions

The following procedures are used to derive the session key.

/*
 * Pads used in key derivation
 */
        
SHSpad1[40] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

SHSpad2[40] = {0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2};

/*
 * "Magic" constants used in key derivations
 */
        
Magic1[27] = {0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79};

Magic2[84] = {0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20, 0x6b, 0x65, 0x79, 0x2e};

Magic3[84] = {0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20, 0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79, 0x2e};

   GetMasterKey(
   IN   16-octet  PasswordHashHash,
   IN   24-octet  NTResponse,
   OUT  16-octet  MasterKey )
   {
      20-octet Digest;

      ZeroMemory(Digest, sizeof(Digest));

      /*
       * SHSInit(), SHSUpdate() and SHSFinal()
       * are an implementation of the Secure Hash Standard [7].
       */

      SHSInit(Context);
      SHSUpdate(Context, PasswordHashHash, 16);
      SHSUpdate(Context, NTResponse, 24);
      SHSUpdate(Context, Magic1, 27);
      SHSFinal(Context, Digest);

      MoveMemory(MasterKey, Digest, 16);
   }
        
   VOID
   GetAsymetricStartKey(
   IN   16-octet      MasterKey,
   OUT  8-to-16 octet SessionKey,
   IN   INTEGER       SessionKeyLength,
   IN   BOOLEAN       IsSend,
   IN   BOOLEAN       IsServer )
   {
      20-octet Digest;

      ZeroMemory(Digest, 20);

      if (IsSend) {
         if (IsServer) {
            s = Magic3
         } else {
            s = Magic2
         }
      } else {
         if (IsServer) {
            s = Magic2
         } else {
            s = Magic3
         }
      }

      /*
       * SHSInit(), SHSUpdate() and SHSFinal()
       * are an implementation of the Secure Hash Standard [7].
       */

      SHSInit(Context);
      SHSUpdate(Context, MasterKey, 16);
      SHSUpdate(Context, SHSpad1, 40);
      SHSUpdate(Context, s, 84);
      SHSUpdate(Context, SHSpad2, 40);
      SHSFinal(Context, Digest);

      MoveMemory(SessionKey, Digest, SessionKeyLength);
   }
        
3.5. Sample Key Derivations

The following sections illustrate 40-, 56- and 128-bit key derivations. All intermediate values are in hexadecimal.

3.5.1. Sample 40-bit Key Derivation

Initial Values

   UserName = "User" = 55 73 65 72

   Password = "clientPass" = 63 00 6C 00 69 00 65 00 6E 00 74 00 50 00 61 00 73 00 73 00

   AuthenticatorChallenge = 5B 5D 7C 7D 7B 3F 2F 3E 3C 2C 60 21 32 26 26 28

   PeerChallenge = 21 40 23 24 25 5E 26 2A 28 29 5F 2B 3A 33 7C 7E

   Challenge = D0 2E 43 86 BC E9 12 26

   NT-Response = 82 30 9E CD 8D 70 8B 5E A0 8F AA 39 81 CD 83 54 42 33 11 4A 3D 85 D6 DF

Step 1: NtPasswordHash(Password, PasswordHash)
   PasswordHash = 44 EB BA 8D 53 12 B8 D6 11 47 44 11 F5 69 89 AE

Step 2: PasswordHashHash = MD4(PasswordHash)
   PasswordHashHash = 41 C0 0C 58 4B D2 D9 1C 40 17 A2 A1 2F A5 9F 3F

Step 3: Derive the master key (GetMasterKey())
   MasterKey = FD EC E3 71 7A 8C 83 8C B3 88 E5 27 AE 3C DD 31

Step 4: Derive the master send session key (GetAsymmetricStartKey())
   SendStartKey40 = 8B 7C DC 14 9B 99 3A 1B

Step 5: Derive the initial send session key (GetNewKeyFromSHA())
   SendSessionKey40 = D1 26 9E C4 9F A6 2E 3E

Sample Encrypted Message
   rc4(SendSessionKey40, "test message") = 92 91 37 91 7E 58 03 D6 68 D7 58 98

3.5.2. Sample 56-bit Key Derivation

Initial Values

   UserName = "User" = 55 73 65 72

   Password = "clientPass" = 63 00 6C 00 69 00 65 00 6E 00 74 00 50 00 61 00 73 00 73 00

   AuthenticatorChallenge = 5B 5D 7C 7D 7B 3F 2F 3E 3C 2C 60 21 32 26 26 28

   PeerChallenge = 21 40 23 24 25 5E 26 2A 28 29 5F 2B 3A 33 7C 7E

   Challenge = D0 2E 43 86 BC E9 12 26

   NT-Response = 82 30 9E CD 8D 70 8B 5E A0 8F AA 39 81 CD 83 54 42 33 11 4A 3D 85 D6 DF

Step 1: NtPasswordHash(Password, PasswordHash)
   PasswordHash = 44 EB BA 8D 53 12 B8 D6 11 47 44 11 F5 69 89 AE

Step 2: PasswordHashHash = MD4(PasswordHash)
   PasswordHashHash = 41 C0 0C 58 4B D2 D9 1C 40 17 A2 A1 2F A5 9F 3F

Step 3: Derive the master key (GetMasterKey())
   MasterKey = FD EC E3 71 7A 8C 83 8C B3 88 E5 27 AE 3C DD 31

Step 4: Derive the master send session key (GetAsymmetricStartKey())
   SendStartKey56 = 8B 7C DC 14 9B 99 3A 1B

Step 5: Derive the initial send session key (GetNewKeyFromSHA())
   SendSessionKey56 = D1 5C 00 C4 9F A6 2E 3E

Sample Encrypted Message
   rc4(SendSessionKey56, "test message") = 3F 10 68 33 FA 44 8D A8 42 BC 57 58

3.5.3. Sample 128-bit Key Derivation

Initial Values

   UserName = "User" = 55 73 65 72

   Password = "clientPass" = 63 00 6C 00 69 00 65 00 6E 00 74 00 50 00 61 00 73 00 73 00

   AuthenticatorChallenge = 5B 5D 7C 7D 7B 3F 2F 3E 3C 2C 60 21 32 26 26 28

   PeerChallenge = 21 40 23 24 25 5E 26 2A 28 29 5F 2B 3A 33 7C 7E

   Challenge = D0 2E 43 86 BC E9 12 26

   NT-Response = 82 30 9E CD 8D 70 8B 5E A0 8F AA 39 81 CD 83 54 42 33 11 4A 3D 85 D6 DF

Step 1: NtPasswordHash(Password, PasswordHash)
   PasswordHash = 44 EB BA 8D 53 12 B8 D6 11 47 44 11 F5 69 89 AE

Step 2: PasswordHashHash = MD4(PasswordHash)
   PasswordHashHash = 41 C0 0C 58 4B D2 D9 1C 40 17 A2 A1 2F A5 9F 3F

Step 3: Derive the master key (GetMasterKey())
   MasterKey = FD EC E3 71 7A 8C 83 8C B3 88 E5 27 AE 3C DD 31

Step 4: Derive the send master session key (GetAsymmetricStartKey())
   SendStartKey128 = 8B 7C DC 14 9B 99 3A 1B A1 18 CB 15 3F 56 DC CB

Step 5: Derive the initial send session key (GetNewKeyFromSHA())
   SendSessionKey128 = 40 5C B2 24 7A 79 56 E6 E2 11 00 7A E2 7B 22 D4

Sample Encrypted Message
   rc4(SendSessionKey128, "test message") = 81 84 83 17 DF 68 84 62 72 FB 5A BE
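The following Python sketch is an added example, not part of the memo: it re-implements GetMasterKey() and GetAsymetricStartKey() from the pseudocode above and recomputes Steps 3 to 5 of section 3.5 so an implementer can check a port against the sample values. The Python names are this example's own, GetNewKeyFromSHA() follows its definition in [3], and because the samples do not say which side computed SendStartKey, the check tries both roles.

```python
import hashlib

# Constants from the memo; Magic1 and the SHS pads are defined before the
# functions above (40 octets of 0x00 and 40 octets of 0xF2).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40

# Sample values copied from section 3.5.
PASSWORD_HASH_HASH = bytes.fromhex("41 C0 0C 58 4B D2 D9 1C 40 17 A2 A1 2F A5 9F 3F")
NT_RESPONSE = bytes.fromhex(
    "82 30 9E CD 8D 70 8B 5E A0 8F AA 39 81 CD 83 54 42 33 11 4A 3D 85 D6 DF")
MASTER_KEY = bytes.fromhex("FD EC E3 71 7A 8C 83 8C B3 88 E5 27 AE 3C DD 31")
SEND_START_KEY128 = bytes.fromhex("8B 7C DC 14 9B 99 3A 1B A1 18 CB 15 3F 56 DC CB")
SEND_SESSION_KEYS = {
    40: bytes.fromhex("D1 26 9E C4 9F A6 2E 3E"),
    56: bytes.fromhex("D1 5C 00 C4 9F A6 2E 3E"),
    128: bytes.fromhex("40 5C B2 24 7A 79 56 E6 E2 11 00 7A E2 7B 22 D4"),
}


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """GetMasterKey(): first 16 octets of SHA-1(PasswordHashHash|NTResponse|Magic1)."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("expected a 16-octet hash and a 24-octet NT-Response")
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def get_asymmetric_start_key(master_key: bytes, key_len: int,
                             is_send: bool, is_server: bool) -> bytes:
    """GetAsymetricStartKey(): Magic3 when IsSend == IsServer, else Magic2."""
    if len(master_key) != 16 or not 8 <= key_len <= 16:
        raise ValueError("expected a 16-octet master key and an 8..16 octet length")
    magic = MAGIC3 if is_send == is_server else MAGIC2
    return hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()[:key_len]


def get_new_key_from_sha(start_key: bytes, session_key: bytes, key_len: int) -> bytes:
    """GetNewKeyFromSHA() as defined in [3]; it is not defined in this memo."""
    data = start_key[:key_len] + SHS_PAD1 + session_key[:key_len] + SHS_PAD2
    return hashlib.sha1(data).digest()[:key_len]


def initial_session_key(start_key: bytes, bits: int) -> bytes:
    """Initial transient key, with the 40/56-bit strength reduction applied."""
    if bits not in (40, 56, 128):
        raise ValueError("MPPE key strength must be 40, 56 or 128 bits")
    key_len = 16 if bits == 128 else 8
    key = bytearray(get_new_key_from_sha(start_key, start_key, key_len))
    if bits == 40:
        key[0:3] = b"\xd1\x26\x9e"   # only 5 octets (40 bits) stay secret
    elif bits == 56:
        key[0] = 0xD1                # only 7 octets (56 bits) stay secret
    return bytes(key)


def sample_send_role(master_key: bytes, expected: bytes):
    """Return 'client' or 'server' for the role whose send key equals expected."""
    for role, is_server in (("client", False), ("server", True)):
        if get_asymmetric_start_key(master_key, len(expected), True, is_server) == expected:
            return role
    return None


if __name__ == "__main__":
    mk = get_master_key(PASSWORD_HASH_HASH, NT_RESPONSE)
    print("MasterKey matches sample:", mk == MASTER_KEY)
    print("SendStartKey128 is the send key of:", sample_send_role(mk, SEND_START_KEY128))
    for bits, want in SEND_SESSION_KEYS.items():
        print(bits, "bit session key matches:",
              initial_session_key(SEND_START_KEY128, bits) == want)
```

The 40-bit and 56-bit keys come out of the same 8-octet digest and differ only in the overwritten leading octets, which is why the two sample session keys share their last five octets.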

4. Deriving MPPE Session Keys from TLS Session Keys

The Extensible Authentication Protocol (EAP) [10] is a PPP extension that provides support for additional authentication methods within PPP. Transport Level Security (TLS) [11] provides for mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. EAP-TLS [12] is an EAP authentication type which allows the use of TLS within the PPP authentication framework. The following sections describe the methods used to derive initial session keys from TLS session keys. 56-, 40- and 128-bit keys are derived using the same algorithm. The only difference is in the length of the keys and their effective strength: 56- and 40-bit keys are 8 octets in length, while 128-bit keys are 16 octets long. Separate keys are derived for the send and receive directions of the session.

4.1. Generating 40-bit Session Keys

When MPPE is used in conjunction with EAP-TLS authentication, the TLS master secret is used as the master session key.

The algorithm used to derive asymmetrical master session keys from the TLS master secret is described in [12]. The master session keys are never used to encrypt or decrypt data; they are only used in the derivation of transient session keys.

Implementation Note

If the asymmetrical master keys are less than 8 octets in length, they MUST be padded on the left with zeroes before being used to derive the initial transient session keys. Conversely, if the asymmetrical master keys are more than 8 octets in length, they must be truncated to 8 octets before being used to derive the initial transient session keys.

The initial transient session keys are obtained by calling the function GetNewKeyFromSHA() (described in [3]):

      GetNewKeyFromSHA(MasterSendKey, MasterSendKey, 8, SendSessionKey)
      GetNewKeyFromSHA(MasterReceiveKey, MasterReceiveKey, 8, ReceiveSessionKey)

Next, the effective strength of both keys is reduced by setting the first three octets to known constants:

      SendSessionKey[0] = ReceiveSessionKey[0] = 0xD1
      SendSessionKey[1] = ReceiveSessionKey[1] = 0x26
      SendSessionKey[2] = ReceiveSessionKey[2] = 0x9E

Finally, the RC4 tables are initialized using the new session keys:

      rc4_key(SendRC4key, 8, SendSessionKey)
      rc4_key(ReceiveRC4key, 8, ReceiveSessionKey)

4.2. Generating 56-bit Session Keys

When MPPE is used in conjunction with EAP-TLS authentication, the TLS master secret is used as the master session key.

The algorithm used to derive asymmetrical master session keys from the TLS master secret is described in [12]. The master session keys are never used to encrypt or decrypt data; they are only used in the derivation of transient session keys.

Implementation Note

If the asymmetrical master keys are less than 8 octets in length, they MUST be padded on the left with zeroes before being used to derive the initial transient session keys. Conversely, if the asymmetrical master keys are more than 8 octets in length, they must be truncated to 8 octets before being used to derive the initial transient session keys.

The initial transient session keys are obtained by calling the function GetNewKeyFromSHA() (described in [3]):

      GetNewKeyFromSHA(MasterSendKey, MasterSendKey, 8, SendSessionKey)
      GetNewKeyFromSHA(MasterReceiveKey, MasterReceiveKey, 8, ReceiveSessionKey)

Next, the effective strength of both keys is reduced by setting the initial octet to a known constant:

      SendSessionKey[0] = ReceiveSessionKey[0] = 0xD1

Finally, the RC4 tables are initialized using the new session keys:

      rc4_key(SendRC4key, 8, SendSessionKey)
      rc4_key(ReceiveRC4key, 8, ReceiveSessionKey)

4.3. Generating 128-bit Session Keys

When MPPE is used in conjunction with EAP-TLS authentication, the TLS master secret is used as the master session key.

The algorithm used to derive asymmetrical master session keys from the TLS master secret is described in [12]. Note that the send key on one side is the receive key on the other.

The master session keys are never used to encrypt or decrypt data; they are only used in the derivation of transient session keys.

Implementation Note

If the asymmetrical master keys are less than 16 octets in length, they MUST be padded on the left with zeroes before being used to derive the initial transient session keys. Conversely, if the asymmetrical master keys are more than 16 octets in length, they must be truncated to 16 octets before being used to derive the initial transient session keys.

The initial transient session keys are obtained by calling the function GetNewKeyFromSHA() (described in [3]):

      GetNewKeyFromSHA(MasterSendKey, MasterSendKey, 16, SendSessionKey)
      GetNewKeyFromSHA(MasterReceiveKey, MasterReceiveKey, 16, ReceiveSessionKey)

Finally, the RC4 tables are initialized using the new session keys:

      rc4_key(SendRC4key, 16, SendSessionKey)
      rc4_key(ReceiveRC4key, 16, ReceiveSessionKey)

5. Security Considerations

5.1. MS-CHAP Credentials

Because of the way in which 40-bit keys are derived from MS-CHAP-1 credentials, the initial 40-bit session key will be identical in all sessions established under the same peer credentials. For this reason, and because RC4 with a 40-bit key length is believed to be a relatively weak cipher, peers SHOULD NOT use 40-bit keys derived from the LAN Manager password hash (as described above) if it can be avoided.

Since the MPPE session keys are derived from user passwords (in the MS-CHAP-1 and MS-CHAP-2 cases), care should be taken to ensure the selection of strong passwords and passwords should be changed frequently.

5.2. EAP-TLS Credentials

The strength of the session keys is dependent upon the security of the TLS protocol.

The EAP server may be on a separate machine from the PPP authenticator; if this is the case, adequate care must be taken in the transmission of the EAP-TLS master keys to the authenticator.

6. References

[1] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

[2] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2433, October 1998.

[3] Pall, G. and G. Zorn, "Microsoft Point-to-Point Encryption (MPPE)", RFC 3078, March 2001.

[4] RC4 is a proprietary encryption algorithm available under license from RSA Data Security Inc. For licensing information, contact: RSA Data Security, Inc., 100 Marine Parkway, Redwood City, CA 94065-1031

[5] Pall, G., "Microsoft Point-to-Point Compression (MPPC) Protocol", RFC 2118, March 1997.

[6] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[7] "Secure Hash Standard", Federal Information Processing Standards Publication 180-1, National Institute of Standards and Technology, April 1995.

[8] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", RFC 2759, January 2000.

[9] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[10] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998.

[11] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.

[12] Aboba, B. and D. Simon, "PPP EAP TLS Authentication Protocol", RFC 2716, October 1999.

7. Acknowledgements

Anthony Bell, Richard B. Ward, Terence Spies and Thomas Dimitri, all of Microsoft Corporation, significantly contributed to the design and development of MPPE.

Additional thanks to Robert Friend, Joe Davies, Jody Terrill, Archie Cobbs, Mark Deuser, Vijay Baliga, Brad Robel-Forrest and Jeff Haag for useful feedback.

The technical portions of this memo were completed while the author was employed by Microsoft Corporation.

8. Author's Address

Questions about this memo can also be directed to:

   Glen Zorn
   cisco Systems
   500 108th Avenue N.E.
   Suite 500
   Bellevue, Washington 98004
   USA

   Phone: +1 425 438 8218
   FAX:   +1 425 438 1848
   EMail: gwz@cisco.com
        
9. Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
