Is RAS Safe?

Demystifying Windows NT 4.0's RAS security to answer this relevant question

You've probably seen the commercials in which businessmen and consumers alike are debating whether sending confidential information over the Internet is safe. You might even have pondered the issue as you were about to order flowers or send proprietary files over the Internet.

"Is it safe?" is a valid question, given that about 11 millionAmericans telecommute at least once a day. The increasing popularity oftelecommuting is pressuring businesses to give employees and customers secure access to enterprise networks and the Internet. Network administrators and managers are spending thousands and even millions of dollars to secure their sites and networks.

In the past, companies often used clear text passwords for remote accessconnectivity. Although some Internet Service Providers (ISPs) still offer only clear text authentication, many are switching to more secure authentication methods, such as the one in Windows NT 4.0.

NT 4.0's Remote Access Service (RAS) offers much more than encryptedauthentication. Microsoft claims that using NT RAS to dial in remotely is even more secure than logging on to a LAN file server. This claim carries some weight because RAS security features--such as authentication protocols, encryption standards, security hosts, and Point-to-Point Tunneling Protocol (PPTP)--are not usually available when you log on to a LAN.

Authentication Protocols
NT 4.0 uses various types of authentication protocols, including PasswordAuthentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP),Challenge Handshake Authentication Protocol (CHAP), and Microsoft CHAP(MS-CHAP). These protocols directly affect the type of encryption that remoteaccess clients can use.

PAP and SPAP
PAP is the least sophisticated authentication protocol. PAP encrypts thepassword database but not the user ID or password.

Because PAP uses clear-text passwords, you use PAP in only twocircumstances: when you're dialing in to a Point-to-Point Protocol (PPP) serverthat does not support encrypted authentication and when you're dialing into aSerial Line IP (SLIP) server. (SLIP servers understand only clear-textpasswords.) In general, you use PAP only when the client and server cannotnegotiate a more secure form of authentication.

SPAP is Shiva's proprietary version of PAP. SPAP is more secure than PAPbecause SPAP uses a two-way (reversible) authentication method that encryptspasswords. Thus, SPAP offers a medium level of security for remote access.

Shiva uses SPAP in its remote access client software. Thus, you can useSPAP to connect an NT client to a Shiva LanRover or a Shiva client to an NTserver. You can also use SPAP when a Windows 95 (Win95) client is set up foruser-level security using a Novell NetWare account.

CHAP and MS-CHAP
An important distinction exists between CHAP and MS-CHAP. CHAP is a widelyaccepted industry authentication protocol; MS-CHAP, a proprietary protocol, isnot. You can, however, use MS-CHAP with CHAP.

CHAP provides a higher level of security for remote access than PAP. CHAPencrypts the user ID or password, but the CHAP password database is in cleartext.

CHAP uses a three-way handshake to provide encrypted authentication. Theauthenticator first sends out a challenge to the client. The client respondswith a one-way encrypted value. The authenticator checks to see whether thevalue matches. If it does, the authenticator acknowledges the authentication.CHAP then periodically verifies the client's identity. It changes the challengevalue every time it sends out a message, which protects against playback attacks(i.e., a hacker records the exchange and plays back the message to obtainfraudulent access).

MS-CHAP, the most secure encryption algorithm that NT supports, isMicrosoft's version of RSA Data Security's MD4 standard. MS-CHAP uses a one-wayhash function to produce a message-digest algorithm. A hash function takes avariable-size input and returns a fixed-size 128-bit string. This type ofalgorithm produces a secure checksum for each message, making it almostimpossible to change the message if you don't know the checksum. (For moreinformation on hashed passwords, see Mark Minasi, "Windows NT Logons,"June 1997.)

Both NT 4.0 and Win95 RAS clients use MS-CHAP to negotiate a PPP connectionto an NT RAS server. MS-CHAP corresponds to the Require Microsoft EncryptedAuthentication encryption setting on the RAS server. MS-CHAP uses RSA DataSecurity's RC4 algorithm to support RAS session user data encryption. Currently,NT uses two versions of the algorithm: 128-bit RC4 encryption for the US andCanada and 40-bit RC4 encryption for export. Microsoft cannot export the 128-bitversion because US law prevents American companies from exporting software withan encryption scheme exceeding 40 bits. (Congress is currently debating HR 695,a bill that would let US companies export 56-bit encryption software. For moreinformation on this bill's history, see Mark Smith's editorial, "The Key tothe Kingdom," June 1997. For updates on where HR 695 is in Congress, go tohttp://www.privacy.org.)

With MS-CHAP, you can configure the RAS server so that users connecting tothe server can send only encrypted data. However, some vendors do not supportMS-CHAP in their products, and therefore, you probably could not connect tothose products.

Encryption Standards
Data encryption software often uses two types of encryption algorithms:public-key algorithms and shared-key algorithms. Public-key algorithms use twodifferent keys for encryption and decryption, which is why people often refer tothem as asymmetric algorithms. The software owner keeps a private key, and usersshare a public key.

Public-key algorithms are painfully slow. Thus, vendors usually use themonly to encrypt session keys or digitally sign messages. Pretty good privacy(PGP) is a popular encryption program that lets people exchange files andmessages in a private and convenient way. PGP offers a highly secureimplementation of public-key technology to the masses. It uses RSA public-keycryptosystem and is faster than most other implementations of public-keycryptography.

Shared-key algorithms use the same key for encryption and decryption, whichis why people often refer to them as symmetric algorithms. Vendors useshared-key algorithms more often than public-key algorithms in their encryptionsoftware because shared-key algorithms work much faster, especially when you'reencrypting a large amount of data. The shared key (also called the sharedsecret) is usually the user's password, as is the case with NT 4.0. Two commonlyused shared-key encryption standards are MD5-CHAP and Data Encryption Standard(DES).

MD5-CHAP
MD5-CHAP is an encryption scheme from RSA Data Security. It produces a128-bit hash code of an input file. On a 32-bit architecture, MD5-CHAP providesa fast and simple algorithm that can process input in 512-bit blocks.

Various PPP vendors use MD5-CHAP. Microsoft RAS clients can use MD5-CHAPwhen connecting to third-party remote access servers. Although MD5-CHAP isavailable on the client side, it is not available on NT RAS servers because itrequires servers to use a clear-text password.

DES
NT and Win95 clients automatically use DES when they communicate with an NTserver over RAS. DES is a 64-bit symmetric block cipher that has a fixed keylength of 56-bits. DES, a standard developed by the National Institute ofStandards and Technology (NIST), uses an encryption key that is a binary numberwith 72 quadrillion possible combinations. Because each session uses a randomlyselected encryption key, DES is a very secure encryption standard. DES is alsofast. The encryption speed for DES on a Pentium 120MHz system is more than1MBps.

Because DES is a US government standard, most people consider it a strongencryption scheme. But in June 1997, in response to RSA Data Security's $10,000challenge, cryptography ex-perts decoded a message protected by 56-bit DESencryption. They checked 18 quadrillion keys until they found the correct keythat revealed the encrypted message: "The unknown message is: Strongcryptography makes the world a safer place." Thus, cryptography expertsbelieve that the 56-bit DES is not strong enough and recommend using 128-bitencryption instead. The 128-bit encryption requires 4.7 trillion billion timesas much work as breaking 56-bit encryption.

NT 4.0 Options for Data Encryption
Microsoft recently released Routing and Remote Access Service(RRAS--formerly code-named Steelhead), which adds new capabilities to NT 4.0'sRAS. (For more information about the differences between RAS and RRAS, see MarkMinasi, "Steelhead Swims into the Mainstream," August 1997, andDouglas Toombs, "Create a Virtual Private Network with RRAS," November1997.) RRAS supports 256 simultaneous remote access connections, 48 demand-dial interfaces, and 16 LAN interfaces. Table 1 describes the authentication and encryption settings in NT 4.0 under RRAS.

One new capability that RRAS brings to NT 4.0 is the Require strongdata encryption option. As Screen 1 shows, when you select the RequireMicrosoft encrypted authentication box, you can choose from two levels ofencryption: Require data encryption or Require strong dataencryption.

Require data encryption ensures that only encrypted data travelsbetween the client and the server. RSA Data Security's RC4 algorithm providesthis encryption. The clients must support MS-CHAP to take advantage of dataencryption feature.

Require strong data encryption lets you use the strongest possibleencryption scheme on your system. Thus, if you have 128-bit encryption on yoursystem, this option forces you and those to whom you are connecting to use it.Therefore, you must make sure that the PC on the other end of your connectioncan negotiate a 128-bit encryption; otherwise, you will not be able to connectto the PC. Similarly, RAS clients and other routers must use the Requirestrong data encryption option if they want to connect with your system. RRASdoes not support third parties' strong encryption options.

Another new capability is support for Remote Authentication Dial-In UserService. RADIUS is a protocol that provides remote authentication and accountingof dial-in users. A RADIUS database stores a profile of each user in thenetwork. The profile contains permission, routing, packet-filtering, billing,and other data.

As Figure 1 shows, here is how RADIUS authentication works:

When you install RRAS, you can select either NT or RADIUS as theauthentication provider. If you check the RADIUS box, your NT system acts as aRADIUS client and connects to a RADIUS server.

Win95 Client Options for Data Encryption
Win95 clients, by default, do not require encrypted authentication. You canenable encryption by going to Connection Properties and selecting the ServerTypes tab. If you check the Allow any authentication including clear textbox on the NT RAS server and leave the Require encrypted password boxunchecked on the Win95 client, the client will use DES encryption because boththe client and server are using RAS. If you dial in to another server (such asan ISP), the Win95 client can use clear text (PAP) authentication.

Win95 supports PAP and MS-CHAP but not CHAP. If you are using devices thatdo not support MS-CHAP (e.g., 3COM's ISDN modems), you must leave the Requireencrypted password box unchecked for Win95 clients, as shown in Screen 2.You must also leave the Require Microsoft encrypted authentication boxunchecked for the NT client. If the PPP server you are dialing in to supportsCHAP, you need to select Require encrypted authentication for the NTclient. If the server does not support encryption, you need to select Allowany authentication including clear text.

Security Hosts
A security host is a third-party authentication device that verifies whethera remote access client has authorization to connect to the RAS server. Varioustypes of security hosts are available. One type of security host requires thatthe user enter the security host's account name and password before gainingaccess to the RAS server. The security host checks the account name and thepassword against its database. If the user is authenticated, he or she can thenconnect to the RAS server for further authentication and access to the networkresources. The security host's account name and password do not have to matchthe RAS server's username and password.

Another type of security host consists of two hardware devices: a securityhost and a security card. The security host, which sits between the RAS serverand its modem, calculates a different access number every minute. The hostsynchronizes the access number with the number displayed on the security card.The card, which looks like a pocket calculator, remains with the user. When usercalls in, he or she enters the number displayed on the security card. If thenumber matches, the security host lets the user connect to the RAS server. (Foran example of this type of security host, see Ben Rothke, "Token-BasedSecurity Add-Ons," June 1997.)

Security host verification does not bypass, but rather augments, NT RASsecurity. The security host usually sits between the client and the RAS server.It uses a hardware key for authentication. When clients dial in, the securityhost must authenticate them before they can reach the RAS server. After thesecurity host authenticates clients, the RAS server must also authenticate them.

PPTP and PPP
PPTP creates a secure tunnel between a RAS client and the RAS server. PPTPuses PPP--a popular industry protocol for dial-up access services that includesauthentication and encryption standards--to provide compressed and encryptedcommunication.

PPTP lets clients use the Internet to access a private network. The re-moteaccess client uses a modem or ISDN line to connect to the local ISP. The remoteaccess client then makes a second RAS connection (this time using PPTP overTCP/IP) to establish a secure connection to the PPTP RAS server. Thisarrangement is a Virtual Private Network (VPN). (For more information aboutPPTP, see Douglas Toombs, "Point-to-Point Tunneling Protocol," June1997.)

An option on the RAS server enables PPTP packet filtering. This optionenhances security because it accepts and routes packets from authenticated usersonly. As Screen 3 shows, the Enable PPTP Filtering option is on the RAS serverin the Advanced IP Addressing screen. When you select this option, the serverdisables all protocols except PPTP on the network adapter.

With PPTP packet filtering and PPP's encryption standards, only secure,authorized, encrypted data can enter or leave your VPN. If hackers manage tocapture your IP datagrams when they're traveling over the Internet, the hackerswill not find much useful information to decipher. They might captureinformation such as IP headers, media headers, and PPP packets of encrypteddata, but this information will not jeopardize network security.

In addition to using PPTP filtering, you can take advantage of the EnableSecurity option. This option lets you control the type of TCP/IP network trafficthat reaches your NT server. You can select which TCP ports, User DatagramProtocol (UDP) ports, and IP protocols you allow to access your NT server.

PPTP uses TCP port 1723, and the IP protocol uses ID 47. You can use PPTP with most firewalls and routers. You route traffic destined to port 1723 through the firewall or router. PPTP supports TCP/IP, IPX, and NetBEUI protocols. (Although you can encapsulate all three, you can use only IP as the transport.)

It's Safe
RAS in NT offers a high level of security. RAS can ease any fears that youmight have about remotely accessing a private network, even if you use theInternet to make that connection. When you use RAS security features andthird-party offerings, remote access is a secure and reliable method totelecommute.