Demystifying Windows NT 4.0's RAS security to answer this relevant question

You've probably seen the commercials in which businessmen and consumers alike are debating whether sending confidential information over the Internet is safe. You might even have pondered the issue as you were about to order flowers or send proprietary files over the Internet.

"Is it safe?" is a valid question, given that about 11 million Americans telecommute at least once a day. The increasing popularity of telecommuting is pressuring businesses to give employees and customers secure access to enterprise networks and the Internet. Network administrators and managers are spending thousands and even millions of dollars to secure their sites and networks.

In the past, companies often used clear text passwords for remote access connectivity. Although some Internet Service Providers (ISPs) still offer only clear text authentication, many are switching to more secure authentication methods, such as the one in Windows NT 4.0.

NT 4.0's Remote Access Service (RAS) offers much more than encrypted authentication. Microsoft claims that using NT RAS to dial in remotely is even more secure than logging on to a LAN file server. This claim carries some weight because RAS security features--such as authentication protocols, encryption standards, security hosts, and Point-to-Point Tunneling Protocol (PPTP)--are not usually available when you log on to a LAN.

Authentication Protocols
NT 4.0 uses various types of authentication protocols, including Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft CHAP (MS-CHAP). These protocols directly affect the type of encryption that remote access clients can use.

PAP and SPAP
PAP is the least sophisticated authentication protocol. PAP encrypts the password database but not the user ID or password.

Because PAP uses clear-text passwords, you use PAP in only two circumstances: when you're dialing in to a Point-to-Point Protocol (PPP) server that does not support encrypted authentication and when you're dialing into a Serial Line IP (SLIP) server. (SLIP servers understand only clear-text passwords.) In general, you use PAP only when the client and server cannot negotiate a more secure form of authentication.

SPAP is Shiva's proprietary version of PAP. SPAP is more secure than PAP because SPAP uses a two-way (reversible) authentication method that encrypts passwords. Thus, SPAP offers a medium level of security for remote access.

Shiva uses SPAP in its remote access client software. Thus, you can use SPAP to connect an NT client to a Shiva LanRover or a Shiva client to an NT server. You can also use SPAP when a Windows 95 (Win95) client is set up for user-level security using a Novell NetWare account.

CHAP and MS-CHAP
An important distinction exists between CHAP and MS-CHAP. CHAP is a widely accepted industry authentication protocol; MS-CHAP, a proprietary protocol, is not. You can, however, use MS-CHAP with CHAP.

CHAP provides a higher level of security for remote access than PAP. CHAP encrypts the user ID or password, but the CHAP password database is in clear text.

CHAP uses a three-way handshake to provide encrypted authentication. The authenticator first sends out a challenge to the client. The client responds with a one-way encrypted value. The authenticator checks to see whether the value matches. If it does, the authenticator acknowledges the authentication. CHAP then periodically verifies the client's identity. It changes the challenge value every time it sends out a message, which protects against playback attacks (i.e., a hacker records the exchange and plays back the message to obtain fraudulent access).

MS-CHAP, the most secure encryption algorithm that NT supports, is Microsoft's version of RSA Data Security's MD4 standard. MS-CHAP uses a one-way hash function to produce a message-digest algorithm. A hash function takes a variable-size input and returns a fixed-size 128-bit string. This type of algorithm produces a secure checksum for each message, making it almost impossible to change the message if you don't know the checksum. (For more information on hashed passwords, see Mark Minasi, "Windows NT Logons," June 1997.)

Both NT 4.0 and Win95 RAS clients use MS-CHAP to negotiate a PPP connection to an NT RAS server. MS-CHAP corresponds to the Require Microsoft Encrypted Authentication encryption setting on the RAS server. MS-CHAP uses RSA Data Security's RC4 algorithm to support RAS session user data encryption. Currently, NT uses two versions of the algorithm: 128-bit RC4 encryption for the US and Canada and 40-bit RC4 encryption for export. Microsoft cannot export the 128-bit version because US law prevents American companies from exporting software with an encryption scheme exceeding 40 bits. (Congress is currently debating HR 695, a bill that would let US companies export 56-bit encryption software. For more information on this bill's history, see Mark Smith's editorial, "The Key to the Kingdom," June 1997. For updates on where HR 695 is in Congress, go to http://www.privacy.org.)

With MS-CHAP, you can configure the RAS server so that users connecting to the server can send only encrypted data. However, some vendors do not support MS-CHAP in their products, and therefore, you probably could not connect to those products.

Encryption Standards
Data encryption software often uses two types of encryption algorithms: public-key algorithms and shared-key algorithms. Public-key algorithms use two different keys for encryption and decryption, which is why people often refer to them as asymmetric algorithms. The software owner keeps a private key, and users share a public key.

Public-key algorithms are painfully slow. Thus, vendors usually use them only to encrypt session keys or digitally sign messages. Pretty good privacy (PGP) is a popular encryption program that lets people exchange files and messages in a private and convenient way. PGP offers a highly secure implementation of public-key technology to the masses. It uses RSA public-key cryptosystem and is faster than most other implementations of public-key cryptography.

Shared-key algorithms use the same key for encryption and decryption, which is why people often refer to them as symmetric algorithms. Vendors use shared-key algorithms more often than public-key algorithms in their encryption software because shared-key algorithms work much faster, especially when you're encrypting a large amount of data. The shared key (also called the shared secret) is usually the user's password, as is the case with NT 4.0. Two commonly used shared-key encryption standards are MD5-CHAP and Data Encryption Standard (DES).

MD5-CHAP
MD5-CHAP is an encryption scheme from RSA Data Security. It produces a 128-bit hash code of an input file. On a 32-bit architecture, MD5-CHAP provides a fast and simple algorithm that can process input in 512-bit blocks.

Various PPP vendors use MD5-CHAP. Microsoft RAS clients can use MD5-CHAP when connecting to third-party remote access servers. Although MD5-CHAP is available on the client side, it is not available on NT RAS servers because it requires servers to use a clear-text password.

DES
NT and Win95 clients automatically use DES when they communicate with an NT server over RAS. DES is a 64-bit symmetric block cipher that has a fixed key length of 56-bits. DES, a standard developed by the National Institute of Standards and Technology (NIST), uses an encryption key that is a binary number with 72 quadrillion possible combinations. Because each session uses a randomly selected encryption key, DES is a very secure encryption standard. DES is also fast. The encryption speed for DES on a Pentium 120MHz system is more than 1MBps.

Because DES is a US government standard, most people consider it a strong encryption scheme. But in June 1997, in response to RSA Data Security's $10,000 challenge, cryptography ex-perts decoded a message protected by 56-bit DES encryption. They checked 18 quadrillion keys until they found the correct key that revealed the encrypted message: "The unknown message is: Strong cryptography makes the world a safer place." Thus, cryptography experts believe that the 56-bit DES is not strong enough and recommend using 128-bit encryption instead. The 128-bit encryption requires 4.7 trillion billion times as much work as breaking 56-bit encryption.

NT 4.0 Options for Data Encryption
Microsoft recently released Routing and Remote Access Service (RRAS--formerly code-named Steelhead), which adds new capabilities to NT 4.0's RAS. (For more information about the differences between RAS and RRAS, see Mark Minasi, "Steelhead Swims into the Mainstream," August 1997, and Douglas Toombs, "Create a Virtual Private Network with RRAS," November 1997.) RRAS supports 256 simultaneous remote access connections, 48 demand-dial interfaces, and 16 LAN interfaces. Table 1 describes the authentication and encryption settings in NT 4.0 under RRAS.

One new capability that RRAS brings to NT 4.0 is the Require strong data encryption option. As Screen 1 shows, when you select the Require Microsoft encrypted authentication box, you can choose from two levels of encryption: Require data encryption or Require strong data encryption.

Require data encryption ensures that only encrypted data travels between the client and the server. RSA Data Security's RC4 algorithm provides this encryption. The clients must support MS-CHAP to take advantage of data encryption feature.

Require strong data encryption lets you use the strongest possible encryption scheme on your system. Thus, if you have 128-bit encryption on your system, this option forces you and those to whom you are connecting to use it. Therefore, you must make sure that the PC on the other end of your connection can negotiate a 128-bit encryption; otherwise, you will not be able to connect to the PC. Similarly, RAS clients and other routers must use the Require strong data encryption option if they want to connect with your system. RRAS does not support third parties' strong encryption options.

Another new capability is support for Remote Authentication Dial-In User Service. RADIUS is a protocol that provides remote authentication and accounting of dial-in users. A RADIUS database stores a profile of each user in the network. The profile contains permission, routing, packet-filtering, billing, and other data.

As Figure 1 shows, here is how RADIUS authentication works:

    1. A remote access client dials in to a RAS server.
    2. The RAS server passes the request to the RADIUS server.
    3. The RADIUS server verifies the user's logon ID and passes the request to the NT authentication server.
    4. The NT authentication server responds to the RADIUS server.
    5. The RADIUS server forwards that response and the user's profile (which is in the RADIUS server's database) to the RAS server.
    6. The RAS server grants or denies the user access to the network based on the user's profile.

When you install RRAS, you can select either NT or RADIUS as the authentication provider. If you check the RADIUS box, your NT system acts as a RADIUS client and connects to a RADIUS server.

Win95 Client Options for Data Encryption
Win95 clients, by default, do not require encrypted authentication. You can enable encryption by going to Connection Properties and selecting the Server Types tab. If you check the Allow any authentication including clear text box on the NT RAS server and leave the Require encrypted password box unchecked on the Win95 client, the client will use DES encryption because both the client and server are using RAS. If you dial in to another server (such as an ISP), the Win95 client can use clear text (PAP) authentication.

Win95 supports PAP and MS-CHAP but not CHAP. If you are using devices that do not support MS-CHAP (e.g., 3COM's ISDN modems), you must leave the Require encrypted password box unchecked for Win95 clients, as shown in Screen 2. You must also leave the Require Microsoft encrypted authentication box unchecked for the NT client. If the PPP server you are dialing in to supports CHAP, you need to select Require encrypted authentication for the NT client. If the server does not support encryption, you need to select Allow any authentication including clear text.

Security Hosts
A security host is a third-party authentication device that verifies whether a remote access client has authorization to connect to the RAS server. Various types of security hosts are available. One type of security host requires that the user enter the security host's account name and password before gaining access to the RAS server. The security host checks the account name and the password against its database. If the user is authenticated, he or she can then connect to the RAS server for further authentication and access to the network resources. The security host's account name and password do not have to match the RAS server's username and password.

Another type of security host consists of two hardware devices: a security host and a security card. The security host, which sits between the RAS server and its modem, calculates a different access number every minute. The host synchronizes the access number with the number displayed on the security card. The card, which looks like a pocket calculator, remains with the user. When user calls in, he or she enters the number displayed on the security card. If the number matches, the security host lets the user connect to the RAS server. (For an example of this type of security host, see Ben Rothke, "Token-Based Security Add-Ons," June 1997.)

Security host verification does not bypass, but rather augments, NT RAS security. The security host usually sits between the client and the RAS server. It uses a hardware key for authentication. When clients dial in, the security host must authenticate them before they can reach the RAS server. After the security host authenticates clients, the RAS server must also authenticate them.

PPTP and PPP
PPTP creates a secure tunnel between a RAS client and the RAS server. PPTP uses PPP--a popular industry protocol for dial-up access services that includes authentication and encryption standards--to provide compressed and encrypted communication.

PPTP lets clients use the Internet to access a private network. The re-mote access client uses a modem or ISDN line to connect to the local ISP. The remote access client then makes a second RAS connection (this time using PPTP over TCP/IP) to establish a secure connection to the PPTP RAS server. This arrangement is a Virtual Private Network (VPN). (For more information about PPTP, see Douglas Toombs, "Point-to-Point Tunneling Protocol," June 1997.)

An option on the RAS server enables PPTP packet filtering. This option enhances security because it accepts and routes packets from authenticated users only. As Screen 3 shows, the Enable PPTP Filtering option is on the RAS server in the Advanced IP Addressing screen. When you select this option, the server disables all protocols except PPTP on the network adapter.

With PPTP packet filtering and PPP's encryption standards, only secure, authorized, encrypted data can enter or leave your VPN. If hackers manage to capture your IP datagrams when they're traveling over the Internet, the hackers will not find much useful information to decipher. They might capture information such as IP headers, media headers, and PPP packets of encrypted data, but this information will not jeopardize network security.

In addition to using PPTP filtering, you can take advantage of the Enable Security option. This option lets you control the type of TCP/IP network traffic that reaches your NT server. You can select which TCP ports, User Datagram Protocol (UDP) ports, and IP protocols you allow to access your NT server.

PPTP uses TCP port 1723, and the IP protocol uses ID 47. You can use PPTP with most firewalls and routers. You route traffic destined to port 1723 through the firewall or router. PPTP supports TCP/IP, IPX, and NetBEUI protocols. (Although you can encapsulate all three, you can use only IP as the transport.)

It's Safe
RAS in NT offers a high level of security. RAS can ease any fears that you might have about remotely accessing a private network, even if you use the Internet to make that connection. When you use RAS security features and third-party offerings, remote access is a secure and reliable method to telecommute.