Network Working Group G. Pall Request for Comments: 3078 Microsoft Corporation Category: Informational G. Zorn Updates: 2118 cisco Systems March 2001 Microsoft Point-To-Point Encryption (MPPE) Protocol Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved.
AbstractThe Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. The PPP Compression Control Protocol provides a method to negotiate and utilize compression protocols over PPP encapsulated links. This document describes the use of the Microsoft Point to Point Encryption (MPPE) to enhance the confidentiality of PPP-encapsulated packets. Specification of Requirements In this document, the key words "MAY", "MUST, "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as described in . 3] algorithm to provide data confidentiality. The length of the session key to be used for initializing encryption tables can be negotiated. MPPE currently supports 40-bit and 128-bit session keys.
MPPE session keys are changed frequently; the exact frequency depends upon the options negotiated, but may be every packet. MPPE is negotiated within option 18  in the Compression Control Protocol.
The 'C' bit is used by MPPC  and is not discussed further in this memo. The 'D' bit is obsolete; although some older peers may attempt to negotiate this option, it SHOULD NOT be accepted. If the 'L' bit is set (corresponding to a value of 0x20 in the least significant octet), this indicates the desire of the sender to negotiate the use of 40-bit session keys. If the 'S' bit is set (corresponding to a value of 0x40 in the least significant octet), this indicates the desire of the sender to negotiate the use of 128-bit session keys. If the 'M' bit is set (corresponding to a value of 0x80 in the least significant octet), this indicates the desire of the sender to negotiate the use of 56-bit session keys. If the 'H' bit is set (corresponding to a value of 0x01 in the most significant octet), this indicates that the sender wishes to negotiate the use of stateless mode, in which the session key is changed after the transmission of each packet (see section 10, below). In the following discussion, the 'S', 'M' and 'L' bits are sometimes referred to collectively as "encryption options". All other bits are reserved and MUST be set to 0. 2]. In particular, the negotiation initiator SHOULD request all of the options it supports. The responder SHOULD NAK with a single encryption option (note that stateless mode may always be negotiated, independent of and in addition to an encryption option). If the responder supports more than one encryption option in the set requested by the initiator, the option selected SHOULD be the "strongest" option offered. Informally, the strength of the MPPE encryption options may be characterized as follows: STRONGEST 128-bit encryption ('S' bit set) 56-bit encryption ('M' bit set) 40-bit encryption ('L' bit set) WEAKEST This characterization takes into account the generally accepted strength of the cipher. The initiator SHOULD then either send another request containing the same option(s) as the responder's NAK or cancel the negotiation, dropping the connection.
10] during LCP phase and use self-describing pads. Reliability and Sequencing The MPPE scheme does not require a reliable link. Instead, it relies on a 12-bit coherency count in each packet to keep the encryption tables synchronized. If stateless mode has not been negotiated and the coherency count in the received packet does not match the expected count, the receiver MUST send a CCP Reset-Request packet to cause the resynchronization of the RC4 tables. MPPE expects packets to be delivered in sequence. MPPE MAY be used over a reliable link, as described in "PPP Reliable Transmission" , but this typically just adds unnecessary overhead since only the coherency count is required. Data Expansion The MPPE scheme does not expand or compress data. The number of octets input to and output from the MPPE processor are the same.
1]. When MPPE is successfully negotiated by the PPP Compression Control Protocol, the value of this field is 0x00FD. This value MAY be compressed when Protocol-Field-Compression is negotiated. Bit A This bit indicates that the encryption tables were initialized before this packet was generated. The receiver MUST re- initialize its tables with the current session key before decrypting this packet. This bit is referred to as the FLUSHED bit in this document. If the stateless option has been negotiated, this bit MUST be set on every encrypted packet. Note that MPPC and MPPE both recognize the FLUSHED bit; therefore, if the stateless option is negotiated, it applies to both MPPC and MPPE. Bit B This bit does not have any significance in MPPE. Bit C This bit does not have any significance in MPPE. Bit D This bit set to 1 indicates that the packet is encrypted. This bit set to 0 means that this packet is not encrypted.
Coherency Count The coherency count is used to assure that the packets are sent in proper order and that no packet has been dropped. It is a monotonically increasing counter which incremented by 1 for each packet sent. When the counter reaches 4095 (0x0FFF), it is reset to 0. Encrypted Data The encrypted data begins with the protocol field. For example, in case of an IP packet (0x0021 followed by an IP header), the MPPE processor will first encrypt the protocol field and then encrypt the IP header. If the packet contains header compression, the MPPE processor is applied AFTER header compression is performed and MUST be applied to the compressed header as well. For example, if a packet contained the protocol type 0x002D (for a compressed TCP/IP header), the MPPE processor would first encrypt 0x002D and then it would encrypt the compressed Van-Jacobsen TCP/IP header. Implementation Note If both MPPE and MPPC are negotiated on the same link, the MPPE processor MUST be invoked after the MPPC processor by the sender and the MPPE processor MUST be invoked before the MPPC processor by the receiver. 8] and TLS ) produce session keys as side effects of authentication; these keys may be used by MPPE in the future. For this reason, the techniques used to derive initial MPPE session keys are described in separate documents.
/* * SHAInit(), SHAUpdate() and SHAFinal() * are an implementation of the Secure * Hash Algorithm  */ SHAInit(Context); SHAUpdate(Context, StartKey, SessionKeyLength); SHAUpdate(Context, SHApad1, 40); SHAUpdate(Context, SessionKey, SessionKeyLength); SHAUpdate(Context, SHApad2, 40); SHAFinal(Context, Digest); MoveMemory(InterimKey, Digest, SessionKeyLength); } The RC4 tables are re-initialized using the newly created interim key: rc4_key(RC4Key, Length_Of_Key, InterimKey) Finally, the interim key is encrypted using the new tables to produce a new session key: SessionKey = rc4(RC4Key, Length_Of_Key, InterimKey) For 40-bit session keys the most significant three octets of the new session key are now set to 0xD1, 0x26 and 0x9E respectively; for 56- bit keys, the most significant octet is set to 0xD1. Finally, the RC4 tables are re-initialized using the new session key: rc4_key(RC4Key, Length_Of_Key, SessionKey)
Since the FLUSHED bit is set on every packet if stateless encryption was negotiated, the transmission of CCP Reset-Request packets is not required for synchronization.
Since the MPPE negotiation is not integrity protected, an active attacker could alter the strength of the keys used by modifying the Supported Bits field of the CCP Configuration Option packet. The effects of this attack can be minimized through appropriate peer configuration, however. Peers MUST NOT transmit user data until the MPPE negotiation is complete. It is possible that an active attacker could modify the coherency count of a packet, causing the peers to lose synchronization. An active denial-of-service attack could be mounted by methodically inverting the value of the 'D' bit in the MPPE packet header.  Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.  Rand, D., "The PPP Compression Control Protocol (CCP)", RFC 1962, June 1996.  RC4 is a proprietary encryption algorithm available under license from RSA Data Security Inc. For licensing information, contact: RSA Data Security, Inc. 100 Marine Parkway Redwood City, CA 94065-1031  Pall, G., "Microsoft Point-to-Point Compression (MPPC) Protocol", RFC 2118, March 1997.  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.  Rand, D., "PPP Reliable Transmission", RFC 1663, July 1994.  "Secure Hash Standard", Federal Information Processing Standards Publication 180-1, National Institute of Standards and Technology, April 1995.  Kohl, J. and C. Neuman "The Kerberos Network Authentication System (V5)", RFC 1510, September 1993.  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.
Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.