Microsoft Point-To-Point Encryption Protocol

from Wikipedia, the free encyclopedia

Microsoft Point-To-Point Encryption (MPPE) is a network protocol for encrypting data transmitted over the Point-to-Point Protocol (PPP). It was developed by Microsoft and Cisco and published as RFC 3078 in March 2001.

Function

Negotiation

MPPE uses the RC4 algorithm from RSA Security for encryption. The length of the session key is specified during connection negotiation; 40-bit, 56-bit and 128-bit keys are allowed. Negotiation and administration are handled via the Compression Control Protocol (CCP); MPPE is negotiated as option 18 in CCP.

CCP uses a length of 6 bits:

 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
├─┴─┴─┴─┴─┴─┴─┼─┼─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┼─┼─┼─┼─┼─┴─┴─┼─┤
│             │H│                               │M│S│L│D│     │C│
└─────────────┴─┴───────────────────────────────┴─┴─┴─┴─┴─────┴─┘
  • C = used by MPPC (compression)
  • D = obsolete, but some older clients still support it
  • L = 40-bit session key
  • S = 128-bit session key
  • M = 56-bit session key
  • H = stateless mode is used; the key is changed after every transmitted packet.

Before MPPE can send a packet, PPP must have reached the "Network-Layer Protocol" phase and CCP must have reached the so-called "Open State", i.e. the key negotiation must be complete.

Transmission

                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
├─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┼─┼─┼─┼─┼─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┤
│          PPP Protocol         │A│B│C│D│    Coherency Count    │
├───────────────────────────────┴─┴─┴─┴─┴───────────────────────┘
│     Encrypted data...
└────────────────────────────────
  • PPP Protocol = PPP protocol number of the transported protocol. For MPPE the value 00FD (compressed datagram) is used.
  • A = The encryption table was initialized before the packet was generated. The recipient must likewise reinitialize the table before decrypting the packet.
  • B = no meaning for MPPE
  • C = no meaning for MPPE
  • D = indicates whether the packet is encrypted or unencrypted.
  • Coherency Count = ensures that the packets are processed in the order they were sent and that no packet was lost en route.
  • Encrypted data = begins with the protocol field of the transported protocol. The protocol field is decrypted first, then the header of the transported protocol (e.g. the IP header), and finally the packet payload.
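As an added example (not code from the page or from any MPPE implementation), the following Python decodes the two layouts shown above: the CCP option 18 supported-bits word, and the 4-byte MPPE packet header with its A/D flags and 12-bit coherency count, including a receiver-side check for lost or reordered packets. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Flag masks for the CCP option 18 (MPPE) supported-bits word, bit 31 = MSB,
# as laid out in the negotiation diagram.
CCP_H = 0x01000000  # stateless mode (key changes every packet)
CCP_M = 0x00000080  # 56-bit session key
CCP_S = 0x00000040  # 128-bit session key
CCP_L = 0x00000020  # 40-bit session key
CCP_D = 0x00000010  # obsolete bit
CCP_C = 0x00000001  # MPPC compression

def parse_ccp_mppe_option(option: bytes) -> dict:
    """Decode a CCP option TLV (type 18, length 6) into its MPPE flags."""
    if len(option) < 6 or option[0] != 18 or option[1] != 6:
        raise ValueError("not a well-formed MPPE option")
    bits = struct.unpack(">I", option[2:6])[0]
    key_bits = [n for n, m in ((40, CCP_L), (56, CCP_M), (128, CCP_S)) if bits & m]
    return {
        "stateless": bool(bits & CCP_H),
        "key_bits": key_bits,          # several may be offered in a request
        "mppc": bool(bits & CCP_C),
        "obsolete_d": bool(bits & CCP_D),
    }

def parse_mppe_header(packet: bytes) -> dict:
    """Split the MPPE packet header: PPP protocol, A/B/C/D bits, 12-bit count."""
    if len(packet) < 4:
        raise ValueError("packet too short for an MPPE header")
    proto, flags = struct.unpack(">HH", packet[:4])
    return {
        "protocol": proto,              # 0x00FD for a compressed/encrypted datagram
        "flushed": bool(flags & 0x8000),   # A: tables reinitialized
        "encrypted": bool(flags & 0x1000), # D: payload is encrypted
        "coherency": flags & 0x0FFF,
        "payload": packet[4:],           # still encrypted: protocol field first
    }

def check_coherency(expected: int, received: int) -> tuple:
    """Return (in_order, lost) for a received count; the counter wraps at 4096."""
    lost = (received - expected) & 0x0FFF
    return lost == 0, lost

if __name__ == "__main__":
    # Constructed samples: a request offering stateless 128-bit keys, and a
    # packet whose header sets A and D with coherency count 5.
    print(parse_ccp_mppe_option(bytes([18, 6, 0x01, 0x00, 0x00, 0x40])))
    print(parse_mppe_header(b"\x00\xfd\x90\x05" + b"\xaa" * 8))
    print(check_coherency(4094, 1))  # three counts skipped across the wrap
```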
