PPTP: Point-to-Point Tunneling Protocol

For authentication, PPTP supports MS-CHAP, MS-CHAP v2, and EAP-TLS. The MS-CHAP and MS-CHAP v2 protocols make use of usernames and passwords. The EAP-TLS protocol uses client and server certificates, which require a public key infrastructure (PKI). MS-CHAP v2 is much stronger than MS-CHAP and offers mutual authentication. When used with strong passwords, MS-CHAP v2 is generally regarded as an acceptable option if you are unable to deploy a more secure solution, such as IPSec. If you use MS-CHAP v2, the key is to enforce strong password rules (i.e., eight or more characters and a mixture of upper case, lower case, punctuation, numbers, and special characters). EAP-TLS relies on certificates for authentication, making it the strongest of these authentication methods.

On the client side, EAP-TLS is supported only by Windows XP and 2000. MS-CHAP v2, on the other hand, is supported by Windows XP, 2000, NT 4.0, ME, 98, 95, and CE 3.0 (PocketPC 2002). Note that Windows NT 4.0 clients require at least Service Pack 4 and Windows 95 clients require the Windows Dial-Up Networking 1.3 or later Performance and Security Update.

For encryption, PPTP uses Microsoft Point-to-Point Encryption (MPPE), a stream cipher based on RC4. Key lengths are either 40, 56, or 128 bits. Encryption begins only after PPP authentication and link establishment, so the authentication exchange itself is not encrypted. Attackers who can sniff this traffic can therefore use the session for offline dictionary attacks. This is why strong passwords are so important.
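The password rule above can be enforced before a VPN account is provisioned. The following is an added example, not code from the book: it checks the stated rule (eight or more characters, all listed character classes) and, going one step beyond that rule, rejects decorated dictionary words, since offline dictionary attacks are the stated threat. The function names and the small wordlist are assumptions made for illustration.

```python
import string

# Constructed sample wordlist (assumption); a real audit would load a large list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "vpnuser"}
# Undo common character substitutions before the wordlist comparison.
LEET = str.maketrans("0134578@$!", "oieastbasi")
# Characters typically appended or prepended to a dictionary word.
DECOR = string.digits + string.punctuation


def is_punct_or_special(ch):
    # The rule lists "punctuation" and "special characters" separately; this
    # example treats them as one class: not a letter, digit or whitespace.
    return not (ch.isalnum() or ch.isspace())


def policy_failures(password, min_length=8):
    """Return the reasons a password fails the rule; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    checks = [
        ("no upper-case letter", str.isupper),
        ("no lower-case letter", str.islower),
        ("no number", str.isdigit),
        ("no punctuation or special character", is_punct_or_special),
    ]
    for reason, predicate in checks:
        if not any(predicate(ch) for ch in password):
            failures.append(reason)
    # Dictionary check (beyond the stated rule): a password can satisfy every
    # character class and still be a common word with decoration around it.
    lowered = password.lower()
    for core in {lowered.rstrip(DECOR), lowered.strip(DECOR)}:
        word = core.translate(LEET)
        if word in COMMON_WORDS:
            failures.append("decorated dictionary word: " + word)
            break
    return failures


if __name__ == "__main__":
    for candidate in ("vpn", "P@ssw0rd1!", "$ummer99", "Tr4il-mix&Okra7"):
        print(repr(candidate), policy_failures(candidate) or "passes")
```

Note that `P@ssw0rd1!` satisfies every character-class requirement and is still rejected, which is the case a class-only check misses.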
