Dragonblood: A Security Analysis of WPA3’s SAE Handshake
TRANSCRIPT
![Page 1: Dragonblood: A Security Analysis of WPA3’s SAE HandshakeDragonblood: A Security Analysis of WPA3’s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara,](https://reader035.vdocuments.us/reader035/viewer/2022081618/60af5eefaefb6f43ad3a0883/html5/thumbnails/1.jpg)
Dragonblood: A Security Analysis of WPA3’s SAE Handshake
Mathy Vanhoef and Eyal Ronen
WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019.
Background: Dragonfly in WPA3 and EAP-pwd
Dragonfly is a Password Authenticated Key Exchange (PAKE). Goals of a PAKE:
› Negotiate a session key
› Provide mutual authentication
› Forward secrecy & prevent offline dictionary attacks
› Protect against server compromise
Dragonfly
Both parties first convert the password to a group element P.
› Commit phase: negotiate shared key
› Confirm phase: confirm peer negotiated same key
Supports two crypto groups:
1. MODP groups
2. Elliptic curves
What are MODP groups?
All operations are MODulo the Prime (= MODP)
Operations performed on integers x where:
› x < p with p a prime
› x^q mod p = 1 must hold
› q = #elements in the group
Convert password to MODP element

    for counter in 1 .. 255:
        value = hash(pw, counter, addr1, addr2)
        if value >= p:
            continue
        P = value^((p-1)/q) mod p    # convert value to a MODP element
        return P

Problem for groups 22-24: high chance that value >= p, so the #iterations depends on the password.
No timing leak countermeasures, despite warnings by IETF & CFRG!
IETF mailing list in 2010
“[..] susceptible to side channel (timing) attacks and may leak the shared password. I'd therefore recommend [excluding the MAC addresses].”
“not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.”
Leaked information: #iterations needed
For each client address (addrA, addrB, addrC, ...) the attacker measures the #iterations the AP needs and compares it with the #iterations each candidate password (Password 1, 2, 3, ...) would need for that address (table of values on the original slide).
Spoof client address to obtain different execution & leak new data
Forms a signature of the password
Need ~17 addresses to determine password in RockYou (~10^7) dump
Raspberry Pi 1 B+: differences are measurable
Hostap AP: ~75 measurements / address
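The MODP hunting-and-pecking loop above, the per-address iteration leak it creates, and the offline dictionary step from the "password signature" slides, worked through as an added example (not the paper's or hostap's code). It also sketches the "modulo instead of iterations" constant-time idea mentioned on the later standard-update slide. The 16-bit group, the SHA-256 stand-in for hash(), the MAC addresses and the dictionary are constructed for illustration, and the measured signature is simulated by calling the victim's conversion routine directly rather than timing it over the air:

```python
"""Toy model of Dragonfly's MODP hunting-and-pecking loop, the iteration-count
side channel, and the offline dictionary attack it enables.

Added example; not code from the paper or from hostap. The group, hash and
addresses are constructed for illustration and are far too small for real use.
"""
import hashlib


def is_prime(n):
    """Trial division; fine for the 16-bit toy prime used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


# Toy MODP group. The prime is chosen so its top bits are NOT all ones, like
# RFC 5114 groups 22-24: a uniformly random 16-bit hash output then exceeds p
# in roughly a third of the iterations, which is what makes the loop count
# password-dependent. Only "q divides p-1" matters for the exponent below.
P = max(n for n in range(0xA000, 0xB100) if is_prime(n))
Q = (P - 1) // 2


def hunt_hash(pw, counter, addr1, addr2):
    """Stand-in for the slide's hash(pw, counter, addr1, addr2): 16-bit output."""
    h = hashlib.sha256(pw.encode() + bytes([counter]) + addr1 + addr2).digest()
    return int.from_bytes(h[:2], "big")


def password_to_modp_element(pw, addr1, addr2, p=P, q=Q):
    """The slide's loop. Returns (element, iterations_used).

    The early return is the leak: a timing attacker learns iterations_used.
    """
    for counter in range(1, 256):
        value = hunt_hash(pw, counter, addr1, addr2)
        if value >= p:
            continue
        return pow(value, (p - 1) // q, p), counter
    raise ValueError("no element found in 255 iterations")


def password_to_modp_element_fixed(pw, addr1, addr2, p=P, q=Q):
    """Constant-time alternative in the spirit of the 'modulo instead of
    iterations' slide: take a hash output wider than p, reduce it mod p-1 and
    add 1, so a single iteration always suffices and nothing password-dependent
    leaks from the loop count. Assumption: this illustrates the idea, it is not
    the exact construction adopted by the updated 802.11 standard."""
    wide = int.from_bytes(hashlib.sha256(pw.encode() + addr1 + addr2).digest(), "big")
    value = wide % (p - 1) + 1
    return pow(value, (p - 1) // q, p), 1


def password_signature(pw, client_addrs, ap_addr):
    """What the attacker measures: one iteration count per spoofed client
    address. Simulated here by calling the victim's conversion directly."""
    return tuple(password_to_modp_element(pw, addr, ap_addr)[1]
                 for addr in client_addrs)


def recover_password(measured, dictionary, client_addrs, ap_addr):
    """Offline brute force: keep dictionary entries whose signature matches."""
    return [pw for pw in dictionary
            if password_signature(pw, client_addrs, ap_addr) == measured]


# Constructed scenario: a small dictionary, the AP's MAC address and 17
# attacker-chosen client addresses (the slide's estimate for a RockYou-sized dump).
AP_ADDR = bytes.fromhex("02aa00000001")
CLIENT_ADDRS = [bytes.fromhex("02bb0000%04x" % i) for i in range(17)]
DICTIONARY = ["password", "letmein", "dragonfly", "hunter2", "wifi1234",
              "qwerty", "iloveyou", "123456", "welcome", "sunshine"]
TRUE_PASSWORD = "hunter2"


def demo():
    measured = password_signature(TRUE_PASSWORD, CLIENT_ADDRS, AP_ADDR)
    candidates = recover_password(measured, DICTIONARY, CLIENT_ADDRS, AP_ADDR)
    return measured, candidates


if __name__ == "__main__":
    measured, candidates = demo()
    print("p = %#x, leaked signature = %s" % (P, measured))
    print("candidates consistent with the signature:", candidates)
```

Each spoofed address yields a roughly geometric iteration count (about 1.2 bits of information in this toy group), which is why a couple of dozen addresses suffice to single out one password in a dictionary of ~10^7 entries; the fixed variant returns after exactly one iteration for every password.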
What about elliptic curves?
Need to convert password to point (x, y) on the curve
Operations performed on points (x, y) where:
› x < p and y < p with p a prime
› y^2 = x^3 + ax + b mod p must hold
Hash-to-curve: EAP-pwd

    for counter in 1 .. 39:
        x = hash(pw, counter, addr1, addr2)
        if x >= p:
            continue
        if square_root_exists(x^3 + ax + b):
            return (x, sqrt(x^3 + ax + b))

EAP-pwd: similar timing leak with elliptic curves (the loop stops as soon as a point is found)
Hash-to-curve: WPA3

    P = None
    for counter in 1 .. 39:
        x = hash(pw, counter, addr1, addr2)
        if x >= p:
            continue
        if square_root_exists(x^3 + ax + b) and not P:
            P = (x, sqrt(x^3 + ax + b))
            pw = rand()    # remaining iterations hash a random password
    return P

WPA3: always do 40 loops & return first P; the extra iterations are based on a random password.
Problem for Brainpool curves: high chance that x >= p, so code may be skipped.
#Times skipped depends on password & on the random password in the extra iterations:
› Variance ~ when password element was found
› Average ~ when found & #iterations code skipped

Raspberry Pi 1 B+
Hostap (WPA3): ~300 measurements / address
Cache Attacks
NIST and Brainpool Elliptic Curves
Same WPA3 hash-to-curve loop as above:
› Monitor using Flush+Reload to know in which iteration we are
› NIST curves: use Flush+Reload to detect when the branch highlighted on the original slide is executed
› Brainpool curves: use Flush+Reload to detect when the branch highlighted on the original slide is executed
Cache-attacks in practice
Requires powerful adversary:
› Run unprivileged code on victim’s machine
› Act as malicious client/AP within range of victim
Abuse leaked info to recover the password
› Spoof various client addresses similar to timing attack
› Use resulting password signature in dictionary attack
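The WPA3 hash-to-curve loop from the preceding slides, together with the observables the two attacks recover: the number of skipped "x >= p" iterations (the timing leak on Brainpool-like primes) and the iteration in which the point was found (what Flush+Reload reveals on NIST-like primes). This is an added example, not the paper's or hostap's code. The two 16-bit primes, the curve coefficients, the hash stand-in and the addresses are constructed, and the square root assumes p ≡ 3 mod 4, a toy simplification:

```python
"""Toy model of WPA3's fixed-iteration hash-to-curve loop and of the quantities
that still depend on the password. Added example; not code from the paper or
from hostap. The curves are tiny constructed stand-ins, not NIST or Brainpool
parameters.
"""
import hashlib
import secrets

ITERATIONS = 40


def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def largest_prime_3_mod_4_below(limit):
    # p = 3 mod 4 lets us take square roots as rhs^((p+1)/4) (toy simplification).
    return max(n for n in range(limit - 4096, limit) if is_prime(n) and n % 4 == 3)


# NIST-like prime: just below 2^16, so a random 16-bit x is almost never >= p.
# Brainpool-like prime: top bits not all ones, so x >= p happens ~30% of the time.
P_NIST_LIKE = largest_prime_3_mod_4_below(1 << 16)
P_BRAINPOOL_LIKE = largest_prime_3_mod_4_below(0xB100)
CURVE_A, CURVE_B = 3, 7  # constructed coefficients of y^2 = x^3 + a*x + b


def hash_x(pw, counter, addr1, addr2):
    """Stand-in for hash(pw, counter, addr1, addr2): 16-bit candidate x."""
    h = hashlib.sha256(pw + bytes([counter]) + addr1 + addr2).digest()
    return int.from_bytes(h[:2], "big")


def sqrt_mod(rhs, p):
    """A square root of rhs mod p, or None if none exists (requires p = 3 mod 4)."""
    y = pow(rhs, (p + 1) // 4, p)
    return y if (y * y) % p == rhs % p else None


def hash_to_curve_wpa3(pw, addr1, addr2, p):
    """The slide's loop: always ITERATIONS rounds, keep the first point, then
    continue on a random password. Returns the point plus three observables:
      found_at       iteration in which the real password's point appeared
                     (visible to a Flush+Reload attacker watching that branch)
      skipped_before 'x >= p' skips while the real password was in use
                     (timing leak on Brainpool-like primes, ~0 on NIST-like)
      skipped_total  all skips, including the random-password rounds
                     (what a timing attacker actually sees; noisy)
    """
    point = None
    found_at = None
    skipped_before = skipped_total = 0
    pw = pw.encode()
    for counter in range(1, ITERATIONS):
        x = hash_x(pw, counter, addr1, addr2)
        if x >= p:
            skipped_total += 1
            if point is None:
                skipped_before += 1
            continue
        y = sqrt_mod((x ** 3 + CURVE_A * x + CURVE_B) % p, p)
        if y is not None and point is None:
            point, found_at = (x, y), counter
            pw = secrets.token_bytes(16)  # extra iterations use a random password
    return {"point": point, "found_at": found_at,
            "skipped_before": skipped_before, "skipped_total": skipped_total}


def leak_profile(pw, client_addrs, ap_addr, p):
    """Per spoofed client address: (found_at, skipped_before). Both are
    deterministic in the password and addresses, so, like the MODP iteration
    count, they form a password signature usable in a dictionary attack."""
    return [(r["found_at"], r["skipped_before"])
            for r in (hash_to_curve_wpa3(pw, a, ap_addr, p) for a in client_addrs)]


# Constructed scenario.
AP_ADDR = bytes.fromhex("02aa00000001")
CLIENT_ADDRS = [bytes.fromhex("02bb0000%04x" % i) for i in range(8)]

if __name__ == "__main__":
    for name, p in (("NIST-like", P_NIST_LIKE), ("Brainpool-like", P_BRAINPOOL_LIKE)):
        print(name, "p = %#x" % p, leak_profile("hunter2", CLIENT_ADDRS, AP_ADDR, p))
```

Running it shows the two regimes side by side: with the NIST-like prime skipped_before stays at zero for every address, so only found_at (a cache observable) carries password information, while with the Brainpool-like prime the skip count varies per address and is visible in timing, with skipped_total adding noise from the random-password rounds.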
Attack Optimizations
Timing & cache attack result in password signature
› Both use the same brute-force algorithm
Improve performance using GPU code:
› We can brute-force 10^10 passwords for $1
› MODP / Brainpool: all 8-symbol passwords cost $67
› NIST curves: all 8-symbol passwords cost $14k
Detailed Analysis: See Paper
› Estimate required #(spoofed MAC addresses):
› Offline brute-force cost:
Implementation Inspection
Invalid Curve Attack
1. Attacker sends Commit(x’, y’) where the point (x’, y’) isn’t on the curve
2. Victim sends its Commit reply; the negotiated key is now predictable
3. Attacker guesses the key and sends its Confirm; the Confirm phase completes
Bypasses authentication
EAP-pwd: all implementations affected
WPA3: only iwd is vulnerable
Reflection Attack: EAP-pwd example
1. Victim sends Commit(x, y); attacker reflects the frame back as Commit(x, y)
2. Victim sends Confirm; attacker reflects that frame too
3. Association completes: attacker authenticates as the victim
EAP-pwd: all servers are vulnerable
WPA3: old wpa_supplicants affected
Other Implementation Vulnerabilities
Bad randomness:
› Can recover password element P
› Aruba’s EAP-pwd client for Windows is affected
› With WPA2 bad randomness has lower impact!
Side-channels:
› FreeRADIUS aborts if >10 iterations are needed
› Aruba’s EAP-pwd aborts if >30 are needed
› Can use leaked info to recover password
Wi-Fi Specific Attacks
Denial-of-Service Attack
AP converts password to EC point when client connects
› Conversion is computationally expensive (40 iterations)
› Forging 8 connections/sec saturates AP’s CPU
Downgrade Against WPA3-Transition
Transition mode: WPA2/3 use the same password
› WPA2’s handshake detects downgrades → forward secrecy is preserved
› Performing a partial WPA2 handshake → dictionary attacks
Solution is to remember which networks support WPA3
› Similar to trust on first use of SSH & HSTS
› Implemented by Pixel 3 and Linux’s NetworkManager
Crypto Group Downgrade
Handshake can be performed with multiple curves
› Initiator proposes curve & responder accepts/rejects
› Spoof reject messages to downgrade used curve
= design flaw, all client & AP implementations vulnerable
Implementation-specific downgrades
› Clone WPA3-only network & advertise it only supports WPA2
› Galaxy S10 & iwd connected using the WPA3-only password
› Results in trivial dictionary attack
Disclosure
Disclosure process
Notified parties early with hope to influence WPA3
› Some initially skeptical, considered it implementation flaws
› Group downgrade: “was known, but forgot to warn about it”
Reaction of the Wi-Fi Alliance
› Privately created backwards-compatible security guidelines
› 2nd disclosure round to address Brainpool side-channels
Fundamental issue still unsolved
› On lightweight devices, doing 40 iterations is too costly
› Even powerful devices are at risk: handshake might be offloaded to the lightweight Wi-Fi chip itself
Wi-Fi standard now being updated
› Prevent crypto group downgrade attack
› Allow offline computation of password element
Additional updates to Wi-Fi standard
Elliptic curve groups:
› Restrict usage of weak elliptic curves
› Constant-time algo (simplified SWU)
MODP crypto groups:
› Restrict usage of weak MODP groups
› Constant-time algo (modulo instead of iterations)
Updates aren’t backwards-compatible
Might lead to WPA3.1?
› Not yet clear how this will be handled
› Risk of downgrade attacks to original WPA3
Will people be able to easily attack WPA3?
› No, WPA3 > WPA2 even with its flaws
› Timing leaks: non-trivial to determine if vulnerable
Conclusion
› WPA3 vulnerable to side-channels
› Countermeasures are costly
› Standard now being updated
› Issues could have been avoided!
https://wpa3.mathyvanhoef.com

Thank you! Questions?