Dragonblood: Attacking the Dragonfly Handshake of WPA3
Mathy Vanhoef and Eyal Ronen
Black Hat USA. Las Vegas, 7 August 2019.
Background: Dragonfly in WPA3 and EAP-pwd
› Negotiate session key
› Provide mutual authentication
› Forward secrecy & prevent offline dictionary attacks
› Protect against server compromise
= Password Authenticated Key Exchange (PAKE)
Dragonfly
› Convert password to group element P (both peers)
› Commit phase: negotiate shared key
› Confirm phase: confirm peer negotiated same key
Supports two crypto groups:
1. MODP groups
2. Elliptic curves
What are MODP groups?
All operations are MODulo the Prime (= MODP)
Operations performed on integers x where:
› x < p with p a prime
› x^q mod p = 1 must hold
› q = #elements in the group
Convert password to MODP element
```
for (counter = 1; counter < 256; counter++)
    value = hash(pw, counter, addr1, addr2)
    if value >= p: continue
    P = value^((p-1)/q)    // convert value to a MODP element
    return P
```
Problem for groups 22-24:
high chance that value >= p
#iterations depends on password
No timing leak countermeasures,
despite warnings by IETF & CFRG!
IETF mailing list in 2010
“[..] susceptible to side channel (timing) attacks
and may leak the shared password.”
“not so sure how important that is [..] doesn't leak
the shared password [..] not a trivial attack.”
Leaked information: #iterations needed
[Table: column client address addrA; rows Measured, Password 1, Password 2, Password 3; values not preserved]
What information is leaked?
```
for (counter = 1; counter < 256; counter++)
    value = hash(pw, counter, addr1, addr2)
    if value >= p: continue
    P = value^((p-1)/q)
```
Spoof client address to obtain
different execution & leak new data
Leaked information: #iterations needed
[Table: columns client addresses addrA, addrB, addrC; rows Measured, Password 1, Password 2, Password 3; values not preserved]
Forms a signature of the password
Need ~17 addresses to determine
password in RockYou dump
Raspberry Pi 1 B+: differences are measurable
Hostap AP: ~75 measurements / address
What about elliptic curves?
Need to convert password to point (x,y) on the curve
Operations performed on points (x, y) where:
› x < p and y < p with p a prime
› y^2 = x^3 + ax + b mod p must hold
Hash-to-curve: EAP-pwd
```
for (counter = 1; counter < 40; counter++)
    x = hash(pw, counter, addr1, addr2)
    if x >= p: continue
    if square_root_exists(x) and not P:
        return (x, sqrt(x^3 + ax + b))
```
EAP-pwd: similar timing
leak with elliptic curves
Hash-to-curve: WPA3 (simplified)
```
for (counter = 1; counter < 40; counter++)
    x = hash(pw, counter, addr1, addr2)
    if x >= p: continue
    if square_root_exists(x) and not P:
        P = (x, sqrt(x^3 + ax + b))
return P
```
WPA3: always do 40
loops & return first P
Problem for Brainpool curves:
high chance that x >= p
Code may be skipped!
#Times skipped depends on password
simplified, execution time for several client MAC
addresses forms a signature of the password.
Cache Attacks
NIST Elliptic Curves
```
for (counter = 1; counter < 40; counter++)
    x = hash(pw, counter, addr1, addr2)
    if x >= p: continue
    if square_root_exists(x) and not P:
        P = (x, sqrt(x^3 + ax + b))
return P
```
Monitor using Flush+Reload to
know in which iteration we are
NIST curves: use Flush+Reload to
detect when code is executed
Brainpool Elliptic Curves
Brainpool curves: use Flush+Reload
to detect when code is executed
Cache-attacks in practice
Requires powerful adversary:
› Run unprivileged code on victim’s machine
› Act as malicious client/AP within range of victim
Abuse leaked info to recover the password
› Spoof various client addresses similar to timing attack
› Use resulting password signature in dictionary attack
Attack Optimizations
Timing & cache attack result in password signature
› Both use the same brute-force algorithm
Improve performance using GPU code:
› We can brute-force 10^10 passwords for $1
› MODP / Brainpool: all 8 symbols costs $67
› NIST curves: all 8 symbols costs $14k
Implementation Inspection
Invalid Curve Attack
› Commit(x’, y’): point isn’t on curve
› Commit reply
› Negotiated key is predictable
› Guess key and send confirm
› Confirm phase
Bypasses authentication
EAP-pwd: all implementations affected
WPA3: only iwd is vulnerable
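A receiver-side check that rejects the off-curve Commit element from the slide, as an added example that is not code from the talk or from any implementation it names. The toy curve y^2 = x^3 + 2x + 2 mod 17, the one-byte x || y encoding and all function names are assumptions made for illustration.

```python
# Constructed toy curve, NOT a real Dragonfly group: y^2 = x^3 + 2x + 2 mod 17.
P_FIELD, A, B = 17, 2, 2
COORD_LEN = 1  # bytes per coordinate for this toy prime (assumed encoding: x || y)


class CommitRejected(Exception):
    """Raised when a received Commit element must not be used."""


def parse_element(blob: bytes):
    """Split the fixed-length x || y encoding into two integers."""
    if len(blob) != 2 * COORD_LEN:
        raise CommitRejected("bad element length")
    x = int.from_bytes(blob[:COORD_LEN], "big")
    y = int.from_bytes(blob[COORD_LEN:], "big")
    return x, y


def validate_element(x: int, y: int) -> None:
    """Reject anything that is not a canonical point on the negotiated curve."""
    # Coordinates must be canonical field elements: (22, 1) equals (5, 1)
    # mod 17 but is not a valid encoding and is refused before any arithmetic.
    if not (0 <= x < P_FIELD and 0 <= y < P_FIELD):
        raise CommitRejected("coordinate out of range")
    # The curve equation itself. Skipping this test is the flaw on the slide:
    # the peer's point then lives on some other curve chosen by the sender.
    if (y * y - (x * x * x + A * x + B)) % P_FIELD != 0:
        raise CommitRejected("point is not on the curve")


def accept_commit(blob: bytes):
    """Parse and validate a Commit element; only a validated point is returned."""
    x, y = parse_element(blob)
    validate_element(x, y)
    return x, y


def check_commit(blob: bytes) -> str:
    """Return 'accepted' or the rejection reason, for logging and tests."""
    try:
        accept_commit(blob)
        return "accepted"
    except CommitRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample elements: two valid points and four that must be refused.
    for sample in (bytes([5, 1]), bytes([5, 16]), bytes([5, 2]),
                   bytes([0, 0]), bytes([22, 1]), bytes([5])):
        print(sample.hex(), "->", check_commit(sample))
```

The validation has to run before the element is used in any group operation, so that the handshake aborts in the commit phase rather than reaching the confirm phase with an attacker-chosen point.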
Implementation Vulnerabilities II
Bad randomness:
› Can recover password element P
› Aruba’s EAP-pwd client for Windows is affected
› With WPA2 bad randomness has lower impact!
Side-channels:
› FreeRADIUS aborts if >10 iterations are needed
› Aruba’s EAP-pwd aborts if >30 are needed
› Can use leaked info to recover password
Wi-Fi Specific Attacks
Denial-of-Service Attack
AP converts password to EC point when client connects
› Conversion is computationally expensive (40 iterations)
› Forging 8 connections/sec saturates AP’s CPU
Downgrade Against WPA3-Transition
Transition mode: WPA2/3 use the same password
› WPA2’s handshake detects downgrades → forward secrecy
› Performing partial WPA2 handshake → dictionary attacks
Solution is to remember which networks support WPA3
› Similar to trust on first use of SSH & HSTS
› Implemented by Pixel 3 and Linux’s NetworkManager
Crypto Group Downgrade
Handshake can be performed with multiple curves
› Initiator proposes curve & responder accepts/rejects
› Spoof reject messages to downgrade used curve
= design flaw, all client & AP
implementations vulnerable
Disclosure
Disclosure process
Notified parties early with hope to influence WPA3
› Some initially sceptical, considered it implementation flaws
› Group downgrade: “was known, but forgot to warn about it”
Reaction of the Wi-Fi Alliance
› Privately created backwards-compatible security guidelines
› 2nd disclosure round to address Brainpool side-channels
Fundamental issue still unsolved
› On lightweight devices, doing 40 iterations is too costly
› Even powerful devices are at risk: handshake might be offloaded to the lightweight Wi-Fi chip itself
Wi-Fi standard now being updated
› Prevent crypto group downgrade attack
› Allow offline computation of password element
Additional updates to Wi-Fi standard
Elliptic curve groups:
› Restrict usage of weak elliptic curves
› Constant-time algo (simplified SWU)
MODP crypto groups:
› Restrict usage of weak MODP groups
› Constant-time algo (modulo instead of iterations)
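The iteration-based MODP conversion from the earlier slides next to a modulo-based one, as an added example that is not code from the talk or text from the Wi-Fi standard. The toy prime, the SHA-256 model of hash(), the reduction into [2, p-1] and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy parameters, NOT a real Dragonfly group: P_MOD is prime,
# Q = 113 divides P_MOD - 1, and P_MOD sits just above 2**15 so a 16-bit
# hash output is >= P_MOD about half the time (the slides report a similarly
# high rejection chance for MODP groups 22-24).
P_MOD = 32771
Q = 113
HASH_BITS = 16

# Constructed sample addresses: one AP and 64 client MAC addresses.
AP = bytes.fromhex("020000000001")
CLIENTS = [bytes.fromhex("0200000001%02x" % i) for i in range(64)]


def _hash(pw, counter, addr1, addr2):
    """hash(pw, counter, addr1, addr2) from the slides, modelled with SHA-256."""
    h = hashlib.sha256()
    for part in (pw, bytes([counter]), addr1, addr2):
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefix each field
    return int.from_bytes(h.digest(), "big")


def pwe_looping(pw, addr1, addr2):
    """Try-and-increment as on the slides. Returns (P, iterations used)."""
    for counter in range(1, 256):
        value = _hash(pw, counter, addr1, addr2) >> (256 - HASH_BITS)
        if value == 0 or value >= P_MOD:
            continue  # rejected: the amount of work now depends on pw and addresses
        return pow(value, (P_MOD - 1) // Q, P_MOD), counter
    raise ValueError("no element found in 255 iterations")


def pwe_modulo(pw, addr1, addr2):
    """One hash reduced with a modulo. Returns (P, iterations used), always 1."""
    wide = _hash(pw, 1, addr1, addr2)   # 256-bit output vs 16-bit modulus: negligible bias
    value = 2 + wide % (P_MOD - 2)      # always in [2, p - 1], so nothing is ever rejected
    return pow(value, (P_MOD - 1) // Q, P_MOD), 1


def work_profile(derive, pw, ap=AP, clients=CLIENTS):
    """Iterations used per client address, i.e. what a timing observer can learn."""
    return [derive(pw, ap, c)[1] for c in clients]


def in_subgroup(element):
    """An element produced by x^((p-1)/q) must satisfy element^q mod p = 1."""
    return pow(element, Q, P_MOD) == 1


if __name__ == "__main__":
    for pw in (b"password-one", b"password-two"):
        print(pw.decode(), "looping:", work_profile(pwe_looping, pw)[:12], "...")
        print(pw.decode(), "modulo :", work_profile(pwe_modulo, pw)[:12], "...")
```

The modulo variant removes the input-dependent control flow only; Python's big-integer arithmetic is not itself constant-time, so a production implementation still needs constant-time field operations.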
Updates aren’t backwards-compatible
Might lead to WPA3.1?
› Not yet clear how this will be handled
› Risk of downgrade attacks to original WPA3
Will people be able to easily attack WPA3?
› No, WPA3 > WPA2 even with its flaws
› Timing leaks: non-trivial to determine if vulnerable
Conclusion
› WPA3 vulnerable to side-channels
› Countermeasures are costly
› Standard now being updated
› WPA3 > WPA2 & planned updates are strong
https://wpa3.mathyvanhoef.com