Dragonblood: A Security Analysis of WPA3’s SAE Handshake
Mathy Vanhoef and Eyal Ronen
WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019

Background: Dragonfly in WPA3 and EAP-pwd
Dragonfly = Password Authenticated Key Exchange (PAKE):
› Negotiate session key
› Provide mutual authentication
› Forward secrecy
› Protect against server compromise
› Prevent offline dictionary attacks
Dragonfly
Both parties convert the password to a group element P, then:
1. Commit phase: negotiate shared key
2. Confirm phase: confirm peer negotiated the same key
Supports two crypto groups:
1. MODP groups
2. Elliptic curves
What are MODP groups?
Operations performed on integers x where:
› x < p with p a prime
› x^q mod p = 1 must hold
› q = #elements in the group
All operations are MODulo the Prime (= MODP)
Convert password to MODP element

    for (counter = 1; counter < 256; counter++)
        value = hash(pw, counter, addr1, addr2)
        if value >= p: continue             ← #iterations depends on password
        P = value^((p-1)/q) mod p           ← convert value to a MODP element
        return P

Problem for groups 22-24: high chance that value >= p
No timing leak countermeasures, despite warnings by IETF & CFRG!
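The following is an added example, not code from the slides or from hostap: a toy model of the MODP loop above, instrumented so the password-dependent iteration count is visible, next to a fixed-iteration variant that does the same work for every password. It assumes a constructed 5-bit group (p = 23, q = 11), SHA-256 standing in for the specification's hash function, and constructed addresses; none of these values appear on the page.

```python
# Added example (not from the Dragonblood slides or hostap): toy model of
# Dragonfly's MODP "hunting and pecking" password-to-element conversion.
import hashlib
from typing import List, Tuple

# Toy group parameters (constructed, far too small for real use): prime p and
# subgroup order q with q | (p - 1).  p = 23 is a 5-bit prime, so a 5-bit hash
# output is >= p about 28% of the time, mimicking the groups 22-24 problem.
P_TOY = 23
Q_TOY = 11  # 22 = 2 * 11


def hunt_value(pw: bytes, counter: int, addr1: bytes, addr2: bytes, nbits: int) -> int:
    """Hash (password, counter, addresses) to an nbits-bit integer."""
    h = hashlib.sha256(pw + bytes([counter]) + addr1 + addr2).digest()
    return int.from_bytes(h, "big") >> (256 - nbits)


def modp_element_leaky(pw: bytes, addr1: bytes, addr2: bytes,
                       p: int = P_TOY, q: int = Q_TOY) -> Tuple[int, int]:
    """Loop as on the slide: exits on the first usable value.

    Returns (P, iterations); 'iterations' is what a timing measurement of
    this function reveals, and it depends on pw, addr1 and addr2."""
    nbits = p.bit_length()
    for counter in range(1, 256):
        value = hunt_value(pw, counter, addr1, addr2, nbits)
        if value >= p:
            continue                     # rejected: one more (cheap) iteration
        element = pow(value, (p - 1) // q, p)
        if element <= 1:
            continue                     # 0 or 1 is not a usable group element
        return element, counter
    raise ValueError("no element found in 255 iterations")


def modp_element_fixed(pw: bytes, addr1: bytes, addr2: bytes,
                       p: int = P_TOY, q: int = Q_TOY) -> Tuple[int, int]:
    """Same result, but always runs all 255 iterations and always performs the
    exponentiation, keeping only the first usable element.

    Returns (P, work); 'work' counts exponentiations and is always 255.
    (Python cannot be truly constant-time; a real implementation would also
    replace the 'found' branch with constant-time selection.)"""
    nbits = p.bit_length()
    found = 0
    work = 0
    for counter in range(1, 256):
        value = hunt_value(pw, counter, addr1, addr2, nbits)
        element = pow(value % p, (p - 1) // q, p)   # computed unconditionally
        work += 1
        usable = value < p and element > 1
        if usable and found == 0:
            found = element
    if found == 0:
        raise ValueError("no element found in 255 iterations")
    return found, work


def iteration_signature(pw: bytes, ap_addr: bytes, client_addrs: List[bytes]) -> List[int]:
    """Iterations needed per client address: the per-password 'signature'
    the slides describe, reproduced offline for a known password."""
    return [modp_element_leaky(pw, ap_addr, addr)[1] for addr in client_addrs]


if __name__ == "__main__":
    ap = bytes.fromhex("020000000001")                      # constructed address
    clients = [bytes([0x02, 0, 0, 0, 0, i]) for i in range(1, 9)]
    for pw in (b"password", b"letmein", b"dragonblood"):   # constructed passwords
        print(pw.decode(), iteration_signature(pw, ap, clients))
    print("fixed variant work:", modp_element_fixed(b"password", ap, clients[0])[1])
```

Running the module prints one list of iteration counts per password; the lists differ from address to address, which is the signature the slides describe, while `modp_element_fixed` reports the same work count for every input.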
IETF mailing list in 2010
“[..] susceptible to side channel (timing) attacks and may leak the shared password. I'd therefore recommend [excluding the MAC addresses].”
“not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.”
What information is leaked?
The MODP loop above: spoofing the client address yields a different execution & leaks new data.

Leaked information: #iterations needed
Measured #iterations for client addresses addrA, addrB, addrC against Password 1, Password 2, Password 3 (the table's cell values were not preserved in the extracted slide).
› Forms a signature of the password
› Need ~17 addresses to determine password in RockYou (~2^18) dump
Raspberry Pi 1 B+: differences are measurable
Hostap AP: ~75 measurements / address
What about elliptic curves?
Operations performed on points (x, y) where:
› x < p and y < p with p a prime
› y^2 = x^3 + ax + b mod p must hold
Need to convert password to point (x, y) on the curve
Hash-to-curve: EAP-pwd

    for (counter = 1; counter < 40; counter++)
        x = hash(pw, counter, addr1, addr2)
        if x >= p: continue
        if square_root_exists(x) and not P:
            return (x, sqrt(x^3 + ax + b))

EAP-pwd: similar timing leak with elliptic curves
Hash-to-curve: WPA3

    for (counter = 1; counter < 40; counter++)
        x = hash(pw, counter, addr1, addr2)
        if x >= p: continue                     ← code may be skipped
        if square_root_exists(x) and not P:
            P = (x, sqrt(x^3 + ax + b))
            pw = rand()                         ← extra iterations based on random password
    return P

WPA3: always do 40 loops & return first P
Problem for Brainpool curves: high chance that x >= p
› #Times skipped depends on password & random password in extra iterations
› Variance ~ when password element was found
› Average ~ when found & #iterations code skipped
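The following is an added example, not code from the slides or from hostap: a toy model of the WPA3 hash-to-curve loop above, instrumented to return the two quantities the slides say still leak after the 40-iteration countermeasure (the iteration in which the password element was found, and how many iteration bodies were skipped because x >= p), next to a variant that performs identical work in every iteration. It assumes a constructed curve y^2 = x^3 + x + 1 over p = 23, SHA-256 standing in for the specification's hash, and constructed addresses; none of these appear on the page.

```python
# Added example (not from the Dragonblood slides or hostap): toy model of the
# SAE/WPA3 hash-to-curve loop with its 40-iteration countermeasure.
import hashlib
import secrets
from typing import Callable, Optional, Tuple

# Toy curve (constructed, far too small for real use): y^2 = x^3 + A*x + B mod P.
# P = 3 mod 4, so a modular square root is a single exponentiation.
P_CURVE, A_CURVE, B_CURVE = 23, 1, 1
LOOPS = 40   # slide: for (counter = 1; counter < 40; counter++)

Point = Tuple[int, int]


def hash_x(pw: bytes, counter: int, addr1: bytes, addr2: bytes) -> int:
    """Hash (password, counter, addresses) to a candidate x of P_CURVE.bit_length() bits."""
    h = hashlib.sha256(pw + bytes([counter]) + addr1 + addr2).digest()
    return int.from_bytes(h, "big") >> (256 - P_CURVE.bit_length())


def rhs(x: int) -> int:
    """Right-hand side x^3 + A*x + B mod P of the curve equation."""
    return (x * x * x + A_CURVE * x + B_CURVE) % P_CURVE


def square_root_exists(z: int) -> bool:
    """Euler's criterion; z = 0 counts as having the root 0."""
    return z == 0 or pow(z, (P_CURVE - 1) // 2, P_CURVE) == 1


def sqrt_mod(z: int) -> int:
    """Square root of a quadratic residue z, valid because P_CURVE = 3 mod 4."""
    return pow(z, (P_CURVE + 1) // 4, P_CURVE)


def hash_to_curve_wpa3(pw: bytes, addr1: bytes, addr2: bytes,
                       rand: Callable[[], bytes] = lambda: secrets.token_bytes(16)
                       ) -> Tuple[Point, int, int]:
    """Mirrors the slide's loop: fixed number of iterations, password replaced
    by a random one once P is found.  Returns (P, found_at, skipped); the last
    two are what a timing measurement still reveals."""
    point: Optional[Point] = None
    found_at = 0
    skipped = 0
    for counter in range(1, LOOPS):
        x = hash_x(pw, counter, addr1, addr2)
        if x >= P_CURVE:
            skipped += 1                 # "code may be skipped": cheaper iteration
            continue
        if square_root_exists(rhs(x)) and point is None:
            point = (x, sqrt_mod(rhs(x)))
            found_at = counter
            pw = rand()                  # remaining iterations hash a random password
    if point is None:
        raise ValueError("no point found")
    return point, found_at, skipped


def hash_to_curve_fixed_work(pw: bytes, addr1: bytes, addr2: bytes) -> Tuple[Point, int]:
    """Every iteration hashes, runs the residue test and computes a square root,
    whether or not x is usable or P was already found, so no iteration is
    cheaper than another.  Returns (P, work); work is always LOOPS - 1.
    (Python is not constant-time; a real implementation would also replace
    the 'point is None' branch with constant-time selection.)"""
    point: Optional[Point] = None
    work = 0
    for counter in range(1, LOOPS):
        x = hash_x(pw, counter, addr1, addr2)
        z = rhs(x % P_CURVE)
        root_ok = square_root_exists(z)
        y = sqrt_mod(z)                  # always computed, even when meaningless
        work += 1
        usable = x < P_CURVE and root_ok
        if usable and point is None:
            point = (x, y)
    if point is None:
        raise ValueError("no point found")
    return point, work


if __name__ == "__main__":
    ap, client = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
    for pw in (b"password", b"letmein", b"dragonblood"):                      # constructed
        pt, found_at, skipped = hash_to_curve_wpa3(pw, ap, client)
        print(pw.decode(), "found at", found_at, "skipped", skipped, "point", pt)
    print("fixed-work variant:", hash_to_curve_fixed_work(b"password", ap, client))
```

Both functions return the same point for the same inputs; only the work profile differs. The `found_at` and `skipped` counters vary with the password and addresses, which is the residual leak the slides attribute to the variance and average of the measured timing.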
Raspberry Pi 1 B+, Hostap (WPA3): ~300 measurements / address
Cache Attacks
NIST and Brainpool elliptic curves: monitor the hash-to-curve loop above using Flush+Reload to know in which iteration we are, i.e. to detect when code is executed.
Recommend
More recommend