dragonblood a security analysis
play

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy - PowerPoint PPT Presentation

Jul 31, 2023 •341 likes •1.04k views

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

  1. Dragonblood: A Security Analysis of WPA3’s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019.

  2. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session key authentication Forward secrecy Protect against & prevent offline server compromise dictionary attacks 2

  3. Dragonfly 3

  4. Dragonfly Convert password to Convert password to group element P group element P 4

  5. Dragonfly Convert password to Convert password to group element P group element P Commit phase 5

  6. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key 6

  7. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key Confirm phase 7

  8. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key Confirm phase Confirm peer negotiated same key 8

  9. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 9

  10. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 10

  11. What are MODP groups? Operations performed on integers x where: › x < 𝑞 with 𝑞 a prime › 𝑦 𝑟 mod 𝑞 = 1 must hold › 𝑟 = #elements in the group  All operations are MOD ulo the P rime (= MODP) 11

  12. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P 12

  13. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P Convert value to a MODP element 13

  14. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P Problem for groups 22-24: high chance that value >= p 14

  15. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: ??? P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P 15

  16. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P 16

  17. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P 17

  18. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P No timing leak countermeasures, despite warnings by IETF & CFRG! 18

  19. IETF mailing list in 2010 “ [..] susceptible to side channel (timing) attacks and may leak the shared password. I'd therefore recommend [excluding the MAC addresses]. ” “ not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.” 19

  20. Leaked information: #iterations needed Client address addrA Measured 20

  21. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 21

  22. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 22

  23. What information is leaked? for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue Spoof client address to obtain P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 different execution & leak new data 23

  24. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 24

  25. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 25

  26. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 26

  27. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Need ~17 addresses to determine password in RockYou ( ~𝟐𝟏 𝟖 ) dump Password 3 27

  28. Leaked information: #iterations needed Client address addrA addrB addrC Measured Forms a signature of the password Password 1 Password 2 Need ~17 addresses to determine password in RockYou ( ~𝟐𝟏 𝟖 ) dump Password 3 28

  29. Raspberry Pi 1 B+: differences are measurable Hostap AP: ~75 measurements / address 29

  30. What about elliptic curves? Operations performed on points (x, y) where: › x < 𝑞 and y < 𝑞 with 𝑞 a prime › 𝑧 2 = 𝑦 3 + 𝑏𝑦 + 𝑐 mod 𝑞 must hold  Need to convert password to point (x,y) on the curve 30

  31. Hash-to-curve: EAP-pwd for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: return (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) EAP-pwd: similar timing leak with elliptic curves 31

  32. Hash-to-curve: WPA3 for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() WPA3: always do 40 return P loops & return first P 32

  33. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Extra iterations based on random password 33

  34. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() Problem for Bainpool curves: return P high chance that x >= p 34

  35. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P 35

  36. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Code may be skipped 36

  37. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P #Times skipped depends on password 37

  38. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P #Times skipped depends on password & random password in extra itreations 38

  39. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Variance ~ when password element was found 39

  40. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Variance ~ when password element was found Average ~ when found & #iterations code skipped 40

  41. Raspberry Pi 1 B+ Hostap (WPA3): ~300 measurements / address 41

  42. Cache Attacks 42

  43. NIST Elliptic Curves for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() NIST curves: use Flush+Reload to return P detect when code is executed 43

  44. NIST Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() NIST curves: use Flush+Reload to return P detect when code is executed 44

  45. Bainpool Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() Brainpool curves: use Flush+Reload return P to detect when code is executed 45

Recommend

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

1.04k views • 45 slides
Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views • 56 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views • 50 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views • 105 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University

Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University

Software Security Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University Nijmegen 1 Static analysis aka source code analysis Automated analysis at compile time to find potential bugs Broad range of

499 views • 36 slides
Improvements in Transportation Security Analysis from a Complex Risk Mitigation Framework for the

Improvements in Transportation Security Analysis from a Complex Risk Mitigation Framework for the

Improvements in Transportation Security Analysis from a Complex Risk Mitigation Framework for the Security of International Spent Nuclear Fuel Transportation Adam D. Williams Global Security Research &amp; Analysis Sandia National Laboratories

505 views • 13 slides
Security and Emo0on: Sen0ment Analysis of Security Discussions

Security and Emo0on: Sen0ment Analysis of Security Discussions

Security and Emo0on: Sen0ment Analysis of Security Discussions on GitHub @DanielPletea @b_vasilescu @aserebrenik Eindhoven University of Technology, NL SEC NEG :

204 views • 7 slides
Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1 Overview Elements of Risk Analysis Quantitative vs Qualitative Analysis One Risk Analysis framework Slide #2 Reading Material Chapter

706 views • 32 slides
Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1 Overview Elements of Risk Analysis Quantitative vs Qualitative Analysis One Risk Analysis framework Slide #2 Reading Material Chapter

793 views • 32 slides
Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1

Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1

Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1 Introduction 10+ years of web development experience IT security background Web application security Incremental static code analysis

881 views • 73 slides
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian Roth , Timothy Barron, Stefano Calzavara, Nick Nikiforakis &amp; Ben Stock Network and Distributed System Security Symposium (NDSS '20) Cross-Site

878 views • 31 slides
Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline

Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline

Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline TLS overview TLS Record Protocol Theory Attacks Security analysis TLS Handshake Protocol Security analysis Discussion 2

1.78k views • 173 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr Contents 1. Introduction 1.1 Motivation 1.2 Related Works Analysis 1.2.1 OpenFlow: A Security Analysis 1.2.2 OpenFlow Vulnerability Assessment

345 views • 30 slides
EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri

EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri

EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri Blumenthal (analysis done by Sarvar Patel) Member of Technical Staff EAP-SIM Draft and its Security Claims Current EAP-SIM provides

342 views • 7 slides
Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats Policy Specification Design Implementation Operation and Maintenance Now Multilateral and Multilevel security Security policies

355 views • 24 slides
Kick-off: Software Security Analysis Chair for IT Security / I20 Prof. Dr. Claudia Eckert

Kick-off: Software Security Analysis Chair for IT Security / I20 Prof. Dr. Claudia Eckert

Kick-off: Software Security Analysis Chair for IT Security / I20 Prof. Dr. Claudia Eckert Technical University of Munich Dr. Julian Schtte julian.schuette@aisec.fraunhofer.de 5.2.2020 1 / 46 Outline 1. Organization 2. Time Table 3.

755 views • 46 slides
OpenBSC network-side GSM stack A tool for GSM protocol level security analysis Harald Welte

OpenBSC network-side GSM stack A tool for GSM protocol level security analysis Harald Welte

GSM/3G security Implementing GSM protocols Security analysis Summary OpenBSC network-side GSM stack A tool for GSM protocol level security analysis Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org hmw-consulting.de SSTIC

1.16k views • 34 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New York, 10 January 2020. Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) Broken in 2001 [FMS01] 2003:

818 views • 62 slides
CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis and Threat Model Basic security properties CIA Threat model A. We want perfect security B. Security is about risk analysis and

426 views • 29 slides
Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring 10 Instructor: Ben Livshits Finding Security Vulnerabilities in Java Applications with Static Analysis V. Benjamin Livshits and Monica S. Lam

743 views • 34 slides
High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &amp;

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &amp;

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &amp; Approaches Security: Challenges &amp; Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides

More recommend