dragonblood analyzing the dragonfly
play

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd - PowerPoint PPT Presentation

Oct 06, 2022 •570 likes •1.04k views

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

  1. Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019.

  2. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session key authentication Forward secrecy Protect against & prevent offline server compromise dictionary attacks 2

  3. Dragonfly Convert password to Convert password to elliptic curve point P elliptic curve point P Commit phase Confirm phase 3

  4. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P 4

  5. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P In practice always true 5

  6. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue Problem: value >= p P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P In practice always true 6

  7. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P 7

  8. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P 8

  9. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P No timing leak countermeasures despite warnings by IETF & CFRG! 9

  10. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue WPA3: spoof client address P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 to obtain different executions if P > 1: return P No timing leak countermeasures despite warnings by IETF & CFRG! 10

  11. Raspberry Pi 1 B+: differences are measurable 11

  12. Raspberry Pi 1 B+: differences are measurable Hostap (WPA3): ~75 measurements / address iwd (EAP-pwd): ~30 measurements / address 12

  13. Leaked information: #iterations needed Client address addrA Measured 13

  14. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 14

  15. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 15

  16. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 16

  17. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 17

  18. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 18

  19. Leaked information: #iterations needed Client address addrA addrB addrC Measured forms a signature of the password Password 1 Password 2 Need ~17 addresses to test ~ 10 7 passwords Password 3 19

  20. What about elliptic curves? Hash-to-group with elliptic curves also affected? › By default Dragonfly uses NIST curves › Timing leaks for NIST curves are mitigated Dragonfly also supports Brainpool curves › After our initial disclosure, the Wi-Fi Alliace private created guidelines that mention these are secure to use › Bad news: Brainpool curves in Dragonfly are insecure 20

  21. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 21

  22. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b Problem: no solution for y if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 22

  23. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 23

  24. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 24

  25. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b Problem: different passwords if is_quadratic_residue(y_sqr) and not x: have different execution time x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 25

  26. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x : x = value pw = random()  Always execute at y = sqrt(x^3 + a * x + b) least k iterations return (x, y) 26

  27. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x : x = value In case quadratic test pw = random() is not constant time y = sqrt(x^3 + a * x + b) return (x, y) 27

  28. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b Problem: value >= p if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 28

  29. Hash-to-curve May be true for for (counter = 1; counter < k or not x; counter++) Brainpool curves! value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 29

  30. Hash-to-curve May be true for for (counter = 1; counter < k or not x; counter++) Brainpool curves! value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value Quadratic test may be skipped pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 30

  31. Hash-to-curve May be true for for (counter = 1; counter < k or not x; counter++) Brainpool curves! value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value Quadratic test may be skipped pw = random() y = sqrt(x^3 + a * x + b) A random #(extra iterations) return (x, y) have a too big hash output 31

  32. Influence of extra iterations Execution 1 32

  33. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 33

  34. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 34

  35. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 Variance ~ when password element was found 35

  36. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 Variance ~ when password element was found Average ~ when found and #iterations with big hash 36

  37. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 Variance ~ when password element was found Average ~ when found and #iterations with big hash  Again forms a signature of the password 37

  38. Raspberry Pi 1 B+ 38

  39. Raspberry Pi 1 B+ Hostap (WPA3): ~300 measurements / address 39

  40. Cache Attacks 40

  41. Hash-to-curve: Quadratic Residue for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() NIST curves: use Flush+Reload to y = sqrt(x^3 + a * x + b) detect if code is executed in 1 st iteration return (x, y) 41

  42. Hash-to-curve: Quadratic Residue Use as clock to detect in which iteration we are for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() NIST curves: use Flush+Reload to y = sqrt(x^3 + a * x + b) detect if code is executed in 1 st iteration return (x, y) 42

Recommend

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views • 56 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views • 50 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views • 105 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New York, 10 January 2020. Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) Broken in 2001 [FMS01] 2003:

818 views • 62 slides
Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

1.04k views • 69 slides
Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

2/7/2012 Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly, Project 1 Provide overview of Dragonfly architecture Class diagrams Discuss details needed to fully implement Dragonfly classes

900 views • 42 slides
Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program execution Concurrency A property that allows several vessels of execution to be run without a predefined order. Parallelism A property that

625 views • 23 slides
Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Traffic Pattern-based C Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah, Xin Yuan Mike Lang Florida State University Los Alamos National Laboratory Motivation Dragonfly has been known as a

491 views • 33 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views • 65 slides
Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip Dinosaur / Dragon ? Dragonfly CarrierWave Anyone? GitHub stats CarrierWave - 3046 watchers, 390 forks Paperclip - 4294 watchers, 877 forks

658 views • 22 slides
Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas Water Supply is from springs? Wow thats why its so clean! Then what happens after people use it? PUMP STATION &amp; TREATMENT Well Drago.

364 views • 13 slides
PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

11/18/2019 MISSISSIPPI SWANA DRONES &amp; SOLID WASTE Presented By: Edward Schmalfeld, P.E. PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly AeroSolutions Headquartered in Jacksonville, Florida

287 views • 8 slides
Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA

Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA

Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA Seabirds Technical Working Group 5 October 2009 Outline Data collection and grooming 1 Diaries and forms Data entry Reconciliation Summary

220 views • 20 slides
Citizen Scientists Study Mercury in Dragonfly Larvae from National Parks Colleen Flanagan,

Citizen Scientists Study Mercury in Dragonfly Larvae from National Parks Colleen Flanagan,

Citizen Scientists Study Mercury in Dragonfly Larvae from National Parks Colleen Flanagan, Ecologist, National Park Service Air Resources Dr. Sarah Nelson, Associate Professor, University of Maine National Association of Interpretation

639 views • 24 slides
Dragonfly: A PAKE Scheme Dan Harkins IETF 83 Paris, France The Rise of Password Protocols in

Dragonfly: A PAKE Scheme Dan Harkins IETF 83 Paris, France The Rise of Password Protocols in

Dragonfly: A PAKE Scheme Dan Harkins IETF 83 Paris, France The Rise of Password Protocols in the IETF EAP-GPSK, TLS-SRP, TLS-PSK EAP-pwd PAP! Plaintext passwords (1986 to 1995 or so) PAP-like exchange completely broken

337 views • 12 slides
PerfMon redux: analyzing a CUDA application with the Windows PerfMon redux: analyzing a CUDA

PerfMon redux: analyzing a CUDA application with the Windows PerfMon redux: analyzing a CUDA

S6287 PerfMon redux: analyzing a CUDA application with the Windows PerfMon redux: analyzing a CUDA application with the Windows Performance Monitor Richard Wilton Department of Physics and Astronomy Johns Hopkins University S6287: Analyzing

279 views • 25 slides
Burst Buffer Simulation In Dragonfly Network Jian Peng, Michael Lang Illinois Institute of

Burst Buffer Simulation In Dragonfly Network Jian Peng, Michael Lang Illinois Institute of

Burst Buffer Simulation In Dragonfly Network Jian Peng, Michael Lang Illinois Institute of Technology, Los Alamos National Laboratory Purpose: Residing in the compute node network, and using solid state drives (SSD), burst buffers bring a

280 views • 16 slides
Wireshark network analyzing tool 19/03/2018 1 Wireshark network analyzing tool What?

Wireshark network analyzing tool 19/03/2018 1 Wireshark network analyzing tool What?

Wireshark network analyzing tool 19/03/2018 1 Wireshark network analyzing tool What? One of the best open source packet analyzers available today Captures network packets and tries to display content as detailed as possible

338 views • 5 slides
NGSS PRACTICE: ANALYZING AND INTERPRETING DATA SOUTHERN CT STATE UNIVERSITY ANALYZING DATA JULY

NGSS PRACTICE: ANALYZING AND INTERPRETING DATA SOUTHERN CT STATE UNIVERSITY ANALYZING DATA JULY

NGSS PRACTICE: ANALYZING AND INTERPRETING DATA SOUTHERN CT STATE UNIVERSITY ANALYZING DATA JULY 27, 2015 Dr. Marie Nabbout-Cheiban &amp; Dr. Adam Goldberg A CTIVITY 1: R OLLING THE DICE Please answer each of the following questions alone. Then,

257 views • 7 slides
B 0 D ( ) Analyzing New Physics in the decays Chien-Thang Tran a , b ,

B 0 D ( ) Analyzing New Physics in the decays Chien-Thang Tran a , b ,

Introduction Hadronic Matrix Elements and Form Factors Covariant Confined Quark Model Decay distribution and experimental constraints Analyzing New B 0 D ( ) Analyzing New Physics in the decays Chien-Thang Tran a , b

790 views • 27 slides
Wayne Snyder Computer Science Department Boston University Today: Analyzing Rhythm Analyzing

Wayne Snyder Computer Science Department Boston University Today: Analyzing Rhythm Analyzing

CS 591 S1 Computational Audio Wayne Snyder Computer Science Department Boston University Today: Analyzing Rhythm Analyzing rhythm: basic notions and motivations Onset detection, beat tracking Rhythm analysis Tempo Estimation Time

686 views • 65 slides
Analyzing with P Analyzing with P Delta y y g g Delta Presenter: Presenter: Deborah

Analyzing with P Analyzing with P Delta y y g g Delta Presenter: Presenter: Deborah

Analyzing with P Analyzing with P Delta y y g g Delta Presenter: Presenter: Deborah Penko, P.E. Deborah Penko, P.E. What? What? Wh ? Why? When? How? P Delta? Delta? Definition : Destabilizing moment equal to the force of gravity

917 views • 14 slides
GYRO: Analyzing new physics in record time M. Fahey and J. Candy ORNL, Oak Ridge, TN General

GYRO: Analyzing new physics in record time M. Fahey and J. Candy ORNL, Oak Ridge, TN General

GYRO: Analyzing new physics in record time M. Fahey GYRO: Analyzing new physics in record time M. Fahey and J. Candy ORNL, Oak Ridge, TN General Atomics, San Diego, CA 20 May 2004 Cray User Group Knoxville, TN QTYUIOP 1 GYRO: Analyzing

599 views • 24 slides
Analyzing Throughput of GPUs Analyzing Throughput of GPUs Exploiting Within-Die Core-to-Core

Analyzing Throughput of GPUs Analyzing Throughput of GPUs Exploiting Within-Die Core-to-Core

Analyzing Throughput of GPUs Analyzing Throughput of GPUs Exploiting Within-Die Core-to-Core Exploiting Within-Die Core-to-Core Frequency Variation Frequency Variation Jungseob Lee, Paritosh Ajgaonkar, Nam Sung Kim Apr 12, 2011 Department of

578 views • 20 slides

More recommend