Dragonblood: Weaknesses in WPA3's Dragonfly Handshake
Mathy Vanhoef and Eyal Ronen
BruCON, Belgium, 11 October 2019.

Background: Dragonfly in WPA3 and EAP-pwd
= Password Authenticated Key Exchange (PAKE)
- Provide mutual authentication
- Negotiate session key
- Forward secrecy & prevent offline dictionary attacks
- Protect against server compromise

Dragonfly
Both peers: convert password to group element P
- Commit phase: negotiate shared key
- Confirm phase: confirm peer negotiated same key
Supports two crypto groups:
1. MODP groups
2. Elliptic curves

What are MODP groups?
Operations performed on integers x where:
- x < p with p a prime
- x^q mod p = 1 must hold
- q = #elements in the group
→ All operations are MODulo the Prime (= MODP)

Convert password to MODP element
    for (counter = 1; counter < 256; counter++)
        value = hash(pw, counter, addr1, addr2)
        if value >= p: continue        # #iterations depends on password
        P = value^((p-1)/q)            # convert value to a MODP element
        return P
- Problem for groups 22-24: high chance that value >= p
- No timing leak countermeasures, despite warnings by IETF & CFRG!

IETF mailing list in 2010
“[..] susceptible to side channel (timing) attacks and may leak the shared password.”
“not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.”

Leaked information: #iterations needed
[Figure: table of iteration counts for client address addrA; rows: Measured, Password 1, Password 2, Password 3]

What information is leaked?
    for (counter = 1; counter < 256; counter++)
        value = hash(pw, counter, addr1, addr2)
        if value >= p: continue
        P = value^((p-1)/q)
- Spoof client address to obtain different execution & leak new data

Leaked information: #iterations needed
[Figure: table of iteration counts for client addresses addrA, addrB, addrC; rows: Measured, Password 1, Password 2, Password 3]
- Forms a signature of the password
- Need ~17 addresses to determine password in RockYou dump

Raspberry Pi 1 B+: differences are measurable
- Hostap AP: ~75 measurements / address

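The following simulation is an added example, not code from the talk: it models the MODP loop above offline to show how much the iteration count reveals as more client addresses are observed. The 16-bit prime, the SHA-256 stand-in for hash(), the addresses and the candidate list are all constructed assumptions.

```python
import hashlib

P_TOY = 40961  # constructed 16-bit prime; about 37.5% of 16-bit hashes are >= p

def iterations_needed(pw, ap_addr, client_addr):
    """The slide's loop: return the counter at which a value < p is found."""
    for counter in range(1, 256):
        data = b"|".join([pw.encode(), bytes([counter]), ap_addr, client_addr])
        # Stand-in hash (assumption): first 16 bits of SHA-256.
        value = int.from_bytes(hashlib.sha256(data).digest()[:2], "big")
        if value >= P_TOY:
            continue          # rejected: costs one more iteration
        return counter        # P = value^((p-1)/q) would be computed here
    return None

def signature(pw, ap_addr, client_addrs):
    """Iteration counts for one password across several client addresses."""
    return tuple(iterations_needed(pw, ap_addr, c) for c in client_addrs)

def remaining_candidates(candidates, real_pw, ap_addr, client_addrs):
    """Candidates whose signature equals that of real_pw for these addresses."""
    target = signature(real_pw, ap_addr, client_addrs)
    return [pw for pw in candidates
            if signature(pw, ap_addr, client_addrs) == target]

def narrowing(candidates, real_pw, ap_addr, client_addrs):
    """Size of the consistent set after 1, 2, ... observed addresses."""
    return [len(remaining_candidates(candidates, real_pw, ap_addr, client_addrs[:n]))
            for n in range(1, len(client_addrs) + 1)]

# Constructed sample data, not taken from the talk.
AP_ADDR = bytes.fromhex("020000000001")
CLIENT_ADDRS = [bytes.fromhex("0200000001") + bytes([i]) for i in range(32)]
CANDIDATES = [f"password{i:03d}" for i in range(200)]

if __name__ == "__main__":
    # One number per added address: how many candidates still match.
    print(narrowing(CANDIDATES, "password123", AP_ADDR, CLIENT_ADDRS))
```

Each additional address removes a share of the remaining candidates, which is why a loop whose length depends on the password is unsafe even when a single measurement looks harmless.
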
What about elliptic curves?
Operations performed on points (x, y) where:
- x < p and y < p with p a prime
- y^2 = x^3 + ax + b mod p must hold
→ Need to convert password to point (x, y) on the curve

Hash-to-curve: EAP-pwd
    for (counter = 1; counter < 40; counter++)
        x = hash(pw, counter, addr1, addr2)
        if x >= p: continue
        if square_root_exists(x) and not P:
            return (x, sqrt(x^3 + ax + b))
- EAP-pwd: similar timing leak with elliptic curves

Hash-to-curve: WPA3 (simplified)
    for (counter = 1; counter < 40; counter++)
        x = hash(pw, counter, addr1, addr2)
        if x >= p: continue                    # code below may be skipped!
        if square_root_exists(x) and not P:
            P = (x, sqrt(x^3 + ax + b))
    return P
- WPA3: always do 40 loops & return first P
- Problem for Brainpool curves: high chance that x >= p
- #Times skipped depends on password
→ Simplified, execution time again forms a signature of the password.

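To make the Brainpool problem concrete, the added example below (not code from the talk) counts how many of the 40 rounds hit the `x >= p` skip for the field primes of NIST P-256 and brainpoolP256r1. SHA-256 stands in for the slide's hash(), and the addresses and passwords are constructed; only the skip test is modelled, not the square-root step.

```python
import hashlib

# Field primes of the two curves (the Brainpool prime is from RFC 5639).
CURVES = {
    "NIST P-256": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "brainpoolP256r1": int(
        "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16),
}
LOOPS = 40  # the slide: "always do 40 loops"

# Constructed sample inputs.
ADDR1 = bytes.fromhex("020000000001")
ADDR2 = bytes.fromhex("020000000002")
PASSWORDS = [f"pw{i}" for i in range(30)]

def candidate_x(pw, counter, addr1, addr2):
    """Stand-in for hash(pw, counter, addr1, addr2); an assumption, not WPA3's KDF."""
    data = b"|".join([pw.encode(), bytes([counter]), addr1, addr2])
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rejection_rate(p, bits=256):
    """Probability that a uniform `bits`-bit value is >= p."""
    return 1 - p / 2**bits

def skipped_iterations(pw, p, addr1=ADDR1, addr2=ADDR2):
    """Number of rounds that take the `continue` branch because x >= p."""
    return sum(candidate_x(pw, c, addr1, addr2) >= p
               for c in range(1, LOOPS + 1))

def skip_profile(passwords, p):
    """Skip count per password: constant means no leak through this branch."""
    return {pw: skipped_iterations(pw, p) for pw in passwords}

if __name__ == "__main__":
    for name, p in CURVES.items():
        counts = sorted(set(skip_profile(PASSWORDS, p).values()))
        print(f"{name}: rejection rate {rejection_rate(p):.2e}, skip counts {counts}")
```

For P-256 the prime sits just below 2^256, so the skip essentially never fires; for brainpoolP256r1 about a third of the rounds are skipped and the count differs from password to password, even though the loop always runs 40 times.
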
Cache Attacks

NIST Elliptic Curves
Monitor using Flush+Reload to know in which iteration we are
    for (counter = 1; counter < 40; counter++)
        x = hash(pw, counter, addr1, addr2)
        if x >= p: continue
        if square_root_exists(x) and not P:
            P = (x, sqrt(x^3 + ax + b))        # NIST curves: use Flush+Reload to detect when code is executed
    return P
→ Essentially, we again learn a signature of the password

Cache-attacks in practice
Requires powerful adversary:
- Run unprivileged code on victim's machine
- Act as malicious client/AP within range of victim
Abuse leaked info to recover the password
- Spoof various client addresses similar to timing attack
- Use resulting password signature in dictionary attack

Brute-force Performance
Timing & cache attack result in password signature
- Both use the same brute-force algorithm
Estimate performance on GPUs:
- We can brute-force 10^10 passwords for $1
- MODP / Brainpool: all 8 symbols costs $67
- NIST curves: all 8 symbols costs $14k

Implementation Inspection

Invalid Curve Attack
1. Commit(x', y'): point isn't on curve
2. Commit reply: negotiated key is predictable
3. Confirm phase: guess key and send confirm
Bypasses authentication
→ EAP-pwd: all implementations affected
→ WPA3: only iwd is vulnerable

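The check whose absence the slide describes, written out as an added example (not taken from any of the implementations named above): validate a received commit element before it is used in any key computation. It assumes NIST P-256 and an element encoded as x || y, each a 32-byte big-endian integer; the function and constant names are hypothetical.

```python
# NIST P-256 domain parameters.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
COORD_LEN = 32  # bytes per coordinate

# The curve's base point, used here only as a known-good sample.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

def encode_element(x, y):
    """Encode a point as x || y (assumed wire format for this example)."""
    return x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")

def check_commit_element(element):
    """Return (ok, reason); callers must abort the handshake when ok is False."""
    if len(element) != 2 * COORD_LEN:
        return False, "wrong length"
    x = int.from_bytes(element[:COORD_LEN], "big")
    y = int.from_bytes(element[COORD_LEN:], "big")
    if x >= P or y >= P:
        return False, "coordinate not reduced mod p"
    # y^2 = x^3 + ax + b mod p must hold, as on the elliptic-curve slide.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False, "point is not on the curve"
    return True, "ok"

if __name__ == "__main__":
    samples = {
        "base point": encode_element(GX, GY),
        "y tampered": encode_element(GX, (GY + 1) % P),
        "x out of range": (P).to_bytes(COORD_LEN, "big") + bytes(COORD_LEN),
        "truncated": encode_element(GX, GY)[:-1],
    }
    for name, elem in samples.items():
        print(name, check_commit_element(elem))
```

P-256 has cofactor 1, so for this curve the range and curve-equation checks are sufficient; a curve with a larger cofactor would need an additional subgroup check.
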
Implementation Vulnerabilities II
Bad randomness:
- Can recover password element P
- Aruba's EAP-pwd client for Windows is affected
- With WPA2 bad randomness has lower impact!
Side-channels:
- FreeRADIUS aborts if >10 iterations are needed
- Aruba's EAP-pwd aborts if >30 are needed
- Can use leaked info to recover password

Wi-Fi Specific Attacks

Denial-of-Service Attack
Both peers: convert password to group element P
AP converts password to EC point when client connects
- Conversion is computationally expensive (40 iterations)
- Forging 8 connections/sec saturates AP's CPU