dragonblood weaknesses in
play

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef - PowerPoint PPT Presentation

Oct 05, 2022 β€’1.33k likes β€’1.97k views

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

  1. Dragonblood : Weaknesses in WPA3’s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019.

  2. 2

  3. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session key authentication Forward secrecy Protect against & prevent offline server compromise dictionary attacks 3

  4. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key 4

  5. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key Confirm phase Confirm peer negotiated same key 5

  6. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 6

  7. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 7

  8. What are MODP groups? Operations performed on integers x where: β€Ί x < π‘ž with π‘ž a prime β€Ί 𝑦 π‘Ÿ mod π‘ž = 1 must hold β€Ί π‘Ÿ = #elements in the group οƒ  All operations are MOD ulo the P rime (= MODP) 8

  9. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 9

  10. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P Convert value to a MODP element 10

  11. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P Problem for groups 22-24: high chance that value >= p 11

  12. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: ??? P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 12

  13. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 13

  14. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P No timing leak countermeasures, despite warnings by IETF & CFRG! 14

  15. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P No timing leak countermeasures, despite warnings by IETF & CFRG! 15

  16. IETF mailing list in 2010 β€œ [..] susceptible to side channel (timing) attacks and may leak the shared password. ” β€œ not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.” 16

  17. Leaked information: #iterations needed Client address addrA Measured 17

  18. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 18

  19. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 19

  20. What information is leaked? for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue Spoof client address to obtain P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ different execution & leak new data 20

  21. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 21

  22. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 22

  23. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 23

  24. Leaked information: #iterations needed Client address addrA addrB addrC Measured Forms a signature of the password Password 1 Password 2 Need ~17 addresses to determine password in RockYou dump Password 3 24

  25. Raspberry Pi 1 B+: differences are measurable Hostap AP: ~75 measurements / address 25

  26. What about elliptic curves? Operations performed on points (x, y) where: β€Ί x < π‘ž and y < π‘ž with π‘ž a prime β€Ί 𝑧 2 = 𝑦 3 + 𝑏𝑦 + 𝑐 mod π‘ž must hold οƒ  Need to convert password to point (x,y) on the curve 26

  27. Hash-to-curve: EAP-pwd for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: return (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) 27

  28. Hash-to-curve: EAP-pwd for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: return (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) EAP-pwd: similar timing leak with elliptic curves 28

  29. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P WPA3: always do 40 loops & return first P 29

  30. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P Problem for Bainpool curves: high chance that x >= p 30

  31. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P 31

  32. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P Code may be skipped! 32

  33. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P #Times skipped depends on password 33

  34. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P οƒ  Simplified, execution time again forms a signature of the password. 34

  35. Cache Attacks 35

  36. NIST Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P NIST curves: use Flush+Reload to detect when code is executed 36

  37. NIST Elliptic Curves for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: οƒ  Essentially, we again learn a P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) signature of the password return P 37

  38. Cache-attacks in practice Requires powerfull adversary: β€Ί Run unpriviliged code on victim’s machine β€Ί Act as malicious client/AP within range of victim Abuse leaked info to recover the password β€Ί Spoof various client addresses similar to timing attack β€Ί Use resulting password signature in dictionary attack 38

  39. Brute-force Performance Timing & cache attack result in password signature β€Ί Both use the same brute-force algorithm Estimate performance on GPUs: β€Ί We can brute-force 𝟐𝟏 𝟐𝟏 passwords for $1 β€Ί MODP / Brainpool: all 8 symbols costs $67 β€Ί NIST curves: all 8 symbols costs $14k 39

  40. Implementation Inspection 40

  41. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable 41

  42. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable Commit reply Guess key and send confirm Confirm phase 42

  43. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable Bypasses authentication Commit reply οƒ˜ EAP-pwd: all implementations affected Guess key and οƒ˜ WPA3: only iwd is vulnerable send confirm Confirm phase 43

  44. Implementation Vulnerabilities II Bad randomness : β€Ί Can recover password element P β€Ί Aruba’s EAP -pwd client for Windows is affected β€Ί With WPA2 bad randomness has lower impact! Side-channels : β€Ί FreeRADIUS aborts if >10 iterations are needed β€Ί Aruba’s EAP -pwd aborts if >30 are needed β€Ί Can use leaked info to recover password 44

  45. Wi-Fi Specific Attacks 45

  46. Denial-of-Service Attack Convert password to Convert password to group element P group element P AP converts password to EC point when client connects β€Ί Conversion is computationally expensive ( 40 iterations ) β€Ί Forging 8 connections/sec saturates AP’s CPU 46

Recommend

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

1.04k views β€’ 69 slides
Five weaknesses of ASPIC+ Leila Amgoud amgoud@irit.fr Amgoud (IRIT) Weaknesses of APSIC+ 1 /

Five weaknesses of ASPIC+ Leila Amgoud amgoud@irit.fr Amgoud (IRIT) Weaknesses of APSIC+ 1 /

Five weaknesses of ASPIC+ Leila Amgoud amgoud@irit.fr Amgoud (IRIT) Weaknesses of APSIC+ 1 / 12 Motivation Argumentation = an activity of reason aimed to increase (or decrease) the acceptability of a controversial standpoint by putting

975 views β€’ 38 slides
Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

1.04k views β€’ 45 slides
How UNAIDS works Strengths and weaknesses in the governance of UNAIDS Strengths Inclusiveness

How UNAIDS works Strengths and weaknesses in the governance of UNAIDS Strengths Inclusiveness

How UNAIDS works Strengths and weaknesses in the governance of UNAIDS Strengths Inclusiveness of decision making Involvement of civil society, PLWH Things can change Strengths and weaknesses in the governance of UNAIDS Weaknesses

209 views β€’ 7 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views β€’ 50 slides
Weaknesses of Probabilistic Context-Free Grammars Michael Collins, Columbia University Weaknesses

Weaknesses of Probabilistic Context-Free Grammars Michael Collins, Columbia University Weaknesses

Weaknesses of Probabilistic Context-Free Grammars Michael Collins, Columbia University Weaknesses of PCFGs Lack of sensitivity to lexical information Lack of sensitivity to structural frequencies S NP VP NNP Vt NP IBM bought NNP

805 views β€’ 9 slides
www.redrokk.com 1 Focus Group Goals Qualitative Goals Discover EdCCs

www.redrokk.com 1 Focus Group Goals Qualitative Goals Discover EdCCs

www.redrokk.com 1 Focus Group Goals Qualitative Goals Discover EdCCs obstacles/weaknesses Learn more about the why Stylistic preferences www.redrokk.com 2 Key Weaknesses Key Weaknesses No clear brand identity

559 views β€’ 28 slides
Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

07 Tutorial: Broadphase Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known weaknesses Fixed-timestep weakness All-pairs weakness Pair-processing weakness Two-phase collision detection

833 views β€’ 20 slides
Our Economic Weaknesses Revealed by COVID-19 and What We Can Do about It ECONOMIC

Our Economic Weaknesses Revealed by COVID-19 and What We Can Do about It ECONOMIC

Our Economic Weaknesses Revealed by COVID-19 and What We Can Do about It ECONOMIC OPPORTUNITY INSTITUTE MAY 22, 2020 OPPORTUNITYINSTITUTE.ORG US least prepared of any wealthy country Unlike peer nations, U.S. lacks: Universal health

415 views β€’ 25 slides
WORKSHEET 1: ANALYSIS What are the strengths and weaknesses of your community? How will they

WORKSHEET 1: ANALYSIS What are the strengths and weaknesses of your community? How will they

WORKSHEET 1: ANALYSIS What are the strengths and weaknesses of your community? How will they impact your marketing strategy? Brand Acceleration, Inc. | Indianapolis, IN 317-536-6255 | brandaccel.com WORKSHEET 2: TARGETS Based on your

290 views β€’ 3 slides
Weaknesses, and Opportunities for Improvement Shingai Machingaidze BSc(Hons), MPH Senior

Weaknesses, and Opportunities for Improvement Shingai Machingaidze BSc(Hons), MPH Senior

Vaccination Programs in Africa: Strengths, Weaknesses, and Opportunities for Improvement Shingai Machingaidze BSc(Hons), MPH Senior Scientist South African Medical Research Council 6.9 (6.8-7.4) million children under 5 died in 2011; 19 000

336 views β€’ 23 slides
To determine the level of fitness of students. To identify strengths and weaknesses for

To determine the level of fitness of students. To identify strengths and weaknesses for

To determine the level of fitness of students. To identify strengths and weaknesses for development/improvement To provide a baseline data for selection of physical activities for enhancement of health and skill performance. To

552 views β€’ 38 slides
Knowing Your Sons Learning Style Objectives Know your son Strengths and Weaknesses in

Knowing Your Sons Learning Style Objectives Know your son Strengths and Weaknesses in

Knowing Your Sons Learning Style Objectives Know your son Strengths and Weaknesses in learning. Understand your children's learning needs Identify reasons for underachievement Student/teacher interaction improvement Aware that Learning

204 views β€’ 18 slides
Goals for Today Learning Objective: Contrast strengths/weaknesses of security primitives

Goals for Today Learning Objective: Contrast strengths/weaknesses of security primitives

Goals for Today Learning Objective: Contrast strengths/weaknesses of security primitives Understand design concepts of OS-layer Access Control Announcements, etc: MP3 Soft Extension: Submit by April 25th for -10pts MP4 due

489 views β€’ 26 slides
Background Data Collection Regarding the Strengths/Weaknesses of DDSNs Current Band Payment

Background Data Collection Regarding the Strengths/Weaknesses of DDSNs Current Band Payment

Background Data Collection Regarding the Strengths/Weaknesses of DDSNs Current Band Payment System &amp; Direction for Improvement Presentation to the Legislative Oversight Committee, House of Representatives February 1, 2018 By Interim

975 views β€’ 55 slides
Weaknesses and Failures of Risk Assessment Dr. William L. Oberkampf Consulting Engineer Austin,

Weaknesses and Failures of Risk Assessment Dr. William L. Oberkampf Consulting Engineer Austin,

Weaknesses and Failures of Risk Assessment Dr. William L. Oberkampf Consulting Engineer Austin, Texas wloconsulting@gmail.com International Federation of Information Processing and National Institute of Standards and Technology Workshop on

568 views β€’ 17 slides
Strengths and Weaknesses of Corpus Linguistics in Legal Analysis: A Case Study of the Law and

Strengths and Weaknesses of Corpus Linguistics in Legal Analysis: A Case Study of the Law and

Strengths and Weaknesses of Corpus Linguistics in Legal Analysis: A Case Study of the Law and Language at the European Court of Justice Project Karen McAuliffe k.mcauliffe@bham.ac.uk University of Birmingham @dr_KMcA Goldfarb, Neal, Corpus

708 views β€’ 37 slides
Most frequent DAS errors and systems weaknesses observed by the European Court of Auditors EAGF

Most frequent DAS errors and systems weaknesses observed by the European Court of Auditors EAGF

Most frequent DAS errors and systems weaknesses observed by the European Court of Auditors EAGF Presented by Michael Zenner Head of unit: EAGF - financial audit Important Notice: The following presentation is a personal analysis of the

298 views β€’ 26 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views β€’ 41 slides
EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri

EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri

EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri Blumenthal (analysis done by Sarvar Patel) Member of Technical Staff EAP-SIM Draft and its Security Claims Current EAP-SIM provides

342 views β€’ 7 slides
Performance Monitoring and Measurement: Strengths and Weaknesses Burt S. Barnow George

Performance Monitoring and Measurement: Strengths and Weaknesses Burt S. Barnow George

The U.S. Experience with Performance Monitoring and Measurement: Strengths and Weaknesses Burt S. Barnow George Washington University Prepared for the Conference on More Effective Workforce Programs through Comparative Performance Monitoring

516 views β€’ 12 slides
Strengths and weaknesses of governance mechanisms workshop report 21st February 2018,

Strengths and weaknesses of governance mechanisms workshop report 21st February 2018,

Strengths and weaknesses of governance mechanisms workshop report 21st February 2018, Aberdeen Authors: Anja Byg, Michaela Roberts, Carol Kyle &amp; Sophie Tindale The James Hutton Institute Aberdeen Scotland Contents Summary

610 views β€’ 41 slides
Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei

Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei

Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei Wang Chengyu Song Long Lu Taesoo Kim Wenke Lee Georgia Tech Information Security Center (Rough) System Attack Trends Executing existing code

661 views β€’ 50 slides
Governance of Nanotechnology: EC Code Strengths and Weaknesses Dr Donald M. Bruce Edinethics

Governance of Nanotechnology: EC Code Strengths and Weaknesses Dr Donald M. Bruce Edinethics

Governance of Nanotechnology: EC Code Strengths and Weaknesses Dr Donald M. Bruce Edinethics Ltd. ethics in science and technology 1 Nanotechnologies Human enhancement Stem cells &amp; Cloning Human Genetics GM Food &amp; Animals ethics

264 views β€’ 10 slides

More recommend