
Dragonblood: Weaknesses in WPA3's Dragonfly Handshake (Mathy Vanhoef) - PowerPoint PPT Presentation



  1. Dragonblood: Weaknesses in WPA3's Dragonfly Handshake. Mathy Vanhoef and Eyal Ronen. BruCON, Belgium, 11 October 2019.

  2. (Image slide, no text.)

  3. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE)
     › Negotiate session key
     › Provide mutual authentication
     › Forward secrecy & prevent offline dictionary attacks
     › Protect against server compromise

  4. Dragonfly
     Both sides: convert password to group element P
     Commit phase: negotiate shared key

  5. Dragonfly
     Both sides: convert password to group element P
     Commit phase: negotiate shared key
     Confirm phase: confirm peer negotiated same key

  6. Dragonfly
     Both sides: convert password to group element P
     Commit phase
     Confirm phase
     Supports two crypto groups:
     1. MODP groups
     2. Elliptic curves

  7. (Same content as slide 6.)

  8. What are MODP groups?
     Operations performed on integers x where:
     › x < p with p a prime
     › x^q mod p = 1 must hold
     › q = #elements in the group
     → All operations are MODulo the Prime (= MODP)

  9. Convert password to MODP element
       for (counter = 1; counter < 256; counter++)
           value = hash(pw, counter, addr1, addr2)
           if value >= p: continue
           P = value^((p-1)/q)
           return P

  10. Convert password to MODP element (same code as slide 9)
      Annotation on "P = value^((p-1)/q)": convert value to a MODP element

  11. Convert password to MODP element (same code as slide 9)
      Problem for groups 22-24: high chance that value >= p

  12. Convert password to MODP element (same code as slide 9, with the "continue" replaced by "???": what happens when value >= p?)

  13. Convert password to MODP element (same code as slide 9)

  14. Convert password to MODP element (same code as slide 9)
      No timing leak countermeasures, despite warnings by IETF & CFRG!

  15. Convert password to MODP element (same code as slide 9)
      Annotation on "if value >= p: continue": #iterations depends on password
      No timing leak countermeasures, despite warnings by IETF & CFRG!

  16. IETF mailing list in 2010
      "[..] susceptible to side channel (timing) attacks and may leak the shared password."
      "not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack."

  17. Leaked information: #iterations needed
      (Table: one column, client address addrA; one row, "Measured".)

  18. Leaked information: #iterations needed
      (Table: column addrA; rows Measured, Password 1, Password 2, Password 3.)

  19. (Same table as slide 18.)

  20. What information is leaked? (same code as slide 9)
      Annotation: spoof client address to obtain a different execution & leak new data

  21. Leaked information: #iterations needed
      (Table: columns addrA, addrB; rows Measured, Password 1, Password 2, Password 3.)

  22. (Same table as slide 21.)

  23. Leaked information: #iterations needed
      (Table: columns addrA, addrB, addrC; rows Measured, Password 1, Password 2, Password 3.)

  24. Leaked information: #iterations needed (same table as slide 23)
      Forms a signature of the password
      Need ~17 addresses to determine password in RockYou dump

  25. Raspberry Pi 1 B+: differences are measurable
      Hostap AP: ~75 measurements / address

  26. What about elliptic curves?
      Operations performed on points (x, y) where:
      › x < p and y < p with p a prime
      › y^2 = x^3 + ax + b mod p must hold
      → Need to convert password to point (x, y) on the curve

  27. Hash-to-curve: EAP-pwd
        for (counter = 1; counter < 40; counter++)
            x = hash(pw, counter, addr1, addr2)
            if x >= p: continue
            if square_root_exists(x) and not P:
                return (x, sqrt(x^3 + ax + b))

  28. Hash-to-curve: EAP-pwd (same code as slide 27)
      EAP-pwd: similar timing leak with elliptic curves

  29. Hash-to-curve: WPA3 (simplified)
        for (counter = 1; counter < 40; counter++)
            x = hash(pw, counter, addr1, addr2)
            if x >= p: continue
            if square_root_exists(x) and not P:
                P = (x, sqrt(x^3 + ax + b))
        return P
      WPA3: always do 40 loops & return first P

  30. Hash-to-curve: WPA3 (simplified) (same code as slide 29)
      Problem for Brainpool curves: high chance that x >= p

  31. Hash-to-curve: WPA3 (simplified) (same code as slide 29)

  32. Hash-to-curve: WPA3 (simplified) (same code as slide 29)
      Code may be skipped!

  33. Hash-to-curve: WPA3 (simplified) (same code as slide 29)
      #Times skipped depends on password

  34. Hash-to-curve: WPA3 (simplified) (same code as slide 29)
      → Simplified: execution time again forms a signature of the password.
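The two loop shapes the slides contrast, the early-return loop of slide 9 (iteration count depends on the password) and a fixed-iteration loop in the spirit of the 40-round WPA3 variant of slides 29-34 but without the skipped body, as an added Python example that is not from the slides or from any Dragonfly implementation. It uses MODP arithmetic for both variants to keep the example short, a toy prime and subgroup order constructed for the demo, a SHA-256 stand-in for the real KDF, and constructed MAC-style addresses; Python integers are not constant-time, so the fixed variant shows the control-flow shape of the mitigation rather than a production implementation. The `iteration_signature` helper reproduces the per-address iteration-count vector of slides 17-24, which is the property a reviewer would check: it should be constant across passwords.

```python
"""Added example (not from the slides or from any Dragonfly implementation):
password-to-MODP-element loops with and without a password-dependent
iteration count, plus the per-address iteration-count "signature".

All parameters below are constructed for the demo."""
import hashlib

P_MOD = 2**31 - 1     # Mersenne prime; a 32-bit hash output exceeds it ~50% of the
                      # time, mimicking the high rejection rate reported for groups 22-24
Q_ORD = 151           # divides p-1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331
EXPONENT = (P_MOD - 1) // Q_ORD
MAX_COUNTER = 256     # upper bound used on slide 9


def hash_candidate(pw, counter, addr1, addr2):
    """Simplified stand-in for hash(pw, counter, addr1, addr2): SHA-256, 32-bit output.
    Addresses are hex strings (constructed MAC-like values)."""
    data = pw.encode() + bytes([counter]) + bytes.fromhex(addr1) + bytes.fromhex(addr2)
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def modp_element_leaky(pw, addr1, addr2):
    """Slide-9 loop: returns at the first candidate below p.
    Returns (P, iterations); `iterations` depends on the password."""
    for counter in range(1, MAX_COUNTER):
        value = hash_candidate(pw, counter, addr1, addr2)
        if value >= P_MOD:
            continue                                  # work skipped -> timing differs
        return pow(value, EXPONENT, P_MOD), counter
    raise ValueError("no candidate below p found")    # probability about 2**-255 here


def modp_element_fixed(pw, addr1, addr2, rounds=40):
    """Mitigation shape: always run `rounds` iterations and always exponentiate,
    selecting the first acceptable candidate arithmetically instead of with a
    branch that skips the expensive step. Returns (P, iterations) with
    `iterations` == rounds regardless of the password."""
    chosen, found = 0, 0
    for counter in range(1, rounds + 1):
        value = hash_candidate(pw, counter, addr1, addr2)
        ok = int(value < P_MOD)
        elem = pow(value % P_MOD, EXPONENT, P_MOD)    # computed even when rejected
        take = (1 - found) * ok                       # 1 only for the first acceptable value
        chosen += take * elem
        found |= ok
    if not found:
        raise ValueError("no candidate below p found")  # probability 2**-rounds
    return chosen, rounds


def iteration_signature(pw, client_addrs, ap_addr, element_fn=modp_element_leaky):
    """Iteration count spent per client address (the table of slides 17-24).
    With the leaky loop this vector depends on the password; with the fixed
    loop it is constant."""
    return [element_fn(pw, addr, ap_addr)[1] for addr in client_addrs]


if __name__ == "__main__":
    ap = "66778899aabb"                                    # constructed AP address
    clients = ["00112233445%x" % i for i in range(6)]      # constructed client addresses
    for pw in ("password", "letmein", "correct horse"):    # constructed sample passwords
        print(pw, iteration_signature(pw, clients, ap),
              iteration_signature(pw, clients, ap, modp_element_fixed))
```

Running the block prints, for each sample password, a varying vector from the leaky loop and `[40, 40, 40, 40, 40, 40]` from the fixed loop; both loops return the same element whenever the leaky loop succeeds within 40 rounds.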

  35. Cache Attacks

  36. NIST Elliptic Curves
      Monitor using Flush+Reload to know in which iteration we are (same code as slide 29)
      NIST curves: use Flush+Reload to detect when code is executed

  37. NIST Elliptic Curves (same code as slide 29)
      → Essentially, we again learn a signature of the password

  38. Cache-attacks in practice
      Requires powerful adversary:
      › Run unprivileged code on victim's machine
      › Act as malicious client/AP within range of victim
      Abuse leaked info to recover the password:
      › Spoof various client addresses, similar to timing attack
      › Use resulting password signature in dictionary attack

  39. Brute-force Performance
      Timing & cache attack result in password signature
      › Both use the same brute-force algorithm
      Estimate performance on GPUs:
      › We can brute-force 10^10 passwords for $1
      › MODP / Brainpool: all 8 symbols costs $67
      › NIST curves: all 8 symbols costs $14k

  40. Implementation Inspection

  41. Invalid Curve Attack
      Commit(x', y') where the point isn't on the curve → negotiated key is predictable

  42. Invalid Curve Attack
      Commit(x', y') where the point isn't on the curve → negotiated key is predictable
      Commit reply
      Guess key and send confirm
      Confirm phase

  43. Invalid Curve Attack (same diagram as slide 42)
      Bypasses authentication
      ➤ EAP-pwd: all implementations affected
      ➤ WPA3: only iwd is vulnerable

  44. Implementation Vulnerabilities II
      Bad randomness:
      › Can recover password element P
      › Aruba's EAP-pwd client for Windows is affected
      › With WPA2 bad randomness has lower impact!
      Side-channels:
      › FreeRADIUS aborts if >10 iterations are needed
      › Aruba's EAP-pwd aborts if >30 are needed
      › Can use leaked info to recover password

  45. Wi-Fi Specific Attacks

  46. Denial-of-Service Attack
      Both sides: convert password to group element P
      AP converts password to EC point when client connects
      › Conversion is computationally expensive (40 iterations)
      › Forging 8 connections/sec saturates AP's CPU
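The check whose absence slides 41-43 describe, validating a peer's commit element before it enters key negotiation, as an added Python example that is not from the slides or from any Dragonfly implementation. The curve y^2 = x^3 + 2x + 3 over F_97, the points (3, 6) and (3, 7), and the `derive_key` placeholder are all constructed for the demo; the names `InvalidCommit`, `validate_commit_point` and the two `handle_commit_*` functions are hypothetical. The vulnerable shape passes the received point straight to key derivation; the hardened shape rejects anything that is not a reduced field element on the curve.

```python
"""Added example (not from the slides or any Dragonfly implementation):
validating a received commit point before it is used, the missing check
behind an invalid-curve attack. Toy curve parameters are constructed."""

# Constructed toy curve y^2 = x^3 + A*x + B over F_p (not a standardised curve).
P_MOD = 97
A_COEF = 2
B_COEF = 3


class InvalidCommit(ValueError):
    """Raised when a peer's commit element fails validation (hypothetical name)."""


def is_on_curve(x, y):
    """Curve-equation check: y^2 == x^3 + A*x + B (mod p)."""
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % P_MOD == 0


def validate_commit_point(x, y):
    """Reject a received (x, y) unless both coordinates are reduced field
    elements and the point satisfies the curve equation. Returns the point."""
    if not (isinstance(x, int) and isinstance(y, int)):
        raise InvalidCommit("coordinates must be integers")
    if not (0 <= x < P_MOD and 0 <= y < P_MOD):
        raise InvalidCommit("coordinate outside the field")
    if not is_on_curve(x, y):
        raise InvalidCommit("point is not on the curve")
    return (x, y)


def handle_commit_unchecked(x, y, derive_key):
    """Vulnerable shape: the peer's element goes straight into key derivation."""
    return derive_key((x, y))


def handle_commit_checked(x, y, derive_key):
    """Hardened shape: validation happens before any arithmetic on the element."""
    return derive_key(validate_commit_point(x, y))


def demo_commit_handling():
    """Feed a constructed off-curve point (3, 7) to both handlers and report
    which accepted it. (3, 6) is on the curve since 36 == 27 + 6 + 3 mod 97;
    (3, 7) is not since 49 != 36."""
    derive_key = lambda pt: ("key-derived-from", pt)   # placeholder, not a real KDF
    accepted_by_unchecked = handle_commit_unchecked(3, 7, derive_key) is not None
    try:
        handle_commit_checked(3, 7, derive_key)
        accepted_by_checked = True
    except InvalidCommit:
        accepted_by_checked = False
    return accepted_by_unchecked, accepted_by_checked


if __name__ == "__main__":
    print("valid point accepted:", validate_commit_point(3, 6))
    print("(unchecked, checked) accepted off-curve point:", demo_commit_handling())
```

On a real curve the same function should also reject the point at infinity and, where the curve has a cofactor greater than one, confirm the point lies in the prime-order subgroup; those checks are omitted here because the toy curve's group order is not part of the demo.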
