dragonfly handshake of
play

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen - PowerPoint PPT Presentation

Sep 01, 2023 •520 likes •1.58k views

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

  1. Hash-to-curve: WPA3 for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P 28

  2. Hash-to-curve: WPA3 for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P WPA3: always do 40 loops & return first P 28

  3. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) Blinded constant time pw = rand() square root test return P 29

  4. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Extra iterations based on random password 30

  5. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Are we Safe? 31

  6. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue Truncate to size of prime p if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P 32

  7. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) Brainpool: 𝑞 = 0xA9FB57DBA1EEA9BC… pw = rand()  High chance that x >= p return P 33

  8. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue = rejection sampling if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P 34

  9. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Code may be skipped 35

  10. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P #Times skipped depends on password 36

  11. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P #Times skipped depends on password & random password in extra itreations 37

  12. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Variance ~ when password element was found 38

  13. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Variance ~ when password element was found Average ~ when found & #iterations code skipped 39

  14. Raspberry Pi 1 B+ 40

  15. Raspberry Pi 1 B+ WPA3 AP (Hostap): ~300 measurements / address Using Crosby’s box test 40

  16. Cache Attacks 41

  17. Threat Model 42

  18. Threat Model 42

  19. Threat Model 42

  20. Cache attack on NIST curves for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: NIST: 𝑞 = 0x0xFFFFFFFF00000001000… P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 )  Negligible chance that x >= p pw = rand() return P 43

  21. Cache attack on NIST curves for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() NIST curves: use Flush+Reload to return P detect when code is executed 44

  22. Cache attack on NIST curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() NIST curves: use Flush+Reload to return P detect when code is executed 44

  23. Attacking client: Intel Core i7-7500 45

  24. Attacking client: Intel Core i7-7500 WPA3 client (Hostap): ~20 measurements / address Using Linear Classifier 46

  25. Detailed Analysis: See Paper › Estimate required #(spoofed MAC addresses): 47

  26. Detailed Analysis: See Paper › Estimate required #(spoofed MAC addresses): › Offline brute-force cost: 47

  27. Password Brute-force Cost 48

  28. Implementation Inspection 49

  29. Invalid Curve Attack Commit(x’, y’) 50

  30. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) 50

  31. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable 50

  32. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable Commit reply Guess key and send confirm 50

  33. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable Commit reply Guess key and send confirm Confirm phase 50

  34. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable Bypasses authentication Commit reply  EAP-pwd: all implementations affected Guess key and  WPA3: only iwd is vulnerable send confirm Confirm phase 50

  35. Reflection Attack: EAP-pwd example association 51

  36. Reflection Attack: EAP-pwd example association Commit(x, y) 51

  37. Reflection Attack: EAP-pwd example association Commit(x, y) Reflect frame Commit(x, y) 51

  38. Reflection Attack: EAP-pwd example association Commit(x, y) Reflect frame Commit(x, y) Confirm 51

  39. Reflection Attack: EAP-pwd example association Commit(x, y) Reflect frame Commit(x, y) Confirm Reflect frame Confirm 51

  40. Reflection Attack: EAP-pwd example association Commit(x, y) Authenticate as victim Reflect frame Commit(x, y)  EAP-pwd: all servers are vulnerable Confirm  WPA3: old wpa_supplicants affected Reflect frame Confirm 51

  41. Other Implementation Vulnerabilities Bad randomness : › Can recover password element P › Aruba’s EAP -pwd client for Windows is affected › With WPA2 bad randomness has lower impact! 52

  42. Other Implementation Vulnerabilities Bad randomness : › Can recover password element P › Aruba’s EAP -pwd client for Windows is affected › With WPA2 bad randomness has lower impact! Side-channels : › FreeRADIUS aborts if >10 iterations are needed › Aruba’s EAP -pwd aborts if >30 are needed › Can use leaked info to recover password 52

  43. Wi-Fi Specific Attacks 54

  44. Denial-of-Service Attack Convert password to Convert password to group element P group element P AP converts password to EC point when client connects › Conversion is computationally expensive ( 40 iterations ) › Forging 8 connections/sec saturates AP’s CPU 55

  45. Downgrade Attacks Transition mode: WPA2/3 use the same password › WPA2’s handshake detects downgrades 56

  46. Downgrade Attacks Transition mode: WPA2/3 use the same password › WPA2’s handshake detects downgrades › Performing partial WPA2 handshake  dictionary attacks 56

  47. Downgrade Attacks Transition mode: WPA2/3 use the same password › WPA2’s handshake detects downgrades › Performing partial WPA2 handshake  dictionary attacks Handshake can be performed with multiple curves › Initiator proposes curve & responder accepts/rejects › Spoof reject messages to downgrade used curve 56

  48. Implementation-specific downgrades › Clone WPA3-only network & advertise it only supports WPA2 iwd 57

  49. Implementation-specific downgrades › Clone WPA3-only network & advertise it only supports WPA2 › Galaxy S10 & iwd connected using the WPA3-only password › Results in trivial dictionary attack iwd 57

  50. Disclosure 58

  51. Disclosure process Notified parties early with hope to influence WPA3 Reaction of the Wi-Fi Alliance › Privately created backwards-compatible security guidelines › 2 nd disclosure round to address Brainpool side-channels › Nov 2019 : Updated guidelines now prohibit Brainpool curves 59

  52. Latest Wi-Fi Alliance guidelines (Nov 2019) › “implementations must avoid [..] side - channels” 60

  53. Latest Wi-Fi Alliance guidelines (Nov 2019) › “implementations must avoid [..] side - channels” › If WPA3-Transition “doesn’t meet security requirements” , then seperate passwords 60

  54. Latest Wi-Fi Alliance guidelines (Nov 2019) › “implementations must avoid [..] side - channels” › If WPA3-Transition “doesn’t meet security requirements” , then seperate passwords › “Failure to implement...”  how can it be checked? 60

  55. Fundamental issue still unsolved › Hard to implement in constant time › On lightweight devices, doing 40 iterations is too costly 61

  56. Fundamental issue still unsolved › Hard to implement in constant time › On lightweight devices, doing 40 iterations is too costly Draft IEEE 802.11 standard has been updated › Exclude MAC addresses from hash2curve Allows offline computation of password element › Now uses constant-time hash2curve › Explicitly prohibit use of weak EC & MODP groups › Prevent crypto group downgrade attack 61

  57. Remaining issues Message transcript is not included in key derivation › Prevents formal proof of protocol › High risk of implementation issues › E.g. prevention of crypto group downgrade attack 62

Recommend

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

1.04k views • 45 slides
Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views • 56 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views • 50 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New York, 10 January 2020. Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) Broken in 2001 [FMS01] 2003:

818 views • 62 slides
Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

2/7/2012 Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly, Project 1 Provide overview of Dragonfly architecture Class diagrams Discuss details needed to fully implement Dragonfly classes

900 views • 42 slides
Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

1.04k views • 69 slides
Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program execution Concurrency A property that allows several vessels of execution to be run without a predefined order. Parallelism A property that

625 views • 23 slides
Clockless IC Design using Handshake Technology Ad Peeters Handshake Solutions Philips

Clockless IC Design using Handshake Technology Ad Peeters Handshake Solutions Philips

Clockless IC Design using Handshake Technology Ad Peeters Handshake Solutions Philips Electronics Philips Semiconductors Philips Corporate Technologies Philips Medical Systems Lighting, ... Philips Research Philips IP &amp; Standards,

474 views • 26 slides
Create a Handshake Account 1. Log into go.ucr.edu/ucrhandshake with your UCR username and

Create a Handshake Account 1. Log into go.ucr.edu/ucrhandshake with your UCR username and

Create a Handshake Account 1. Log into go.ucr.edu/ucrhandshake with your UCR username and password. 2. Complete your UCR Handshake profile by adding your resume, photos, skills and more. Make your profile public to employers. 3. Click Jobs

551 views • 24 slides
Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Traffic Pattern-based C Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah, Xin Yuan Mike Lang Florida State University Los Alamos National Laboratory Motivation Dragonfly has been known as a

491 views • 33 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views • 65 slides
Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g ,

Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g ,

handshake 1 Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g , where K fg can be hash AB authentication not mutual connection hijacking off-line password attack compromise of database

424 views • 16 slides
Student Login Path: My Baker My Services Career Services Handshake

Student Login Path: My Baker My Services Career Services Handshake

Student Login Path: My Baker My Services Career Services Handshake Handshake (Single Sign-on) My Profile How do I edit my education information? Uploading Resume Click on your name towards the top right

551 views • 22 slides
Asynchronous circuit technology is on the market Overview Introduction Handshake

Asynchronous circuit technology is on the market Overview Introduction Handshake

Asynchronous circuit technology is on the market Overview Introduction Handshake Solutions Handshake Technology Counting asynchronous millionaires More metrics # trained people # competition # asynchronous

528 views • 36 slides
1 Description Mur Modeling Prior to 4-way handshake, we assume:

1 Description Mur Modeling Prior to 4-way handshake, we assume:

Scenario: 802.11 Analysis of 4-way handshake protocol in IEEE 802.11i Wired Network Changhua He Stanford University Security ! Mar. 04, 2004 An example of a 802.11 wireless local area network History of Security Concerns Terms

285 views • 3 slides
Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip Dinosaur / Dragon ? Dragonfly CarrierWave Anyone? GitHub stats CarrierWave - 3046 watchers, 390 forks Paperclip - 4294 watchers, 877 forks

658 views • 22 slides
Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas Water Supply is from springs? Wow thats why its so clean! Then what happens after people use it? PUMP STATION &amp; TREATMENT Well Drago.

364 views • 13 slides
PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

11/18/2019 MISSISSIPPI SWANA DRONES &amp; SOLID WASTE Presented By: Edward Schmalfeld, P.E. PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly AeroSolutions Headquartered in Jacksonville, Florida

287 views • 8 slides
Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA

Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA

Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA Seabirds Technical Working Group 5 October 2009 Outline Data collection and grooming 1 Diaries and forms Data entry Reconciliation Summary

220 views • 20 slides
Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy Vanhoef, Domien Schepers, Frank Piessens imec-DistriNet, KU Leuven Asia CCS 2017 Introduction More and more Wi-Fi network use encryption: 2010 Most

531 views • 19 slides
Modernizing Legacy Equipment Permitting no longer just a handshake with landowner

Modernizing Legacy Equipment Permitting no longer just a handshake with landowner

Modernizing Legacy Equipment Permitting no longer just a handshake with landowner Typically digital stations require larger footprint Telemetry Long distance radio links and phone lines Limited success so far with digital VHF

166 views • 4 slides
WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy Vanhoef - @vanhoefm Black Hat, 27 July 2017 In collaboration with Domien Schepers and Frank Piessens Introduction More and more Wi-Fi network use

414 views • 26 slides
T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends? http://miTLS.org Karthik Bhargavan Markulf Kohlweiss with Antoine Delignat-Lavaud, Cdric Fournet, Alfredo Pironti, Pierre-Yves Strub, Santiago Zanella

639 views • 46 slides
Citizen Scientists Study Mercury in Dragonfly Larvae from National Parks Colleen Flanagan,

Citizen Scientists Study Mercury in Dragonfly Larvae from National Parks Colleen Flanagan,

Citizen Scientists Study Mercury in Dragonfly Larvae from National Parks Colleen Flanagan, Ecologist, National Park Service Air Resources Dr. Sarah Nelson, Associate Professor, University of Maine National Association of Interpretation

639 views • 24 slides

More recommend