PDF Editor
PDF Converter
Image Converter
Video Converter
Audio Converter
File Compressor
dragonblood a security analysis

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy - PowerPoint PPT Presentation

Jul 31, 2023 β€’341 likes β€’1.04k views

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

  1. Dragonblood: A Security Analysis of WPA3’s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019.

  2. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session key authentication Forward secrecy Protect against & prevent offline server compromise dictionary attacks 2

  3. Dragonfly 3

  4. Dragonfly Convert password to Convert password to group element P group element P 4

  5. Dragonfly Convert password to Convert password to group element P group element P Commit phase 5

  6. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key 6

  7. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key Confirm phase 7

  8. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key Confirm phase Confirm peer negotiated same key 8

  9. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 9

  10. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 10

  11. What are MODP groups? Operations performed on integers x where: β€Ί x < π‘ž with π‘ž a prime β€Ί 𝑦 π‘Ÿ mod π‘ž = 1 must hold β€Ί π‘Ÿ = #elements in the group οƒ  All operations are MOD ulo the P rime (= MODP) 11

  12. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 12

  13. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P Convert value to a MODP element 13

  14. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P Problem for groups 22-24: high chance that value >= p 14

  15. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: ??? P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 15

  16. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 16

  17. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 17

  18. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P No timing leak countermeasures, despite warnings by IETF & CFRG! 18

  19. IETF mailing list in 2010 β€œ [..] susceptible to side channel (timing) attacks and may leak the shared password. I'd therefore recommend [excluding the MAC addresses]. ” β€œ not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.” 19

  20. Leaked information: #iterations needed Client address addrA Measured 20

  21. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 21

  22. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 22

  23. What information is leaked? for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue Spoof client address to obtain P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ different execution & leak new data 23

  24. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 24

  25. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 25

  26. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 26

  27. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Need ~17 addresses to determine password in RockYou ( ~𝟐𝟏 πŸ– ) dump Password 3 27

  28. Leaked information: #iterations needed Client address addrA addrB addrC Measured Forms a signature of the password Password 1 Password 2 Need ~17 addresses to determine password in RockYou ( ~𝟐𝟏 πŸ– ) dump Password 3 28

  29. Raspberry Pi 1 B+: differences are measurable Hostap AP: ~75 measurements / address 29

  30. What about elliptic curves? Operations performed on points (x, y) where: β€Ί x < π‘ž and y < π‘ž with π‘ž a prime β€Ί 𝑧 2 = 𝑦 3 + 𝑏𝑦 + 𝑐 mod π‘ž must hold οƒ  Need to convert password to point (x,y) on the curve 30

  31. Hash-to-curve: EAP-pwd for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: return (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) EAP-pwd: similar timing leak with elliptic curves 31

  32. Hash-to-curve: WPA3 for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() WPA3: always do 40 return P loops & return first P 32

  33. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Extra iterations based on random password 33

  34. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() Problem for Bainpool curves: return P high chance that x >= p 34

  35. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P 35

  36. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Code may be skipped 36

  37. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P #Times skipped depends on password 37

  38. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P #Times skipped depends on password & random password in extra itreations 38

  39. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Variance ~ when password element was found 39

  40. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Variance ~ when password element was found Average ~ when found & #iterations code skipped 40

  41. Raspberry Pi 1 B+ Hostap (WPA3): ~300 measurements / address 41

  42. Cache Attacks 42

  43. NIST Elliptic Curves for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() NIST curves: use Flush+Reload to return P detect when code is executed 43

  44. NIST Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() NIST curves: use Flush+Reload to return P detect when code is executed 44

  45. Bainpool Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() Brainpool curves: use Flush+Reload return P to detect when code is executed 45

Recommend

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

860 views β€’ 71 slides
Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

1.04k views β€’ 45 slides
Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views β€’ 56 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views β€’ 50 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views β€’ 110 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views β€’ 105 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

644 views β€’ 36 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New York, 10 January 2020. Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) Broken in 2001 [FMS01] 2003:

818 views β€’ 62 slides
Security, Security, Security Presentation to NSAI Consultation Meeting Chinese National Body

Security, Security, Security Presentation to NSAI Consultation Meeting Chinese National Body

Chinese NB presentation: Security, Security, Security Dublin, Ireland, Feb. 22, 2006 Security, Security, Security Presentation to NSAI Consultation Meeting Chinese National Body Feb. 22, 2006 Thank you Mr. Chairman, Chinese National

240 views β€’ 7 slides
UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE

UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE

UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE Maritime Security - Commercial Shipping Security - Cruise Liner Security - Super-Yacht Security Maritime Security Services UCP GROUP is a market

247 views β€’ 22 slides
Xpanda security gates Security solutions Retail security gate solutions Industrial

Xpanda security gates Security solutions Retail security gate solutions Industrial

STOREFRONT PROTECTION Xpanda security gates Security solutions Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Access control security gate solutions Office building

406 views β€’ 13 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views β€’ 19 slides
OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers Cryptography Network security System security Web security (recap) Protection File systems implement a protection system Who

800 views β€’ 30 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

459 views β€’ 18 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views β€’ 18 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views β€’ 17 slides
ROUNDERS (1998) CASINO ROYALE (2006) HAND RANKINGS HIGH CARD HAND RANKINGS PAIR HIGH CARD

ROUNDERS (1998) CASINO ROYALE (2006) HAND RANKINGS HIGH CARD HAND RANKINGS PAIR HIGH CARD

ROUNDERS (1998) CASINO ROYALE (2006) HAND RANKINGS HIGH CARD HAND RANKINGS PAIR HIGH CARD HAND RANKINGS TWO PAIR PAIR HIGH CARD HAND RANKINGS THREE OF A KIND TWO PAIR PAIR HIGH CARD HAND RANKINGS STRAIGHT THREE OF A KIND TWO PAIR

1.1k views β€’ 106 slides
Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect

Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect

Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect Performance Engineering Team bgregg@netflix.com @brendangregg Porting these to Linux Massive Amazon EC2 Linux cloud Tens of thousands of

864 views β€’ 75 slides
DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer {vlk, ilebedev, saman, devadas, emer}@csail.mit.edu MICRO'18

950 views β€’ 78 slides
An Open Framework for Architecting TEEs Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song,

An Open Framework for Architecting TEEs Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song,

An Open Framework for Architecting TEEs Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song, and Krste Asanovic Trusted Execution Environment (TEE) Applications User Program and Data Remote OS Attestation Trustworthy Hardware

815 views β€’ 50 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views β€’ 21 slides
Active Access: A Mechanism for High-Performance Distributed Data-Centric Computations M ACIEJ B

Active Access: A Mechanism for High-Performance Distributed Data-Centric Computations M ACIEJ B

spcl.inf.ethz.ch @spcl_eth Active Access: A Mechanism for High-Performance Distributed Data-Centric Computations M ACIEJ B ESTA , T ORSTEN H OEFLER spcl.inf.ethz.ch @spcl_eth R EMOTE M EMORY A CCESS (RMA) P ROGRAMMING spcl.inf.ethz.ch

974 views β€’ 66 slides
Installing slides into electronic enclosures Installing slides into electronic enclosures 2012

Installing slides into electronic enclosures Installing slides into electronic enclosures 2012

Installing slides into electronic enclosures Installing slides into electronic enclosures 2012 DISTRIBUTION Standard width dimensions 5/8 15.87mm 5/8 15.87mm EIA cabinets have to 1/2 12.70mm have the standard 1U 1U=44.45mm

335 views β€’ 16 slides
Drive-Thru: Drive-Thru: Fast, Accurate Evaluation of Fast, Accurate Evaluation of Storage Power

Drive-Thru: Drive-Thru: Fast, Accurate Evaluation of Fast, Accurate Evaluation of Storage Power

Drive-Thru: Drive-Thru: Fast, Accurate Evaluation of Fast, Accurate Evaluation of Storage Power Management Storage Power Management Daniel Peek Jason Flinn University of Michigan 1 Power Management Needed Power Management Needed

587 views β€’ 34 slides

More recommend

Logo Sambuz

Unleash a World of Digital Possibilitiesβ€”Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Blogs Contact

Newsletter

Stay Informed & Inspiredβ€”Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2025 SAMBUZ, All right reserved.