dragonblood a security analysis
play

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy - PowerPoint PPT Presentation

Jul 31, 2023 •341 likes •1.04k views

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

  1. Dragonblood: A Security Analysis of WPA3’s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019.

  2. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session key authentication Forward secrecy Protect against & prevent offline server compromise dictionary attacks 2

  3. Dragonfly 3

  4. Dragonfly Convert password to Convert password to group element P group element P 4

  5. Dragonfly Convert password to Convert password to group element P group element P Commit phase 5

  6. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key 6

  7. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key Confirm phase 7

  8. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key Confirm phase Confirm peer negotiated same key 8

  9. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 9

  10. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 10

  11. What are MODP groups? Operations performed on integers x where: › x < 𝑞 with 𝑞 a prime › 𝑦 𝑟 mod 𝑞 = 1 must hold › 𝑟 = #elements in the group  All operations are MOD ulo the P rime (= MODP) 11

  12. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P 12

  13. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P Convert value to a MODP element 13

  14. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P Problem for groups 22-24: high chance that value >= p 14

  15. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: ??? P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P 15

  16. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P 16

  17. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P 17

  18. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 return P No timing leak countermeasures, despite warnings by IETF & CFRG! 18

  19. IETF mailing list in 2010 “ [..] susceptible to side channel (timing) attacks and may leak the shared password. I'd therefore recommend [excluding the MAC addresses]. ” “ not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.” 19

  20. Leaked information: #iterations needed Client address addrA Measured 20

  21. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 21

  22. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 22

  23. What information is leaked? for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue Spoof client address to obtain P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 different execution & leak new data 23

  24. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 24

  25. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 25

  26. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 26

  27. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Need ~17 addresses to determine password in RockYou ( ~𝟐𝟏 𝟖 ) dump Password 3 27

  28. Leaked information: #iterations needed Client address addrA addrB addrC Measured Forms a signature of the password Password 1 Password 2 Need ~17 addresses to determine password in RockYou ( ~𝟐𝟏 𝟖 ) dump Password 3 28

  29. Raspberry Pi 1 B+: differences are measurable Hostap AP: ~75 measurements / address 29

  30. What about elliptic curves? Operations performed on points (x, y) where: › x < 𝑞 and y < 𝑞 with 𝑞 a prime › 𝑧 2 = 𝑦 3 + 𝑏𝑦 + 𝑐 mod 𝑞 must hold  Need to convert password to point (x,y) on the curve 30

  31. Hash-to-curve: EAP-pwd for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: return (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) EAP-pwd: similar timing leak with elliptic curves 31

  32. Hash-to-curve: WPA3 for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() WPA3: always do 40 return P loops & return first P 32

  33. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Extra iterations based on random password 33

  34. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() Problem for Bainpool curves: return P high chance that x >= p 34

  35. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P 35

  36. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Code may be skipped 36

  37. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P #Times skipped depends on password 37

  38. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P #Times skipped depends on password & random password in extra itreations 38

  39. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Variance ~ when password element was found 39

  40. Hash-to-curve: WPA3 for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() return P Variance ~ when password element was found Average ~ when found & #iterations code skipped 40

  41. Raspberry Pi 1 B+ Hostap (WPA3): ~300 measurements / address 41

  42. Cache Attacks 42

  43. NIST Elliptic Curves for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() NIST curves: use Flush+Reload to return P detect when code is executed 43

  44. NIST Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() NIST curves: use Flush+Reload to return P detect when code is executed 44

  45. Bainpool Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) pw = rand() Brainpool curves: use Flush+Reload return P to detect when code is executed 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

1.04k views • 45 slides
Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views • 56 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views • 50 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views • 105 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University

Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University

Software Security Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University Nijmegen 1 Static analysis aka source code analysis Automated analysis at compile time to find potential bugs Broad range of

499 views • 36 slides
Improvements in Transportation Security Analysis from a Complex Risk Mitigation Framework for the

Improvements in Transportation Security Analysis from a Complex Risk Mitigation Framework for the

Improvements in Transportation Security Analysis from a Complex Risk Mitigation Framework for the Security of International Spent Nuclear Fuel Transportation Adam D. Williams Global Security Research &amp; Analysis Sandia National Laboratories

505 views • 13 slides
Security and Emo0on: Sen0ment Analysis of Security Discussions

Security and Emo0on: Sen0ment Analysis of Security Discussions

Security and Emo0on: Sen0ment Analysis of Security Discussions on GitHub @DanielPletea @b_vasilescu @aserebrenik Eindhoven University of Technology, NL SEC NEG :

204 views • 7 slides
Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1 Overview Elements of Risk Analysis Quantitative vs Qualitative Analysis One Risk Analysis framework Slide #2 Reading Material Chapter

706 views • 32 slides
Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1 Overview Elements of Risk Analysis Quantitative vs Qualitative Analysis One Risk Analysis framework Slide #2 Reading Material Chapter

793 views • 32 slides
Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1

Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1

Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1 Introduction 10+ years of web development experience IT security background Web application security Incremental static code analysis

881 views • 73 slides
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian Roth , Timothy Barron, Stefano Calzavara, Nick Nikiforakis &amp; Ben Stock Network and Distributed System Security Symposium (NDSS '20) Cross-Site

878 views • 31 slides
Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline

Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline

Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline TLS overview TLS Record Protocol Theory Attacks Security analysis TLS Handshake Protocol Security analysis Discussion 2

1.78k views • 173 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr Contents 1. Introduction 1.1 Motivation 1.2 Related Works Analysis 1.2.1 OpenFlow: A Security Analysis 1.2.2 OpenFlow Vulnerability Assessment

345 views • 30 slides
ROUNDERS (1998) CASINO ROYALE (2006) HAND RANKINGS HIGH CARD HAND RANKINGS PAIR HIGH CARD

ROUNDERS (1998) CASINO ROYALE (2006) HAND RANKINGS HIGH CARD HAND RANKINGS PAIR HIGH CARD

ROUNDERS (1998) CASINO ROYALE (2006) HAND RANKINGS HIGH CARD HAND RANKINGS PAIR HIGH CARD HAND RANKINGS TWO PAIR PAIR HIGH CARD HAND RANKINGS THREE OF A KIND TWO PAIR PAIR HIGH CARD HAND RANKINGS STRAIGHT THREE OF A KIND TWO PAIR

1.1k views • 106 slides
Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect

Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect

Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect Performance Engineering Team bgregg@netflix.com @brendangregg Porting these to Linux Massive Amazon EC2 Linux cloud Tens of thousands of

864 views • 75 slides
DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer {vlk, ilebedev, saman, devadas, emer}@csail.mit.edu MICRO'18

949 views • 78 slides
An Open Framework for Architecting TEEs Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song,

An Open Framework for Architecting TEEs Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song,

An Open Framework for Architecting TEEs Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song, and Krste Asanovic Trusted Execution Environment (TEE) Applications User Program and Data Remote OS Attestation Trustworthy Hardware

815 views • 50 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views • 21 slides
Active Access: A Mechanism for High-Performance Distributed Data-Centric Computations M ACIEJ B

Active Access: A Mechanism for High-Performance Distributed Data-Centric Computations M ACIEJ B

spcl.inf.ethz.ch @spcl_eth Active Access: A Mechanism for High-Performance Distributed Data-Centric Computations M ACIEJ B ESTA , T ORSTEN H OEFLER spcl.inf.ethz.ch @spcl_eth R EMOTE M EMORY A CCESS (RMA) P ROGRAMMING spcl.inf.ethz.ch

974 views • 66 slides
Installing slides into electronic enclosures Installing slides into electronic enclosures 2012

Installing slides into electronic enclosures Installing slides into electronic enclosures 2012

Installing slides into electronic enclosures Installing slides into electronic enclosures 2012 DISTRIBUTION Standard width dimensions 5/8 15.87mm 5/8 15.87mm EIA cabinets have to 1/2 12.70mm have the standard 1U 1U=44.45mm

335 views • 16 slides
Drive-Thru: Drive-Thru: Fast, Accurate Evaluation of Fast, Accurate Evaluation of Storage Power

Drive-Thru: Drive-Thru: Fast, Accurate Evaluation of Fast, Accurate Evaluation of Storage Power

Drive-Thru: Drive-Thru: Fast, Accurate Evaluation of Fast, Accurate Evaluation of Storage Power Management Storage Power Management Daniel Peek Jason Flinn University of Michigan 1 Power Management Needed Power Management Needed

587 views • 34 slides

More recommend