dragonblood analyzing the dragonfly
play

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd - PowerPoint PPT Presentation

Oct 06, 2022 •570 likes •1.04k views

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

  1. Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019.

  2. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session key authentication Forward secrecy Protect against & prevent offline server compromise dictionary attacks 2

  3. Dragonfly Convert password to Convert password to elliptic curve point P elliptic curve point P Commit phase Confirm phase 3

  4. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P 4

  5. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P In practice always true 5

  6. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue Problem: value >= p P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P In practice always true 6

  7. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P 7

  8. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P 8

  9. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 if P > 1: return P No timing leak countermeasures despite warnings by IETF & CFRG! 9

  10. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue WPA3: spoof client address P = 𝑤𝑏𝑚𝑣𝑓 (𝑞−1)/𝑟 to obtain different executions if P > 1: return P No timing leak countermeasures despite warnings by IETF & CFRG! 10

  11. Raspberry Pi 1 B+: differences are measurable 11

  12. Raspberry Pi 1 B+: differences are measurable Hostap (WPA3): ~75 measurements / address iwd (EAP-pwd): ~30 measurements / address 12

  13. Leaked information: #iterations needed Client address addrA Measured 13

  14. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 14

  15. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 15

  16. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 16

  17. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 17

  18. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 18

  19. Leaked information: #iterations needed Client address addrA addrB addrC Measured forms a signature of the password Password 1 Password 2 Need ~17 addresses to test ~ 10 7 passwords Password 3 19

  20. What about elliptic curves? Hash-to-group with elliptic curves also affected? › By default Dragonfly uses NIST curves › Timing leaks for NIST curves are mitigated Dragonfly also supports Brainpool curves › After our initial disclosure, the Wi-Fi Alliace private created guidelines that mention these are secure to use › Bad news: Brainpool curves in Dragonfly are insecure 20

  21. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 21

  22. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b Problem: no solution for y if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 22

  23. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 23

  24. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 24

  25. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b Problem: different passwords if is_quadratic_residue(y_sqr) and not x: have different execution time x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 25

  26. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x : x = value pw = random()  Always execute at y = sqrt(x^3 + a * x + b) least k iterations return (x, y) 26

  27. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x : x = value In case quadratic test pw = random() is not constant time y = sqrt(x^3 + a * x + b) return (x, y) 27

  28. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b Problem: value >= p if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 28

  29. Hash-to-curve May be true for for (counter = 1; counter < k or not x; counter++) Brainpool curves! value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 29

  30. Hash-to-curve May be true for for (counter = 1; counter < k or not x; counter++) Brainpool curves! value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value Quadratic test may be skipped pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 30

  31. Hash-to-curve May be true for for (counter = 1; counter < k or not x; counter++) Brainpool curves! value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value Quadratic test may be skipped pw = random() y = sqrt(x^3 + a * x + b) A random #(extra iterations) return (x, y) have a too big hash output 31

  32. Influence of extra iterations Execution 1 32

  33. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 33

  34. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 34

  35. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 Variance ~ when password element was found 35

  36. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 Variance ~ when password element was found Average ~ when found and #iterations with big hash 36

  37. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 Variance ~ when password element was found Average ~ when found and #iterations with big hash  Again forms a signature of the password 37

  38. Raspberry Pi 1 B+ 38

  39. Raspberry Pi 1 B+ Hostap (WPA3): ~300 measurements / address 39

  40. Cache Attacks 40

  41. Hash-to-curve: Quadratic Residue for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() NIST curves: use Flush+Reload to y = sqrt(x^3 + a * x + b) detect if code is executed in 1 st iteration return (x, y) 41

  42. Hash-to-curve: Quadratic Residue Use as clock to detect in which iteration we are for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() NIST curves: use Flush+Reload to y = sqrt(x^3 + a * x + b) detect if code is executed in 1 st iteration return (x, y) 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views • 56 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views • 50 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views • 105 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New York, 10 January 2020. Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) Broken in 2001 [FMS01] 2003:

818 views • 62 slides
Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

1.04k views • 69 slides
Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

2/7/2012 Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly, Project 1 Provide overview of Dragonfly architecture Class diagrams Discuss details needed to fully implement Dragonfly classes

900 views • 42 slides
Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program execution Concurrency A property that allows several vessels of execution to be run without a predefined order. Parallelism A property that

625 views • 23 slides
Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Traffic Pattern-based C Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah, Xin Yuan Mike Lang Florida State University Los Alamos National Laboratory Motivation Dragonfly has been known as a

491 views • 33 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views • 65 slides
Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip Dinosaur / Dragon ? Dragonfly CarrierWave Anyone? GitHub stats CarrierWave - 3046 watchers, 390 forks Paperclip - 4294 watchers, 877 forks

658 views • 22 slides
Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas Water Supply is from springs? Wow thats why its so clean! Then what happens after people use it? PUMP STATION &amp; TREATMENT Well Drago.

364 views • 13 slides
PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

11/18/2019 MISSISSIPPI SWANA DRONES &amp; SOLID WASTE Presented By: Edward Schmalfeld, P.E. PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly AeroSolutions Headquartered in Jacksonville, Florida

287 views • 8 slides
Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA

Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA

Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA Seabirds Technical Working Group 5 October 2009 Outline Data collection and grooming 1 Diaries and forms Data entry Reconciliation Summary

220 views • 20 slides
Citizen Scientists Study Mercury in Dragonfly Larvae from National Parks Colleen Flanagan,

Citizen Scientists Study Mercury in Dragonfly Larvae from National Parks Colleen Flanagan,

Citizen Scientists Study Mercury in Dragonfly Larvae from National Parks Colleen Flanagan, Ecologist, National Park Service Air Resources Dr. Sarah Nelson, Associate Professor, University of Maine National Association of Interpretation

639 views • 24 slides
Dragonfly: A PAKE Scheme Dan Harkins IETF 83 Paris, France The Rise of Password Protocols in

Dragonfly: A PAKE Scheme Dan Harkins IETF 83 Paris, France The Rise of Password Protocols in

Dragonfly: A PAKE Scheme Dan Harkins IETF 83 Paris, France The Rise of Password Protocols in the IETF EAP-GPSK, TLS-SRP, TLS-PSK EAP-pwd PAP! Plaintext passwords (1986 to 1995 or so) PAP-like exchange completely broken

337 views • 12 slides
PerfMon redux: analyzing a CUDA application with the Windows PerfMon redux: analyzing a CUDA

PerfMon redux: analyzing a CUDA application with the Windows PerfMon redux: analyzing a CUDA

S6287 PerfMon redux: analyzing a CUDA application with the Windows PerfMon redux: analyzing a CUDA application with the Windows Performance Monitor Richard Wilton Department of Physics and Astronomy Johns Hopkins University S6287: Analyzing

279 views • 25 slides
Spectrometer Assembly Connect raspberry pi to the screen: Connect pins on the touchscreen using

Spectrometer Assembly Connect raspberry pi to the screen: Connect pins on the touchscreen using

ICTP Winter College on Applications of Optics and Photonics in Food Science Spectrometer Assembly Connect raspberry pi to the screen: Connect pins on the touchscreen using the jumper cables, and the connector using the white ribbon cable. The

334 views • 8 slides
Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems

Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems

A1 Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems Network Analyst/Penetration Tester/President Of Computer Security Association Of North Dakota Slide 1 A1 Author, 9/16/2013 About Me About Me:

925 views • 23 slides
Everything I know about Kubernetes I learned from a cluster of Raspberry Pis Jeff Geerling

Everything I know about Kubernetes I learned from a cluster of Raspberry Pis Jeff Geerling

Everything I know about Kubernetes I learned from a cluster of Raspberry Pis Jeff Geerling (geerlingguy) Builder Track - www.pidramble.com http://www.shockinglydelicious.com/dorothys-fresh-raspberry-pie-recipe/ The Big Question What can I do with

821 views • 25 slides
IMAGE AND VIDEO PROCESSING ON RASPBERRY PI PLATFORM Ph.D. Mustafa Karhan ankr Karatekin

IMAGE AND VIDEO PROCESSING ON RASPBERRY PI PLATFORM Ph.D. Mustafa Karhan ankr Karatekin

IMAGE AND VIDEO PROCESSING ON RASPBERRY PI PLATFORM Ph.D. Mustafa Karhan ankr Karatekin University, Electronics and Automation Department, ankr, Turkey mustafakarhan@gmail.com Timisoara, Romania July, 2019 Computer Vision &amp;

3.1k views • 32 slides
End to End Optimization Stack for Deep Learning Presenter: Tianqi Chen Paul G. Allen School of

End to End Optimization Stack for Deep Learning Presenter: Tianqi Chen Paul G. Allen School of

End to End Optimization Stack for Deep Learning Presenter: Tianqi Chen Paul G. Allen School of Computer Science &amp; Engineering University of Washington Collaborators University of Washington AWS AI Team Ziheng Jiang Tianqi Chen Thierry

822 views • 46 slides
A Telegram bot for Amartyo Banerjee and SK Venkatesan printing LaTeX files TNQ Books and

A Telegram bot for Amartyo Banerjee and SK Venkatesan printing LaTeX files TNQ Books and

TUG 2016. A Telegram bot for Amartyo Banerjee and SK Venkatesan printing LaTeX files TNQ Books and Journals, India July 25. Toronto. Introduction I present a proof of concept of a Telegram bot, meant to run on the Raspberry Pi.

516 views • 17 slides
H a C keR S Notes by Michael Madden &amp; Kevin Madden, CoderDojo Athenry, 2019 A HackerSpace in

H a C keR S Notes by Michael Madden &amp; Kevin Madden, CoderDojo Athenry, 2019 A HackerSpace in

H a C keR S Notes by Michael Madden &amp; Kevin Madden, CoderDojo Athenry, 2019 A HackerSpace in CoderDojo! What the Hackers Do Not About Law-Breaking! Hack things together Take apart to understand &amp; improve Work on Projects

199 views • 19 slides
SITCH Inexpensive, coordinated GSM anomaly detection About Me 2000: Technology career started

SITCH Inexpensive, coordinated GSM anomaly detection About Me 2000: Technology career started

SITCH Inexpensive, coordinated GSM anomaly detection About Me 2000: Technology career started (I can get paid for this??) 2003: Started building with Linux Came to infosec through systems and network engineering, integration

1.1k views • 56 slides

More recommend