PDF Editor
PDF Converter
Image Converter
Video Converter
Audio Converter
File Compressor
dragonblood analyzing the dragonfly

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd - PowerPoint PPT Presentation

Oct 06, 2022 β€’570 likes β€’1.04k views

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

  1. Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019.

  2. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session key authentication Forward secrecy Protect against & prevent offline server compromise dictionary attacks 2

  3. Dragonfly Convert password to Convert password to elliptic curve point P elliptic curve point P Commit phase Confirm phase 3

  4. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ if P > 1: return P 4

  5. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ if P > 1: return P In practice always true 5

  6. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue Problem: value >= p P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ if P > 1: return P In practice always true 6

  7. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ if P > 1: return P 7

  8. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ if P > 1: return P 8

  9. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ if P > 1: return P No timing leak countermeasures despite warnings by IETF & CFRG! 9

  10. With MODP groups: hash-to-group for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue WPA3: spoof client address P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ to obtain different executions if P > 1: return P No timing leak countermeasures despite warnings by IETF & CFRG! 10

  11. Raspberry Pi 1 B+: differences are measurable 11

  12. Raspberry Pi 1 B+: differences are measurable Hostap (WPA3): ~75 measurements / address iwd (EAP-pwd): ~30 measurements / address 12

  13. Leaked information: #iterations needed Client address addrA Measured 13

  14. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 14

  15. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 15

  16. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 16

  17. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 17

  18. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 18

  19. Leaked information: #iterations needed Client address addrA addrB addrC Measured forms a signature of the password Password 1 Password 2 Need ~17 addresses to test ~ 10 7 passwords Password 3 19

  20. What about elliptic curves? Hash-to-group with elliptic curves also affected? β€Ί By default Dragonfly uses NIST curves β€Ί Timing leaks for NIST curves are mitigated Dragonfly also supports Brainpool curves β€Ί After our initial disclosure, the Wi-Fi Alliace private created guidelines that mention these are secure to use β€Ί Bad news: Brainpool curves in Dragonfly are insecure 20

  21. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 21

  22. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b Problem: no solution for y if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 22

  23. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 23

  24. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 24

  25. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b Problem: different passwords if is_quadratic_residue(y_sqr) and not x: have different execution time x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 25

  26. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x : x = value pw = random() οƒ  Always execute at y = sqrt(x^3 + a * x + b) least k iterations return (x, y) 26

  27. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x : x = value In case quadratic test pw = random() is not constant time y = sqrt(x^3 + a * x + b) return (x, y) 27

  28. Hash-to-curve for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b Problem: value >= p if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 28

  29. Hash-to-curve May be true for for (counter = 1; counter < k or not x; counter++) Brainpool curves! value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 29

  30. Hash-to-curve May be true for for (counter = 1; counter < k or not x; counter++) Brainpool curves! value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value Quadratic test may be skipped pw = random() y = sqrt(x^3 + a * x + b) return (x, y) 30

  31. Hash-to-curve May be true for for (counter = 1; counter < k or not x; counter++) Brainpool curves! value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value Quadratic test may be skipped pw = random() y = sqrt(x^3 + a * x + b) A random #(extra iterations) return (x, y) have a too big hash output 31

  32. Influence of extra iterations Execution 1 32

  33. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 33

  34. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 34

  35. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 Variance ~ when password element was found 35

  36. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 Variance ~ when password element was found Average ~ when found and #iterations with big hash 36

  37. Influence of extra iterations Execution 1 Execution 2 Execution 3 Execution 4 Variance ~ when password element was found Average ~ when found and #iterations with big hash οƒ  Again forms a signature of the password 37

  38. Raspberry Pi 1 B+ 38

  39. Raspberry Pi 1 B+ Hostap (WPA3): ~300 measurements / address 39

  40. Cache Attacks 40

  41. Hash-to-curve: Quadratic Residue for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() NIST curves: use Flush+Reload to y = sqrt(x^3 + a * x + b) detect if code is executed in 1 st iteration return (x, y) 41

  42. Hash-to-curve: Quadratic Residue Use as clock to detect in which iteration we are for (counter = 1; counter < k or not x; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue y_sqr = value^3 + a * value + b if is_quadratic_residue(y_sqr) and not x: x = value pw = random() NIST curves: use Flush+Reload to y = sqrt(x^3 + a * x + b) detect if code is executed in 1 st iteration return (x, y) 42

Recommend

Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

2/7/2012 Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly, Project 1 Provide overview of Dragonfly architecture Class diagrams Discuss details needed to fully implement Dragonfly classes

900 views β€’ 42 slides
Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views β€’ 56 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views β€’ 50 slides
Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program execution Concurrency A property that allows several vessels of execution to be run without a predefined order. Parallelism A property that

625 views β€’ 23 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New York, 10 January 2020. Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) Broken in 2001 [FMS01] 2003:

818 views β€’ 62 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views β€’ 105 slides
Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

1.04k views β€’ 69 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views β€’ 65 slides
Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Traffic Pattern-based C Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah, Xin Yuan Mike Lang Florida State University Los Alamos National Laboratory Motivation Dragonfly has been known as a

492 views β€’ 33 slides
Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip Dinosaur / Dragon ? Dragonfly CarrierWave Anyone? GitHub stats CarrierWave - 3046 watchers, 390 forks Paperclip - 4294 watchers, 877 forks

658 views β€’ 22 slides
PerfMon redux: analyzing a CUDA application with the Windows PerfMon redux: analyzing a CUDA

PerfMon redux: analyzing a CUDA application with the Windows PerfMon redux: analyzing a CUDA

S6287 PerfMon redux: analyzing a CUDA application with the Windows PerfMon redux: analyzing a CUDA application with the Windows Performance Monitor Richard Wilton Department of Physics and Astronomy Johns Hopkins University S6287: Analyzing

279 views β€’ 25 slides
What are survey weights? Kelly McConville Assistant Professor of Statistics DataCamp Analyzing

What are survey weights? Kelly McConville Assistant Professor of Statistics DataCamp Analyzing

DataCamp Analyzing Survey Data in R ANALYZING SURVEY DATA IN R What are survey weights? Kelly McConville Assistant Professor of Statistics DataCamp Analyzing Survey Data in R Survey data Have you ever found yourself analyzing a dataset that

414 views β€’ 27 slides
Understanding Census geography and tigris basics Kyle Walker Instructor DataCamp Analyzing US

Understanding Census geography and tigris basics Kyle Walker Instructor DataCamp Analyzing US

DataCamp Analyzing US Census Data in R ANALYZING US CENSUS DATA IN R Understanding Census geography and tigris basics Kyle Walker Instructor DataCamp Analyzing US Census Data in R TIGER/Line Shapefiles DataCamp Analyzing US Census Data in

473 views β€’ 29 slides
Twitter Networks Alex Hanna Computational Social Scientist DataCamp Analyzing Social Media Data

Twitter Networks Alex Hanna Computational Social Scientist DataCamp Analyzing Social Media Data

DataCamp Analyzing Social Media Data in Python ANALYZING SOCIAL MEDIA DATA IN PYTHON Twitter Networks Alex Hanna Computational Social Scientist DataCamp Analyzing Social Media Data in Python DataCamp Analyzing Social Media Data in Python

660 views β€’ 25 slides
Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA

Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA

Seabird abundance project update F . Thompson, E. Abraham &amp; M. Oliver Dragonfly CSP/NPOA Seabirds Technical Working Group 5 October 2009 Outline Data collection and grooming 1 Diaries and forms Data entry Reconciliation Summary

220 views β€’ 20 slides
Burst Buffer Simulation In Dragonfly Network Jian Peng, Michael Lang Illinois Institute of

Burst Buffer Simulation In Dragonfly Network Jian Peng, Michael Lang Illinois Institute of

Burst Buffer Simulation In Dragonfly Network Jian Peng, Michael Lang Illinois Institute of Technology, Los Alamos National Laboratory Purpose: Residing in the compute node network, and using solid state drives (SSD), burst buffers bring a

280 views β€’ 16 slides
Spectrometer Assembly Connect raspberry pi to the screen: Connect pins on the touchscreen using

Spectrometer Assembly Connect raspberry pi to the screen: Connect pins on the touchscreen using

ICTP Winter College on Applications of Optics and Photonics in Food Science Spectrometer Assembly Connect raspberry pi to the screen: Connect pins on the touchscreen using the jumper cables, and the connector using the white ribbon cable. The

334 views β€’ 8 slides
Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems

Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems

A1 Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems Network Analyst/Penetration Tester/President Of Computer Security Association Of North Dakota Slide 1 A1 Author, 9/16/2013 About Me About Me:

925 views β€’ 23 slides
Everything I know about Kubernetes I learned from a cluster of Raspberry Pis Jeff Geerling

Everything I know about Kubernetes I learned from a cluster of Raspberry Pis Jeff Geerling

Everything I know about Kubernetes I learned from a cluster of Raspberry Pis Jeff Geerling (geerlingguy) Builder Track - www.pidramble.com http://www.shockinglydelicious.com/dorothys-fresh-raspberry-pie-recipe/ The Big Question What can I do with

821 views β€’ 25 slides
IMAGE AND VIDEO PROCESSING ON RASPBERRY PI PLATFORM Ph.D. Mustafa Karhan ankr Karatekin

IMAGE AND VIDEO PROCESSING ON RASPBERRY PI PLATFORM Ph.D. Mustafa Karhan ankr Karatekin

IMAGE AND VIDEO PROCESSING ON RASPBERRY PI PLATFORM Ph.D. Mustafa Karhan ankr Karatekin University, Electronics and Automation Department, ankr, Turkey mustafakarhan@gmail.com Timisoara, Romania July, 2019 Computer Vision &amp;

3.1k views β€’ 32 slides
End to End Optimization Stack for Deep Learning Presenter: Tianqi Chen Paul G. Allen School of

End to End Optimization Stack for Deep Learning Presenter: Tianqi Chen Paul G. Allen School of

End to End Optimization Stack for Deep Learning Presenter: Tianqi Chen Paul G. Allen School of Computer Science &amp; Engineering University of Washington Collaborators University of Washington AWS AI Team Ziheng Jiang Tianqi Chen Thierry

823 views β€’ 46 slides
A Telegram bot for Amartyo Banerjee and SK Venkatesan printing LaTeX files TNQ Books and

A Telegram bot for Amartyo Banerjee and SK Venkatesan printing LaTeX files TNQ Books and

TUG 2016. A Telegram bot for Amartyo Banerjee and SK Venkatesan printing LaTeX files TNQ Books and Journals, India July 25. Toronto. Introduction I present a proof of concept of a Telegram bot, meant to run on the Raspberry Pi.

516 views β€’ 17 slides
H a C keR S Notes by Michael Madden &amp; Kevin Madden, CoderDojo Athenry, 2019 A HackerSpace in

H a C keR S Notes by Michael Madden &amp; Kevin Madden, CoderDojo Athenry, 2019 A HackerSpace in

H a C keR S Notes by Michael Madden &amp; Kevin Madden, CoderDojo Athenry, 2019 A HackerSpace in CoderDojo! What the Hackers Do Not About Law-Breaking! Hack things together Take apart to understand &amp; improve Work on Projects

199 views β€’ 19 slides
SITCH Inexpensive, coordinated GSM anomaly detection About Me 2000: Technology career started

SITCH Inexpensive, coordinated GSM anomaly detection About Me 2000: Technology career started

SITCH Inexpensive, coordinated GSM anomaly detection About Me 2000: Technology career started (I can get paid for this??) 2003: Started building with Linux Came to infosec through systems and network engineering, integration

1.1k views β€’ 56 slides

More recommend

Logo Sambuz

Unleash a World of Digital Possibilitiesβ€”Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Blogs Contact

Newsletter

Stay Informed & Inspiredβ€”Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2025 SAMBUZ, All right reserved.