Dragonblood: Attacking the Dragonfly Handshake of WPA3
Mathy Vanhoef and Eyal Ronen. Black Hat USA, Las Vegas, 7 August 2019.
Background: Dragonfly in WPA3 and EAP-pwd
= Password Authenticated Key Exchange (PAKE)
› Negotiate session key
› Provide mutual authentication
› Forward secrecy & prevent offline dictionary attacks
› Protect against server compromise
Dragonfly
Both peers first convert the password to a group element P
› Commit phase: negotiate shared key
› Confirm phase: confirm peer negotiated same key
Supports two crypto groups (MODP groups and elliptic curves)
What are MODP groups?
› All operations are MODulo the Prime (= MODP)
Operations performed on integers x where:
› x < p with p a prime
› x^q mod p = 1 must hold
› q = #elements in the group
Convert password to MODP element

    for (counter = 1; counter < 256; counter++)
        value = hash(pw, counter, addr1, addr2)
        if value >= p: continue
        P = value^((p−1)/q)
        return P

› Convert value to a MODP element: P = value^((p−1)/q)
› Problem for groups 22-24: high chance that value >= p
› If value >= p the loop simply continues with the next counter
› #iterations depends on password
› No timing leak countermeasures, despite warnings by IETF & CFRG!
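A Python illustration of the loop above (added here; not code from the talk, hostap or any other implementation): a toy prime with q = (p−1)/2 and SHA-256 as a stand-in KDF, so it shows why the number of rounds varies with the password and client address, beside a fixed-work variant in the spirit of the "modulo instead of iterations" countermeasure mentioned later in the deck. The toy parameters, the KDF and the reduction into [2, p−2] are assumptions, not the standard's exact construction.

```python
import hashlib

# Constructed toy group, NOT a real Dragonfly MODP group: prime p with q = (p-1)/2,
# so value^((p-1)/q) lands in the order-q subgroup of quadratic residues mod p.
PRIME = 23
Q = 11
BITS = PRIME.bit_length()   # 5: a 5-bit hash output is >= p with probability 9/32

def kdf(pw: bytes, counter: int, addr1: bytes, addr2: bytes, bits: int) -> int:
    """Simplified stand-in for Dragonfly's KDF: SHA-256 truncated to `bits` bits."""
    digest = hashlib.sha256(pw + bytes([counter]) + addr1 + addr2).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def pwe_iterative(pw: bytes, addr1: bytes, addr2: bytes):
    """The loop from the slides (plus RFC 7664's 'PE > 1' check). Returns (PE, iterations)."""
    for counter in range(1, 256):
        value = kdf(pw, counter, addr1, addr2, BITS)
        if value >= PRIME:
            continue                        # rejected candidate: one more hash, more time
        pe = pow(value, (PRIME - 1) // Q, PRIME)
        if pe > 1:
            return pe, counter              # iteration count depends on pw and addresses
    raise ValueError("no element found")

def pwe_fixed_work(pw: bytes, addr1: bytes, addr2: bytes):
    """Illustrative 'modulo instead of iterations' (an assumption, not the standard's exact
    construction): one oversized KDF output is reduced into [2, p-2], so nothing is ever
    rejected and the work is the same for every password."""
    wide = kdf(pw, 1, addr1, addr2, BITS + 64)  # 64 spare bits keep the reduction near-uniform
    value = wide % (PRIME - 3) + 2
    return pow(value, (PRIME - 1) // Q, PRIME), 1

def iteration_counts(passwords, addr1, addr2, derive):
    """Work per password for one client address; any spread of values is the timing leak."""
    return [derive(pw, addr1, addr2)[1] for pw in passwords]
```

Running `iteration_counts` over a handful of constructed passwords shows a spread of counts for `pwe_iterative` and a constant 1 for `pwe_fixed_work`; the MAC addresses used only need to differ, as the slides' addrA/addrB/addrC do.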
IETF mailing list in 2010
“[..] susceptible to side channel (timing) attacks and may leak the shared password.”
“not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.”
Leaked information: #iterations needed
(Table shown graphically: measured #iterations for client addresses addrA, addrB, addrC against candidate passwords Password 1, Password 2, Password 3.)
What information is leaked? The number of iterations the hash-to-element loop needs for a given password and pair of addresses.
› Spoof client address to obtain different execution & leak new data
› Forms a signature of the password
› Need ~17 addresses to determine password in RockYou dump
Raspberry Pi 1 B+: differences are measurable
Hostap AP: ~75 measurements / address
What about elliptic curves?
› Need to convert password to point (x,y) on the curve
Operations performed on points (x, y) where:
› x < p and y < p with p a prime
› y² = x³ + ax + b mod p must hold
Hash-to-curve: EAP-pwd

    for (counter = 1; counter < 40; counter++)
        x = hash(pw, counter, addr1, addr2)
        if x >= p: continue
        if square_root_exists(x) and not P:
            return (x, sqrt(x³ + ax + b))

› EAP-pwd: similar timing leak with elliptic curves (returns as soon as a point is found)

Hash-to-curve: WPA3 (simplified)

    for (counter = 1; counter < 40; counter++)
        x = hash(pw, counter, addr1, addr2)
        if x >= p: continue
        if square_root_exists(x) and not P:
            P = (x, sqrt(x³ + ax + b))
    return P

› WPA3: always do 40 loops & return first P
› Problem for Brainpool curves: high chance that x >= p
› Code may be skipped! #Times skipped depends on password
› Simplified: execution time for several client MAC addresses forms a signature of the password.
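The two hash-to-curve variants above, written out in Python as an added example (not code from the talk or from any EAP-pwd/WPA3 implementation) over a constructed toy curve, with SHA-256 as a stand-in KDF; the `on_curve` helper is the point-validation check a responder needs against the invalid-curve commit discussed later in the deck. Curve parameters, KDF and the 40-round constant are assumptions for illustration.

```python
import hashlib

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P); NOT a WPA3/EAP-pwd group.
# P % 4 == 3, so a square root of r (if one exists) is r^((P+1)/4) mod P.
P, A, B = 23, 1, 1
BITS = P.bit_length()      # 5: a 5-bit hash output is >= P with probability 9/32
ROUNDS = 40                # the 40 loops from the slides

def kdf(pw: bytes, counter: int, addr1: bytes, addr2: bytes) -> int:
    """Simplified stand-in for the real KDF: SHA-256 truncated to len(P) bits."""
    digest = hashlib.sha256(pw + bytes([counter]) + addr1 + addr2).digest()
    return int.from_bytes(digest, "big") >> (256 - BITS)

def on_curve(point) -> bool:
    """The check a responder must run on a received commit point (invalid-curve defence)."""
    x, y = point
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0

def sqrt_mod_p(r: int):
    """Return a square root of r mod P, or None when r is not a quadratic residue."""
    y = pow(r, (P + 1) // 4, P)
    return y if (y * y) % P == r % P else None

def hash_to_curve_eap_pwd(pw, addr1, addr2):
    """EAP-pwd style: return on the first hit. Returns (point, rounds executed)."""
    for counter in range(1, ROUNDS + 1):
        x = kdf(pw, counter, addr1, addr2)
        if x >= P:
            continue                      # skipped round: visible to timing / Flush+Reload
        y = sqrt_mod_p(x ** 3 + A * x + B)
        if y is not None:
            return (x, y), counter        # rounds executed depends on pw and addresses
    raise ValueError("no point found")

def hash_to_curve_wpa3(pw, addr1, addr2):
    """WPA3 style: always run all rounds, keep the first point. Returns (point, rounds)."""
    point = None
    for counter in range(1, ROUNDS + 1):
        x = kdf(pw, counter, addr1, addr2)
        if x >= P:
            continue                      # still skipped: the leak the slides describe
        y = sqrt_mod_p(x ** 3 + A * x + B)
        if y is not None and point is None:
            point = (x, y)                # later hits are computed but discarded
    if point is None:
        raise ValueError("no point found")
    return point, ROUNDS
```

Both functions return the same point for the same inputs; only the reported round count differs, which is exactly the difference between the EAP-pwd and WPA3 loops.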
NIST Elliptic Curves (same WPA3 hash-to-curve loop as above)
› Monitor using Flush+Reload to know in which iteration we are
› NIST curves: use Flush+Reload to detect when code is executed
Brainpool Elliptic Curves (same WPA3 hash-to-curve loop as above)
› Monitor using Flush+Reload to know in which iteration we are
› Brainpool curves: use Flush+Reload to detect when code is executed
Cache-attacks in practice
Requires powerful adversary:
› Run unprivileged code on victim’s machine
› Act as malicious client/AP within range of victim
Abuse leaked info to recover the password
› Spoof various client addresses similar to timing attack
› Use resulting password signature in dictionary attack
Attack Optimizations
Timing & cache attack result in password signature
› Both use the same brute-force algorithm
Improve performance using GPU code:
› We can brute-force 10^10 passwords for $1
› MODP / Brainpool: all 8-symbol passwords cost $67
› NIST curves: all 8-symbol passwords cost $14k
Invalid Curve Attack
› Adversary sends Commit(x’, y’) where the point isn’t on the curve
› Responder sends its Commit reply
› Negotiated key is predictable
› Confirm phase: guess key and send confirm
› Bypasses authentication
Implementation Vulnerabilities II
Bad randomness:
› Can recover password element P
› Aruba’s EAP-pwd client for Windows is affected
› With WPA2 bad randomness has lower impact!
Side-channels:
› FreeRADIUS aborts if >10 iterations are needed
› Aruba’s EAP-pwd aborts if >30 are needed
› Can use leaked info to recover password
Denial-of-Service Attack
AP converts password to EC point when client connects
› Conversion is computationally expensive (40 iterations)
› Forging 8 connections/sec saturates AP’s CPU
Downgrade Against WPA3-Transition
Transition mode: WPA2/3 use the same password
› WPA2’s handshake detects downgrades → forward secrecy
› Performing partial WPA2 handshake → dictionary attacks
Solution is to remember which networks support WPA3
› Similar to trust on first use of SSH & HSTS
› Implemented by Pixel 3 and Linux’s NetworkManager
Crypto Group Downgrade
Handshake can be performed with multiple curves
› Initiator proposes curve & responder accepts/rejects
› Spoof reject messages to downgrade used curve
= design flaw, all client & AP implementations vulnerable
Disclosure process
Notified parties early with hope to influence WPA3
› Some initially sceptical, considered it implementation flaws
› Group downgrade: “was known, but forgot to warn about it”
Reaction of the Wi-Fi Alliance
› Privately created backwards-compatible security guidelines
› 2nd disclosure round to address Brainpool side-channels
Fundamental issue still unsolved
› On lightweight devices, doing 40 iterations is too costly
› Even powerful devices are at risk: handshake might be
Wi-Fi standard now being updated
› Prevent crypto group downgrade attack
› Allow offline computation of password element
Additional updates to Wi-Fi standard
Elliptic curve groups:
› Restrict usage of weak elliptic curves
› Constant-time algo (simplified SWU)
MODP crypto groups:
› Restrict usage of weak MODP groups
› Constant-time algo (modulo instead of iterations)
Updates aren’t backwards-compatible
Might lead to WPA3.1?
› Not yet clear how this will be handled
› Risk of downgrade attacks to original WPA3
Will people be able to easily attack WPA3?
› No, WPA3 > WPA2 even with its flaws
› Timing leaks: non-trivial to determine if vulnerable
› WPA3 vulnerable to side-channels
› Countermeasures are costly
› Standard now being updated
› WPA3 > WPA2 & planned updates are strong
https://wpa3.mathyvanhoef.com