dragonblood attacking the dragonfly
play

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy - PowerPoint PPT Presentation

Jun 13, 2023 β€’32 likes β€’532 views

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

  1. Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019.

  2. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session key authentication Forward secrecy Protect against & prevent offline server compromise dictionary attacks 2

  3. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key Confirm phase Confirm peer negotiated same key 3

  4. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 4

  5. What are MODP groups? Operations performed on integers x where: β€Ί x < π‘ž with π‘ž a prime β€Ί 𝑦 π‘Ÿ mod π‘ž = 1 must hold β€Ί π‘Ÿ = #elements in the group οƒ  All operations are MOD ulo the P rime (= MODP) 5

  6. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P Convert value to a MODP element 6

  7. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P Problem for groups 22-24: high chance that value >= p 7

  8. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: ??? P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 8

  9. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 9

  10. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 10

  11. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P No timing leak countermeasures, despite warnings by IETF & CFRG! 11

  12. IETF mailing list in 2010 β€œ [..] susceptible to side channel (timing) attacks and may leak the shared password. ” β€œ not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.” 12

  13. Leaked information: #iterations needed Client address addrA Measured 13

  14. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 14

  15. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 15

  16. What information is leaked? for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue Spoof client address to obtain P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ different execution & leak new data 16

  17. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 17

  18. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 18

  19. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 19

  20. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 20

  21. Leaked information: #iterations needed Client address addrA addrB addrC Measured Forms a signature of the password Password 1 Password 2 Need ~17 addresses to determine password in RockYou dump Password 3 21

  22. Raspberry Pi 1 B+: differences are measurable 22

  23. Raspberry Pi 1 B+: differences are measurable Hostap AP: ~75 measurements / address 23

  24. What about elliptic curves? Operations performed on points (x, y) where: β€Ί x < π‘ž and y < π‘ž with π‘ž a prime β€Ί 𝑧 2 = 𝑦 3 + 𝑏𝑦 + 𝑐 mod π‘ž must hold οƒ  Need to convert password to point (x,y) on the curve 24

  25. Hash-to-curve: EAP-pwd for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: return (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) EAP-pwd: similar timing leak with elliptic curves 25

  26. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P WPA3: always do 40 loops & return first P 26

  27. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P Problem for Bainpool curves: high chance that x >= p 27

  28. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P Code may be skipped! 28

  29. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P #Times skipped depends on password 29

  30. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P οƒ  simplified, execution time for several client MAC addresses forms a signature of the password. 30

  31. Cache Attacks 31

  32. NIST Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P NIST curves: use Flush+Reload to detect when code is executed 32

  33. Bainpool Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P Brainpool curves: use Flush+Reload to detect when code is executed 33

  34. Cache-attacks in practice Requires powerfull adversary: β€Ί Run unpriviliged code on victim’s machine β€Ί Act as malicious client/AP within range of victim Abuse leaked info to recover the password β€Ί Spoof various client addresses similar to timing attack β€Ί Use resulting password signature in dictionary attack 34

  35. Attack Optimizations Timing & cache attack result in password signature β€Ί Both use the same brute-force algorithm Improve performance using GPU code: β€Ί We can brute-force 𝟐𝟏 𝟐𝟏 passwords for $1 β€Ί MODP / Brainpool: all 8 symbols costs $67 β€Ί NIST curves: all 8 symbols costs $14k 35

  36. Implementation Inspection 36

  37. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable 37

  38. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable Commit reply Guess key and send confirm Confirm phase 38

  39. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable Bypasses authentication Commit reply οƒ˜ EAP-pwd: all implementations affected Guess key and οƒ˜ WPA3: only iwd is vulnerable send confirm Confirm phase 39

  40. Implementation Vulnerabilities II Bad randomness : β€Ί Can recover password element P β€Ί Aruba’s EAP -pwd client for Windows is affected β€Ί With WPA2 bad randomness has lower impact! Side-channels : β€Ί FreeRADIUS aborts if >10 iterations are needed β€Ί Aruba’s EAP -pwd aborts if >30 are needed β€Ί Can use leaked info to recover password 40

  41. Wi-Fi Specific Attacks 41

  42. Denial-of-Service Attack Convert password to Convert password to group element P group element P AP converts password to EC point when client connects β€Ί Conversion is computationally expensive ( 40 iterations ) β€Ί Forging 8 connections/sec saturates AP’s CPU 42

  43. Downgrade Against WPA3-Transition Transition mode: WPA2/3 use the same password β€Ί WPA2’s handshake detects downgrades οƒ  forward secrecy β€Ί Performing partial WPA2 handshake οƒ  dictionary attacks Solution is to remember which networks support WPA3 β€Ί Similar to trust on first use of SSH & HSTS β€Ί Implemented by Pixel 3 and Linux’s NetworkManager 43

  44. Crypto Group Downgrade Handshake can be performed with multiple curves β€Ί Initiator proposes curve & responder accepts/rejects β€Ί Spoof reject messages to downgrade used curve = design flaw , all client & AP implementations vulnerable 44

  45. Disclosure 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

1.04k views β€’ 45 slides
Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views β€’ 56 slides
Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

1.04k views β€’ 69 slides
Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

2/7/2012 Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly, Project 1 Provide overview of Dragonfly architecture Class diagrams Discuss details needed to fully implement Dragonfly classes

900 views β€’ 42 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views β€’ 105 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New York, 10 January 2020. Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) Broken in 2001 [FMS01] 2003:

818 views β€’ 62 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views β€’ 44 slides
Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program execution Concurrency A property that allows several vessels of execution to be run without a predefined order. Parallelism A property that

625 views β€’ 23 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views β€’ 59 slides
Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Traffic Pattern-based C Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah, Xin Yuan Mike Lang Florida State University Los Alamos National Laboratory Motivation Dragonfly has been known as a

491 views β€’ 33 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views β€’ 65 slides
Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip

Dragonfly June 2012 IndieCrews Photo??? Paperclip https:/ /github.com/thoughtbot/paperclip Dinosaur / Dragon ? Dragonfly CarrierWave Anyone? GitHub stats CarrierWave - 3046 watchers, 390 forks Paperclip - 4294 watchers, 877 forks

658 views β€’ 22 slides
Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog &amp; Drago the dragonfly Drago did you know that Rotoruas Water Supply is from springs? Wow thats why its so clean! Then what happens after people use it? PUMP STATION &amp; TREATMENT Well Drago.

364 views β€’ 13 slides
Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 1 1 Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have

733 views β€’ 48 slides
PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

11/18/2019 MISSISSIPPI SWANA DRONES &amp; SOLID WASTE Presented By: Edward Schmalfeld, P.E. PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly AeroSolutions Headquartered in Jacksonville, Florida

287 views β€’ 8 slides
y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

Security bug of the week (in iOS and OS X) y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 2 2 Attacking the stack g We have seen how the

850 views β€’ 47 slides
Starting on TLS 1.3 Eric Rescorla ekr@rtfm.com IETF 85 Random CNAMEs 1 Reminder: Objectives

Starting on TLS 1.3 Eric Rescorla ekr@rtfm.com IETF 85 Random CNAMEs 1 Reminder: Objectives

Starting on TLS 1.3 Eric Rescorla ekr@rtfm.com IETF 85 Random CNAMEs 1 Reminder: Objectives Encrypt as much of the handshake as possible Reduce handshake latency, with a target of 0-RTT for repeated handshakes and 1-RTT for full

269 views β€’ 22 slides
Interrupt and Exception Handling on the x86 ( Lecture 8 ) x86 Interrupt Vectors - Every

Interrupt and Exception Handling on the x86 ( Lecture 8 ) x86 Interrupt Vectors - Every

6.828: Operating System Engineering Interrupt and Exception Handling on the x86 ( Lecture 8 ) x86 Interrupt Vectors - Every Exception/Interrupt type is assigned a number: - its vector - When an interrupt occurs, the vector determines what code

456 views β€’ 13 slides
ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we

ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we

ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we will look at more detail into error handling mechanisms and the use of exceptions. Motivation: what can go wrong? The two and a half approaches

523 views β€’ 18 slides
Garside structure and Dehornoy ordering of braid groups for topologist (mini-course II) Tetsuya

Garside structure and Dehornoy ordering of braid groups for topologist (mini-course II) Tetsuya

Garside structure and Dehornoy ordering of braid groups for topologist (mini-course II) Tetsuya Ito Combinatorial Link Homology Theories, Braids, and Contact Geometry Aug, 2014 Tetsuya Ito Braid calculus Aug , 2014 1 / 64 Part II: The

1.37k views β€’ 114 slides
Asynchronous circuit technology is on the market Overview Introduction Handshake

Asynchronous circuit technology is on the market Overview Introduction Handshake

Asynchronous circuit technology is on the market Overview Introduction Handshake Solutions Handshake Technology Counting asynchronous millionaires More metrics # trained people # competition # asynchronous

528 views β€’ 36 slides
Utilizing the Marquette University Career Services Center Courtney Hanson Director, Career

Utilizing the Marquette University Career Services Center Courtney Hanson Director, Career

Utilizing the Marquette University Career Services Center Courtney Hanson Director, Career Services Center Marquette University Marquette University Career Services Center Holthusen Hall, First Floor (414) 288-7423

159 views β€’ 15 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled? How are concurrent systems analyzed? What tools are available for modeling and

1.13k views β€’ 85 slides
ECE 650 Systems Programming &amp; Engineering Spring 2018 I/O Handling Tyler Bletsch Duke

ECE 650 Systems Programming &amp; Engineering Spring 2018 I/O Handling Tyler Bletsch Duke

ECE 650 Systems Programming &amp; Engineering Spring 2018 I/O Handling Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) Input/Output (I/O) Typical application flow consists of alternating phases Compute

815 views β€’ 24 slides

More recommend