dragonblood weaknesses in
play

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef - PowerPoint PPT Presentation

Oct 05, 2022 β€’1.33k likes β€’1.97k views

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

  1. Dragonblood : Weaknesses in WPA3’s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019.

  2. 2

  3. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session key authentication Forward secrecy Protect against & prevent offline server compromise dictionary attacks 3

  4. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key 4

  5. Dragonfly Convert password to Convert password to group element P group element P Commit phase Negotiate shared key Confirm phase Confirm peer negotiated same key 5

  6. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 6

  7. Dragonfly Convert password to Convert password to group element P group element P Supports two crypto groups: Commit phase 1. MODP groups 2. Elliptic curves Confirm phase 7

  8. What are MODP groups? Operations performed on integers x where: β€Ί x < π‘ž with π‘ž a prime β€Ί 𝑦 π‘Ÿ mod π‘ž = 1 must hold β€Ί π‘Ÿ = #elements in the group οƒ  All operations are MOD ulo the P rime (= MODP) 8

  9. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 9

  10. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P Convert value to a MODP element 10

  11. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P Problem for groups 22-24: high chance that value >= p 11

  12. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: ??? P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 12

  13. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P 13

  14. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P No timing leak countermeasures, despite warnings by IETF & CFRG! 14

  15. Convert password to MODP element for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue #iterations depends on password P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ return P No timing leak countermeasures, despite warnings by IETF & CFRG! 15

  16. IETF mailing list in 2010 β€œ [..] susceptible to side channel (timing) attacks and may leak the shared password. ” β€œ not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.” 16

  17. Leaked information: #iterations needed Client address addrA Measured 17

  18. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 18

  19. Leaked information: #iterations needed Client address addrA Measured Password 1 Password 2 Password 3 19

  20. What information is leaked? for (counter = 1; counter < 256; counter++) value = hash(pw, counter, addr1, addr2) if value >= p: continue Spoof client address to obtain P = π‘€π‘π‘šπ‘£π‘“ (π‘žβˆ’1)/π‘Ÿ different execution & leak new data 20

  21. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 21

  22. Leaked information: #iterations needed Client address addrA addrB Measured Password 1 Password 2 Password 3 22

  23. Leaked information: #iterations needed Client address addrA addrB addrC Measured Password 1 Password 2 Password 3 23

  24. Leaked information: #iterations needed Client address addrA addrB addrC Measured Forms a signature of the password Password 1 Password 2 Need ~17 addresses to determine password in RockYou dump Password 3 24

  25. Raspberry Pi 1 B+: differences are measurable Hostap AP: ~75 measurements / address 25

  26. What about elliptic curves? Operations performed on points (x, y) where: β€Ί x < π‘ž and y < π‘ž with π‘ž a prime β€Ί 𝑧 2 = 𝑦 3 + 𝑏𝑦 + 𝑐 mod π‘ž must hold οƒ  Need to convert password to point (x,y) on the curve 26

  27. Hash-to-curve: EAP-pwd for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: return (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) 27

  28. Hash-to-curve: EAP-pwd for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: return (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) EAP-pwd: similar timing leak with elliptic curves 28

  29. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P WPA3: always do 40 loops & return first P 29

  30. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40 ; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P : P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P Problem for Bainpool curves: high chance that x >= p 30

  31. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P 31

  32. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P Code may be skipped! 32

  33. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P #Times skipped depends on password 33

  34. Hash-to-curve: WPA3 (simplified) for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P οƒ  Simplified, execution time again forms a signature of the password. 34

  35. Cache Attacks 35

  36. NIST Elliptic Curves Monitor using Flush+Reload to know in which iteration we are for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) return P NIST curves: use Flush+Reload to detect when code is executed 36

  37. NIST Elliptic Curves for (counter = 1; counter < 40; counter++) x = hash(pw, counter, addr1, addr2) if x >= p: continue if square_root_exists(x) and not P: οƒ  Essentially, we again learn a P = (x, 𝑦 3 + 𝑏𝑦 + 𝑐 ) signature of the password return P 37

  38. Cache-attacks in practice Requires powerfull adversary: β€Ί Run unpriviliged code on victim’s machine β€Ί Act as malicious client/AP within range of victim Abuse leaked info to recover the password β€Ί Spoof various client addresses similar to timing attack β€Ί Use resulting password signature in dictionary attack 38

  39. Brute-force Performance Timing & cache attack result in password signature β€Ί Both use the same brute-force algorithm Estimate performance on GPUs: β€Ί We can brute-force 𝟐𝟏 𝟐𝟏 passwords for $1 β€Ί MODP / Brainpool: all 8 symbols costs $67 β€Ί NIST curves: all 8 symbols costs $14k 39

  40. Implementation Inspection 40

  41. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable 41

  42. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable Commit reply Guess key and send confirm Confirm phase 42

  43. Invalid Curve Attack Point isn’t on curve Commit(x’, y’) Negotiated key is predictable Bypasses authentication Commit reply οƒ˜ EAP-pwd: all implementations affected Guess key and οƒ˜ WPA3: only iwd is vulnerable send confirm Confirm phase 43

  44. Implementation Vulnerabilities II Bad randomness : β€Ί Can recover password element P β€Ί Aruba’s EAP -pwd client for Windows is affected β€Ί With WPA2 bad randomness has lower impact! Side-channels : β€Ί FreeRADIUS aborts if >10 iterations are needed β€Ί Aruba’s EAP -pwd aborts if >30 are needed β€Ί Can use leaked info to recover password 44

  45. Wi-Fi Specific Attacks 45

  46. Denial-of-Service Attack Convert password to Convert password to group element P group element P AP converts password to EC point when client connects β€Ί Conversion is computationally expensive ( 40 iterations ) β€Ί Forging 8 connections/sec saturates AP’s CPU 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

1.04k views β€’ 69 slides
Five weaknesses of ASPIC+ Leila Amgoud amgoud@irit.fr Amgoud (IRIT) Weaknesses of APSIC+ 1 /

Five weaknesses of ASPIC+ Leila Amgoud amgoud@irit.fr Amgoud (IRIT) Weaknesses of APSIC+ 1 /

Five weaknesses of ASPIC+ Leila Amgoud amgoud@irit.fr Amgoud (IRIT) Weaknesses of APSIC+ 1 / 12 Motivation Argumentation = an activity of reason aimed to increase (or decrease) the acceptability of a controversial standpoint by putting

975 views β€’ 38 slides
Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

1.04k views β€’ 45 slides
How UNAIDS works Strengths and weaknesses in the governance of UNAIDS Strengths Inclusiveness

How UNAIDS works Strengths and weaknesses in the governance of UNAIDS Strengths Inclusiveness

How UNAIDS works Strengths and weaknesses in the governance of UNAIDS Strengths Inclusiveness of decision making Involvement of civil society, PLWH Things can change Strengths and weaknesses in the governance of UNAIDS Weaknesses

209 views β€’ 7 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views β€’ 50 slides
Weaknesses of Probabilistic Context-Free Grammars Michael Collins, Columbia University Weaknesses

Weaknesses of Probabilistic Context-Free Grammars Michael Collins, Columbia University Weaknesses

Weaknesses of Probabilistic Context-Free Grammars Michael Collins, Columbia University Weaknesses of PCFGs Lack of sensitivity to lexical information Lack of sensitivity to structural frequencies S NP VP NNP Vt NP IBM bought NNP

805 views β€’ 9 slides
www.redrokk.com 1 Focus Group Goals Qualitative Goals Discover EdCCs

www.redrokk.com 1 Focus Group Goals Qualitative Goals Discover EdCCs

www.redrokk.com 1 Focus Group Goals Qualitative Goals Discover EdCCs obstacles/weaknesses Learn more about the why Stylistic preferences www.redrokk.com 2 Key Weaknesses Key Weaknesses No clear brand identity

559 views β€’ 28 slides
Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

07 Tutorial: Broadphase Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known weaknesses Fixed-timestep weakness All-pairs weakness Pair-processing weakness Two-phase collision detection

833 views β€’ 20 slides
Our Economic Weaknesses Revealed by COVID-19 and What We Can Do about It ECONOMIC

Our Economic Weaknesses Revealed by COVID-19 and What We Can Do about It ECONOMIC

Our Economic Weaknesses Revealed by COVID-19 and What We Can Do about It ECONOMIC OPPORTUNITY INSTITUTE MAY 22, 2020 OPPORTUNITYINSTITUTE.ORG US least prepared of any wealthy country Unlike peer nations, U.S. lacks: Universal health

415 views β€’ 25 slides
WORKSHEET 1: ANALYSIS What are the strengths and weaknesses of your community? How will they

WORKSHEET 1: ANALYSIS What are the strengths and weaknesses of your community? How will they

WORKSHEET 1: ANALYSIS What are the strengths and weaknesses of your community? How will they impact your marketing strategy? Brand Acceleration, Inc. | Indianapolis, IN 317-536-6255 | brandaccel.com WORKSHEET 2: TARGETS Based on your

290 views β€’ 3 slides
Weaknesses, and Opportunities for Improvement Shingai Machingaidze BSc(Hons), MPH Senior

Weaknesses, and Opportunities for Improvement Shingai Machingaidze BSc(Hons), MPH Senior

Vaccination Programs in Africa: Strengths, Weaknesses, and Opportunities for Improvement Shingai Machingaidze BSc(Hons), MPH Senior Scientist South African Medical Research Council 6.9 (6.8-7.4) million children under 5 died in 2011; 19 000

336 views β€’ 23 slides
To determine the level of fitness of students. To identify strengths and weaknesses for

To determine the level of fitness of students. To identify strengths and weaknesses for

To determine the level of fitness of students. To identify strengths and weaknesses for development/improvement To provide a baseline data for selection of physical activities for enhancement of health and skill performance. To

552 views β€’ 38 slides
Knowing Your Sons Learning Style Objectives Know your son Strengths and Weaknesses in

Knowing Your Sons Learning Style Objectives Know your son Strengths and Weaknesses in

Knowing Your Sons Learning Style Objectives Know your son Strengths and Weaknesses in learning. Understand your children's learning needs Identify reasons for underachievement Student/teacher interaction improvement Aware that Learning

204 views β€’ 18 slides
Goals for Today Learning Objective: Contrast strengths/weaknesses of security primitives

Goals for Today Learning Objective: Contrast strengths/weaknesses of security primitives

Goals for Today Learning Objective: Contrast strengths/weaknesses of security primitives Understand design concepts of OS-layer Access Control Announcements, etc: MP3 Soft Extension: Submit by April 25th for -10pts MP4 due

489 views β€’ 26 slides
Background Data Collection Regarding the Strengths/Weaknesses of DDSNs Current Band Payment

Background Data Collection Regarding the Strengths/Weaknesses of DDSNs Current Band Payment

Background Data Collection Regarding the Strengths/Weaknesses of DDSNs Current Band Payment System &amp; Direction for Improvement Presentation to the Legislative Oversight Committee, House of Representatives February 1, 2018 By Interim

975 views β€’ 55 slides
Weaknesses and Failures of Risk Assessment Dr. William L. Oberkampf Consulting Engineer Austin,

Weaknesses and Failures of Risk Assessment Dr. William L. Oberkampf Consulting Engineer Austin,

Weaknesses and Failures of Risk Assessment Dr. William L. Oberkampf Consulting Engineer Austin, Texas wloconsulting@gmail.com International Federation of Information Processing and National Institute of Standards and Technology Workshop on

568 views β€’ 17 slides
Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key,

Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key,

Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key, given the user's public key. Unfortunately, there is a gap between ECDLP difficulty and ECC security.There are many attacks that break

527 views β€’ 18 slides
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Bobs secret key is sk [ B ] and its associated public key is pk [ B ]. The public key setting assumes Alice is in possession of pk [ B ]. Alice pk [ B

619 views β€’ 48 slides
Passpet Convenient Password Management and Phishing Protection Ka-Ping Yee Kragen Sitaker

Passpet Convenient Password Management and Phishing Protection Ka-Ping Yee Kragen Sitaker

Passpet Convenient Password Management and Phishing Protection Ka-Ping Yee Kragen Sitaker ping@zesty.ca kragen@pobox.com problems: design: solutions: practical matters: evaluation: problems: the big 5 problems: the big 5 1 many

961 views β€’ 51 slides
Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace

Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace

Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace Topics Password-based Crypto Random Number Generators Symmetric Key Encryption key generation R k Gen K R M Enc C C Dec M

726 views β€’ 29 slides
Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (see earlier) Public key: bind identity to public key Crucial as people will

690 views β€’ 41 slides
User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views β€’ 28 slides
BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER

BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER

BITLOCKER MEETS GPUS BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER Windows Vista, 7, 8.1 and 10 encryption feature (Ultimate, Pro, Enterprise, etc..) It encrypts several types of memory units

904 views β€’ 30 slides
Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton Institute, NUI Maynooth. 19 April 2012 How to Guess a Password? Passwords are everywhere. If you dont know the password, can you guess it? 1. Make a

420 views β€’ 18 slides

More recommend