Dragonblood: Weaknesses in WPA3’s Dragonfly Handshake
Mathy Vanhoef and Eyal Ronen
- BruCON. Belgium, 11 October 2019.
Background: Dragonfly in WPA3 and EAP-pwd
Dragonfly = Password Authenticated Key Exchange (PAKE)
› Negotiate session key
› Provide mutual authentication
› Forward secrecy & prevent offline dictionary attacks
› Protect against server compromise
Dragonfly
› Both parties convert the password to a group element P
› Commit phase: negotiate shared key
› Confirm phase: confirm peer negotiated same key
› Supports two crypto groups (MODP groups and elliptic curves, both covered below)
What are MODP groups?
All operations are MODulo the Prime (= MODP)
Operations performed on integers x where:
› x < p with p a prime
› x^q mod p = 1 must hold
› q = #elements in the group
Convert password to MODP element
    for (counter = 1; counter < 256; counter++)
        value = hash(pw, counter, addr1, addr2)
        if value >= p: continue
        P = value^((p-1)/q) mod p    // convert value to a MODP element
        return P
› If value >= p the candidate is rejected and the loop continues with the next counter
› Problem for groups 22-24: high chance that value >= p
› No timing leak countermeasures, despite warnings by IETF & CFRG!
› #iterations depends on password
IETF mailing list in 2010
“[..] susceptible to side channel (timing) attacks and may leak the shared password.”
“not so sure how important that is [..] doesn't leak the shared password [..] not a trivial attack.”
Leaked information: #iterations needed
› Measure the #iterations the victim needs for client address addrA
› Compare with the #iterations each candidate password (Password 1, Password 2, Password 3, ...) needs for addrA
› Spoof the client address (addrB, addrC, ...) to obtain a different execution & leak new data
› Forms a signature of the password
› Need ~17 addresses to determine password in RockYou dump

Raspberry Pi 1 B+: differences are measurable
› Hostap AP: ~75 measurements / address
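The MODP loop and the per-address signature it leaks, as an added Python example written for this page; it is not the authors' code, not hostapd, and not an RFC MODP group. The prime, the toy subgroup order Q, the SHA-256/SHA-512 stand-ins for the KDF, the constructed MAC addresses and the exact "modulo instead of iterations" construction are all assumptions of this example. Two things are shown: the iteration count returned by the slide's loop differs per password and per client address (the signature), and a variant that hashes to a wider value and reduces it modulo p always costs one pass, so the signature carries no information.

```python
import hashlib

# Toy parameters, constructed for this example (not an RFC MODP group).
# p is a 255-bit prime, so a 256-bit hash output lands at or above p about
# half of the time, which mimics the groups 22-24 problem from the slides.
P = 2**255 - 19
Q = (P - 1) // 4                 # order of the subgroup of 4th powers (toy subgroup)
MAX_COUNTER = 256                # the slide loops counter = 1 .. 255


def hash_value(pw, counter, addr1, addr2):
    """hash(pw, counter, addr1, addr2) as a 256-bit integer; SHA-256 stands in
    for the real KDF (assumption of this example)."""
    digest = hashlib.sha256(pw + bytes([counter]) + addr1 + addr2).digest()
    return int.from_bytes(digest, "big")


def hash_to_modp_leaky(pw, addr1, addr2):
    """The loop from the slide. Returns (element, iterations): the iteration
    count is what the timing side channel reveals to an observer."""
    for counter in range(1, MAX_COUNTER):
        value = hash_value(pw, counter, addr1, addr2)
        if value >= P:
            continue                             # candidate rejected: next counter
        elem = pow(value, (P - 1) // Q, P)       # value^((p-1)/q) mod p: into the subgroup
        if elem > 1:                             # reject 0 and 1 (the slide's code omits this)
            return elem, counter
    raise ValueError("no group element found")   # the '???' case; probability ~2^-255 here


def iteration_signature(pw, client_addrs, ap_addr):
    """One iteration count per client address: the password 'signature' from
    the slides. The victim leaks it through timing; a dictionary candidate
    can be checked by computing its signature offline and comparing."""
    return tuple(hash_to_modp_leaky(pw, addr, ap_addr)[1] for addr in client_addrs)


def hash_to_modp_fixed(pw, addr1, addr2):
    """'Modulo instead of iterations': derive 64 bits more than p and reduce
    mod p, so every password costs exactly one pass. The construction is an
    assumption; the slide only names the approach. Returns (element, 1)."""
    n_bytes = (P.bit_length() + 64 + 7) // 8
    wide = hashlib.sha512(pw + addr1 + addr2).digest()[:n_bytes]
    value = int.from_bytes(wide, "big") % (P - 2) + 2      # near-uniform in [2, p-1]
    return pow(value, (P - 1) // Q, P), 1


if __name__ == "__main__":
    # Constructed addresses: five spoofed client MACs and one AP MAC.
    clients = [bytes([0x02, 0, 0, 0, 0, i]) for i in range(1, 6)]
    ap = bytes([0x02, 0, 0, 0, 0, 0xFF])
    for pw in (b"password1", b"password2"):
        print(pw, "leaky signature:", iteration_signature(pw, clients, ap))
        print(pw, "fixed cost per address:",
              tuple(hash_to_modp_fixed(pw, c, ap)[1] for c in clients))
```

Run stand-alone, the two candidate passwords print different leaky signatures (the counts are geometric with mean about 2, so they differ per address with high probability), while the fixed variant prints `(1, 1, 1, 1, 1)` for every password. Note that the fixed variant is only constant-time in the sense of the slide, a fixed amount of work; making the big-integer arithmetic itself branch-free is a separate concern.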
What about elliptic curves?
Need to convert password to point (x,y) on the curve
Operations performed on points (x, y) where:
› x < p and y < p with p a prime
› y^2 = x^3 + ax + b mod p must hold
Hash-to-curve: EAP-pwd
    for (counter = 1; counter < 40; counter++)
        x = hash(pw, counter, addr1, addr2)
        if x >= p: continue
        if square_root_exists(x):
            return (x, y)        // with y^2 = x^3 + ax + b mod p
› EAP-pwd: similar timing leak with elliptic curves

Hash-to-curve: WPA3 (simplified)
    for (counter = 1; counter < 40; counter++)
        x = hash(pw, counter, addr1, addr2)
        if x >= p: continue
        if square_root_exists(x) and not P:
            P = (x, y)           // with y^2 = x^3 + ax + b mod p
    return P
› WPA3: always do 40 loops & return first P
› Problem for Brainpool curves: high chance that x >= p
› Code may be skipped! #Times skipped depends on password
› Simplified, execution time again forms a signature of the password.

NIST Elliptic Curves
› NIST curves: use Flush+Reload to detect when code is executed, i.e. monitor in which iteration we are
› Essentially, we again learn a signature of the password
Cache-attacks in practice
Requires powerful adversary:
› Run unprivileged code on victim’s machine
› Act as malicious client/AP within range of victim
Abuse leaked info to recover the password
› Spoof various client addresses similar to timing attack
› Use resulting password signature in dictionary attack

Brute-force Performance
Timing & cache attack result in password signature
› Both use the same brute-force algorithm
Estimate performance on GPUs:
› We can brute-force 10^10 passwords for $1
› MODP / Brainpool: all 8 symbols costs $67
› NIST curves: all 8 symbols costs $14k
Invalid Curve Attack
› Attacker sends Commit(x’, y’) where the point isn’t on the curve
› Negotiated key is predictable
› Victim sends its Commit reply
› Attacker guesses the key and sends its confirm in the Confirm phase
› Bypasses authentication
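The two hash-to-curve variants from the slides above (EAP-pwd's early return and WPA3's fixed 40 loops) and the point-validation check that the Invalid Curve Attack slide relies on being absent, as an added Python example written for this page. It is not the authors' code and not any vendor's implementation: the curve y^2 = x^3 + 7 over the toy prime 2^31 - 1, the 32-bit x derived from SHA-256 (one bit wider than p, so x >= p about half the time, mimicking Brainpool), and the function names are all assumptions of this example. The EAP-pwd variant returns the counter at which it stopped; the WPA3 variant returns how many of its 40 loops skipped the square-root test. Both values vary with the password, which is the leak the slides describe; `is_on_curve` is the check a receiver must apply to every Commit before using it.

```python
import hashlib

P = 2**31 - 1          # toy prime; P % 4 == 3, so a square root is one exponentiation
A, B = 0, 7            # toy curve y^2 = x^3 + A*x + B over GF(P) (constructed)
LOOPS = 40             # WPA3's fixed loop bound from the slide


def hash_x(pw, counter, addr1, addr2):
    """x = hash(pw, counter, addr1, addr2) as a 32-bit integer (SHA-256 stands
    in for the KDF). One bit wider than P, so x >= P roughly half the time."""
    d = hashlib.sha256(pw + bytes([counter]) + addr1 + addr2).digest()
    return int.from_bytes(d[:4], "big")


def rhs(x):
    """Right-hand side of the curve equation, x^3 + A*x + B mod P."""
    return (pow(x, 3, P) + A * x + B) % P


def sqrt_mod(v):
    """A square root of v mod P (valid because P = 3 mod 4), or None if v is a
    non-residue, i.e. no point with this x exists."""
    r = pow(v, (P + 1) // 4, P)
    return r if (r * r - v) % P == 0 else None


def is_on_curve(pt):
    """Commit validation. The invalid-curve attack on the slide sends a point
    that fails exactly this check; a receiver that skips it computes a
    predictable key."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - rhs(x)) % P == 0


def hash_to_curve_eap_pwd(pw, addr1, addr2):
    """EAP-pwd style: return as soon as a point is found. Returns (point,
    counter); the counter is the work performed, i.e. what timing reveals."""
    for counter in range(1, LOOPS):
        x = hash_x(pw, counter, addr1, addr2)
        if x >= P:
            continue
        y = sqrt_mod(rhs(x))
        if y is not None:
            return (x, y), counter
    return None, LOOPS - 1    # no point found; what happens then is not on the slide (assumption)


def hash_to_curve_wpa3(pw, addr1, addr2):
    """WPA3 style (simplified): always run all loops and return the first point.
    Returns (point, n_skipped): the square-root test is skipped whenever
    x >= P, so the total work, and thus the timing, still depends on the password."""
    point, n_skipped = None, 0
    for counter in range(1, LOOPS):
        x = hash_x(pw, counter, addr1, addr2)
        if x >= P:
            n_skipped += 1        # "code may be skipped": no square-root test this loop
            continue
        y = sqrt_mod(rhs(x))      # always performed, even after a point was found
        if y is not None and point is None:
            point = (x, y)
    return point, n_skipped


if __name__ == "__main__":
    a1, a2 = bytes([0x02, 0, 0, 0, 0, 1]), bytes([0x02, 0, 0, 0, 0, 0xFF])  # constructed MACs
    for pw in (b"password1", b"password2"):
        print(pw, "EAP-pwd stops at counter", hash_to_curve_eap_pwd(pw, a1, a2)[1],
              "| WPA3 skipped", hash_to_curve_wpa3(pw, a1, a2)[1], "of", LOOPS - 1, "loops")
    print("off-curve commit (1, 0) accepted?", is_on_curve((1, 0)))
```

The WPA3 variant removes the early return but not the data-dependent skip, which is the point of the "code may be skipped" slide; the on-curve check costs one field equation per received Commit and is independent of the password.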
Implementation Vulnerabilities II
Bad randomness:
› Can recover password element P
› Aruba’s EAP-pwd client for Windows is affected
› With WPA2 bad randomness has lower impact!
Side-channels:
› FreeRADIUS aborts if >10 iterations are needed
› Aruba’s EAP-pwd aborts if >30 are needed
› Can use leaked info to recover password
Denial-of-Service Attack
AP converts password to EC point when client connects
› Conversion is computationally expensive (40 iterations)
› Forging 8 connections/sec saturates AP’s CPU
Downgrade Against WPA3-Transition
Transition mode: WPA2/3 use the same password
› WPA2 can detect MitM downgrades forward secrecy
› Performing partial WPA2 handshake → dictionary attacks
Solution is to remember which networks support WPA3
› Similar to trust on first use of SSH & HSTS
› Implemented by Pixel 3 and Linux’s NetworkManager
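The "remember which networks support WPA3" solution, as an added Python example written for this page; it is not from the slides and not the Pixel 3 or NetworkManager implementation. The AKM selector numbers follow IEEE 802.11 (00-0F-AC:2 is PSK, 00-0F-AC:8 is SAE); the class and method names and the in-memory set are assumptions of this example.

```python
AKM_PSK = 2    # WPA2-Personal (00-0F-AC:2)
AKM_SAE = 8    # WPA3-Personal, Dragonfly/SAE (00-0F-AC:8)


class Wpa3Memory:
    """Trust on first use for WPA3, in the spirit of SSH known_hosts and HSTS:
    once a network has been seen offering SAE, a later WPA2-only advertisement
    for the same SSID is treated as a downgrade and refused."""

    def __init__(self):
        self._wpa3_networks = set()      # SSIDs that were seen offering SAE

    def choose_akm(self, ssid, advertised_akms):
        """Pick the AKM to use for this network, or None to refuse to connect."""
        if AKM_SAE in advertised_akms:
            self._wpa3_networks.add(ssid)   # pin WPA3 for this SSID from now on
            return AKM_SAE
        if ssid in self._wpa3_networks:
            return None                     # pinned WPA3 but only WPA2 offered: refuse
        if AKM_PSK in advertised_akms:
            return AKM_PSK                  # never seen WPA3 here: WPA2 is all we know
        return None

    def pinned(self, ssid):
        return ssid in self._wpa3_networks


if __name__ == "__main__":
    mem = Wpa3Memory()
    print(mem.choose_akm("home", {AKM_PSK, AKM_SAE}))   # 8: transition network, WPA3 used and pinned
    print(mem.choose_akm("home", {AKM_PSK}))            # None: same SSID now WPA2-only, refused
    print(mem.choose_akm("cafe", {AKM_PSK}))            # 2: unknown network, WPA2 is accepted
```

As with SSH and HSTS, the pin only protects connections after the first genuine WPA3 contact: a rogue network can keep a client from ever pinning a new SSID, but cannot unpin one, because only an advertised SAE selector adds an entry.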
Crypto Group Downgrade
Handshake can be performed with multiple curves
› Initiator proposes curve & responder accepts/rejects
› Spoof reject messages to downgrade used curve
= design flaw, all client & AP implementations vulnerable
Implementation-specific downgrades
› Clone WPA3-only network & advertise it only supports WPA2
› Galaxy S10 & iwd connected using the WPA3-only password
› Results in trivial dictionary attack
Disclosure process
Notified parties early with hope to influence WPA3
› Some initially skeptical, considered it implementation flaws
› Group downgrade: “was known, but forgot to warn about it”
Reaction of the Wi-Fi Alliance
› Privately created backwards-compatible security guidelines
› 2nd disclosure round to address Brainpool side-channels
Fundamental issue still unsolved
› On lightweight devices, doing 40 iterations is too costly
› Even powerful devices are at risk: handshake might be

Wi-Fi standard now being updated
› Prevent crypto group downgrade attack
› Allow offline computation of password element
Additional updates to Wi-Fi standard
Elliptic curve groups:
› Restrict usage of weak elliptic curves
› Constant-time algo (simplified SWU)
MODP crypto groups:
› Restrict usage of weak MODP groups
› Constant-time algo (modulo instead of iterations)

Updates aren’t backwards-compatible
Might lead to WPA3.1?
› Not yet clear how this will be handled
› Risk of downgrade attacks to original WPA3
Will people be able to easily attack WPA3?
› No, WPA3 > WPA2 even with its flaws
› Timing leaks: non-trivial to determine if vulnerable

› WPA3 vulnerable to side-channels
› Countermeasures are costly
› Standard now being updated
› WPA3 > WPA2 & planned updates are strong
https://wpa3.mathyvanhoef.com