Dragonblood: Attacking the Dragonfly Handshake of WPA3

Presented at Black Hat USA 2019, Aug. 7, 2019, 11:15 a.m. (50 minutes).

One of its main advantages of WPA3 is that it provides forward secrecy and prevents offline dictionary attacks. However, the WPA3 certification program was created behind closed doors, meaning researchers could not critique it. This is problematic because, even though WPA3 relies on the existing Dragonfly handshake, this handshake received significant criticism during its standardization. This raises the question of how secure WPA3 is.

In this talk, we will show that WPA3 is affected by several design and implementations flaws. Most prominently, we show that WPA3's Dragonfly handshake, in Wi-Fi also known as SAE, is vulnerable to side-channel attacks. We demonstrate that the leaked information can be abused to carry out password partitioning attacks. These attacks resemble a dictionary attack, and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks. Our side-channel attacks target the protocol's password encoding method, for example, our cache-based attack exploits Dragonfly's so-called hash-to-curve algorithm. Additionally, we present invalid curve attacks against EAP-pwd, which internally uses a close variant of the Dragonfly handshake. This enables an adversary to bypass authentication. We will also discuss downgrade attacks to WPA2, which in turn enable dictionary attacks, and discuss denial-of-service attacks. Finally, we explain how we confirmed all vulnerabilities in practice, and discuss to which extend attacks can be mitigated in a backwards-compatible manner.

Our conclusion is that WPA3 does not meet the standards of a modern security protocol. Either all countermeasures are implemented, in which case it might be affected by DoS attacks, or it does not implement the defenses, in which case it is vulnerable to our attacks. Nevertheless, WPA3 does remain an improvement over WPA2.


Presenters:

  • Mathy Vanhoef - Postdoctoral Researcher, New York University Abu Dhabi
    Mathy Vanhoef is a postdoctoral researcher at New York University Abu Dhabi. He is most well known for his KRACK attack against WPA2, and the RC4 NOMORE attack against RC4. His research interest is in computer security with a focus on network security, wireless security (e.g. Wi-Fi), network protocols, and applied cryptography. Currently his research is about analyzing security protocols and discovering (logical) vulnerabilities in their implementations. He also wants to learn more about how to (automatically) prove the correctness of protocol implementations. Apart from research, he's interested in low-level security, reverse engineering, and binary exploitation.

Links:

Similar Presentations: