Dragonblood - A Security Analysis of WPA3’s SAE Handshake

Explore a comprehensive security analysis of WPA3's Simultaneous Authentication of Equals (SAE) handshake in this 52-minute conference talk by Mathy Vanhoef at the Workshop on Attacks in Cryptography 2 (WAC2). Delve into the intricacies of the Dragonfly protocol used in WPA3 and EAP-pwd, examining the process of converting passwords to MODP elements and the implications for elliptic curves. Investigate various attack optimizations, including timing and cache attacks that can lead to password signatures. Learn about the Invalid Curve Attack, Reflection Attack, and other implementation vulnerabilities. Examine potential Denial-of-Service attacks and downgrade attacks against WPA3-Transition mode. Discuss the fundamental issues still present in the protocol, particularly for lightweight devices, and consider the broader implications for Wi-Fi security. Gain valuable insights into the challenges and vulnerabilities of modern wireless security protocols through this in-depth presentation.

Intro
Background: Dragonfly in WPA3 and EAP-pwd
Convert password to MODP element
What about elliptic curves?
Hash-to-curve: WPA3 for (counter - 1; counter 40; counter:-)
Attack Optimizations Timing & cache attack result in password signature Both use the same brute-force algorithm
Invalid Curve Attack
Reflection Attack: EAP-pwd example
Other Implementation Vulnerabilities
Denial-of-Service Attack
Downgrade Against WPA3-Transition Transition mode: WPA2/3 use the same password
Crypto Group Downgrade Handshake can be performed with multiple curves Initiator proposes curve & responder accepts/rejects Spoof reject messages to downgrade used curve
Fundamental issue still unsolved On lightweight devices, doing 40 iterations is too costly Even powerfull devices are at risk: handshake might be offloaded the lightweight Wi-Fi chip itself
Conclusion
Thank you! Questions?