Cryptology ePrint Archive: Report 2019/383

Dragonblood: A Security Analysis of WPA3's SAE Handshake

Mathy Vanhoef and Eyal Ronen

Abstract: The WPA3 certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, such as protection against offline dictionary attacks and forward secrecy.

Unfortunately, we show that WPA3 is affected by several design flaws, and analyze these flaws both theoretically and practically. Most prominently, we show that WPA3's Simultaneous Authentication of Equals (SAE) handshake, commonly known as Dragonfly, is affected by password partitioning attacks. These attacks resemble dictionary attacks and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks. Our side-channel attacks target the protocol's password encoding method. For instance, our cache-based attack exploits SAE's hash-to-curve algorithm.

The resulting attacks are efficient and low cost: brute-forcing all 8-character lowercase passwords requires less than $125 in Amazon EC2 instances.

In light of ongoing standardization efforts on hash-to-curve, Password-Authenticated Key Exchanges (PAKEs), and Dragonfly as a TLS handshake, our findings are also of more general interest.

Finally, we discuss how to mitigate our attacks in a backwards-compatible manner, and explain how minor changes to the protocol could have prevented most of our attacks.

Category / Keywords: cryptographic protocols / implementation, cryptographic protocols, wpa3, wifi, side-channel, dragonfly

Date: received 10 Apr 2019

Contact author: er at eyalro net, mathy vanhoef@nyu edu

Available format(s): PDF | BibTeX Citation

Version: 20190416:032828

Short URL: ia.cr/2019/383
