Paper 2019/383

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd

Mathy Vanhoef and Eyal Ronen


We systematically analyze WPA3 and EAP-pwd, find denial-of-service and downgrade attacks, present severe vulnerabilities in all implementations, reveal side-channels that enable offline dictionary attacks, and propose design fixes which are being officially adopted. The WPA3 certification aims to secure home networks, while EAP-pwd is used by certain enterprise Wi-Fi networks to authenticate users. Both use the Dragonfly handshake to provide forward secrecy and resistance to dictionary attacks. In this paper, we systematically evaluate Dragonfly's security. First, we audit implementations, and present timing leaks and authentication bypasses in EAP-pwd and WPA3 daemons. We then study Dragonfly's design and discuss downgrade and denial-of-service attacks. Our next and main results are side-channel attacks against Dragonfly's password encoding method (e.g.~hash-to-curve). We believe that these side-channel leaks are inherent to Dragonfly. For example, after our initial disclosure, patched software was still affected by a novel side-channel leak. We also analyze the complexity of using the leaked information to brute-force the password. For instance, brute-forcing a dictionary of size $10^{10}$ requires less than $\$$1 in Amazon EC2 instances. These results are also of general interest due to ongoing standardization efforts on Dragonfly as a TLS handshake, Password-Authenticated Key Exchanges (PAKEs), and hash-to-curve. Finally, we discuss backwards-compatible defenses, and propose protocol fixes that prevent attacks. Our work resulted in a new draft of the protocols incorporating our proposed design changes.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. To appear in the IEEE Symposium on Security & Privacy, May 2020
implementationcryptographic protocolswpa3wifiside-channeldragongly
Contact author(s)
er @ eyalro net
mathy vanhoef @ nyu edu
2019-08-02: last of 2 revisions
2019-04-16: received
See all versions
Short URL
Creative Commons Attribution


      author = {Mathy Vanhoef and Eyal Ronen},
      title = {Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd},
      howpublished = {Cryptology ePrint Archive, Paper 2019/383},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.