![]() |
![]() |
University of Birmingham > Talks@bham > Computer Security Seminars > Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd
Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwdAdd to your list(s) Download to your calendar using vCal
If you have a question about this talk, please contact Isra Ahmed. The WPA3 certification aims to secure home networks, while EAP -pwd is used by certain enterprise Wi-Fi networks to authenticate users. Both use the Dragonfly handshake to provide forward secrecy and resistance to dictionary attacks. In this talk, we systematically evaluate Dragonfly’s security. First, we audit implementations, and present timing leaks and authentication bypasses in all EAP -pwd daemons and one WPA3 client. We then study Dragonfly’s design and discuss downgrade and denial-of-service attacks. Our next and main results are side-channel attacks against Dragonfly’s password encoding method (e.g. hash-to-curve). We believe that these side-channel leaks are inherent to Dragonfly. For example, after our initial disclosure, patched software was still affected by a novel side-channel leak. We also analyze the complexity of using the leaked information to brute-force the password. For instance, brute-forcing a dictionary of size 10^10 requires less than $1 in Amazon EC2 instances. These results are also of general interest due to ongoing standardization efforts on Dragonfly as a TLS handshake, Password-Authenticated Key Exchanges (PAKEs), and hash-to-curve. Finally, we discuss backwards-compatible defenses, and propose a minor protocol change that mitigates most attacks. This talk is part of the Computer Security Seminars series. This talk is included in these lists:
Note that ex-directory lists are not shown. |
Other listsMedical Imaging Research Seminars School of Metallurgy and Materials Colloquia Computer Science Distinguished SeminarsOther talksQuantitative imaging with random light: Challenges and Opportunities Quantum dots for THz technology |