Overview
Syllabus
Intro
Background: Dragonfly in WPA3 and EAP-pwd
Convert password to MODP element
What about elliptic curves?
Hash-to-curve: WPA3 for (counter - 1; counter 40; counter:-)
Attack Optimizations Timing & cache attack result in password signature Both use the same brute-force algorithm
Invalid Curve Attack
Reflection Attack: EAP-pwd example
Other Implementation Vulnerabilities
Denial-of-Service Attack
Downgrade Against WPA3-Transition Transition mode: WPA2/3 use the same password
Crypto Group Downgrade Handshake can be performed with multiple curves Initiator proposes curve & responder accepts/rejects Spoof reject messages to downgrade used curve
Fundamental issue still unsolved On lightweight devices, doing 40 iterations is too costly Even powerfull devices are at risk: handshake might be offloaded the lightweight Wi-Fi chip itself
Conclusion
Thank you! Questions?
Taught by
TheIACR