Dragonblood: An analysis of the WPA3-SAE handshake

By Dan Harkins, Scientist

Recently researchers Mathy Vanhoef and Eyal Ronen released a paper analyzing the Simultaneous Authentication of Equals (SAE) protocol, a key part of the new WPA3 certification program from the Wi-Fi Alliance. SAE performs a password authenticated key exchange (PAKE) that is resistant to offline dictionary attack, a significant improvement over the WPA2-PSK protocol that it replaces. The SAE handshake is commonly known as Dragonfly, and the researchers have named this new set of vulnerabilities Dragonblood.

The paper is being promoted as exposing flaws in the standards (and the standards process) that comprise WPA3. While some of the exploits they identify are against the SAE standard, they are not serious flaws. The serious attack they identify (the cache attack/password partition) is an attack against an implementation of the standard and not against the standard.

WPA3-SAE remains secure and represents a vast improvement in security and usability for Wi-Fi networks. This blog broadly describes the findings in the paper and their applicability to Aruba products.

Cache attack/password partition
SAE performs a loop to deterministically find a secret point on an elliptic curve. The standard defines multiple techniques to avoid side channel attacks on this looping procedure. The researchers determined that one open-source implementation of SAE does not perform one of these techniques in constant time. Their exploit involves running (unprivileged) code on the target device to determine how many loops were required to find the secret point. This allows the attacker to exclude possible passwords (i.e. the ones that would take a different number of loops). After a series of such attacks it is possible for the attacker to eliminate so many passwords that a dictionary attack can be successful.

This is an attack against an implementation and not against the standard. Furthermore, this implementation has already been patched.

Aruba products do not use that implementation of SAE; they use an Aruba-developed version of SAE. Aruba products are not susceptible to this attack.
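The loop-count leak described above, as an added example that is not code from this post, from Aruba, or from the patched implementation. The seed derivation is a simplified stand-in for the one in the standard, the fixed count of 40 and all inputs are assumptions, and Python's big-integer arithmetic is not constant time, so the second function shows only the loop structure.

```python
import hashlib
import hmac

# NIST P-256: y^2 = x^3 + A*x + B over GF(P).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
K = 40  # fixed number of iterations (assumed value for this sketch)


def candidate_x(password: bytes, mac_a: bytes, mac_b: bytes, counter: int) -> int:
    """Simplified stand-in for SAE's per-iteration seed derivation."""
    key = max(mac_a, mac_b) + min(mac_a, mac_b)
    digest = hmac.new(key, password + bytes([counter]), hashlib.sha256).digest()
    return int.from_bytes(digest, "big")


def is_valid_x(x: int) -> bool:
    """x is usable if x < P and x^3 + A*x + B is a square (Euler's criterion)."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    return x < P and pow(rhs, (P - 1) // 2, P) == 1


def early_exit_loop(password: bytes, mac_a: bytes, mac_b: bytes):
    """Stops at the first valid x, so the loop count depends on the password."""
    for counter in range(1, 256):
        x = candidate_x(password, mac_a, mac_b, counter)
        if is_valid_x(x):
            return x, counter
    raise ValueError("no point found")


def fixed_loop(password: bytes, mac_a: bytes, mac_b: bytes):
    """Always runs K iterations and selects the first valid x arithmetically."""
    found, result = 0, 0
    for counter in range(1, K + 1):
        x = candidate_x(password, mac_a, mac_b, counter)
        take = int(is_valid_x(x)) & (1 - found)  # 1 only for the first valid x
        result = take * x + (1 - take) * result
        found |= take
    if not found:
        raise ValueError("no point found")
    return result, K


# Constructed sample inputs: two locally administered MACs, made-up passwords.
AP, STA = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
PASSWORDS = [f"example-{i}".encode() for i in range(32)]
```

Both functions return the same x for a given password; only the early-exit version exposes a count that differs from one password to the next.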

DoS protection
In the SAE protocol, the AP performs significant cryptographic work on receipt of the first message from the client. This opens the AP to a denial-of-service (DoS) attack in which an attacker repeatedly sends bogus initial packets from different MAC addresses. To address this, SAE has built-in protection against denial-of-service attacks. But the researchers pointed out that this protection is inadequate to deal with anything more than a simple packet-spraying attack. Overcoming SAE’s built-in protection does not require much sophistication.

Aruba products implement SAE’s built-in protection against denial-of-service attacks and, in addition, limit the number of nascent connections they will process. Furthermore, the cryptographic work to process SAE messages is done on interruptible queues, which further limits the ability of an attacker to overwhelm the CPU.
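A sketch of the two layers described above, added here as an example and not Aruba's code: SAE's built-in protection is an anti-clogging token, and a hard cap on nascent handshakes bounds the work even when every sender returns a valid token. The class name, the HMAC-based token construction and the thresholds are assumptions.

```python
import hashlib
import hmac
import os


class CommitGate:
    """Decides whether an SAE Commit gets expensive processing."""

    def __init__(self, token_threshold: int, max_nascent: int):
        self.secret = os.urandom(32)      # per-AP secret; rotation omitted here
        self.token_threshold = token_threshold
        self.max_nascent = max_nascent
        self.nascent = set()              # MACs with a handshake in progress

    def token_for(self, mac: bytes) -> bytes:
        """Stateless token bound to the claimed source MAC."""
        return hmac.new(self.secret, mac, hashlib.sha256).digest()

    def on_commit(self, mac: bytes, token: bytes = b"") -> str:
        if mac in self.nascent:
            return "process"              # retransmission of a known handshake
        if len(self.nascent) >= self.max_nascent:
            return "drop"                 # hard cap holds even for valid tokens
        if len(self.nascent) >= self.token_threshold:
            if not token:
                return "token-required"   # reply carries token_for(mac)
            if not hmac.compare_digest(token, self.token_for(mac)):
                return "drop"
        self.nascent.add(mac)
        return "process"

    def on_finished(self, mac: bytes) -> None:
        """Handshake completed or timed out: free the slot."""
        self.nascent.discard(mac)


def replay(gate: CommitGate, macs):
    """Feed Commits from constructed MACs that echo any token they are handed."""
    results = []
    for mac in macs:
        verdict = gate.on_commit(mac)
        if verdict == "token-required":
            verdict = gate.on_commit(mac, gate.token_for(mac))
        results.append(verdict)
    return results
```

With a token threshold of 2 and a cap of 4, six distinct senders that all echo their tokens yield four `process` verdicts and two `drop` verdicts, which is the bound the token alone does not give.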

Small sub-group attacks
SAE peers agree on a cryptographic group in which to run the protocol. These groups can be elliptic curve (ECC) groups or groups based on exponentiation modulo a prime (MODP). Not all groups are safe to use with SAE. When some weak MODP groups are used with SAE, it is possible to perform repeated attacks in order to partition the dictionary (of possible passwords) and ultimately discover the secret password.

There are actually several groups that should not be used with SAE, not just the three groups the researchers identified. The Wi-Fi Alliance has produced a list of groups that are not suitable for use with SAE.

Aruba products do not support any weak groups and are therefore not susceptible to this attack.

Group downgrade attack
The client in SAE decides which group to use in the handshake. If the AP does not like the group it will reject the offer and the client will try again. The researchers noted this simple request-reject-request method of group negotiation is susceptible to an attack in which the attacker inserts itself as a man-in-the-middle and rejects the client’s offers until the client offers a weak group and then lets the offer go through, thereby downgrading the group used by SAE.

The Wi-Fi Alliance has produced guidance for clients to never offer a group whose cryptographic strength is not suitable for the encryption algorithm being offered. That is, if AES with a 128-bit key is going to be used, then do not offer a group which will produce a key that does not have that level of strength. NIST SP 800-57, Part 1 Rev 4, published in January 2016, provides strength estimates for the groups that SAE uses.

Aruba products do not support weak groups and therefore are not susceptible to this attack.
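The client-side guidance above, as an added example that is not from this post or from the Wi-Fi Alliance: the offer list is filtered by strength before the request-reject-request loop starts, so repeated rejections cannot push the client below the floor. The function names and the preference list are assumptions, the strength table is an illustrative subset, and `unsuitable` is a placeholder for the Wi-Fi Alliance list of groups, which this page does not reproduce.

```python
# Strength estimates in bits from NIST SP 800-57 Part 1, keyed by the IANA
# group numbers SAE uses. Illustrative subset, not a complete registry.
GROUP_STRENGTH = {
    2: 80,     # 1024-bit MODP
    14: 112,   # 2048-bit MODP
    15: 128,   # 3072-bit MODP
    19: 128,   # 256-bit ECP (P-256)
    20: 192,   # 384-bit ECP (P-384)
    21: 256,   # 521-bit ECP (P-521)
}


def allowed_offers(preferred, cipher_key_bits, unsuitable=frozenset()):
    """Groups the client may offer for this cipher, in preference order."""
    return [g for g in preferred
            if g not in unsuitable
            and GROUP_STRENGTH.get(g, 0) >= cipher_key_bits]


def negotiate(offers, peer_accepts):
    """Request-reject-request: offer each group in turn until one is accepted."""
    for group in offers:
        if peer_accepts(group):
            return group
    return None  # fail closed: no fallback outside the offer list


# Constructed scenario: a preference list that still contains a weak group,
# a path that rejects every offer except group 2, and an ordinary AP.
PREFERRED = [19, 20, 15, 14, 2]


def rejects_until_weak(group):
    return group == 2


def honest_ap(group):
    return group in (19, 20)
```

Offering the unfiltered list to the rejecting peer ends on group 2; offering `allowed_offers(PREFERRED, 128)` ends with no connection, and against the ordinary AP it settles on group 19.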

Transition mode attack
SAE is a new protocol that is not backwards compatible with legacy WPA2 protocols. Turning on WPA3 on a network will prevent non-WPA3 clients from connecting. To prevent interruption and allow WPA3 to be deployed gradually, a “transition mode” was defined. This essentially allows both WPA2-PSK and WPA3-SAE to be used on the same basic service set (BSS). Legacy clients connect with WPA2-PSK and WPA3-capable clients connect with WPA3-SAE. To prevent user confusion, the Wi-Fi Alliance decided to use the same password for both WPA2-PSK and WPA3-SAE. The intention is that once a suitable proportion of clients has been upgraded to WPA3, transition mode will be turned off and a pure WPA3 network will be used.

The researchers claim that this opens up WPA3-SAE to attack, namely a dictionary attack against WPA2-PSK and then using the resulting password to either connect with WPA3-SAE or to create a rogue access point and offer only WPA2-PSK, downgrading WPA3-capable clients to WPA2.

This is not an attack against WPA3-SAE. It is exploiting the known weaknesses of WPA2-PSK. Providing WPA2-PSK access on any network will open that network up to known attacks against WPA2-PSK. There is no way to gradually transition a network from WPA2 to WPA3 without allowing legacy WPA2 access during the transition period.

If customers are concerned about attacks possible with the known weaknesses of WPA2-PSK they should turn it off, turn off PSK/SAE transition mode, and go with a pure WPA3-SAE network.