by noiseman
2518 days ago
> Dragonfly is the invention of a guy named Dan Harkins. Dan Harkins took it upon himself to retrofit elliptic curves onto first-generation multiplicative-group PAKEs like SRP. We’re losing you here but bear with me: there were PAKE protocols that used the same simple math as Diffie Hellman, and Dan Harkins tried to design one that used ECC. Anyways, when Harkins tried to get his new PAKE included in TLS, Trevor Perrin broke it in a mailing list post. The story goes on and involves the NSA and a bunch of intrigue and is worth looking into. Oh how we laughed.

> And then WPA3 was released and, oh look, there’s Harkins’ Dragonfly protocol, right there in our wireless handshakes.

> It’s pretty clear to us that the WiFi standards groups triggered some ancient mummy curse, because the WiFi standards by themselves are a master class in everything that can go wrong with a crypto protocol. And, as Vanhoef and Ronen show, WPA3 is by itself a lesson in everything that can go wrong with a single handshake: invalid curve attacks! Protocol downgrade attacks! Timing attacks! They’ll teach this one in schools, unless the WiFi people come up with WPA4 or something, which will surely be even worse.

This can’t be real. Are the WiFi standards groups really as incompetent as this page makes them out to be? These are the standards that everybody uses, right?

This seems especially unwarranted, since WPA3 is not, as you might assume from this, worse than WPA2, and the paper is explicit about that.
Indeed two of their attacks are trying to _degrade_ you to WPA2, which would be a terrible idea if WPA3 was weaker.
The paper shows that if you do WPA3 badly, you are vulnerable to a bunch of nasty attacks, and doing it well is resource intensive (which may make it hard to justify in cheap / low-power WiFi implementations). That's a good criticism of WPA3, but it isn't a reason WPA2 was better since that extra resource is needed to deliver a feature WPA3 didn't have at all (Forward Secrecy).