Researchers from New York University Abu Dhabi and Tel Aviv University have warned of serious flaws in the freshly-finalised Wireless Protected Access 3 (WPA3) Wi-Fi security standard, to which they have given the dramatic name 'Dragonblood'.
Announced back in January 2018 and launched as a finalised standard in June 2018, Wireless Protected Access 3 (WPA3) is designed to address security flaws in the widespread WPA2 standard, including the Key Reinstallation Attack (KRACK), which itself was launched to fix flaws in the original WPA standard, which in turn came about owing to the woeful security offered by the original Wired Equivalent Privacy (WEP) standard for Wi-Fi cryptography.
Sadly, WPA3 appears to come with a few flaws of its own. Mathy Vanhoef and Eyal Ronen, researchers at New York University Abu Dhabi and Tel Aviv University respectively, have published a paper detailing flaws in the Simultaneous Authentication of Equals (SAE) handshake process, formerly codenamed Dragonfly. These flaws, the pair claim, allow for password partitioning attacks: A method of obtaining the password used to protect the Wi-Fi network through timing or cache-based side-channel analysis.
The blame, the researchers claim, lies firmly at the feet of the Wi-Fi Alliance for developing the new WPA3 standard behind closed doors. 'Unfortunately, [WPA3] was created without public review, meaning experts could not critique any of WPA3's new features before they were released,' the pair explain. 'Moreover, although the new handshake of WPA3 was designed in an open manner, its security guarantees are unclear. On the one hand there is a security proof of a close variant of WPA3's handshake, but on the other hand another close variant of the handshake received significant criticism during its standardisation.'
The flaws, which were notified to the Wi-Fi Alliance before publication, are serious. 'We believe that WPA3 does not meet the standard of a modern security protocol,' the researchers conclude. 'Moreover, we believe that our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 standard in a more open manner. Notable also is that nearly all of our attacks are against SAE's password encoding method, i.e. against its hash-to-group and hash-to-curve algorithm. Interestingly, a simple change to this algorithm would have prevented most of our attacks.'
While concluding that WPA3, even in its flawed form, represents 'an improvement over WPA2', the pair have urged adopters of WPA3 to consider implementing proposed backwards-compatible side-channel countermeasures detailed in the paper - though warns this is 'non-trivial', in particular on resource-constrained devices.
The full paper is available to read here (PDF warning).
September 16 2019 | 14:00