Vulnerabilities in the WPA3 Wi-Fi Security Protocol

Researchers have found several vulnerabilities in the WPA3 Wi-Fi security protocol:

The design flaws we discovered can be divided in two categories. The first category consists of downgrade attacks against WPA3-capable devices, and the second category consists of weaknesses in the Dragonfly handshake of WPA3, which in the Wi-Fi standard is better known as the Simultaneous Authentication of Equals (SAE) handshake. The discovered flaws can be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups. All attacks are against home networks (i.e. WPA3-Personal), where one password is shared among all users.

News article. Research paper: "Dragonblood: A Security Analysis of WPA3's SAE Handshake":

Abstract: The WPA3 certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, such as protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is affected by several design flaws,and analyze these flaws both theoretically and practically. Most prominently, we show that WPA3's Simultaneous Authentication of Equals (SAE) handshake, commonly known as Dragonfly, is affected by password partitioning attacks. These attacks resemble dictionary attacks and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks. Our side-channel attacks target the protocol's password encoding method. For instance, our cache-based attack exploits SAE's hash-to-curve algorithm. The resulting attacks are efficient and low cost: brute-forcing all 8-character lowercase password requires less than 125$in Amazon EC2 instances. In light of ongoing standardization efforts on hash-to-curve, Password-Authenticated Key Exchanges (PAKEs), and Dragonfly as a TLS handshake, our findings are also of more general interest. Finally, we discuss how to mitigate our attacks in a backwards-compatible manner, and explain how minor changes to the protocol could have prevented most of our attack

Posted on April 15, 2019 at 2:00 PM • 38 Comments

Comments

David RudlingApril 15, 2019 4:33 PM

Depressing.

I briefly thought there was a light at the end of the tunnel on reading of the mitigations identified but then came to:-

" Surprisingly, when the CFRG was reviewing a minor variant of Dragonfly, they actually discussed these type of modifications ........ However, to our surprise, this change was
not incorporated into any of the Dragonfly variants."

Did someone at the NSA or similar really earn their bonus that time?

Very depressing.

MXApril 16, 2019 8:36 AM

Well, apparently it does mean that all wifi are broken. How should we launch a secure wifi then?

Clive RobinsonApril 16, 2019 9:40 AM

@ David Rudling,

Did someone at the NSA or similar really earn their bonus that time?

With "finese" obviously.

I've seen it happen so many times, it's not only not any longer a surprise, but I actively go looking for it in the notes of meetings in standards committees etc.

As I've remarked befor look out for the "Health and safety" argument, it's just like the "Think of the children argument" based at best on extream or fanciful imaginings of dire consequences that are "Statistical improbabilities" at best, or as our host has named them in the past "Security Theater". However the real point is the argument is designed to be "unarguable against" because if you challenge it they then trot out how evil you are because you want children to be injured, maimed, disfigured, abused, killed, etc, etc...

The best thing to do is make notes such that at future times you can just discredit them just as vociferously, and make very public their history as "agents of evil intent by a rouge nation state". It does not stop their little games but it does slow them down.

The thing is you can never win against such people because they live off of your tax dollars, they suffer absolutly no economic or other harm by trying it on repeatedly untill they get what they want. All you can do is "name and shame" and slow them down. But if you get to successful at lifting the corner of the carpet where they hide like roaches, expect them to come out fighting.

Keep your eye on White House national security adviser John Bolton, he is a thoroughly nasty example of their ilk. Who he is actually working for is difficult to tell, but it does not appear to be the current administration in anything but name. Every time I hear him speak, the thought occurs "What genocide is he plotting now", shortly followed by "And who is going to benift by it"...

TatütataApril 16, 2019 9:47 AM

The depressing thing about this study is that WPA is precisely the kind of standard, which due to past experience, is supposed to undergo intense scrutiny before being released in the wild.

If "they" can't get it right here, where can "they" then?

FaustusApril 16, 2019 10:12 AM

"The resulting attacks are efficient and low cost: brute-forcing all 8-character lowercase password requires less than 125$"

Isn't this a little deceptive as a standalone number? The domain of upper and lower case passwords of 8 characters is 2^8 times larger than lower. The domain of reasonable passwords (with numbers and symbols) of eight characters is about 3^8 times larger than the lowercase version. Make it a much more reasonable 10 character upper, lower, digit, symbol password and the domain is at least 3^8*75*75 approx= 37 million times larger.

There are efficiencies in cracking large sets of passwords but they are probably captured by the original $125 cost of 8 char lower. Since any reasonable person uses at least 10 characters and a full character set perhaps we should be pointing out the cost of brute forcing a reasonable password is probably well over $1 billion dollars?

BobApril 16, 2019 10:39 AM

@MX

1. Downgrade & Dictionary Attack Against WPA3-Transition

This is bruteforce/dictionary attack by forcing the WPA2 standard. This is exploitation of an existing WPA2 vulnerability. Long (>20 chars) password was already recommended because of this WPA2 vuln, and honestly, security will never be so good anywhere that short passwords become viable.

2. Security Group Downgrade Attack

Client-based. We're basically waiting on MS, Apple, and Google to fix this from what I can tell. We saw something similar with KRACK, though that really only affected Android from what I can recall.

3. Timing-Based Side-Channel Attack

Looks like a different form of brute force, this one based on time to process using older security methods that don't obfuscate time to process. Password length is probably the biggest factor here, though there may be some other confounding factors depending on the intricacies of the algorithms involved. I'm not an algorithms guy.

4. Cache-Based Side-Channel Attack

This one starts off with the phrase "When an adversary is able to observe memory access patterns on a victim's device..." Honestly, this one feels like a bit of a nothingburger. At the point that "an adversary is able to observe memory access patterns on a victim's device," that device and everything on it, including wi-fi credentials, is already pwned.

5. Denial-of-Service Attack

No confidentiality impact here. Potential for integrity impact in poorly planned implementations. High availability impact - essentially tricking the AP into using all its CPU power on garbage authentication attempts. Looks like limiting the amount of CPU usable for authentication attempts is a start, though that's still going to delay or prevent legitimate connections from being formed, it should keep the AP from getting deadlocked. This one's going to take some creativity on the part of the vendors. I still have the good fortune of not having to run anything mission-critical over wi-fi.

Clive RobinsonApril 16, 2019 11:17 AM

@ MX,

How should we launch a secure wifi then?

Well as you've not been able to do it so far, what makes you think you might be able to now?

The point is secure communications has three asspects you need to consider,

1, Message Content security.
2, Mesage Metadata security.
3, Underlying hardware/OS security.

The first can be done with the right forms of "end to end" encryption, only if the endpoints are secure.

The inherent way that WiFi protocols works means that unless you build some inyeresting network topology over the top of the WiFi and ethernet protocols the metadata can not be made secure, thus traffic analysis can be fairly easily acomplished by even a single person as an adversary.

As for hardware, OS and Application security, it's effectively non existant. So without some specialized precautions you end points will not be secure. So it does not realy matter how hard you try to make the WiFi asspect of things secure, you will fail to "end run attacks" via IO drivers below the OS kernel and the apps the OS supports that makes the plain text a user sees available to the adversary...

Yup nobody said it was easy, abd the idiom of the "weakest link" still holds sway and in this case it's the underlying end point securiry negating all the communications security.

Clive RobinsonApril 16, 2019 11:25 AM

@ Tatütata,

which due to past experience, is supposed to undergo intense scrutiny before being released in the wild.

And it is subject to intense scrutiny, but not for what you would hope. The intense scrutiny is so that some standards committee does not SNAFU the pitch of the IC's "collect it all" by accidentally or by design.

I've seen it rather to often to doubt in any way it exists.

Any way I hear the rattle of the dinner trolly, hopefully they have my order right and not the usuall inedible fodder they serve the other unfortunates under going medical care...

Clive RobinsonApril 16, 2019 11:41 AM

@ Bob,

At the point that "an adversary is able to observe memory access patterns on a victim's device," that device and everything on it, including wi-fi credentials, is already pwned.

Cache usually alow timings of activities in memoryvto become visable to the network simply by sending the target device data.

You don't have to actually see either the contents of the memory or the addresses at which it's stored for cache based attacks to leak data.

Look on it as an attack against meta-operations not data/addresses or meta-data/addresses.

You can use such attacks to synchronize timing for other active fault injection attacks. It's a subject that does not get much talked about, but is a very real threat. In essence if you know the code being executed it has a timing signiture against which it can not only be identified, but it's future actions identified. If you then cause an error or exception at an appropriate time you can in effect break the atomic nature of blocks of code which can open other vulnerabilities that can be exploited.

Such injection attacks can work against "formaly verified" code because it can cause a change of state that top level checking does not catch. Thus it's an attack method that "bubbles up" the computing stack.

Ross SniderApril 16, 2019 12:54 PM

I made this comment in 2018 on this blog as the standards were coming to a closure:

The use of the dragonfly PAKE has significant disadvantages:
1. There are known timing side channels on the protocol which already defeat the password protection.
2. There are several known active attacks on the protocol which already defeat the password protection, some under the assumption of non-robust implementations and others unconditional properties of the protocol.
3. The implication of the protocol is that passwords must be stored in a format which make them brute forceable, again defeating the password protection.
4. The parameter negotiation can be used to force malicious parameters, which is even more dangerous given how the protocol can be initiated by any side.
5. The implementation of the crypto is fragile (easy to exclude checks which subvert the security of the scheme). It is not clear that the specification includes all checks necessary for a robust implementation.

https://www.schneier.com/blog/archives/2018/07/wpa3.html#c6777931

The designer of Dragonfly came into the comments and spread more FUD about it: https://www.schneier.com/blog/archives/2018/07/wpa3.html#c6778014


Anyway, all of this was predicted, and there was even a fairly concerned effort by cryptographers to point out in public the poor choices of the committee and NSA-supported position.

RealFakeNewsApril 16, 2019 5:29 PM

I'm sure it was discussed right here on this blog when it was first announced, that WPA3 is insecure.

I'm sure it was also mentioned how they seemed to almost deliberately miss the point with WiFi security when inventing any of these schemes.

Why don't they use tried-and-true PKI with AES-256 and be done, instead of this nonsense?

Clive RobinsonApril 16, 2019 6:45 PM

@ David Rudling,

Did someone at the NSA or similar really earn their bonus that time?

Some definitely think so and have named a name who works for the NSA, and point blankly demands the persons removal from post. With an involved "J'Accuse" attached. Whilst not quite upto that published by Emile Zola, it does make the case refrencing back to other NSA employee behaviour and misdeeds with respect the CS-DRBG they back doored...

It's taken me a little longer to find than I thought it would...

https://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html

You and others might find it interesting reading...

I would have found it sooner but Google has just screwed the pooch re EU and the GDPR data protection regulations in a totally bat shit crazy way. So I've tried using another search engine with which I'm not familliar, and I suspect my mutterings although muted somewhat were not as temperate as they could be :$ However having purged Google, I will put in the effort to get the best from the new search engine...

But... It turns out @Ross Snider posted a link back to an earlier thread on this blog and the link I was looking for was on that very page...

DroneApril 16, 2019 10:58 PM

Excerpting from this informative April 10th 2019 ZDNet piece:

https://www.zdnet.com/article/dragonblood-vulnerabilities-disclosed-in-wifi-wpa3-standard/

"In total, five vulnerabilities are part of the Dragonblood ensemble -- a denial of service attack, two downgrade attacks, and two side-channel information leaks. While the denial of service attack is somewhat unimportant as it only leads to crashing WPA3-compatible access points, the other four are the ones that can be used to recover user passwords.

...

Dargonblood [sic] also impacts EAP-pwd: Besides WPA3, researchers said the Dragonblood vulnerabilities also impact the EAP-pwd (Extensible Authentication Protocol) that is supported in the previous WPA and WPA2 WiFi authentication standards.

...

The two researchers didn't publish details how the Dragonblood vulnerabilities impact EAP-pwd because the patching process is still in progress. They did, however, publish tools that can be used to discover if WPA3-capable devices are vulnerbale [sic] to any of the major Dragonblood flaws.

https://wpa3.mathyvanhoef.com/#tools

...

Fixes for WPA3 are available: On the other hand, the WiFi Alliance announced today a security update for the WPA3 standard following Vanhoef and Ronen's public disclosure of the Dragonblood flaws. "These issues can all be mitigated through software updates without any impact on devices' ability to work well together," the WiFi Alliance said today in a press release. Vendors of WiFi products will now have to integrate these changes into their products via firmware updates.

...

Vanhoef is the same security researcher who in the fall of 2017 disclosed the KRACK attack on the WiFi WPA2 standard, which was the main reason the WiFi Alliance developed WPA3 in the first place."

DaveApril 16, 2019 11:13 PM

>Did someone at the NSA or similar really earn their bonus that time?

It had nothing to do with the NSA. The author of Dragonfly is notoriously difficult to deal with and prefers to shout down any feedback or criticism rather than responding to it and fixing things. Even before that point some within the IETF declined to review his proposal because it just wasn't worth the headache of having to deal with him so it barely got any review.

There's a lot more to it than that but the blame is squarely at the foot of the Dragonfly author no need for any NSA conspiracy.

I haven't mentioned a name because he kibozes the net for any mention of himself and pops up in the discussion to argue with everyone in sight. I assume he'll turn up here at some point just listen for the shouting.

fishApril 16, 2019 11:16 PM

@Clive Robinson

Which search engine is this? I find that Google used to be by far the best (but now they merge different search terms in ways that make research quite difficult), with Bing being a close second. Pretty much anything but DuckDuckGo (whose results are downright awful)...

Clive RobinsonApril 17, 2019 10:47 PM

@ fish,

The reason for dropping Google is their now absolute insistance that you be "data raped" by them.

Prior to this you used to be able to use Google with Javascript and cookies turned off.

Yes unless you went through a VPN they could still track you but it was not as invasive.

But also working with broadband mobile Google sending several packets for each key you press, takes a very big chunk of a dataplan for absolutly no good reason. Also it alows them to do biometric identification by both your typing cadence and any spelling error patterns you might correct...

As Microsoft are just as bad if not worse these days, their offering is also compleatly dissed.

Which leaves DuckDuck... Yes it's not very good but Google and other Silicon Vally and Seattle based organisations have made it absolutly clear that data rape is their primary objrctive, and that they fully intend to kill off the purpose of the EU GDPR, I'm voting with my feet and they can go take a flying one at each other.

Hopefully a more EU legislation search engine will arise, and thus break the US cartel.

fishApril 18, 2019 8:47 PM

@Clive Robinson

I use Tor to reduce the tracking done by Google (yes, they block it sometimes, which is a shame). With the security slider set to high, JavaScript is also disabled which reduces the risk of biometric fingerprinting ("real-time search" or whatever they call it).

Why not use StartPage? It uses a syndicated feed to Google so the search quality is pretty good (much better than DDG), but doesn't track you.

Clive RobinsonApril 19, 2019 6:35 PM

@ fish,

I use Tor to reduce the tracking done by Google (yes, they block it sometimes, which is a shame).

Google are not the only ones to block Tor... Certain broadband mobile suppliers also prevent not just Tor but other VPN services...

Even though I am known for a dislike of Tor[1] I would use it or even a --very limited-- number of VPN services, to do a subset of things I do.

With regards,

Why not use StartPage? It uses a syndicated feed to Google so the search quality is pretty good (much better than DDG), but doesn't track you.

I guess it's something I'm going to look into along with a number of other options. I guess Google caught me "flat footed like the proverbial duck" by the way they changed things. I though based on earlier issues it was just going to be another very visually annoying possibly illegal HCI upgrade.

[1] My issues with Tor are much like they are with Secute Messaging Apps, they all have end point issues that can not realistically be solved with modern system architectures and OS's (though there are ways if you know what you are doing). Tor also due to wanting to support "interactive" or "real time" communications tries to have very low latency which makes it an easier target for "traffic analysis". So yes they do increase security, but no you should not think of them as "being secure" because "secure" is a relative term and all told they only give small to moderate increases in security. Unfortunatly journalists and others such as political activists mistakenly believe from the "web secure myth" that both Tor and Secure Messaging are going to keep them safe, they are not. As Chinese spys working for the CIA found to their terminal detriment security on the web is extreamly difficult to achive even for supposed experts... I've spent years working with the various meanings of "secure" and communications and I would not trust myself with what I could design for the Internet as it currently is. Because so far I've always found ways to break one or more of the "security" meanings. Oh and the laws of physics don't help, whilst information is neither energy or mass as far as we are currently aware all communications requires energy of some form. Even kinetic energy due to it's interaction with the environment it's in ends up "radiating" some coherent part on it's way to becoming the ultimate form of polution which is heat. Any coherent signal that radiates can be received by anyone with appropriate technology[2] which can be a lot further in range than you might expect.

[2] Back shortly after WWII in the UK scientists discovered radiation reflected not just from man made objects, such as aircraft but "heavenly bodies,as well. It was discovered whilst looking for Russian military signals bouncing off of metal skined aircraft. Not only did they get signals bouncing from aircraft in the "Berlin Air Corridors" they also found military signals bouncing of aircraft over the Russian heartland, and the moon. Both are something Amateur Radio practicioners carry on with today. With formally deep pockets were required for "Earth Moon Earth" (EME) working, new transmittion modes designed by a Nobel Prize winner have brought it into most Hams pocket book range. Whilst some with realy big antennas have worked "Earth Venus Earth"(EVE)

DennisApril 20, 2019 8:35 AM

@fish wrote, "Why not use StartPage? It uses a syndicated feed to Google so the search quality is pretty good (much better than DDG), but doesn't track you."

This isn't just about Googling on the interweb. Many prime OSes have already integrated their very own advertising platforms. See how MS stocks had steadily climbed in recent years. Thanks to Mr. Gates they've gotten it right again in this new era. Next to ante this up a bit, your mobile telcos will provide hooks to serve ads. There's simply no getting out from these all-knowing advertisers.

fishApril 22, 2019 10:39 PM

@Clive Robinson

I've understand your dislike of Tor, but it is just a tool. The real issues are people misusing it or assuming it protects against attacks which it does not. For example, Firefox ESR (which Tor Browser is based on) is not the most secure browser out there, and Tor cannot protect against an exploited browser which simply bypasses the proxy settings.

Tor is like a non-executable stack. On its own it does nothing, but it is a vital part of anonymous communications when used correctly in a safe software ecosystem and by individuals with good opsec. I do think you should focus more on this issue - the difficulty of using Tor properly and the inherent weakness against active software attacks - rather than flat-out attacking the Tor network itself. And although the protocol does have its problems (CTR mode with a zero nonce and 128-bit block size makes way for potential multi-target attacks, only authenticating the endpoints makes cryptographic tagging attacks possible, and low latency makes traffic analysis easier), many of them are either impractical or impossible for many adversaries.

fishApril 22, 2019 10:47 PM

In regards to the correct way to use Tor, simply "using Tor Browser" is often enough for many people, even if it is still vulnerable to targeted attacks or waterhole attacks. It provides confidentiality from the ISP, especially since traffic analysis attacks become considerably harder for small ISPs which do not have the capability of storing much more than netflow records. However, different threat models require different mitigations. To properly use Tor against a more powerful adversary, using a firewall (e.g. NetFilter, or something akin to Whonix but with physical isolation) can completely negate the danger of proxy bypasses. Mandatory Access Controls can additionally be applied to the browser to limit the scope of damage.

Tor is not perfect, and it is easy for a novice to assume that it will protect them automagically, but saying you "hate" Tor is a bit strong. Do you really hate it, or do you just see it as a tool with a specific and limited scope, and hate that people so often use it improperly in a way that prevents it from actually protecting them?

Clive RobinsonApril 23, 2019 5:39 AM

@ fish,

The real issues are people misusing it or assuming it protects against attacks which it does not.

That is the nub of the problem, but what is it's cause?

From my view it is a lack of information as usefull knowledge. In effect it creates a vacuum in which myths appear, echo and become accepted facts. Even though they are no such thing.

Ignoring Tor for a moment, there was a short while ago a lot of trumpeting about secure messaging apps, especialy those developed around the work of Moxie MarlinSpike. Yes he had put in a lot of work in certain areas, and that may have made those areas of a greater level of security, many apprare to think so and made public comment to that effect.

I made myself unpopular by pointing out that the applications were not secure...

Why did I say that? Because it was true. If those singing the prases of the areas Moxie had worked on, and taken a step back and viewed the whole system as I had done then they perhaps would have been more cautious in their praise.

When I look at the security of a system I look at it from "human to human" rather than just one or two of the very many links in the whole chain.

The apps like all apps had the issue that they ran on insecure platforms. It was known from several years before that malware writers had successfully attacked banking apps by putting I/O shims in between the app and the screen and keyboard, this enabled the attackers from other parts of the communications system, to in real time control what the application user saw on their screens, and change what they typed going into the application that got sent to the bank. The user thought they were paying the electricity bill, but the bank got told to transfer a large part of the account balance off to the attackers account.

Not only was this a known attack, it was one I had predicted from the 1990's and mentioned in several places over the years.

It works because there is a gap between the security end point inside the application and the communications end point with the human that an attacker can access on the device. In short the attacker could "end run" around the application through the OS to get at the application plaintext interface.

Although a true, factual and known attack method, people dod not want to know this, so like the King of old they attacked the messenger...

It's actually fairly easy to fix this issue, but inconvenient. To fix it you simply move the security end point beyond the communications end point an attacker can reach/influence/see. In past times when talking about the issue with banking applications I said you had to do two things, firstly authenticate transactions not communications, and secondly I made it clear you had to move the security end point off of the device in such a way that an attacker could not reach beyond the device, by putting the human in the communications path.

The problem is the second step is not convenient, thus people don't want to do it. Thus you could say they realy don't want to be secure.

But they are actually not given the choice, because a developer assumes the user won't put up with the inconvenience. Thus the user is not given the choice, they are just given an insecure system with some areas that are potentialy strong. Worse yet the application is sold on the strong points and the user never gets told the system is actually known to be insecure or why... So they don't get the chance to make the choice to employ methods that will make it secure...

It's this condescending behaviour by developers and those extolling individual features that annoys me, because the users get not just important truths hidden from them, they are also robbed of the choice to be secure or not.

In short they get sold a known to be insecure system well because they are users...

This whole attitude is the prevailing one in the software side of security, and as far as I can see the same is now true for the hardware side of things as well...

Thus if you want security then the reality is you are out on your own, which is OK if,

1, You have the information to know you are in that state.
2, You have the knowledge of how to mitigate that state.

But how many people do you know who have both the information and the knowledge?

fishApril 23, 2019 3:17 PM

@Clive Robinson

For Tor at least, the developers do try to counter the myths around the software, but they are not very good at doing that given how prevalent such myths have become. There's even a big scary FAQ page explaining what Tor can and cannot do, yet very few people end up reading it.

This is why I take issue with the way you explain your issues with Tor. I see it like saying you "hate AES" and explaining that you're "not a fan of the AES cipher" which is arguably misused far more often. After all, it's extremely fragile and will break spectacularly if used incorrectly, even if only slightly (e.g. reusing a nonce in CTR mode). AES, like Tor, only solves one very specific and narrow problem, but it is very good at what it does. I will say that I hate the most people know is not to use ECB mode while not understanding how important authentication is, but I won't say I "hate AES". I just hate when people misuse or misunderstand it.

> But how many people do you know who have both the information and the knowledge?

Quite a few, but then again I don't hang around the crowds that get immersed in mystical thinking (even if they are a majority). I can't think of a single person I know who uses Tor but does not understand the limitations in regards to endpoint exploitation, nor a single person who uses secure messengers but does not realize that they do not protect from compromise of the device.

DennisApril 23, 2019 10:34 PM

@fish wrote, " I can't think of a single person I know who uses Tor but does not understand the limitations in regards to endpoint exploitation, nor a single person who uses secure messengers but does not realize that they do not protect from compromise of the device."

While this is good insightful info, I can't help but wonder. Isn't the point of using Tor not to let you or anyone else know using it? Why would anyone use Tor and then go about to widely chat about their experiences of it? This appears to violate some kind of opsec rule in the manuals.

fishApril 23, 2019 11:06 PM

@Dennis

No, that's not the point of Tor. While it does have a feature to bypass censorship at the ISP-level, it is designed primarily for privacy at the ISP-level and for anonymity. By default, Tor makes no attempt to hide the fact that you are using it. That is not its job.

DennisApril 26, 2019 4:07 AM

@fish wrote, "No, that's not the point of Tor. While it does have a feature to bypass censorship at the ISP-level, it is designed primarily for privacy at the ISP-level and for anonymity. By default, Tor makes no attempt to hide the fact that you are using it. That is not its job."

This is an interesting argument. If Tor has a design to bypass censorship locally, how does it do it without hiding the fact that you are using it?

DennisApril 26, 2019 4:10 AM

@Clive Robinson wrote, "Ignoring Tor for a moment, there was a short while ago a lot of trumpeting about secure messaging apps, especialy those developed around the work of Moxie MarlinSpike. Yes he had put in a lot of work in certain areas, and that may have made those areas of a greater level of security, many apprare to think so and made public comment to that effect."

I think the fact Facebook is going on a enterprise-wide effort to consolidate it's messaging platform(s) is a solid telling there are ways around the proposed e2e messaging protocol/scheme(s). The fact that Mr. Z is throwing resources at the problem signifies the scale of the issue.

Clive RobinsonApril 26, 2019 4:08 PM

@ Dennis,

... is a solid telling there are ways around the proposed e2e messaging protocol/scheme(s)

I would say it's very likely.

Also note that those shouting the loudest for backdoors / Frontdoors / golden keys / etc are not the "professionals" like the IC and SigInt agencies, but those who were once called "the bumbling flat foots" of Law Enforcment.

In part this is because Law Enforcment is somewhat amateurish in it's abilities in this area, and they are also in effect lazy wanting to just sit there and have everything presented on a plate rather than learn to do what's required to get their desired results. Also unlike the IC and SigInt agencies they have to play more "within the law". Hence the continuing battle of the FBI and DoJ to get "legal precedent" via dodgy trials and "rights stripping" that never should have been brought before a court.

fishApril 30, 2019 1:54 PM

@Dennis

Tor is designed to bypass censorship by allowing people to evade ISP-level website blocks. If an ISP tries to counter that by blocking Tor in general, then the user can use the built in "pluggable transports" that obfuscate the connection. It's not meant to make the protocol resistant to manual analysis, just to automated blocking. This is not used by default though, because most ISPs will not block Tor entirely, even if Tor can be used to bypass other blocks.

The UK for example loves to censor pornographic websites, but they don't block people's connections to the Tor network. This allows people in the UK to use Tor to evade ridiculous website restrictions.

@Clive Robinson

This is exactly why the FBI keeps complaining about "going dark". The IC works quietly to push for backdoors, whereas their brain damaged counterparts in the police force can only complain that their job isn't as easy as they want it to be. But I'd go beyond saying that they're "somewhat amateurish". They really have NO idea what they're doing. The tools they use are all sold to them for an insanely high price when dirt cheap or free alternatives exist. Their data recovery abilities are only one step above point-and-click. Their forensics "experts" can't tell the difference between an ITP-XDP JTAG header and a USB slot. What they do have, though, is lawyers and legal experts who try their damnedest to convince the public and the courts that backdoors are necessary.

Clive RobinsonApril 30, 2019 5:45 PM

@ fish,

What they do have, though, is lawyers and legal experts who try their damnedest to convince the public and the courts that backdoors are necessary.

As an outsider looking into the US I'm never sure with the DoJ and FBI which end of the dog is the head and which end the tail.

The DoJ appears staffed with a number of legal types who make your everyday sociopath look normal. The case against Apple was clearly cooked up between the FBI and the DoJ and was ment to be a coup d grass on Silicon Valley by setting case law. It went badly wrong Apple fought back and the FBI very clearly lied to a magistrate, which is never a wise thing to do, the magistrate certainly appeared to be wise to what was going on and started to real things in. The DoJ knowing that they were going to loose and rather than have a court set things the wrong way, they pulled the rip cord and the FBI did their little Pirouette on cue and both of the "cleared out of Dodge in a hurry".

I feel sorry for the more normal people that work at the DoJ with such people.

But still the thought lingered, who came up wirh that little stunt someone at the FBI or someone at the DoJ... It's clear from other more recent cases that the FBI feel quite happy purjuring themselves in court, yet nothing appears to be done about it.

Thus the question of why both agencies feel it's OK to knowingly lie in court. What gives them the sense of invincibility and why it continues.

What ever the reasoning, my name once came up over a DMCA takedown, I only found out about it by accident via a Google search. To this day I still don't know what the takedown was or why I was connected with it. But one thing it has set in stone for me, even with the statute of limitations and even if I do get well enough to fly again, I will not be visiting the US or US friendly countries like Canada or Australia, as it would appear based on other FBI activities that the risk is potentially to high...

Perhaps it sounds overly cautious / paranoid to some, but I have a somewhat chequered past. Even though it's been suggested I'm a little paranoid in the past over not having social media, having javascript and cookies turned off, not having my personal machines connected to the Internet or no Personal Email. So far my choices based on what I can see as possible attack vectors appears to have been correct, if a little early.

I have a guiding rule on this sort of thing which is "If the laws of physics alow it someone will eventually do it" with the rider that "Base technology costs approximately halve every nine months" when you consider capacity / performance / bandwidth / power.

fishApril 30, 2019 10:26 PM

@Clive Robinson

It's not just the DoJ and FBI that get to lie in court. Virtually any entity with power can do that, whether it's a member of the intelligence community or a particularly powerful company, like Facebook. The US legal system is fatally broken.

> Perhaps it sounds overly cautious / paranoid to some

No, it sounds perfectly reasonable to me.

> Even though it's been suggested I'm a little paranoid in the past over not having social media, having javascript and cookies turned off

Just make sure you use a syscall whitelist, because disabling JavaScript really only does so much... I'm sure I don't need to tell you how cheap scriptless browser 0days are nowadays, at least for Firefox. Not sure why you'd disable ALL cookies though. Not good for your anonymity set.

DennisMay 6, 2019 5:54 AM

@Clive Robinson

"Also note that those shouting the loudest for backdoors / Frontdoors / golden keys / etc are not the "professionals" like the IC and SigInt agencies, but those who were once called "the bumbling flat foots" of Law Enforcment."

This is not to say LEOs don't participate in such acts. What they must acquire is a legal right admissable in the court of law, while the IC does not answer to courts. The IC also are not accustomed to "talk" unless there is an advantage to do so due to what we learn are nefarious "counter-intelligence" practices. Thus, whenever the IC do come up and talk about something, one must listen with every caution taken. The MIC and LEO are entirely different beasts because one acts on pay grade and the other acts off a patriotic sense of duty. IMHO

NotTheNSAAugust 20, 2019 8:33 PM

This is hilarious. Reread the quasi-prescient comments section on this blog post from 2018 about the new WPA3 standard:

swr • July 12, 2018 8:00 AM

There are some reports that the PAKE used in WPA3 is (or is based upon) Dragonfly. The link Starous posted earlier includes some mention of this.

Dragonfly caused some controversy in the IETF:

Trevor Perrin's summary

Dan Harkins' response

Trevor Perrin's request to remove CFRG co-chair

Ross Snider • July 13, 2018 1:49 AM

Is the summary here that popular editorials have glossed over the controversial decisions of an NSA-backed standard?

The use of the dragonfly PAKE has significant disadvantages:
1. There are known timing side channels on the protocol which already defeat the password protection.
...

Some Guy • July 13, 2018 2:18 AM

@swr: Dragonfly caused some controversy in the IETF:

It's not the protocol I'd have chosen. The author is a difficult person to work with and has a long history of trying to push his pet crypto projects through as standards despite multiple cryptographers pointing out problems with them, which he invariably perceives as some sort of personal attack on him rather than the genuine technical criticism which they are. It'll be interesting to see whether further attacks on Dragonfly turn up in the future (I would say, yes, they will). It'd also be interesting to find out what sort of shenanigans went on for Dragonfly of all things to get adopted for WPA3 when there are so many other well-designed, heavily-analysed protocols around.


These critical comments about Dan Harkins and his pet protocol Dragonfly, which now appear to be generally vindicated, were objected to at great length by what appears to be the thin-skinned, Extremely Online Mr. Harkins himself:

Dan Harkins • July 13, 2018 1:38 PM

@Some Guy, do I know you? Have we worked together? The things I
take as personal attacks are when people publicly accuse me of
being an NSA plant out to subvert the Internet (which someone did
both in email and in print). So yea, I take personal attacks as
if they're personal attacks.

I'm not sure which "multiple cryptographers" you're talking about.
...


Dan Harkins • July 14, 2018 12:19 PM

@Ross Snider

What do you mean "an NSA backed standard"? Can you please substantiate that statement?
...


Dan Harkins • August 10, 2018 4:38 PM

So I reached out to Ross Snider at Oracle over his comments about SAE and whether
he can substantiate his accusations of:

1. "several known active attacks on the protocol which already defeat the password protection"
2. how "parameter negotiation can be used to force malicious parameters"
3. how "[t]he implementation of the crypto is fragile"
4. why he said there is no formal security proof when one does exist
5. what are the "significant cryptographic weaknesses" this protocol has
6. how weaknesses "probably amount to an NSA backdoor"

Each time I asked he merely replied, "I will attempt to find some time to look into this." There's been plenty of time and no response.
...

He's come such a long way from 2013, when Basil Dolmatov's reaction to reading an email from Dan Harkins was:

Was impressed by the quality of arguments used in discussing of new cryptographic protocols. :-/

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.