The 2019 Pwnie Winner For Best Cryptographic Attack


Credit: Mathy Vanhoef and Eyal Ronen

There’s a backstory on this bug, which recovers passwords from WPA3 handshakes.

The WPA3 handshake relies on a PAKE (a cryptographic key exchange secured by a password) called Dragonfly. Dragonfly is the invention of a guy named Dan Harkins. Dan Harkins took it upon himself to retrofit elliptic curves onto first-generation multiplicative-group PAKEs like SRP. We’re losing you here but bear with me: there were PAKE protocols that used the same simple math as Diffie Hellman, and Dan Harkins tried to design one that used ECC. Anyways, when Harkins tried to get his new PAKE included in TLS, Trevor Perrin broke it in a mailing list post. The story goes on and involves the NSA and a bunch of intrigue and is worth looking into. Oh how we laughed.

And then WPA3 was released and, oh look, there’s Harkins’ Dragonfly protocol, right there in our wireless handshakes.

It’s pretty clear to us that the WiFi standards groups triggered some ancient mummy curse, because the WiFi standards by themselves are a master class in everything that can go wrong with a crypto protocol. And, as Vanhoef and Ronen show, WPA3 is by itself a lesson in everything that can go wrong with a single handshake: invalid curve attacks! Protocol downgrade attacks! Timing attacks! They’ll teach this one in schools, unless the WiFi people come up with WPA4 or something, which will surely be even worse.