Security Vulnerabilities Disclosed for SAE Handshake – no update needed for Cisco Wireless products
By Cisco Team
April 11, 2019
On April 10, 2019, a research paper entitled Dragonblood: Analysing WPA3’s Dragonfly Handshake was made publicly available. This paper describes how the Simultaneous Authentication of Equals (SAE) handshake, defined in IEEE 802.11-2016 and implemented as part of the Wi-Fi Alliance’s Wi-Fi Protected Access 3 (WPA3) security suite, has recently been found to have multiple vulnerabilities.
An attacker could exploit these vulnerabilities to attempt offline recovery of the password used to secure a Wi-Fi network, or to perform a denial of service attack against vulnerable access points. Cisco access points are not affected by any of the vulnerabilities described. The Cisco AireOS and IOS-XE releases that support SAE for WPA3-Personal will also include protection mechanisms against these vulnerabilities. WPA3 clients may need to be updated, and Cisco recommends checking vendors’ websites for the latest information.
Although no Cisco products are affected, Cisco understands that customers want to understand the vulnerabilities in order to assess the exposure of their WPA3 clients. This document provides a summary of the issues raised in the vulnerability disclosure.
Simultaneous Authentication of Equals (SAE) is a password-authenticated key exchange intended to provide resistance to offline dictionary attacks, which are one of the major challenges in WPA2-Personal (PSK). SAE is defined in the 802.11 standard, and WPA3 uses SAE in the WPA3-Personal (PSK) mode. Please note that WPA3-Enterprise mode (with 802.1X/EAP) is not affected by the vulnerability disclosure. When SAE is used (in WPA3-Personal), the researchers found that several attacks were possible:
Denial of Service attacks: with SAE, the initiating station (typically the client) starts by sending a commit frame whose content is built from the PSK and random numbers. Processing that frame and generating an answer is computationally expensive on the AP. An attacker could use this fact to generate a large number of commit frames from fake MAC addresses and overload the AP. Cisco APs incorporate automatic detection and blacklisting of misbehaving clients as well as anti-exhaustion mechanisms. The effect of such an attack on clients in a Cisco network may be a slower handshake completion.
Backward compatibility attack: to accommodate older clients that only support WPA2-Personal and to aid the transition from WPA2-Personal to WPA3-Personal, a WPA3-Personal transition mode was created (an SSID allowing both WPA3-PSK and WPA2-PSK). An attacker could spoof the AP MAC address and force clients into WPA2 mode, then use known attacks against WPA2-PSK to recover the PSK. Cisco supports both a “WPA3-Personal Only” mode and a “WPA2+WPA3 Personal” mode (the mixed mode). Cisco recommends configuring WPA3-only WLANs and avoiding WLANs in mixed mode.
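The downgrade described above is visible on the air: a beacon for a BSSID that used to advertise SAE suddenly advertises only PSK. The following monitor is an added example written for this post, not Cisco code: it parses the RSN element (ID 48) of a beacon using the AKM suite selectors from IEEE 802.11-2016 (00-0F-AC:2 PSK, 00-0F-AC:6 PSK-SHA256, 00-0F-AC:8 SAE, 00-0F-AC:9 FT-SAE), classifies the WLAN as WPA3-only, transition or WPA2-only, and flags a beacon that offers a weaker set than previously seen for the same SSID/BSSID. The sample beacons, the SSID and the MAC addresses are constructed for the example.

```python
import struct

# RSN suite selectors from IEEE 802.11-2016 (OUI 00-0F-AC followed by the suite type)
CIPHER_CCMP128 = bytes.fromhex("000fac04")
AKM_PSK = bytes.fromhex("000fac02")         # WPA2-Personal
AKM_PSK_SHA256 = bytes.fromhex("000fac06")  # WPA2-Personal with SHA-256
AKM_SAE = bytes.fromhex("000fac08")         # WPA3-Personal (SAE)
AKM_FT_SAE = bytes.fromhex("000fac09")      # SAE with fast BSS transition

# RSN capability bits for management frame protection
MFPR = 0x0040  # MFP required (WPA3-only WLANs set this)
MFPC = 0x0080  # MFP capable (transition WLANs set at least this)

RANK = {"wpa3-only": 3, "wpa2+wpa3-transition": 2, "wpa2-psk": 1, "other": 0}


def build_rsne(akms, caps=0):
    """Build an RSN element body (the bytes after element ID and length).
    Used here only to construct sample beacons; CCMP-128 as group and pairwise cipher."""
    body = struct.pack("<H", 1) + CIPHER_CCMP128            # version, group cipher
    body += struct.pack("<H", 1) + CIPHER_CCMP128           # pairwise cipher list
    body += struct.pack("<H", len(akms)) + b"".join(akms)   # AKM suite list
    body += struct.pack("<H", caps)                         # RSN capabilities
    return body


def parse_rsne(body):
    """Parse an RSN element body into its suite lists and MFP flags."""
    if len(body) < 8:
        raise ValueError("RSNE too short")
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = body[2:6]
    off = 6
    n_pairwise, = struct.unpack_from("<H", body, off)
    off += 2
    pairwise = [body[off + 4 * i: off + 4 * i + 4] for i in range(n_pairwise)]
    off += 4 * n_pairwise
    if off + 2 > len(body):
        raise ValueError("truncated pairwise suite list")
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2
    akms = [body[off + 4 * i: off + 4 * i + 4] for i in range(n_akm)]
    off += 4 * n_akm
    if off > len(body):
        raise ValueError("truncated AKM suite list")
    # RSN capabilities are optional; treat an absent field as all-zero
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify(akms):
    """Map the advertised AKM set onto the WLAN modes discussed in the post."""
    sae = AKM_SAE in akms or AKM_FT_SAE in akms
    psk = AKM_PSK in akms or AKM_PSK_SHA256 in akms
    if sae and psk:
        return "wpa2+wpa3-transition"
    if sae:
        return "wpa3-only"
    if psk:
        return "wpa2-psk"
    return "other"


class DowngradeMonitor:
    """Remembers the strongest AKM set seen per (SSID, BSSID) and flags a beacon
    that later offers something weaker, which is how a spoofed AP pushing clients
    back to WPA2 looks to a passive listener."""

    def __init__(self):
        self.best = {}

    def observe(self, ssid, bssid, rsne_body):
        info = parse_rsne(rsne_body)
        mode = classify(info["akms"])
        key = (ssid, bssid.lower())
        prev = self.best.get(key, 0)
        alert = None
        if RANK[mode] < prev:
            alert = "%s/%s now advertises %s, weaker than previously seen" % (ssid, bssid, mode)
        self.best[key] = max(prev, RANK[mode])
        return mode, alert


if __name__ == "__main__":
    mon = DowngradeMonitor()
    # constructed beacons: a WPA3-only WLAN, then the same BSSID offering WPA2-PSK only
    print(mon.observe("corp-wifi", "00:11:22:33:44:55", build_rsne([AKM_SAE], caps=MFPC | MFPR)))
    print(mon.observe("corp-wifi", "00:11:22:33:44:55", build_rsne([AKM_PSK])))
```

The monitor keys on SSID and BSSID together because a spoofed AP reuses the real BSSID; a client that stored the same "best mode seen" would likewise have grounds to refuse the WPA2-only association rather than silently downgrading.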
SAE group negotiation attack: when sending the commit frame, the initiating side (typically the client) specifies the finite cyclic group (the security group) it wants to use. If the AP does not support that group, it returns a decline message, forcing the initiating station to choose another group until one supported by both sides is found. An attacker can impersonate an AP and force stations to choose a weaker, or a computationally expensive, group (thus attempting to exhaust the AP’s resources). Cisco access points are not susceptible to this attack. Cisco encourages customers to verify susceptibility to this attack with endpoint vendors.
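The two AP-side defences mentioned in the denial of service and group negotiation paragraphs above can be shown together in one commit-frame handler. This is an added example written for this post, not Cisco’s implementation: the handler rejects groups outside an allow-list with status 77 (unsupported finite cyclic group), demands an anti-clogging token (status 76) once too many exchanges are open so that the expensive password-element work is only done for peers that echo a token bound to their MAC address, and drops peers that repeatedly re-commit without finishing. The threshold, lifetime, strike limit, allowed-group set and the flood of constructed MAC addresses are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Finite cyclic group identifiers (IANA IKE registry numbers, as used by SAE)
GROUP_ECP_256 = 19            # mandatory to support in WPA3-Personal
GROUP_MODP_2048 = 14          # a MODP group this handler refuses (assumption for the example)
ALLOWED_GROUPS = {19, 20, 21}  # assumption: ECC groups only, no MODP groups

# IEEE 802.11 authentication status codes used by SAE
STATUS_SUCCESS = 0
STATUS_ANTI_CLOGGING_TOKEN_REQUIRED = 76
STATUS_UNSUPPORTED_FINITE_CYCLIC_GROUP = 77
DROPPED = None  # frame silently discarded (blacklisted peer)


class SaeCommitHandler:
    def __init__(self, threshold=8, lifetime=30.0, max_strikes=3):
        self.secret = os.urandom(32)   # token key; a real AP rotates it periodically
        self.threshold = threshold     # open exchanges before tokens are demanded
        self.lifetime = lifetime       # seconds an open exchange / token epoch stays valid
        self.max_strikes = max_strikes
        self.pending = {}              # peer MAC -> time its commit was accepted
        self.strikes = {}              # peer MAC -> commits sent without finishing
        self.expensive_ops = 0         # stands in for PWE derivation and group arithmetic

    def _token(self, peer_mac, epoch):
        msg = peer_mac.encode() + epoch.to_bytes(8, "big")
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def _token_ok(self, peer_mac, token, epoch):
        if token is None:
            return False
        # accept the current and the previous epoch so a token issued just
        # before a rollover is still usable
        return any(hmac.compare_digest(token, self._token(peer_mac, e))
                   for e in (epoch, epoch - 1))

    def handle_commit(self, peer_mac, group, token=None, now=None):
        """Returns (status, token): status None means the frame was dropped."""
        now = time.monotonic() if now is None else now
        peer_mac = peer_mac.lower()
        # forget exchanges the peer never finished
        self.pending = {m: t for m, t in self.pending.items() if now - t < self.lifetime}
        if self.strikes.get(peer_mac, 0) >= self.max_strikes:
            return DROPPED, None
        if group not in ALLOWED_GROUPS:
            return STATUS_UNSUPPORTED_FINITE_CYCLIC_GROUP, None
        epoch = int(now // self.lifetime)
        if len(self.pending) >= self.threshold and not self._token_ok(peer_mac, token, epoch):
            # under load: no expensive work until the peer echoes its token
            return STATUS_ANTI_CLOGGING_TOKEN_REQUIRED, self._token(peer_mac, epoch)
        if peer_mac in self.pending:  # new commit while the previous one is still open
            self.strikes[peer_mac] = self.strikes.get(peer_mac, 0) + 1
        self.pending[peer_mac] = now
        self.expensive_ops += 1
        return STATUS_SUCCESS, None

    def confirm(self, peer_mac):
        """Called once the peer's confirm frame verifies; closes the exchange."""
        self.pending.pop(peer_mac.lower(), None)
        self.strikes.pop(peer_mac.lower(), None)


if __name__ == "__main__":
    ap = SaeCommitHandler(threshold=8)
    # constructed flood: 200 commits from made-up source MACs, none carrying a token
    for i in range(200):
        ap.handle_commit("02:00:00:00:%02x:%02x" % (i // 256, i % 256), GROUP_ECP_256, now=100.0)
    print("expensive operations during flood:", ap.expensive_ops)
    status, tok = ap.handle_commit("aa:bb:cc:dd:ee:01", GROUP_ECP_256, now=101.0)
    status, _ = ap.handle_commit("aa:bb:cc:dd:ee:01", GROUP_ECP_256, token=tok, now=101.2)
    print("legitimate client after echoing its token:", status)
```

The token only costs the AP one HMAC per frame, so a flood from spoofed MAC addresses is bounded to `threshold` expensive computations per lifetime window, while a real client loses a single round trip. The group check runs before any password-element work, which is what keeps an attacker-chosen MODP group from consuming CPU.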
Password partitioning: recovering the PSK from the SAE-generated values is considered nearly infeasible in reasonable time with current computing power and techniques. However, an attacker could attempt to determine which subset of passwords the PSK belongs to, using two possible techniques. WPA3 mandates support for DH group 19 (256-bit ECP) but allows support for other DH groups. When multiplicative groups modulo a prime p (MODP groups) are used, the attacker could measure the time the AP takes to answer the commit frame, infer the time the AP spent computing its own commit frame, and then determine which subset of passwords would require that same computation time (versus a faster or slower computation). This is on the AP side. Cisco APs are not vulnerable to this attack and do not support MODP groups. The attacker could also compromise a client station, observe the station’s memory, infer the commit-frame computation time and again determine which subset of passwords would require that computation time. This attack is only valid for client stations and can apply to any DH group. Cisco recommends verifying with the station vendor whether its operating system is protected against such an attack, for example with anti-malware mechanisms.
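The AP-side timing variant above comes from the structure of SAE’s “hunting and pecking” password-element derivation: the loop tries counter values until a candidate falls inside the group, so the number of rounds, and with it the commit-frame computation time, depends on the password. The following is an added example written for this post, not Cisco code or the standard’s reference text. It uses a toy 16-bit MODP group (constructed so that about half of all candidates fall outside the prime) and a simplified KDF, and places the original loop shape beside the mitigated one, which always runs a fixed number of rounds and always performs the exponentiation; both return the same password element, but only the fixed loop has a password-independent round count. The MAC addresses and passwords are constructed inputs.

```python
import hashlib
import hmac

# Toy MODP group constructed for this example; real SAE MODP groups use primes of
# 1024 bits and more, but the loop structure is the same.
P = 32771        # prime just above 2^15: roughly half of all 16-bit candidates are >= P
Q = 113          # prime order of the subgroup used; P - 1 = 2 * 5 * 29 * 113
ITERATIONS = 40  # fixed round count used by the mitigated loop


def pwd_seed(password, mac_a, mac_b, counter):
    """HMAC(max(MAC) || min(MAC), password || counter), the seed for one round."""
    key = bytes.fromhex(max(mac_a, mac_b).replace(":", "")) + \
          bytes.fromhex(min(mac_a, mac_b).replace(":", ""))
    return hmac.new(key, password + bytes([counter]), hashlib.sha256).digest()


def candidate(seed):
    """Simplified KDF: 16 bits derived from the seed stand in for KDF-n(seed, label, p)."""
    return int.from_bytes(hashlib.sha256(seed + b"SAE Hunting and Pecking").digest()[:2], "big")


def try_seed_variable(seed):
    """Original shape: the expensive exponentiation only runs when the candidate is in range."""
    v = candidate(seed)
    if v >= P:
        return None
    pwe = pow(v, (P - 1) // Q, P)
    return pwe if pwe > 1 else None


def try_seed_uniform(seed):
    """Mitigated shape: the exponentiation runs every round, on a dummy base if needed."""
    v = candidate(seed)
    in_range = v < P
    base = v if in_range else 2
    pwe = pow(base, (P - 1) // Q, P)
    return pwe if (in_range and pwe > 1) else None


def derive_pwe_variable(password, mac_a, mac_b):
    """Stops at the first usable candidate, so the round count depends on the password."""
    counter = 1
    while True:
        pwe = try_seed_variable(pwd_seed(password, mac_a, mac_b, counter))
        if pwe is not None:
            return pwe, counter
        counter += 1


def derive_pwe_fixed(password, mac_a, mac_b):
    """Always runs ITERATIONS rounds and keeps the first usable candidate, so the
    round count (and the coarse timing it produces) is the same for every password."""
    found = None
    for counter in range(1, ITERATIONS + 1):
        pwe = try_seed_uniform(pwd_seed(password, mac_a, mac_b, counter))
        if found is None and pwe is not None:
            found = pwe
    return found, ITERATIONS


def round_counts(passwords, mac_a="00:11:22:33:44:55", mac_b="66:77:88:99:aa:bb"):
    """Round counts each loop shape produces for a list of candidate passwords."""
    variable = [derive_pwe_variable(pw, mac_a, mac_b)[1] for pw in passwords]
    fixed = [derive_pwe_fixed(pw, mac_a, mac_b)[1] for pw in passwords]
    return variable, fixed


if __name__ == "__main__":
    pws = [b"password", b"letmein", b"correct horse", b"hunter2"]  # constructed inputs
    var, fix = round_counts(pws)
    print("variable loop rounds per password:", var)   # differs from password to password
    print("fixed loop rounds per password:   ", fix)   # ITERATIONS for every password
```

The fixed loop removes the round-count signal the post describes for the AP side, and the dummy exponentiation keeps the per-round work uniform; the remaining data-dependent branch (`if found is None`) is cheap compared with the group arithmetic. The later IEEE 802.11 revision also added a hash-to-element (H2E) derivation of the password element that avoids the loop entirely. This example does not address the client-side variant, where the attacker runs code on the station itself.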
Cisco access points and their SAE implementation are not vulnerable to these attacks, and Cisco will continue to stay abreast of developments in security vulnerabilities. Cisco recommends verifying susceptibility to these issues with vendors. In addition, Cisco best practices include using WPA3-Enterprise, using WPA3-PSK only if necessary, and avoiding WPA3+WPA2-PSK hybrid WLANs.