Dragonblood: Attacking the Dragonfly Handshake of WPA3

Conference: BlackHat USA 2019



WPA3, the current Wi-Fi security protocol, is vulnerable to side-channel attacks but remains an improvement over WPA2. The standard is being updated with countermeasures against these attacks.
  • WPA3's Dragonfly (SAE) handshake leaks information through side channels, making it susceptible to password recovery attacks
  • Countermeasures are being implemented to close these gaps, including a defense against downgrade attacks and modifications to the algorithm that converts the password into a group element
  • Other defenses under discussion include implementing the password conversion algorithm in a constant-time fashion and updating the standard to prevent side-channel leaks
  • WPA3 is still better than WPA2, which is vulnerable to offline dictionary attacks
  • The updates to WPA3 are not backwards compatible, which may lead to a new revision of the protocol
  • Where possible, devices should use WPA3 despite its flaws
The speaker demonstrated how timing measurements can be used to attack WPA3's handshake, highlighting the weaknesses of the protocol.


One of the main advantages of WPA3 is that it provides forward secrecy and prevents offline dictionary attacks. However, the WPA3 certification program was created behind closed doors, meaning researchers could not critique it. This is problematic because, even though WPA3 relies on the existing Dragonfly handshake, this handshake received significant criticism during its standardization. This raises the question of how secure WPA3 actually is.

In this talk, we will show that WPA3 is affected by several design and implementation flaws. Most prominently, we show that WPA3's Dragonfly handshake, in Wi-Fi also known as SAE, is vulnerable to side-channel attacks. We demonstrate that the leaked information can be abused to carry out password partitioning attacks. These attacks resemble a dictionary attack and allow an adversary to recover the password by abusing timing- or cache-based side-channel leaks. Our side-channel attacks target the protocol's password encoding method; for example, our cache-based attack exploits Dragonfly's so-called hash-to-curve algorithm. Additionally, we present invalid curve attacks against EAP-pwd, which internally uses a close variant of the Dragonfly handshake. This enables an adversary to bypass authentication. We will also discuss downgrade attacks to WPA2, which in turn enable dictionary attacks, and discuss denial-of-service attacks. Finally, we explain how we confirmed all vulnerabilities in practice, and discuss to what extent the attacks can be mitigated in a backwards-compatible manner.

Our conclusion is that WPA3 does not meet the standards of a modern security protocol. Either all countermeasures are implemented, in which case it might be affected by DoS attacks, or the defenses are not implemented, in which case it is vulnerable to our attacks. Nevertheless, WPA3 does remain an improvement over WPA2.
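The timing leak in the password encoding method and the password partitioning attack built on it, as an added example that is not code from the talk or its authors. It models Dragonfly's hunting-and-pecking password-to-curve conversion on a constructed toy curve (not the P-256 group SAE actually uses) with SHA-256 standing in for the protocol's KDF, shows why the naive loop's iteration count depends on the password and the MAC pair, contrasts it with the fixed-iteration countermeasure mentioned in the summary above, and then uses counters leaked for several spoofed client MACs to prune a constructed dictionary. The curve parameters, MAC addresses, dictionary and secret password are all constructed for the demonstration, and the assumption that the attacker learns the exact counter from timing is a simplification of what a real measurement yields.

```python
import hashlib

# Constructed toy curve y^2 = x^3 + A*x + B (mod P). NOT a real SAE group: the
# protocol uses NIST P-256 and an HMAC-based KDF, but the loop structure is the same.
P = 10007
A, B = 3, 7
K_MAX = 40  # the countermeasure loops a fixed number of times (k = 40 in the standard)


def is_quadratic_residue(v: int) -> bool:
    """Euler's criterion: v is a square mod P iff v^((P-1)/2) == 1 (or v == 0)."""
    v %= P
    return v == 0 or pow(v, (P - 1) // 2, P) == 1


def candidate_x(password: bytes, mac_a: bytes, mac_b: bytes, counter: int) -> int:
    """Password seed -> candidate x coordinate, mirroring SAE's
    H(max(MAC)||min(MAC), password||counter) followed by reduction mod P."""
    data = max(mac_a, mac_b) + min(mac_a, mac_b) + password + bytes([counter])
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def pwe_variable_time(password: bytes, mac_a: bytes, mac_b: bytes):
    """Naive hunting-and-pecking: stop at the first x that lies on the curve.
    Returns (x, counter, iterations). iterations == counter, so the running time
    reveals which counter produced the password element for this MAC pair."""
    counter = 0
    while True:
        counter += 1
        x = candidate_x(password, mac_a, mac_b, counter)
        if is_quadratic_residue(x ** 3 + A * x + B):
            return x, counter, counter


def pwe_fixed_iterations(password: bytes, mac_a: bytes, mac_b: bytes):
    """Countermeasure: always run K_MAX iterations and keep the first hit, so the
    loop count is the same for every password. Returns (x, counter, iterations).
    A fully constant-time implementation would also replace the data-dependent
    branch below with branch-free selection; that is omitted for readability."""
    found = None
    for counter in range(1, K_MAX + 1):
        x = candidate_x(password, mac_a, mac_b, counter)
        if is_quadratic_residue(x ** 3 + A * x + B) and found is None:
            found = (x, counter)
    if found is None:  # probability about 2^-40 with a ~1/2 hit rate per iteration
        raise ValueError("no curve point within K_MAX iterations")
    return found[0], found[1], K_MAX


def partition_dictionary(dictionary, ap_mac: bytes, observations):
    """Password partitioning: keep only candidates whose simulated counter agrees
    with every leaked (client_mac, counter) pair. The counter depends on the MAC
    pair, so each additional spoofed client MAC prunes the candidates further."""
    survivors = list(dictionary)
    for client_mac, leaked_counter in observations:
        survivors = [pw for pw in survivors
                     if pwe_variable_time(pw, ap_mac, client_mac)[1] == leaked_counter]
    return survivors


# Constructed sample data: a small dictionary, the AP's MAC and the true password.
DICTIONARY = [b"password", b"letmein", b"qwerty123", b"sunshine", b"dragon",
              b"welcome1", b"iloveyou", b"correct-horse", b"trustno1", b"monkey",
              b"football", b"baseball"]
AP_MAC = bytes.fromhex("020000000001")
SECRET = b"correct-horse"


def attacker_observations(n: int):
    """Simulate timing n handshakes, each from a different spoofed client MAC,
    against an AP that runs the variable-time loop: each yields the counter."""
    obs = []
    for i in range(1, n + 1):
        client_mac = bytes([0x02, 0x00, 0x00, 0x00, 0x10, i])
        obs.append((client_mac, pwe_variable_time(SECRET, AP_MAC, client_mac)[1]))
    return obs


def run_attack(n_observations: int = 8):
    """Return the dictionary entries consistent with all leaked counters."""
    return partition_dictionary(DICTIONARY, AP_MAC, attacker_observations(n_observations))


if __name__ == "__main__":
    print("survivors after 8 timed handshakes:", run_attack(8))
```

Two independent passwords produce matching counters for a given MAC pair with probability about 1/3 in this model (the counter is geometrically distributed with success rate 1/2), so every extra spoofed client MAC roughly triples the pruning; with the real P-256 group the success rate per iteration is also about 1/2, which is why the talk can treat the leak as a dictionary attack in disguise. Note that the fixed-iteration variant returns the same password element as the naive loop, so the countermeasure changes only the timing, not the protocol's result.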