National Cyber Warfare Foundation (NCWF)

Welcome back, aspiring cyberwarriors! On June 25, 2018, the Wi-Fi Alliance officially introduced WPA3, a new era for wireless security. While WPA2 has dominated the landscape for over a decade, the world has changed, threats have evolved, and so has the need for more robust authentication. At the core of WPA3’s improvements is the Dragonfly […]

The post Wi-Fi Hacking: Inside DragonFly, the WPA3’s Next-Gen Wireless Authentication Protocol first appeared on Hackers Arise.

Welcome back, aspiring cyberwarriors!

On June 25, 2018, the Wi-Fi Alliance officially introduced WPA3, a new era for wireless security. While WPA2 has dominated the landscape for over a decade, the world has changed, threats have evolved, and so has the need for more robust authentication. At the core of WPA3’s improvements is the Dragonfly protocol – also known as Simultaneous Authentication of Equals (SAE).

Let’s pull back the curtain and see what Dragonfly is all about.

The Problem with WPA2 and PSK

If you’ve spent any time in the field, you know that WPA2 relies on the Pre-Shared Key (PSK) method for authentication. It’s simple: everyone on the network uses the same password. But simplicity comes at a cost. Attackers can capture the handshake between a client and an access point and launch an offline brute-force attack. With modern GPUs or even cloud resources, this process is faster and easier than ever, especially if the password is weak or reused. To learn more about cracking WPA2-PSK check out this article.

This vulnerability has made WPA2-PSK networks a target for attackers, penetration testers, and anyone looking to test their password-cracking skills. The Wi-Fi Alliance knew this was a problem that needed fixing, especially as Wi-Fi becomes the backbone of everything from smart homes to industrial systems.

Enter Dragonfly: The New Defender

WPA3’s answer is the Dragonfly protocol. Unlike WPA2, Dragonfly doesn’t let attackers just grab a handshake and brute-force it at their leisure. Instead, it forces every password guess to be performed live, in real time, with the access point. This means that attackers can’t just passively collect handshakes and crack them later on their own hardware. Every attempt to guess a password requires direct interaction with the target network, making large-scale attacks noisy, slow, and much easier to detect.

Dragonfly is built on the mathematical foundations of elliptic curve cryptography (ECC) or finite field cryptography (FFC). The heart of its security lies in the discrete logarithm problem – a challenge so computationally hard that even the most well-funded adversaries struggle to solve it.

How Dragonfly Works: The Protocol in Action

To understand Dragonfly, you need to look at how it transforms a simple password into a fortress of cryptographic defenses. The process begins with both the client and the access point sharing a password—just like with WPA2. But what happens next is very different.

Instead of hashing the password and sending it over the air, both sides use the password to generate a unique mathematical element, either a point on an elliptic curve or an element in a finite field. This is where the so-called “hunting and pecking” algorithm comes into play. The goal here is to ensure that the same password always results in the same mathematical element, but that it’s computationally infeasible to reverse the process and recover the password from the element alone.

Once this shared element is established, the protocol moves into the commit phase. Both parties generate random private values and compute corresponding public values. These public values are then combined with the password-derived element to create commit messages, which are exchanged.

The commit phase is more than just a handshake. It establishes the cryptographic parameters for the session, ensures that both sides genuinely know the password, and starts the process of deriving the session keys that will protect all subsequent communication.

After the commit exchange, the protocol enters the confirm phase. Here, both sides compute confirmation values based on the exchanged messages and the derived shared secret. These values act as proof that both parties have successfully completed the authentication process and possess the correct password. If everything checks out, the authentication is finalized, and a fresh session key is established.

The Cryptography Behind Dragonfly

Dragonfly’s cryptographic operations are designed to offer strong resistance against a wide range of attacks, while still being efficient enough to run on everything from laptops to IoT sensors. The protocol supports both elliptic curve and finite field groups, giving implementers flexibility to choose what best fits their devices and threat models.

Elliptic curve implementations are typically favored for their combination of security and efficiency. Well-known curves like P-256, P-384, or P-521 are commonly used, offering strong protection without overtaxing device resources. Even resource-constrained devices can handle the necessary operations within acceptable timeframes.

For those who opt for finite field cryptography, Dragonfly uses modular arithmetic over carefully chosen prime fields. The selection of these fields follows established cryptographic standards, ensuring that the discrete logarithm problem remains hard to solve – even for attackers with specialized hardware or distributed computing power.

Security Properties That Matter

One of Dragonfly’s standout features is perfect forward secrecy (PFS). This means that even if someone manages to compromise the shared password at some point in the future, all previous communication sessions remain secure. This is achieved by generating ephemeral keys for each authentication session, derived from random values generated during each protocol run. It’s a critical property, especially in environments where passwords might be shared among many users or left unchanged for long periods.

Another major innovation is Dragonfly’s resistance to offline dictionary attacks. In traditional schemes, an attacker who captures authentication messages can try as many password guesses as they want, offline, without ever alerting the network. Dragonfly changes the rules: verifying a password guess requires active participation from both parties. The captured messages alone don’t provide enough information for an attacker to verify guesses independently. This fundamentally changes the threat landscape for wireless networks.

Mutual authentication is another core benefit. Both the client and the access point must prove knowledge of the shared password. This prevents rogue access points and client impersonation, shutting down a wide range of attacks that have plagued Wi-Fi networks for years.

The protocol also includes robust key derivation mechanisms. Session keys are generated using the shared secret established during authentication, combined with random values and protocol parameters to ensure uniqueness and unpredictability. These keys are suitable for use with a variety of encryption algorithms, providing strong protection for all subsequent communication.

Real-World Implementation: What It Means for Devices

Implementing Dragonfly does require more computational effort than WPA2-PSK, but modern hardware is up to the task. Elliptic curve operations, in particular, are efficient and well-supported by today’s wireless chipsets. Even battery-powered devices can handle Dragonfly’s workload without noticeable impact on performance or user experience.

Memory requirements are modest, too. Devices need to store cryptographic parameters, temporary values for calculations, and buffers for protocol messages. For most modern devices, this is no problem. Even in the world of IoT, where resources are tight, Dragonfly can be implemented with careful optimization.

Interoperability is crucial. Dragonfly is specified in several standards, including IEEE 802.11, RFC 7664, and Wi-Fi Alliance documents. Implementers must follow these standards closely to ensure that devices from different manufacturers can communicate securely. This includes agreeing on cryptographic groups, message formats, error handling, and security parameter selection.

Known Limitations and Ongoing Research

While Dragonfly is a huge step forward, it’s not invincible. Researchers have identified potential side-channel vulnerabilities in some implementations, where timing or cache-based attacks could leak information about the password element. These attacks are complex and require close proximity or advanced capabilities, but they’re a reminder that implementation matters as much as protocol design.

Another concern is the so-called “transition mode” in WPA3, where networks support both WPA2 and WPA3 for compatibility. This can open the door to downgrade attacks, where an attacker forces a client to use the less secure WPA2 handshake, then cracks the password offline as before. The best defense is to use WPA3-only mode whenever possible.

Dictionary attack against WPA3-SAE when it is operating in transition mode, by attempting to downgrade the client into directly using WPA2’s 4-way handshake.

Implementation bugs are another risk. As with any complex protocol, mistakes in coding or configuration can introduce vulnerabilities. Regular updates, thorough testing, and adherence to best practices are essential to maintain security.

Summary

The introduction of Dragonfly marks a major milestone in the evolution of wireless security. By fundamentally changing how passwords are used and protected, it makes life much harder for attackers and raises the bar for everyone. But as always, security is a moving target. New attacks and vulnerabilities will emerge, and defenders must stay vigilant.

To learn more about Wi-Fi hacking attend our online class July 22-24.