New vulnerabilities discovered in the WPA3 and EAP protocols

WPA3

Two researchers (Mathy Vanhoef and Eyal Ronen) have disclosed a new attack method, already catalogued as CVE-2019-13377. The flaw affects wireless networks that use WPA3 security and lets an attacker obtain information about characteristics of the password that can then be used to guess it offline. The problem is present in the current version of Hostapd.

The same researchers identified six vulnerabilities in WPA3 a few months ago, mainly in the SAE authentication method, also known as Dragonfly. Those attacks resemble dictionary attacks and allow an adversary to recover the password by abusing side-channel leaks.

They also carried out a large number of attacks against the various mechanisms that make up the WPA3 protocol, such as a dictionary attack on WPA3 operating in transition mode and a microarchitectural side-channel attack on the SAE handshake, and took the opportunity to show how the recovered timing and cache information can be used to perform offline "password partitioning attacks".

This allows an attacker to recover the password used by the victim.

However, the analysis showed that using Brainpool curves, which had been proposed as a mitigation for the earlier attacks, gives rise to a new class of side-channel leaks in the Dragonfly connection algorithm used by WPA3, the very algorithm that is supposed to protect against offline password guessing.

The identified problem shows that building implementations of Dragonfly and WPA3 that are free of side-channel data leaks is an extremely difficult task. It also shows the inadequacy of developing standards behind closed doors, without public discussion of the proposed methods and auditing by the community.

When ECC Brainpool is used to encode the password, the Dragonfly algorithm performs several preliminary iterations associated with the password, quickly computing a short hash before applying the elliptic curve. Until a suitable short hash is found, the operations performed depend directly on the client's MAC address and password.

About the new vulnerability

The execution time correlates with the number of iterations, and the delays between operations during the preliminary iterations can be measured and used to determine characteristics of the password. These characteristics can then be used offline to narrow down the correct choice of password parts during a dictionary search.
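The "hunting and pecking" structure described in the two paragraphs above, modelled as a small added example (an editor's illustration, not hostapd's or FreeRADIUS's code). A toy curve and 8-bit seeds stand in for the real Brainpool curve and the SHA-256-based KDF, the MAC addresses and passwords are constructed, and the fixed iteration count of 40 is assumed for the hardened loop. The naive loop returns as soon as a valid point is found, so its iteration and curve-check counts depend on the password and the MAC addresses; the hardened loop always does the same amount of work and selects the first valid candidate with arithmetic rather than a branch, which is the fixed-iteration remedy adopted against this timing leak.

```python
"""
Toy model of the Dragonfly "hunting and pecking" password-to-element loop
used by SAE (WPA3) and EAP-pwd, beside a fixed-iteration variant that
removes the timing leak. Added illustration, not hostapd or FreeRADIUS code.
"""
import hashlib
import hmac

# Toy curve y^2 = x^3 + A*x + B over GF(P). P is far below the next power of
# two (as a Brainpool prime is, relative to its bit length), so many derived
# seeds fall outside [0, P) and are rejected before the costly curve check.
P, A, B = 151, 1, 3
SEED_BITS = 8     # candidate x values are drawn as 8-bit integers, 0..255
K = 40            # fixed iteration count assumed for the hardened loop
LABEL = b"SAE Hunting and Pecking"


def _base_hash(mac_a: bytes, mac_b: bytes, password: bytes, counter: int) -> bytes:
    """H(max(MAC)|min(MAC), password|counter): identical on both peers."""
    hi, lo = max(mac_a, mac_b), min(mac_a, mac_b)
    msg = password + counter.to_bytes(2, "big")
    return hmac.new(hi + lo, msg, hashlib.sha256).digest()


def _seed_from(base: bytes) -> int:
    """KDF step: derive a SEED_BITS-wide candidate x coordinate."""
    out = hmac.new(base, LABEL, hashlib.sha256).digest()
    return out[0] % (1 << SEED_BITS)


def _on_curve(x: int) -> bool:
    """Euler's criterion on x^3 + A*x + B: stands in for the costly curve step."""
    rhs = (x * x * x + A * x + B) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def naive_password_to_element(mac_a, mac_b, password):
    """Early-exit loop. Returns (x, iterations, curve_checks); both counters
    depend on the password and the MAC addresses, which is the leak."""
    curve_checks = 0
    for counter in range(1, 1000):
        seed = _seed_from(_base_hash(mac_a, mac_b, password, counter))
        if seed < P:                     # Brainpool-style cheap rejection
            curve_checks += 1
            if _on_curve(seed):
                return seed, counter, curve_checks
    raise ValueError("no point found")


def hardened_password_to_element(mac_a, mac_b, password):
    """Always runs K iterations, always performs the curve check (on a dummy
    value when the seed is out of range) and selects the first valid x with
    arithmetic instead of a branch. Returns (x, K, K)."""
    found, x_found = 0, 0
    for counter in range(1, K + 1):
        seed = _seed_from(_base_hash(mac_a, mac_b, password, counter))
        in_range = int(seed < P)
        candidate = seed % P             # equals seed when in range, dummy otherwise
        valid = in_range & int(_on_curve(candidate))
        take = valid & (1 - found)       # 1 only on the first valid iteration
        x_found = take * candidate + (1 - take) * x_found
        found |= valid
    if not found:                        # astronomically rare for K = 40
        raise ValueError("no point found within K iterations")
    return x_found, K, K


# Constructed, locally administered MAC addresses for the demonstration.
MAC_A = b"\x02\x00\x00\x00\x00\x01"
MAC_B = b"\x02\x00\x00\x00\x00\x02"


def iteration_profile(passwords, mac_a=MAC_A, mac_b=MAC_B):
    """Naive-loop iteration count per password: the secret-dependent value
    that the timing measurements described above recover."""
    return [naive_password_to_element(mac_a, mac_b, pw)[1] for pw in passwords]


if __name__ == "__main__":
    sample = [b"correct horse", b"hunter2", b"wifi-password", b"Tr0ub4dor&3"]
    print("naive iteration counts:", iteration_profile(sample))
    for pw in sample:
        x1, n1, c1 = naive_password_to_element(MAC_A, MAC_B, pw)
        x2, n2, c2 = hardened_password_to_element(MAC_A, MAC_B, pw)
        print(f"{pw!r}: x={x1} naive=({n1} iter, {c1} checks) hardened=({n2} iter, {c2} checks)")
```

Run stand-alone, the script shows that the naive loop's iteration and curve-check counts vary from password to password while the hardened loop reports 40 and 40 for every input, even though both derive the same curve element. Python cannot guarantee constant time, so the block demonstrates the shape of the fix (fixed trip count, unconditional work, branch-free selection), not a measured guarantee.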

To carry out the attack, one needs access to the system of a user connecting to the wireless network.

The researchers also found a second vulnerability (CVE-2019-13456) associated with information leakage in the implementation of the EAP-pwd protocol, which uses the Dragonfly algorithm.

The problem is specific to the FreeRADIUS RADIUS server and, like the first vulnerability, relies on information leaking through side channels, which can greatly simplify guessing the password.

Combined with an improved method for filtering out noise when measuring delays, 75 measurements per MAC address are enough to determine the number of iterations.

The resulting attacks are efficient and inexpensive. For example, the downgrade attacks can be mounted with existing cracking tools and hardware. The side-channel vulnerability, for instance, can be exploited to carry out a brute-force attack using the largest known dictionaries for as little as $2 worth of Amazon EC2 instances.

Methods for improving the security of the protocol and blocking the identified problems have already been included in the preliminary drafts of the future Wi-Fi (WPA 3.1) and EAP-pwd standards.

Fortunately, as a result of the research, both the Wi-Fi standard and EAP-pwd are being updated with a more secure protocol. Although this update is not backwards compatible with current WPA3 deployments, it does prevent most of our attacks.

Source: https://wpa3.mathyvanhoef.com

