WPA3-Personal

Improving the security of password-secured Wi-Fi networks.

Offline dictionary attacks against WPA2-Personal have been widely known for well over two decades. They were discovered shortly after the inception of WPA2-Personal. Certain venues offer free Wi-Fi networks using a shared and public password. Some incorrectly believe Wi-Fi traffic is secure when WPA2-Personal is used. With PSK, the master key is derived directly from the password, so knowledge of the password enables decryption, replay, and forgery of data frames.

sequenceDiagram
    Note over Client,AP: Discovery
    Note over Client,AP: Open System Authentication
    Note over AP,Client: Association
    Note right of Client:PMK generation:<br>PMK=PBKDF2(HMAC-SHA-1,<br>Password,SSID,4096,256)
    Note over AP,Client: 4-way handshake

Protocol

Originally introduced for mesh security in IEEE 802.11-2016, the Simultaneous Authentication of Equals (SAE) protocol replaces the Pre-Shared Key (PSK) implementation found in WPA2-Personal with a password-based authentication method resistant to dictionary attacks.

Users will find a similar experience with SAE and PSK as they are both password provisioned. However, there are major implementation differences in the security protocol.

For venues that intend to offer better data protection for their users, SAE offers a more secure password-based option than a shared and public PSK. This is because the master key (PMK) resulting from SAE is not solely based on the password.

With SAE, the password is used in a zero-knowledge proof cryptographic function to derive a unique pairwise master key (PMK) per client. The password is used to index a secret point on an elliptic curve. The point on the curve becomes the generator for use in a cryptographic exchange.

sequenceDiagram
    Note over Client,AP: Discovery
    Client->>+AP:PWE = f(password)<br>m,n ← random<br>N = -n * PWE<br>SAE Authentication Commit
    AP->>+Client:PWE = f(password)<br>i,j ← random<br>J = -j * PWE<br>SAE Authentication Commit
    Client->>+AP:SAE Authentication Confirm<br>S = m * ((i+j) * PWE + J)<br>PMK = KDF(S, label)
    AP->>+Client:SAE Authentication Confirm<br>S = i * ((m+n) * PWE + N)<br>PMK = KDF(S, label)
    Note over AP,Client: Association
    Note over AP,Client: 4-way handshake

This means the password or password-derived data is never sent over the air. Unlike with WPA2-Personal (PSK), knowledge of the password alone is not enough to decrypt SAE-encrypted data frames. The PMK is needed to decrypt them, and the only parties that know the PMK are the client and the AP that performed SAE. This means the SAE protocol is resistant to active, passive, and dictionary attacks.
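The commit and confirm arithmetic from the diagram above, as an added example (not code from the original page or from any vendor implementation). It assumes a toy 19-point curve, a stand-in `pwe_from_password`, and an HMAC-based KDF with a made-up label; the shared secret is computed as S = rand * (peer_scalar * PWE + peer_element), with (m, n) and (i, j) as the rand/mask pairs of client and AP.

```python
import hashlib, hmac

# Toy curve y^2 = x^3 + 2x + 2 over GF(17), G of prime order 19 (teaching only).
P, A, ORDER, G = 17, 2, 19, (5, 1)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    for bit in bin(k % ORDER)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def pwe_from_password(password: bytes):
    """Toy stand-in for PWE = f(password); real SAE uses H2E here."""
    k = int.from_bytes(hashlib.sha256(password).digest(), "big")
    return mul(k % (ORDER - 1) + 1, G)

def commit(pwe, rand, mask):
    """Commit frame contents: scalar = rand + mask, element = -mask * PWE."""
    return (rand + mask) % ORDER, mul(-mask, pwe)

def derive_pmk(pwe, rand, peer_scalar, peer_element):
    """S = rand * (peer_scalar * PWE + peer_element); PMK = KDF(S, label)."""
    s = mul(rand, add(mul(peer_scalar, pwe), peer_element))
    if s is None:
        raise ValueError("degenerate shared secret, reject the commit")
    return hmac.new(b"toy SAE PMK", bytes([s[0]]), hashlib.sha256).digest()

def handshake(pwe_client, pwe_ap, m, n, i, j):
    """Run both sides with rand/mask pairs (m, n) and (i, j); return both PMKs."""
    c, a = commit(pwe_client, m, n), commit(pwe_ap, i, j)
    return derive_pmk(pwe_client, m, *a), derive_pmk(pwe_ap, i, *c)
```

With the same PWE on both sides the two PMKs match and change with every new rand/mask pair; with different PWEs (different passwords) they do not match, so the confirm step fails.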

WPA3-Personal Only Mode

WPA3-Personal advertises or negotiates the following capabilities in beacon, probe response, or association frames:

  • AKM suite selector as 00-0F-AC:8 (SAE).
  • Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
  • Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
  • Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
  • Protected Management Frames are mandatory (MFPR=1 and MFPC=1).

WPA3-Personal (SAE) illustration of operations

WPA3-Personal Transition Mode

WPA3-Personal may be deployed in a transition mode that allows both SAE clients and PSK clients to connect to the same Basic Service Set (BSS), which is a mixed mode of operation. The beacon or probe response contains an AKM list in the RSNE that includes both PSK (AKM:2) and SAE (AKM:8).

This means the password is shared between WPA2-Personal and WPA3-Personal. The WPA2-Personal network is still vulnerable to all the classic issues. If an attacker gains knowledge of the password by attacking WPA2-Personal, they will get access to the network, but will not be able to decrypt WPA3-Personal sessions. Downgrade attacks from WPA3-Personal to WPA2-Personal are also possible.

Due to the same BSS servicing both WPA2-Personal (PSK) and WPA3-Personal (SAE) clients, Protected Management Frames are optional (MFPR=0 and MFPC=1) for WPA3-Personal Transition networks.

WPA3-Personal in Transition Mode advertises or negotiates the following capabilities in beacon, probe response, or association frames:

  • AKM suite selectors include 00-0F-AC:2 (PSK) and 00-0F-AC:8 (SAE).
  • Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
  • Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
  • Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
  • Protected Management Frames are optional (MFPR=0 and MFPC=1).

WPA3-Personal Transition Mode RSNE example
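An added example, not from the original page, that parses an RSNE and checks it against the capability lists given above for WPA3-Personal only mode and transition mode. The two sample elements are constructed by hand, and the function and field names are this example's own.

```python
import struct

OUI = bytes.fromhex("000fac")        # 00-0F-AC selector prefix
AKM_PSK, AKM_SAE, CCMP_128, BIP_CMAC_128 = 2, 8, 4, 6
MFPR, MFPC = 0x0040, 0x0080          # RSN Capabilities bits 6 and 7

def _suites(body, off):
    """Read a 2-byte count and that many 4-byte selectors; return suite types."""
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    sels = [body[i:i + 4] for i in range(off + 2, end, 4)]
    return [s[3] for s in sels if s[:3] == OUI], end

def parse_rsne(ie):
    if len(ie) < 8 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSNE")
    body = ie[2:]                    # version(2) + group data cipher(4) first
    try:
        pairwise, off = _suites(body, 6)
        akms, off = _suites(body, off)
    except struct.error:
        raise ValueError("truncated RSNE") from None
    tail = body[off:] + bytes(4)     # capabilities and PMKID count are optional
    caps, n_pmkid = struct.unpack_from("<HH", tail)
    mgmt = body[off + 4 + 16 * n_pmkid:][:4]   # absent means BIP-CMAC-128
    return {"group": body[5], "pairwise": pairwise, "akms": akms, "caps": caps,
            "group_mgmt": mgmt[3] if len(mgmt) == 4 else BIP_CMAC_128}

def audit_rsne(ie):
    """Return (mode, issues) judged against the capability lists on this page."""
    r = parse_rsne(ie)
    sae, psk = AKM_SAE in r["akms"], AKM_PSK in r["akms"]
    mfpr, mfpc = bool(r["caps"] & MFPR), bool(r["caps"] & MFPC)
    issues = []
    if sae and (mfpr, mfpc) != ((not psk), True):
        issues.append(f"PMF should be MFPR={int(not psk)}, MFPC=1")
    if sae and (r["group"], r["pairwise"], r["group_mgmt"]) != (
            CCMP_128, [CCMP_128], BIP_CMAC_128):
        issues.append("cipher suites differ from CCMP-128 / BIP-CMAC-128")
    mode = ("WPA3-Personal only" if sae and not psk else
            "WPA3-Personal transition" if sae else
            "WPA2-Personal" if psk else "other")
    return mode, issues

# Constructed sample elements, not captured from a real network.
WPA3_ONLY = bytes.fromhex("301a 0100 000fac04 0100 000fac04 0100 000fac08 c000 0000 000fac06")
TRANSITION = bytes.fromhex("301e 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000 0000 000fac06")
```

`audit_rsne` takes the raw element bytes (ID 48 and length included) as they appear in a beacon or probe response and returns the mode plus any deviations from the lists above.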

Hash-to-Element (H2E)

Hash-to-element (also referred to as hash-to-curve or direct hashing) is a cryptographic method for generating the password element (PWE). It replaces the original, weaker hunting-and-pecking (also referred to as looping) method for SAE. With hash-to-element, WPA3-Personal is further resistant to side-channel attacks and timing attacks.

SAE H2E capability can be found in beacon and probe response frames in the extended RSN capabilities field of the RSN eXtension element (RSNXE).

RSNXE example

Status code 126 found in the authentication frame from the client indicates which method is used.

SAE authentication frame example

PWE derivation behavior starting in AOS 8.10 and 10.4:

  • Operation in the 2.4 GHz and 5 GHz bands:
    • Hash-to-element (H2E) is preferred but allows hunting-and-pecking if the client does not support H2E.
  • Operation in the 6 GHz band:
    • Enforces use of H2E and does not allow hunting-and-pecking.

Support for hash-to-element (H2E) is mandatory for WPA3 certified devices.

Clients have been supporting H2E since 2021:

Best Practices

For use-cases where WPA2-Personal was used before, WPA3-Personal is a suitable replacement to provide better security, even when a non-complex password is used. WPA3-Personal provides stronger data encryption and protection than WPA2-Personal.

WPA3-Personal is also suitable for use-cases where WPA2-Personal is no longer allowed such as with 6 GHz operation and Wi-Fi 7 connectivity.


Last modified: April 2, 2024 (68436ce)