WPA3-Personal
Offline dictionary attacks against WPA2-Personal have been widely known for well over two decades. They were discovered shortly after the inception of WPA2-Personal. Certain venues offer free Wi-Fi networks using a shared and public password. Some incorrectly believe Wi-Fi traffic is secure when WPA2-Personal is used. With PSK, the password directly derives a master key and knowledge of the password enables decryption, replay, and forgery of data frames.
```mermaid
sequenceDiagram
    Note over Client,AP: Discovery
    Note over Client,AP: Open System Authentication
    Note over AP,Client: Association
    Note right of Client: PMK generation:<br>PMK=PBKDF2(HMAC-SHA-1,<br>Password,SSID,4096,256)
    Note over AP,Client: 4-way handshake
```
Protocol
Originally introduced for mesh security in IEEE 802.11-2016, the Simultaneous Authentication of Equals (SAE) protocol replaces the Pre-Shared Key (PSK) implementation found in WPA2-Personal with a password-based authentication method resistant to dictionary attacks.
Users will find a similar experience with SAE and PSK as they are both password provisioned. However, there are major implementation differences in the security protocol.
For those venues who intend to offer better data protection for their users, SAE offers a more secure password-based option than a shared and public PSK. This is because the master key (PMK) resulting from SAE is not solely based on the password.
With SAE, the password is used in a zero-knowledge proof cryptographic function to derive a unique pairwise master key (PMK) per client. The password is used to index a secret point on an elliptic curve. The point on the curve becomes the generator for use in a cryptographic exchange.
```mermaid
sequenceDiagram
    Note over Client,AP: Discovery
    Client->>+AP: PWE = f(password)<br>m,n ← random<br>N = -n * PWE<br>SAE Authentication Commit
    AP->>+Client: PWE = f(password)<br>i,j ← random<br>J = -j * PWE<br>SAE Authentication Commit
    Client->>+AP: SAE Authentication Confirm<br>S = m * ((i+j) * J)<br>PMK = KDF(S, label)
    AP->>+Client: SAE Authentication Confirm<br>S = i * ((m+n) * N)<br>PMK = KDF(S, label)
    Note over AP,Client: Association
    Note over AP,Client: 4-way handshake
```
This means that neither the password nor any password-derived data is ever sent over the air. Unlike with WPA2-Personal (PSK), knowledge of the password alone is not enough to decrypt SAE-protected data frames: the PMK is required, and the only parties that know the PMK are the client and the AP that performed the SAE exchange. This is why the SAE protocol is resistant to active, passive, and dictionary attacks.
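The contrast drawn above between a PSK-derived PMK and an SAE-negotiated PMK, as an added Python example (not code from this page or from any vendor implementation): `psk_pmk` is the PBKDF2 derivation shown in the first diagram, so anyone holding the password and SSID computes the same PMK; `sae_session` is a simplified Dragonfly-style commit exchange over a constructed toy finite-field group (`P`, `Q` are far too small for real use), with a looping PWE derivation rather than H2E and with the confirm step omitted, so the same password yields a different PMK on every run and only the two parties that chose the random values can compute it.

```python
import hashlib
import hmac
import secrets

# CONSTRUCTED toy group: p = 2q + 1 is a safe prime, q is the order of the
# subgroup holding the password element.  Real SAE uses a standardized
# finite-field or elliptic-curve group; these values only illustrate the math.
P = 2039
Q = 1019


def psk_pmk(password: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2(HMAC-SHA-1, password, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), ssid.encode(), 4096, 32)


def password_element(password: str, ssid: str) -> int:
    """Derive the password element (PWE) in the order-q subgroup.

    Simplified looping derivation (not the H2E method): hash password and counter
    until the hash raised to (p-1)/q gives a group element other than 1.
    """
    for counter in range(1, 256):
        seed = hashlib.sha256(f"{ssid}|{password}|{counter}".encode()).digest()
        candidate = pow(int.from_bytes(seed, "big") % P, (P - 1) // Q, P)
        if candidate > 1:
            return candidate
    raise ValueError("no password element found")


def fresh_secrets() -> tuple:
    """rand and mask drawn from [2, q-1]; retry if the scalar would be 0 or 1."""
    while True:
        rand, mask = secrets.randbelow(Q - 2) + 2, secrets.randbelow(Q - 2) + 2
        if (rand + mask) % Q > 1:
            return rand, mask


def sae_commit(pwe: int, rand: int, mask: int) -> tuple:
    """Commit message: scalar = (rand + mask) mod q, element = PWE^(-mask) mod p."""
    scalar = (rand + mask) % Q
    element = pow(pwe, Q - mask, P)  # PWE has order q, so PWE^(q-mask) == PWE^(-mask)
    return scalar, element


def sae_shared_secret(pwe: int, rand: int, peer_scalar: int, peer_element: int) -> int:
    """K = (PWE^peer_scalar * peer_element)^rand = PWE^(rand * peer_rand) mod p."""
    return pow(pow(pwe, peer_scalar, P) * peer_element % P, rand, P)


def sae_pmk(k: int) -> bytes:
    """Simplified key derivation from the shared secret (real SAE also derives a KCK)."""
    k_bytes = k.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(k_bytes, b"SAE KCK and PMK", hashlib.sha256).digest()


def sae_session(password: str, ssid: str, client_secrets=None, ap_secrets=None) -> tuple:
    """Run one commit exchange; returns (client PMK, AP PMK), which must be equal."""
    pwe = password_element(password, ssid)
    c_rand, c_mask = client_secrets or fresh_secrets()
    a_rand, a_mask = ap_secrets or fresh_secrets()
    c_scalar, c_elem = sae_commit(pwe, c_rand, c_mask)  # client -> AP (over the air)
    a_scalar, a_elem = sae_commit(pwe, a_rand, a_mask)  # AP -> client (over the air)
    k_client = sae_shared_secret(pwe, c_rand, a_scalar, a_elem)
    k_ap = sae_shared_secret(pwe, a_rand, c_scalar, c_elem)
    return sae_pmk(k_client), sae_pmk(k_ap)


if __name__ == "__main__":
    print("PSK PMK (same for everyone):", psk_pmk("password", "IEEE").hex())
    for _ in range(2):
        client, ap = sae_session("password", "IEEE")
        print("SAE PMK client:", client.hex()[:16], "AP:", ap.hex()[:16], "match:", client == ap)
```

Two runs of `sae_session` with the same password print different PMKs; the transcript (scalars and elements) does not reveal `rand`, which is what an observer who knows the password would need to reach `K`.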
WPA3-Personal Only Mode
WPA3-Personal advertises or negotiates the following capabilities in beacons, probe responses, or association:
- AKM suite selector as `00-0F-AC:8` (SAE).
- Pairwise cipher suite selector as `00-0F-AC:4` (CCMP-128).
- Group data cipher suite selector as `00-0F-AC:4` (CCMP-128).
- Group management cipher suite selector as `00-0F-AC:6` (BIP-CMAC-128).
- Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
When SAE with AKM:24 is negotiated, Hash-to-Element (H2E) is enforced. With AKM:24, the hash algorithm depends on the Diffie-Hellman (DH) group used with SAE. For example, a group with a 384-bit prime (p384) uses SHA-384 instead of SHA-256.
GCMP-256 for cipher suites and BIP-GMAC-256 for group management may be advertised along with AKM:24.
Wi-Fi 7 connections must use AKM:24 for WPA3-Personal.
WPA3-Personal Transition Mode
WPA3-Personal may be deployed in transition mode that allows both SAE clients and PSK clients to connect to the same Basic Service Set (BSS), which is a mixed mode of operation. The beacon or probe response contains an AKM list in the RSNE which will contain both PSK (AKM:2) and SAE (AKM:8).
This means the password is shared between WPA2-Personal and WPA3-Personal. The WPA2-Personal network is still vulnerable to all the classic issues. If an attacker gains knowledge of the password by attacking WPA2-Personal, they will get access to the network, but will not be able to decrypt WPA3-Personal sessions. Downgrade attacks from WPA3-Personal to WPA2-Personal are also possible.
Due to the same BSS servicing both WPA2-Personal (PSK) and WPA3-Personal (SAE) clients, Protected Management Frames are optional (MFPR=0 and MFPC=1) for WPA3-Personal Transition networks.
WPA3-Personal in Transition Mode advertises or negotiates the following capabilities in beacons, probe responses, or association:
- AKM suite selectors include `00-0F-AC:2` (PSK) and `00-0F-AC:8` (SAE).
- Pairwise cipher suite selector as `00-0F-AC:4` (CCMP-128).
- Group data cipher suite selector as `00-0F-AC:4` (CCMP-128).
- Group management cipher suite selector as `00-0F-AC:6` (BIP-CMAC-128).
- Protected Management Frames are optional (MFPR=0 and MFPC=1).
A drawback of WPA3-Personal in transition mode includes downgrade attacks where attackers target PSK rather than SAE to gain network access or force clients that support SAE into connecting to a rogue PSK network.
Consider disabling transition mode to limit attack vectors. Consider deploying WPA3-Personal and WPA2-Personal on separate VAPs in logically separated and isolated network segments; if you do so, use different credentials for the WPA3-Personal and WPA2-Personal networks.
For more details on these vulnerabilities, which were published under the name Dragonblood, see https://blogs.arubanetworks.com/solutions/dragonblood-an-analysis-of-the-wpa3-sae-handshake.
Hash-to-Element (H2E)
Hash-to-element (also referred to as hash-to-curve or direct hashing) is a cryptographic method for generation of the password element (PWE) which replaces the weaker and original hunting-and-pecking (also referred to as looping) method for SAE. With hash-to-element, WPA3-Personal is further resistant to side-channel attacks and timing attacks.
SAE H2E capability can be found in beacon and probe response frames in the extended RSN capabilities field of the RSN eXtension element (RSNXE).
Status code 126 in the SAE Commit authentication frame sent by the client indicates that H2E is being used.
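The capability lists given above for WPA3-Personal Only and Transition Mode, together with the RSNXE H2E capability bit, as an added Python example (not code from this page or any vendor product): `parse_rsne` decodes an RSNE (element ID 48) into its AKM list, cipher suites and MFPC/MFPR bits, `classify` names the mode, and `audit` returns the findings a defender would want from a captured beacon, including transition mode (downgrade exposure), a PMF setting weaker than the mode requires, and SAE offered without H2E. The `build_rsne`/`build_rsnxe` helpers produce constructed test input; the suite selector numbers are the ones listed on this page, and the RSNXE H2E bit position (bit 5) is taken from IEEE 802.11.

```python
import struct

OUI = bytes.fromhex("000fac")                    # IEEE 802.11 suite selector OUI 00-0F-AC
AKM_NAMES = {2: "PSK", 8: "SAE", 24: "SAE (H2E enforced)"}
CIPHER_NAMES = {4: "CCMP-128", 6: "BIP-CMAC-128", 9: "GCMP-256", 12: "BIP-GMAC-256"}
MFPR, MFPC = 0x0040, 0x0080                      # RSN Capabilities bits 6 and 7
RSNE_ID, RSNXE_ID = 48, 244
RSNXE_SAE_H2E = 0x20                             # bit 5 of the extended RSN capabilities


def suite(selector_type: int) -> bytes:
    return OUI + bytes([selector_type])


def build_rsne(akms, pairwise=(4,), group=4, mfpc=True, mfpr=False, group_mgmt=6) -> bytes:
    """Encode an RSNE as a beacon would carry it (constructed test input)."""
    body = struct.pack("<H", 1) + suite(group)                       # version, group data cipher
    body += struct.pack("<H", len(pairwise)) + b"".join(map(suite, pairwise))
    body += struct.pack("<H", len(akms)) + b"".join(map(suite, akms))
    body += struct.pack("<H", (MFPC if mfpc else 0) | (MFPR if mfpr else 0))
    body += struct.pack("<H", 0)                                     # PMKID count
    body += suite(group_mgmt)
    return bytes([RSNE_ID, len(body)]) + body


def build_rsnxe(h2e: bool) -> bytes:
    """RSNXE with a one-octet capabilities field (field length - 1 = 0 in the low nibble)."""
    return bytes([RSNXE_ID, 1, RSNXE_SAE_H2E if h2e else 0])


def parse_rsne(elem: bytes) -> dict:
    if len(elem) < 2 or elem[0] != RSNE_ID or len(elem) != elem[1] + 2:
        raise ValueError("malformed RSNE")
    body, pos = elem[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSNE")
        chunk, pos = body[pos:pos + n], pos + n
        return chunk

    def selector():
        s = take(4)
        if s[:3] != OUI:
            raise ValueError("vendor-specific suite selector")
        return s[3]

    def selector_list():
        return [selector() for _ in range(struct.unpack("<H", take(2))[0])]

    info = {"version": struct.unpack("<H", take(2))[0], "group": selector(),
            "pairwise": selector_list(), "akms": selector_list(),
            "mfpc": False, "mfpr": False, "group_mgmt": None}
    if len(body) - pos >= 2:                                         # RSN Capabilities (optional)
        caps = struct.unpack("<H", take(2))[0]
        info["mfpc"], info["mfpr"] = bool(caps & MFPC), bool(caps & MFPR)
    if len(body) - pos >= 2:                                         # PMKID list (optional)
        take(16 * struct.unpack("<H", take(2))[0])
    if len(body) - pos >= 4:                                         # group management cipher
        info["group_mgmt"] = selector()
    return info


def classify(info: dict) -> str:
    akms = set(info["akms"])
    if akms & {8, 24}:
        return "WPA3-Personal transition" if 2 in akms else "WPA3-Personal only"
    return "WPA2-Personal" if akms == {2} else "other"


def audit(rsne: bytes, rsnxe=None) -> list:
    """Findings from one beacon's RSNE and (if present) RSNXE."""
    info = parse_rsne(rsne)
    mode, findings = classify(info), []
    if mode == "WPA3-Personal transition":
        findings.append("transition mode: PSK (AKM:2) offered alongside SAE, "
                        "downgrade to WPA2-Personal possible")
        if not info["mfpc"]:
            findings.append("transition mode requires MFPC=1")
    if mode == "WPA3-Personal only" and not (info["mfpc"] and info["mfpr"]):
        findings.append("WPA3-Personal only requires MFPR=1 and MFPC=1")
    if mode.startswith("WPA3") and 24 not in info["akms"]:
        h2e = rsnxe is not None and len(rsnxe) >= 3 and bool(rsnxe[2] & RSNXE_SAE_H2E)
        if not h2e:
            findings.append("SAE without H2E advertised: hunting-and-pecking PWE derivation in use")
    return findings


if __name__ == "__main__":
    for label, rsne, rsnxe in [("only", build_rsne([8], mfpr=True), build_rsnxe(True)),
                               ("transition", build_rsne([2, 8]), build_rsnxe(False))]:
        info = parse_rsne(rsne)
        print(label, classify(info), [AKM_NAMES.get(a, a) for a in info["akms"]], audit(rsne, rsnxe))
```

Feeding real RSNE/RSNXE bytes from a capture into `audit` gives the same checks on live beacons; a BSS that should be WPA3-Personal Only but reports a transition or PMF finding is misconfigured against the lists above.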
PWE derivation behavior starting in AOS 8.10 and 10.4:
- Operation in the 2.4 GHz and 5 GHz bands:
- Hash-to-element (H2E) is preferred but allows hunting-and-pecking if the client does not support H2E.
- Operation in the 6 GHz band:
- Enforces use of H2E and does not allow hunting-and-pecking.
Support for hash-to-element (H2E) is mandatory for WPA3 certified devices.
Clients have been supporting H2E since 2021:
- Android 12+
- Linux wpa_supplicant v2.10+ (see the `sae_pwe` parameter for configuration)
- macOS Catalina+
- Windows 10 21H2+
Best Practices
For use-cases where WPA2-Personal was used before, WPA3-Personal is a suitable replacement to provide better security, even when a non-complex password is used. WPA3-Personal provides stronger data encryption and protection than WPA2-Personal.
WPA3-Personal is also suitable for use-cases where WPA2-Personal is no longer allowed such as with 6 GHz operation and Wi-Fi 7 connectivity.