First Wifi products are now coming to the market that support WPA-3 personal mode authentication and ciphering key exchange so I thought it would be a good idea to have a closer look at how it works and why an update was necessary.
To answer the last question first: WPA-2 PSK (Pre-Shared Key) uses the Wifi password as basis for all authentication and encryption exchanges between Wifi access point and clients. Many networks only use short and thus very weak passwords, and brute forcing them offline without interaction with the network has become quite feasible with current generation computing hardware. WPA-3 tries to address this issue with a new authentication scheme referred to as ‘Simultaneous Authentication of Equals’ (SAE). It is based on Diffie Hellman Elliptic Curve Public/Private keypair generation algorithms that are also used for generating ciphering keys for secure HTTPS connections today.
The mathematical details of the process can be found in RFC 7664 and a good higher level description can be found here. Still, it took me quite a few hours to understand the principles, so I though I’d assemble a less mathematically focused description on the basics of WPA-3 SAE and how it is used in practice:
The authentication and ciphering key generation process starts by the access point and client generating their own random numbers, let’s call then X and Y. X and Y are different and secret and never exchanged over the air! Together with the Wifi password that is the same on both sides, X and Y go trough a mathematical function on each device to generate two public values. Let’s call them A and B. These are then exchanged over the air. An attacker can intercept A and B but due to the properties of the function with which they were generated, it is not possible to brute force X, Y or the Wifi password. On one device X and B is then used to generate the common secret S. On the other device, Y and A is used to generate the common secret S as well. If the password was the same on both sides, S will also be the same on both sides. The point is that without knowledge of one of the random numbers, an attacker intercepting A and B can’t calculate S.
Both sides then use S as the basis for generating the symmetric session keys and other cryptographic parameters which are exchanged with the EAPOL message exchange mechanism already used in WPA-2. The difference to WPA2 is, however, that instead of the Wifi password, the common secret S is used as the basis for the parameter generation. The key is ‘symmetric’ because it is the same on both sides, i.e. encryption and decryption is done with the same key.
Usage in Practice
The exchange of A and B is referred to as the SAE ‘Commit’ phase and requires one message from each side. In a second step, each side sends a hash value based on S to the other side to confirm that each side has used the same password. This step is referred to as the SAE ‘Confirm’ phase. In total, four messages are exchanged. This four message exchange replaces the two message ‘open system authentication’ exchange that was used so far. Once done, the procedure continues as in WPA-2 with an association request and response message to connect to the AP after which the EAP-PSK (Encapsulated Authentication Protocol – Pre-Shared Key) exchange takes place. Instead of the password, however, a value derived from the common secret S is used in the exchange.
- It is not possible to brute force the password offline. As the random numbers are not known by the attacker, he is not able to produce A or B even if he knows the correct password.
- As an attacker can’t calculate the random numbers X and Y from A, B and the password, he also can’t calculate the session key even if he knew the password. Hence, an attacker is unable to decode a user’s traffic even if the password is known. This is referred to as Perfect Forward Secrecy.
Why a Strong Password Is Still A Good Idea
And finally, it is worth mentioning that online brute forcing the password is still possible to some degree. If it is too simple, only few tries might be required and hence additional security measures like slowing down authentication attempts to prevent quick brute force repetitions will not be effective. Therefore, it is still a good idea to select a strong password to deny an attacker access to the network.