WPA3

WPA3 is a Wi-Fi scheme introduced in 2018 and is an improvement to WPA2. Among others features, WPA3 offers a better encryption solution and requires the use of Protection Management Frame (PMF).

Protection Management Frame (PMF) feature which prevent Deauthentication Attacks

In WPA2, management frame are not signed for the most part. This means that is not protected against spoofing. For example, an attacker can send de-authentication packets to an AP for a specific device connected, and the AP will have no way to verify if these packets come from the legitimate connected source. In the same manner an attacker could send de-authentication packet to a specific device and the client's device will have no way to verify that these packets come from the legitimate AP. Attackers leverage this lack of authentication on management frames to conduct de-authentication or denial of services attacks and force clients to disconnect from the AP they are connected to.

Protection Management Frame (PMF) exists since 2009. In WPA2, Management Frame Protection (MFP) is left optional, but in WPA3, the Management Frame Protection are mandatory. The management frames are signed by a key to ensure that the packets come from a legitimate source.

Differences between WPA2 and WPA3

Open network is replaced by OWE.

WPA2 Personal is replaced by WPA3-SAE (Simultaneous Authentication of Equal).

WPA2-Enterprise is replaced by WPA3-Enterprise (pretty much similar).

Wi-Fi Protected Set up (WPS) is replaced by DPP.

WPA3 uses DHE and ECDHE to secure communication.

WPA3 offers forward secrecy.

Forward Secrecy

Forward secrecy is the principle that implying that if a key is cracked from an exchange. This key can not be used to decrypt previous communication. Unlike WPA2, WPA3, the Common Secret is different for each connection between the AP and the supplicant.

Diffie Hellman Exchange

WPA3 relies on the Diffie Hellman Exchange to generate a session key.

Diffie Hellman Exchange is used between two parties to exchange a secret key over a public channel that can be monitored by an attacker. The mathematical concepts behind the Diffie Hellman Exchange is a bit complicated. However, the algorithm can be simplified using colors analogy.

An attacker knows the Common paint, as well as the Public Transports Colors. However, the attacker does not know about the Bob and Alice Secret colors. In the image below, we can see that Alice and Bob are mixing the same colors, which results in the same Common secret. This Common secret (Yellow) will be used to encrypt the data between Alice and Bob. Although an attacker knows the Common Paint and Public transport colors, he does not know the Secret's color of the two parties, which is needed to retrieve the Common Secret.

The image below shows the mathematical operations behinds the Diffie Hellman Exchange process where private and public keys are involved. In practices, the colors are replaced by very large numbers in such that it is not possible to retrieve the value of x and y by having only the results of g^yx and the base g. The generator (g) and the modulus (p) is predetermined and depends on the MODP groups. MODPs groups define the g, p (modulus) and q values.

Also, in practice, the Common Secret is not directly used to encrypt the communication. A symmetric key is calculated based on information like the device's MAC address and the Common Secret.

One problem with the Diffie Hellman Exchange is that there is no way to verify that we communicate with the legitimate parties. An attacker could impersonate Party I or Party II without the others party to know. Therefore, DH is eavesdropper proof but is still vulnerable to MITM attack.

Elliptic Curve Diffie Hellman

The DHE (Diffie Hellman Exchange) has a modern variation which is the ECDH (Elliptic Curve Crypto Diffie Hellman). ECDH provides more security than its predecessor the DHE and the symmetric key is very reduced in bytes size.

OWE - Opportunistic Wireless Encryption

The Opportunistic Wireless Encryption provides privacy to an Open network by applying the ECDH to the process to ensure a secure communication between the AP and the client.

1. The Association Request and Response from both parties contains RSNIE and OWE-DHIE. The RSNIE stands for Robust Security Network Information Element which provides information about encryption and authentication types. After both parties exchanged the information, they can both derive the PMK. The PMK can be used to calculated the PTK by performing a 4-way handshake.

The image below shows how ECDH is applied in OWE in more details.

On both side, it can be observed that both Supplicant and Authenticator are calculating their own ECDH privK/pubK. Following the exchange of the Authentication Request and Response between the two parties, the supplicant will send an Association Request to the AP containing the Group ID and its pubK (public key). The Group ID corresponds to the Elliptic curve standardized group to use. The group chosen determine the strength of the key used during the exchanges. Then, the AP will respond with its own pubK' and the Group ID.

Once each party has the pubK of the other party, the Common Secret (cs) can be calculated on both side. This Common Secret is the same in both parties since:

cs = (g^{pubK}) ^{pubK'}=(g^{pubK'}) ^{pubK}

The Common Secret is used in combination with labels for the calculation of the PMK. An attacker that does not know the private key of both parties won't be able to calculate the cs and thus the PMK. The labels corresponds to network information such as the MAC addresses of the devices and so on.

Finally, a 4-Way handshake will be performed to derive the PTK from the PMK. The PTK will finally be used to encrypt data to ensure a secure tunnel.

OWE also benefits from the Protection Management Frames as well as PMK Caching.

WPA3 - SAE - Simultaneous Authentication of Equal

WPA3-SAE is an authentication scheme that can be used for personal usage. It is a more secure option than WPA2-Personal (PSK) in many ways. The Dragonfly handshake that occurs between the supplicant and the AP at the beginning of the authentication process ensure that the passphrase is almost impossible to be be cracked offline. The Dragon fly handshake, which corresponds to the 4 Authentication packets, also ensure the authentication of both parties and the generation of a unique secret session key.

Objective of SAE

SAE offers a new method of authentication to mitigate the security flaws associated with authentication in WPA2. In WPA2-PSK an attacker can listen the traffic between an AP and a supplicant and capture the PMK, which is a hash derived from the passphrase. A brute force or dictionary attack can thus be conducted to recover the passphrase from the captured hash. With WPA2-PSK the ease an attacker will have to brute force the key depends on many factors such as its GPU powers and the weakness of the passphrase.

Indeed, the PMK space is 256 bits, but is much smaller in reality because the PMK is derived from the passphrase which can be weak and short. This reduces the combinations spaces significantly.

In SAE, we want to keep the PMK combinations space of 2^128 or more. This combination space should be irrespective of the size and quality of the passphrase chosen. We want to keep the number of key combination two big to be able to perform an offline dictionary or brute force attack even if the passphrase chosen by the client is short and weak. SAE is also more secure since it meets the Forward Secrecy principle. Random components are used to calculate the PMK and the PMK is different to each connection. Therefore, if the session key is recovered for a session, an attacker won't be able to use this key to decrypt communication from previous or others sessions.

SAE take advantages of the Diffie Hellman Exchange in combination with a passphrase. In SAE, the Generator (g) is derived from the passphrase. The Point on Curve, the shared secrets and the PMK are parameters determined following complex mathematical operations and exchange flow that we won't cover here.

SAE Exchanges Packets

In SAE, 4 Authentication packets are exchanged between the supplicant and the AP. Both the supplicant and the AP use the Authentication packets to derive the PMK, which is unique to each session.

The image below shows an overview of the DragonFly handshake which result in the calculation of the PMK.

Once, the PMK has been calculated on both side, a traditional 4-Way handshake can occur to calculate the PTK.

Again, the SAE scheme can benefit from the Protection Management Frame and the PMK caching.

WPA3-Entreprise

WPA-3 Enterprise is similar to WPA2 Enterprise, but uses 192-bit security for a better encryption protection which is aligned with the Commercial National Security Algorithm (CNSA). WPA3-Enterprise requires Protection Management Frames and the RADIUS server is limited to a selection of more secure EAP ciphers (Source: Meraki).

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Device Provisioning Protocol (DPP)

DPP stands in replacement of the insecure WPS (Wireless Protected Setup) feature which allows IoT devices to connect to wireless network. The Wi-Fi Alliance refers to it as Easy Connect. With DPP, connecting a device to a wireless network is a way more easier and secure. DPP uses a secure encryption scheme using the Elliptic Curve Diffie Hellman exchange and a private/public key pair. A user needs to scan a QR code which will provide to the configurator the information needed to compute a common secret shared key.

In the image below, we can observe the ECDH exchanges flow between the two devices. The configurator is taking the information it needs to derive the K1 key via a QR code scan tied to the Device.

The image below shows the Config packets exchanged between the two parties. The Device sends to the Configurator a Config Request and the Configurator sends back to the device the configuration response which can contains a password or a DPP connector. A DPP connector can be think as a mini certificate signed with the private key of the configurator.