Goodbye to WPA-2 and Hello to WPA-3

Goodbye To The Terrible 4-Way Handshake and Hello to Simultaneous Authentication of Equals

4-ways to a disaster

Security in Wi-Fi has had a difficult route. In its current form (WPA-2) a password can be cracked by listening to the 4-way handshake between a client and the access point. This will then crack all the keys that have been used or will be used in the future. WPA-3 addresses this by securing the password, and uses a zero-knowledge proof to make sure that no elements of the password are transmitted over the network. Both sides then pass their knowledge of the password, and each can prove to the other that it knows the secret password.

With WPA-2 we hash the SSID and the password and use this to create a master key (which is used to derive session keys). The intruder can then use a dictionary or a brute force attack on the hash to discover the password and thus the long-term key (from which all other keys are derived). A PBKDF2 hash is used to make the hash difficult to crack, but if an intruder has GPU crackers, the cracking can be fairly inexpensive. A weak password is also easily crackable, especially if it comes from a standard dictionary. This is an offline crack, where an intruder can use cloud-based crackers to recover the password, and then derive all the keys from it.

A poor history

The upgrading of Wi-Fi security has often been driven more by keeping compatibility with legacy devices than by driving forward improvements. With WEP we had a standard which broke almost every rule in the good cryptography book. It had a small IV value (24 bits), which meant that it rolled over after a relatively short time. This then cracked the global key for the whole network, and an intruder could listen to all of the encrypted traffic. It also used a flawed stream cipher and key size: 40-bit RC4.

So the fix was WPA, which integrated a new encryption method (TKIP) and where the IV and key size were increased to safer levels. In 2004, WPA-2 brought a block cipher (AES) and improved authentication, and introduced the 4-way handshake. This handshake has since been the source of a number of vulnerabilities.

Say hello to WPA-3

So with WPA-2 (802.11i) seen as flawed, the Wi-Fi Alliance has released WPA-3 [here], which introduces almost seamless protection against brute-force attacks on network passwords. The protection only allows for one guess at a time when trying to crack a password. As with WPA-2, it is available in two forms:

  • WPA3-Personal: This replaces the 4-way handshake with Simultaneous Authentication of Equals (SAE) [1], which is defined in the IEEE 802.11s standard. SAE was initially defined for mesh networks, but is now being applied to infrastructure wireless networks.
  • WPA3-Enterprise: This integrates a back-end authentication infrastructure, such as a RADIUS server. An Elliptic Curve Diffie-Hellman (ECDH) exchange and the Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve are used to provide strong authentication.

Along with these changes, WPA-3 brings the integration of QR codes to gain the network connection details.

Simultaneous Authentication of Equals (SAE)

The focus for SAE is to properly authenticate a device onto a network, using a password and MAC addresses to authenticate. An intruder should not be able to connect to a network unless they know the password that the access point uses. Also, an intruder should not be able to guess either the password or the long-term authentication element derived from the password. In WPA-2 an intruder can listen to the 4-way handshake and can then brute force the password from the hashed value created (see the section below for details).

SAE is based on a zero-knowledge proof known as Dragonfly: it uses the Diffie-Hellman key exchange method but adds an authentication element. With this we create a shared key with elliptic curve methods (NIST curves), and then use a pre-shared key and the MAC addresses. When the client connects to the access point, they perform an SAE exchange. If successful, they will each create a cryptographically strong key, from which the session key is derived. If one session key is cracked it will only affect one key, and not all of the keys used, as with WPA-2.

Basically, a client and an access point go through a commit phase and then a confirm phase. Once we have a commitment, the client and access point can then go into the confirm state each time there is a session key to be generated. The method provides forward secrecy: an intruder who cracks a single key does not gain any of the other keys.

In the commit phase, Alice (the client) generates two random values (a,A), then computes a scalar value (a+A). The value that Alice will pass is the PE (Password Element, such as a hashed value of the password that Bob and Alice know) raised to the power of -A. The operations are done (mod q), where q is a large prime number. Bob does the same, and then they exchange values. In the end they will have the same shared commit key (PE^{ab}). The password has been used to validate Bob and Alice, and they will only have the same shared commit value if they both have the same password. The intruder cannot determine either the original password or the final shared value.

Dragonfly protocol for zero knowledge proof

More details on the Dragonfly method here.

In the confirm phase we then use the long-term key to generate a unique session key. An attacker cannot determine the password used or the long-term master key (PMK). The cracking of one session key will not reveal the rest of the keys which have been used, which is not the case for WPA-2.
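The commit and confirm phases described above, worked through in code. This is an added example and is not code from the original article or from any SAE implementation: it uses a small safe prime p = 2q+1 found at start-up (a hypothetical toy group) and a hash-based stand-in for Dragonfly's hunting-and-pecking derivation of the password element, so the algebra matches the text (scalar r+m mod q, element PE^{-m} mod p, shared value PE^{r r'}) but it is not interoperable with real WPA3-SAE, which uses NIST curves or the RFC 3526 MODP groups. The MAC addresses and passwords are constructed.

```python
import hashlib
import hmac
import secrets

# Hypothetical toy group: a 64-bit safe prime p = 2q + 1 found at start-up.
# The password element lives in the order-q subgroup, so exponents are taken mod q
# and group elements mod p, matching the page's description.

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (first twelve primes as bases)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits=64):
    """Smallest q above 2^(bits-1) with q and 2q+1 both prime."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime()


def password_element(password, mac_a, mac_b):
    """Toy stand-in for hunting-and-pecking: hash the password and both MACs to a
    quadratic residue mod p (an element of the order-q subgroup), skipping 0 and 1."""
    macs = min(mac_a, mac_b) + max(mac_a, mac_b)   # sorted, so both sides agree
    for counter in range(1, 256):
        h = hashlib.sha256(macs + password + bytes([counter])).digest()
        pe = pow(int.from_bytes(h, "big") % P, 2, P)
        if pe > 1:
            return pe
    raise ValueError("could not derive a password element")


def commit(pe):
    """Commit phase: random rand r and mask m; send scalar s = r + m (mod q) and
    element E = PE^(-m) (mod p); keep r secret for the confirm phase."""
    while True:
        r = secrets.randbelow(Q - 1) + 1
        m = secrets.randbelow(Q - 1) + 1
        s = (r + m) % Q
        if s > 1:
            break
    element = pow(pe, Q - m, P)   # PE has order q, so PE^(q - m) == PE^(-m)
    return r, s, element


def shared_secret(pe, r, peer_scalar, peer_element):
    """k = (PE^peer_scalar * peer_element)^r = PE^(r_peer * r); the masks cancel,
    but only if both sides used the same PE, i.e. the same password."""
    return pow(pow(pe, peer_scalar, P) * peer_element % P, r, P)


def confirm_token(k, own_scalar, own_element, peer_scalar, peer_element):
    """Confirm phase: a keyed MAC over k and both commits proves the peer derived
    the same k, without sending the password or k itself."""
    kck = hashlib.sha256(k.to_bytes(16, "big")).digest()
    msg = b"".join(v.to_bytes(16, "big")
                   for v in (own_scalar, own_element, peer_scalar, peer_element))
    return hmac.new(kck, msg, hashlib.sha256).digest()


def sae_handshake(client_password, ap_password,
                  client_mac=b"\x66\x77\x88\x99\xaa\xbb", ap_mac=b"\x00\x11\x22\x33\x44\x55"):
    """Run commit + confirm between a client and an AP (constructed MACs).
    Returns (client_accepts_ap, ap_accepts_client)."""
    pe_c = password_element(client_password, client_mac, ap_mac)
    pe_a = password_element(ap_password, ap_mac, client_mac)
    r_c, s_c, e_c = commit(pe_c)
    r_a, s_a, e_a = commit(pe_a)
    k_c = shared_secret(pe_c, r_c, s_a, e_a)
    k_a = shared_secret(pe_a, r_a, s_c, e_c)
    tok_c = confirm_token(k_c, s_c, e_c, s_a, e_a)   # client -> AP
    tok_a = confirm_token(k_a, s_a, e_a, s_c, e_c)   # AP -> client
    client_accepts = hmac.compare_digest(tok_a, confirm_token(k_c, s_a, e_a, s_c, e_c))
    ap_accepts = hmac.compare_digest(tok_c, confirm_token(k_a, s_c, e_c, s_a, e_a))
    return client_accepts, ap_accepts


if __name__ == "__main__":
    print("same password:", sae_handshake(b"correct horse", b"correct horse"))
    print("wrong password:", sae_handshake(b"correct horse", b"battery staple"))
```

Note what an eavesdropper sees: only the scalars and masked elements. Each run picks fresh r and m, so the same password produces different commits and a different k every time, and an attacker can test one password guess only by running a live exchange, which is the property the article attributes to WPA-3.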

Confirmation phase

A new crack on WPA-2

In order to crack WPA-2, we need to capture the communication of the 4-way handshake, and then crack a PBKDF2-SHA1 hashed value. If a weak password is used, it is normally fairly inexpensive to crack the hash and gain access to the network.

As PBKDF2 is a slow hashing method, it will be costly to crack fairly complex passwords with brute force. Typically when using Hashcat, we focus on a range of rules which considerably improve the chances of success, such as placing a digit at the end or making the first character upper case.

But now things get even easier, as a Hashcat developer — Jens “Atom” Steube — has found a way to crack the network without the involvement of the 4-way handshake. With this an attacker sends a single EAPOL frame to the access point. They then get back the PMK (Pairwise Master Key) and use Hashcat to generate the Pre-Shared Key (PSK). With a reasonably priced GPU cracking infrastructure, many systems could now be cracked in just a few days.

There is thus no need to capture the four-way handshake or to make an association request with the access point. It has been known for a while that WPA-2 (802.11i) has security weaknesses, and this latest one is likely to increase the drive towards the adoption of WPA-3 (‘dragonfly’). With WPA-3 a new handshaking method is being rolled out, which should prevent the cracking of weak passwords.

Background around WPA-2

Within WPA-2 we aim to create an initial pairing between the client and the access point, and then to identify them without giving away the password which has been used. In the initial authentication the client will either use a pre-shared key (PSK), or use an EAP exchange through 802.1X (EAPOL).

The EAPOL exchange requires the usage of an authentication server. After this phase a shared secret key is created, known as the Pairwise Master Key (PMK). This uses PBKDF2-SHA1 as a hashing method, as the PBKDF2 part makes it difficult to crack the hash (a number of rounds are used to slow down the hashing process). With PSK, the PMK is defined directly from the PSK, but with EAPOL, the PMK is derived from EAP parameters. Generally EAPOL is more difficult to crack than PSK. The PMK is generated from the PSK with:

PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)

and where we use the SHA1 hashing function with HMAC as the message authentication code. In this case the PMK is generated from 4096 iterations of the hashing method and creates a 256-bit PMK (which is 64 hexadecimal characters and where each hexadecimal character represents 4 bits). A simple Python script to generate the PMK is:

import hashlib

ssid = 'home'
phrase = 'qwerty123'
print("SSID: " + ssid)
print("Pass phrase: " + phrase)
# PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes = 256 bits)
pmk = hashlib.pbkdf2_hmac('sha1', phrase.encode(), ssid.encode(), 4096, 32)
print("Pairwise Master Key: " + pmk.hex())

and a sample run is [here]:

SSID: home
Pass phrase: qwerty123
Pairwise Master Key: bbaf585c301dc4d4024523535f42baf04630f852e2b01979ec0401edcdf0e9c8

Thus, for an SSID of “home”, and a pass phrase of “qwerty123” we generate a 256-bit PMK of “bbaf585c301dc4d4024523535f42baf04630f852e2b01979ec0401edcdf0e9c8”.

The four-way handshake

Within WPA-2 (802.11i) we get the four-way handshake process, which is illustrated in Figure 1. It is designed so that the access point and wireless client can prove that they know each other by showing that they know the PSK/PMK, without ever releasing the key. They then encrypt messages to each other, and if they can decrypt them, then they have successfully authenticated each other. In this way we can protect against a malicious spoof access point which is broadcasting a valid-looking SSID.

Figure 1: 802.11i Four-way handshake for authentication

Overall the PMK will last for the complete authentication of the devices, and should be used sparingly. Thus the four-way handshake uses a derived key known as the Pairwise Transient Key (PTK), which is generated from the PMK, a client nonce (ANonce), an access point nonce (SNonce), and the MAC addresses of the client and the access point (AP). These are then put into a pseudo-random function, and generate a GTK (Group Temporal Key). The GTK is then used to decrypt multicast and broadcast traffic.

The details of the handshake are thus:

  • The AP sends a nonce to the STA (ANonce). The client creates the PTK.
  • The client sends its nonce (SNonce) to the AP, along with a Message Integrity Code (MIC), which includes the authentication.
  • The AP creates the PTK and sends the GTK, along with a sequence number and a MIC.
  • The client sends a confirmation to the AP.
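The handshake steps above, worked through as an added example that is not part of the original article or any vendor's code: it derives the PMK (as in the earlier script), expands it to the PTK with the 802.11i PRF, and computes and checks the MIC on message 2 the way an access point does, so the reader can see how knowledge of the PMK is proven without the key itself ever being sent. The SSID and passphrase are the page's; the MAC addresses, nonces and EAPOL-Key field values are constructed, and the frame is a minimal skeleton of message 2 rather than a captured packet.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs (not captured traffic): the page's SSID/passphrase,
# plus made-up MAC addresses and nonces.
SSID = b"home"
PASSPHRASE = b"qwerty123"
AP_MAC = bytes.fromhex("001122334455")      # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")     # supplicant address (SPA)
ANONCE = bytes(range(32))                   # nonce chosen by the AP
SNONCE = bytes(range(100, 132))             # nonce chosen by the client

MIC_OFFSET = 81   # offset of the 16-byte Key MIC field within an EAPOL-Key frame


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, mac1, mac2, nonce1, nonce2):
    """PTK (48 bytes for CCMP) from the PMK, both MAC addresses and both nonces.
    The inputs are sorted, so both sides compute the same key whatever order they use."""
    data = min(mac1, mac2) + max(mac1, mac2) + min(nonce1, nonce2) + max(nonce1, nonce2)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk):
    """KCK (MIC key), KEK (GTK-wrapping key), TK (CCMP data key)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def build_eapol_key_msg2(snonce):
    """Skeleton of handshake message 2: EAPOL header + EAPOL-Key body, MIC field zeroed."""
    body = struct.pack(">BHHQ", 2, 0x010a, 16, 1)    # descriptor type, key info, key length, replay ctr
    body += snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, reserved
    body += bytes(16) + struct.pack(">H", 0)          # MIC (zeroed), key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type 3 (Key)


def compute_mic(kck, frame):
    """WPA2/CCMP Key MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_msg2(passphrase):
    """Client side: PMK -> PTK, then put a MIC on message 2 using the KCK."""
    pmk = derive_pmk(passphrase, SSID)
    kck, _, _ = split_ptk(derive_ptk(pmk, STA_MAC, AP_MAC, SNONCE, ANONCE))
    frame = build_eapol_key_msg2(SNONCE)
    mic = compute_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def ap_verifies_msg2(frame, ap_passphrase=PASSPHRASE):
    """AP side: recompute the MIC from its own PMK and compare in constant time."""
    pmk = derive_pmk(ap_passphrase, SSID)
    kck, _, _ = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))
    expected = compute_mic(kck, frame)
    return hmac.compare_digest(expected, frame[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    print("PMK:", derive_pmk(PASSPHRASE, SSID).hex())
    print("AP accepts client with the right passphrase:", ap_verifies_msg2(sign_msg2(PASSPHRASE)))
    print("AP accepts client with a wrong passphrase:", ap_verifies_msg2(sign_msg2(b"wrongpass")))
```

The MIC in message 2 is exactly what an offline attack works from: both nonces and both MACs are sent in the clear, so anyone with a capture can repeat the PMK-to-MIC computation for each password guess and stop when the MIC matches. That is why the PBKDF2 cost and the password strength are the only things protecting a WPA-2 PSK network, and why SAE moves the password check to a live exchange.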

Conclusions

WPA-2 has some serious flaws, which are addressed by WPA-3. Many think, though, that the Wi-Fi Alliance should have mandated the roll-out of WPA-3, in order to force the industry to move away from WPA-2.

[1] D. Harkins, “Simultaneous Authentication of Equals: A Secure, Password-Based Key Exchange for Mesh Networks,” 2008 Second International Conference on Sensor Technologies and Applications (sensorcomm 2008), Cap Esterel, 2008, pp. 839–844. doi: 10.1109/SENSORCOMM.2008.131
 URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4622764&isnumber=4622621