Impact of the different Wifi security modes

Comparing the different Wifi/WPA authentication and key distribution methods (PSK, EAP, SEA).

Table of content

Overview

The following table summarizes the different options:

• the “user identity” columns indicates whether any user identity (login) is used and how it is transmitted;
• the “passive eavesdropping” columns indicates whether an attacker can passively eavesdrop on the communications;
• the "Evil Twin AP” columns indicates whether an active attacker can impersonate the Access Point (AP) and meddler-in-the-middle (MITM) the communications;
• the “forward secrecy” columns indicates whether forward secrecy is provided.

WPA-personal using PSK (WPA-PSK)

The typical personal Wifi network uses PSK (Pre-Shared Key). In order to connect using PSK authentication, you only need the network SSID and a passphrase. The same passphrase is usually shared for all the stations/users.

A pre-shared key (PSK) is derived from the passphrase and the SSID using PBKDF2^[9]:

PSK = PBKDF2-HMAC−SHA1(passphrase, ssid, 4096 iterations, 256 bits)

This PSK is then combined with two nonces^[10] and the two MAC addresses (AA, SA) in order to derive fresh key material for this connection.

Anyone in possession of the passphrase/PSK can derive the key material of other connections (as long as he has observed the the two nonces in the 4-way handshake). This is problematic since the same passphrase is usually shared for all users. If you share your WPA2-personal passphrase with someone, this person can decrypt your Wifi communications. Everything which is not protected by other protocols (such as TLS, SSH, a VPN, etc.) can be eavesdropped. This typically includes the IP addresses and ports of the machines you are communicating with and the server names of the machines you are communicating with (through DNS requests^[11], through TLS SNI^[12]).

In addition, an attacker could record your (encrypted) Wifi communications before he manages to get your passphrase. If at a later time, he is able to guess/recover your password, he would be able to decrypt your recorded/previous communications as well (lack of forward secrecy).

Moreover, as the passphrase is usually global for the Wifi network, it is usually not possible to revoke the access for a single user: the global passphrase must be changed if any user access has to be revoked.

WPA-entreprise (WPA-EAP)

Before WPA3, all those limitations could be avoided by using WPA-Entreprise (WPA-EAP). As WPA-EAP is intended to be used in professional settings, it support different credentials for different users.

WPA-EAP works by doing an EAP authentication^[13] over Wifi.

The EAP method exports some key material (shared secret), the Master Session Key (MSK), resulting from the authentication. This key material is used in the 4-way handshake to generate the different keys for the Wifi connection.

We highlight some interesting EAP methods below.

EAP-TLS

The EAP-TLS method uses a TLS handshake (over EAP over Wifi) with mutual authentication: both the server and the client have their own (public/private) key pair (and the associated certificate chain) in order to authenticate themselves.

EAP-TTLS

The EAP-TTLS (Tunneled TLS) method uses a TLS connection over EAP over Wifi as well. The server is authenticated at the TLS layer (using on its key pair and certificate chain) as before. The difference with EAP-TLS is that the client is authenticated using some inner authentication protocol which is protected by the TLS tunnel.

EAP-PWD

The EAP-PWD method provides mutual authentication between the supplicant and the authenticator based on a shared password. This EAP method is based on the Dragonfly key exchange which protects against passive and active attacks and provides forward secrecy.

WPA-personal using SAE (WPA-SAE)

WPA3 introduces WPA3-SAE (Simultaneous Authentication of Equals) as a replacemnent for WPA-PSK for personal mode. Like EAP-PWD, it is based on the Dragonfly key exchange which protects against passive and active attacks and provides forward secrecy.

This diagram is based on the diagram in the Dragonblood paper.

Password identifiers

SAE-PK

SAE-PK (SAE with Public Key Authentication) is an extension of SAE. With plain SAE, any user can impersonate the AP. This is especialy problematic in public Wifi networks. SAE-PK associates an ECDSA (public/private) key pair to the AP: this key pair is used to authenticate the access point.

When using SAE-PK, thehe password is derived^[14] from the AP public key: it cannot be chosen arbitrarily.

The station is provisionned with:

• the SSID;
• the SAE-PK password;
• optionnaly, the public key;
• optionnaly, a password identifier.

If the station does not know the public key, it may by validated based on the SAE password.

Conclusion

WPA3-SAE and WPA-EAP with EAP-PWD are quite similar:

• both are using a Dragonfly-like exchange (password-based) which provides forward secrecy;
• EAP-PWD supports multiple users and WPA3-SAE has optional support for multiple users (using password identifiers) and in both case the login/password identifier is sent in cleartext.

WPA-SAE can be provisionned through Wifi URIs (QR-code). However, WPA-SAE is currently not widely supported: EAP-PWD seems to be more widely supported for now.

WPA3-SAE-PK prevents AP impersonation in case the same passphrase is shared or compromised and can be provisionned through Wifi URIs (QR-code). Such a feature is not available in EAP-PWD. WPA3-SAE-PK can be used with password identifiers as well. Support for WPA3-SAE-PK seems to be lacking for now however.

WPA-EAP with a TLS-based method is an interesting alternative for WPA3-SAE-PK with password identifiers:

• both provide forward secrecy (assuming a good TLS key exchange method is used);
• both have a strong AP authentication in order to prevent AP impersonation.

WPA-EAP with a TLS-based method has several benefits over WPA3-SAE-PK with password identifiers:

• the station/user identity is usually protected (but not for EAP-TLS with TLS v1.2);
• WPA-EAP is currently more widely supported than WPA3-SAE-PK;
• TLS is widely understood/used.

One drawback EAP-methods is that provisioning is more cumbersome compared to EAP-personal:

• WPA-EAP cannot be provisionned through Wifi URIs (QR-code);
• TLS-based EAP method ones may require the provisioning of a trust root (CA certificate) for the server/authenticator certificate chain;
• EAT-TLS requires the provisioning of a client key pair and certificate as well.

Appendix, OWE

OWE (Opportunistic Wireless Encryption) aka Enhanced Open is a replacement for open Wifi networks. Open wifi network are not protected (no authentication, no encryption). OWE networks are still open (anyone can join the network) but provides opportunistic encryption (based on an unauthenticated Diffie-Hellman key exchange) in order to protect against (passive) eavesdropping.

Appendix, protocol stacks

                            [ ... ]
                            [ EAP / MS-CHAPv2 / ...  ]
                            [ Diameter AVP           ]
               [ mTLS    ]  [ TLS                    ]
               [ EAP-TLS ]  [ EAP-TTLS               ] [ EAP-PSK ]     [ IP                 ]
               [ EAPOL   ]  [ EAPOL                  ] [ EAPOL   ]     [ SNAP               ]
               [ SNAP    ]  [ SNAP                   ] [ SNAP    ]     [ LLC                ]
               [ LLC     ]  [ LLC                    ] [ LLC     ]     [ TKIP / CCMP / GCMP ]
 [ Wifi     ]  [ Wifi    ]  [ Wifi                   ] [ Wifi    ]     [ Wifi               ]
 WPA-Personal    WPA-EAP             WPA-EAP             WPA-EAP           Protected
    Auth.         Auth.              Auth.                Auth.     =>       Wifi
 (PSK or SAE)    EAP-TLS             EAP-TTLS            EAP-PSK              

Appendix, configuration

Configuration of wpa_supplicant

In wpa_supplicant, SAE password identifiers can be set using the sae_password_id=my_password parameter.

In wpa_supplicant, the station will automatically try to use SAE-PK if the sae_password looks like a SAE-PK password. We can force the usage of SAE-PK by setting sae_pk=1. There does not seem to be any way to explicitly provision the AP public key.

Configuation of hostapd

hostapd supports multiple PSKs using the wpa_psk_file configuration. Alternatively hostapd supports receiving the password or the PSK/MSK from the RADIUS server through the Tunnel-Password RADIUS attribute in the Access-Accept reply message: this value may be influenced by the MAC address of the station which is sent to the RADIUS server in the Calling-Station-Id attribute. Multiple Tunnel-Password RADIUS attributes may be returned in order to support several PSKs.

We can specify different passwords associated with different SAE password identifiers with sae_password=my_password|id=my_identifier.

SAE-PK support may be configured using: sae_password=hbbi-f4xq-b45g|pk=...

Terminology

MSK (Master Session Key): shared secret (between the AP/authenticator and the station/supplicant) generated at the result of the EAP authentication.

TKIP (Temporal Key Integrity Protocol): encryption protocols used with WPA1.

CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol): encryption protocols used with WPA2.

GCMP (Galois/Counter Mode Protocol): encryption protocols used with WPA3.

PSK (Pre-shared key): secret derived (between the AP and the station) from the Wifi network passphrase. This method is used in for WPA-personal in WPA1 and WPA2.

Snonce, Anonce: nonces chosen by the station and AP respecticely in the four-way handshake. They provide protection against replay attacks.

SA: MAC Address of the Station.

AA: MAC Address of the Access Point.

PMK (Pairwise Master Key): shared secret shared between the AP and the station and used to derive other keys. In WPA-PSK, this is the PSK and is (usually) shared for all stations. In other cases, the PMK is usually different for each Wifi connection.

PTK (Pairwise Transient Key): another shared secret between the station and the AP. This key is divided into KCK, KEK and TK.

KCK (Key Confirmation Key): key used for computing the MIC in the four-way handshake in order to confirm the key.

KEK (Key encryption key): used by the AP to send encrypt the GTK and send it to the station.

TK (Transient Key): key used for encryption and data authentication (MAC) of the unicast traffic. When using the TKIP encryption (WPA1), this is divided into TEK and TMK.

GTK (Group Transient Key): used to protect multicast traffic, generated/chosen by the AP and sent in encrypted form to the stations.

References

• PCAP file for WPA-PSK
• PCAP file for WPA-EAP
• WPA3 specification 2.0
• WPA3 specification 3.0
• RFC8110, OWE
• WPA3-SAE in Action
• Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd and associated slides
• PEAP: Pwned Extensible Authentication Protocol
• EAP-PWD - Wifi security done right
• RFC5931, EAP-PWD
• KRACK Attacks, Breaking WPA2
• A Chosen Random Value Attack on WPA3 SAE authentication protocol
• Attacking WPA3: New Vulnerabilities & ExploitFramework
• Analysis of Protected Management Frames and WPA3's SAE-PK
• Wi-Fi security – WEP, WPA and WPA2
• Wi-Fi Alliance® Wi-Fi® Security Roadmap and WPA3™ Updates
• RFC5216, EAP-TLS
• RFC9190, EAP-TLS for TLSv1.3
• RFC5281, EAP-TTLSv0
• draft for EAP-TTLSv1
• PEAP v0 (draft)
• PEAP v1 (draft)
• PEAP v2 (draft)
• RFC4851, EAP-FAST
• RFC7170, TEAP
• RFC9190, EAP-TLSv1.3
• RFC9427, EAP with TLS1.3
• RFC5931, EAP-PWD , mutual authentication and forward secrecy based on Dragonfly
• RFC8146, salted password extension for EAP-PWD
• RFC6124, EAP-EKE
• RFC3748, EAP
• RFC2759, MSCHAPv2
• 802.11-2016
• Next Gen Wi-Fi Security: WPA3, Enhanced Open, DPP
• RFC4017, requirements for EAP for WLAN
• Wifi Easy Connect Specification v2.0
• RFC2865, RADIUS
• RFC3733, Diameter
• RFC4072, Dimaeter for EAP
• RFC3579, RADIUS Support for EAP
• Extensible Authentication Protocol (EAP) Registry
• NIST SP 800-153 : Guidelines for Securing Wireless Local Area Networks (WLANs)
• Example wpa_supplicant configuration file
• Wi-Fi security - WEP, WPA and WPA2