Impact of the different Wifi security modes

Comparing the different Wifi/WPA authentication and key distribution methods (PSK, EAP, SAE).

Overview

The following table summarizes the different options:

| Type       | Mode                 | User identity             | Passive eavesdropping   | Evil Twin AP            | Forward secrecy |
|------------|----------------------|---------------------------|-------------------------|-------------------------|-----------------|
| Open       | Open Network         | no                        | Yes                     | Yes                     | No              |
| Open       | OWE                  | no                        | No                      | Yes                     | Yes             |
| Personal   | WPA-PSK              | no                        | By users[1]             | By users[1]             | No              |
| Personal   | WPA-PSK with PPSK    | MAC address (usually)     | For a single passphrase | For a single passphrase | No              |
| Personal   | WPA3-SAE             | no or cleartext[2]        | No                      | By users[3]             | Yes             |
| Personal   | WPA3-SAE-PK          | no or cleartext[2]        | No                      | No                      | Yes             |
| Enterprise | WPA-EAP EAP-TLS      | cleartext or protected[4] | No                      | No                      | Usually[5]      |
| Enterprise | WPA-EAP EAP-TTLS [6] | protected                 | No                      | No                      | Usually[5]      |
| Enterprise | WPA-EAP EAP-PWD      | cleartext                 | No                      | No[7]                   | Yes             |

WPA-personal using PSK (WPA-PSK)

The typical personal Wifi network uses PSK (Pre-Shared Key). In order to connect using PSK authentication, you only need the network SSID and a passphrase. The same passphrase is usually shared for all the stations/users.

Summary: WPA-PSK

  • mutual authentication based on a PSK (usually derived from a passphrase);
  • the PSK can be used for passive eavesdropping (assuming the 4-way handshake has been observed[8]);
  • can be provisioned using Wifi URIs (usually represented as a QR-code).

Limitations:

  • usually the same passphrase/PSK is shared for all users;
  • anyone knowing the passphrase can impersonate the AP;
  • no easy way to revoke the access to a single user;
  • no forward secrecy (with respect to the PSK).

A pre-shared key (PSK) is derived from the passphrase and the SSID using PBKDF2[9]:

PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)

This PSK is then combined with two nonces[10] and the two MAC addresses (AA, SA) in order to derive fresh key material for this connection.

Key hierarchy for WPA2-PSK

Sequence diagram for the WPA-PSK association

Anyone in possession of the passphrase/PSK can derive the key material of other connections (as long as he has observed the two nonces in the 4-way handshake). This is problematic since the same passphrase is usually shared for all users. If you share your WPA2-personal passphrase with someone, this person can decrypt your Wifi communications. Everything which is not protected by other protocols (such as TLS, SSH, a VPN, etc.) can be eavesdropped. This typically includes the IP addresses and ports of the machines you are communicating with, as well as their server names (through DNS requests[11], through TLS SNI[12]).

In addition, an attacker could record your (encrypted) Wifi communications before he manages to get your passphrase. If at a later time, he is able to guess/recover your password, he would be able to decrypt your recorded/previous communications as well (lack of forward secrecy).

Moreover, as the passphrase is usually global for the Wifi network, it is usually not possible to revoke the access for a single user: the global passphrase must be changed if any user access has to be revoked.

Note: workarounds for supporting multiple passphrases/PSKs

WPA-PSK does not provide any means for the station to specify a login/username. Several possible workarounds can be used to support multiple passphrases/PSKs on the same network.

The AP can use a different passphrase/PSK depending on the MAC address of the station. This may be called PPSK (private PSK), Identity PSK, ePSK, Multi-PSK, Dynamic-PSK™.

It is possible to support several PSKs for the same MAC address (or without any MAC address based dispatching at all). When the AP receives EAPOL-Key #2, it can try the different PSKs until the MIC passes.

Passive eavesdropping and AP impersonation are possible within a single PSK/passphrase group (i.e. it is not a problem as long as the PSK is not shared).
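
The PSK/PTK derivation and the "try the different PSKs until the MIC passes" dispatch described above, as an added example (not code from the original post). It assumes CCMP (384-bit PTK) and the HMAC-SHA1-128 MIC of key descriptor version 2; the function names, MAC addresses, nonces and frame bytes are constructed for illustration.

```python
import hashlib
import hmac

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, sa: bytes, anonce: bytes, snonce: bytes):
    """Derive the 384-bit PTK (CCMP assumed) and split it into (KCK, KEK, TK)."""
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:]

def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """MIC for key descriptor version 2 (assumed): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def select_psk(psks: dict, aa, sa, anonce, snonce, frame, mic):
    """AP side: try each configured PSK until the MIC of EAPOL-Key #2 verifies."""
    for owner, psk in psks.items():
        kck, _kek, _tk = derive_ptk(psk, aa, sa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return owner
    return None

# Constructed sample values (not a capture): MAC addresses, nonces, frame bytes.
SSID = "SUPERSSID"
AA = bytes.fromhex("020000000001")
SA = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
FRAME = b"constructed EAPOL-Key #2 frame with MIC field zeroed"
AP_PSKS = {"alice": derive_psk("correct horse", SSID),
           "bob": derive_psk("battery staple", SSID)}

def station_mic(passphrase: str) -> bytes:
    """Station side: MIC placed in EAPOL-Key #2 by a station using this passphrase."""
    kck, _kek, _tk = derive_ptk(derive_psk(passphrase, SSID), AA, SA, ANONCE, SNONCE)
    return eapol_mic(kck, FRAME)

if __name__ == "__main__":
    print(select_psk(AP_PSKS, AA, SA, ANONCE, SNONCE, FRAME, station_mic("battery staple")))
    print(select_psk(AP_PSKS, AA, SA, ANONCE, SNONCE, FRAME, station_mic("wrong guess")))
```

Every input of derive_ptk other than the PSK (both MAC addresses and both nonces) is visible on the air, which is why sharing one PSK between users gives no confidentiality between them.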

WPA-enterprise (WPA-EAP)

Summary: WPA-EAP

  • can accommodate different credentials for different users;
  • usually protects against passive eavesdropping;
  • usually protects against AP impersonation;
  • usually provides forward secrecy (depending on the EAP method, etc.).

Before WPA3, all those limitations could be avoided by using WPA-Enterprise (WPA-EAP). As WPA-EAP is intended to be used in professional settings, it supports different credentials for different users.

WPA-EAP works by doing an EAP authentication[13] over Wifi.

Sequence diagram for the WPA-EAP association

The EAP method exports some key material (shared secret), the Master Session Key (MSK), resulting from the authentication. This key material is used in the 4-way handshake to generate the different keys for the Wifi connection.

Key hierarchy for WPA2-EAP

Note: EAP and AAA

When using EAP, the authentication is usually forwarded by the AP to some authentication server.

Most of the time the RADIUS authentication protocol is used:

  • The EAP messages are transmitted between the AP and the AAA server over RADIUS using the EAP-Message RADIUS attribute.
  • If the authentication is successful, the RADIUS server sends the computed MSK to the AP. This is usually done using both the MS-MPPE-RECV-Key (which contains the first 32 bytes of the MSK i.e. the PMK in WPA) and the MS-MPPE-SEND-Key (next 32 bytes) RADIUS attributes.

In the Diameter protocol, the EAP-Master-Session-Key attribute is defined to transport the full MSK.

We highlight some interesting EAP methods below.

EAP-TLS

The EAP-TLS method uses a TLS handshake (over EAP over Wifi) with mutual authentication: both the server and the client have their own (public/private) key pair (and the associated certificate chain) in order to authenticate themselves.

Summary: WPA with EAP-TLS

  • TLS with mutual authentication over EAP over Wifi
  • both the authenticator/AP and the supplicant/station are authenticated at the TLS layer
    • the server authenticates itself using its keypair and the associated certificates,
    • the client authenticates itself as well using its keypair and the associated certificates;
  • in TLS v1.2, the client certificate (containing the client identity) is typically sent in cleartext;
  • with TLS v1.3, the client certificate is always sent encrypted;
  • forward secrecy is provided if a key exchange method/ciphersuite providing forward secrecy is used.

EAP-TTLS

The EAP-TTLS (Tunneled TLS) method uses a TLS connection over EAP over Wifi as well. The server is authenticated at the TLS layer (using its key pair and certificate chain) as before. The difference with EAP-TLS is that the client is authenticated using some inner authentication protocol which is protected by the TLS tunnel.

Summary: WPA with EAP-TTLS

  • some tunnelled/inner authentication protocol over TLS over EAP over Wifi;
  • the tunnelled/inner authentication protocol may be EAP with another EAP method (such as EAP-GTC) or something else (such as PAP, CHAP, MSCHAPv2);
  • the station/user is often authenticated using a login and password;
  • the station/user identity is protected by the TLS layer;
  • forward secrecy is provided if a key exchange method/ciphersuite providing forward secrecy is used.

Note: similar EAP methods

The PEAP, EAP-FAST and TEAP methods are similar to EAP-TTLS. They use a TLS connection to protect some inner authentication protocol.

Warning: vulnerability in PEAPv0 and PEAPv1

PEAPv0 and PEAPv1 have a MITM vulnerability when the same authentication method (and the same credentials) is used both as the inner authentication method in PEAP and without protection. In this case, a MITM could intercept the unprotected authentication and inject it into the PEAP tunnel in order to complete the PEAP authentication. This is fixed in PEAP v2.

EAP-PWD

The EAP-PWD method provides mutual authentication between the supplicant and the authenticator based on a shared password. This EAP method is based on the Dragonfly key exchange which protects against passive and active attacks and provides forward secrecy.

Summary: WPA with EAP-PWD

  • the station/user is authenticated using a login and password;
  • no client identity (login) protection;
  • if the user password is shared or compromised, it may be used to impersonate the AP for this user;
  • forward secrecy is provided.

Note: similar EAP methods

The EAP-EKE method uses a similar approach but uses the EKE (Encrypted Key Exchange) protocol instead of Dragonfly. It is supposed to provide the same kind of guarantees as EAP-PWD (protection against passive and active attacks, forward secrecy).

WPA-personal using SAE (WPA-SAE)

WPA3 introduces WPA3-SAE (Simultaneous Authentication of Equals) as a replacement for WPA-PSK for personal mode. Like EAP-PWD, it is based on the Dragonfly key exchange which protects against passive and active attacks and provides forward secrecy.

Summary: WPA3-SAE

  • replacement for WPA-PSK in WPA3 (WPA3-personal mode);
  • authentication based on a passphrase (no login);
  • usually the same passphrase is shared for all users (but optional support for explicit login through password identifiers);
  • provides forward secrecy;
  • does not protect from AP impersonation (see WPA3-SAE-PK for this);
  • passphrase, SSID, password identifier and network public key can be provisioned using Wifi URIs (usually represented as a QR-code).

Sequence diagram for the WPA3-SAE association

Key hierarchy diagram for the WPA3-SAE association

This diagram is based on the diagram in the Dragonblood paper.

Password identifiers

Summary: WPA3-SAE with password identifiers

  • password identifier serves as a login (cleaner support for multiple users with different passphrases);
  • password identifier sent in cleartext (in the station SAE Commit message);
  • prevents AP impersonation by other users as long as the passphrase is not shared or compromised;
  • password identifier can be provisioned using QR-code (Wifi URIs), with the I: parameter.

SAE-PK

SAE-PK (SAE with Public Key Authentication) is an extension of SAE. With plain SAE, any user can impersonate the AP. This is especially problematic in public Wifi networks. SAE-PK associates an ECDSA (public/private) key pair to the AP: this key pair is used to authenticate the access point.

When using SAE-PK, the password is derived[14] from the AP public key: it cannot be chosen arbitrarily.

The station is provisioned with:

If the station does not know the public key, it may be validated based on the SAE password.

Summary: WPA3-SAE-PK

  • adds authentication of the AP based on a public key of the AP;
  • prevents impersonation of the AP by users sharing the same passphrase (or compromised passphrase);
  • the password is derived from the AP public key;
  • can be provisioned using Wifi URIs (QR-code), with the K: parameter (which contains the SubjectPublicKeyInfo encoded in base64).

Summary: WPA3-SAE-PK with password identifiers

  • SAE-PK and password identifiers can be used at the same time;
  • different password identifiers can use either the same or different public keys (https://www.wi-fi.org/system/files/WPA3%20Specification%20v3.3.pdf#page=17);
  • even if the same public key is used for different password identifiers, the associated password can be different.

Conclusion

WPA3-SAE and WPA-EAP with EAP-PWD are quite similar:

WPA-SAE can be provisioned through Wifi URIs (QR-code). However, WPA-SAE is currently not widely supported: EAP-PWD seems to be more widely supported for now.

WPA3-SAE-PK prevents AP impersonation in case the same passphrase is shared or compromised and can be provisioned through Wifi URIs (QR-code). Such a feature is not available in EAP-PWD. WPA3-SAE-PK can be used with password identifiers as well. Support for WPA3-SAE-PK seems to be lacking for now however.

WPA-EAP with a TLS-based method is an interesting alternative for WPA3-SAE-PK with password identifiers:

WPA-EAP with a TLS-based method has several benefits over WPA3-SAE-PK with password identifiers:

One drawback of EAP methods is that provisioning is more cumbersome compared to EAP-personal:

Appendix, OWE

OWE (Opportunistic Wireless Encryption) aka Enhanced Open is a replacement for open Wifi networks. Open Wifi networks are not protected (no authentication, no encryption). OWE networks are still open (anyone can join the network) but provide opportunistic encryption (based on an unauthenticated Diffie-Hellman key exchange) in order to protect against (passive) eavesdropping.

Summary: OWE

  • opportunistic encryption based on an ephemeral Diffie-Hellman key exchange (DHE);
  • no authentication;
  • does not protect against AP impersonation, active attackers;
  • forward secrecy (no long term secret).

Sequence diagram for the OWE association

Appendix, protocol stacks

                            [ ... ]
                            [ EAP / MS-CHAPv2 / ...  ]
                            [ Diameter AVP           ]
               [ mTLS    ]  [ TLS                    ]
               [ EAP-TLS ]  [ EAP-TTLS               ] [ EAP-PSK ]     [ IP                 ]
               [ EAPOL   ]  [ EAPOL                  ] [ EAPOL   ]     [ SNAP               ]
               [ SNAP    ]  [ SNAP                   ] [ SNAP    ]     [ LLC                ]
               [ LLC     ]  [ LLC                    ] [ LLC     ]     [ TKIP / CCMP / GCMP ]
 [ Wifi     ]  [ Wifi    ]  [ Wifi                   ] [ Wifi    ]     [ Wifi               ]
 WPA-Personal    WPA-EAP             WPA-EAP             WPA-EAP           Protected
    Auth.         Auth.              Auth.                Auth.     =>       Wifi
 (PSK or SAE)    EAP-TLS             EAP-TTLS            EAP-PSK              
Protocol stacks for different WPA authentication modes

Appendix, configuration

| Software       | Password identifiers | SAE-PK               |
|----------------|----------------------|----------------------|
| wpa_supplicant | v2.8+ (2019-04-21)   | v2.10+ (2022-01-16)  |
| hostapd        | v2.7+ (2018-12-02)   | v2.10+ (2022-01-16)  |
| NetworkManager | N/A                  | N/A                  |

Configuration of wpa_supplicant

In wpa_supplicant, SAE password identifiers can be set using the sae_password_id=my_identifier parameter.

In wpa_supplicant, the station will automatically try to use SAE-PK if the sae_password looks like a SAE-PK password. We can force the usage of SAE-PK by setting sae_pk=1. There does not seem to be any way to explicitly provision the AP public key.

Configuration of hostapd

hostapd supports multiple PSKs using the wpa_psk_file configuration. Alternatively hostapd supports receiving the password or the PSK/MSK from the RADIUS server through the Tunnel-Password RADIUS attribute in the Access-Accept reply message: this value may be influenced by the MAC address of the station which is sent to the RADIUS server in the Calling-Station-Id attribute. Multiple Tunnel-Password RADIUS attributes may be returned in order to support several PSKs.

We can specify different passwords associated with different SAE password identifiers with sae_password=my_password|id=my_identifier.

SAE-PK support may be configured using: sae_password=hbbi-f4xq-b45g|pk=...

Terminology

MSK (Master Session Key): shared secret (between the AP/authenticator and the station/supplicant) generated as the result of the EAP authentication.

TKIP (Temporal Key Integrity Protocol): encryption protocol used with WPA1.

CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol): encryption protocol used with WPA2.

GCMP (Galois/Counter Mode Protocol): encryption protocol used with WPA3.

PSK (Pre-shared key): secret (shared between the AP and the station) derived from the Wifi network passphrase. This method is used for WPA-personal in WPA1 and WPA2.

Snonce, Anonce: nonces chosen by the station and AP respectively in the four-way handshake. They provide protection against replay attacks.

SA: MAC Address of the Station.

AA: MAC Address of the Access Point.

PMK (Pairwise Master Key): secret shared between the AP and the station and used to derive other keys. In WPA-PSK, this is the PSK and is (usually) shared for all stations. In other cases, the PMK is usually different for each Wifi connection.

PTK (Pairwise Transient Key): another shared secret between the station and the AP. This key is divided into KCK, KEK and TK.

KCK (Key Confirmation Key): key used for computing the MIC in the four-way handshake in order to confirm the key.

KEK (Key encryption key): used by the AP to encrypt the GTK and send it to the station.

TK (Transient Key): key used for encryption and data authentication (MAC) of the unicast traffic. When using the TKIP encryption (WPA1), this is divided into TEK and TMK.

GTK (Group Transient Key): used to protect multicast traffic, generated/chosen by the AP and sent in encrypted form to the stations.

References


  1. In WPA-PSK, any user in possession of the shared passphrase can passively eavesdrop on the communication (at the Wifi level) and impersonate the AP. In general, the passphrase is shared by all users on the network as there is no notion of login in WPA-PSK.

  2. By default, WPA3-SAE does not send any login (like WPA-PSK). WPA3-SAE can optionally support “password identity” (i.e. a login) in order to support multiple users/passwords on the same network. This password identity is sent by the client in cleartext in its SAE Commit message.

  3. With WPA3-SAE (as with WPA-PSK), any user in possession of the shared passphrase can impersonate the AP. However, WPA3-SAE has optional support for a password identifier (login) which can be used to have a different password for different users.

  4. In EAP-TLS the client identity is sent within its X.509 certificate.

    In TLS v1.2 and below, the certificate is usually transmitted in cleartext. However, EAP-TLS explicitly describes the usage of TLSv1.2 post-handshake renegotiation when the client identity must be protected: in this case, the client certificate is sent after the TLS handshake and encrypted by TLS.

    In TLS v1.3, the client certificate is always sent encrypted.

  5. The TLS-based EAP methods will usually provide forward secrecy assuming the key exchange method/ciphersuite used provides forward secrecy. However, using TLS session resumption might adversely affect forward secrecy in TLS v1.2 and below.

  6. PEAP, EAP-FAST and TEAP are similar to EAP-TTLS. They tunnel some inner authentication over a TLS tunnel. Usually this is an inner-EAP authentication method (such as PAP, CHAP, MSCHAPv2, EAP-GTC) which would be insecure if it was used directly.

  7. In EAP-PWD, anyone in possession of the user's passphrase can impersonate the AP for this user. If the user shares his personal passphrase or if the user's passphrase is compromised, the AP can be impersonated.

  8. If the 4-way handshake has not been observed, a deauthentication attack can be used to force the station to create a new association.

  9. You can use wpa_passphrase SUPERSSID iloveyou to generate the PSK from the SSID and passphrase. In this example, this gives c5d7ead6446974cd91befde13ef0df28140bf0733599b77b490fb70fbbfb7bf0.

  10. The two nonces (one chosen by the AP and the other by the station) protect against replay attacks and guarantee that the key material is different for each connection.

  11. Unless your DNS traffic is protected for example with DNS-over-TLS (DoT), DNS-over-DTLS, DNS-over-HTTPS (DoH), DNS-over-QUIC (DoQ), etc.

  12. Unless your TLS clients are using Encrypted ClientHello (ECH).

  13. EAP is an extensible authentication framework which can support a variety of authentication methods (EAP methods).

  14. The SAE password is (very) roughly a hash of the SSID, the AP public key and a modifier M encoded in base32 with a dash every four characters. It looks something like hbbi-f4xq-b45g or hbbi-f4xq-b457-jjew-muey-fod3.