Impact of the different Wifi security modes
Comparing the different Wifi/WPA authentication and key distribution methods (PSK, EAP, SAE).
Overview
The following table summarizes the different options:
- the “user identity” column indicates whether any user identity (login) is used and how it is transmitted;
- the “passive eavesdropping” column indicates whether an attacker can passively eavesdrop on the communications;
- the “Evil Twin AP” column indicates whether an active attacker can impersonate the Access Point (AP) and man-in-the-middle (MITM) the communications;
- the “forward secrecy” column indicates whether forward secrecy is provided.
Type | Mode | User identity | Passive eavesdropping | Evil Twin AP | Forward secrecy |
---|---|---|---|---|---|
Open | Open Network | no | Yes | Yes | No |
Open | OWE | no | No | Yes | Yes |
Personal | WPA-PSK | no | By users[1] | By users[1] | No |
Personal | WPA-PSK with PPSK | MAC address (usually) | For a single passphrase | For a single passphrase | No |
Personal | WPA3-SAE | no or cleartext[2] | No | By users[3] | Yes |
Personal | WPA3-SAE-PK | no or cleartext[2] | No | No | Yes |
Enterprise | WPA-EAP EAP-TLS | cleartext or protected[4] | No | No | Usually[5] |
Enterprise | WPA-EAP EAP-TTLS [6] | protected | No | No | Usually[5] |
Enterprise | WPA-EAP EAP-PWD | cleartext | No | No[7] | Yes |
WPA-personal using PSK (WPA-PSK)
The typical personal Wifi network uses PSK (Pre-Shared Key). In order to connect using PSK authentication, you only need the network SSID and a passphrase. The same passphrase is usually shared for all the stations/users.
Summary: WPA-PSK
- mutual authentication based on a PSK (usually derived from a passphrase);
- the PSK can be used for passive eavesdropping (assuming the 4-way handshake has been observed[8]);
- can be provisioned using Wifi URIs (usually represented as a QR-code).
Limitations:
- usually the same passphrase/PSK is shared for all users;
- anyone knowing the passphrase can impersonate the AP;
- no easy way to revoke the access to a single user;
- no forward secrecy (with respect to the PSK).
A pre-shared key (PSK) is derived from the passphrase and the SSID using PBKDF2[9]:
PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)
This PSK is then combined with two nonces[10] and the two MAC addresses (AA, SA) in order to derive fresh key material for this connection.
Anyone in possession of the passphrase/PSK can derive the key material of other connections (as long as he has observed the two nonces in the 4-way handshake). This is problematic since the same passphrase is usually shared for all users. If you share your WPA2-personal passphrase with someone, this person can decrypt your Wifi communications. Everything which is not protected by other protocols (such as TLS, SSH, a VPN, etc.) can be eavesdropped. This typically includes the IP addresses and ports of the machines you are communicating with and the server names of the machines you are communicating with (through DNS requests[11], through TLS SNI[12]).
In addition, an attacker could record your (encrypted) Wifi communications before he manages to get your passphrase. If at a later time, he is able to guess/recover your password, he would be able to decrypt your recorded/previous communications as well (lack of forward secrecy).
Moreover, as the passphrase is usually global for the Wifi network, it is usually not possible to revoke the access for a single user: the global passphrase must be changed if any user access has to be revoked.
Note: workarounds for supporting multiple passphrases/PSKs
WPA-PSK does not provide any means for the station to specify a login/username. Several possible workarounds can be used to support multiple passphrases/PSKs on the same network.
The AP can use a different passphrase/PSK depending on the MAC address of the station. This may be called PPSK (private PSK), Identity PSK, ePSK, Multi-PSK, Dynamic-PSK™.
It is possible to support several PSKs for the same MAC address (or without any MAC address based dispatching at all). When the AP receives EAPOL-Key #2, it can try the different PSKs until the MIC passes.
Passive eavesdropping and AP impersonation are possible within a single PSK/passphrase group (i.e. it is not a problem as long as the PSK is not shared).
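The key derivation chain described above and the Multi-PSK lookup on EAPOL-Key #2, as an added example (not code from the original page or from hostapd). It assumes WPA2 with CCMP, so the PTK is 384 bits and the MIC is HMAC-SHA1 truncated to 128 bits; the SSID, MAC addresses, nonces and passphrases are constructed, and FRAME2 is an opaque stand-in for the real EAPOL-Key #2 bytes with a zeroed MIC field.

```python
import hashlib
import hmac

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1 blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def derive_ptk(pmk: bytes, aa: bytes, sa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Mix PMK, both MAC addresses and both nonces; split into KCK, KEK, TK."""
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    """MIC of an EAPOL-Key frame (WPA2/CCMP): HMAC-SHA1 cut to 128 bits."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]

def match_psk(psk_table: dict, aa, sa, anonce, snonce, frame_mic_zeroed, mic):
    """AP side of Multi-PSK: try each PSK until the MIC of message 2 passes."""
    for name, psk in psk_table.items():
        kck = derive_ptk(psk, aa, sa, anonce, snonce)["KCK"]
        if hmac.compare_digest(eapol_mic(kck, frame_mic_zeroed), mic):
            return name
    return None  # no known PSK produced this MIC: reject the station

# Constructed sample values (not taken from a real capture).
SSID = "ExampleNet"
AA = bytes.fromhex("020000000001")      # AP MAC address
SA = bytes.fromhex("020000000002")      # station MAC address
ANONCE = bytes(range(32))               # real nonces are random
SNONCE = bytes(range(32, 64))
FRAME2 = b"constructed EAPOL-Key #2 body with zeroed MIC field"
PSK_TABLE = {
    "alice": derive_psk("alice-passphrase", SSID),
    "bob": derive_psk("bob-passphrase", SSID),
}

def station_mic(passphrase: str, snonce: bytes = SNONCE) -> bytes:
    """Station side: MIC placed in EAPOL-Key #2 for the given passphrase."""
    kck = derive_ptk(derive_psk(passphrase, SSID), AA, SA, ANONCE, snonce)["KCK"]
    return eapol_mic(kck, FRAME2)

if __name__ == "__main__":
    for secret in ("alice-passphrase", "bob-passphrase", "wrong-passphrase"):
        who = match_psk(PSK_TABLE, AA, SA, ANONCE, SNONCE, FRAME2, station_mic(secret))
        print(f"{secret!r:22} -> {who}")
    # Same PSK, fresh nonce: the key material differs per connection ...
    tk1 = derive_ptk(PSK_TABLE["alice"], AA, SA, ANONCE, SNONCE)["TK"]
    tk2 = derive_ptk(PSK_TABLE["alice"], AA, SA, ANONCE, bytes(32))["TK"]
    print("TK changes with the nonce:", tk1 != tk2)
    # ... but every input except the PSK is visible in the handshake, so
    # sharing the passphrase shares the ability to recompute the TK.
```

The only secret input to derive_ptk is the PSK, which is why per-user PSKs confine the exposure to a single passphrase group.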
WPA-enterprise (WPA-EAP)
Summary: WPA-EAP
- can accommodate different credentials for different users;
- usually protects against passive eavesdropping;
- usually protects against AP impersonation;
- usually provides forward secrecy (depending on the EAP method, etc.).
Before WPA3, all those limitations could be avoided by using WPA-Enterprise (WPA-EAP). As WPA-EAP is intended to be used in professional settings, it supports different credentials for different users.
WPA-EAP works by doing an EAP authentication[13] over Wifi.
The EAP method exports some key material (shared secret), the Master Session Key (MSK), resulting from the authentication. This key material is used in the 4-way handshake to generate the different keys for the Wifi connection.
Note: EAP and AAA
When using EAP, the authentication is usually forwarded by the AP to some authentication server.
Most of the time the RADIUS authentication protocol is used:
- The EAP messages are transmitted between the AP and the AAA server over RADIUS using the EAP-Message RADIUS attribute.
- If the authentication is successful, the RADIUS server sends the computed MSK to the AP. This is usually done using both the MS-MPPE-RECV-Key (which contains the first 32 bytes of the MSK, i.e. the PMK in WPA) and the MS-MPPE-SEND-Key (next 32 bytes) RADIUS attributes.
In the Diameter protocol, the EAP-Master-Session-Key attribute is defined to transport the full MSK.
We highlight some interesting EAP methods below.
EAP-TLS
The EAP-TLS method uses a TLS handshake (over EAP over Wifi) with mutual authentication: both the server and the client have their own (public/private) key pair (and the associated certificate chain) in order to authenticate themselves.
Summary: WPA with EAP-TLS
- TLS with mutual authentication over EAP over Wifi
- both the authenticator/AP and the supplicant/station are authenticated at the TLS layer:
  - the server authenticates itself using its keypair and the associated certificates,
  - the client authenticates itself as well using its keypair and the associated certificates;
- in TLS v1.2, the client certificate (containing the client identity) is typically sent in cleartext;
- with TLS v1.3, the client certificate is always sent encrypted;
- forward secrecy is provided if a key exchange method/ciphersuite providing forward secrecy is used.
EAP-TTLS
The EAP-TTLS (Tunneled TLS) method uses a TLS connection over EAP over Wifi as well. The server is authenticated at the TLS layer (using its key pair and certificate chain) as before. The difference with EAP-TLS is that the client is authenticated using some inner authentication protocol which is protected by the TLS tunnel.
Summary: WPA with EAP-TTLS
- some tunnelled/inner authentication protocol over TLS over EAP over Wifi;
- the tunnelled/inner authentication protocol may be EAP with another EAP method (such as EAP-GTC) or something else (such as PAP, CHAP, MSCHAPv2);
- the station/user is often authenticated using a login and password;
- the station/user identity is protected by the TLS layer;
- forward secrecy is provided if a key exchange method/ciphersuite providing forward secrecy is used.
Note: similar EAP methods
The PEAP, EAP-FAST and TEAP methods are similar to EAP-TTLS. They use a TLS connection to protect some inner authentication protocol.
Warning: vulnerability in PEAPv0 and PEAPv1
PEAPv0 and PEAPv1 have a MITM vulnerability when the same authentication method (and the same credentials) is used at the same time as inner authentication method in PEAP and without protection. In this case, a MITM could intercept the unprotected authentication and inject it into the PEAP tunnel in order to complete the PEAP authentication. This is fixed in PEAP v2.
EAP-PWD
The EAP-PWD method provides mutual authentication between the supplicant and the authenticator based on a shared password. This EAP method is based on the Dragonfly key exchange which protects against passive and active attacks and provides forward secrecy.
Summary: WPA with EAP-PWD
- the station/user is authenticated using a login and password;
- no client identity (login) protection;
- if the user password is shared or compromised, it may be used to impersonate the AP for this user;
- forward secrecy is provided.
Note: similar EAP methods
The EAP-EKE method uses a similar approach but uses the EKE (Encrypted Key Exchange) protocol instead of Dragonfly. It is supposed to provide the same kind of guarantees as EAP-PWD (protection against passive and active attacks, forward secrecy).
WPA-personal using SAE (WPA-SAE)
WPA3 introduces WPA3-SAE (Simultaneous Authentication of Equals) as a replacement for WPA-PSK for personal mode. Like EAP-PWD, it is based on the Dragonfly key exchange which protects against passive and active attacks and provides forward secrecy.
Summary: WPA3-SAE
- replacement for WPA-PSK in WPA3 (WPA3-personal mode);
- authentication based on a passphrase (no login);
- usually the same passphrase is shared for all users (but optional support for explicit login through password identifiers);
- provides forward secrecy;
- does not protect from AP impersonation (see WPA3-SAE-PK for this);
- passphrase, SSID, password identifier and network public key can be provisioned using Wifi URIs (usually represented as a QR-code).
This diagram is based on the diagram in the Dragonblood paper.
Password identifiers
Summary: WPA3-SAE with password identifiers
- password identifier serves as a login (cleaner support for multiple users with different passphrases);
- password identifier sent in cleartext (in the station SAE Commit message);
- prevents AP impersonation by other users as long as the passphrase is not shared or compromised;
- password identifier can be provisioned using QR-code (Wifi URIs), with the I: parameter.
SAE-PK
SAE-PK (SAE with Public Key Authentication) is an extension of SAE. With plain SAE, any user can impersonate the AP. This is especially problematic in public Wifi networks. SAE-PK associates an ECDSA (public/private) key pair to the AP: this key pair is used to authenticate the access point.
When using SAE-PK, the password is derived[14] from the AP public key: it cannot be chosen arbitrarily.
The station is provisioned with:
- the SSID;
- the SAE-PK password;
- optionally, the public key (usually through a QR code);
- optionally, a password identifier.
If the station does not know the public key, it may be validated based on the SAE password.
Summary: WPA3-SAE-PK
- adds authentication of the AP based on a public key of the AP;
- prevents impersonation of the AP by users sharing the same passphrase (or compromised passphrase);
- the password is derived from the AP public key;
- can be provisioned using Wifi URIs (QR-code), with the K: parameter (which contains the SubjectPublicKeyInfo encoded in base64).
Summary: WPA3-SAE-PK with password identifiers
- SAE-PK and password identifiers can be used at the same time;
- different password identifiers can use either the same or different public keys (https://www.wi-fi.org/system/files/WPA3%20Specification%20v3.3.pdf#page=17);
- even if the same public key is used for different password identifiers, the associated password can be different.
Conclusion
WPA3-SAE and WPA-EAP with EAP-PWD are quite similar:
- both are using a Dragonfly-like exchange (password-based) which provides forward secrecy;
- EAP-PWD supports multiple users and WPA3-SAE has optional support for multiple users (using password identifiers); in both cases the login/password identifier is sent in cleartext.
WPA-SAE can be provisioned through Wifi URIs (QR-code). However, WPA-SAE is currently not widely supported: EAP-PWD seems to be more widely supported for now.
WPA3-SAE-PK prevents AP impersonation in case the same passphrase is shared or compromised and can be provisioned through Wifi URIs (QR-code). Such a feature is not available in EAP-PWD. WPA3-SAE-PK can be used with password identifiers as well. Support for WPA3-SAE-PK seems to be lacking for now however.
WPA-EAP with a TLS-based method is an interesting alternative to WPA3-SAE-PK with password identifiers:
- both provide forward secrecy (assuming a good TLS key exchange method is used);
- both have a strong AP authentication in order to prevent AP impersonation.
WPA-EAP with a TLS-based method has several benefits over WPA3-SAE-PK with password identifiers:
- the station/user identity is usually protected (but not for EAP-TLS with TLS v1.2);
- WPA-EAP is currently more widely supported than WPA3-SAE-PK;
- TLS is widely understood/used.
One drawback of EAP methods is that provisioning is more cumbersome compared to WPA-personal:
- WPA-EAP cannot be provisioned through Wifi URIs (QR-code);
- TLS-based EAP methods may require the provisioning of a trust root (CA certificate) for the server/authenticator certificate chain;
- EAP-TLS requires the provisioning of a client key pair and certificate as well.
Appendix, OWE
OWE (Opportunistic Wireless Encryption), aka Enhanced Open, is a replacement for open Wifi networks. Open Wifi networks are not protected (no authentication, no encryption). OWE networks are still open (anyone can join the network) but provide opportunistic encryption (based on an unauthenticated Diffie-Hellman key exchange) in order to protect against (passive) eavesdropping.
Summary: OWE
- opportunistic encryption based on an ephemeral Diffie-Hellman key exchange (DHE);
- no authentication;
- does not protect against AP impersonation, active attackers;
- forward secrecy (no long term secret).
Appendix, protocol stacks
Appendix, configuration
Software | Password identifiers | SAE-PK |
---|---|---|
wpa_supplicant | v2.8+ (2019-04-21) | v2.10+ (2022-01-16) |
hostapd | v2.7+ (2018-12-02) | v2.10+ (2022-01-16) |
NetworkManager | N/A | N/A |
Configuration of wpa_supplicant
In wpa_supplicant, SAE password identifiers can be set using the sae_password_id=my_identifier parameter.
In wpa_supplicant, the station will automatically try to use SAE-PK if the sae_password looks like a SAE-PK password. We can force the usage of SAE-PK by setting sae_pk=1. There does not seem to be any way to explicitly provision the AP public key.
Configuration of hostapd
hostapd supports multiple PSKs using the wpa_psk_file configuration. Alternatively, hostapd supports receiving the password or the PSK/MSK from the RADIUS server through the Tunnel-Password RADIUS attribute in the Access-Accept reply message: this value may be influenced by the MAC address of the station, which is sent to the RADIUS server in the Calling-Station-Id attribute. Multiple Tunnel-Password RADIUS attributes may be returned in order to support several PSKs.
We can specify different passwords associated with different SAE password identifiers with sae_password=my_password|id=my_identifier.
SAE-PK support may be configured using: sae_password=hbbi-f4xq-b45g|pk=...
Terminology
MSK (Master Session Key): shared secret (between the AP/authenticator and the station/supplicant) generated as the result of the EAP authentication.
TKIP (Temporal Key Integrity Protocol): encryption protocol used with WPA1.
CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol): encryption protocol used with WPA2.
GCMP (Galois/Counter Mode Protocol): encryption protocol used with WPA3.
PSK (Pre-shared key): secret derived (between the AP and the station) from the Wifi network passphrase. This method is used for WPA-personal in WPA1 and WPA2.
Snonce, Anonce: nonces chosen by the station and AP respectively in the four-way handshake. They provide protection against replay attacks.
SA: MAC Address of the Station.
AA: MAC Address of the Access Point.
PMK (Pairwise Master Key): secret shared between the AP and the station and used to derive other keys. In WPA-PSK, this is the PSK and is (usually) shared for all stations. In other cases, the PMK is usually different for each Wifi connection.
PTK (Pairwise Transient Key): another shared secret between the station and the AP. This key is divided into KCK, KEK and TK.
KCK (Key Confirmation Key): key used for computing the MIC in the four-way handshake in order to confirm the key.
KEK (Key encryption key): used by the AP to encrypt the GTK and send it to the station.
TK (Transient Key): key used for encryption and data authentication (MAC) of the unicast traffic. When using the TKIP encryption (WPA1), this is divided into TEK and TMK.
GTK (Group Transient Key): used to protect multicast traffic, generated/chosen by the AP and sent in encrypted form to the stations.
References
- Specification of WPA 2.0
- Specification of WPA 3.0
- Specification of WPA 3.1
- Specification of WPA 3.2
- Specification of WPA 3.3
- PCAP file for WPA-PSK
- PCAP file for WPA-EAP
- RFC 8110, OWE
- WPA3-SAE in Action
- Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd and associated slides
- PEAP: Pwned Extensible Authentication Protocol
- EAP-PWD - Wifi security done right
- RFC 5931, EAP-PWD
- KRACK Attacks, Breaking WPA2
- A Chosen Random Value Attack on WPA3 SAE authentication protocol
- Attacking WPA3: New Vulnerabilities & Exploit Framework
- Analysis of Protected Management Frames and WPA3's SAE-PK
- Wi-Fi security – WEP, WPA and WPA2
- Wi-Fi Alliance® Wi-Fi® Security Roadmap and WPA3™ Updates
- RFC 5216, EAP-TLS
- RFC 9190, EAP-TLS for TLSv1.3
- RFC 5281, EAP-TTLSv0
- draft for EAP-TTLSv1
- PEAP v0 (draft)
- PEAP v1 (draft)
- PEAP v2 (draft)
- RFC 4851, EAP-FAST
- RFC 7170, TEAP
- RFC 9190, EAP-TLSv1.3
- RFC 9427, EAP with TLS1.3
- RFC 5931, EAP-PWD , mutual authentication and forward secrecy based on Dragonfly
- RFC 8146, salted password extension for EAP-PWD
- RFC 6124, EAP-EKE
- RFC 3748, EAP
- RFC 2759, MSCHAPv2
- 802.11-2016
- Next Gen Wi-Fi Security: WPA3, Enhanced Open, DPP
- RFC 4017, requirements for EAP for WLAN
- Wifi Easy Connect Specification v2.0
- Wifi Easy Connect Specification v3.0
- RFC 2865, RADIUS
- RFC 3733, Diameter
- RFC 4072, Diameter for EAP
- RFC 3579, RADIUS Support for EAP
- Extensible Authentication Protocol (EAP) Registry
- NIST SP 800-153 : Guidelines for Securing Wireless Local Area Networks (WLANs)
- Example wpa_supplicant configuration file
- Wi-Fi security - WEP, WPA and WPA2
[1] In WPA-PSK, any user in possession of the shared passphrase can passively eavesdrop on the communication (at the Wifi level) and impersonate the AP. In general, the passphrase is shared by all users on these networks as there is no notion of login in WPA-PSK.
[2] By default, WPA3-SAE does not send any login (like WPA-PSK). WPA3-SAE can optionally support “password identity” (i.e. a login) in order to support multiple users/passwords on the same network. This password identity is sent by the client in cleartext in its SAE Commit message.
[3] With WPA3-SAE (as with WPA-PSK), any user in possession of the shared passphrase can impersonate the AP. However, WPA3-SAE has optional support for a password identifier (login) which can be used to have a different password for different users.
[4] In EAP-TLS the client identity is sent within its X.509 certificate. In TLS v1.2 and below, the certificate is usually transmitted in cleartext. However, EAP-TLS explicitly describes the usage of TLSv1.2 post-handshake renegotiation when the client identity must be protected: in this case, the client certificate is sent after the TLS handshake and encrypted by TLS. In TLS v1.3, the client certificate is always sent encrypted.
[5] The TLS-based EAP methods will usually provide forward secrecy assuming the key exchange method/ciphersuite used provides forward secrecy. However, using TLS session resumption might adversely affect forward secrecy in TLS v1.2 and below.
[6] PEAP, EAP-FAST and TEAP are similar to EAP-TTLS. They tunnel some inner authentication over a TLS tunnel. Usually this is an inner-EAP authentication method (such as PAP, CHAP, MSCHAPv2, EAP-GTC) which would be insecure if it was used directly.
[7] In EAP-PWD, anyone in possession of the user's passphrase can impersonate the AP for this user. If the user shares his personal passphrase or if the user's passphrase is compromised, the AP can be impersonated.
[8] If the 4-way handshake has not been observed, a deauthentication attack can be used to force the station to create a new association.
[9] You can use wpa_passphrase SUPERSSID iloveyou to generate the PSK from the SSID and passphrase. In this example, this gives c5d7ead6446974cd91befde13ef0df28140bf0733599b77b490fb70fbbfb7bf0.
[10] The two nonces (one chosen by the AP and the other by the station) protect against replay attacks and guarantee that the key material is different for each connection.
[11] Unless your DNS traffic is protected for example with DNS-over-TLS (DoT), DNS-over-DTLS, DNS-over-HTTPS (DoH), DNS-over-QUIC (DoQ), etc.
[12] Unless your TLS clients are using Encrypted ClientHello (ECH).
[13] EAP is an extensible authentication framework which can support a variety of authentication methods (EAP methods).
[14] The SAE password is (very) roughly a hash of the SSID, the AP public key and a modifier M encoded in base32 with a dash every four characters. It looks something like hbbi-f4xq-b45g or hbbi-f4xq-b457-jjew-muey-fod3.