
WPA 3 - Improvements over WPA 2 or broken again?

Maximilian Appel, Dr.-Ing. Stephan Guenther∗


∗ Chair of Network Architectures and Services, Department of Informatics
Technical University of Munich, Germany
Email: [email protected], [email protected]

Seminar IITM SS 20, Network Architectures and Services, November 2020, doi: 10.2313/NET-2020-11-1_02

Abstract—Due to the widespread usage of WiFi, securing it is and will continue to be an important task. After it was signed into IEEE 802.11 in 2004, WPA2 became the commonly used encryption standard for WiFi networks, replacing WPA, which had originally been conceived as a temporary solution. Its successor WPA3 was released in June 2018. At the time of writing it has not found widespread adoption yet. This paper aims to provide an overview of the designs of WPA2 and WPA3, including their currently known vulnerabilities, and tries to come to a conclusion on whether WPA3 is still a viable successor or whether it has already been compromised beyond repair.

Index Terms—wireless networks, WPA2, WPA3, Encryption, KRACK-Attack, Dragonblood-Attack

1. Introduction

Created as a guideline for wirelessly connected networks in 1997, IEEE 802.11 also defined security protocols for such networks and as such has been revised multiple times in reaction to emerging technologies and attack methods. The original security mechanism WEP was replaced in 2003 in favor of the then new WPA. The main reason for this was the discovery of major weaknesses in the RC4 encryption algorithm that WEP was based on. However, this was only an intermediate measure meant to strengthen security while a full amendment to the standard was being created. The full standard was signed in 2004 as IEEE 802.11i, more commonly known as WPA2. This amendment officially deprecated WEP and even forbids its implementation in new devices. However, because of the higher hardware requirements of its successors, it partially remains in use to this day. In 2018 WPA3 was announced as the replacement for WPA2, meant to solve known problems and vulnerabilities. The full protocol was released in June 2018 and is, at the time of writing, the currently recommended security standard for wireless networks. The rest of this paper first provides a detailed description of WPA2 and WPA3. This is followed by a brief analysis of the currently known vulnerabilities of each of them. It is then concluded with a discussion on whether or not WPA3 is still a viable security scheme. [1]

2. WPA2

Signed as IEEE 802.11i in 2004, WPA2 marked a large step forward not only in terms of security, but also in terms of hardware demands. The main reason for the latter is the utilization of Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which uses the Advanced Encryption Standard (AES) block cipher for its data encryption. Both are described in more detail in the following sections. The Temporal Key Integrity Protocol (TKIP) is still available under WPA2 in order to provide backward compatibility to WPA capable devices that possess insufficient processing power for AES.

[Figure 1: diagram showing the steps of the four-way handshake. Client -> AP: join request; AP -> Client: acknowledge request; AP generates Anonce and sends it (Msg. 1); Client generates Snonce, builds PTK & MIC and sends Snonce, MIC (Msg. 2); AP builds and validates PTK, encrypts GTK and sends the encrypted GTK (Msg. 3); Client decrypts GTK, installs PTK & GTK and sends Confirm (Msg. 4); AP installs PTK.]

2.1. Authentication

WPA2 handles authentication via two separate types of keys, which are used for the encryption and decryption of messages. Pairwise Transient Keys (PTKs) are used for unicast messages and as such are only known to the AP and a single client. The other type is the Groupwise Transient Key (GTK), a single key that is used for multicasts and broadcasts and is therefore known to the AP and all clients in the network. In order to generate and distribute these keys, WPA2 uses two separate handshake protocols. The so called four-way handshake is executed first and generates and distributes the PTK. A simple handshake that is secured with the individual client's PTK is used to update and distribute the GTK from the AP to the clients. The four-way handshake (see figure 1) begins under the assumption that both the client and the AP possess a shared Pairwise Master Key (PMK), which consists of a PBKDF2 function value of the network's
passphrase, the network's Service Set Identifier (SSID) and the Hash-based Message Authentication Code (HMAC) function used to stretch the passphrase. First the client sends a connection request to the AP, which is then answered with an acknowledgment. Afterwards the AP generates a nonce (Anonce), a randomly generated value that prevents message replay attacks, and sends it to the client. The client then generates a nonce of its own (Snonce) and uses it to generate the PTK by concatenating both nonces, the PMK and the MAC addresses of both AP and client. In the next step the client uses the PTK to generate a Message Integrity Code (MIC) and then sends the Snonce along with it to the AP. The AP then uses the received Snonce to generate the PTK in the same way the client did. After that it uses the PTK and the Snonce to derive a MIC, which is then compared to the MIC that was received with the Snonce. If either of the nonces was manipulated by an attacker, the MICs will not match and the handshake is aborted. Due to the random nonces' role in the generation process, the generated PTK will always be unique for the individual session. At the end of the four-way handshake, the AP uses the freshly established PTK to safely transmit the current GTK. This completes the client's authentication. [2]

2.2. AES

The Advanced Encryption Standard (AES) defines a secure block cipher encryption algorithm. AES was chosen in 2001 at the end of the AES selection process as the standard for safe encryption by the US government. AES supports various key sizes (128 bit, 192 bit and 256 bit) and handles data in blocks. The block size is independent of the chosen key size. A complex algorithm is used to expand the initial key into several 128 bit keys. All but one of these keys are then used in separate encryption rounds, each of which consists of three substitutions and one permutation. The total number of rounds depends on the used key size (see table 1). The remaining unused key is later used to start the decryption process. [1], [3]

TABLE 1: Number of encryption rounds for AES key sizes

AES key size    Number of rounds
128 bit         10
192 bit         12
256 bit         14

2.3. CCMP

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an implementation of the standards of the IEEE 802.11i amendment. It protects the confidentiality of the data by using AES in counter mode and uses CBC-MACs to assure the authenticity and integrity of the messages. It therefore provides protection for confidentiality, authenticity and integrity. The protocol first takes a key, which in WPA2's case is either a PTK or the GTK, and additional data necessary for the protocol and runs them through AES in counter mode. Counter mode refers to a specific algorithm that turns a block cipher into a stream cipher. The keystream generated in this way is then combined with the plaintext in an XOR operation to build the encrypted ciphertext (see figure 2). [1]

2.4. Vulnerabilities

This section provides a brief overview of WPA2's known weaknesses. For the sake of brevity, we are limiting this section to attacks on APs that require no prior knowledge of the password. We are also excluding the KRACK exploit, because patches that secure APs against it are available under WPA2.

2.4.1. Deauthentication Attack.

Session management frames are system messages between clients and APs used for communication. One type of management frame is the de-authentication frame, which is normally sent by client or AP to signal the end of a session. Under WPA2, session management frames are sent without authentication. By spoofing the client's and the AP's MAC address and then sending false de-authentication frames, an attacker can cause both AP and client to cease communication with each other. [1]

2.4.2. Handshake Capture Dictionary Attack.

The four-way handshake generates the PTK by combining two randomly generated nonces with the otherwise completely static PMK. Because the nonces are sent in plaintext, an attacker can gain enough information to perform offline dictionary and brute-force attacks against the passphrase by eavesdropping on a successful handshake. In theory this still requires an attacker to wait for a handshake that he can capture. However, by using the previously mentioned deauthentication attack to disconnect an already authenticated client, the attacker is able to force the client to perform a four-way handshake, which he then can capture. [1]

2.4.3. PMKID Hash Dictionary Attack.

During the authentication phase of WPA2, but before the actual four-way handshake, the AP sends the client an Extensible Authentication Protocol over LAN (EAPOL) frame. This frame contains the titular Pairwise Master Key Identification (PMKID). The PMKID is a hash value derived from the PMK, a static string, the client's MAC address and the AP's MAC address. An attacker can use the PMKID to perform dictionary and brute-force attacks against the network's passphrase by simply calculating the hash with a candidate passphrase and comparing the result with the PMKID. [1]

3. WPA3

Published in 2018, WPA3 mostly builds upon its predecessor and as such only makes minor changes to the decryption standards. For the sake of brevity this paper only focuses on the big changes in the authentication protocol. This is then followed by a description of the relatively recently discovered vulnerabilities: the Dragonblood attacks.
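As an added illustration of the CCMP mechanism described in section 2.3 (example code written for this page, not from the paper or from any WPA2 implementation): counter mode turns a block function into a keystream that is XORed with the plaintext, and a CBC-MAC over the frame header and the plaintext yields the MIC. Because Python's standard library has no AES, a keyed 16-byte PRF built from HMAC-SHA256 stands in for the AES block encryption, so the output is not interoperable with real CCMP; the key, nonce, header and payload are constructed values, and the B0/AAD header layout is simplified.

```python
import hashlib
import hmac

BLOCK = 16       # AES block size in bytes
MIC_LEN = 8      # CCMP carries a 64-bit MIC


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (constructed for this example).
    Counter mode and CBC-MAC use only the forward direction of the cipher, so a
    keyed 16-byte pseudo-random function is enough to show the mechanics."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def counter_block(nonce: bytes, counter: int) -> bytes:
    # flags || 13-byte nonce || 2-byte counter = one 16-byte block
    return b"\x01" + nonce + counter.to_bytes(2, "big")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: encrypt counter blocks 1, 2, ... and concatenate the outputs.
    Counter 0 is reserved for masking the MIC, as in CCM."""
    out = bytearray()
    counter = 1
    while len(out) < length:
        out += block_encrypt(key, counter_block(nonce, counter))
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % BLOCK)


def cbc_mac(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """CBC-MAC over a length-framed header block, the additional authenticated
    data (the frame header) and the plaintext: each block is XORed into the
    running state before it is encrypted. Header layout simplified vs. real CCMP."""
    b0 = b"\x59" + nonce + len(plaintext).to_bytes(2, "big")
    data = pad(b0 + pad(len(aad).to_bytes(2, "big") + aad) + plaintext)
    state = b"\x00" * BLOCK
    for i in range(0, len(data), BLOCK):
        state = block_encrypt(key, xor(state, data[i:i + BLOCK]))
    return state[:MIC_LEN]


def ccmp_encrypt(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Returns ciphertext || masked MIC. Ciphertext length equals plaintext length."""
    assert len(nonce) == 13
    mic = cbc_mac(key, nonce, aad, plaintext)
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    mask = block_encrypt(key, counter_block(nonce, 0))[:MIC_LEN]
    return ct + xor(mic, mask)


def ccmp_decrypt(key: bytes, nonce: bytes, aad: bytes, blob: bytes):
    """Returns the plaintext, or None if the MIC does not verify (drop the frame)."""
    ct, masked_mic = blob[:-MIC_LEN], blob[-MIC_LEN:]
    mask = block_encrypt(key, counter_block(nonce, 0))[:MIC_LEN]
    plaintext = xor(ct, keystream(key, nonce, len(ct)))
    expected = xor(masked_mic, mask)
    if not hmac.compare_digest(cbc_mac(key, nonce, aad, plaintext), expected):
        return None
    return plaintext


# Constructed sample values, not real keys or frames
TK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")                     # temporal key
NONCE = b"\x00" + bytes.fromhex("aabbccddeeff") + (7).to_bytes(6, "big")  # prio||A2||PN
HEADER = b"constructed 802.11 header"                                       # authenticated only
PAYLOAD = b"constructed unicast payload"

if __name__ == "__main__":
    frame = ccmp_encrypt(TK, NONCE, HEADER, PAYLOAD)
    print(ccmp_decrypt(TK, NONCE, HEADER, frame) == PAYLOAD)
```

A frame whose ciphertext, header or MIC has been altered decrypts to None and must be dropped rather than passed up the stack. The keystream depends only on the key and the nonce, so the packet number inside the nonce must never repeat under the same temporal key: counter mode gives no confidentiality for two frames encrypted under the same counter block.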

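The PMK, PTK and MIC derivation of section 2.1, together with the PMKID of section 2.4.3, as an added example written for this page (not taken from the paper). The PBKDF2, PRF-384 and HMAC-SHA1-128 constructions are the standard IEEE 802.11i ones for WPA2-Personal with CCMP as I know them; the SSID, passphrase, MAC addresses, nonces and EAPOL frame body are constructed sample values.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), the
    WPA2-Personal derivation from IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, 2,
    concatenated and truncated to the 48-byte PTK used with CCMP."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3)]
    return b"".join(blocks)[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MAC addresses (AA = AP, SPA = client) and both nonces.
    The min/max ordering makes the input symmetric, so AP and client agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)


def kck(ptk: bytes) -> bytes:
    """First 16 bytes of the PTK: the Key Confirmation Key that keys the MIC
    (followed by 16 bytes KEK for wrapping the GTK and 16 bytes TK for CCMP)."""
    return ptk[:16]


def eapol_mic(key_confirmation_key: bytes, eapol_frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-SHA1 truncated
    to 16 bytes for the CCMP/AKM 2 case."""
    return hmac.new(key_confirmation_key, eapol_frame, hashlib.sha1).digest()[:16]


def client_msg2(pmk, aa, spa, anonce, snonce, frame_without_mic):
    """Client side of message 2: derive the PTK and attach a MIC to the frame."""
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return frame_without_mic, eapol_mic(kck(ptk), frame_without_mic)


def ap_validates_msg2(pmk, aa, spa, anonce, snonce, frame_without_mic, received_mic) -> bool:
    """AP side: rebuild the PTK from the received SNonce and compare MICs in
    constant time. A mismatch aborts the handshake."""
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck(ptk), frame_without_mic), received_mic)


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). Everything except the
    PMK is public, which is why section 2.4.3 treats it as an offline check."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


# Constructed sample values, not a real network
SSID = "ExampleNet"
PASSPHRASE = "correct horse battery staple"
AA = bytes.fromhex("020000000001")        # AP MAC (locally administered, constructed)
SPA = bytes.fromhex("020000000002")       # client MAC (constructed)
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
MSG2 = b"constructed EAPOL-Key msg 2 body with MIC field zeroed" + SNONCE

if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    frame, mic = client_msg2(pmk, AA, SPA, ANONCE, SNONCE, MSG2)
    print(ap_validates_msg2(pmk, AA, SPA, ANONCE, SNONCE, frame, mic))
    print(pmkid(pmk, AA, SPA).hex())
```

The AP-side check makes the point of sections 2.4.2 and 2.4.3 concrete: apart from the PMK, every input to the MIC and to the PMKID travels in the clear, and a wrong PMK is rejected deterministically, so the only secret in the whole derivation is the passphrase-derived PMK. Passphrase strength therefore decides WPA2-Personal's resistance to the offline attacks the paper lists.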
[Figure 2: diagram showing the encryption process with CCMP. The PTK or GTK and the additional counter-mode data are fed into AES in counter mode; the resulting keystream is XORed with the plaintext to produce the ciphertext.]

3.1. Authentication

WPA3 changes the authentication protocol by adding an additional layer of security in the form of the Simultaneous Authentication of Equals (SAE) handshake, a variant of the Dragonfly Handshake. The Dragonfly Handshake was originally developed by Dan Harkins in 2008 as a Password Authenticated Key Exchange (PAKE) for mesh networks and as such turns a shared plaintext password into a secure cryptographic key. Dragonfly supports Elliptic Curve Cryptography (ECC) and Finite Field Cryptography (FFC). Because ECC is the more common option and because of the general similarities between the two, this paper only contains a description of ECC.

3.1.1. Elliptic Curve Cryptography.

Dragonfly uses elliptic curves over a prime field (ECP groups) in its ECC mode. ECP groups are defined over a prime p and the parameters a and b of the polynomial

    y^2 = (x^3 + a·x + b) mod p

The key is generated out of the shared password by calculating a combined hash over the pre-shared password, an incrementing counter and the identities (IDs) of the client and the AP. In WPA3 the identities are the client's MAC address and the AP's MAC address. That hash is then used as the x value in an attempt to find a corresponding y value. If that attempt is unsuccessful, the hash is recalculated with an increased counter, and another attempt is made with the new x value. This strategy is repeated until a y value is found. The calculated point (x,y) is then used as the password (P) in the Dragonfly Handshake. [4]

3.1.2. The Dragonfly Handshake.

The handshake consists of two phases. The commit phase occurs first and can be initiated by either party, although in WPA3-Personal the client will always send the first commit, while in enterprise mode the RADIUS server commits first. For the commits each of the peers chooses two random values within the interval [2,p], a private r_i and a mask m_i such that s_i = r_i + m_i ∈ [2,p]. They then calculate the value E_i = −m_i · P and send it along with their respective s_i to each other. After having received the commit frames, both participants validate the received values and abort the entire handshake in the case of an incorrect value. In the confirm phase the parties use the exchanged data to calculate the secret point K with the formula K = r_i · (s_j · P + E_j) (i denoting the party's own values and j denoting the received values) and hash its x coordinate to get the key k. They then calculate an HMAC c_i over all the data that has been generated and exchanged during the handshake, utilizing k as key. The parties then exchange and check their corresponding c_i's in a confirm frame, which is discarded in the case of an unexpected value. If the values are correct, the handshake has succeeded and k is the resulting key (see figure 3). [4]

The key k is then used as the PMK in WPA2's four-way handshake, which is now more secure than before due to the much higher entropy of the PMK. This also enables backward compatibility with devices that are unable to perform the calculations necessary for the Dragonfly Handshake, by setting the AP into a Transition-Mode that merely advertises the Dragonfly Handshake as part of optional Management Frame Protection (MFP) to the clients, although actually all WPA3 capable devices are forced to use MFP, despite it being advertised as optional. [1]

[Figure 3: a diagram detailing the WPA3 SAE Handshake between a connecting client and an AP. In theory either party can initiate the handshake, but we assume the standard case of the client sending the first commit. The calculations shown assume that an ECP group is used.]

3.2. Dragonblood

The Dragonblood attacks refer to a number of weaknesses in the WPA3 security scheme's personal mode. They were published by Mathy Vanhoef and Eyal Ronen in April 2019. Dragonblood consists of several different types of attacks.

3.2.1. Downgrade Attacks.

Downgrade attacks target WPA3 networks that are set into the earlier mentioned transition mode. Normally this mode allows devices that are incompatible with the SAE protocol to still connect to the AP under WPA2, while forcing all devices that are able to do so to use WPA3. However, by setting up an impostor network with the same ID that only supports WPA2, even WPA3 capable clients are tricked into using WPA2. By catching parts of the WPA2 handshake, the attacker is once again able to perform dictionary and brute-force attacks against the passwords of WPA3 networks. [4]
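The hunting-and-pecking derivation of section 3.1.1 and the commit and confirm phases of section 3.1.2, as one added, runnable model (example code written for this page, not the paper's and not any SAE implementation's). It uses the real NIST P-256 parameters (the ECP group WPA3-Personal mandates), but the password-to-x hashing, the choice of y and the confirm HMAC layout are simplified relative to RFC 7664 and IEEE 802.11, so it does not interoperate with real SAE; MAC addresses and passphrases are constructed.

```python
import hashlib
import hmac
import secrets

# NIST P-256, the ECP group (group 19) WPA3-Personal mandates for SAE
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # group order


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + a·x + b mod p; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x ** 3 - A * x - B) % P == 0


def password_element(password, id_a, id_b, rounds=40):
    """Hunting and pecking (section 3.1.1): hash password, counter and both identities
    to a candidate x; accept the first x for which x^3 + a·x + b is a square mod p.
    The loop always runs `rounds` times so its duration does not reveal how early the
    password succeeded. Seed and KDF are simplified relative to RFC 7664."""
    ids = max(id_a, id_b) + min(id_a, id_b)
    found = None
    for counter in range(1, rounds + 1):
        seed = hmac.new(ids, password + bytes([counter]), hashlib.sha256).digest()
        x = int.from_bytes(seed, "big") % P
        v = (x ** 3 + A * x + B) % P
        y = pow(v, (P + 1) // 4, P)            # square root since p ≡ 3 mod 4 for P-256
        if found is None and (y * y) % P == v:
            if (y & 1) != (seed[-1] & 1):       # pick the root whose parity matches the seed
                y = P - y
            found = (x, y)
    return found


def commit(pw_elem):
    """Commit phase: random private r and mask m, scalar s = r + m mod q, element E = -m·P."""
    r = 2 + secrets.randbelow(Q - 2)
    m = 2 + secrets.randbelow(Q - 2)
    m_p = ec_mul(m, pw_elem)
    return r, ((r + m) % Q, (m_p[0], (-m_p[1]) % P))


def commit_is_valid(s, elem):
    """Validation before use: scalar in range and element actually on the curve."""
    return 1 < s < Q and on_curve(elem)


def shared_key(r_own, peer_commit, pw_elem):
    """K = r_i · (s_j · P + E_j) = r_i · r_j · P; k is the hash of K's x coordinate."""
    s_j, e_j = peer_commit
    k_point = ec_mul(r_own, ec_add(ec_mul(s_j, pw_elem), e_j))
    return hashlib.sha256(k_point[0].to_bytes(32, "big")).digest()


def confirm_value(k, own_commit, peer_commit):
    """c_i = HMAC_k over the exchanged commit data, own scalar and element first."""
    def encode(c):
        s, (x, y) = c
        return b"".join(v.to_bytes(32, "big") for v in (s, x, y))
    return hmac.new(k, encode(own_commit) + encode(peer_commit), hashlib.sha256).digest()


def sae_handshake(pw_client, pw_ap, mac_client, mac_ap):
    """Runs both sides; returns the agreed key, or None if either side aborts."""
    pe_c = password_element(pw_client, mac_client, mac_ap)
    pe_a = password_element(pw_ap, mac_client, mac_ap)
    r_c, commit_c = commit(pe_c)
    r_a, commit_a = commit(pe_a)
    if not (commit_is_valid(*commit_c) and commit_is_valid(*commit_a)):
        return None
    k_c = shared_key(r_c, commit_a, pe_c)
    k_a = shared_key(r_a, commit_c, pe_a)
    c_c = confirm_value(k_c, commit_c, commit_a)
    c_a = confirm_value(k_a, commit_a, commit_c)
    # Each side recomputes the peer's confirm value and discards the frame on mismatch.
    if not hmac.compare_digest(c_a, confirm_value(k_c, commit_a, commit_c)):
        return None
    if not hmac.compare_digest(c_c, confirm_value(k_a, commit_c, commit_a)):
        return None
    return k_c


CLIENT_MAC = bytes.fromhex("020000000002")   # constructed
AP_MAC = bytes.fromhex("020000000001")       # constructed

if __name__ == "__main__":
    print(sae_handshake(b"constructed pass", b"constructed pass", CLIENT_MAC, AP_MAC).hex())
```

Running the handshake twice with the same passphrase yields different keys, since r and m are fresh each time, and a passphrase mismatch makes the confirm check fail without either side learning anything about the other's passphrase. The fixed iteration count in password_element is the countermeasure that the side-channel discussion in section 3.2 is about: if the loop stopped at the first success, the time it takes and the memory it touches would depend on the password.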

3.2.2. Security Group Downgrade Attack.

During the commit phase of the Dragonfly Handshake, the initiator, which in the case of WPA3 is usually the client, sends its first commit frame with its preferred security group. If the AP does not support this specific security group, it answers with a decline message, forcing the client to use a different, possibly less secure group instead. This is repeated until the AP accepts the offered group. By catching the client's commits and sending fake denial messages, an attacker is able to force the client into using a group of his choice. [4]

3.2.3. Cache-Based Side-Channel Attack.

These attacks require an attacker to be able to observe the memory access pattern of one of the parties of the Dragonfly Handshake. The memory access patterns during the generation of a commit frame allow an attacker to gain information about the used password. This information can be used for dictionary attacks that compare the observed patterns with the expected patterns of a password to be guessed. [4]

3.2.4. Timing-Based Side-Channel Attack.

When using certain security groups, the time it takes for an AP to respond to a commit frame depends on the used password. This leaked information allows an attacker to perform a variant of the dictionary attack, by comparing the expected time for a password with the AP's actual response time. [4]

3.2.5. Denial-of-Service Attack.

Due to the high computational cost of the Dragonfly Handshake's commit phase, an attacker can very easily overload an AP by sending bogus commit frames. This leads to high CPU usage on the AP, which in turn can cause delays in or even prevent the regular use of the AP. These attacks can be worsened, depending on if and how defenses against the previously described side-channel attacks are implemented, due to the additional computations those defenses require. [4]

3.2.6. Possible Fixes.

The downgrade attack against the transition mode, while in theory only temporary, is still highly problematic, because the adoption of WPA3 to the point of the full deprecation of WPA2 is expected to take at least several years. Until that point, however, most WPA3 networks will likely be used in transition mode, meaning that unless this vulnerability is closed, all of these APs will be vulnerable to dictionary and brute-force attacks. As already mentioned and shown by the follow-up research made after the original publication, implementing WPA3 with defenses against the currently known side-channel attacks without introducing new ones has proven rather difficult and tedious. The defenses have also been shown to increase WPA3's already high computational requirements even further, which poses a problem for devices that are unable to implement them. [4]

4. Conclusion

WPA3 was meant to solve most of the vulnerabilities that WPA2 had. None of the known WPA2 specific attack methods went unaddressed, and all of the vulnerabilities described in the WPA2 section 2.4 were fixed. Due to the additional security provided by the Dragonfly Handshake, it was considered to be almost impossible to crack the password of a WPA3 network. However, Dragonblood revealed major flaws within the WPA3 security scheme that in our opinion cast serious doubt on its long-term viability as a security standard. At the time of writing WPA3 is prone to implementation errors, which make side-channel attacks possible. In addition to that, WPA3 also has two known conceptual faults that make the side-channel leaks even worse. Although technically temporary, the downgrade attack against the transition mode remains especially worrisome, since transition mode can be expected to be the most common use case for at least the next several years. In total, all of these vulnerabilities make dictionary and brute-force attacks on the passphrase once again possible, negating one of the biggest advantages WPA3 had over WPA2. All of this has led us to believe that WPA3 in its current form should not be a long-term solution and either has to be amended in order to fix the currently known problems or possibly even abandoned in favor of an alternative improved scheme. Implementing additional defenses under WPA3 has proven to be problematic and even partially impossible on already existing WPA3 hardware, meaning that expensive hardware upgrades might become necessary. All of this makes WPA3's future seem highly uncertain, as it will depend on the feasibility of possible solutions, which warrants further research. Despite these issues with WPA3, our conclusion is still that WPA3 is a considerable improvement over WPA2 in terms of security and should remain in service for the time being.

References

[1] T. H. Christopher P. Kohlios, "A Comprehensive Attack Flow Model and Security Analysis for Wi-Fi and WPA3," Electronics, vol. 7, no. 11, 2018.
[2] M. Gast, 802.11 Wireless Networks: The Definitive Guide, 2nd edn. O'Reilly Media, Inc., 2005.
[3] "FIPS PUB 197: Announcing the ADVANCED ENCRYPTION STANDARD (AES)," November 2001. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
[4] M. Vanhoef and E. Ronen, "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd," in IEEE Symposium on Security & Privacy (SP). IEEE, 2020.
