
WIR-101 Week 6 — WPA3-SAE and the Dragonblood Disclosures


"SAE replaces the pre-shared key exchange with a zero-knowledge proof. Knowing the passphrase is not enough -- you have to be there for the exchange." — Wi-Fi Alliance WPA3 Specification, §3.2


Lecture (50 min)

6.1 WPA3-SAE: What Changed

WPA3-Personal uses Simultaneous Authentication of Equals (SAE) in place of WPA2's 4-way handshake PSK mode. SAE is based on the Dragonfly key exchange (IETF RFC 7664), which is a balanced Password Authenticated Key Exchange (PAKE).

The key properties SAE provides that WPA2-PSK does not:

Forward Secrecy: each SAE exchange produces a fresh session key using ephemeral randomness. Capturing a year of WPA3 traffic and later obtaining the passphrase does not let you decrypt the previously captured traffic. WPA2-PSK had no forward secrecy -- the PMK is static and the PTK is deterministic from the PMK + captured nonces.

Offline dictionary attack immunity: with WPA2-PSK, the attacker captures the 4-way handshake (or PMKID) and runs the dictionary attack offline at GPU speed. With WPA3-SAE, the attacker cannot verify a passphrase candidate without interacting with the AP for each candidate. The AP rate-limits SAE attempts; there is no offline attack equivalent.

Equal authentication: both sides prove knowledge of the passphrase without one side having a privileged role. In WPA2-PSK, the AP sends the ANonce first (without proving it knows the PSK), and the client's MIC in Message 2 proves knowledge -- the AP verifies but never had to prove its own knowledge.

6.2 SAE Exchange: Commit-Confirm

The SAE handshake has two phases:

Commit phase:

  1. Both sides independently map the passphrase + their MAC addresses to a point on an elliptic curve (or an element in a finite field). This is the "Password Element" (PWE), computed using a hash-to-curve algorithm.
  2. Each side generates a random scalar (private key) and computes a group element (public key) commitment.
  3. Each side sends: (scalar, group_element). No information about the password is revealed by this transmission.
  4. Both sides compute a shared secret using the DH-like combination of their scalar, the other's scalar, and both elements.
  5. The shared secret + MAC addresses + scalars + elements together produce the PMK.

Confirm phase:

  • Each side computes a confirmation value (HMAC of the exchange parameters) using the derived PMK.
  • Exchange of confirmations proves that both sides derived the same PMK without revealing it.

The key feature: if an attacker captures the commit and confirm messages, they have the scalars, elements, and confirmation HMAC -- but these do not let them verify a passphrase candidate without solving the ECDH problem.
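The commit/confirm flow above as an added worked example (not code from the course materials or from the 802.11 specification): a toy Dragonfly/SAE run over a small finite-field group, where the only values that go on the air are each side's (scalar, element) pair and its confirm HMAC. The group parameters, MAC addresses, KDF labels and 2-byte encodings are constructed for illustration; real SAE uses NIST P-256 or a large MODP group and the KDF defined in 802.11.

```python
import hashlib, hmac, secrets
# Toy group, constructed for illustration only: real SAE uses NIST P-256 or a
# 2048-bit-or-larger MODP group. P is a safe prime, so Q = (P-1)/2 is prime.
P, Q = 4079, 2039

def derive_pwe(password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """Hunting-and-pecking, FFC mode: hash password||counter keyed by the sorted
    MAC pair, lift into the order-Q subgroup, stop at the first usable value."""
    hi, lo = max(mac_a, mac_b), min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hmac.new(hi + lo, password + bytes([counter]), hashlib.sha256).digest()
        pwe = pow(int.from_bytes(seed, "big") % P, (P - 1) // Q, P)
        if pwe > 1:                        # 0 and 1 are not usable generators
            return pwe
    raise ValueError("no PWE found")

def commit(pwe: int):
    """Commit: secret rand and mask; only (scalar, element) go on the air."""
    rand, mask = 2 + secrets.randbelow(Q - 2), 2 + secrets.randbelow(Q - 2)
    scalar = (rand + mask) % Q
    element = pow(pwe, Q - mask, P)        # PWE^(-mask): mask blinds rand
    return rand, scalar, element

def shared_secret(pwe: int, rand: int, peer_scalar: int, peer_element: int) -> int:
    """k = (PWE^peer_scalar * peer_element)^rand = PWE^(rand * peer_rand) mod P."""
    return pow(pow(pwe, peer_scalar, P) * peer_element % P, rand, P)

def derive_keys(k: int, scalar: int, peer_scalar: int):
    """KCK (authenticates the confirms) and PMK from k and the scalar sum."""
    ctx = ((scalar + peer_scalar) % Q).to_bytes(2, "big")
    out = hmac.new(k.to_bytes(2, "big"), b"SAE KCK and PMK" + ctx, hashlib.sha256).digest()
    return out[:16], out[16:]

def confirm(kck: bytes, s_own: int, e_own: int, s_peer: int, e_peer: int) -> bytes:
    """Confirm: HMAC over both commits under the KCK; proves the same PMK."""
    msg = b"".join(v.to_bytes(2, "big") for v in (s_own, e_own, s_peer, e_peer))
    return hmac.new(kck, msg, hashlib.sha256).digest()

def run_handshake(pw_sta: bytes, pw_ap: bytes, mac_sta=b"\x02" * 6, mac_ap=b"\x04" * 6):
    """Full exchange; returns (ap_accepts_sta, sta_accepts_ap, pmks_match)."""
    pwe_sta, pwe_ap = derive_pwe(pw_sta, mac_sta, mac_ap), derive_pwe(pw_ap, mac_ap, mac_sta)
    r_sta, s_sta, e_sta = commit(pwe_sta)
    r_ap, s_ap, e_ap = commit(pwe_ap)
    kck_sta, pmk_sta = derive_keys(shared_secret(pwe_sta, r_sta, s_ap, e_ap), s_sta, s_ap)
    kck_ap, pmk_ap = derive_keys(shared_secret(pwe_ap, r_ap, s_sta, e_sta), s_ap, s_sta)
    c_sta = confirm(kck_sta, s_sta, e_sta, s_ap, e_ap)   # STA -> AP
    c_ap = confirm(kck_ap, s_ap, e_ap, s_sta, e_sta)     # AP -> STA
    ap_ok = hmac.compare_digest(c_sta, confirm(kck_ap, s_sta, e_sta, s_ap, e_ap))
    sta_ok = hmac.compare_digest(c_ap, confirm(kck_sta, s_ap, e_ap, s_sta, e_sta))
    return ap_ok, sta_ok, pmk_sta == pmk_ap
```

A mismatched passphrase produces different PWEs, so the two sides derive unrelated k values and both confirms fail to verify, while a passive observer holds only scalars, elements and HMACs.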

6.3 Dragonblood: CVE-2019-9494 and CVE-2019-9496

In April 2019, Mathy Vanhoef and Eyal Ronen disclosed the Dragonblood vulnerabilities in WPA3-SAE implementations (not in the SAE specification itself).

CVE-2019-9494 -- Timing side-channel in PWE generation:

The SAE "hunting-and-pecking" algorithm for computing the Password Element iterates through candidate values until it finds one that maps to a valid curve point. The number of iterations depends on the password and the MAC address. An attacker who can measure the time the commit phase takes (or observe power consumption) can narrow down which iteration count occurred, which constrains the password.

Modern implementations mitigate this by:

  1. Switching from hunting-and-pecking to hash-to-curve (RFC 9380), which runs in constant time
  2. Updated Wi-Fi Alliance certification requirements issued after Dragonblood
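The iteration-count leak behind CVE-2019-9494, as an added illustration that is not the page's or any vendor's code: an early-exit hunting-and-pecking loop whose trip count depends on the password, beside the fixed-trip-count form (k = 40, the loop count 802.11 specifies) that keeps the first hit by arithmetic selection instead of an early return. The toy curve, password strings and MAC bytes are constructed; Python gives no constant-time guarantee, and on real hardware the quadratic-residue test inside the loop still leaks, which is why the fix is hash-to-curve rather than a fixed loop count alone.

```python
import hashlib, hmac

# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over F_P, constructed for
# illustration (real SAE uses NIST P-256). Only the "is this x on the curve?"
# test matters here: it is a quadratic-residue check by Euler's criterion.
P, A, B = 2039, -3, 7
K = 40   # fixed loop count the 802.11 hunting-and-pecking procedure uses

def candidate_x(password: bytes, macs: bytes, counter: int) -> int:
    """Candidate x-coordinate for one loop iteration (password + MACs + counter)."""
    seed = hmac.new(macs, password + bytes([counter]), hashlib.sha256).digest()
    return int.from_bytes(seed, "big") % P

def on_curve(x: int) -> bool:
    """True if x^3 + A*x + B is a square mod P, i.e. a point with this x exists."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

def pwe_leaky(password: bytes, macs: bytes):
    """Early-exit loop: returns (x, iterations_run). The trip count equals the
    position of the first hit, which depends on the password: that count is the
    quantity a timing measurement of the commit phase recovers."""
    for counter in range(1, K + 1):
        x = candidate_x(password, macs, counter)
        if on_curve(x):
            return x, counter
    raise ValueError("no point found in K iterations")

def pwe_fixed(password: bytes, macs: bytes):
    """Always runs all K iterations and keeps the first hit by arithmetic
    selection rather than a data-dependent branch or early return."""
    found, x_out = 0, 0
    for counter in range(1, K + 1):
        x = candidate_x(password, macs, counter)
        hit = int(on_curve(x)) & (1 - found)   # 1 only on the first hit
        x_out = x_out * (1 - hit) + x * hit    # latch x without branching
        found |= hit
    return x_out, K

def iteration_profile(passwords, macs: bytes) -> dict:
    """Map each password to the loop count the leaky form would expose."""
    return {pw: pwe_leaky(pw, macs)[1] for pw in passwords}
```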

CVE-2019-9496 -- Side-channel in confirmation failure handling:

The timing of the "confirmation failure" response leaks whether the scalar + element in the commit message produced a valid PWE. An attacker making many carefully crafted commit attempts can use timing differences to perform an offline dictionary attack despite SAE's design.

Practical impact: the Dragonblood vulnerabilities are implementation-level, not specification-level. Fully patched WPA3 implementations (2020 and later) are not vulnerable. The primary lesson for security professionals: a cryptographically correct specification does not guarantee a secure implementation. Timing attacks, power analysis, and fault injection are implementation concerns.

6.4 FragAttacks: CVE-2020-24586/24587/24588 and Variants

In 2021, Mathy Vanhoef disclosed FragAttacks -- 12 vulnerabilities affecting virtually every Wi-Fi device released in the past 20 years, regardless of whether it uses WEP, WPA, WPA2 or WPA3.

Three design flaws (present since 802.11 ratification in 1997):

  • CVE-2020-24586: fragment caching -- old fragments from a previous session can be injected into a new one
  • CVE-2020-24587: mixed key attacks -- an attacker can cause a receiver to reassemble a fragmented frame using fragments protected by different keys
  • CVE-2020-24588: aggregation attack -- an attacker can inject plaintext into an aggregated frame

Nine implementation flaws in specific vendor chipsets and drivers were also disclosed.

The most dangerous FragAttack variant allows an attacker in range to inject arbitrary plaintext packets (e.g., DNS responses, TCP resets) into a WPA2/WPA3 session. Exploitation requires the attacker to be in RF range and either be on the same L2 network (for injection) or use the design-flaw variants.

Mitigation: vendor firmware patches. Monitoring the 2.4/5 GHz spectrum remains the only way to detect active exploitation.

6.5 Comparative Attack Surface Table

  Attribute                  | WEP                    | WPA2-PSK                | WPA3-SAE
  ---------------------------+------------------------+-------------------------+----------------------------------
  Encryption                 | RC4 + IV (24-bit)      | AES-CCMP                | AES-CCMP
  Offline dictionary attack  | Yes (IVs only needed)  | Yes (handshake capture) | No (requires live AP interaction)
  Forward secrecy            | No                     | No                      | Yes
  MFP (Deauth protection)    | No                     | Optional                | Mandatory
  Client capture required    | No                     | No (PMKID)              | No
  Known critical vulns       | FMS, PTW, Chopchop     | Dragonblood N/A         | Dragonblood (patched in 2020+)
  FragAttacks                | Yes                    | Yes                     | Yes

Midterm Week

Lab 6 is the midterm. No separate lab file. See the Instructor Guide for midterm format.


Homework

Reading (45 min): Read the Dragonblood paper abstract + Section 3 (the timing attack) at dragonblood.info (linked from course portal). You do not need to understand the elliptic curve math; focus on the side-channel mechanism and the mitigation.

Hands-on (60 min): Using the provided WPA3-SAE capture file, open it in Wireshark. Find the SAE Commit frames (wlan.rsn.akms.type == 8). Compare the frame structure to a WPA2 4-way handshake: which fields are present in WPA2 but absent in SAE? Which new fields does SAE introduce? Write a 1-page comparison.


Toolchain Diary Entry

First introduced this week: Wireshark RSN IE dissector, wpa_supplicant debug mode

wpa_supplicant -Dnl80211 -iwlan0 -c wpa3.conf -d: run wpa_supplicant in debug mode (-d) to observe SAE commit/confirm exchange messages in real time.

Wireshark filter for SAE frames: wlan.rsn.akms.type == 8 (RSN AKM Suite OUI 00:0F:AC type 8 = SAE).


Key Terms

  • SAE: Simultaneous Authentication of Equals; balanced PAKE used in WPA3-Personal; eliminates offline dictionary attacks
  • Dragonfly (RFC 7664): the key exchange algorithm underlying SAE; provides mutual authentication and forward secrecy
  • PWE: Password Element; the point on an elliptic curve (or element in a finite field) derived from the passphrase and both MAC addresses; the foundation of SAE's security
  • Forward secrecy: property where compromise of long-term secrets (passphrase) does not expose previously captured session traffic
  • PAKE: Password-Authenticated Key Exchange; a protocol where both sides authenticate using a shared password without revealing the password
  • Dragonblood: 2019 disclosure of timing + cache side-channels in WPA3-SAE implementations; patched in 2020+; does not break the SAE specification
  • FragAttacks: 2021 disclosure of design + implementation flaws in 802.11 fragmentation/aggregation; affects all Wi-Fi security generations; mitigated by vendor firmware patches