N10-009 | Chapter 133 of 163 | Objective 4.5

WPA3 Protocol: SAE, Forward Secrecy

This chapter covers WPA3's Simultaneous Authentication of Equals (SAE) handshake and its forward secrecy property—critical enhancements over WPA2 that address vulnerabilities like offline dictionary attacks and KRACK. For the N10-009 exam, expect 2-3 questions on WPA3 features, SAE operation, and how forward secrecy improves wireless security. Understanding SAE's cryptographic steps and its contrast with WPA2's 4-way handshake is essential for Objective 4.5 (Network Security).

Updated May 31, 2026

Shared Secret Handshake with Fresh Key Exchange

Imagine two people, Alice and Bob, who work in a secure facility and need to establish a private conversation each time they meet. They start with a shared secret phrase that both know (the pre-shared key). However, instead of using that phrase directly to encrypt their conversation, they use it only as a starting point for a more secure process. Alice and Bob each generate a unique, temporary random number (their private key) and compute a public value from it. They exchange these public values. Then, using their own private random number and the other's public value, each independently calculates the same shared secret session key. This is like each person writing a number on a piece of paper, swapping papers, and then combining their own secret number with the received number to get a result that only they could both compute. Importantly, even if an attacker overhears the entire exchange, they cannot derive the session key because they don't have the private random numbers. Moreover, if the attacker somehow learns one session key, they cannot use it to break future or past sessions because each session uses fresh random numbers. This is the core of SAE: a password-authenticated key exchange that provides forward secrecy, ensuring that compromising the long-term secret (the password) does not compromise past or future session keys.

How It Actually Works

1. The Problem: WPA2's Vulnerabilities

WPA2 uses the 4-way handshake based on the Pre-Shared Key (PSK). The PSK is derived from the SSID and password. During the handshake, the Authenticator (AP) and Supplicant (client) exchange nonces and Message Integrity Codes (MICs). An attacker who captures the four handshake messages can perform an offline dictionary attack: try guessed passwords, compute the PSK, and verify the MIC. This attack is computationally feasible and is the basis for tools like aircrack-ng. Additionally, WPA2 lacks forward secrecy: if the PSK is compromised, all past and future session keys can be derived.

2. WPA3 and SAE: The Solution

WPA3, ratified in 2018 (IEEE 802.11-2016 amendment), introduces SAE (Simultaneous Authentication of Equals) as the handshake protocol for WPA3-Personal. SAE is defined in IEEE 802.11-2016 section 12.4. It is based on the Dragonfly Key Exchange (RFC 7664), which uses a Password-Authenticated Key Exchange (PAKE) protocol. SAE provides:

Resistance to offline dictionary attacks: The password is never directly transmitted or used in a verifiable way during the handshake.

Forward secrecy: Compromising the password does not allow decryption of past or future sessions.

Mutual authentication: Both parties prove knowledge of the password without revealing it.

3. SAE Handshake: Step-by-Step Mechanics

SAE operates in two phases: the Commit phase and the Confirm phase.

Phase 1: Commit. Both the client and AP independently generate a random private value (called a scalar and an element). They compute a public commitment using the password. The commitment is a one-way function that cannot be reversed. They exchange these commitments. Each party then uses its own private value and the other's commitment to compute a shared secret (the Pairwise Master Key, PMK). Because the computation involves the password, only parties who know the password can compute the same PMK.

Phase 2: Confirm. Both parties exchange confirmation messages that prove they computed the same PMK. This is done by sending a key confirmation key (KCK) derived from the PMK. If the confirmations match, authentication succeeds.

Cryptographic Details: SAE uses a finite cyclic group (e.g., an elliptic curve group like ECC group 19 (256-bit) or group 21 (521-bit)). The password is encoded into a point on the curve using a password-based key derivation function (PBKDF2). The scalar is a random integer; the element is a random point on the curve. The commitment is calculated as a function of the scalar, element, and password encoding.

Forward Secrecy: Each SAE exchange generates a fresh PMK. Even if an attacker learns the password, they cannot derive the PMK for any session without also knowing the ephemeral private values (scalar and element) used in that session. These ephemeral values are discarded after the handshake. Therefore, past sessions remain secure.

4. Key Parameters and Defaults

Group: SAE supports multiple groups. The default group for WPA3 is ECC group 19 (256-bit prime modulus). Group 21 (521-bit) is also supported for higher security. The AP advertises the group in the Beacon and Probe Response frames.

Password: Must be at least 8 characters (though best practice is 12+). The password is case-sensitive and can include spaces.

Anti-clogging tokens: To prevent denial-of-service attacks, SAE uses anti-clogging tokens. Before the Commit phase, the AP may require the client to solve a computational puzzle (a hashcash-like token) to prove it is not a malicious source.

Retry limits: If authentication fails, the client must wait a minimum time (e.g., 100 ms) before retrying, to slow down brute-force attempts.

5. Configuration Examples

On a typical enterprise WLC (e.g., Cisco 9800) or a small business AP (e.g., Ubiquiti UniFi), enabling WPA3 is straightforward:

! Cisco WLC CLI example for WPA3-Personal
config wlan security wpa3 1 enable
config wlan security wpa3 sae 1 enable
config wlan security wpa3 sae password 1 MySecurePassword123

On a Linux host using wpa_supplicant, the configuration file (e.g., /etc/wpa_supplicant/wpa_supplicant.conf) includes:

network={
    ssid="MyWPA3Network"
    key_mgmt=SAE
    pairwise=CCMP
    group=CCMP
    ieee80211w=2
    sae_password="MySecurePassword123"
}

Note: ieee80211w=2 mandates Protected Management Frames (PMF), which is required for WPA3. PMF ensures management frames are encrypted, preventing spoofing and deauthentication attacks.

6. Interaction with Related Technologies

WPA3-Enterprise: Uses 802.1X with EAP-TLS or other strong EAP methods. SAE is not used; instead, the handshake is similar to WPA2-Enterprise but with mandatory PMF and GCMP-256 encryption.

WPA3-Transition Mode: Allows mixed WPA2 and WPA3 clients on the same SSID. The AP advertises both WPA2 and WPA3 capabilities. WPA2 clients use the 4-way handshake; WPA3 clients use SAE. This mode is insecure because attackers can force clients to downgrade to WPA2. The exam tests that transition mode is a temporary measure and should be phased out.

Protected Management Frames (PMF): WPA3 mandates PMF (802.11w). PMF encrypts unicast management frames and provides integrity for broadcast management frames. This prevents deauthentication attacks and other management frame exploits.

Opportunistic Wireless Encryption (OWE): Used in WPA3-Open (formerly WPA2-Open). OWE provides encryption without authentication. It uses Diffie-Hellman key exchange to derive a session key. It is not related to SAE but is part of the WPA3 family.

7. Verification Commands

On a client, you can verify the connection uses WPA3:

# On Windows:
netsh wlan show interfaces
# Look for "Authentication: WPA3-Personal"

# On Linux (wpa_supplicant):
wpa_cli -i wlan0 status
# Look for "key_mgmt=SAE"

# On macOS:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
# Look for "link auth: wpa3"

On the AP, logs show SAE handshake success:

# Example from a Cisco AP
*Mar  1 02:30:45.123: %WLC-6-SAE_AUTH_SUCCESS: Client 00:11:22:33:44:55 authenticated via SAE on WLAN 1

Walk-Through

1. Client and AP discover capabilities

The client listens for Beacon frames or sends Probe Requests. The AP advertises its WPA3 capabilities in the Robust Security Network (RSN) Information Element (IE) within Beacons and Probe Responses. The RSN IE includes the AKM suite type (00-0F-AC:8 for SAE) and the cipher suites (CCMP-128 or GCMP-256). The client selects the highest mutually supported security. If the client supports SAE and the AP advertises it, the client proceeds with SAE. The AP may also include an anti-clogging token requirement in the Beacon if it is under DoS attack.

2. Anti-clogging token exchange (optional)

If the AP is experiencing high authentication load, it may include a cookie (anti-clogging token) in the Beacon or Probe Response. The client must include this cookie in its Commit frame. The token is a random value that the AP can validate quickly without storing state. This prevents attackers from flooding the AP with Commit frames. If the client does not include a valid token, the AP drops the frame. This step is not always present; it depends on AP load.

3. Commit phase: exchange commitments

Both the client and AP independently generate a random scalar (a large integer) and a random element (a point on the elliptic curve). They also encode the password into a point on the curve using a deterministic function (hunting and pecking). Then each computes a commitment: a cryptographic hash of the scalar, element, and password encoding. They exchange these commitments in Commit frames. At this point, neither party can compute the shared secret because they lack the other's private values. The Commit frames are unencrypted but do not reveal the password.

4. Commit phase: compute shared secret

After receiving the other's commitment, each party uses its own private scalar/element and the other's commitment to compute the Pairwise Master Key (PMK). The computation involves a zero-knowledge proof: each party proves they know the password without revealing it. Specifically, they compute a shared secret using elliptic curve Diffie-Hellman (ECDH) with the password-encoded point as a generator. The result is the PMK, a 256-bit key. If the password is incorrect, the computed PMK will differ, and the subsequent Confirm phase will fail.

5. Confirm phase: mutual authentication

Both parties derive a Key Confirmation Key (KCK) from the PMK. They exchange Confirm frames containing a hash of the KCK and the exchanged Commit values. Each party verifies the other's Confirm frame. If the verification succeeds, both know that the other has the correct password. The PMK is then used to derive the Pairwise Transient Key (PTK) for data encryption. The Confirm frames are also unencrypted but are protected by the hash; an attacker cannot forge a valid Confirm without the password.

6. Data encryption and session establishment

Once the Confirm phase succeeds, the client and AP derive session keys (PTK) from the PMK using a PRF (Pseudo-Random Function). The PTK is split into three keys: KCK (Key Confirmation Key), KEK (Key Encryption Key), and TK (Temporal Key) for data encryption. The TK is used with CCMP (AES-128) or GCMP (AES-256) to encrypt data frames. The session is now established. If the client disconnects and reconnects, a new SAE handshake generates a fresh PMK, providing forward secrecy.
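The Commit and Confirm steps above, carried through as a simplified Dragonfly (RFC 7664) exchange; this is an added example, not code from the original page or from any Wi-Fi stack. Assumptions: it uses the 768-bit finite-field group from RFC 2409 instead of ECC group 19, a reduced hunting-and-pecking loop, and SHA-512/HMAC-SHA-256 as stand-in key derivation. Following RFC 7664, the private values are named rand and mask, and the scalar and element are the values derived from them that go into the Commit frame; SaePeer, password_element and handshake are illustrative names.

```python
import hashlib
import hmac
import secrets

# 768-bit safe prime from RFC 2409 (Oakley group 1). Assumption for this demo:
# real SAE defaults to ECC group 19, and 768 bits is too small for production.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the subgroup of squares mod P


def _enc(n):
    return n.to_bytes(96, "big")


def password_element(password, mac_a, mac_b):
    """Simplified hunting-and-pecking: map password + both MACs into the subgroup."""
    ids = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hmac.new(ids, password.encode() + bytes([counter]), hashlib.sha512).digest()
        pe = pow(int.from_bytes(seed, "big"), 2, P)  # squaring lands in the order-Q subgroup
        if pe > 1:
            return pe
    raise ValueError("no password element found")


class SaePeer:
    def __init__(self, password, my_mac, peer_mac):
        self.pe = password_element(password, my_mac, peer_mac)
        self.rand = secrets.randbelow(Q - 2) + 2   # ephemeral secret, never sent
        mask = secrets.randbelow(Q - 2) + 2        # ephemeral blinding value, never sent
        self.scalar = (self.rand + mask) % Q       # sent in the Commit frame
        self.element = pow(self.pe, Q - mask, P)   # PE^(-mask), sent in the Commit frame

    def process_commit(self, peer_scalar, peer_element):
        if not 1 < peer_scalar < Q or not 1 < peer_element < P or pow(peer_element, Q, P) != 1:
            raise ValueError("peer commit is outside the group")
        # (PE^peer_scalar * peer_element)^rand == PE^(rand * peer_rand)
        k = pow(pow(self.pe, peer_scalar, P) * peer_element % P, self.rand, P)
        okm = hashlib.sha512(_enc(k) + _enc((self.scalar + peer_scalar) % Q)).digest()
        self.kck, self.pmk = okm[:32], okm[32:]
        self.peer = (peer_scalar, peer_element)
        self.rand = None  # ephemeral secret discarded: basis of forward secrecy

    def _tag(self, first, second):
        msg = b"".join(_enc(v) for v in (*first, *second))
        return hmac.new(self.kck, msg, hashlib.sha256).digest()

    def confirm(self):
        return self._tag((self.scalar, self.element), self.peer)

    def verify(self, peer_confirm):
        expected = self._tag(self.peer, (self.scalar, self.element))
        return hmac.compare_digest(peer_confirm, expected)


def handshake(client_password, ap_password):
    """Run Commit then Confirm between a client and an AP; MACs are constructed samples."""
    sta_mac, ap_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sta = SaePeer(client_password, sta_mac, ap_mac)
    ap = SaePeer(ap_password, ap_mac, sta_mac)
    sta.process_commit(ap.scalar, ap.element)
    ap.process_commit(sta.scalar, sta.element)
    authenticated = ap.verify(sta.confirm()) and sta.verify(ap.confirm())
    return authenticated, sta.pmk, ap.pmk


if __name__ == "__main__":
    print(handshake("MySecurePassword123", "MySecurePassword123")[0])
    print(handshake("MySecurePassword123", "wrong-guess")[0])
```

Two runs with the same password return different PMKs, because each run draws new rand and mask values and discards them after the Commit is processed.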

What This Looks Like on the Job

Enterprise Deployment Scenario 1: Corporate Office with WPA3-Enterprise

A multinational corporation deploys WPA3-Enterprise across its campus to secure wireless access for employees. The network uses 802.1X with EAP-TLS, where each employee has a unique certificate. The APs are configured to require WPA3 only, with no transition mode. SAE is not used here because WPA3-Enterprise uses the same 4-way handshake as WPA2-Enterprise but with mandatory PMF and stronger ciphers (GCMP-256). The problem solved is protection against rogue APs and credential theft. The configuration on Cisco WLCs involves creating a WLAN with security type WPA3, enabling 802.1X, and setting the cipher to GCMP256. Common issues include certificate expiry and mismatched EAP methods. Performance is excellent with modern clients; older devices may not support WPA3, requiring a separate SSID.

Scenario 2: Small Business with WPA3-Personal

A small retail store uses WPA3-Personal with SAE to secure its guest and internal networks. The password is shared with employees via a secure portal. The problem solved is resistance to offline dictionary attacks; even if an attacker captures the handshake, they cannot brute-force the password. The AP (e.g., Ubiquiti UniFi) is configured with WPA3 only, password length 12+ characters, and PMF required. The store uses a single SSID for internal use and a separate guest network with OWE. Misconfiguration: if the AP is set to WPA3-Transition mode, attackers can force clients to downgrade to WPA2 and attempt dictionary attacks. The fix is to disable transition mode once all clients support WPA3.

Scenario 3: Public Wi-Fi with OWE

A city deploys open Wi-Fi in public parks using WPA3-Open (OWE). OWE provides encryption without authentication, using Diffie-Hellman key exchange. The problem solved is passive eavesdropping: without OWE, an attacker can sniff all traffic. OWE is configured by setting the security mode to OWE on the AP. Clients that support OWE will automatically use it; legacy clients still connect without encryption. The main consideration is that OWE does not authenticate users, so it is suitable only for guest networks where no authentication is needed. Misconfiguration: if the AP is not configured to advertise OWE in the RSN IE, clients will not initiate OWE.

Common Pitfalls:

Forgetting to enable PMF: WPA3 requires PMF (802.11w). If PMF is disabled, WPA3 clients will not associate.

Using weak passwords: SAE is resistant to offline attacks, but a weak password (e.g., 'password') is still vulnerable to online brute-force. Use strong passwords.

Transition mode left enabled: This introduces a downgrade attack vector. Phase out WPA2 clients.

Group mismatch: SAE groups must match between client and AP. Most devices use group 19. If the AP forces group 21, some clients may fail to connect.
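A check for the transition-mode and PMF pitfalls listed above, run against the RSN Information Element an AP advertises in its Beacons; this is an added example, not code from the original page or from any vendor tool. The two IE bodies are constructed samples, and parse_rsn and audit_rsn are illustrative names.

```python
import struct

OUI = bytes.fromhex("000fac")
AKM_PSK, AKM_SAE = 2, 8        # 00-0F-AC:2 (WPA2-PSK) and 00-0F-AC:8 (SAE)
CIPHER_TKIP = 2                # 00-0F-AC:2 in the cipher suite lists
MFPC, MFPR = 0x0080, 0x0040    # RSN capabilities bits: PMF capable / PMF required

# Constructed samples: RSN IE bodies (the bytes after element ID 48 and the length octet).
WPA3_ONLY = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac08 c000")
TRANSITION = bytes.fromhex("0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")


def parse_rsn(body):
    """Split an RSN IE body into version, cipher suites, AKM suites and capabilities."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN IE")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def suites(count):
        out = []
        for _ in range(count):
            raw = take(4)
            out.append((raw[:3], raw[3]))  # (OUI, suite type)
        return out

    version, = struct.unpack("<H", take(2))
    group = suites(1)[0]
    pairwise = suites(struct.unpack("<H", take(2))[0])
    akms = suites(struct.unpack("<H", take(2))[0])
    caps, = struct.unpack("<H", take(2))
    return {"version": version, "group": group, "pairwise": pairwise,
            "akms": akms, "caps": caps}


def audit_rsn(body):
    """Return a list of findings for one advertised RSN IE; empty means WPA3-only with PMF."""
    rsn = parse_rsn(body)
    akm = {t for oui, t in rsn["akms"] if oui == OUI}
    ciphers = {t for oui, t in rsn["pairwise"] + [rsn["group"]] if oui == OUI}
    findings = []
    if AKM_SAE not in akm:
        findings.append("no-sae")
    if AKM_SAE in akm and AKM_PSK in akm:
        findings.append("transition-mode")      # WPA2-PSK still offered on this SSID
    if AKM_SAE in akm and not rsn["caps"] & MFPR:
        findings.append("pmf-not-required")     # PMF is at most optional
    if CIPHER_TKIP in ciphers:
        findings.append("tkip-enabled")
    return findings


if __name__ == "__main__":
    for name, ie in (("wpa3-only", WPA3_ONLY), ("transition", TRANSITION)):
        print(name, audit_rsn(ie))
```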

How N10-009 Actually Tests This

Exam Focus for N10-009 Objective 4.5 (Network Security)

What the exam tests:

- Identify WPA3 features: SAE, forward secrecy, PMF, GCMP-256, OWE.
- Understand the difference between WPA2-PSK and WPA3-SAE, especially regarding offline dictionary attack resistance.
- Know that WPA3 mandates PMF (802.11w) and that it prevents deauthentication attacks.
- Recognize that WPA3-Transition mode allows mixed WPA2/WPA3 but is less secure.
- Understand that forward secrecy means that compromising the pre-shared key does not compromise past sessions.

Common wrong answers and why:

1. "WPA3 uses the same 4-way handshake as WPA2" — WRONG. WPA3-Personal uses SAE, which is a different protocol. WPA3-Enterprise uses the same 4-way handshake but with mandatory PMF and stronger ciphers.
2. "WPA3 eliminates the need for a password" — WRONG. WPA3-Personal still requires a password; SAE just makes offline attacks infeasible.
3. "Forward secrecy means the password is never transmitted" — WRONG. The password is never transmitted in WPA2 either (it is used to derive the PSK). Forward secrecy specifically means that session keys are not derivable from the long-term secret.
4. "WPA3 supports TKIP for backward compatibility" — WRONG. WPA3 only supports CCMP and GCMP; TKIP is deprecated.
5. "WPA3-Open is the same as open Wi-Fi" — WRONG. WPA3-Open uses OWE to encrypt traffic, though no authentication is performed.

Specific numbers and terms:

- SAE group 19 (256-bit ECC) is the default.
- PMK is 256 bits.
- GCMP-256 uses a 256-bit key; CCMP-128 uses 128-bit.
- 802.11w is the standard for PMF.
- WPA3-Personal uses AKM suite type 00-0F-AC:8.
- WPA3-Enterprise uses AKM suite type 00-0F-AC:6 (with 802.1X) or 00-0F-AC:12 (with PMF).

Edge cases:

- If a client does not support WPA3, it cannot connect to a WPA3-only SSID. Transition mode must be used.
- If PMF is set to optional (not required), WPA3 clients may still connect but the connection is not fully compliant; the exam expects that WPA3 requires PMF.
- Some older devices may not support SAE group 21; they will fail to connect if the AP requires it.

How to eliminate wrong answers:

- If the question mentions "offline dictionary attack" or "KRACK", the correct answer likely involves WPA3 or SAE.
- If the question mentions "management frame protection", look for PMF or 802.11w.
- If the question mentions "forward secrecy", the answer must involve a key exchange that uses ephemeral keys (like SAE or Diffie-Hellman).
- If the question asks about backward compatibility, transition mode is the answer, but note that it is not fully secure.

Key Takeaways

SAE (Simultaneous Authentication of Equals) is the handshake used in WPA3-Personal, defined in IEEE 802.11-2016.

SAE provides resistance to offline dictionary attacks by never transmitting a verifiable password hash.

Forward secrecy means that compromising the long-term password does not allow decryption of past or future sessions.

WPA3 mandates Protected Management Frames (PMF) per 802.11w, preventing deauthentication attacks.

WPA3 uses only CCMP (AES-128) or GCMP (AES-256) ciphers; TKIP is not supported.

WPA3-Transition mode allows mixed WPA2/WPA3 on the same SSID but is less secure; it should be phased out.

The default SAE group is ECC group 19 (256-bit). Group 21 (521-bit) is also available.

WPA3-Open uses OWE (Opportunistic Wireless Encryption) to encrypt traffic without authentication.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

WPA2-PSK (4-way handshake)

Uses 4-way handshake with PSK derived from password and SSID

Vulnerable to offline dictionary attacks if handshake is captured

No forward secrecy: compromising PSK decrypts all past and future sessions

Uses CCMP/AES-128 for encryption (TKIP deprecated)

PMF (802.11w) is optional

WPA3-SAE (SAE handshake)

Uses SAE (Dragonfly) handshake based on PAKE

Resistant to offline dictionary attacks; password never verifiable offline

Provides forward secrecy: each session uses ephemeral keys; password compromise does not affect past sessions

Uses CCMP/AES-128 or GCMP/AES-256 for encryption

PMF (802.11w) is mandatory

Watch Out for These

Mistake

WPA3 uses the same 4-way handshake as WPA2 but with stronger encryption.

Correct

WPA3-Personal uses a completely different handshake called SAE (Simultaneous Authentication of Equals), which is based on the Dragonfly key exchange. WPA3-Enterprise still uses the 4-way handshake but with mandatory PMF and optional GCMP-256.

Mistake

WPA3 eliminates the need for a password; it uses certificates instead.

Correct

WPA3-Personal still requires a password (pre-shared key). The improvement is that the password is never exposed to offline dictionary attacks. WPA3-Enterprise can use certificates, but that is not a requirement of the standard.

Mistake

Forward secrecy means that the password is not transmitted over the air.

Correct

In WPA2, the password is also not transmitted directly; it is used to derive the PSK. Forward secrecy specifically means that if the long-term secret (password) is compromised, past and future session keys remain secure because each session uses ephemeral keys.

Mistake

WPA3 supports TKIP for backward compatibility with older devices.

Correct

WPA3 only supports CCMP (AES-128) and GCMP (AES-256). TKIP is deprecated and not allowed in WPA3. Backward compatibility is provided via transition mode, where the same SSID advertises both WPA2 and WPA3, but TKIP is still not used in WPA3.

Mistake

WPA3-Open provides authentication for open networks.

Correct

WPA3-Open uses OWE (Opportunistic Wireless Encryption) which provides encryption but no authentication. The network is still open; any client can connect. OWE prevents passive eavesdropping but does not verify identity.


Frequently Asked Questions

What is SAE in WPA3?

SAE stands for Simultaneous Authentication of Equals. It is the key exchange protocol used in WPA3-Personal that replaces WPA2's 4-way handshake. SAE is based on the Dragonfly PAKE (Password-Authenticated Key Exchange) and provides resistance to offline dictionary attacks and forward secrecy. During SAE, both the client and AP prove knowledge of the password without transmitting it, and they derive a unique session key that is not linked to the password.

How does SAE prevent offline dictionary attacks?

SAE prevents offline dictionary attacks because the password is never used in a form that can be verified offline. In WPA2, the handshake contains a MIC that can be computed using a guessed PSK, allowing attackers to test passwords. In SAE, the exchange uses cryptographic commitments and zero-knowledge proofs. An attacker who captures the handshake cannot verify a password guess without interacting with the AP, because the commitment is one-way and the password is combined with ephemeral random values. Thus, the only way to test a password is to attempt an online connection, which is rate-limited and detectable.

What is forward secrecy in the context of WPA3?

Forward secrecy (or perfect forward secrecy) ensures that if the long-term secret (the pre-shared key/password) is compromised, past session keys remain secure. In WPA3-SAE, each authentication generates a fresh Pairwise Master Key (PMK) using ephemeral random values (scalars and elements). Even if an attacker learns the password, they cannot derive the PMK for any past session because they would need the ephemeral private values that were discarded after the handshake. This is a key advantage over WPA2, where the PSK directly generates the session keys.

Is WPA3 backward compatible with WPA2?

WPA3 is not directly backward compatible. However, WPA3-Transition mode allows an AP to advertise both WPA2 and WPA3 capabilities on the same SSID. WPA2 clients connect using the 4-way handshake, while WPA3 clients use SAE. Transition mode is less secure because an attacker can force a client to downgrade to WPA2 by blocking WPA3 advertisements. The exam emphasizes that transition mode is a temporary solution and should be replaced with WPA3-only once all clients support it.

What is the role of PMF in WPA3?

Protected Management Frames (PMF), defined in IEEE 802.11w, is mandatory in WPA3. PMF encrypts unicast management frames (e.g., deauthentication, disassociation) and provides integrity protection for broadcast management frames. This prevents attackers from sending forged deauthentication frames to disconnect clients (deauth attacks). Without PMF, WPA3 would still be vulnerable to these attacks. On the exam, remember that WPA3 requires PMF, while WPA2 makes it optional.

What is the difference between WPA3-Personal and WPA3-Enterprise?

WPA3-Personal uses SAE for key exchange and a pre-shared password. It is designed for home and small office use. WPA3-Enterprise uses 802.1X authentication with EAP methods (e.g., EAP-TLS) and the same 4-way handshake as WPA2-Enterprise, but with mandatory PMF and the option to use GCMP-256 encryption. WPA3-Enterprise also supports 192-bit security mode (WPA3-Enterprise 192-bit) which uses Suite B cryptography. The exam may test that WPA3-Enterprise does not use SAE.

What are the default SAE groups used in WPA3?

The default SAE group is ECC group 19, which uses a 256-bit prime modulus elliptic curve. Group 21 (521-bit) is also supported. The AP advertises the group in its beacon. Most clients support group 19. If a client does not support the group advertised, it cannot connect. On the exam, know that group 19 is the most common and that group 21 offers higher security but may cause compatibility issues.
