This chapter covers WPA3 and modern wireless attacks, a critical topic for the PT0-002 exam. WPA3 addresses the vulnerabilities of WPA2, such as KRACK and offline brute-force attacks, by introducing Simultaneous Authentication of Equals (SAE) and 192-bit security mode. Expect approximately 5–7% of exam questions to touch on wireless security, with WPA3-specific attacks (e.g., Dragonblood, timing side-channels) and configuration weaknesses being common. This chapter provides the depth needed to understand the protocol mechanics, identify attack vectors, and recommend mitigations.
Jump to a section
Imagine a secret club where members must prove they know the password without actually saying it out loud. In WPA2, the club had a bouncer (the AP) who would ask each person to recite the password, but a hidden eavesdropper (attacker) could record the password when it was spoken during the handshake. This allowed the attacker to later brute-force the password offline. WPA3 introduces a new bouncer who uses a 'password puzzle' called the Dragonfly handshake. When you approach, the bouncer gives you a unique, random puzzle (based on the password but scrambled with your identity). You solve the puzzle using the password and give back the solution. The bouncer checks if your solution is correct, but the eavesdropper, who only sees the puzzle and the solution, cannot reverse-engineer the password because the puzzle is different every time and the solution doesn't reveal the password. Even if the eavesdropper records hundreds of puzzles and solutions, they cannot brute-force the password because each puzzle is tied to a specific interaction and the math (Diffie-Hellman on an elliptic curve) makes reversing the process computationally infeasible. This is the core of SAE (Simultaneous Authentication of Equals): both parties prove knowledge of the password without transmitting it, and the shared session key is derived from the password plus random contributions from each side, ensuring perfect forward secrecy.
Introduction to WPA3
WPA3 (Wi-Fi Protected Access 3) was introduced in 2018 by the Wi-Fi Alliance as a replacement for WPA2. It addresses two major weaknesses of WPA2: the vulnerability to offline dictionary attacks after capturing the 4-way handshake, and the lack of forward secrecy. WPA3 is defined in IEEE 802.11-2020 and comes in two flavors: - WPA3-Personal: Uses Simultaneous Authentication of Equals (SAE) based on Dragonfly Key Exchange (RFC 7664). - WPA3-Enterprise: Offers 192-bit security mode (mandatory for certain government use) using CNSA Suite (Commercial National Security Algorithm Suite).
The exam focuses on WPA3-Personal and its attack surface. Key features include: - SAE handshake: Resists offline dictionary attacks. - Forward secrecy: Compromising the long-term password does not reveal past session keys. - Protected Management Frames (PMF): Mandatory in WPA3, preventing deauthentication attacks. - Transition mode: Allows coexistence with WPA2 devices but introduces downgrade attack vectors.
How SAE Works: The Dragonfly Handshake
SAE is a password-authenticated key exchange (PAKE) protocol. It uses a finite cyclic group (typically an elliptic curve group, e.g., ECC P-256 or P-384) and the password to generate a shared secret. The handshake unfolds in two phases:
Phase 1 - Commitment:
1. Both parties (supplicant and AP) derive a secret element from the password using a hash-to-curve function. This element is unique per session.
2. Each party generates a random scalar (private key) and computes a public value: commit-scalar and commit-element.
3. They exchange these commit values. The commit-scalar is a random number, and the commit-element is a point on the curve derived from the password and the random scalar.
Phase 2 - Confirm: 1. Each party computes a shared secret using the other's commit values and their own private scalar. This is a Diffie-Hellman key exchange over the elliptic curve. 2. They derive a confirmation key from the shared secret. 3. Each sends a confirmation message (a keyed hash of the exchanged data) to prove knowledge of the password. 4. After verification, both derive the Pairwise Master Key (PMK) from the shared secret.
Key properties:
The password is never transmitted over the air.
An attacker who captures the commit and confirm messages cannot perform offline brute-force because each message is bound to the random scalars.
Perfect forward secrecy: If the password is later compromised, past session keys remain secure because each session uses ephemeral keys.
WPA3 Timers and Defaults
SAE retransmission timeout: Default 200 ms (configurable).
SAE sync count: Default 3 retries before disassociation.
PMK lifetime: Default 3600 seconds (1 hour) in many implementations.
Group (curve): Typically P-256 (NIST curve) for WPA3-Personal; P-384 for 192-bit mode.
Password length: Minimum 8 characters in most certifications, but recommended 12+.
Transition Mode and Downgrade Attacks
WPA3 supports Transition Mode where the AP broadcasts both WPA2 and WPA3 capabilities. A client can connect using either. This allows legacy devices to connect but introduces the risk of a downgrade attack: an attacker can spoof the AP's beacon to advertise only WPA2, forcing the client to use the weaker protocol. The exam tests this scenario. Mitigation: Use WPA3-only mode if possible, or enable PMF and disable TKIP.
Modern Wireless Attacks on WPA3
1. Dragonblood Attacks: A family of vulnerabilities discovered in 2019 by Vanhoef and Ronen. They target the SAE implementation, not the protocol itself. Key attacks: - Timing side-channel: The hash-to-curve function in some implementations (e.g., using a loop that exits early on certain conditions) leaks timing information that can be used to brute-force the password character by character. - Cache-based side-channel: In some CPU implementations, the hash-to-curve function uses a lookup table that is indexed by password bytes, allowing an attacker to observe cache timing. - Downgrade to WPA2: Exploiting transition mode to force clients into WPA2 and then performing a dictionary attack on the captured 4-way handshake. 2. SAE Reflection Attack: A theoretical attack where the attacker reflects the commit message back to the sender. Mitigated by requiring that commit-scalar and commit-element are not identical to the ones sent. 3. Brute-force on weak passwords: While SAE resists offline attacks, if the password is weak (e.g., 'password123'), an online brute-force attack is still possible. The AP can rate-limit SAE attempts, but many implementations do not enforce this by default. 4. PMKID attack on WPA3-Transition: In transition mode, the AP may expose the PMKID in the first message of the 4-way handshake (if WPA2 is used). This allows an attacker to derive the PMK and perform an offline dictionary attack on the password. However, this only works if the client uses WPA2; WPA3 clients do not expose PMKID.
Protected Management Frames (PMF)
WPA3 mandates PMF (802.11w). PMF encrypts and authenticates management frames (deauthentication, disassociation, beacon). This prevents classic deauth attacks. However, PMF can be disabled in some configurations (e.g., for compatibility), which is a common exam trap.
Configuration and Verification Commands
On Cisco wireless controllers, WPA3 configuration might look like:
config wlan security wpa3 {enable|disable}
config wlan security sae {enable|disable} <wlan-id>
config wlan security pmf {optional|mandatory|disabled} <wlan-id>On Linux hostapd, the configuration file includes:
wpa=2
wpa_key_mgmt=SAE
ieee80211w=2 # 0=disabled, 1=optional, 2=mandatory
sae_password=secret
sae_groups=19 # 19=P-256, 20=P-384Verification commands (on Linux):
iw dev wlan0 station dump | grep -E 'PMF|SAE'
hostapd_cli sae_statusOn the client side, wpa_supplicant logs SAE handshake details:
wpa_supplicant -Dnl80211 -iwlan0 -c/etc/wpa_supplicant.conf -ddLook for lines containing "SAE: " or "Dragonfly".
Interaction with Related Technologies
WPA2 backward compatibility: Transition mode uses a mixed PSK/SAE authentication. The AP must support both.
802.1X/EAP: WPA3-Enterprise uses EAP with 192-bit security (AES-GCMP-256, SHA-384).
Wi-Fi 6 (802.11ax): WPA3 is mandatory for Wi-Fi 6 certification.
OWE (Opportunistic Wireless Encryption): Used in open networks (no password) to provide encryption; not part of WPA3 but often confused with it.
Exam-Specific Details
The exam expects you to know that SAE uses a finite cyclic group (typically ECC) and that the password is never transmitted.
Dragonblood is the name of the attack suite; remember that it targets implementations, not the protocol.
PMF mandatory is a key differentiator; if PMF is optional or disabled, deauth attacks are possible.
Transition mode is a common vector for downgrade attacks.
Timing side-channel attacks on SAE use the hash-to-curve function; the fix is constant-time implementation.
The exam may ask which attack is effective against WPA3 but not WPA2: answer: timing side-channel (since WPA2 doesn't use SAE).
1. Beacon and Probe Exchange
The AP broadcasts beacons containing RSNE (Robust Security Network Element) that advertises WPA3 capabilities, including the AKM suite (00-0F-AC:8 for SAE). The client sends a probe request; the AP responds with a probe response including the same RSNE. If the client supports WPA3, it selects SAE. In transition mode, the beacon also includes WPA2 AKM suites, allowing legacy clients to associate using WPA2. An attacker can capture the beacon to identify WPA3 networks and plan downgrade attacks.
2. SAE Commitment Exchange
The client and AP each compute a password element (PWE) by hashing the password with a random scalar and the MAC addresses. They exchange commit messages containing a commit-scalar and commit-element. The commit-element is a point on the elliptic curve derived from the PWE and the random scalar. The exchange is unauthenticated at this stage; an attacker can replay or reflect commit messages, but the protocol includes anti-replay measures (e.g., using MAC addresses in the hash). The commit messages are sent as Action frames (category: SAE).
3. SAE Confirm Exchange
After receiving the peer's commit, each party computes the shared secret using the other's commit-element and their own private scalar. They derive a confirmation key (kck) and a pairwise master key (PMK) from the shared secret. They send a confirm message that includes a keyed hash (using kck) of the previous messages. The peer verifies the hash. If verification fails, the handshake is aborted. This step proves that both parties know the password, as only the correct password yields the same shared secret. An attacker without the password cannot generate a valid confirm.
4. 4-Way Handshake (if WPA2 fallback) or PMK Caching
In WPA3-only mode, the SAE handshake directly produces the PMK, and the 4-way handshake is skipped. However, in WPA3-Transition mode, if the client uses WPA2, the AP uses the PMK from the 4-way handshake. The 4-way handshake is identical to WPA2: the AP sends an ANonce, the client responds with a hash (PTK derivation), the AP sends the GTK, and the client acknowledges. An attacker can capture this handshake and perform offline dictionary attacks if the PMK is derived from a weak password. In WPA3, the PMK is derived from SAE, so the 4-way handshake is not vulnerable offline.
5. Data Encryption and PMF
Once the PTK is established, data frames are encrypted using AES-CCMP (WPA2) or AES-GCMP (WPA3-Enterprise 192-bit). Management frames are protected by PMF (802.11w) using BIP (Broadcast Integrity Protocol). The AP and client exchange encrypted management frames, preventing spoofing and deauthentication attacks. If PMF is mandatory, the client must support it; otherwise, association is rejected. The exam often tests that PMF prevents deauth attacks, which are effective against WPA2.
Enterprise Deployment Scenario 1: Corporate Office with Legacy Devices
A large corporation upgrades to WPA3 but must support older Windows 7 laptops that only support WPA2. The network team configures WPA3-Transition mode. The AP broadcasts both AKM suites. However, an attacker sets up a rogue AP that advertises only WPA2, causing the legacy clients to connect to it. The attacker captures the 4-way handshake and performs an offline dictionary attack using a weak corporate password (e.g., 'Company2020'). Mitigation: The team should enforce PMF mandatory on all SSIDs and require WPA3-only for new devices, while segmenting legacy devices on a separate VLAN with additional monitoring. Additionally, they should implement brute-force detection on the RADIUS server (if using 802.1X) or rate-limit SAE attempts.
Scenario 2: Public Wi-Fi Hotspot with OWE
A coffee shop uses Open (no password) Wi-Fi with OWE (Opportunistic Wireless Encryption). OWE provides encryption without authentication, but the exam distinguishes OWE from WPA3. The shop later upgrades to WPA3-Personal with a shared password printed on receipts. An attacker performs a Dragonblood timing attack by sending crafted SAE commit frames and measuring the response time of the AP's hash-to-curve function. The AP uses a vulnerable implementation (e.g., hostapd before version 2.8). The attacker recovers the password character by character. Mitigation: The shop must update the AP firmware to a constant-time implementation and use a strong random password.
Scenario 3: Government Agency with 192-bit Mode
A government agency requires CNSA Suite compliance. They deploy WPA3-Enterprise with 192-bit mode, using EAP-TLS with certificates and AES-GCMP-256 encryption. The network uses a RADIUS server for authentication. An attacker cannot perform offline dictionary attacks because the handshake is based on certificates. However, the attacker can still perform a rogue AP attack if the client does not validate the server certificate. The agency must configure clients to validate the RADIUS server certificate and use PMF mandatory. Common misconfiguration: leaving PMF as optional, which allows deauth attacks that can force clients to reconnect to a rogue AP.
What PT0-002 Tests on WPA3 (Objective 3.5)
The exam focuses on: - SAE handshake characteristics: Understand that the password is never transmitted and that forward secrecy is provided. - Dragonblood attacks: Know that they are implementation-specific (timing side-channels) and that the fix is constant-time code. - Transition mode vulnerabilities: Downgrade attacks that force clients to use WPA2. - PMF: Mandatory in WPA3; if disabled, deauth attacks are possible. - Comparison to WPA2: WPA2 uses a 4-way handshake vulnerable to offline dictionary attacks; WPA3 uses SAE which resists them.
Common Wrong Answers and Why Candidates Choose Them
"WPA3 uses a 4-way handshake like WPA2": Incorrect. WPA3 uses SAE (Dragonfly) handshake; the 4-way handshake is only used in transition mode for WPA2 clients. Candidates confuse the two.
"Dragonblood attacks break WPA3 protocol": Incorrect. Dragonblood attacks exploit implementation flaws (timing, cache), not the SAE algorithm itself. Candidates assume the protocol is broken.
"WPA3 prevents all brute-force attacks": Incorrect. SAE prevents offline brute-force, but online brute-force (trying passwords against the AP) is still possible if rate-limiting is not enforced. Candidates overstate the security.
"PMF is optional in WPA3": Incorrect. PMF is mandatory for WPA3 certification. However, some implementations allow disabling it. The exam tests that mandatory PMF is a requirement.
Specific Numbers and Terms
AKM suite for SAE: 00-0F-AC:8
Group 19: P-256 elliptic curve (default for WPA3-Personal)
Group 20: P-384 (used in 192-bit mode)
PMF (802.11w): Mandatory in WPA3
Dragonblood: CVE-2019-9494 (timing side-channel) and CVE-2019-9495 (cache-based).
Edge Cases and Exceptions
SAE with groups other than ECC: SAE can also use FFC (Finite Field Cryptography) groups, but ECC is preferred. The exam may test that ECC is the default.
WPA3-Enterprise with 192-bit mode: Uses AES-GCMP-256 and SHA-384; not commonly tested but may appear.
OWE vs WPA3: OWE is for open networks; WPA3 is for password-protected networks. The exam may ask which provides authentication.
Eliminating Wrong Answers
If a question mentions capturing a handshake and performing offline brute-force, the answer likely involves WPA2 or WPA3-Transition mode (not pure WPA3).
If a question mentions timing measurements, the answer is likely a Dragonblood attack.
If a question asks how to prevent deauth attacks, the answer is enable PMF mandatory.
If a question mentions "forward secrecy", the correct answer involves SAE or WPA3.
WPA3 uses SAE (Simultaneous Authentication of Equals) for key exchange, which does not transmit the password and provides forward secrecy.
Dragonblood attacks are implementation-specific side-channel attacks on SAE, not protocol flaws.
Protected Management Frames (PMF) are mandatory in WPA3; disabling them allows deauthentication attacks.
WPA3-Transition mode allows WPA2 clients but introduces downgrade attack vectors.
SAE uses a finite cyclic group (default: ECC P-256) and a password-derived element (PWE) hashed to a curve point.
The exam tests that WPA3 resists offline brute-force but not online brute-force if rate-limiting is absent.
PMKID attack is effective only against WPA2 clients in transition mode, not against WPA3 clients.
Common wrong answer: WPA3 uses a 4-way handshake — it uses SAE handshake.
Timing side-channel attacks on SAE exploit the hash-to-curve function; fix is constant-time implementation.
WPA3-Enterprise 192-bit mode uses AES-GCMP-256 and SHA-384.
These come up on the exam all the time. Here's how to tell them apart.
WPA2
Uses 4-way handshake for key exchange; password-derived PMK is transmitted in the handshake.
Vulnerable to offline dictionary attacks after capturing the 4-way handshake (e.g., KRACK).
No forward secrecy; compromising the PSK reveals all past session keys.
Protected Management Frames (PMF) are optional (802.11w).
Uses AES-CCMP encryption (128-bit).
WPA3
Uses SAE (Dragonfly) handshake; password is never transmitted.
Resists offline dictionary attacks due to SAE's password-authenticated key exchange.
Provides forward secrecy; each session uses ephemeral keys.
PMF is mandatory (802.11w).
Uses AES-CCMP (Personal) or AES-GCMP (Enterprise 192-bit).
WPA3-Personal
Uses SAE with a pre-shared password.
Default elliptic curve: P-256 (Group 19).
Encryption: AES-CCMP (128-bit).
Suitable for home and small business.
No requirement for RADIUS or certificate infrastructure.
WPA3-Enterprise 192-bit
Uses EAP (e.g., EAP-TLS) with CNSA Suite.
Uses P-384 (Group 20) or higher.
Encryption: AES-GCMP-256 (256-bit).
Required for government and high-security environments.
Requires RADIUS server and client certificates.
Mistake
WPA3 uses a 4-way handshake like WPA2.
Correct
WPA3-Personal uses the SAE (Dragonfly) handshake, not the 4-way handshake. The 4-way handshake is only used in WPA3-Transition mode when a client connects using WPA2. SAE does not transmit the password and provides forward secrecy.
Mistake
Dragonblood attacks break the WPA3 protocol itself.
Correct
Dragonblood attacks exploit implementation flaws in the SAE handshake, such as timing side-channels in the hash-to-curve function or cache-based leaks. The protocol design is sound; the vulnerabilities are in specific software versions.
Mistake
WPA3 prevents all types of brute-force attacks.
Correct
WPA3 prevents offline dictionary attacks because the handshake does not reveal password-derived data that can be brute-forced offline. However, online brute-force attacks (trying passwords against the AP) are still possible if the AP does not implement rate-limiting or account lockout.
Mistake
Protected Management Frames (PMF) are optional in WPA3.
Correct
PMF (802.11w) is mandatory for WPA3 certification. However, some APs allow administrators to disable PMF for compatibility. The exam treats mandatory PMF as a requirement for WPA3; if PMF is disabled, the network is not truly WPA3 compliant.
Mistake
WPA3-Transition mode is as secure as WPA3-only mode.
Correct
Transition mode allows WPA2 clients to connect, which introduces vulnerabilities such as downgrade attacks and exposure to the 4-way handshake offline brute-force. An attacker can force a client to use WPA2 by spoofing the AP's capabilities, then capture the 4-way handshake and crack the password.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, WPA3 prevents KRACK attacks because KRACK exploits the 4-way handshake in WPA2. WPA3 uses the SAE handshake, which does not have the same vulnerability. Additionally, WPA3 mandates PMF, which prevents the key reinstallation aspect of KRACK. However, if a network is in WPA3-Transition mode and a client uses WPA2, that client is still vulnerable to KRACK.
Dragonblood is a set of vulnerabilities discovered in 2019 that affect implementations of WPA3's SAE handshake. The most critical are timing side-channel attacks (CVE-2019-9494) and cache-based side-channel attacks (CVE-2019-9495). These allow an attacker to recover the password by observing the time taken to compute the hash-to-curve function or by monitoring CPU cache. The fix is to use constant-time implementations. The exam tests that Dragonblood is an implementation flaw, not a protocol flaw.
No, you cannot brute-force a WPA3 password offline from captured handshake data. In WPA3, the SAE handshake does not reveal any password-derived information that can be used for offline cracking. Each handshake uses random ephemeral keys, so captured messages are bound to that session. However, online brute-force (trying passwords against the AP) is possible if the AP does not rate-limit SAE attempts. The exam expects you to know that WPA3 resists offline brute-force but not necessarily online.
WPA3-Transition mode allows an AP to support both WPA2 and WPA3 clients simultaneously. The AP broadcasts both AKM suites in beacons. The danger is that an attacker can perform a downgrade attack by spoofing the AP's beacon to advertise only WPA2, forcing the client to use the weaker protocol. The attacker can then capture the WPA2 4-way handshake and perform offline dictionary attacks. Mitigation: Use WPA3-only mode if possible, or enforce PMF mandatory and disable TKIP.
Yes, Protected Management Frames (PMF) are mandatory for WPA3 certification. This means that any device certified for WPA3 must support 802.11w. However, some APs allow administrators to disable PMF for compatibility reasons, which would break WPA3 compliance. The exam tests that PMF is mandatory in WPA3 and that disabling it exposes the network to deauthentication and disassociation attacks.
WPA3-Personal uses a pre-shared password and the SAE handshake for authentication. It is designed for home and small office use. WPA3-Enterprise uses 802.1X/EAP with a RADIUS server and supports 192-bit security mode (CNSA Suite) for government and high-security environments. The 192-bit mode uses AES-GCMP-256 encryption and SHA-384 hashing. The exam may test that WPA3-Enterprise requires certificate-based authentication.
No, a WPA3 client cannot connect to a WPA2-only AP because the client's supplicant will not find the SAE AKM suite in the AP's beacon. The client would need to have WPA2 support enabled (which most do) to fall back. However, if the client is configured to require WPA3 (e.g., setting `wpa=2` and `wpa_key_mgmt=SAE` in wpa_supplicant), it will refuse to connect to a WPA2-only AP. In transition mode, the AP supports both, so the client can connect using WPA2 if it does not support WPA3.
You've just covered WPA3 and Modern Wireless Attacks — now see how well it sticks with free PT0-002 practice questions. Full explanations included, no account needed.
Done with this chapter?