highpowerrouter
23 Feb, 2023

WPA3 adopts "SAE" to make key guessing impossible and closes the hole exploited by KRACKs; arriving from the end of 2018?

Incidentally, SAE is in fact the method specified in IEEE 802.11 Section 12.4.1, where it is even described as a variant of "Dragonfly (RFC 7664)".

The figure below shows an outline of SAE. In SAE, the key exchange uses elliptic curve cryptography. First come the parameters of the curve itself (in the case of IEEE 802.11, the curve considered is "y^2 = x^3 + ax + b mod p", and the a and b for it are exchanged). The access point and the client each have the password entered when choosing the SSID (ESSID) to connect to, and from it a function called the "generator" produces a point on the curve (point R). Apart from that, each side holds two random numbers, U/V respectively.

In authentication, the client first sends U and U2·R, and the access point sends V and V2·R. Each side receives the other's values and generates the key from them. The important thing here is that the computed point R on the curve never appears in the communication. In theory the value of R is contained in U2·R and V2·R, but since U2 and V2 are both random numbers, R cannot be guessed from them.

The two sides then confirm with each other that the key was generated correctly, and the key cannot be guessed from this step either.

Thus, as long as both sides know the common password they can obtain a common key, and it cannot be guessed from the outside. The key created here is the PMK; the PTK and GTK are then generated from it and used.

This method resists password-guessing attacks that use dictionaries and the like because, even if the exchange is intercepted, what is transmitted is derived from the random numbers U/V, so the value of R cannot be guessed. Furthermore, it is not possible to judge from the exchange between access point and client whether the password matches, because only a hash is sent instead of an authentication success/failure result.

For this reason, an attacker has to keep trying passwords one at a time, concluding that each one is wrong because it does not work. In other words, running a dictionary attack takes a great deal of time.

Also, the "protection even if the password specified by the user does not meet the recommended strength" mentioned in the previous article comes from using the password to determine a point on the elliptic curve instead of using the password as it is. Because of this, whether the password itself is short or long, the strength after the conversion is the same (it is just a coordinate), so it is relatively safe. Of course, this applies only to eavesdropping over Wi-Fi.

Incidentally, the details of "Wi-Fi CERTIFIED Enhanced Open" described in the previous article are still unknown, but it seems that it will probably be the "Opportunistic Wireless Encryption" specified in RFC 8110.

This is also based on elliptic curve cryptography, but there is no password because it is an open network. For this reason, the point G on the curve is determined in advance. However, since the access point and the client each generate random numbers and combine them with G, it is the same as SAE in that G cannot be guessed by eavesdropping, so I think that at least the confidentiality of the communication can be ensured.

Once the key exchange has succeeded, EAPOL's 4-Way Handshake and so on are used for the login procedure that open networks often require. However, since the key has already been exchanged, this can be encrypted (the actual method is unknown because the specifications of Wi-Fi CERTIFIED Enhanced Open are not clear, but it is thought that it will be encrypted with a GTK based on the generated PMK). KRACKs was possible only because the 4-Way Handshake was performed in plaintext, but this can also counter such attacks.
