Help me understand SAE for WPA3
The Wi-Fi Alliance has announced that WPA3 will include the SAE protocol, which is based on the Dragonfly handshake, leaving behind the 4-way handshake used in WPA2 that was vulnerable to KRACK.
From what I could gather, the device and the router agree on some elliptic curve parameters prior to SAE. They apply a known transformation (e.g. PBKDF2) to the network password, and each STA generates the password element (PWE), a secret value (called rand), and a temporal value (called mask). These values shall not be used in successive protocol runs.
So once this is all derived, the SAE protocol uses two message exchanges to establish the connection: a commit and a verification message. STA-A generates the commit message using the PWE and the generated secrets.
When this is sent, if STA-B checks that the commit message is not validated (expects a value in the message that can be computed using the secrets generated in STA-B), then the authentication fails and the connection process is terminated. Otherwise, if successful, a key (K) is generated. Then K is hashed and a KCK and the PMK are derived from it.
A verification message is sent to STA-A. When STA-A receives the verification message, it verifies that the values given match with what STA-A expected. If everything is okay, then STA-A generates the PMK.
Now with the PMK, data encryption using AES can take place. Is what I understood correct?
Also, I have read that SAE provides forward secrecy. How is that achieved? Is a new PMK generated (i.e. key renovations) each time a message is sent (so does SAE run every time a message is sent)?
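The commit/confirm exchange described in the question, as an added example that is not part of the original post: both stations derive the PWE, send a commit (scalar, element), compute K, split it into KCK and PMK, and check each other's confirm tag. It assumes a finite-field group (the 1024-bit MODP prime from RFC 2409) in place of an elliptic curve so the arithmetic stays short, and it simplifies the PWE derivation, the KDF and the message encoding; the names `Sta`, `derive_pwe` and `run_sae` are hypothetical.

```python
import hashlib, hmac, secrets
# 1024-bit MODP safe prime (RFC 2409, Oakley group 2); Q is the prime subgroup order.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def derive_pwe(password, id_a, id_b):
    # Simplified hunting-and-pecking (assumption): hash with a counter, map into the subgroup.
    ids = "|".join(sorted((id_a, id_b)))
    for counter in range(1, 256):
        seed = hashlib.sha512(f"{ids}|{password}|{counter}".encode()).digest()
        pwe = pow(int.from_bytes(seed, "big"), 2, P)  # exponent (P-1)/Q == 2
        if pwe > 1:
            return pwe
    raise ValueError("no PWE found")

class Sta:
    def __init__(self, name, peer_name, password):
        self.pwe, self.scalar = derive_pwe(password, name, peer_name), 0
        while self.scalar < 2:  # fresh rand and mask on every protocol run
            self.rand, self.mask = (secrets.randbelow(Q - 2) + 2 for _ in range(2))
            self.scalar = (self.rand + self.mask) % Q
        self.commit = (self.scalar, pow(self.pwe, -self.mask, P))  # element = PWE^-mask

    def process_commit(self, peer_scalar, peer_element):
        if not (1 < peer_scalar < Q and 1 < peer_element < P) \
                or pow(peer_element, Q, P) != 1 or (peer_scalar, peer_element) == self.commit:
            raise ValueError("commit rejected")  # out of range, off-group, or reflected
        # K = (PWE^peer_scalar * peer_element)^rand = PWE^(rand_A * rand_B)
        k = pow(pow(self.pwe, peer_scalar, P) * peer_element % P, self.rand, P)
        okm = hashlib.sha512(k.to_bytes(128, "big")).digest()
        self.kck, self.pmk, self.peer = okm[:32], okm[32:], (peer_scalar, peer_element)

    def _tag(self, first, second):
        return hmac.new(self.kck, repr((first, second)).encode(), hashlib.sha256).digest()

    def confirm(self):
        return self._tag(self.commit, self.peer)

    def verify_confirm(self, tag):
        return hmac.compare_digest(tag, self._tag(self.peer, self.commit))

def run_sae(password_a, password_b):
    a, b = Sta("STA-A", "STA-B", password_a), Sta("STA-B", "STA-A", password_b)
    a.process_commit(*b.commit)
    b.process_commit(*a.commit)
    return b.verify_confirm(a.confirm()) and a.verify_confirm(b.confirm()), a.pmk, b.pmk
```

Two runs with the same password yield unrelated PMKs because `rand` and `mask` are drawn fresh for each handshake, not for each data frame.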