Page Content

Tutorials

Load more

What is Simultaneous Authentication of Equals Explained

CCNA
Agarapu Geetha
Author: Agarapu Geetha
3 min.read

SAE Simultaneous Authentication of Equals

A contemporary, safe, password-based technique for key establishment and authentication is the Simultaneous Authentication of Equals (SAE) protocol. It is a fundamental part of the Personal Wi-Fi security standard, WPA3.

SAE operates as a Password-Authenticated Key Exchange (PAKE), which means that without ever exchanging the password or a hash of it, the client and the Access Point (AP) safely create a shared key while concurrently authenticating one another. This procedure is mirrored in its name, which indicates that the authentication process is started equally and simultaneously by the client and the AP.

Simultaneous Authentication of Equals
Simultaneous Authentication of Equals

You can also read What is Split MAC Architecture, Functions, and Benefits

Context and Replacement of WPA2-PSK

SAE was created to take the place of WPA2-Personal mode’s less secure Pre-Shared Key (PSK) exchange mechanism.

Vulnerability of PSK: An attacker could listen in and record the first four-way handshake in WPA2-PSK. In order to crack the password, they may then take the cryptographic hash offline and use a dictionary attack, sometimes known as a brute-force attack.

SAE Solution: SAE is made especially to stop these offline dictionary attacks and greatly improves the key exchange. An attacker cannot obtain the hash required to carry out an offline attack using SAE. Attacks are incredibly sluggish and impractical since each password guess requires an attacker to communicate directly with the network.

Mechanism: The Dragonfly Handshake

The Dragonfly Key Exchange, as described in RFC 7664, is the foundation of SAE. The Dragonfly Handshake is a common term used to describe the complete SAE procedure. Using finite cyclic groups, such as elliptic curves, it makes use of Diffie-Hellman key exchange (also known as elliptic curve cryptography, or ECC).

The key steps in the SAE process are:

  • Commit Exchange (Messages 1 and 2): Random numbers are generated by the AP and the client device. They individually determine a cryptographic commitment using these random values, their MAC addresses, and the shared password. The password itself is never sent, but these commitment messages are.
  • Key Derivation: Both parties separately compute the identical Pairwise Master Key (PMK) using the data they got in the other party’s Commit message, their own secret numbers, and the information derived from the password. Passive capture of the exchange prevents an offline password attack since the password and the shared secret (the PMK) are modified by transitory, random values selected by both parties.
  • Confirm Exchange (Messages 3 and 4): Confirm messages with a hash based on the determined PMK are exchanged between the two parties. This establishes both parties as “equals” by mutually confirming that they both have the right shared password.
  • 4-Way Handshake: The conventional WPA 4-way handshake, which creates the transitory session encryption keys required for data transfer, is initiated using the well-known, cryptographically robust PMK if the confirmations are successful.

You can also read What is Extended Service Set Advantages and Disadvantages

Key Security Benefits

SAE improves Wi-Fi security in a number of ways:

  • Resistance to Offline Attacks: It keeps hackers from recording the handshake and using the shared password to launch offline brute-force attacks.
  • Mutual Authentication: Without broadcasting the password over the air, both the client and the AP demonstrate that they are aware of it.
  • Forward Secrecy: SAE offers forward secrecy. Every connection generates a different encryption key that is exclusive to the session. This makes it impossible for an attacker to decrypt previously recorded traffic using the network password in the event that it is later hacked.
  • Enhanced Resilience: Even when users select weaker passwords, SAE offers strong authentication. Additionally, it provides defence against flaws in WPA2’s 4-way handshake, including those associated with Key Reinstallation Attacks (KRACK).

Implementation and Security Notes

Initially, IEEE 802.11 mesh networks used SAE for peer-to-peer communication. It is utilized in the WPA3-Personal mode.

It is significant to remember that a 2019 research discovered flaws in WPA3’s Dragonfly handshake, also referred to as Dragonblood, that would have enabled an attacker nearby to retrieve the password or assume the identity of a user and get access to the network without knowing the password.

By employing a public-private key pair to confirm the legitimacy of the network, an optional enhancement called SAE Public Key (SAE-PK) can offer even higher security, especially against evil twin attacks.

You can also read What is Basic Service Set Definition, Types and Advantages

Previous article
What is Split MAC Architecture, Functions, and Benefits
Next article
Identity Services Engine Cisco Core Functions and Benefits
Agarapu Geetha
Agarapu Geetha
My name is Agarapu Geetha, a B.Com graduate with a strong passion for technology and innovation. I work as a content writer at Govindhtech, where I dedicate myself to exploring and publishing the latest updates in the world of tech.

About Us 

Contact Us

Privacy Polacy

Disclaimer

© G Solutions

Index