The Wi-Fi Protected Access protocol which released about 15 months ago was considered by important architects as the most resistant to the password-theft attacks which were rampant in the earlier protocols. But then this did not remain true for a long time, as researchers revealed that there were many serious design gaps in the WPA3, which destroyed its notion to be most secure till now. It led to serious questions regarding what the future of wireless security holds and also regarding the protection of cheap Internet-of-things devices.
There was a big improvement in the recent release over the previous weak models, but the current WPA2 protocol which has been in use since the 2000s has a very grave design flaw which has been known for a very long time. The four way handshake method – a cryptographic process which is used by the WPA2 to validate many devices such as computers, mobile phones, tablets to an access point and also vice versa stores the network password in a hashed form. Anyone who is in the range of the electronic device can record this handshake. After that, the devices are very vulnerable to digital thefts as the passwords which are short or those which are not random can be very easily cracked in a matter of a few seconds.
It was widely promoted that one of the major changes in the WPA3 was the use of Dragonfly which is a fully revamped handshake technique in which the four way handshake key is augmented with a Pairwise Master Key, as a result of which it possesses more entropy than the network passwords. In the world of WiFi this is known as the Simultaneous Authentication of Equals handshake or just SAE in short. A very crucial feature provided by SAE is that it protects the past sessions against any future attacks on the passwords. This is also known as forward secrecy.
The research paper titled “Dragonblood: A Security Analysis of WPA3’s SAE Handshake” reveals the many vulnerabilities which are present in WPA3, that make the users open to many of the attacks which threatened the users of WPA2. Researchers have warned that many of the faults can persist in the low-cost devices for years. The process of WPA3 being formalized by the WiFi Alliance industry group has also been criticized by the experts.
Experts have agreed on the conclusion that if the alliance agreed to the recommendation to move from the hash-to-group password format to hash-to-curve password encoding, then most of the exploits against the Dragonblood would not have worked.