WPA3 was developed with backward compatibility in mind: if WPA3 is enabled on a WPA2+PSK SSID (also called mixed mode), both WPA3 and WPA2-only clients can associate to the same SSID. This works as long as the SSID is configured to use the default PSK. If the SSID is configured with iPSK, however, WPA2-only clients can associate to the SSID using iPSK, but WPA3 clients fail to associate to it using iPSK, because the current WPA3 SAE negotiation does not take iPSK (a unique PSK per client) into account. WPA3 was also introduced to combat offline dictionary attacks on WPA2+PSK by using the SAE protocol, in which an attacker cannot go through a word list, compute a PMK that comes from the Dragonfly handshake, and test the MIC of a PTK offline without interacting with the Authenticator. WPA3 is nevertheless still vulnerable to online dictionary attacks. The technique presented herein proposes a method to support iPSK for WPA3 clients as well, which is especially beneficial for mixed-mode deployments (i.e., those supporting both WPA2 and WPA3 clients with iPSK). The method also decreases the attack surface of WPA3 by aborting (breaking) the SAE negotiation as early as possible.
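For reference, the WPA2 side of iPSK as an added example (not code from the disclosure, and not the proposed WPA3 method): the authenticator selects the passphrase by client MAC, derives the PMK and KCK with the standard WPA2-PSK PBKDF2 and PRF definitions, and checks the MIC of handshake message 2. The MAC-to-passphrase table, SSID, addresses, nonces and frame bytes are constructed assumptions.

```python
import hashlib
import hmac

# Hypothetical iPSK table (constructed): client MAC -> that client's own passphrase.
IPSK_BY_MAC = {
    bytes.fromhex("02aabbccdd01"): "printer-floor3-passphrase",
    bytes.fromhex("02aabbccdd02"): "camera-lobby-passphrase",
}

def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def kck_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # First block of the 802.11 PRF (HMAC-SHA1, counter 0); the KCK is the
    # first 16 bytes of the PTK, so one 20-byte block is enough here.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    msg = b"Pairwise key expansion" + b"\x00" + data + b"\x00"
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # HMAC-SHA1 MIC truncated to 16 bytes, over the frame with its MIC field zeroed.
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def supplicant_mic(passphrase, ssid, aa, spa, anonce, snonce, frame) -> bytes:
    # What a client holding `passphrase` would place in message 2.
    kck = kck_from_pmk(pmk_from_psk(passphrase, ssid), aa, spa, anonce, snonce)
    return eapol_mic(kck, frame)

def authenticator_accepts(ssid, aa, spa, anonce, snonce, frame, mic) -> bool:
    # iPSK: choose the passphrase by client MAC, then check the MIC as usual.
    passphrase = IPSK_BY_MAC.get(spa)
    if passphrase is None:
        return False
    expected = supplicant_mic(passphrase, ssid, aa, spa, anonce, snonce, frame)
    return hmac.compare_digest(expected, mic)

# Constructed handshake values for the demonstration.
SSID = "corp-iot"
AA = bytes.fromhex("02aabbcc0001")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
FRAME = b"constructed EAPOL-Key message 2 with zeroed MIC field"

if __name__ == "__main__":
    spa = bytes.fromhex("02aabbccdd01")
    own = supplicant_mic("printer-floor3-passphrase", SSID, AA, spa, ANONCE, SNONCE, FRAME)
    other = supplicant_mic("camera-lobby-passphrase", SSID, AA, spa, ANONCE, SNONCE, FRAME)
    print(authenticator_accepts(SSID, AA, spa, ANONCE, SNONCE, FRAME, own))
    print(authenticator_accepts(SSID, AA, spa, ANONCE, SNONCE, FRAME, other))
```

A client is accepted only with the passphrase bound to its own MAC; another client's passphrase, or an unlisted MAC, fails the MIC check.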
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
M M, Niranjan; Kothamasu, Vijay; and Kenchaiah, Nagaraj, "Method to support iPSK for WPA3 clients as well as reduce Online Dictionary Attacks", Technical Disclosure Commons, (May 17, 2022)