WPA2 vs WPA3: Why the Handshake Matters


A detailed breakdown of what changed between two generations of Wi-Fi security — and why the shift from a four-message exchange to a cryptographic dance called Dragonfly is a bigger deal than most people realize.


01 - Setting the Stage

Wi-Fi security has been a moving target since the late 1990s. WEP collapsed under academic scrutiny. WPA was a temporary band-aid. WPA2 — introduced in 2004 — became the bedrock of wireless security for nearly two decades. And now WPA3, standardized in 2018, is gradually taking its place.

But the transition is not just a version bump. WPA3 represents a fundamental rethinking of how devices authenticate each other on a wireless network. The centerpiece of that rethinking is the authentication handshake — the cryptographic ritual that establishes a shared secret before any real communication begins.

Key insight: "The weakness of WPA2 was not a flaw in AES encryption — it was a flaw in how the keys were derived before encryption even began."

To understand why WPA3 matters, we need to go deep into both handshakes: WPA2's 4-Way Handshake and WPA3's Dragonfly (SAE). Let's start from first principles.


02 - WPA2 and the 4-Way Handshake

How WPA2 Derives Keys

WPA2 uses a Pre-Shared Key (PSK) model in personal/home mode (WPA2-Personal). The Wi-Fi password you type is not used directly as an encryption key. Instead, it is passed through a PBKDF2 function (Password-Based Key Derivation Function 2) combined with the network SSID to produce a 256-bit value called the Pairwise Master Key (PMK).

This PMK is static — it does not change until the password changes. Every device that knows the password derives the same PMK. This is the root of WPA2's deepest vulnerability.


The 4-Way Handshake — Step by Step

Once a device (Supplicant) and access point (Authenticator) both hold the PMK, they engage in a four-message exchange to derive a session-specific Pairwise Transient Key (PTK) used to encrypt actual traffic.

[ WPA2 · 4-Way Handshake ]

Step 1 — AP → Client: ANonce (Authenticator Nonce)
  ↳ AP sends a fresh random number. No authentication yet — anyone can receive this.

Step 2 — Client → AP: SNonce + MIC
  ↳ Client generates SNonce.
  ↳ Derives PTK from: PMK + ANonce + SNonce + MAC addresses (both).
  ↳ Sends SNonce + Message Integrity Code (MIC) to prove PMK knowledge.

Step 3 — AP → Client: GTK + MIC
  ↳ AP derives the same PTK independently, verifies the MIC.
  ↳ Sends the Group Transient Key (GTK) for broadcast traffic, encrypted with PTK.

Step 4 — Client → AP: ACK + MIC
  ↳ Client acknowledges receipt of GTK.
  ↳ Both sides install PTK and GTK. Encrypted communication begins.
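The derivation described above, as an added Python example that is not from the article: it implements the real WPA2-Personal PBKDF2 and PRF-384 steps and the AP's MIC check on message 2. The MAC addresses, nonces and the EAPOL-Key body are constructed stand-ins (a real frame carries the full EAPOL header, but the MIC is computed the same way), and nothing but the PMK depends on the passphrase.

```python
import hashlib
import hmac
import secrets

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # Nothing per-session goes in, so every device and every session shares this value.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0.., cut to 48 bytes.
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(3)]
    return b"".join(blocks)[:48]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    # PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces) -> KCK | KEK | TK.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_384(pmk, b"Pairwise key expansion", data)
    return ptk[:16], ptk[16:32], ptk[32:48]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # Key descriptor version 2 (AES-CCMP): MIC = HMAC-SHA1(KCK, EAPOL-Key frame with MIC zeroed)[:16].
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def four_way(ap_passphrase: str, client_passphrase: str, ssid: str) -> dict:
    # Messages 1 and 2 of the handshake with constructed MAC addresses; the AP's MIC check on
    # message 2 is the only point at which it learns whether the client knows the passphrase.
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    anonce = secrets.token_bytes(32)  # message 1: AP -> client, sent unprotected
    snonce = secrets.token_bytes(32)
    kck_c, _, tk_c = derive_ptk(derive_pmk(client_passphrase, ssid), aa, spa, anonce, snonce)
    msg2 = b"\x02\x03" + snonce + b"\x00" * 16  # constructed EAPOL-Key body with MIC field zeroed
    mic = eapol_mic(kck_c, msg2)  # message 2: client -> AP, SNonce + MIC
    ap_pmk = derive_pmk(ap_passphrase, ssid)
    kck_a, _, tk_a = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    accepted = hmac.compare_digest(mic, eapol_mic(kck_a, msg2))  # AP verifies before sending message 3
    return {"accepted": accepted, "same_tk": tk_c == tk_a, "pmk": ap_pmk}
```

Running four_way twice with the same passphrase and SSID returns the same PMK each time, which is exactly the static value the rest of this section is about.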

The Vulnerabilities

1. Offline Dictionary Attack
An attacker who captures all four handshake messages (trivially done with any passive Wi-Fi adapter) can repeatedly guess passwords offline. For each guess, they derive the PMK, then the PTK, and check if the computed MIC matches. No connection to the network is needed. Tools like hashcat on a GPU can try billions of passwords per second.

2. No Forward Secrecy
All session keys derive from the static PMK. If an attacker records encrypted traffic today and learns the password in the future, they can decrypt everything retroactively. Past sessions are not protected.

3. KRACK Attack (2017)
A flaw in the handshake's retransmission logic allowed nonce reuse by replaying message 3, breaking AES-CCMP confidentiality without knowing the password at all.


03 - WPA3 and Dragonfly (SAE)

WPA3 replaces the PSK model with Simultaneous Authentication of Equals (SAE), also known as the Dragonfly Handshake — defined in IEEE 802.11-2016 and RFC 7664.

The fundamental design shift: instead of deriving a static secret from the password before the handshake begins, both parties engage in a zero-knowledge proof-based exchange where they prove knowledge of the password without ever transmitting anything derived from it in a recoverable form.


The Math Behind Dragonfly

SAE is a Password-Authenticated Key Exchange (PAKE) built on Diffie-Hellman in a prime-order group, which in WPA3 practice means Elliptic Curve Diffie-Hellman (ECDH) over a curve defined over a finite field.

Both parties map the password deterministically to a point P on an elliptic curve. This mapping — called the "hunting and pecking" method (or the newer, timing-safe hash-to-curve method) — produces a shared base point without revealing any information about the password itself.

Each party then generates an ephemeral (one-time) random scalar, performs scalar multiplication on the curve, and they exchange the resulting public values. The Diffie-Hellman shared secret they compute becomes the PMK for that session only.


The Dragonfly Handshake — Step by Step

[ WPA3 · SAE (Dragonfly) Exchange ]

Phase 1: COMMIT

  Client → AP: scalar_c + element_c
    ↳ scalar_c = (rand_c + mask_c) mod q (the group order), where rand_c and mask_c are fresh random private values
    ↳ element_c = inverse of (mask_c · PE), a curve point derived from the password element PE and mask_c
    ↳ No password or PMK information is transmitted — looks like random curve points.

  AP → Client: scalar_ap + element_ap
    ↳ AP computes independently using same password mapping + its own random scalar.

Phase 2: CONFIRM

  Client → AP: confirm token
    ↳ Both sides compute a shared PMK via ECDH using each other's commit values.
    ↳ Client sends H(PMK, scalars, elements) — proves it holds the correct PMK.

  AP → Client: confirm token
    ↳ AP sends its own confirm hash. Both verify.
    ↳ Only if BOTH parties know the correct password do the confirms match.

→ PMK established. A standard 4-Way Handshake then derives the session PTK.
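The commit/confirm exchange above, as an added Python example that is not from the article or from any Wi-Fi stack: it runs a simplified Dragonfly (SAE) over secp256k1, used here as a stand-in for WPA3's default P-256 group because its parameters are short to embed. It follows the RFC 7664 construction (scalar = (rand + mask) mod q, element = inverse of mask · PE, K = rand · (peer_scalar · PE + peer_element)), but the password element derivation and the key schedule are simplified stand-ins: a hash-and-retry loop without MAC addresses or anti-clogging tokens, and a plain HMAC instead of the SAE KDF.

```python
import hashlib, hmac, secrets

# secp256k1: y^2 = x^3 + 7 over F_P, prime order Q, cofactor 1 (stand-in for WPA3's P-256 group).
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(p1, p2):
    # Affine point addition and doubling; None is the point at infinity.
    if p1 is None or p2 is None: return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P
def ec_mul(k, pt):
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r
def password_element(password: bytes):
    # Simplified hunting-and-pecking: hash password||counter to x until it lies on the curve.
    # The password-dependent iteration count is the timing leak Dragonblood exploited.
    for counter in range(1, 256):
        x = int.from_bytes(hashlib.sha256(password + bytes([counter])).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P ≡ 3 (mod 4)
        if y * y % P == rhs: return x, y
    raise ValueError("no password element found")
def commit(pe):
    # Commit message: scalar = (rand + mask) mod Q, element = -(mask * PE); rand never leaves the host.
    rand, mask = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    ex, ey = ec_mul(mask, pe)
    return rand, (rand + mask) % Q, (ex, (-ey) % P)
def shared_keys(rand, pe, peer_scalar, peer_element):
    # K = rand * (peer_scalar * PE + peer_element) = (rand * peer_rand) * PE on both sides.
    kx, _ = ec_mul(rand, ec_add(ec_mul(peer_scalar, pe), peer_element))
    keyseed = hmac.new(b"\x00" * 32, kx.to_bytes(32, "big"), hashlib.sha256).digest()
    return keyseed[:16], keyseed[16:]  # (KCK, PMK); real SAE derives these with a KDF
def confirm(kck, sc_a, el_a, sc_c, el_c):
    msg = b"".join(v.to_bytes(32, "big") for v in (sc_a, *el_a, sc_c, *el_c))
    return hmac.new(kck, msg, hashlib.sha256).digest()

def sae(client_pw: bytes, ap_pw: bytes) -> bool:
    # Both commits, then the client verifies the AP's confirm with its own KCK.
    pe_c, pe_a = password_element(client_pw), password_element(ap_pw)
    rand_c, sc_c, el_c = commit(pe_c)
    rand_a, sc_a, el_a = commit(pe_a)
    kck_c, _ = shared_keys(rand_c, pe_c, sc_a, el_a)
    kck_a, _ = shared_keys(rand_a, pe_a, sc_c, el_c)
    return hmac.compare_digest(confirm(kck_a, sc_a, el_a, sc_c, el_c), confirm(kck_c, sc_a, el_a, sc_c, el_c))
```

sae() returns True only when both sides mapped the same password to the same PE; the values that cross the air (scalar, element) are a field element and a curve point with nothing for a passive observer to test a guess against.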

Why This Eliminates the Attacks

1. No offline dictionary attacks
An attacker who captures the commit messages gets elliptic curve points — mathematically indistinguishable from random values without knowing the password. Every guess requires a new live interaction with the network (online attack), which can be rate-limited and detected.

2. Perfect Forward Secrecy (PFS)
Each session uses a fresh ECDH exchange, producing a unique PMK. Compromising the password later does not decrypt past traffic — the ephemeral scalars were never stored.

3. Mutual authentication by design
Both client and AP prove knowledge of the password simultaneously. Neither learns anything about the other's private value beyond the proof of correctness.

4. Resistance to passive eavesdropping
Even an attacker who records every packet of the SAE exchange gains nothing computationally useful. Recovering the private scalars from the exchanged points would require solving the elliptic-curve discrete logarithm problem, which remains hard.


04 - WPA2 vs WPA3 — Full Comparison

Feature                      | WPA2                                  | WPA3
-----------------------------|---------------------------------------|--------------------------------------------
Authentication               | Pre-Shared Key (PSK)                  | SAE / Dragonfly (PAKE)
Handshake                    | 4-Way (static PMK)                    | Dragonfly + 4-Way (ephemeral PMK)
Key Derivation               | PBKDF2 (static, deterministic)        | ECDH with ephemeral scalars
Forward Secrecy              | ❌ None                               | ✅ Perfect Forward Secrecy
Offline Dictionary Attack    | ❌ Possible from captured handshake   | ✅ Not possible — requires live interaction
Encryption (Personal)        | AES-CCMP (128-bit)                    | AES-GCMP-256 (256-bit)
Management Frame Protection  | Optional (MFP)                        | Mandatory (PMF)
Open Network Security        | None                                  | OWE (Opportunistic Wireless Encryption)
Enterprise Encryption        | 128-bit minimum                       | 192-bit minimum (CNSA suite)
KRACK Attack                 | ❌ Vulnerable                         | ✅ Not applicable — handshake redesigned
Deauth Attack Surface        | High (unprotected management frames)  | Reduced (PMF mandatory)
IoT / Low-power Devices      | Low CPU overhead                      | Higher SAE CPU cost; transition mode helps

05 - Real-World Implications

For IoT and Embedded Devices

From an embedded systems perspective, WPA3's Dragonfly handshake introduces non-trivial compute requirements. Elliptic curve operations on resource-constrained MCUs — think Cortex-M4 or similar — require careful attention.

The original "hunting and pecking" algorithm in SAE was also vulnerable to timing side-channel attacks (Dragonblood, 2019), leading to a timing-safe hash-to-curve replacement in the standard. Implementors using Zephyr OS or similar RTOSes must verify their Wi-Fi module firmware implements SAE correctly.

For Enterprise Networks

WPA3-Enterprise mandates a 192-bit security mode using GCMP-256, HMAC-SHA-384, and ECDH/ECDSA with 384-bit elliptic curves — aligning with the NSA's Commercial National Security Algorithm (CNSA) suite. For organizations handling sensitive data, this is a meaningful upgrade over WPA2-Enterprise's 128-bit minimum.

For Home Users

The most tangible benefit is offline dictionary attack immunity. A captured WPA3 handshake is useless to crack offline. Password spray attacks are forced online, where they can be detected and blocked.

⚠ Transition Mode Warning: WPA3's transition mode (which supports both WPA2 and WPA3 clients simultaneously) introduces a downgrade attack surface — a WPA3-capable client can be forced to connect via WPA2 by a rogue AP. Pure WPA3-only mode eliminates this, at the cost of legacy device compatibility.


⚠ Dragonblood (2019) — Known SAE Vulnerabilities

Researchers Mathy Vanhoef and Eyal Ronen published the Dragonblood paper identifying two classes of SAE vulnerabilities:

  • Cache-based side-channels
  • Timing side-channels in the hunting-and-pecking algorithm

These allowed partial password recovery under certain conditions. The Wi-Fi Alliance responded with countermeasures including adoption of constant-time hash-to-curve methods, codified in IEEE 802.11-2020. Most modern WPA3 implementations have patched these. The structural advantages of SAE remain intact.


The Bottom Line

WPA2's 4-Way Handshake was clever for its era, but it was built on the assumption that the pre-shared key would stay secret forever. WPA3's Dragonfly handshake removes that assumption entirely — each session generates fresh keying material, and capturing the handshake gives an attacker nothing to work with offline.

The move from PSK to SAE is not just a protocol revision. It is a shift from security through secrecy to security through mathematics. Whether you're securing a home router, an embedded IoT gateway, or an enterprise access point, understanding this distinction is the foundation of making sound wireless security decisions.


If this was useful → share it with someone still running WPA2 on their home router.