WPA2 uses AES-CCMP-128 which is not efficient (or even feasible) for high data rates as it cannot be parallelized. WPA3 uses GCMP-128 or GCMP-256, which (in the case of 256-bit) is stronger security and also can achieve gigabit level speeds or higher due to being able to parallelize the encryption.

WPA2 is susceptible to offline-dictionary attack and the cost is quite low (less than $10), especially with cloud computing. WPA3 is resistant to offline dictionary attack.

If an adversary knows the WPA2 passphrase, the adversary can eavesdrop on connections between the AP device and the station device. In comparison, in WPA3, even if an adversary knows the passphrase, the adversary will not be able to decrypt communications between the AP and the station device. The adversary is still able to gain access to the network, but the attack surface area has been reduced.

WPA3 uses HMAC-SHA256 for key derivation, whereas WPA2 uses HMAC-SHA1. NIST and other cryptography agencies have recommended against the use of SHA1 in cryptographic systems due to known weaknesses.

WPA3 has many advantages over WPA2. In addition, most of the implementation for WPA3 is in software and also available as open source.

> WPA2 is susceptible to offline-dictionary attack and the cost is quite low (less than $10), especially with cloud computing.

I agree that offline attacks are a threat to WPA2, but do you have a cost breakdown/source/? for that cost figure? The attack to me is still in the realm of unlikely if not using a common, rainbow-tabled SSID and/or very simple password.

I am not involved in the GPU cloud compute area, so I only did a very quick check on EC2 GPU instance pricing. At about 10$ that translates to about 2 hours of g5.12xlarge with 4 high end GPUs. I am not familiar with these models, but I am assuming they are comparable to high end, current gen GPUs. To me 8 GPU hours sounds a bit on the low side, even for relatively weak passwords. For reference, it seems an RTX 3090 does about 1 MH/s [1]. 8 GPU hours on that card translates roughly to 230 billion (230x10^9) password variants, a lot, but not overwhelmingly a lot. An 8 character lower+upper+digit is estimated at about 47 bits, so roughly 140x10^12. A wordlist+mutation is likely far more efficient than a naive attack. I am on the fence whether this makes for a reasonable 10$ real world attack.

Happy to learn I am stuck in the past!

(The rainbow table I am talking about: https://www.renderlab.net/projects/WPA-tables/)

[1] https://gist.github.com/Chick3nman/e4fcee00cb6d82874dace7210...

(EDIT: * -> x, one day I will learn formatting)

>WPA3 uses HMAC-SHA256 for key derivation, whereas WPA2 uses HMAC-SHA1. NIST and other cryptography agencies have recommended against the use of SHA1 in cryptographic systems due to known weaknesses.

AFAIK SHA1 is only broken with respect to preimage/collision attacks. For generating random bits it's still perfectly fine. In other words, sha1 is broken, but not in ways that matter for its use in WPA2.

What are you using your raspberry pi for that is going to be attacked by people who can break SHA-1?

What are you using your PC for that is going to be attacked by people who can break TLS?

> susceptible to offline-dictionary attack and the cost is quite low (less than $10)

Only if it's a common password... you're saying this like it's a given, like you can break into anyone's WiFi for less than $10 after capturing a correct authentication challenge+response from a legitimate user.

If you have a stupid ISP in the area that uses crackable passwords, or tech-savvy users that change the password to something stupid, perhaps you'll have a decent recovery rate, but otherwise I'd estimate it's far below even odds whether this gets you into any given network.

Putting a dollar price on cracking a hash is like putting a dollar price on fresh air: if you have a laptop standing around, it's practically free to try a few million passwords; if you need a GPU farm, it may cost ten thousand euros; and it may be impossible if it's just not crackable (27 chars alphanumeric is just not possible, also not with a quantum computer in a thousand years, but you don't know that when all you've got is the challenge-response hash).

This sounds about right to me, but I’d like to point out the cost barrier differs into unrelated paradigms above/below OSI Layer 2.

I didn’t know WPA3 had parallelizeable encryption. That is great.

WPA3-only is mandatory if you want to use 6GHz frequencies though. At least for the gear we use, that means if you want 6GHz you either must only have devices that support WPA3 or you have to use a separate SSID for 6GHz clients to use. Fallback to WPA2 isn’t permitted.

I appreciate the sentiment, but new devices being sold that still don’t support WPA3 means the adoption of 6GHz is going to be a very slow process.

More info here since this is surprising to many: https://www.extremenetworks.com/resources/blogs/wireless-sec...

> I appreciate the sentiment, but new devices being sold that still don’t support WPA3 means the adoption of 6GHz is going to be a very slow process.

No, it just means the adoption of WPA3 is going to happen at the same speed of 6 Ghz. The point is that every device that supports 6Ghz has to support WPA3.It's not like you could do 6Ghz on your Raspberry Pi but lack of WPA3 blocks you from it.

There’s a nuance that I didn’t explain well. WPA2 and 6GHz clients can’t exist together on the same SSID. According to the specification, if you enable 6GHz, the whole network becomes exclusively WPA3. If you enable WPA2, that SSID can’t speak 6GHz. Having new non-WPA3 devices being sold is going to really slow down the adoption of 6GHz, because they can’t coexist. You can’t band steer 6GHz clients to a preferred 6GHz compatible WPA3 only network, it’s up to the user to pick the right SSID.

This is a draconian reading of the standard which I think no reasonable person would agree with.

If this is about 12.12.2, then it refers exclusively to the 6GHz STA, and not "to the entire network", which on Wi-Fi is a very loosely defined concept (same BSS? same ESS? already the standard forces different channels to use different BSSIDs).

Nothing prevents the 6 GHz AP's SSID from "coincidentally" being the same as the 2.5/5GHz AP. In fact, this is exactly how a/n works now: even though initially it was common for 5GHz STAs to operate on a different SSID, no one bothers to check, and nowadays I can barely find a consumer/business AP that _by default_ still keeps separate SSIDs for both 2.5 and 5.

While I can find APs that today by default give different SSIDs to 2.5/5 and 6 (oh, the irony), I have not found any that would prevent me from setting the same SSID to all; and some APs I have already set the same SSID to 2.5/5/6 by default. These all have the Wi-Fi logo.

> You can’t band steer 6GHz clients to a preferred 6GHz compatible WPA3 only network, it’s up to the user to pick the right SSID.

You have never been able to truly band steer clients since this is at the client's discretion. Even if you give everything the same SSID, the client may choose to prefer the 2.4GHz band instead -- this is also one of the reasons it was common to give both of them a different SSID early on, so that users could force 5GHz.

When commercial routers "band steer" they simply prevent the client from associating to to the lower bands (by e.g. hackishly not responding to probes at that band), thereby leaving the client with only one choice: the band you want.

Is that strictly true? Isn't there a whole transitional specification which allows clients to connect the same SSID with either WPA2 or WPA3?

Yes, but you can’t use it if you enable 6ghz according to the 6E specification.

But, here in the real world, you can. I know this because I do on my Netgear 6E WAPs.

Sounds like a dumb spec?

A spec which uses a new frequency and still makes it impossible to co-exist with existing previous versions of the spec on other, different frequencies is fundamentally dumb.

It would be like if USB-C required any device with USB C to not support any other USB types or specs. Seriously, what the hell!

And no, there is no practical reason for them to be mutually exclusive.

The single-threaded nature of WPA2 AES-CCMP-128 is the reason (in addition to not wanting to embed known weak security protocols). The higher speeds and later standardization of Wi-Fi 6E (as compared to Wi-Fi 6) made this, in my opinion, a reasonable trade-off.

For Wi-Fi to survive, it must bring improvements in security protocols /and/ user experience (speed, coverage, and ease of setup). While I agree that security configuration should ideally not be tied to the physical characteristics of the link, security tends to lag, and the driver is user experience. So, if we want to have a high baseline of security, we have to tie it to the driver, the craving for a better user experience (higher speed and better spectrum utilization).

Good standards make trade-offs in the right places (both in time and space). Dumb standards miss the goal. I cannot say that this is a dumb standard when it is evident that trade-offs have to be made. Using WPA2 would have impacted cost of equipment, performance and security negatively.

So instead, it won’t roll out widely for a decade plus due to active incompatibility, therefore rendering its improvements pointless for all but a tiny number of early adopters?

As I said, dumb.

Next version will likely include degrees of backward compatibility or workarounds, would be my guess. Since you can’t even iteratively roll it out!

That or routers will have parallel radios and 2x SSIDs, which would confuse everyone and add even more to the costs.

Yay for IPv4 vs IPv6 on wifi.

That's the sort of thing that gets put into specs, is completely ignored by everybody except the handful of companies that pushed to get it into the spec in the first place, and eventually generates enough market pressure than even they start to ignore it.

I can understand a desire to kill WPA2 (and I can make some guesses about some maybe less noble motives)... but the WiFi standards can't effectively mandate things the market won't accept. Little trademarked "certified" logos and whatnot end up losing out to "it actually works". Generating pain in the process.

Are there even computers with 6GHz but no WPA3 if "WPA3 or bust" is part of the 6GHz spec as you said?

Sounds to me like if something doesn't support WPA3, it also doesn't support 6GHz which makes the point moot.

The problem is that if you enable 6GHz on an existing 2.4/5 GHz SSID, you immediately kick off all WPA2 devices. So you have to create a unique SSID for 6GHz devices to use, which is kinda confusing to end users.

It also makes it harder to roam between 6/5/2.4 networks.

They didn’t save anything. The hardware they shipped supports it but Broadcom can’t be bothered to release a driver.

Paying engineers to develop said driver costs at least "a buck."

When the alternative is no connectivity, resulting in a product that gets returned at ever increasing rates, you have to go and fix the issue.

Already I have run across a plethora of devices that do not connect to networks in WPA2/WPA3 mix mode. Consumers who are not technically literate will return new hardware they buy that doesn't connect to their WPA3 enabled Wi-Fi network. Their iPhone and laptop connect to it without issue, thus it must be a defective device if your IoT thing won't connect to the existing WPA3 network.

So does that mean the Raspberry Pi 5 sold today could enable it at some point in the future, if someone like Broadcom decides to provide that driver?

Yes, it sure does.

A big thing with WPA3 is that it mandates protected management frames which means you can no longer be randomly deauthenticated by anyone with a WiFi card.

WPA3 (SAE) support enables OWE.