WPA3-Personal

WPA3-Personal replaces the static PSK exchange of WPA2-Personal with SAE (Simultaneous Authentication of Equals), the password-authenticated key agreement also known as Dragonfly and specified in RFC 7664. Instead of proving knowledge of a key in a handshake whose frames double as an offline crack oracle, both sides run a balanced commit-and-confirm exchange. Each end commits to a value derived from the passphrase and a fresh ephemeral scalar, then confirms agreement. The result is a Pairwise Master Key that no passive listener can reconstruct.

Two properties follow. First, forward secrecy: every session derives a new PMK from fresh randomness, so recovering one passphrase does not retroactively decrypt past captures. Second, offline-dictionary resistance: a captured SAE exchange contains no material an attacker can grind against a wordlist, because each guess requires a fresh live interaction with the access point. WPA3-Personal also makes Protected Management Frames (PMF, IEEE 802.11w) mandatory, closing the deauthentication-and-disassociation forgery that drives WPA2 handshake capture. The standard is consolidated in IEEE 802.11-2020.

WPA3-Personal has no weakness toggle: it runs SAE-only, with no PSK path to downgrade to. The protocol-specific judgment is hardware and lesson choice. SAE needs a capable adapter, so the Wireless Interface dropdown flags cards that lack it with a yellow note such as No WPA3-SAE (legacy chipset); pick a capable one. Because SAE resists the offline crack that makes WPA2 labs quick, treat this network as a client-interoperability and protocol-behavior range rather than a passphrase-recovery exercise; for downgrade work, use WPA3-Transition (SAE+PSK) instead.

For the full New-Network walkthrough, see Networks.

WPA3-Personal is genuinely strong. There is no practical offline passphrase recovery against a correct SAE implementation, so the field reduces to implementation bugs and denial of service. Test clients and proof-of-concept tooling such as wpa_supplicant drive these from another machine.

Dragonblood timing side-channel (CVE-2019-9494)

The 2019 Dragonblood analysis of Dragonfly showed that some SAE implementations derived the password element (PWE) in variable time, leaking information about the passphrase through timing and cache-access patterns that could seed a partial offline dictionary attack.

# Time SAE Commit responses across many associations to a target BSSID
# and correlate response latency with candidate password groups.
tshark -i wlan0mon -Y "wlan.fixed.auth.alg == 3" -T fields \
  -e frame.time_epoch -e wlan.sa -e wlan.fixed.sequence

Judgment: real but implementation-specific and patched by hash-to-element (H2E); a side channel, not a handshake crack.

SAE Confirm denial of service (CVE-2019-9496)

A malformed or out-of-order SAE Confirm frame processed before a valid Commit caused some hostapd builds to mishandle state and crash the AP daemon, denying service to legitimate clients. It is a denial of service, not an authentication bypass: no key or credential is recovered.

# PoC frameworks craft an SAE Confirm ahead of Commit to probe state handling.
python3 dragondrain.py --interface wlan0mon --bssid AA:BB:CC:DD:EE:FF

Judgment: a state-machine crash in specific builds; fixed upstream, useful only against unpatched targets and only to deny service.

SAE anti-clogging DoS

An attacker floods spoofed SAE Commit frames to exhaust AP state before the anti-clogging cookie threshold engages, denying service to legitimate clients.

# Flood Commit frames from random source MACs to drive the AP into anti-clogging.
mdk4 wlan0mon a -a AA:BB:CC:DD:EE:FF

Judgment: a resource-exhaustion DoS, not a key compromise; sae_anti_clogging_threshold and sae_sync raise the bar but do not remove it.

Transition-mode downgrade

When SAE and WPA2-PSK coexist on one SSID, an attacker suppresses or strips the WPA3 information elements so a dual-mode client falls back to WPA2-PSK and loses forward secrecy, reopening offline capture.

# Stand up a WPA2-PSK rogue with the same SSID/BSSID to win the fallback.
hostapd rogue-wpa2.conf

Judgment: the practical lever against WPA3 deployments, but it only works in transition mode; a pure SAE network has nothing to downgrade to.

Most real WPA3-Personal deployments today run in transition mode for client compatibility, so the highest-value finding is rarely an SAE break: it is the WPA2-PSK fallback path sitting beside it. Pure WPA3-only networks resist the capture-and-crack loop that defines WPA2 engagements, and the Dragonblood-class bugs are largely closed on current firmware via hash-to-element. What remains exploitable in the wild is denial of service against the SAE handshake and the downgrade exposure of mixed-mode SSIDs. The honest takeaway for a lab report: WPA3-Personal moves the weak link off the passphrase and onto implementation quality and deployment mode.

Run WPA3-only wherever the client fleet allows, and reserve transition mode for genuine migration windows. Keep AP and client firmware current so hash-to-element PWE derivation and the patched SAE state machine are in force, closing CVE-2019-9494 and CVE-2019-9496. Leave PMF required (ieee80211w=2), which WPA3-Personal mandates anyway. Tune sae_anti_clogging_threshold and sae_sync to blunt Commit floods, and rate-limit management traffic at the controller where available. SAE removes the offline-dictionary risk, but a weak passphrase is still guessable through live online attempts, so retain a strong, high-entropy passphrase.

• IEEE 802.11-2020 - IEEE Standard for Information Technology (Wi-Fi MAC/PHY, incl. SAE and PMF)
• RFC 7664 - Dragonfly Key Exchange
• CVE-2019-9494 - SAE side-channel (Dragonblood timing/cache)
• CVE-2019-9496 - SAE Confirm denial of service (AP daemon crash)
• Related Tala WTE pages: WPA2-Personal, WPA3-Transition