
Understanding WPA3-Personal and Transition Mode Through Real-World Packet Captures

Nathiya_M
Extreme Employee

Introduction:

The Wi-Fi Alliance introduced WPA3 in 2018 as the successor to WPA2. It was released to address the security limitations of WPA2, such as offline dictionary attacks and the KRACK and Kraken attacks. Like WPA2, WPA3 comes in two variants, Personal and Enterprise, but with significant improvements in authentication and encryption. This article focuses on the differences between WPA3-Personal and Transition Mode, illustrated with real-world packet captures.

 

Why WPA3 and Not WPA2:

Before we dive into the WPA3 modes, it is important to understand why WPA3 is needed and why WPA2 is no longer sufficient. The WPA2 security standard has been in use since 2004 and is still widely deployed, while as of now not many devices support WPA3. In WPA2-Personal, security depends heavily on the strength of the passphrase: the passphrase is converted directly into the PMK, which is then used in the 4-way handshake for key derivation. When weak passwords are used, WPA2 networks are vulnerable to KRACK and offline dictionary attacks. WPA3-Personal, by contrast, uses SAE (Simultaneous Authentication of Equals) to generate the PMK, which offers stronger resistance to offline dictionary attacks. The table below highlights the major improvements WPA3 introduces over WPA2.

 

WPA2 vs. WPA3:

| Feature                    | WPA2                                                | WPA3                                              |
|----------------------------|-----------------------------------------------------|---------------------------------------------------|
| Encryption                 | AES-CCMP                                            | GCMP-256 / AES-CCMP                               |
| Key Size                   | 128-bit                                             | 128-bit, and 192-bit for Enterprise               |
| Authentication Types       | PSK / Enterprise                                    | SAE / Enterprise                                  |
| PMF Support                | Optional                                            | Mandatory                                         |
| Forward Secrecy            | Not supported                                       | Supported                                         |
| Security Level             | High                                                | Very high                                         |
| Protection against Attacks | Susceptible to KRACK and offline dictionary attacks | Resistant to KRACK and offline dictionary attacks |
| Backward Compatibility     | Supports WPA-PSK                                    | Supports WPA2-PSK in Transition Mode              |

 

WPA3 Types:

  1. WPA3-Personal
  2. WPA3-Enterprise

 

Types are further divided into:

 

Nathiya_M_0-1756219010454.png

 

WPA3:

SAE is the authentication type used in WPA3, but it is not new to wireless. It was first introduced in mesh networks (802.11s) to allow APs to discover and authenticate with each other simultaneously. SAE belongs to a family of protocols known as Password-Authenticated Key Exchanges (PAKEs), which let two devices prove they both know the same password without ever sending it across the air. To achieve this, WPA3 uses the Dragonfly handshake, a two-step process where the client and access point exchange special cryptographic values (commit and confirm messages). These values act like proofs that the password is correct, but without revealing the password itself. The result is a shared secret that is unique for every client–AP connection, which then becomes the basis for the Pairwise Master Key (PMK). This design not only blocks offline dictionary attacks but also ensures forward secrecy, so that even if the Wi-Fi password is stolen later, previously captured traffic remains secure. In addition to SAE, WPA3 makes Protected Management Frames (PMF) mandatory, blocking spoofed disassociation or deauthentication frames that plagued WPA2.

 

How is the PMK generated in WPA3-Personal mode?

For clarity, the explanation below is kept simple and focuses only on the essential steps. It is not intended to cover the full mathematics or cryptographic proof behind SAE and Dragonfly.

Dragonfly Handshake - Steps:

1. Generating Private Values:

  • Both the AP and the client pick two random numbers, ‘r’ and ‘m’:
    • ‘r’ - a private random value (acts like a private key)
    • ‘m’ - a masking value that hides the private value
  • These values are never shared with the other side.

2. Creating the PWE:

  • The passphrase, together with both devices’ MAC addresses, is used as the seed to create the Password Element (PWE).
  • The PWE is mapped to a point on the elliptic curve. This mapping uses a process called hunting and pecking, where the password, the MAC addresses and a counter are repeatedly hashed until a valid curve point is found.
  • SAE allows up to 40 attempts.
  • The PWE is therefore unique for each client-AP pair.

 

Nathiya_M_1-1756219279731.png

 

3. Scalar:

  • A scalar is computed as:
    • scalar = (r + m) mod q, where ‘q’ is the order of the elliptic curve group
  • The scalar is sent as part of the commit frame.

4. Creating the Public Key / Element:

  • Using the mask value and the PWE, both devices create a public element:
    • element = -m × PWE (scalar multiplication of the PWE point by -m)

5. Commit Phase:

  • Both devices initiate the ECDH exchange by sending their calculated scalar and element (FFE).
  • No private value and no actual password is revealed here.
  • Once each side has received the other’s public values, it combines them with its own private value to compute the shared secret.

6. Confirm Phase:

  • Both devices send a ‘confirm’ message once they have derived the shared secret.
  • This works as a zero-knowledge proof: each side proves knowledge of the password-derived secret without exposing the password itself.
  • The confirm messages are validated on both sides (mutual authentication), confirming that both parties derived the same shared secret without the password ever being transmitted.

7. PMK Derivation:

  • Once both sides agree on the shared secret, a Key Derivation Function (KDF) expands it into the Pairwise Master Key (PMK).
  • From here, the 4-way handshake is the same as in WPA2-PSK: the PTK and GTK are derived from the PMK to protect user traffic.

 

PMK derivation in a flow chart:

Nathiya_M_2-1756219824110.png
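The seven steps above carried through end to end, as an added example (not code from the article, nor from ExtremeCloud IQ). It uses SAE's finite-field (MODP) form of the same algebra with a constructed toy safe prime p = 10007 instead of group 19, so the commit and confirm arithmetic stays readable; the KDF split, the 2-byte encodings and the MAC addresses are simplified, constructed assumptions.

```python
import hashlib, hmac, secrets
P, Q = 10007, 5003                 # toy safe prime p = 2q + 1, NOT a real SAE group
LABEL = b"SAE KCK and PMK"

def H(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()
def enc(*vals: int) -> bytes:      # fixed-width encoding of scalars and elements
    return b"".join(v.to_bytes(2, "big") for v in vals)

def derive_pwe(password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """Step 2 (hunting and pecking): hash password, MACs and a counter, up to 40 times."""
    macs = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, 41):
        seed = int.from_bytes(H(macs, password + bytes([counter])), "big") % P
        pwe = pow(seed, (P - 1) // Q, P)          # project into the order-q subgroup
        if pwe > 1:                               # valid PWE found
            return pwe
    raise ValueError("no PWE found in 40 attempts")

class Peer:
    def __init__(self, pwe: int):
        self.pwe, self.scalar = pwe, 0
        while self.scalar < 2:                     # SAE requires scalar > 1; redraw otherwise
            self.r, self.m = (secrets.randbelow(Q - 2) + 2 for _ in range(2))  # step 1: r and mask m
            self.scalar = (self.r + self.m) % Q    # step 3: scalar = (r + m) mod q
        self.element = pow(pwe, Q - self.m, P)     # step 4: PWE^(-m), the FFC form of -m x PWE
    def process_commit(self, peer_scalar: int, peer_element: int) -> None:
        """Step 5: validate the peer's commit, derive shared secret k, then KCK and PMK."""
        if not (1 < peer_scalar < Q and 1 < peer_element < P) or pow(peer_element, Q, P) != 1:
            raise ValueError("rejected commit: scalar or element out of range")
        self.peer = (peer_scalar, peer_element)
        k = pow(peer_element * pow(self.pwe, peer_scalar, P) % P, self.r, P)   # = PWE^(r * peer_r)
        keyseed = H(b"\x00" * 32, enc(k))
        ctx = enc((self.scalar + peer_scalar) % Q)
        self.kck = H(keyseed, b"\x01" + LABEL + ctx)   # simplified KDF: first block is the KCK,
        self.pmk = H(keyseed, b"\x02" + LABEL + ctx)   # second block is the PMK (step 7)
    def confirm(self, send_confirm: int) -> bytes:     # step 6: proves KCK, never the password
        return H(self.kck, enc(send_confirm, self.scalar, self.element, *self.peer))
    def verify(self, send_confirm: int, token: bytes) -> bool:
        expected = H(self.kck, enc(send_confirm, *self.peer, self.scalar, self.element))
        return hmac.compare_digest(expected, token)

def run_sae(client_pw: bytes, ap_pw: bytes, mac_c=b"\x02\x00\x00\x00\x00\x01",
            mac_a=b"\x02\x00\x00\x00\x00\x02") -> tuple:       # MACs are constructed values
    """Commit frames 1 & 2, then confirm frames 3 & 4 (Send-Confirm 1 from client, 0 from AP)."""
    client, ap = Peer(derive_pwe(client_pw, mac_c, mac_a)), Peer(derive_pwe(ap_pw, mac_c, mac_a))
    client.process_commit(ap.scalar, ap.element)
    ap.process_commit(client.scalar, client.element)
    ok = ap.verify(1, client.confirm(1)) and client.verify(0, ap.confirm(0))
    return ok, client.pmk == ap.pmk       # (confirm accepted, both sides hold the same PMK)
```

With the same passphrase on both sides run_sae returns (True, True); with different passphrases both sides still exchange valid-looking commits, but the confirm check fails and the PMKs differ, which is why the password itself never has to leave either device.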

 

 

Understanding the WPA3-Personal mode connection flow from packet capture:

I used an ExtremeCloud IQ controller and AP [on-premise] for this testing. WLAN / SSID configuration from the XIQ-C controller running version 10.14.01:

Nathiya_M_3-1756219951205.png

1. Packets # 1113 to 1173 - the complete WPA3-Personal connection flow.

Nathiya_M_5-1756220027074.png

2. Beacon & Probe Response frames show the RSN Information of the BSS.

  • Supported “Group Cipher Suite”, “Pairwise Cipher Suite”, “Auth Key Management” and “PMF Support” details.
  • Auth Key Management 00-0F-AC:8 indicates SAE is used.
  • Management frame Protection Required [MFPR] and Management frame Protection Capabilities [MFPC] both set to True indicate PMF is mandatory.

Nathiya_M_7-1756220275434.png

3. Authentication Frames 1 & 2 - Commit messages: Packets # 1148 & 1157

  • Authentication Frame 1 - client to AP
  • Authentication Frame 2 - AP to client
    • Status code: Successful
    • SAE message type: Commit (1)
    • Group ID: 19 - the cryptographic group used for ECDH (Elliptic Curve Diffie-Hellman)
    • Scalar - the masked private value derived from r and m
    • FFE - the element (public key)

Nathiya_M_10-1756220561754.png

4. Authentication Frames 3 & 4 - Confirm messages: Packets # 1161 & 1162

  • Authentication frames 3 & 4 - from client to AP and vice versa.
    • Status code: Successful
    • SAE message type: Confirm (2)
    • From client to AP: Send-Confirm 1
    • From AP to client: Send-Confirm 0
    • Confirm: the Key Confirmation Token (a KCK-derived MAC)

Nathiya_M_11-1756220669556.png

5. How to confirm in the capture that the PMK was generated:

  • After successful PMK generation, the exchange continues into the 4-way key handshake with no errors in the flow.

--------------------------------------------------------------------

WPA3-Personal Transition Mode:

WPA3 Transition Mode exists to support mixed-device deployments and provide backward compatibility. As of now, not all devices are WPA3-capable. For customers who want the added security but also need to support WPA2 devices at the same time, the solution is WPA3 Transition Mode. In Transition Mode, PMF is optional, which allows WPA2 clients to connect.

WLAN SSID configuration for WPA3-Transition:

Nathiya_M_12-1756220740463.png

 

How to identify the difference between WPA3-Personal and Transition Mode in the packet capture?

  1. A BSS running WPA3-Transition Mode broadcasts both AKM suites. This can be checked in the “Beacon” and “Probe Response” frames.
    • The packet capture image shows both the PSK and SAE AKM suites.
      • 00-0F-AC:2 indicates PSK is used.
      • 00-0F-AC:8 indicates SAE is used.
    • PMF is optional:
      • Management frame Protection Required [MFPR] --> False
      • Management frame Protection Capabilities [MFPC] --> True (together these values indicate PMF is optional).

Nathiya_M_13-1756221028985.png

2. The image below shows the connection flow of a WPA2-only client connecting to the WPA3 Transition SSID. It uses the PSK AKM suite for the connection, with the same passphrase that is configured for WPA3.

  • Unlike WPA3, which uses 4 authentication frames, this capture shows only 2.
  • The authentication algorithm is “Open System” and not “SAE”.

Nathiya_M_15-1756221121504.png

 

How to check whether WPA3 is configured to use FT?

This option varies by vendor. ExtremeCloud APs support WPA3 SAE with FT. If the AP supports 802.11r, how can this be checked in the packet capture?

  • As discussed before, the “Auth Key Management” field of the RSN Information in the “Beacon” and “Probe Response” frames will show two SAE types:
    • Auth Key Management 00-0F-AC:8 --> SAE is used.
    • Auth Key Management 00-0F-AC:9 --> FT using SAE is used.
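The checks in this section and in the Transition Mode section above can be automated. The parser below is an added example (not the article's or the vendor's code): it decodes the RSN Information element as carried in Beacon and Probe Response frames and applies the article's rules (AKM 00-0F-AC:8 = SAE, :2 = PSK, :9 = FT-SAE, plus the MFPR/MFPC bits) to classify an SSID; the three IEs are constructed to mirror the captures, not extracted from them.

```python
import struct

OUI = b"\x00\x0f\xac"                                # 00-0F-AC, the IEEE 802.11 suite OUI
AKM_NAMES = {2: "PSK", 8: "SAE", 9: "FT-SAE"}        # selector values quoted in the article

def suite_str(sel: bytes) -> str:
    """Render a suite selector the way the article writes it, e.g. 00-0F-AC:8."""
    return "%02X-%02X-%02X:%d" % tuple(sel)

def parse_rsn(ie: bytes) -> dict:
    """Parse Element ID 48 up to RSN Capabilities (the optional PMKID list is ignored)."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN IE (element ID 48)")
    body, off = ie[2:2 + ie[1]], 2                   # skip the 2-byte version field
    group, off = body[off:off + 4], off + 4
    n_pair, off = struct.unpack_from("<H", body, off)[0], off + 2
    pairwise, off = [body[off + 4 * i:off + 4 * i + 4] for i in range(n_pair)], off + 4 * n_pair
    n_akm, off = struct.unpack_from("<H", body, off)[0], off + 2
    akms, off = [body[off + 4 * i:off + 4 * i + 4] for i in range(n_akm)], off + 4 * n_akm
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": suite_str(group), "pairwise": [suite_str(s) for s in pairwise],
            "akm": [AKM_NAMES.get(s[3], suite_str(s)) for s in akms if s[:3] == OUI],
            "mfpr": bool(caps & 0x40), "mfpc": bool(caps & 0x80)}   # capability bits 6 and 7

def classify(ie: bytes) -> dict:
    """Article's rules: SAE only = WPA3-Personal, SAE + PSK = Transition, FT-SAE
    present = 802.11r enabled, MFPR/MFPC together decide whether PMF is mandatory."""
    r = parse_rsn(ie)
    akm = set(r["akm"])
    mode = ("WPA3-Transition" if {"SAE", "PSK"} <= akm
            else "WPA3-Personal" if akm & {"SAE", "FT-SAE"}
            else "WPA2-Personal" if "PSK" in akm else "unknown")
    pmf = "required" if r["mfpr"] and r["mfpc"] else ("optional" if r["mfpc"] else "disabled")
    return {"mode": mode, "ft": "FT-SAE" in akm, "pmf": pmf, "akm": r["akm"]}

def build_rsn(akm_ids, mfpr: bool, mfpc: bool) -> bytes:
    """Construct a minimal RSN IE (version 1, CCMP-128 group and pairwise) for the samples."""
    caps = (0x40 if mfpr else 0) | (0x80 if mfpc else 0)
    body = (struct.pack("<H", 1) + OUI + b"\x04" + struct.pack("<H", 1) + OUI + b"\x04"
            + struct.pack("<H", len(akm_ids)) + b"".join(OUI + bytes([a]) for a in akm_ids)
            + struct.pack("<H", caps))
    return bytes([48, len(body)]) + body

SAMPLES = {   # constructed to mirror the three captures described in the article
    "wpa3_personal": build_rsn([8], mfpr=True, mfpc=True),
    "wpa3_transition": build_rsn([2, 8], mfpr=False, mfpc=True),
    "wpa3_ft": build_rsn([8, 9], mfpr=True, mfpc=True),
}
```

Feeding parse_rsn the raw bytes of a real RSN IE exported from a capture gives the same "00-0F-AC:n" strings the article reads off the decoded Beacon, so classify can be run over every BSS seen in a survey.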

Nathiya_M_16-1756221247079.png

 

What happens when a non-WPA3 client tries to connect to a WPA3-Personal SSID:

Visual look:

When clicking the WLAN icon, the WPA3 SSID is shown with an “X” symbol and there is no option to ‘connect’. The message shows ‘Can’t connect to this network’.

Nathiya_M_17-1756221340604.png

 

How to check the wireless NIC’s WPA3 support on a Windows laptop:

  • Run netsh wlan show drivers to verify the list of AKM suites supported by the wireless NIC.

Nathiya_M_19-1756221411089.png

 

WPA3 Strengths & Weaknesses:

| Category                  | Strengths                                                                     | Weaknesses / Challenges                                                                                            |
|---------------------------|-------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
| Authentication            | SAE resists offline dictionary and KRACK attacks and provides forward secrecy | Transition Mode allows WPA2-PSK, which reduces the overall security                                                |
| Encryption                | WPA3-Enterprise supports the 192-bit CNSA suite (AES-GCMP-256, SHA-384, ECC)  | Not all vendors/clients fully support the advanced suites                                                          |
| Management Frame Security | Mandatory PMF protects against spoofed de-auth/disassociation attacks         | Legacy clients without PMF cannot connect                                                                          |
| Roaming / Mobility        | Supports PMK caching and FT                                                   | Roaming behavior is inconsistent across vendors; full SAE re-authentication was observed at times in WPA3-Personal |

 

 

Conclusion:

WPA3 strengthens Wi-Fi security by replacing PSK with SAE, enforcing Protected Management Frames, and introducing stronger encryption for both personal and enterprise deployments. While Transition Mode and inconsistent roaming remain challenges, WPA3 is a significant step forward. Organizations should plan phased migrations, retire WPA2 when possible, and adopt WPA3-only SSIDs to achieve the best balance of security and performance.