A Comprehensive Guide to Simultaneous Authentication of Equals (SAE) in WPA3

 Simultaneous Authentication of Equals (SAE) 

SAE is a password‑authenticated key exchange (PAKE) protocol used in WPA3‑Personal Wi‑Fi networks.

It replaces the older PSK (Pre‑Shared Key) approach used in WPA2.

SAE is based on the Dragonfly key exchange protocol and provides a far more secure method for establishing encryption keys on wireless networks.

1. Why SAE Exists

Under WPA2-PSK, a weak password made the network vulnerable to:

• Offline dictionary attacks
• Attackers could capture the 4‑way handshake and brute‑force it offline without interacting with the network.
• No forward secrecy
• If the PSK was discovered later, past traffic could be decrypted.

SAE solves these problems.

2. What SAE Does

SAE provides:

• Mutual authentication
• Both the client and the access point demonstrate knowledge of the password without revealing it.
• Forward Secrecy
• The encryption keys change for each session.
• If the password leaks later, old traffic cannot be decrypted.
• Protection from Offline Cracking
• An attacker cannot capture a handshake and brute‑force it later.
• They must perform live, interactive attempts—slowing attacks drastically.
• Resistance to Passive Attacks
• Simply listening to the traffic gives no useful information about the password.

3. How SAE Works (Step-by-Step)

SAE is a two‑phase handshake:

Phase 1 – Commit Exchange

Both sides (client and AP):

1. Convert the shared Wi‑Fi password into a Password Element (PWE).

• PWE is derived from the password and the two MAC addresses.
• Ensures the handshake is unique for each client–AP pair.

2. Generate a random number (their private “secret”).

3. Compute:

• A commit scalar
• A commit element

4. Exchange these values openly over the air.

Important:

Even though the commit values are public, they cannot be used to derive the password.

Phase 2 – Confirm Exchange

Both sides:

1. Compute the shared secret key using:

• Their own private random number
• The other party’s commit element

2. Derive a session key (PMK).

3. Exchange confirm messages proving they derived the same key.

If confirm messages match → authentication succeeds.

4. Key Properties of SAE

• Offline Attack Resistance
• An attacker capturing SAE handshakes gets no password-derivable data.
• Forward Secrecy
• Keys change for every session.
• Anti-Clogging
• To prevent DoS attacks (spamming commit messages), the AP can require "anti-clogging tokens" before continuing.
• Mutual Authentication
• Both sides prove knowledge of the password.

5. How SAE Differs from WPA2‑PSK

6. Where SAE Is Used

SAE is the mandatory authentication method for:

• WPA3-Personal
• Wi-Fi Enhanced Open (for upgrade paths)
• Enterprise environments that enable "Transition Mode"

7. Common Terms Related to SAE

• Dragonfly Key Exchange — underlying cryptographic design.
• Password Element (PWE) — ECC point representing the password.
• Commit & Confirm messages — two-step handshake communication.
• PMK (Pairwise Master Key) — key derived from SAE for the 4‑way handshake.

8. Why SAE Is Considered Secure

Because SAE:

• Never transmits information usable to guess the password
• Requires an attacker to interact for every guess
• Uses elliptic-curve Diffie-Hellman
• Uses strong hashing of the PWE
• Provides fresh keys per session

This combination makes it substantially more secure than WPA2-PSK.

Summary

SAE (Simultaneous Authentication of Equals) is the WPA3 authentication method designed to prevent:

• Offline dictionary attacks
• Decryption of old traffic
• Reuse of stale session keys
• Weaknesses inherent to WPA2-PSK

It accomplishes this through a secure, mutual, password-authenticated key exchange that provides forward secrecy and robust resistance to brute-force attacks.