Simultaneous Authentication of Equals (SAE) is based on the Dragonfly handshake protocol and enables the secure exchange of keys of password-based authentication methods. In WPA3, SAE replaces the previous methods of negotiating session keys using pre-shared keys and is also used in WLAN mesh implementations.
What is SAE (Simultaneous Authentication of Equals)?
The acronym SAE stands for Simultaneous Authentication of Equals and refers to a secure key negotiation and exchange method for password-based authentication methods. It is a variant of the Dragonfly key exchange protocol specified in RFC 7664, which in turn is based on Diffie-Hellmann key exchange.
Among other things, SAE is used in WPA3 (Wi-Fi Protected Access 3) and replaces the previous method of negotiating session keys using pre-shared keys. In addition, Simultaneous Authentication of Equals is used in IEEE 802.11s WLAN mesh networks during the peer discovery process. SAE improves the security of key exchange in the handshake process.
Even when weak passwords are used, authentication is protected. Dictionary or brute force attacks and attack methods such as KRACK (Key Reinstallation Attack) are virtually impossible when using Simultaneous Authentication of Equals.
The motivation for Simultaneous Authentication of Equals
WPA2-based WLANs are vulnerable to KRACK, an attack method on WPA2 encryption that became known in 2017. Attackers can gain possession of the keys and manipulate or read the transmitted data. KRACK exploits a vulnerability in the multi-stage handshake process for negotiating session keys.
Another common security problem in WLANs is that weak or very short passwords are used. These can be found out relatively quickly using a dictionary or brute-force attacks. SAE is intended to secure WLANs against these vulnerabilities and protect data traffic in mesh networks. Simultaneous Authentication of Equals increases security in the case of weak passwords and makes it impossible to draw conclusions about the keys used by recording the handshake.
In addition, the key exchange protocol supports Perfect Forward Secrecy (PFS) and prevents session keys from being reconstructed after the fact. Even the subsequent disclosure of a WLAN password does not allow recorded data packets to be decrypted.
How SAE Authentication works
SAE still uses matching passwords that clients use to gain access to a WLAN. However, a unique Pairwise Master Key (PMK) that is different for each client is derived from the passwords.
Despite the use of a password that is the same for all clients, each client receives its own PMK. Pairwise Transient Keys (PTK) are derived from the PMK by means of a four-way handshake between the WLAN client and the authentication server and are used for the actual encryption of the data.
The use of SAE Security – SAE Encryption
One of the most important applications of SAE is the authentication and encryption standard for WLANs WPA3. In WPA3, the method used by WPA2 to negotiate session keys with pre-shared keys is replaced by Simultaneous Authentication of Equals. Since keys are no longer transmitted over the radio links, it is virtually impossible to draw conclusions about the keys by reading the handshake.
Session keys between the WLAN client and access point can be negotiated securely. Perfect Forward Secrecy (PFS) also ensures that recorded data packets cannot be subsequently decrypted, even if an attacker comes into possession of a WLAN password.
SAE is also used in WLAN mesh networks. The IEEE 802.11s standard defines how WLAN devices connect to form a meshed WLAN. Peers use SAE during the discovery process and establish secure connections using the derived pairwise keys.