7.3 Wireless Security

Choosing the right channel avoids interference. Securing the wireless traffic prevents eavesdropping and unauthorized access.

| Protocol | Encryption | Status |
|---|---|---|
| WEP | RC4 | Broken. Never use. |
| WPA | TKIP | Deprecated. |
| WPA2 | AES-CCMP | Minimum acceptable standard. |
| WPA3 | AES-GCMP + SAE | Current standard. Resistant to offline dictionary attacks. |

WPA2 Personal uses a PSK (Pre-Shared Key). The client and AP derive the encryption key from the PSK using a four-way handshake. An attacker who captures this handshake can run an offline dictionary attack: try millions of passwords against the captured handshake without any further interaction with the network.

WPA3 Personal replaces PSK with SAE (Simultaneous Authentication of Equals), based on the Dragonfly key exchange (RFC 7664). SAE is a zero-knowledge proof: both sides prove they know the password without revealing it. Each handshake produces a unique session key, even if the password is the same.

| Feature | WPA2 PSK | WPA3 SAE |
|---|---|---|
| Key exchange | 4-way handshake | Dragonfly (zero-knowledge proof) |
| Offline dictionary attack | Vulnerable (capture handshake, crack offline) | Resistant (each attempt requires live interaction) |
| Forward secrecy | No (compromised PSK decrypts past sessions) | Yes (unique key per session) |
| Password strength dependency | High (weak password = easy crack) | Lower (rate-limited by live interaction) |

SAE forces the attacker to interact with the AP for every password guess. The AP rate-limits authentication attempts, making brute-force attacks impractical even with weak passwords.

Both WPA2 and WPA3 operate in two modes. Personal mode uses a shared password. Enterprise mode uses 802.1X with a RADIUS server, authenticating each user individually.

An SSID (Service Set Identifier) is the name of a wireless network, broadcast in beacon frames by the AP. A BSSID (Basic Service Set Identifier) is the MAC address of the AP radio. An ESS (Extended Service Set) consists of multiple APs sharing the same SSID, allowing clients to roam between APs seamlessly.

WPA3 SAE resists offline attacks

SAE requires live interaction for every password guess. WPA2 PSK allows offline cracking of captured handshakes.

Use Enterprise mode for OT wireless

802.1X with a RADIUS server authenticates each user individually. Personal mode shares one password across all users.

ESS enables seamless roaming

Multiple APs sharing the same SSID allow clients to move between coverage areas without reconnecting.

Encryption secures the data in transit. The next page covers antenna types and wireless considerations specific to OT environments, including why wireless is avoided for real-time control.

  • RFC 7664 — Dragonfly Key Exchange (IETF, 2015)