by presto8 958 days ago
WPA2 uses AES-CCMP-128 which is not efficient (or even feasible) for high data rates as it cannot be parallelized. WPA3 uses GCMP-128 or GCMP-256, which (in the case of 256-bit) is stronger security and also can achieve gigabit level speeds or higher due to being able to parallelize the encryption.

WPA2 is susceptible to offline-dictionary attack and the cost is quite low (less than $10), especially with cloud computing. WPA3 is resistant to offline dictionary attack.

If an adversary knows the WPA2 passphrase, the adversary can eavesdrop on connections between the AP device and the station device. In comparison, in WPA3, even if an adversary knows the passphrase, the adversary will not be able to decrypt communications between the AP and the station device. The adversary is still able to gain access to the network, but the attack surface area has been reduced.

WPA3 uses HMAC-SHA256 for key derivation, whereas WPA2 uses HMAC-SHA1. NIST and other cryptography agencies have recommended against the use of SHA1 in cryptographic systems due to known weaknesses.

WPA3 has many advantages over WPA2. In addition, most of the implementation for WPA3 is in software and also available as open source.

6 comments

> WPA2 is susceptible to offline-dictionary attack and the cost is quite low (less than $10), especially with cloud computing.

I agree that offline attacks are a threat to WPA2, but do you have a cost breakdown/source for that cost figure? The attack to me is still in the realm of unlikely if not using a common, rainbow-tabled SSID and/or very simple password.

I am not involved in the GPU cloud compute area, so I only did a very quick check on EC2 GPU instance pricing. At about $10 that translates to about 2 hours of g5.12xlarge with 4 high end GPUs. I am not familiar with these models, but I am assuming they are comparable to high end, current gen GPUs. To me 8 GPU hours sounds a bit on the low side, even for relatively weak passwords. For reference, it seems an RTX 3090 does about 1 MH/s [1]. 8 GPU hours on that card translates roughly to 230 billion (230x10^9) password variants, a lot, but not overwhelmingly a lot. An 8 character lower+upper+digit is estimated at about 47 bits, so roughly 140x10^12. A wordlist+mutation is likely far more efficient than a naive attack. I am on the fence whether this makes for a reasonable $10 real world attack.

Happy to learn I am stuck in the past!

(The rainbow table I am talking about: https://www.renderlab.net/projects/WPA-tables/)

[1] https://gist.github.com/Chick3nman/e4fcee00cb6d82874dace7210...

(EDIT: * -> x, one day I will learn formatting)
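Added example (not from any commenter): the WPA2-Personal PMK derivation as specified in IEEE 802.11i, which shows why the rainbow tables mentioned above are per-SSID (the SSID is the PBKDF2 salt) and where the 4096-iteration per-guess cost comes from, plus the keyspace arithmetic behind the "about 47 bits" estimate, parameterised on a guess rate so a defender can size a passphrase policy. The 1 MH/s rate and one-GPU-day budget in the main block are constructed inputs, not measurements.

```python
import hashlib
import math

# WPA2-Personal (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
# 4096 iterations, 32 bytes). The SSID salt means a precomputed table only
# applies to the SSID it was built for; the iteration count is the fixed
# per-guess cost that bounds any offline guessing rate.
def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random passphrase of this shape."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock hours to try every passphrase of this shape at a given rate."""
    return alphabet_size ** length / guesses_per_second / 3600


def coverage_fraction(alphabet_size: int, length: int, guess_budget: float) -> float:
    """Share of the keyspace a fixed guess budget can cover (capped at 1.0)."""
    return min(1.0, guess_budget / alphabet_size ** length)


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex: passphrase "password", SSID "IEEE".
    print("PMK:", wpa2_pmk("password", "IEEE").hex())
    # Constructed sizing scenario: 1 MH/s per GPU, budget of one GPU-day.
    rate = 1e6
    budget = rate * 86400
    for alphabet, length in [(62, 8), (62, 27)]:
        print(f"{length} chars over {alphabet}: {keyspace_bits(alphabet, length):.1f} bits, "
              f"{hours_to_exhaust(alphabet, length, rate):.3g} GPU-hours to exhaust, "
              f"one GPU-day covers {coverage_fraction(alphabet, length, budget):.2e} of it")
```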

> WPA3 uses HMAC-SHA256 for key derivation, whereas WPA2 uses HMAC-SHA1. NIST and other cryptography agencies have recommended against the use of SHA1 in cryptographic systems due to known weaknesses.

AFAIK SHA1 is only broken with respect to preimage/collision attacks. For generating random bits it's still perfectly fine. In other words, sha1 is broken, but not in ways that matter for its use in WPA2.

What are you using your raspberry pi for that is going to be attacked by people who can break SHA-1?
What are you using your PC for that is going to be attacked by people who can break TLS?

> susceptible to offline-dictionary attack and the cost is quite low (less than $10)

Only if it's a common password... you're saying this like it's a given, like you can break into anyone's WiFi for less than $10 after capturing a correct authentication challenge+response from a legitimate user.

If you have a stupid ISP in the area that uses crackable passwords, or tech-savvy users that change the password to something stupid, perhaps you'll have a decent recovery rate, but otherwise I'd estimate it's far below even odds whether this gets you into any given network.

Putting a dollar price on cracking a hash is like putting a dollar price on fresh air: if you have a laptop standing around, it's practically free to try a few million passwords; if you need a GPU farm, it may cost ten thousand euros; and it may be impossible if it's just not crackable (27 chars alphanumeric is just not possible, also not with a quantum computer in a thousand years, but you don't know that when all you've got is the challenge-response hash).

This sounds about right to me, but I’d like to point out the cost barrier differs into unrelated paradigms above/below OSI Layer 2.
I didn’t know WPA3 had parallelizable encryption. That is great.