Simultaneous Authentication of Equals (SAE) is a secure key exchange protocol that’s used in Wi-Fi networks, particularly in WPA3 (Wi-Fi Protected Access 3). It’s designed to improve the security of the initial authentication process when a device connects to a Wi-Fi network, replacing the pre-shared key (PSK) method used in WPA2. SAE aims to prevent offline dictionary attacks and other security vulnerabilities associated with PSKs. Here’s a detailed explanation of how SAE works:
1. Initial Commitment:
- Peer Devices: In SAE, two devices participate in the key exchange: the supplicant (the device that wants to connect to the network) and the authenticator (the access point or router).
- Commitment: Both the supplicant and the authenticator generate random numbers called “commitments.” These commitments are kept secret and are used to derive the shared secret key later.
2. Exchange of Commitments:
- Commitment Exchange: The supplicant and authenticator exchange their commitments without revealing them to each other. This is done in the clear, without encryption, which is why it’s often referred to as “commitment exchange.”
3. Deriving the Intermediate Key:
- Password: The actual shared secret is the Wi-Fi network’s password (PSK), which is known to both the supplicant and the authenticator.
- Intermediate Key: Using the commitments and the password, the supplicant and the authenticator derive an intermediate key (Intermediate Key, or ICK) using a mathematical function. This key is used temporarily and is not the final shared key.
4. Mutual Authentication:
- Commitment Verification: Both the supplicant and the authenticator verify each other’s commitments without revealing their own commitments. This is done using the ICK and commitments received.
- Authenticator Check: The authenticator checks that the supplicant’s commitment matches the commitment it received earlier. If not, the supplicant might not be legitimate, and the connection is terminated.
- Supplicant Check: The supplicant checks that the authenticator’s commitment matches the commitment it received earlier. If not, it means the network might not be legitimate, and the supplicant refuses to proceed.
5. Key Confirmation:
- Confirming the Key: Once both the supplicant and authenticator have verified each other’s commitments, they derive the final shared secret key, known as the Pairwise Transient Key (PTK), using the ICK and other information.
6. Secure Connection:
- Encrypted Communication: With the PTK in hand, both devices can securely encrypt and decrypt data exchanged between them. This ensures that the connection is secure and that the shared secret (password) is not exposed during the initial exchange.
The primary advantage of SAE is that it significantly reduces the risk of offline attacks where an attacker can capture the authentication exchange and attempt to crack the network password. With SAE, even if an attacker captures the commitment exchange, they won’t have enough information to perform offline dictionary attacks effectively.
SAE is considered a more secure method for establishing a Wi-Fi connection compared to the previous PSK-based approach, and it’s a critical component of the WPA3 security protocol.