On 25/03/2019 22:41, Guy Harris wrote:
On Mar 25, 2019, at 2:32 AM, Kanstrup, Mikael <Mikael.Kanstrup@xxxxxxxx> wrote:
I started working on WPA3 decryption support. Some parts of it has already been merged.
So does this mean we'll prove Michael Berg of Tamosoft wrong?
https://twitter.com/TamoSoft/status/1049975990695399424
"WPA3 will make it impossible to perform on-the-fly or post-capture decryption of WiFi packets by tools like CommView for WiFi. Good security, but still upsetting from the packet analysis standpoint..."
No. That is still valid. I'm not trying to magically decrypt traffic
without knowledge about the decryption keys. For WPA2 PSK the PSK == PMK
is same for all connections towards a certain network making it possible
to decrypt all traffic as long as you've recorded the 4-way handshake
messages.
For WPA3 PMK is unique for each association and the passphrase -> PMK
generation is strong. This gives:
- With password alone you cannot decrypt any traffic
- With password + 4-way handshake you cannot decrypt any traffic
- If you somehow can get hold of PMK you can only decrypt that specific
connection. No other(s).
WPA3 decryption with Wireshark will only decrypt traffic where you know
the PMK. This is similar to what is supported for WPA2 enterprise
already today.
The dot11crypt engine duplicate quite a lot IEEE 802.11 dissector functionality
Yes, and it shouldn't.
Agree. Thanks for feedback!
/Mikael
