ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online

Wireshark-dev: Re: [Wireshark-dev] IEEE 802.11 WPA3 decryption support

Date Prev · Date Next · Thread Prev · Thread Next
From: Mikael Kanstrup <mikael.kanstrup@xxxxxxxx>
Date: Tue, 26 Mar 2019 10:59:11 +0100
On 25/03/2019 22:41, Guy Harris wrote:
On Mar 25, 2019, at 2:32 AM, Kanstrup, Mikael <Mikael.Kanstrup@xxxxxxxx> wrote:

I started working on WPA3 decryption support. Some parts of it has already been merged.
So does this mean we'll prove Michael Berg of Tamosoft wrong?

	https://twitter.com/TamoSoft/status/1049975990695399424

"WPA3 will make it impossible to perform on-the-fly or post-capture decryption of WiFi packets by tools like CommView for WiFi. Good security, but still upsetting from the packet analysis standpoint..."

No. That is still valid. I'm not trying to magically decrypt traffic without knowledge about the decryption keys. For WPA2 PSK the PSK == PMK is same for all connections towards a certain network making it possible to decrypt all traffic as long as you've recorded the 4-way handshake messages.

For WPA3 PMK is unique for each association and the passphrase -> PMK generation is strong. This gives:

- With password alone you cannot decrypt any traffic
- With password + 4-way handshake you cannot decrypt any traffic
- If you somehow can get hold of PMK you can only decrypt that specific connection. No other(s).

WPA3 decryption with Wireshark will only decrypt traffic where you know the PMK. This is similar to what is supported for WPA2 enterprise already today.

The dot11crypt engine duplicate quite a lot IEEE 802.11 dissector functionality
Yes, and it shouldn't.

Agree. Thanks for feedback!

/Mikael