WPA3 Dragonfly Handshake (Derivation, Anti-Clogging Tokens)

#Inside the Mathematical Shield#link

To fully appreciate why WPA3-Personal is immune to dictionary attacks, we must dive into the Dragonfly mechanism (the engine of SAE). It moves the security from a simple hash verification to a complex elliptic curve problem.

The Two-Phase Process: Commit and Confirm

The Dragonfly handshake consists of two distinct phases. First, the 'Commit' phase, where both parties exchange scalar and element values derived from the password. Second, the 'Confirm' phase, where they prove they both possess the same key.

# Conceptual Dragonfly Commit
# 1. Hash password to find a point P on the curve (Hunting and Pecking)
# 2. Generate a random private scalar 'r'
# 3. Public Element = r * P
# 4. Send (r, Public Element) to peer

# The peer does the same, and through DH, they find a shared secret

If the password is wrong, the parties will derive different points on the curve, and the 'Confirm' phase will fail. Crucially, an observer sees only random-looking points, not the password's hash.

Combating Denial of Service: Anti-Clogging Tokens

To prevent this, WPA3 introduces 'Anti-Clogging Tokens.' If the AP is under load, it refuses to process a Commit until the client returns a token, proving the client can at least receive and echo a packet.

The Security Guarantee

Because the Dragonfly handshake provides an authenticated key exchange, an attacker cannot perform an offline attack. To guess the password, they must interact with the AP for every single guess, making a dictionary attack practically impossible.

• ▪No offline cracking
• ▪Perfect Forward Secrecy (PFS)
• ▪Resilience against passive eavesdropping
• ▪Built-in DoS protection via tokens