
Comment by kd913

12 hours ago

If this is true, I feel the wifi alliance have a tonne to answer for the ewaste they generate.

WPA3 moved from symmetric AES to ECDH which is vulnerable to Quantum. Gonna be a tonne of IoT inverter waste.

WPA3 moved from PBKDF to ECDH. AES CCMP and GCMP are still the underlying block ciphers in WPA3 with some other extensions for China.

For what it's worth, cryptography engineers were generally not happy with the Dragonfly PAKE, and PQC was a legitimate concern even in 2012.

Just yesterday I used an IoT device with WEP as the only WiFi option. Needless to say, I use the wired connection.

They say the 's' in IoT stands for secure, and from my experience that is true. Pretty much nothing is getting thrown out, because it isn't secure.

WPA3 was announced in 2018 [0]. I don't think it's reasonable to blame them for not anticipating the next decade of cryptographic research.

...but even if they had, what realistically could they have done about it? ML-KEM was only standardized in 2024 [1].

also, the addition of ECDH in WPA3 was to address an existing, very real, not-theoretical attack [2]:

> WPA and WPA2 do not provide forward secrecy, meaning that once an adverse person discovers the pre-shared key, they can potentially decrypt all packets encrypted using that PSK transmitted in the future and even past, which could be passively and silently collected by the attacker. This also means an attacker can silently capture and decrypt others' packets if a WPA-protected access point is provided free of charge at a public place, because its password is usually shared to anyone in that place.

0: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA3

1: https://en.wikipedia.org/wiki/ML-KEM

2: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Lack_of...
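As an added illustration of why the quoted passage holds (this is example code written for this page, not from the thread, the Wi-Fi Alliance or any cited source): in WPA2-Personal the pairwise transient key is a pure function of the passphrase, the SSID, both MAC addresses and the two handshake nonces. Everything except the passphrase is sent in the clear, so anyone who holds the shared passphrase and has a copy of a 4-way handshake computes the same traffic key the client did, for sessions past or future. Rotating the passphrase changes the key for later sessions only, which is the gap SAE (ephemeral key agreement) and per-user 802.1X keys close. The SSID, passphrase, MAC addresses and nonces below are constructed; the `"password"`/`"IEEE"` pair is the standard PSK known-answer vector from IEEE 802.11.

```python
import hashlib
import hmac

# All network values in this file are constructed for illustration; the
# derivation itself follows IEEE 802.11 (PSK -> PMK -> PTK for CCMP).


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK-to-PMK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_80211(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for WPA2-CCMP (KCK || KEK || TK, 48 bytes).

    The min/max ordering makes the result independent of which side is the AP,
    and every input except the PMK is observable on the air.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes):
    """Return (KCK, KEK, TK); TK is the key that actually encrypts data frames."""
    return ptk[:16], ptk[16:32], ptk[32:48]


# Constructed handshake observables for a hypothetical "AcmeCoffee" network.
AP_MAC = bytes.fromhex("02aabbccdd01")
STA_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
HANDSHAKE = (AP_MAC, STA_MAC, ANONCE, SNONCE)


def derive_tk(passphrase: str, ssid: str, handshake) -> bytes:
    """Traffic key from passphrase plus public handshake values only."""
    return split_ptk(wpa2_ptk(wpa2_pmk(passphrase, ssid), *handshake))[2]


if __name__ == "__main__":
    # The client and a bystander who knows the posted passphrase get the same TK.
    client = derive_tk("greatcoffee", "AcmeCoffee", HANDSHAKE)
    bystander = derive_tk("greatcoffee", "AcmeCoffee", HANDSHAKE)
    print("same traffic key:", client == bystander)
    # Rotating the passphrase only changes keys for handshakes after the rotation.
    print("old capture still keyed by old passphrase:",
          client == derive_tk("greatcoffee", "AcmeCoffee", HANDSHAKE))
```

The `if __name__` block is just a demonstration driver; the point a practitioner should take from `derive_tk` is that its only secret input is the passphrase, so in a venue where the passphrase is public the confidentiality of WPA2 traffic rests on nothing at all.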

  • Does it matter if an attacker can decrypt public wifi traffic? You already have to assume the most likely adversary (e.g. the most likely to sell your information) is the entity running the free wifi, and they can already see everything.

    • It is precisely because the operator of the wifi is not necessarily the adversary a user may be most concerned about. They may be, but they are not the only one. They are the one you know can be, but they aren't the only one.

    • > You already have to assume the most likely adversary is the entity running the free wifi

      why do you have to assume that?

      you're at Acme Coffeeshop. their wifi password is "greatcoffee" and it's printed next to the cash register where all customers can see it.

      with WPA2 you have to consider N possible adversaries - Acme Coffee themselves, as well as every single other person at the coffeeshop.

      ...and also anyone else within signal range of their AP. maybe I live in an apartment above the coffeeshop, and think "lol it'd be fun to collect all that traffic and see if any of it is unencrypted".

      with WPA3 you only have to consider the single possible adversary, the coffeeshop themselves.
