Espressif ESP32-S2 User Manual

Espressif ESP32-S2
1695 pages
Chapter 4. API Guides
STA Setting    AP Setting              Outcome
PMF Optional   PMF Optional/Required   Mgmt Frames Protected
PMF Optional   PMF Disabled            Mgmt Frames Not Protected
PMF Required   PMF Optional/Required   Mgmt Frames Protected
PMF Required   PMF Disabled            STA refuses Connection
PMF Disabled   PMF Optional/Disabled   Mgmt Frames Not Protected
PMF Disabled   PMF Required            AP refuses Connection
PMF Optional Mode, which is shown in the example of wifi_config_t, is the suggested setting for all Station
configurations. It takes the additional security benefit of PMF whenever possible without breaking connections
with legacy APs.
4.34.3 WPA3-Personal
Introduction
Wi-Fi Protected Access-3 (WPA3) is a set of enhancements to Wi-Fi access security intended to replace the current
WPA2 standard. It includes new features and capabilities that offer significantly better protection against different
types of attacks. It improves upon WPA2-Personal in the following ways:
- WPA3 uses Simultaneous Authentication of Equals (SAE), which is a password-authenticated key agreement
  method based on Diffie-Hellman key exchange. Unlike WPA2, the technology is resistant to offline dictionary
  attacks, where the attacker attempts to determine the shared password based on a captured 4-way handshake
  without any further network interaction.
- Disallows outdated protocols such as TKIP, which is susceptible to simple attacks like the MIC key recovery attack.
- Mandates Protected Management Frames (PMF), which provides protection for unicast and multicast robust
  management frames, including Disassoc and Deauth frames. This means that the attacker cannot disrupt
  an established WPA3 session by sending forged Assoc frames to the AP or Deauth/Disassoc frames to the
  Station.
- Provides forward secrecy, which means the captured data cannot be decrypted even if the password is
  compromised after data transmission.
Please refer to the Security section of the Wi-Fi Alliance's official website for further details.
Setting up WPA3 with ESP32-S2
In IDF Menuconfig, under the Wi-Fi component, a config option "Enable WPA3-Personal" is provided to enable or
disable WPA3. It is enabled by default; if it is disabled, ESP32-S2 will not be able to establish a WPA3 connection.
Currently, WPA3 is supported only in the Station mode. Additionally, since PMF is mandated by the WPA3 protocol,
PMF Mode should be set to either Optional or Required when setting the Wi-Fi config.
Refer to Protected Management Frames (PMF) on how to set this mode.
After these settings are done, Station is ready to use WPA3-Personal. Application developers need not worry about
the underlying security mode of the AP. WPA3-Personal is now the highest supported protocol in terms of security,
so it will be automatically selected for the connection whenever available. For example, if an AP is configured to be
in WPA3 Transition Mode, where it will advertise as both WPA2 and WPA3 capable, Station will choose WPA3 for
the connection with the above settings. Note that the Wi-Fi stack size requirement will increase by 3 kB when WPA3 is used.
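
The PMF table earlier on this page, and the rule that a WPA3 station needs PMF set to Optional or Required, both follow from two flags per side. The stand-alone C model below is an added example, not code from the Espressif manual or ESP-IDF; the type, flag and function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the two PMF flags of a Wi-Fi config (assumed names for this example). */
typedef struct { bool capable; bool required; } pmf_flags_t;

typedef enum { MGMT_PROTECTED, MGMT_NOT_PROTECTED, STA_REFUSES, AP_REFUSES } pmf_outcome_t;

static const pmf_flags_t PMF_DISABLED = { false, false };
static const pmf_flags_t PMF_OPTIONAL = { true,  false };
static const pmf_flags_t PMF_REQUIRED = { true,  true  };

/* "Required" without "capable" is contradictory; treat required as implying capable. */
static pmf_flags_t pmf_normalize(pmf_flags_t f)
{
    if (f.required) f.capable = true;
    return f;
}

/* Outcome of one STA/AP pairing, matching the rows of the PMF table. */
pmf_outcome_t pmf_negotiate(pmf_flags_t sta, pmf_flags_t ap)
{
    sta = pmf_normalize(sta);
    ap  = pmf_normalize(ap);
    if (sta.required && !ap.capable) return STA_REFUSES;
    if (ap.required && !sta.capable) return AP_REFUSES;
    return (sta.capable && ap.capable) ? MGMT_PROTECTED : MGMT_NOT_PROTECTED;
}

/* WPA3 mandates PMF, so a station with PMF disabled cannot use WPA3-Personal. */
bool sta_can_use_wpa3(pmf_flags_t sta)
{
    return pmf_normalize(sta).capable;
}

int main(void)
{
    static const char *names[] = { "Disabled", "Optional", "Required" };
    static const char *outcomes[] = { "Mgmt frames protected", "Mgmt frames not protected",
                                      "STA refuses connection", "AP refuses connection" };
    const pmf_flags_t modes[] = { PMF_DISABLED, PMF_OPTIONAL, PMF_REQUIRED };
    for (int s = 0; s < 3; s++)
        for (int a = 0; a < 3; a++)
            printf("STA %-8s / AP %-8s -> %s\n", names[s], names[a],
                   outcomes[pmf_negotiate(modes[s], modes[a])]);
    return 0;
}
```

The printed matrix makes the trade-off of Optional mode visible: a station set to Optional still associates with a PMF-disabled AP, and on that link management frames are not protected.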
Espressif Systems 1561
Release v4.4