What security does the wpa_passphrase tool actually add to a wpa-supplicant configuration file?

1

I was looking at this guide to setting up a wifi connection on a modern linux system (specifically raspbian, but I assume the steps are similar in other linux systems) with only a command-line interface. The guide mentioned that the PSK could be stored as a pre-encrypted 32 byte hexadecimal number, but also mentioned that a plaintext SSID and PSK will be used to connect. Further, the wpa_passphrase tool seems to encrypt the PSK using the SSID (unless I am misinterpreting the tutorial).

If an attacker gained access to this wpa-supplicant configuration file, it seems like he could just use the SSID (stored there in plain text) and knowledge of the wpa_passphrase tool's encryption algorithm to decrypt the PSK, giving no more security than storing a plain-text PSK in the file. Is this not the case, and why?

jaredad7

Posted 2019-03-05T20:48:31.377

Reputation: 125

1"If an attacker gained access to this wpa-supplicant configuration file..." - Most threat model collapse with this level of compromise. An attacker that has root and can read configuration files can also read state of the random number generator, read decrypted traffic, and do other nefarious things. There's no confidentiality or integrity after that. – jww – 2019-03-05T21:13:59.223

You might also be interested in Is there a way to configure WPA2-PSK to provide Forward Secrecy? Also see Wi-Fi Protected Access and "WPA and WPA2 don't provide forward secrecy, meaning that once an adverse person discovers the pre-shared key, they can potentially decrypt all packets encrypted using that PSK transmitted in the future and even past..." It looks like WPA3 is going to close the gap.

– jww – 2019-03-05T21:17:50.740

Answers

3

The PSK isn't an encrypted version of your passphrase; it's a hashed version of your passphrase. Specifically (if I remember correctly), the PSK in WPA2 is the output of PBKDF2(passphrase) using the SSID as a salt.

The difference is that ciphers are reversible, hashes are not. The PSK is actually directly usable as the WPA2 network key, without any decryption at all, but it cannot be reversed to find out the original passphrase.

This only provides mild security on its own, but if you frequently rotate the passphrase (e.g. MyLittleWifi42 → MyLittleWifi43 → MyLittleWifi44), then someone having just the hashed PSK has no way of guessing future passphrases. Similarly, renaming the network also invalidates all old PSKs.

(Note: As far as I know, this method will no longer work with WPA3-SAE, which requires the client to have the original passphrase. Storing just the PSK would limit you to WPA2 only.)

user1686

Posted 2019-03-05T20:48:31.377

Reputation: 283 655

I didn't realize that the hash was usable as a network key (or even that it was a hash). That clears things up. – jaredad7 – 2019-03-05T21:48:36.447

Hashing the passphrase this way is how all Wi-Fi devices calculate the network key. – user1686 – 2019-03-06T04:53:09.397

Asked: 2019-03-05T20:48:31.377

Viewed: 501 times

Active: 2019-03-05T21:13:16.397