03-16-2025, 11:46 AM
I've redone the tests I did Friday and taken another look at the documentation. And yes, it's plain text that is needed. When you connect on the command line it initially connects; on reboot it will fall back to AP mode. When you create the connection manually it also writes a plaintext password into the config.
It's not a security issue, as the way WPA3 works is different. It uses the password as an authentication method to authenticate that you're allowed to connect; it doesn't even send the key, it derives another token from it so it never goes across the airwaves. All cryptographic keys and data are no longer derived from the key. All that is handled internally in the WPA3 Dragonfly protocol. Storing the plaintext is not really different from storing the hashed version at this point, as both are purely to authenticate that you're allowed to connect rather than encrypting traffic that could then be decrypted using a key. WPA3 was designed to get around offline attacks. Overall a big step forward in security.
In the UI it's probably best to rename it from WPA3-SEC to just WPA3, as there are just two modes, SAE (personal) and the enterprise mode. So it's nicer for users to just see WPA3; it reduces confusion. If there is already a key in there, clear the text field and then write the clear text out to the config. WPA2 using the wpa_supplicant hashing is cool as is.
I didn't try it in mixed mode, i.e. router in WPA2+WPA3, but it should work just fine. I did get some odd results back from my router: it reported that the WPA3 was in WPA2 mode on a WPA3-only setup. All looks good and working correctly; that was probably down to a mode set on the Broadcom driver. That test will have to wait for another day as that's a bit more in depth, but all working great.
I tested using a DrayTek; it would be good to get some other test results, especially what the router shows after the connection. I'm out of time for the next few weeks. All working well here, so I will use it in WPA3 mode. When I get some more time I'll do some other tests into the strange result.
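To make the storage difference in the post concrete, here is an added Python example (not code from the original post or from the project being discussed) that does what `wpa_passphrase` does for WPA2 and then emits the three `wpa_supplicant` network blocks that come up above: WPA2 with the hashed `psk=`, WPA3-SAE with a plaintext `sae_password=`, and a WPA2+WPA3 mixed-mode block that carries both. The WPA2 hash is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes, which is a one-way function of the passphrase; SAE (Dragonfly) takes the password itself as its input, which is why the hashed form cannot stand in for it and the plaintext has to be on disk for WPA3. The SSID and passphrase values, the assumption that the SSID contains no quote or backslash characters (nothing is escaped), and the `plaintext_on_disk`/`sae_block_is_usable` helper names are all mine.

```python
"""wpa_supplicant network blocks for WPA2, WPA3-SAE and mixed mode.

Added example, not code from the original post or project. Assumes a
wpa_supplicant build with SAE support and an SSID without quote or
backslash characters (this code does not escape them).
"""
import hashlib
import re

# key_mgmt values that authenticate with the Dragonfly (SAE) handshake.
SAE_KEY_MGMT = {"SAE", "FT-SAE"}


def wpa2_psk_hex(ssid: str, passphrase: str) -> str:
    """The WPA2 PSK that `wpa_passphrase` writes as psk=<64 hex chars>.

    PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iterations, 32 bytes),
    i.e. the derivation from IEEE 802.11 for a passphrase-based PSK.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, 32)
    return raw.hex()


def network_block(ssid: str, passphrase: str, mode: str) -> str:
    """Return one network={...} block for mode 'wpa2', 'wpa3' or 'mixed'."""
    lines = [f'ssid="{ssid}"']
    if mode == "wpa2":
        # Hashed form: only the PBKDF2 output lands on disk, not the passphrase.
        lines += ["key_mgmt=WPA-PSK", f"psk={wpa2_psk_hex(ssid, passphrase)}"]
    elif mode == "wpa3":
        # SAE consumes the password itself, so it is stored in sae_password.
        # ieee80211w=2 (PMF required) is mandatory for WPA3-Personal.
        lines += ["key_mgmt=SAE", f'sae_password="{passphrase}"', "ieee80211w=2"]
    elif mode == "mixed":
        # Router in WPA2+WPA3 transition mode: hashed psk for WPA2 clients,
        # plaintext sae_password for SAE, PMF optional so WPA2 still works.
        lines += ["key_mgmt=WPA-PSK SAE",
                  f"psk={wpa2_psk_hex(ssid, passphrase)}",
                  f'sae_password="{passphrase}"',
                  "ieee80211w=1"]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    body = "\n".join("    " + line for line in lines)
    return f"network={{\n{body}\n}}\n"


def _fields(block: str) -> dict:
    """Parse key=value lines of a network block into a dict (last wins)."""
    return dict(re.findall(r"^\s*(\w+)=(.*)$", block, re.MULTILINE))


def plaintext_on_disk(block: str) -> bool:
    """True if the block stores the passphrase itself, not only its PBKDF2 hash.

    A quoted psk="..." is the passphrase; a bare 64-hex psk is the hash.
    """
    fields = _fields(block)
    if "sae_password" in fields:
        return True
    return fields.get("psk", "").startswith('"')


def sae_block_is_usable(block: str) -> bool:
    """An SAE network needs a plaintext password (sae_password, or a quoted psk
    per the wpa_supplicant.conf fallback); a hashed psk alone cannot run SAE.
    Non-SAE blocks are always considered usable here."""
    fields = _fields(block)
    if not SAE_KEY_MGMT & set(fields.get("key_mgmt", "").split()):
        return True
    return plaintext_on_disk(block)


if __name__ == "__main__":
    # Constructed sample credentials, not a real network.
    for mode in ("wpa2", "wpa3", "mixed"):
        blk = network_block("HomeNet", "correct horse battery", mode)
        print(blk, "plaintext on disk:", plaintext_on_disk(blk))
```

The `wpa2` block is the form the post calls "the wpa_supplicant hashing"; the `wpa3` and `mixed` blocks show the plaintext `sae_password` the post says has to be written out. Note that `sae_block_is_usable` is a sanity check on a config block, not a claim about what `wpa_supplicant` does on connect; for a block that has `key_mgmt=SAE` and only a bare hex `psk`, it returns False, which matches the post's finding that the hash alone is not enough for WPA3.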