Countermeasures

To mitigate our downgrade to dictionary attack, a client should remember if a network supports WPA3-SAE. That is, after successfully connecting using SAE, the client should store that the network supports SAE. From this point onward, the client must never connect to this network using a weaker handshake. This trust-on-first-usage idea is similar to the one of SSH, and similar to the Strict-Transport-Security header of HTTPS. Notice from Table 2 that Linux’s NetworkManager and the Google Pixel 3 already employ a similar defense. Optionally, in case the client notices the security configuration of the network changes, the client can prompt the user for the password of the network. This would prevent automatic downgrade attacks, while still allowing the user to override our defense by reentering the password. To handle networks where only some APs support WPA3, a flag could be added to the RSNE that indicates some APs only support WPA2, meaning downgrade attacks cannot be prevented against this network. Another possible defense, which requires minimal modifications on clients or APs, would be to deploy separate networks with separate passwords for both WPA2 and WPA3. In principle, group downgrade attacks can also be mitigated by remembering which groups a network supports. However, the supported groups of an AP are more likely to change over time, and therefore we do not recommend such a defense. Instead, the supported groups can be included as a bitmap in the RSNE during the 4-way handshake. This will enable a station to detect if a downgrade attack took place, and to subsequently abort the handshake