Use WPA3 with Linux – that’s how it works

In the WLAN, WPA3 was an important update for the authentication and encryption method. WPA3 is now available on many devices and is part of everyday life – also on Linux systems, depending on the hardware equipment.

To date, WPA2 has been the common method of protecting WLAN with authentication and securing it with encryption. Its successor, WPA3, has been approved by the Wi-Fi Alliance industrial consortium since 2018. Since July 1st, 2020, new WLAN devices must also be able to work with WPA3 in order to be allowed to carry the Wi-Fi seal. Linux systems have basically supported WPA3 since Kernel 3.8 and “wpa_supplicant” 2.9, which handles the encryption. But only now are access points, routers and finally network chips that require a driver update so widespread that a step-by-step changeover makes sense. The article shows what needs to be considered under Linux.

A hack called Krack

In mid-October 2017, two cryptography experts at the University of Leuven, Belgium, published the results of a research project showing a practical attack on WPA2. The security researchers have been working on the practical implementation of this attack since 2016, which was given the catchy name “Krack”, an abbreviation for “Key Reinstallation Attack”. The gap found concerns the multi-level key exchange during a connection establishment in the WLAN between the base station and clients. As in other procedures, a one-time key is used for key exchange, which is actually no longer allowed to be used in this connection. However, an attacker disrupts the exchange of the one-time key, so that the same key, called “Nonce” (short for “Number Used Once”) is sent over and over again. After a while, the attacker has collected enough encrypted WPA2 packets with various contents. With a lot of computing power, a cryptographic analysis can reconstruct the entire key of the WPA2 connection.

Linux systems were even more affected: The kernel module “wpa_supplicant” from Linux, which also works in Android and most embedded systems on routers, modems and access points, is even a bit more susceptible to cracking. The kernel developers thought it was a good idea to overwrite the one-time key in memory with zeros after the first use. However, they did not expect that this string would be sent more often unchanged – consequently the repeated keys only consist of zeros. This makes cryptographic analysis particularly easy.

In Linux distributions, the first patches for WPA2 came just one day after the attack method was published, so that the vulnerability can no longer be exploited so easily. And older WPA2 devices, which are still present in abundance in most wireless networks, can still be operated sufficiently securely with the latest software and a strong password, as the box “WPA2: Safety Precautions” shows.

What WPA3 does better

In multiple exchanges, the router and client use the WLAN password to create the shared key that is intended to protect further data transmission. WPA3 no longer uses the vulnerable PSK (Pre Shared Key) procedure, but SAE (Simultaneous Authentication of Equals), which uses the password to calculate a more complex key than PSK. The secret key is no longer transmitted by radio as with WPA2, but only the result of a calculation (hash value). It can then no longer be guessed in a reasonable time frame, even if the basic WiFi password should be very simple.

In addition, WPA3 does not allow subsequent decryption of recorded data packets using “Perfect Forward Secrecy”, even if the key should have been lost due to other security gaps.

Linux clients: is WPA3 supported?

The first look at a Linux computer that is to participate in a WLAN is its equipment. Because even if Linux systems have the software requirements for WPA3, the firmware of the WLAN chip also has to play along. Age is not the deciding factor here, but manufacturer support. For example, the Intel chip 7265 (dual band wireless AC) in an older Thinkpad T450s from 2015 and the Wi-Fi chip in the Raspberry Pi 3 B with WPA3 also worked in our tests. Entering

shows whether the chip supports the SAE method. If so, the chances are good that WPA3 will work. Next, the command lists

nmcli -f all dev wifi list 

All Wi-Fi networks and shows in the table under “Security” whether WPA3 is activated. If the target network offers WPA3, you should first connect via the network manager of the desktop environment. KDE Plasma 5.2 conveniently displays the encryption in the connection details. Checked on other desktops

nmcli c show [WLAN] | grep sae

the connection on WPA3, where the placeholder “[WLAN]“Stands for the name of the wireless network.

If you do not receive a response with this command, the connection via WPA3 did not work. It is then still possible to force WPA3 – via the shell version of the network manager, which the call nmtui starts in the terminal.

Under “Edit a connection” and “Edit” of a WLAN there is the “Security” field in the text-based dialog that allows “WPA3 Personal” to be specified. A reboot is then necessary. If the connection with WPA3 succeeds, this setting is permanent.

WPA3: access point and router

In general, most access points and routers offer WPA3 after a firmware update, usually in mixed operation with WPA2. With WPA3 devices it can happen that, despite the activated WPA3 / WPA2 mixed method, they still only use WPA2 for encryption. In this case you have to delete the entry for this WLAN on the WLAN client, because the client prefers to use the saved settings instead of renegotiating the encryption with the router. The password must be entered manually, because WPS is no longer an option with WPA3 and would reactivate WPA2 in mixed mode.

Older Fritz boxes from AVM: In general, WPA3 is available from the Fritz-OS 7.20 firmware on routers and repeaters. Some models like the AVM Fritzbox 7560 have not (yet) received this firmware. However, it is worth taking a look at the lab firmware from this manufacturer at

In this way we were able to teach a Fritzbox 7560 with advance firmware WPA3.

See also:

WPA3 encryption:

Are your devices fit for the new standard?


Related Articles

Back to top button