[EXT] Re: SAE: reduce loop iterations of PWE derivation

[Gang Li]

Hi Jouni Malinen,

Yes, I understand the consequences.

A few STAs may not support the Hash-to-Element (H2E) WPA3 SAE method, then it needs to use Hunting-and-Pecking (HnP) method.
But it takes a long time to generate PWE, causing authentication failure.

So reduce loop iterations of PWE derivation, and add CONFIG_SAE_PWE_NS macro, disable by default.
It is up to the user to decide whether to enable it.

Best Regards,
Gang Li

-----Original Message-----
From: Jouni Malinen <j at w1.fi> 
Sent: 2024年8月12日 16:42
To: Gang Li <gang.li_1 at nxp.com>
Cc: hostap at lists.infradead.org
Subject: [EXT] Re: SAE: reduce loop iterations of PWE derivation

Caution: This is an external email. Please take care when clicking links or opening attachments. When in doubt, report the message using the 'Report this email' button


On Mon, Aug 12, 2024 at 07:50:53AM +0000, Gang Li wrote:
> For low-performance processors, reduce the number of loop iterations 
> for PWE derivation to reduce the time to generate PWE.
> Add CONFIG_SAE_PWE_NS macro to enable it.

That would reintroduce the widely reported side-channel attacks against SAE. If you want to do that and understand the consequences, that is your choice, but I won't promote that in hostap.git.

An appropriate way to avoid the iterations is to upgrade to using the direct hash-to-element mechanism with SAE. That avoids this loop completely.

--
Jouni Malinen                                            PGP id EFC895FA