Simultaneous Authentication of Equals (SAE) works by enabling peers to authenticate each other and establish a strong cryptographic key when they discover each other, particularly in mesh networks with security enabled. This process relies on a password-based authentication mechanism and elliptic-curve cryptography.
Here's a breakdown of how it works:
- Peer Discovery: Devices looking to join a network first discover each other. This initial discovery phase isn't directly part of the SAE process but is a prerequisite.
- SAE Exchange Initiation: When two peers discover each other and security is enabled, they initiate the SAE exchange.
- Password-Based Authentication: SAE uses a shared password (often referred to as the mesh password or pre-shared key) as its foundation. This password isn't directly used for encryption, but it's used to derive cryptographic keys.
- Elliptic-Curve Cryptography: SAE relies on elliptic-curve cryptography (ECC) for its key exchange. This offers strong security with relatively short key lengths.
- Cryptographic Key Derivation: The SAE exchange involves several rounds of communication between the peers. During these rounds, each peer performs cryptographic calculations using the password and random values. The specifics of these calculations are beyond the scope of this simplified explanation, but they are designed to be resistant to various attacks.
- Authentication and Key Establishment: If the SAE exchange completes successfully, both peers can be confident that the other party knows the shared password. More importantly, the exchange results in both peers possessing a cryptographically strong, shared secret key. This key can then be used to encrypt subsequent communication between the devices.
- Confirmation and Connection: Once the key exchange is complete and both devices possess the same key, a connection is established. Data transmitted across the connection is encrypted with the newly established key.

In essence, SAE provides a secure way for devices to authenticate each other based on a shared password and establish a secure communication channel without relying on a central authentication server. It offers protection against common attacks like dictionary attacks and man-in-the-middle attacks. It allows peers to establish trust and a secure key derived from the mesh password without revealing that password directly over the air.
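
The commit and confirm rounds summarized in the list above can be traced in a small model of the exchange; this is an added example, not code from the original page or from any SAE implementation. It assumes the NIST P-256 curve (SAE group 19), and the function names, the "toy KCK" label, the simplified password-to-point search and the simplified key derivation are all hypothetical stand-ins for the standard's exact procedures; it is not constant time and does not validate received values.

```python
import hashlib, hmac, secrets
P = 2**256 - 2**224 + 2**192 + 2**96 - 1  # P-256 field prime; curve y^2 = x^3 - 3x + B
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
H = lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest()

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def password_element(password, id_a, id_b):  # simplified "hunting and pecking"
    ids = max(id_a, id_b) + min(id_a, id_b)
    for counter in range(1, 256):
        x = int.from_bytes(H(ids, password + bytes([counter])), "big") % P
        rhs = (pow(x, 3, P) - 3 * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y and y * y % P == rhs:
            return x, y  # the password now only exists as a curve point
    raise ValueError("no password element found")

def commit(pwe):  # returns (private rand, public (scalar, element))
    rand, mask = secrets.randbelow(N - 2) + 2, secrets.randbelow(N - 2) + 2
    mx, my = mul(mask, pwe)
    return rand, ((rand + mask) % N, (mx, -my % P))

def confirm(pwe, rand, mine, peer):  # returns (shared key, confirm tag)
    k = mul(rand, add(mul(peer[0], pwe), peer[1]))  # = rand * peer_rand * PWE
    kck = H(b"toy KCK", k[0].to_bytes(32, "big"))
    return kck, H(kck, repr((mine, peer)).encode())

def handshake(pw_a, pw_b, id_a=bytes.fromhex("020000000001"), id_b=bytes.fromhex("020000000002")):
    pwe_a, pwe_b = (password_element(pw, id_a, id_b) for pw in (pw_a, pw_b))
    (ra, ca), (rb, cb) = commit(pwe_a), commit(pwe_b)  # only ca and cb are transmitted
    (key_a, conf_a), (key_b, _) = confirm(pwe_a, ra, ca, cb), confirm(pwe_b, rb, cb, ca)
    return hmac.compare_digest(conf_a, H(key_b, repr((ca, cb)).encode()))  # B checks A
```

`handshake` returns `True` only when both peers started from the same password; the MAC-style identifiers in its defaults are constructed sample values.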