# Wireless AKA Progression Cross-Chapter Comparison Sidebar

*Cross-chapter shared reference for `vca-wir-101` Week 4 (802.11 security protocols -- WEP / WPA-PSK / WPA2 / WPA3-SAE / 802.1X) + `vca-rf-301` Ch 4 (RF security primitives -- encryption at RF layer; physical-layer authentication) + `vca-net-201` security module (intermediate-register security cross-cut) + `vca-net-301` Ch 8 (Wireless / 802.11 deep-dive -- 4-way handshake, WPA3-Enterprise) + cross-reference from `vca-sec-101` (wireless-CVE list; KRACK / Dragonblood / FragAttacks). Anchors: Kurose & Ross, *Computer Networking: A Top-Down Approach*, 9th ed., Pearson, 2021 -- §8.8.1 (WPA / WPA2 / WPA3-SAE) + §8.8.2 (5G-AKA, SUCI, IMSI-catcher attack-class). *

**Purpose:** explicit three-way comparison of three contemporary wireless **Authentication and Key Agreement (AKA)** protocols students encounter at intermediate-to-advanced register -- **WPA2-SAE** (802.11i, 2004), **WPA3-SAE / Dragonfly** (802.11-2020 / WPA3, 2018), and **5G-AKA** (3GPP Rel-15, 2018) -- against a common set of three architectural axes (trust-anchor model, long-term-identity privacy, forward-secrecy and replay-protection mechanism). **Pedagogical thesis:** *the AKA protocols students walk into across the wireless and cellular tracks are not three disconnected designs; they are three points on a single design-evolution arc -- each one is the answer to the attack class that broke the previous one.* When a student reads a KRACK reproduction trace, a Dragonblood timing-side-channel writeup, or a 5G-AKA SUCI capture against an IMSI-catcher, the architectural axes below are what makes each readable as a coherent response to a specific historical failure rather than a flat protocol roster.

Print and pin during `wir-101` Week 4 (802.11 security-protocol introduction), `rf-301` Ch 4 (RF security primitives -- physical-layer authentication), `net-201`'s security module (intermediate-register security cross-cut), and `net-301` Ch 8 (wireless deep-dive -- the 802.11/5G companion framing).

---

## At a glance

| Property | Value |
|---|---|
| Architectures compared | **WPA2-SAE** (802.11i, 2004), **WPA3-SAE / Dragonfly** (802.11-2020 / WPA3, 2018), **5G-AKA** (3GPP Rel-15, 2018) |
| Comparison axes | **3** (trust-anchor model / long-term-identity privacy / forward-secrecy + replay-protection mechanism) |
| Primary anchor | Kurose & Ross 9e -- §8.8.1 (WPA / WPA2 / WPA3-SAE) + §8.8.2 (5G-AKA / SUCI / SUPI / IMSI-catcher closure) |
| Track readers | wir-101 Week 4 (entry-register AP-authentication lens) + rf-301 Ch 4 (signal-side capture-and-replay lens) + net-201 security module (protocol-side AKA-design-rationale lens) + net-301 Ch 8 (control-plane wireless lens; cross-link to CT-B) + sec-101 (CVE-register cross-reference) |
| Voice family | Petzold-style Architecture Comparison Sidebar (parallels CT-B 5G-Core/SDN/Mobile-IP, RF-301 OFDM/CDMA/TDMA/FHSS/DSSS, NET-301 Snort/Suricata/Zeek, and the canonical CSA-101 ARM/x86/MIPS/RV32I-Lite roster pattern) |
| Companion sidebar | `handouts/cross-chapter-control-plane-architectures.md` (CT-B; 5G-Core ↔ SDN ↔ Mobile-IP). 5G-AKA appears in both: CT-A reads it as an AKA-progression endpoint; CT-B reads it as a control-plane decomposition expression. The two readings are complementary. |

---

## Three AKA protocols -- one-paragraph each

**WPA2-SAE (802.11i, 2004).** WPA2's authentication-and-key-agreement is the **4-way handshake**, confirmed in IEEE 802.11i in 2004 and the deployed mainstream of enterprise and consumer WiFi for a decade and a half. The pre-shared key (PSK; the network passphrase the user types into the device) is the **trust anchor at both ends** -- AP and station each derive the Pairwise Master Key (PMK) from the PSK independently. Inside the 4-way handshake the AP and station exchange nonces (ANonce + SNonce), derive the Pairwise Transient Key (PTK), confirm the PTK with a MIC-checked message-pair, and install the PTK as the per-session encryption key. Variant **WPA2-Enterprise** replaces the PSK trust anchor with an EAP-driven RADIUS exchange (EAP-TLS most prominently), but the handshake-and-key-derivation skeleton is unchanged. 9e §8.8.1 anchor.

**WPA3-SAE (Dragonfly handshake; 802.11-2020 / WPA3, 2018).** WPA3's authentication-and-key-agreement is **Simultaneous Authentication of Equals (SAE)** built on the **Dragonfly password-authenticated key exchange (PAKE)** primitive (RFC 7664; IETF 2015). The trust anchor is still the network passphrase -- but Dragonfly's PAKE construction means *the passphrase is never transmitted, never derivable from the captured handshake, and never susceptible to the offline-dictionary attack class that broke WPA2's PSK story.* Each side commits to its passphrase-derived element first; only after the commit-pair does the key-derivation proceed; and a captured Dragonfly handshake is provably useless to an offline attacker who does not already know the passphrase. WPA3 also bakes in **forward secrecy by design** -- a captured-and-cracked handshake from session N does not compromise sessions N−1 or N+1 even if the passphrase is later disclosed. 9e §8.8.1 anchor (WPA3 extensions section).

**5G-AKA (3GPP Rel-15, 2018; cellular-AKA endpoint).** 5G-AKA is the cellular-track endpoint of this design-evolution arc. The trust anchor is **not at the device's edge** -- it lives **inside the operator's home network**, in the **Unified Data Management (UDM)** function and the **Authentication Server Function (AUSF)**. The long-term subscriber key (the "K" in the 3GPP AKA family -- historically the Ki of GSM, the K of UMTS-AKA, the K of EPS-AKA in 4G, and now the K of 5G-AKA) is provisioned into the SIM/USIM/eSIM at manufacture and into the home-network UDM at subscriber activation; **the network and the subscriber share a long-term secret that the UE itself never has to send over the air.** 5G-AKA's challenge-response runs on top of this shared secret with home-network sequence-number tracking (SQN) to defeat replay. The architectural break with 4G/3G/2G AKA is **SUCI / SUPI separation:** the 5G UE never transmits its long-term identity (SUPI ≈ IMSI in legacy AKA) in the clear -- it transmits the **SUCI**, an ECIES-encrypted form of the SUPI that only the home network can decrypt -- closing the IMSI-catcher attack class that defined cellular AKA's vulnerability surface for thirty years. 9e §8.8.2 anchor.

---

## Three comparison axes

### Axis 1 -- Trust anchor / authentication root

| Architecture | Trust anchor | Where it lives |
|---|---|---|
| **WPA2-SAE** | **Pre-shared key (PSK)** derived from the network passphrase | At AP and at station -- both endpoints hold the PSK directly |
| **WPA3-SAE** | **Same PSK** -- but the Dragonfly PAKE means the PSK is never transmitted, never derivable from a captured handshake, and never offline-dictionary-attackable | At AP and at station -- same physical locus as WPA2; the cryptographic construction is what changes |
| **5G-AKA** | **Long-term subscriber key (K)** provisioned into SIM/USIM/eSIM at manufacture | At the **home network's UDM/AUSF** + at the SIM -- *not at the visited network*; the visited network never sees K |

**Reading the axis.** All three protocols share the same architectural shape -- a long-term secret known to two parties drives a per-session key derivation -- but the *locus* of the long-term secret tells a story. WPA2 and WPA3 keep the secret at the network's physical edge (the AP or the EAP server); the visited-vs-home distinction does not exist for residential or enterprise WiFi. 5G inherits that distinction from cellular roaming: because a 5G UE may attach to a visited network thousands of kilometres from home, the trust anchor must live with the home network and the per-session derivation must work *via* the visited network without disclosing K to it. The WiFi-to-cellular AKA-design jump is structurally driven by this roaming requirement; everything else in 5G-AKA's complexity follows from it.

### Axis 2 -- Long-term-identity privacy

| Architecture | Long-term identity exposure | Attack class addressed |
|---|---|---|
| **WPA2-SAE** | **AP MAC + station MAC visible in every frame** (no privacy of long-term identity at the AKA layer) | None -- privacy not a design goal at the 802.11i layer; randomised-MAC arrived later as an OS-side feature |
| **WPA3-SAE** | **Same** -- AP MAC + station MAC visible (the WPA3 privacy improvements live in **OWE / Opportunistic Wireless Encryption** for open networks, not in the SAE handshake itself) | None directly; the privacy story for open-network WiFi is parallel to the WPA3-SAE story |
| **5G-AKA** | **SUCI = ECIES(SUPI)** -- the long-term identity (SUPI ≈ IMSI) is never transmitted in the clear; only the home-network UDM holds the private key to decrypt SUCI back to SUPI | **IMSI-catcher attack class** -- the thirty-year cellular vulnerability where any party with a fake-base-station could harvest IMSIs by triggering Identity-Request frames |

**Reading the axis.** This is the axis where the WiFi family and the cellular family diverge most sharply. WPA2 and WPA3 do not address long-term-identity privacy at the AKA layer at all -- and arguably do not need to, because a residential or enterprise WiFi AP is a known fixed party in a small-scale deployment context where MAC visibility is not the dominant attack surface. Cellular's threat model is the inverse: the UE attaches to whatever base station the radio finds, the operator cannot know in advance which base stations are real and which are fake-base-station IMSI-catchers, and the long-term identity (IMSI / SUPI) is the durable subscriber-identifying key whose disclosure enables long-term tracking. 5G-AKA's SUCI-over-the-air design directly closes this attack class -- the *exact* IMSI-catcher attack class that defined the cellular-AKA threat model from GSM forward. Pedagogical lesson: the design choices are not architectural taste; they are responses to specific named attack classes against specific deployment-context threat models.

### Axis 3 -- Forward secrecy + replay-protection mechanism

| Architecture | Forward-secrecy story | Replay-protection mechanism |
|---|---|---|
| **WPA2-SAE** | **None by default** -- the PMK is derived from the static PSK; once an attacker recovers the PSK (offline-dictionary attack against captured handshakes is the dominant pathway), all past and future sessions are compromised | **Per-message nonces (ANonce + SNonce)** -- but the **KRACK** attack class (Vanhoef + Piessens, 2017) showed that nonce-reuse in the 4-way handshake's message-3 retransmission path was the door to full key-stream recovery; widely-deployed implementations were vulnerable until coordinated patching |
| **WPA3-SAE** | **Forward secrecy by design** -- Dragonfly's PAKE construction means each session's key is independent of the long-term passphrase; passphrase recovery does not retroactively compromise past or future sessions | **Per-handshake commit nonces** -- the Dragonblood attack class (Vanhoef + Ronen, 2019) demonstrated timing and side-channel weaknesses in early WPA3-SAE implementations, all of which were addressable in implementation rather than requiring protocol redesign |
| **5G-AKA** | **Forward secrecy depends on operator implementation** -- the long-term key K does not directly derive per-session keys (per-session keys come from K + RAND + SQN through the AKA challenge-response), so K-disclosure does not retroactively decrypt past sessions, *but* a compromised K compromises future session-establishment | **Sequence numbers (SQN) tracked at home-network UDM** -- replay-protection follows from SQN monotonicity; the residual concern is **downgrade attacks** (forced fallback to legacy AKA generations with weaker properties), and 3GPP working-group countermeasures against downgrade are an active area |

**Reading the axis.** This is the axis where the AKA-progression story is most visible as a *story.* WPA2's no-forward-secrecy story is what made KRACK so consequential -- the protocol design and the implementation bug compounded. WPA3's forward-secrecy-by-design story is the protocol-design response to that compound failure. 5G-AKA's SQN-based replay-protection inherits a thirty-year cellular tradition (SQN tracking goes back to UMTS-AKA in the early 2000s) and applies it to a home-network-anchored trust model rather than a device-anchored one. Three protocols, three different forward-secrecy and replay stories -- each one a response to the threats the previous design left unaddressed.

---

## Cross-track pedagogy notes

**wir-101 Week 4 -- entry-register AP-authentication lens.** The wireless-pentesting register reads this AKA-progression as a *story of increasingly-sophisticated attack surfaces driving protocol redesign.* WIR-101 students arrive having just completed Week 3's site survey; Week 4 is where they learn that "what security mode is this network in?" is a question with a deep technical lineage. The pedagogical move at this level is to walk WPA2 → WPA3 → 5G-AKA as a *historical* progression, surfacing the named attacks (KRACK, Dragonblood, IMSI-catcher) as the *driving force* behind each protocol redesign. By the end of Week 5's hashcat-against-WPA2 lab, students should be able to articulate why the same lab is structurally impossible against a properly-implemented WPA3-SAE network and structurally inapplicable to a 5G-AKA exchange -- and *why* each next-generation protocol's attack surface is qualitatively different from the previous one's.

**rf-301 Ch 4 -- signal-side / capture-and-replay lens.** The advanced-RF register reads this AKA-progression *from the radio outward.* Each protocol presents a different capture-side opportunity: WPA2's 4-way handshake is the canonical capture target (KRACK demos, hashcat-against-PMK pipeline); WPA3-SAE's Dragonfly commit-pair is the timing-and-side-channel target (Dragonblood demos); 5G-AKA's NAS Identity-Response and SUCI computation are the cellular-baseband side-channel targets (recall that 9e §8.8.2 names this class explicitly). The RF-track-register move is to read each protocol as a *signal artifact first* -- what does the capture look like, what fingerprints distinguish each handshake on the air, and where are the implementation side-channels that real-world attacks exploit?

**net-201 security module -- protocol-side AKA-design-rationale lens.** The intermediate-NET register reads this AKA-progression *from the protocol design outward.* NET-201's security-module register is where students first see AKA as *a class of protocols* rather than *one protocol*; the cross-track sidebar makes the protocol-design rationale explicit (why PAKE? why home-network anchoring? why SUCI?). This is also the right register to surface the cryptographic-primitive choices: HMAC-SHA1 in WPA2, ECC + Dragonfly PAKE in WPA3-SAE, ECIES + per-operator EC parameters in 5G-AKA's SUCI computation. Students who internalise the primitive-choice rationale here transfer the reading skill directly to TLS 1.2/1.3/QUIC-TLS, which lives in Ch 4 of net-201's primary curriculum.

**net-301 Ch 8 -- control-plane wireless lens; cross-link to CT-B.** The advanced-NET register reads this AKA-progression *together with* the control-plane-architecture comparison from CT-B. The 5G-AKA endpoint is where CT-A and CT-B meet: 5G-AKA is the AKA-progression endpoint *and* the 5G-Core control-plane authentication function. The pedagogy at NET-301 register is to read the two sidebars in concert -- students who hold both side-by-side see that 5G-AKA's home-network anchoring (CT-A Axis 1) is what *enables* the 5G-Core's UDM/AUSF decomposition (CT-B Axis 1); the two architectural decisions are joint, not independent.

**sec-101 -- CVE-register cross-reference.** SEC-101 already names KRACK / Dragonblood / FragAttacks as canonical 802.11 CVE records (line 302 of `vca-sec-101.html`); CT-A is the cross-track sidebar that contextualises those CVEs *as protocol-design responses* rather than *as flat vulnerability records.* SEC-101's CVE-walk catalog pairs naturally with CT-A's protocol-progression register; students who hold both see that "read the CVE record" and "read the protocol-design rationale" are the two halves of the same skill.

---

## Anchor citations

- **Primary.** Kurose & Ross, *Computer Networking: A Top-Down Approach*, 9th ed., Pearson, 2021. §8.8.1 (WPA / WPA2 / WPA3-SAE -- the 9e expansion of the wireless-AKA story); §8.8.2 (5G-AKA, SUCI / SUPI, IMSI-catcher attack-class closure -- new in 9e).
- **Secondary -- wireless side.** IEEE 802.11i-2004 (WPA2 4-way handshake; normative). IEEE 802.11-2020 (WPA3 / Dragonfly SAE; normative). RFC 7664 (Dragonfly PAKE; IETF reference for the SAE primitive). Vanhoef & Piessens, *Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2*, ACM CCS 2017 (KRACK canonical). Vanhoef & Ronen, *Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd*, IEEE S&P 2020.
- **Secondary -- cellular side.** 3GPP TS 33.501 (5G security architecture; SUCI / SUPI / 5G-AKA normative). 3GPP TS 33.402 (non-3GPP access; 5G-AKA-prime variant for WiFi-to-5G-Core integration; mentioned as cross-link only). 3GPP TS 23.501 (5G system architecture; UDM / AUSF roster -- see CT-B for the control-plane decomposition reading).
- **Cross-references.** OpenAirInterface community docs for 5G-AKA hands-on (rf-301 Ch 5 lab substrate; net-301 Ch 8 cross-cut). aircrack-ng + hashcat documentation for WPA2-SAE attack reproduction (wir-101 Lab 5 substrate). Wireshark 802.11 dissector documentation for handshake-byte annotation (wir-101 Lab 4 + net-301 Lab 10 substrate).

---

## Cross-references

| Picks up at | Chapter / module | Purpose |
|---|---|---|
| `vca-wir-101.html` | Week 4 (802.11 security protocols -- WEP / WPA-PSK / WPA2 / WPA3-SAE / 802.1X) | Entry-register AP-authentication weave; sidebar slot anchor in the Foundational Anchor Weaves section |
| `vca-rf-301.html` | Ch 4 (RF security primitives -- encryption at RF layer; physical-layer authentication) | Signal-side capture-and-replay lens; sidebar slot anchor in the Architecture Comparison Sidebars section |
| `vca-net-201.html` | Security module (intermediate-register security cross-cut) | Protocol-side AKA-design-rationale lens; sidebar slot anchor in the Architecture Comparison Sidebars section |
| `vca-net-301.html` | Ch 8 (Wireless / 802.11 deep-dive -- 4-way handshake, WPA3-Enterprise) | Advanced control-plane wireless lens; sidebar slot anchor in the Architecture Comparison Sidebars section; cross-link to CT-B for the joint AKA-and-control-plane reading |
| `vca-sec-101.html` | Per-course skill-transfer roster (wireless-CVE list; KRACK / Dragonblood / FragAttacks) | "▶ See also" cross-reference pointer; CT-A contextualises the wireless CVEs SEC-101 names as protocol-design responses |
| `handouts/cross-chapter-control-plane-architectures.md` (CT-B) | Companion sidebar | Joint reading: 5G-AKA appears in both -- CT-A reads it as AKA-progression endpoint; CT-B reads it as control-plane decomposition expression |

---

## Pedagogical note -- the AKA-progression arc as a Petzold-style design-evolution case study

The three protocols compared above form a textbook case of *protocol-evolution-driven-by-attack-surface-discovery* -- the same compare-N-implementations-of-one-architectural-pattern shape that the canonical Petzold ARM/x86/MIPS/RV32I-Lite sidebar uses to teach instruction-set-architecture design choices. WPA2-SAE was the protocol that worked for fifteen years; KRACK was the attack class that broke it; WPA3-SAE was the design response. Cellular AKA evolved on a parallel track from GSM through UMTS through EPS-AKA (4G) to 5G-AKA, with IMSI-catcher attacks as the analogous driving attack class and SUCI as the analogous design response. By teaching the three protocols *together* -- across the wireless-track, RF-track, NET-track, and cross-referenced from the security-fundamentals track -- students see *protocol evolution as a discipline*, not as a flat history. That is the load-bearing pedagogical move CT-A enables; the per-track readings above are the registers in which the move takes place.

---

*Companion: `cross-chapter-control-plane-architectures.md` (CT-B; 5G-Core, SDN, Mobile-IP). Both handouts implement the same Architecture Comparison Sidebar pattern.*