Researchers are now urgently assessing the viability of post-quantum cryptography to safeguard wireless networks against future threats from quantum computers. Lukas Köder, Nils Lohmiller and Phil Schmieder, from the University of Applied Sciences Esslingen and the University of Wuppertal respectively, alongside Bastian Buck et al., present a detailed evaluation of the performance impact of integrating post-quantum algorithms into WPA-Enterprise authentication protocols. Their work is significant because it moves beyond theoretical analysis, offering the first real-world performance measurements using a dedicated testbed and open-source tools. By analysing authentication latency and categorising potential weaknesses, the team demonstrates that practical implementations of post-quantum WPA-Enterprise are feasible, with combinations like ML-DSA-65 and Falcon-1024 offering a promising balance between security and performance, and session resumption further mitigating overhead.
Evaluating performance impacts of post-quantum cryptography within WPA-Enterprise networks requires careful consideration
Scientists have demonstrated the practical feasibility of integrating Post-Quantum Cryptography (PQC) into WPA-Enterprise authentication, a critical step towards securing wireless networks against the looming threat of quantum computers. This research addresses the vulnerability of current Wi-Fi Protected Access (WPA)-Enterprise protocols, which rely on asymmetric cryptography susceptible to attacks from sufficiently powerful quantum machines.
The team achieved a first-of-its-kind real-world performance evaluation of PQC-enabled WPA-Enterprise, utilising a testbed constructed with FreeRADIUS and hostapd to meticulously measure authentication latency. Researchers conducted experiments to quantify the performance overhead introduced by various PQC algorithm combinations, comparing them directly to currently deployed cryptographic schemes.
The study reveals that while PQC algorithms inevitably introduce additional latency to the authentication process, specific combinations, such as ML-DSA-65 and Falcon-1024 alongside ML-KEM, offer a favourable balance between robust security and acceptable performance. Beyond simply measuring speed, the work innovatively assesses the security implications of these algorithm choices by correlating authentication mechanisms with the computational effort required for quantum-based exploitation.
This approach allows for a systematic categorization of Post-Quantum relevant weaknesses within WPA-Enterprise, prioritised by their practical urgency and potential for attack. The evaluation results demonstrate that session resumption can effectively mitigate the performance overhead associated with PQC implementation.
This research establishes a crucial baseline for understanding the trade-offs involved in transitioning to PQC within enterprise Wi-Fi networks. By meticulously measuring the impact of different PQC algorithms on authentication latency, the scientists provide concrete data to inform future standardisation efforts and deployment strategies.
The team’s work goes further by releasing the necessary software modifications for FreeRADIUS and hostapd, alongside the complete testbed configuration, fostering further research and collaboration within the security community. This proactive approach is vital, given the anticipated arrival of large-scale quantum computers and the potential for “harvest-now-decrypt-later” attacks targeting currently encrypted data.
Furthermore, the study introduces a novel metric termed “quantum annoyance”, which characterises the scaling of effort required by a quantum adversary to compromise WPA-Enterprise networks. This metric allows for a nuanced understanding of the security benefits offered by different PQC algorithms, moving beyond simple comparisons of key sizes and computational complexity.
The NIST PQ security levels, ranging from 1 to 5, were considered, with level 1 representing the minimal resource requirements equivalent to a key search on a 128-bit block cipher, and level 5 corresponding to a key search on a 256-bit block cipher. The research highlights the importance of proactive adaptation, as the lengthy processes of technology standardisation and deployment necessitate immediate consideration of PQC solutions to maintain long-term network security.
Quantifying latency of post-quantum WPA-Enterprise authentication with a FreeRADIUS and hostapd testbed reveals significant overhead
Scientists investigated the performance impact of Post-Quantum Cryptography (PQC) algorithms on WPA-Enterprise authentication using a purpose-built testbed. Researchers constructed this system with FreeRADIUS and hostapd, open-source tools enabling detailed measurement of authentication latency across the client, access point, and RADIUS server.
The study employed multiple combinations of PQC algorithms to quantify performance overhead compared to currently deployed cryptographic schemes, focusing on ML-DSA-65 and Falcon-1024 alongside ML-KEM. To assess the practical urgency of PQ-relevant weaknesses, the team related authentication mechanisms to the effort required for potential exploitation.
The experimental setup involved a PQ-secure EAP-TLS exchange, mirroring a Wi-Fi environment with a client, access point, and RADIUS server, as depicted in Figure 2 of the work. This process began with the access point initiating authentication by sending an EAP-Request/Identity to the client, followed by a response relayed to the RADIUS server.
Upon identity acceptance, the server initiated the EAP-TLS handshake with an EAP-Request containing the TLS ClientHello message, including PQ signature algorithm identifiers and key exchange groups. The researchers deliberately incorporated larger PQC artifacts, anticipating the need for fragmentation of handshake messages, which introduced additional EAP round-trips and consequently increased latency.
The server responded with a ServerHello encapsulated within an EAP-Request, containing the PQ certificate chain, signature, and key share ciphertext. Clients then performed decapsulation and certificate verification, responding with their own credentials. This methodology enabled the team to isolate latency across three stages: client-side processing, access point forwarding, and RADIUS server-side computations. The study pioneered a real-world performance evaluation of PQC-enabled WPA-Enterprise authentication, demonstrating its practical feasibility and identifying combinations offering a favourable trade-off between security and performance.
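The fragmentation cost described above can be made concrete with a small model. The following is an added example, not code from the paper or its testbed: it frames a server flight into EAP-TLS fragments as RFC 5216 specifies, reassembles them on the peer side, and counts the empty acknowledgement responses, each of which is one extra EAP round-trip. The flight sizes are a constructed approximation; the 1024-byte fragment size, the ML-KEM-768 ciphertext size, the two-certificate chain, the framing overheads and all function names are assumptions.

```python
import struct

EAP_REQUEST, EAP_TYPE_TLS = 1, 13      # RFC 3748 code, RFC 5216 method type
FLAG_L, FLAG_M = 0x80, 0x40            # "length included", "more fragments"
# Approximate raw (public key, signature) sizes in bytes; Falcon signatures vary.
SIG_SIZES = {"RSA-2048": (256, 256), "ML-DSA-65": (1952, 3309),
             "Falcon-1024": (1793, 1280)}
KEM_CT = 1088                          # ML-KEM-768 ciphertext (assumed parameter set)

def server_flight(alg, chain_len=2):
    """Constructed stand-in for ServerHello..Finished: only its length is modelled."""
    pk, sig = SIG_SIZES[alg]
    size = chain_len * (pk + sig + 300) + sig + KEM_CT + 200  # 300/200: assumed framing
    return bytes(i % 251 for i in range(size))

def fragment(flight, fragment_size=1024, first_id=1):
    """Split one TLS flight into EAP-Request/EAP-TLS packets (RFC 5216, 2.1.5)."""
    chunks = [flight[i:i + fragment_size]
              for i in range(0, len(flight), fragment_size)] or [b""]
    packets = []
    for n, chunk in enumerate(chunks):
        flags = FLAG_M if n < len(chunks) - 1 else 0
        if n == 0 and len(chunks) > 1:          # first fragment announces total length
            flags |= FLAG_L
            chunk = struct.pack("!I", len(flight)) + chunk
        header = struct.pack("!BBHBB", EAP_REQUEST, (first_id + n) & 0xFF,
                             6 + len(chunk), EAP_TYPE_TLS, flags)
        packets.append(header + chunk)
    return packets

def reassemble(packets):
    """Peer side: validate framing, return (flight, empty ACK responses sent)."""
    data, announced, acks = b"", None, 0
    for pkt in packets:
        _code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
        if eap_type != EAP_TYPE_TLS or length != len(pkt):
            raise ValueError("malformed EAP-TLS packet")
        body = pkt[6:]
        if flags & FLAG_L:
            announced, body = struct.unpack("!I", body[:4])[0], body[4:]
        data += body
        acks += bool(flags & FLAG_M)            # each non-final fragment costs a round trip
    if announced is not None and announced != len(data):
        raise ValueError("TLS message length mismatch")
    return data, acks

def extra_round_trips(alg, fragment_size=1024):
    """Extra EAP round-trips needed to deliver the modelled server flight."""
    flight = server_flight(alg)
    data, acks = reassemble(fragment(flight, fragment_size))
    assert data == flight
    return acks
```

Under these assumptions the same handshake costs 3 extra round-trips with RSA-2048, 9 with Falcon-1024 and 15 with ML-DSA-65, each of which also crosses the access point to RADIUS hop.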
Quantifying latency impacts of post-quantum cryptography in WPA-Enterprise authentication requires careful measurement
Scientists investigated the performance impact of Post-Quantum Cryptography (PQC) algorithms on WPA-Enterprise authentication, a critical area given the threat posed by large-scale quantum computers. The research team conducted experiments using a testbed built with FreeRADIUS and hostapd to measure authentication latency at the client, access point, and RADIUS server.
These measurements aimed to quantify the performance overhead introduced by PQC algorithms compared to currently deployed cryptographic schemes. Experiments revealed that combinations of ML-DSA-65 and Falcon-1024, used alongside ML-KEM, provided a favourable trade-off between security and performance.
The team measured authentication latency for various PQC combinations, assessing the effort required for potential exploitation of authentication mechanisms. Data shows that while PQC introduces additional latency, strategic algorithm pairings can mitigate this impact. Furthermore, scientists demonstrated that session resumption effectively reduces the overhead associated with PQC-enabled authentication.
The work presents a first real-world performance evaluation of PQC-enabled WPA-Enterprise authentication, establishing its practical feasibility for enterprise Wi-Fi deployments. Measurements confirm the potential for proactive security changes to address the threat of harvest-now-decrypt-later attacks.
The study categorised quantum annoyance, a resilience metric quantifying the effort required by a quantum adversary to extract security-relevant information. This metric characterises how the number of quantum computing operations scales with attack complexity. NIST PQ security levels, ranging from 1 to 5, were considered, with level 1 representing a key search on a 128-bit block cipher and level 5 a key search on a 256-bit block cipher.
Researchers released software changes for FreeRADIUS and hostapd, alongside testbed configurations, on GitHub to facilitate further research. The team’s work highlights the importance of integrating PQ-secure key encapsulation and signature schemes into the WPA-Enterprise handshake to counter the threat of quantum computers.
Practical performance of post-quantum WPA-Enterprise with latency mitigation requires further investigation
Scientists have demonstrated the practical feasibility of integrating post-quantum cryptography (PQC) into WPA-Enterprise authentication for enterprise Wi-Fi networks. This research presents a real-world performance evaluation using open-source tools like hostapd and FreeRADIUS, quantifying the impact of PQC algorithms on authentication latency.
The study assessed various PQC combinations, revealing that algorithms such as ML-DSA-65 and Falcon-1024, when paired with ML-KEM, offer a beneficial balance between security and performance. Researchers systematically categorised potential weaknesses related to PQC within WPA-Enterprise, considering the effort required for exploitation.
Their findings indicate that the increased authentication latency introduced by PQC can be effectively mitigated through session resumption techniques. The evaluation was conducted across varying signal qualities (excellent, good, and poor), demonstrating the consistent performance of Falcon and ML-DSA compared to RSA.
Consequently, the authors recommend Falcon at security level 5 or ML-DSA at security level 3 for practical implementation. The authors acknowledge that while the overhead is unlikely to significantly impact most organisations, particularly with session resumption, further investigation is warranted. They suggest that SLH-DSA variants may be better suited for weak signal environments due to reduced packet transmission, although they still exhibit longer authentication times than Falcon or ML-DSA. This work establishes a pathway for securing WPA-Enterprise networks against quantum computing threats, facilitating a practical transition towards post-quantum secure wireless communication.
👉 More information
🗞 Assessing the Real-World Impact of Post-Quantum Cryptography on WPA-Enterprise Networks
🧠 ArXiv: https://arxiv.org/abs/2601.22892
