WPA2 & WPA3: The New, The Changed, The Future
The Wi-Fi Alliance announced three enhancements to extend the effectiveness of WPA2. They also revealed four key features of WPA3 designed to both simplify and advance Wi-Fi security: Simultaneous Authentication of Equals, Opportunistic Wireless Encryption, Device Provisioning Protocol, and optional 192-bit encryption.
In a double-tap move, the Wi-Fi Alliance has announced enhancements to the WPA2 protocol and more details about its eventual successor, WPA3. Others discussing this announcement have alluded to the WPA/WPA2 vulnerabilities revealed last year at the Black Hat USA Conference and more widely in October 2017. The truth is that WPA2 was introduced 14 years ago. Not only is it “getting long in the tooth,” but with quantum computers on the horizon, there is a real need for quantum-safe cryptography that has been fully tested and deployed.
The first new feature of WPA3 is a new handshake designed to prevent dictionary attacks on pre-shared key security modes. Don’t worry, the fine people who work at Webster’s do not have to go into WitSec. A dictionary attack tries every string in a pre-arranged list as a candidate password. Tools that aid in cracking hashes include colorful examples such as Cain and Abel, John the Ripper, and L0phtCrack. Previous techniques to thwart dictionary attacks have included requiring complex passwords and using a salt. By adopting Simultaneous Authentication of Equals (SAE), WPA3 will protect users whose passwords do not meet typical complexity requirements, making pre-shared key modes secure while keeping them easy to use.
The second feature is designed to provide a simple way for public and guest WLANs to be encrypted and secure without the need for a personal VPN. A “new” encryption, Opportunistic Wireless Encryption (OWE), is based on RFC 8110. Without a pre-configured password, client devices and access points will be able to create a one-time-use Pairwise Master Key (PMK), replacing the most common current practice, “Open” wireless security.
The third feature is optional and designed to secure IoT devices, most of which have limited or no display interface. The new Device Provisioning Protocol will provide a simple and secure way to add these devices to a Wi-Fi network.
The fourth feature is an optional 192-bit security suite, a cryptographic strength enhancement. It is aligned with the Commercial National Security Algorithm (CNSA) Suite and designed to maintain data integrity on networks requiring the highest security, even in a post-quantum computer era.
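To make three of these features concrete on an actual access point, here is an added example that is not part of the Wi-Fi Alliance announcement or this article: a hostapd.conf for a Linux AP hosting three virtual networks, a WPA2/WPA3-Personal transition network (SAE), an OWE guest network, and a 192-bit Suite B network. It assumes a hostapd build with SAE, OWE and Suite B support; interface names, SSIDs, the RADIUS address and all secrets are constructed placeholders, and Device Provisioning Protocol is not covered.

```ini
# Added example, not from the original article: hostapd.conf for a Linux AP.
# Assumes a hostapd build with SAE, OWE and Suite B support (nl80211 driver).
# Each "bss=" line starts an additional virtual AP on the same radio.
# SSIDs, interface names, the RADIUS address and secrets are placeholders.
interface=wlan0
driver=nl80211
hw_mode=a
channel=36

# BSS 1: WPA2/WPA3-Personal transition mode.
# WPA-PSK stays for legacy clients; SAE clients get the Dragonfly handshake,
# so their session keys are not derived from the passphrase alone and a
# captured handshake is no longer an offline password-guessing oracle.
# SAE uses wpa_passphrase unless sae_password is set separately.
# PMF is left optional (ieee80211w=1) so non-PMF WPA2 clients still connect,
# but it is forced for SAE associations (sae_require_mfp=1).
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=REPLACE-WITH-REAL-PASSPHRASE
rsn_pairwise=CCMP
ieee80211w=1
sae_require_mfp=1

# BSS 2: Opportunistic Wireless Encryption (RFC 8110) instead of an open
# network. No passphrase: each client negotiates a one-time PMK with the AP,
# and PMF is mandatory.
bss=wlan0_owe
ssid=ExampleNet-Guest
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
ieee80211w=2

# BSS 3: WPA3-Enterprise 192-bit mode (Suite B). Requires 802.1X with a
# RADIUS server doing EAP-TLS using Suite B 192-bit ciphers and certificates;
# the address below is a placeholder.
bss=wlan0_sb
ssid=ExampleNet-Secure
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
group_mgmt_cipher=BIP-GMAC-256
ieee80211w=2
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-RADIUS-SECRET
```

Clients that support only WPA2 will still join BSS 1 over WPA-PSK, so the dictionary-attack exposure is only removed once those clients are retired and the key management is narrowed to SAE alone.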
As the Wi-Fi Alliance has stated, “WPA2 will continue to be deployed in Wi-Fi CERTIFIED devices for the foreseeable future, and all devices supporting WPA3 will continue to work with WPA2 devices. Wi-Fi CERTIFIED for both WPA2 and WPA3 validates recommended security practices as the security landscape changes.”