WPA3 is the latest Wi-Fi Protected Access

Wireless communication is easy to intercept if you are within range. Good security measures are a must. Wi-Fi security has evolved from WEP to WPA, to WPA2 and now to forthcoming WPA3. What will change?

WPA2 or Wi-Fi Protected Access (or 802.11i) has been a long-lived solution. WPA was published in 2003 and WPA2 in 2004. Fourteen years is a a long time for any security solution in IT, where hardware capacities grow exponentially. Recently we have seen some reports on WPA2 vulnerabilities. They are not yet very practical but are warning signs of the age of WPA2. To keep Wi-Fi secure Wi-Fi Alliance has published WPA3 in June 2018. What will it bring?

More secure connecting process

The reported WPA2 vulnerabilities have been based on the password exchange in the association phase of the connection. The password is obviously not exchanged as clear text but as a hash. You cannot recover the password from the hash, but… It is possible to precalculate a large dictionary of potential passwords. These dictionaries are called Rainbow Tables and they have been produced for years now. The probability, that the password you are using is in a dictionary, is increasing all the time.

In WPA3 the password hash is not exchanged per se, but SAE (Simultaneous Authentication of Equals) is used instead. 802.11s introduced SAE, which is based on the widely accepted Diffie–Hellman key exchange. In SAE both parties must be active. If a third party is just listening in and recording, he can’t make use of the information. This property will protect against Off-line Brute Force attacks. Another property of SAE is Forward Secrecy. Even if the key is exposed, old recordings cannot be decrypted. Only transfers made after exposure can be decoded. The rumour goes that large intelligence agencies have been storing encrypted transmissions in the hopes that the key can be recovered in the future.

For the ordinary user these technical details are not significant. You will authenticate as before. Technically the authentication is different and for WPA3 to be used both the access point and the user device must support WPA3.

Enhanced Open

Many guest networks today are open, that is unencrypted. The web login used in many airport and hotel hotspots does not provide for encryption. On those networks the connection is clear text and very easy to eavesdrop. If you log on to a service, which doesn’t use SSL/TLS encryption, then all credential information is sent in clear for anyone to receive.

WPA3 Enhanced Open will provide for encrypted connections even if there is no password. All Wi-Fi traffic will always be encrypted. Enhanced Open will not authenticate either party, however. The user can inadvertently connect to a hostile network that is using a familiar, trusted name. This threat has been in Wi-Fi since the beginning. Enhance Open will not help there, but will prevent passive eavesdropping.

Easy Connect

Connecting a computer or smartphone to a Wi-Fi network is a familiar and easy procedure for most of us. However, connecting printers, media servers, weather stations, wireless speakers and other devices, which don’t have a display or keyboard, is another matter. In the future with IoT there will be all kinds of sensors, home appliances, building automation, lightning fixtures to be connected as well.

WPS or Wi-Fi Protected Setup was introduced in 2006 to solve this problem. In WPS you needed to press a button on the access point or enter a short PIN code to the device to connect to the network. WPS was too easy and afterwards many security weaknesses have been found. WPS should not be used at all anymore.

WPA3 Easy Connect is a secure solution to the same problem. In Easy Connect you will use a configurator device like a smartphone, that is already connected, to connect a new device to the network. One way is to scan a QR code on the device and authorize it to connect. Easy Connect is based on trusted public key encryption methods.

WPA3 Personal and Enterprise

Like WPA2 also WPA3 has two modes:

  • WPA3 Personal, where all users share a common password.
  • WPA3 Enterprise, where all users have their unique credentials on a RADIUS server.

New in WPA3 Enterprise is the increased length of the encryption key: from 128 bits to 192 bits. In WPA3 Personal the key length will remain at 128 bits. At this time the difference is quite theoretical since 128 bit keys are still considered secure.

Should I upgrade?

As of now there are no WPA3 devices available, yet. The situation will certainly be different already by the beginning of 2019. WPA3 capability is of no use unless both the access point and the user device support it. If either one only supports WPA2 then WPA2 will be used. Co-existence will continue for several years at least, especially in guest and BYOD networks.

The way Wi-Fi Alliance has defined WPA3 requires that devices must support the whole WPA3 to be compliant. The requirements are thus the new authentication process, Enhanced Open, Easy Connect and 192 bit WPA3 Enterprise.

New devices will soon be WPA3 compliant. There is no reason to produce WPA2-only devices. However, upgrading old devices may be limited. Computers and recent smartphones have enough computing power for the new encryption requirements, unless encryption has been offloaded to a special circuit. If the circuit has been designed for 128 bit encryption it cannot be used for 192 bits. Upgrade options for access points will probably be poor. APs have very modest computing power so I doubt the upgrade could be done with a simple firmware update. The vendors will be happy to sell you new hardware, though 😬

Set up a free https certificate for your web server by Let’s Encrypt

Improve your search engine visibility by moving to https connections!

Let’s Encrypt is a project aimed at making the internet safer, at least a bit. The means is to automate PKI certification creation to the point when the price drops to zero or at least close. Let’s Encrypt hands out their certificates for free, although donations (even small ones) are welcome. Google is encouraging https connections by ranking them higher in search results. Chrome browser has started warning about non-https sites.

If your web hosting provider supports Let’s Encrypt, start using it. Even if they don’t mention it on their pages, you can still ask why it is not supported. Especially if they have links for commercial certificate providers.

If you run your own servers you have to work little harder. The automation behind Let’s Encrypt means that there is no web user interface for the service. You need to have a script on the server that will install and renew the certificate automatically. EFF provides CertBot that makes this easy on most Unix-like operating systems. Installation and deployment depend on the OS and web server, but EFF’s web page has instructions for the most popular ones. There are several alternatives for Microsoft Windows.

In general you need to create a hidden directory .well-known on your web site, where the script will create a file for the duration of the transaction. This is how Le’ts Encrypt can verify that the request comes from the correct domain. This verification method can cause problems, because the domain on the certificate must be accessible from the internet by https. For example you can not get a certificate for an internal-only website like an intranet (at least without some extra steps) or non-http services unless they are on the same server as the http server.

The script will save the public and private keys on the disk. You can set the file path in script settings, but the default is fine as long as you add the full paths to your web server configuration.

The certificate will be valid for 90 days only, but thanks to the automated renewal you won’t notice when it is renewed. Let’s Encrypt recommends running the script twice a day to ensure smooth renewal. Most of the times the script will do nothing, so it does not tax your server.

The certificate on this site is from Let’s Encrypt. You can check it by clicking on the lock symbol in the address bar (or whatever symbol your browser uses).

Links:

How to use passwords securely

Improve your password security with this password management method – for free

Everyone knows, that passwords should be long, complex, nonsense and so forth. The problem is, such passwords are impossible to remember, especially when you need a lot of them and they need to be changed periodically. That’s why most users use the same password for all services. However, that is the worst solution. It would be more secure to write down all different passwords in your notebook. If there is a leak in one service, the hackers will try the same usernames and passwords in Facebook, GMail, Twitter etc. Usually they succeed in many cases. Then the hackers can expand the identity theft and perhaps convince your friends to step into a trap.

How should you do it?

Make up a permanent password

Make up a password that contains upper and lower case letters and a few special character and number. Start with a simple word with at least six characters, let’s say garage. Replace the r with a 4 to get ga4age for example. Replace the last e with # to get ga4ag#. Capitalize all the vowels to get gA4Ag#. That is starting to look like a proper password. Try to type it on the keyboard. Is it easy enough to type or should you change something? In the best case you should use keys alternatively from both ends of the keyboard, because that way it is faster to type with two hands. In that sense gA4Ag# is not the best choice, but will do as an example here. Avoid characters that are special to your locale. For example ü or ß would appear on every German keyboard, but may be hard to find elsewhere. Avoid also currency symbols like $, £ or €. You may one day need to type your password in a Asian internet cafe. Don’t worry about remembering this password. You will learn it by heart because you will use it everywhere and it will not change.

Make up a word for every service you use

Associate a word for every service. For example workplace account could be payday, frequent flyer account airport, pet forum doggies, email letters etc. Don’t choose the shortest words. Even better if you can come up with more personal associations. Like if you love to fly to beach resorts for vacations, use beaches for the frequent flyer account. Write down the names of the services and the associated words. You can use paper or a notebook, but even better is a file in DropBox, OneDrive, GMail or such (but then you must remember that password!) If this list leaks out, it is of no use without the permanent part and the formula.

Invent a formula to combine the two

Make up an algorithm to combine these. For example two characters from the service word, then the permanent password and the rest of the service word. That would make gA4Ag# + beaches = begA4Ag#aches. Or two characters from each, then the rest or begAaches4Ag#. However you do it, make sure your method splits the service word into at least two sections. You can also use first or last syllables instead of a character count.

These passwords are safe from both dictionary and brute force attacks. They won’t exist in any dictionary and are long enough to defend against systematically trying all character combinations. If you need to renew the password you only need to come up with a new word for the service. There is no need to ever change the permanent password or formula as long as they are kept secret. That’s why you mustn’t write them down!

Deployment

This is how far you can get as a mental excercise only. To actually deploy this takes some effort. You need to log on to every service and update your password. You only need to do this once, but it will take an afternoon or so. We all have quite a few accounts to manage. Start with the service you use most: workplace account, AppleID, Facebook, GMail… You will later come across services you didn’t remember, but always change the password to the new system as you log on.

Here is an Excel spreadsheet where you can try the different password rules described: [Download]

How secure is your WiFi?

Do you have a shared password to the WiFi network? When was it last changed? Hasn’t anyone left the company since?

At first WiFi networks were unsecured. However, radio waves penetrate through walls, so eavesdropping is very simple even from a distance – encryption was required. The first method was Wired Equivalent Privacy or WEP. WEP was weak from the first day on, but yet the breaking of WEP caught the industry pants down. A new method was needed fast – WPA or Wi-Fi Protected Access was created, also known as TKIP. WPA was improved upon and today WPA2 is the preferred choice. WPA2 is fast and presently a trusted method for securing WiFi traffic.

There are two flavors of WPA2: Personal and Enterprise. In Personal there is one, shared password for the whole network. Anyone who knows the password can join the network and listen on the traffic. WPA2 Personal is good for personal and home use, why not for a small office as well. In business use people come and go, though, and the password should be changed every time anyone leaves the company. Nobody should have access to the company network after leaving or being laid off. Still, WPA2 Personal is the most common way of securing WiFi networks.

WPA2 Enterprise requires that every user has a username and a password. This is the case in Windows Active Directory (AD). You can install Network Policy Server role (NPS) to a Windows Server to provide RADIUS service to the access points (AP). The APs will verify each user’s name and password with the RADIUS server (e.g. NPS) before allowing the user to access the network. By removing or disabling a user account in the AD you can deny access to the WiFi network as well. There is no need for additional equipment or software. In practice all APs support WPA2 Enterprise and the NPS role can be installed on AD Domain Controllers (DC).

Read more: