WPA2, or Wi-Fi Protected Access 2 (IEEE 802.11i), has been a long-lived solution. WPA was published in 2003 and WPA2 in 2004. Fourteen years is a long time for any security solution in IT, where hardware capacities grow exponentially. Recently we have seen some reports on WPA2 vulnerabilities. They are not yet very practical, but they are warning signs of the age of WPA2. To keep Wi-Fi secure, the Wi-Fi Alliance published WPA3 in June 2018. What will it bring?
More secure connecting process
The reported WPA2 vulnerabilities have been based on the password exchange in the association phase of the connection. The password is obviously not exchanged as clear text but as a hash. You cannot recover the password from the hash, but… it is possible to precalculate a large dictionary of potential passwords. These dictionaries are called rainbow tables, and they have been produced for years now. The probability that the password you are using is in such a dictionary is increasing all the time.
In WPA3 the password hash is not exchanged as such; SAE (Simultaneous Authentication of Equals) is used instead. SAE was introduced in 802.11s and is based on the widely accepted Diffie–Hellman key exchange. In SAE both parties must take an active part: a third party that is just listening in and recording cannot make use of the captured information. This property protects against offline brute-force attacks. Another property of SAE is forward secrecy: even if the key is exposed, old recordings cannot be decrypted. Only transfers made after the exposure can be decoded. Rumour has it that large intelligence agencies have been storing encrypted transmissions in the hope that the key can be recovered in the future.
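To make the two handshake properties above concrete, here is an added illustration (my own example code, not from the original post and not an implementation of any Wi-Fi standard) of why a WPA2-Personal passphrase can be checked offline against a recording, while a Diffie–Hellman style exchange, the building block SAE relies on, gives a passive recorder nothing it can turn into the session key. The PMK formula is the one published in IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds, 256 bits); the modulus 2**255 - 19, the generator 2 and the SHA-256 key hashing are illustrative assumptions only (real SAE uses a standardised elliptic-curve group and its own key schedule), and all function names are mine:

```python
import hashlib
import secrets

# --- Part 1: WPA2-Personal key derivation (published IEEE 802.11i formula).
# PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2 Pairwise Master Key from a passphrase and the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmk_is_deterministic(passphrase: str, ssid: str) -> bool:
    """The PMK depends only on (passphrase, SSID). Nothing fresh enters the
    computation, so a table of candidate passphrase -> PMK can be built in
    advance for a given SSID and compared with a recorded handshake later.
    The SSID acts as a salt: a table built for one SSID is useless for another,
    which is why a unique SSID and a long, random passphrase are the WPA2
    mitigations."""
    return wpa2_pmk(passphrase, ssid) == wpa2_pmk(passphrase, ssid)

# --- Part 2: an ephemeral Diffie-Hellman session.
# Toy group, assumption for illustration only: prime modulus 2**255 - 19 and
# generator 2. Real SAE uses a standardised elliptic-curve group instead.
P = 2**255 - 19
G = 2

def dh_session():
    """One key agreement between an access point (AP) and a station (STA).

    Returns (session_key, transcript). The transcript is exactly what a
    passive listener could record: the two public values. The private
    exponents a and b are fresh for every session and never leave the device.
    """
    a = secrets.randbelow(P - 2) + 1      # AP private value
    b = secrets.randbelow(P - 2) + 1      # STA private value
    pub_ap = pow(G, a, P)
    pub_sta = pow(G, b, P)
    shared_ap = pow(pub_sta, a, P)        # AP computes the shared secret
    shared_sta = pow(pub_ap, b, P)        # STA computes the same value
    assert shared_ap == shared_sta
    # Illustrative key schedule: hash the shared secret into a 256-bit key.
    key = hashlib.sha256(shared_ap.to_bytes(32, "big")).digest()
    return key, (pub_ap, pub_sta)

def replay_derives_key(transcript, key: bytes) -> bool:
    """Why 'both parties must be active': a recorder who later replays the
    captured public values still lacks the private exponents. Combining the
    recorded STA value with an exponent of its own yields a different key."""
    pub_ap, pub_sta = transcript
    c = secrets.randbelow(P - 2) + 1      # recorder's own exponent, not a or b
    guess = hashlib.sha256(pow(pub_sta, c, P).to_bytes(32, "big")).digest()
    return guess == key

def forward_secrecy_holds() -> bool:
    """Two sessions produce unrelated keys because the exponents are fresh each
    time: exposing the key of session 2 (or, in SAE, the long-term password)
    reveals nothing about session 1's recording."""
    key1, _ = dh_session()
    key2, _ = dh_session()
    return key1 != key2

if __name__ == "__main__":
    # Constructed sample values, not from any real network.
    print("WPA2 PMK deterministic:", pmk_is_deterministic("correct horse battery staple", "HomeNet"))
    print("PMK changes with SSID:", wpa2_pmk("secret", "NetA") != wpa2_pmk("secret", "NetB"))
    k, t = dh_session()
    print("Replay of recorded values gives the key:", replay_derives_key(t, k))
    print("Fresh key per session:", forward_secrecy_holds())
```

Part 1 is the part a defender can act on today: because the PMK is a pure function of passphrase and SSID, a recorded WPA2 handshake can be tested against guesses at leisure, and only passphrase length and a non-default SSID raise the cost. Part 2 shows the property SAE inherits from Diffie–Hellman: the recording contains the public values only, so the recorder must participate live to obtain a key, and each session's key is independent of the others.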
For the ordinary user these technical details are not significant: you will authenticate as before. Technically the authentication is different, and for WPA3 to be used both the access point and the user device must support it.
Many guest networks today are open, that is, unencrypted. The web login used in many airport and hotel hotspots does not provide encryption. On those networks the connection is clear text and very easy to eavesdrop on. If you log on to a service that doesn't use SSL/TLS encryption, all credential information is sent in the clear for anyone to receive.
WPA3 Enhanced Open provides encrypted connections even when there is no password: all Wi-Fi traffic will always be encrypted. Enhanced Open does not authenticate either party, however. The user can still inadvertently connect to a hostile network that is using a familiar, trusted name. This threat has existed in Wi-Fi since the beginning. Enhanced Open will not help there, but it will prevent passive eavesdropping.
Connecting a computer or smartphone to a Wi-Fi network is a familiar and easy procedure for most of us. However, connecting printers, media servers, weather stations, wireless speakers and other devices that have no display or keyboard is another matter. In the future, with IoT, all kinds of sensors, home appliances, building automation and lighting fixtures will need to be connected as well.
WPS, or Wi-Fi Protected Setup, was introduced in 2006 to solve this problem. With WPS you needed to press a button on the access point or enter a short PIN code into the device to connect it to the network. WPS was too easy, and many security weaknesses have since been found in it. WPS should not be used at all anymore.
WPA3 Easy Connect is a secure solution to the same problem. In Easy Connect you use a configurator device, such as a smartphone that is already connected, to connect a new device to the network. One way is to scan a QR code on the device and authorize it to connect. Easy Connect is based on trusted public-key encryption methods.
WPA3 Personal and Enterprise
Like WPA2, WPA3 has two modes:
- WPA3 Personal, where all users share a common password.
- WPA3 Enterprise, where each user has their own unique credentials on a RADIUS server.
New in WPA3 Enterprise is the increased length of the encryption key: from 128 bits to 192 bits. In WPA3 Personal the key length remains at 128 bits. At this time the difference is quite theoretical, since 128-bit keys are still considered secure.
Should I upgrade?
As of now there are no WPA3 devices available yet. The situation will certainly be different by the beginning of 2019. WPA3 capability is of no use unless both the access point and the user device support it; if either one supports only WPA2, then WPA2 will be used. Co-existence will continue for several years at least, especially in guest and BYOD networks.
The way the Wi-Fi Alliance has defined WPA3 requires that devices support the whole of WPA3 to be compliant. The requirements are thus the new authentication process, Enhanced Open, Easy Connect and 192-bit WPA3 Enterprise.
New devices will soon be WPA3 compliant; there is no reason to produce WPA2-only devices. However, upgrade options for old devices may be limited. Computers and recent smartphones have enough computing power for the new encryption requirements, unless encryption has been offloaded to a special circuit: if the circuit has been designed for 128-bit encryption, it cannot be used for 192 bits. Upgrade options for access points will probably be poor. APs have very modest computing power, so I doubt the upgrade could be done with a simple firmware update. The vendors will be happy to sell you new hardware, though 😬