WPA3 is the latest Wi-Fi Protected Access

Wireless communication is easy to intercept if you are within range, so good security measures are a must. Wi-Fi security has evolved from WEP to WPA, to WPA2 and now to the forthcoming WPA3. What will change?

WPA2, or Wi-Fi Protected Access 2 (802.11i), has been a long-lived solution. WPA was published in 2003 and WPA2 in 2004. Fourteen years is a long time for any security solution in IT, where hardware capacities grow exponentially. Recently we have seen some reports on WPA2 vulnerabilities. They are not yet very practical, but they are warning signs of the age of WPA2. To keep Wi-Fi secure, the Wi-Fi Alliance published WPA3 in June 2018. What will it bring?

More secure connecting process

The reported WPA2 vulnerabilities have been based on the password exchange in the association phase of the connection. The password is obviously not exchanged as clear text but as a hash. You cannot recover the password from the hash, but… it is possible to precalculate a large dictionary of potential passwords. These dictionaries are called Rainbow Tables and they have been produced for years now. The probability that the password you are using is in such a dictionary is increasing all the time.

In WPA3 the password hash is not exchanged as such; SAE (Simultaneous Authentication of Equals) is used instead. SAE was introduced in 802.11s and is based on the widely accepted Diffie–Hellman key exchange. In SAE both parties must take an active part. A third party who only listens in and records the exchange cannot make use of the information. This property protects against off-line brute force attacks. Another property of SAE is forward secrecy: even if the key is exposed, old recordings cannot be decrypted; only transfers made after the exposure can be decoded. The rumour goes that large intelligence agencies have been storing encrypted transmissions in the hope that the key can be recovered in the future.
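As an added illustration of the exchange described above (this is example code written for this page, not code from the article or from any WPA3 implementation), here is a toy SAE run in Python. It assumes a small safe-prime group found at runtime instead of the NIST P-256 curve that real WPA3 uses, a simplified password-element search, HMAC-SHA256 as a stand-in for the standard key derivation, and two made-up MAC addresses. The names SaePeer, password_element, confirm_tag and sae_handshake are this example's own.

```python
# Toy SAE (Dragonfly, RFC 7664 style) exchange over a small finite-field group.
# Added example, not code from the original article. Assumptions: a ~63-bit safe prime
# found at runtime (real WPA3 uses NIST P-256 or large MODP groups), a simplified
# password-element search, and HMAC-SHA256 standing in for the standard KDF.
from __future__ import annotations

import hashlib
import hmac
import random
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; with these twelve bases it is deterministic for n < 2**64."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_safe_prime(bits: int = 62, seed: int = 2018) -> tuple[int, int]:
    """Return (p, q) with p = 2q + 1 and both prime; seeded so the demo group is repeatable."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def password_element(p: int, q: int, password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """Map password + both MACs into the order-q subgroup (simplified hunt-and-peck;
    real SAE runs a fixed number of iterations to avoid timing side channels)."""
    hi, lo = max(mac_a, mac_b), min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hmac.new(hi + lo, password + bytes([counter]), hashlib.sha256).digest()
        pe = pow(int.from_bytes(seed, "big") % p, (p - 1) // q, p)  # (p-1)/q = 2 here
        if pe > 1:
            return pe
    raise ValueError("no password element found")

class SaePeer:
    """One side of the exchange; only the password element, never the password, enters the math."""

    def __init__(self, p: int, q: int, pe: int):
        self.p, self.q, self.pe = p, q, pe
        self.nbytes = (p.bit_length() + 7) // 8
        while True:  # fresh private values every session: this is what gives forward secrecy
            self.rand = secrets.randbelow(q - 2) + 2
            self.mask = secrets.randbelow(q - 2) + 2
            self.scalar = (self.rand + self.mask) % q
            if self.scalar > 1:
                break
        self.element = pow(pe, q - self.mask, p)  # PE^(-mask), valid because PE has order q

    def commit(self) -> tuple[int, int]:
        """The only values sent in clear: a scalar and an element, both blinded by mask."""
        return self.scalar, self.element

    def derive(self, peer_scalar: int, peer_element: int) -> tuple[bytes, bytes]:
        """Validate the peer's commit, compute the shared secret and derive (KCK, PMK)."""
        if not 1 < peer_scalar < self.q or not 1 < peer_element < self.p:
            raise ValueError("peer commit out of range")
        if pow(peer_element, self.q, self.p) != 1:
            raise ValueError("peer element is not in the prime-order subgroup")
        # (PE^peer_scalar * peer_element)^rand == PE^(peer_rand * rand) on both sides
        shared = pow(pow(self.pe, peer_scalar, self.p) * peer_element % self.p, self.rand, self.p)
        keyseed = hashlib.sha256(shared.to_bytes(self.nbytes, "big")).digest()
        ctx = ((self.scalar + peer_scalar) % self.q).to_bytes(self.nbytes, "big")
        kck = hmac.new(keyseed, b"KCK" + ctx, hashlib.sha256).digest()
        pmk = hmac.new(keyseed, b"PMK" + ctx, hashlib.sha256).digest()
        return kck, pmk

def confirm_tag(kck: bytes, nbytes: int, *values: int) -> bytes:
    """Confirm message: HMAC over (sender scalar, sender element, peer scalar, peer element)."""
    return hmac.new(kck, b"".join(v.to_bytes(nbytes, "big") for v in values), hashlib.sha256).digest()

def sae_handshake(pw_station: bytes, pw_ap: bytes) -> tuple[bool, bytes, bytes]:
    """Run one exchange; return (both confirms verified, PMK at the station, PMK at the AP)."""
    p, q = toy_safe_prime()
    mac_sta, mac_ap = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")  # constructed
    sta = SaePeer(p, q, password_element(p, q, pw_station, mac_sta, mac_ap))
    ap = SaePeer(p, q, password_element(p, q, pw_ap, mac_sta, mac_ap))
    s_sc, s_el = sta.commit()  # an eavesdropper records these four numbers and nothing else
    a_sc, a_el = ap.commit()
    kck_s, pmk_s = sta.derive(a_sc, a_el)
    kck_a, pmk_a = ap.derive(s_sc, s_el)
    n = sta.nbytes
    ap_accepts = hmac.compare_digest(confirm_tag(kck_s, n, s_sc, s_el, a_sc, a_el),   # sent by station
                                     confirm_tag(kck_a, n, s_sc, s_el, a_sc, a_el))   # recomputed by AP
    sta_accepts = hmac.compare_digest(confirm_tag(kck_a, n, a_sc, a_el, s_sc, s_el),  # sent by AP
                                      confirm_tag(kck_s, n, a_sc, a_el, s_sc, s_el))  # recomputed by station
    return ap_accepts and sta_accepts, pmk_s, pmk_a
```

Run sae_handshake twice with the same password: both sides agree on a PMK and the confirm checks pass, but the second PMK differs from the first because rand and mask are fresh in every session, which is the forward-secrecy property. A wrong password on either side fails the confirm step. All a passive listener can record is the two (scalar, element) pairs; the private rand and mask values never leave the device, so there is nothing to run a password guess against afterwards.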

For the ordinary user these technical details are not significant: you authenticate as before. Technically the authentication is different, and for WPA3 to be used both the access point and the user device must support it.

Enhanced Open

Many guest networks today are open, that is, unencrypted. The web login used in many airport and hotel hotspots does not provide encryption either. On those networks the connection is clear text and very easy to eavesdrop on. If you log on to a service which doesn’t use SSL/TLS encryption, all credential information is sent in clear for anyone to receive.

WPA3 Enhanced Open provides encrypted connections even when there is no password, so all Wi-Fi traffic is always encrypted. Enhanced Open does not authenticate either party, however. The user can inadvertently connect to a hostile network that is using a familiar, trusted name. This threat has been in Wi-Fi since the beginning. Enhanced Open will not help there, but it will prevent passive eavesdropping.

Easy Connect

Connecting a computer or smartphone to a Wi-Fi network is a familiar and easy procedure for most of us. Connecting printers, media servers, weather stations, wireless speakers and other devices which don’t have a display or keyboard is another matter. In the future, with IoT, there will be all kinds of sensors, home appliances, building automation and lighting fixtures to be connected as well.

WPS, or Wi-Fi Protected Setup, was introduced in 2006 to solve this problem. With WPS you pressed a button on the access point or entered a short PIN code into the device to connect it to the network. WPS was too simple, and many security weaknesses have since been found in it. WPS should not be used at all anymore.

WPA3 Easy Connect is a secure solution to the same problem. In Easy Connect you use a configurator device, such as a smartphone that is already connected, to connect a new device to the network. One way is to scan a QR code on the device and authorize it to connect. Easy Connect is based on trusted public key encryption methods.
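Added example for the QR-code step above; it is not code from the article or from any Easy Connect implementation. It parses the bootstrapping URI that an Easy Connect QR code encodes (the "DPP:" field list defined in the Easy Connect specification) and validates the embedded public key before a configurator would use it. The MAC address and the "I:" text are made up, and the P-256 generator point stands in for a device's bootstrapping key; parse_dpp_uri, parse_channels, decompress_p256 and demo_uri are this example's own names.

```python
# Parser and validator for a Wi-Fi Easy Connect (DPP) bootstrapping URI, the text a device's
# QR code carries. Added example, not code from the original article. Assumptions: the URI
# layout is the "DPP:" field list ending in ";;" from the Easy Connect specification; the MAC
# is made up; and the P-256 generator point stands in for a device's bootstrapping public key.
from __future__ import annotations

import base64

# NIST P-256: y^2 = x^3 - 3x + B (mod P), generator (GX, GY)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
# DER SubjectPublicKeyInfo prefix: id-ecPublicKey, prime256v1, BIT STRING of a 33-byte compressed point
SPKI_P256_COMPRESSED = bytes.fromhex("3039301306072a8648ce3d020106082a8648ce3d030107032200")

def decompress_p256(point: bytes) -> tuple[int, int]:
    """Recover (x, y) from a compressed SEC1 point; reject anything that is not on the curve."""
    if len(point) != 33 or point[0] not in (2, 3):
        raise ValueError("expected a 33-byte compressed P-256 point")
    x = int.from_bytes(point[1:], "big")
    if x >= P:
        raise ValueError("x coordinate out of range")
    rhs = (pow(x, 3, P) - 3 * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # square root this way is valid because P = 3 (mod 4)
    if (y * y) % P != rhs:
        raise ValueError("point is not on P-256")  # never use an off-curve key
    if (y & 1) != (point[0] & 1):  # prefix 02 = even y, 03 = odd y
        y = P - y
    return x, y

def parse_channels(spec: str) -> list[tuple[int, int]]:
    """'81/1,6,115/36' -> [(81, 1), (81, 6), (115, 36)]; a bare channel reuses the last operating class."""
    out, opclass = [], None
    for tok in spec.split(","):
        if "/" in tok:
            cls, tok = tok.split("/", 1)
            opclass = int(cls)
        if opclass is None:
            raise ValueError("channel listed before any operating class")
        out.append((opclass, int(tok)))
    return out

def parse_dpp_uri(uri: str) -> dict:
    """Split the URI into fields, then decode and validate the bootstrapping public key."""
    if not uri.startswith("DPP:") or not uri.endswith(";;"):
        raise ValueError("not a DPP bootstrapping URI")
    fields: dict[str, str] = {}
    for item in uri[4:-2].split(";"):
        key, sep, value = item.partition(":")
        if not sep or len(key) != 1 or key in fields:
            raise ValueError(f"bad or duplicate field {item!r}")
        fields[key] = value
    if "K" not in fields:
        raise ValueError("missing public key field K")
    der = base64.b64decode(fields["K"] + "=" * (-len(fields["K"]) % 4), validate=True)
    if not der.startswith(SPKI_P256_COMPRESSED) or len(der) != len(SPKI_P256_COMPRESSED) + 33:
        raise ValueError("only a compressed P-256 SubjectPublicKeyInfo is handled here")
    info = {"public_key": decompress_p256(der[len(SPKI_P256_COMPRESSED):])}
    if "M" in fields:
        mac = fields["M"].lower()
        if len(mac) != 12 or any(c not in "0123456789abcdef" for c in mac):
            raise ValueError("M must be 12 hex digits")
        info["mac"] = mac
    if "C" in fields:
        info["channels"] = parse_channels(fields["C"])
    if "I" in fields:
        info["info"] = fields["I"]
    return info

def demo_uri() -> str:
    """Constructed QR payload: made-up MAC, generator point as the device key."""
    der = SPKI_P256_COMPRESSED + bytes([2 | (GY & 1)]) + GX.to_bytes(32, "big")
    return f"DPP:C:81/1,6,115/36;M:02AABBCCDD01;I:demo-printer;K:{base64.b64encode(der).decode()};;"
```

The security-relevant point is that the QR code contains only a public key, so photographing it gives away nothing secret; what the configurator must do is check that the key really is a point on the curve before using it, which decompress_p256 does by rejecting an x coordinate whose right-hand side has no square root.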

WPA3 Personal and Enterprise

Like WPA2, WPA3 has two modes:

  • WPA3 Personal, where all users share a common password.
  • WPA3 Enterprise, where all users have their unique credentials on a RADIUS server.

New in WPA3 Enterprise is the increased encryption key length: from 128 bits to 192 bits. In WPA3 Personal the key length remains at 128 bits. At this time the difference is quite theoretical, since 128-bit keys are still considered secure.

Should I upgrade?

As of now there are no WPA3 devices available yet. The situation will certainly be different by the beginning of 2019. WPA3 capability is of no use unless both the access point and the user device support it; if either one supports only WPA2, then WPA2 will be used. Co-existence will continue for several years at least, especially in guest and BYOD networks.

The way the Wi-Fi Alliance has defined WPA3 requires that devices support the whole of WPA3 to be compliant. The requirements are thus the new authentication process, Enhanced Open, Easy Connect and 192-bit WPA3 Enterprise.

New devices will soon be WPA3 compliant; there is no reason to produce WPA2-only devices. However, upgrade options for old devices may be limited. Computers and recent smartphones have enough computing power for the new encryption requirements, unless encryption has been offloaded to a special circuit: if the circuit has been designed for 128-bit encryption, it cannot be used for 192 bits. Upgrade options for access points will probably be poor. APs have very modest computing power, so I doubt the upgrade could be done with a simple firmware update. The vendors will be happy to sell you new hardware, though 😬

How secure is your WiFi?

Do you have a shared password for the WiFi network? When was it last changed? Hasn’t anyone left the company since then?

At first WiFi networks were unsecured. However, radio waves penetrate walls, so eavesdropping is very simple even from a distance – encryption was required. The first method was Wired Equivalent Privacy, or WEP. WEP was weak from the first day on, yet the breaking of WEP caught the industry with its pants down. A new method was needed fast, and WPA or Wi-Fi Protected Access was created, also known as TKIP. WPA was improved upon and today WPA2 is the preferred choice. WPA2 is fast and presently a trusted method for securing WiFi traffic.

There are two flavors of WPA2: Personal and Enterprise. In Personal there is one shared password for the whole network. Anyone who knows the password can join the network and listen in on the traffic. WPA2 Personal is good for personal and home use, and why not for a small office as well. In business use people come and go, though, and the password should be changed every time anyone leaves the company. Nobody should have access to the company network after leaving or being laid off. Still, WPA2 Personal is the most common way of securing WiFi networks.

WPA2 Enterprise requires that every user has a username and a password. This is the case in Windows Active Directory (AD). You can install the Network Policy Server (NPS) role on a Windows Server to provide RADIUS service to the access points (APs). The APs verify each user’s name and password with the RADIUS server (e.g. NPS) before allowing the user to access the network. By removing or disabling a user account in AD you deny access to the WiFi network as well. There is no need for additional equipment or software. In practice all APs support WPA2 Enterprise, and the NPS role can be installed on AD Domain Controllers (DCs).
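As an added example (not from the article, and not Microsoft's or any AP vendor's code), the following Python builds the first RADIUS round trip of the flow just described: the AP wraps the client's EAP identity in an Access-Request, and the server (NPS in the text) answers with an Access-Challenge. The shared secret, user name, NAS address and the PEAP start request are constructed; attribute and code numbers are from RFC 2865 and RFC 3579, and the function names are this example's own.

```python
# RADIUS Access-Request / Access-Challenge pair as exchanged between an access point and
# NPS while a WPA2/WPA3-Enterprise client authenticates (EAP over RADIUS, RFC 2865 and
# RFC 3579). Added example, not code from the original article. The shared secret, NAS
# address and user name are constructed; the challenge carries a PEAP start request.
from __future__ import annotations

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 24, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_IDENTITY, EAP_PEAP = 1, 2, 1, 25

def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value; the length counts the two header bytes."""
    return bytes([kind, 2 + len(value)]) + value

def parse_attrs(blob: bytes) -> list[tuple[int, bytes]]:
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out

def header(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def finalize(code: int, ident: int, secret: bytes, request_auth: bytes, attrs: bytes) -> bytes:
    """Append Message-Authenticator (HMAC-MD5 keyed by the shared secret over the packet with
    that field zeroed; replies carry the Request Authenticator in the header while it is computed)
    and, for replies, set Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    probe = header(code, ident, request_auth, attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    full = attrs + attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, probe, hashlib.md5).digest())
    if code == ACCESS_REQUEST:
        return header(code, ident, request_auth, full)
    resp_auth = hashlib.md5(header(code, ident, request_auth, full) + secret).digest()
    return header(code, ident, resp_auth, full)

def verify_message_authenticator(packet: bytes, secret: bytes, request_auth: bytes) -> bool:
    """Server check on requests, AP check on replies: was this built with our shared secret?"""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return False
    tags = [v for k, v in attrs if k == MESSAGE_AUTHENTICATOR]
    if length != len(packet) or len(tags) != 1 or len(tags[0]) != 16:
        return False
    zeroed = b"".join(attr(k, bytes(16) if k == MESSAGE_AUTHENTICATOR else v) for k, v in attrs)
    expected = hmac.new(secret, header(code, ident, request_auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, tags[0])

def verify_response_authenticator(reply: bytes, secret: bytes, request_auth: bytes) -> bool:
    """The AP's check that the reply came from a server holding the shared secret."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def build_access_request(secret: bytes, ident: int, user: bytes, nas_ip: str, eap_id: int) -> tuple[bytes, bytes]:
    """AP side: wrap the client's EAP-Response/Identity; returns (packet, request authenticator)."""
    request_auth = os.urandom(16)
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(user), EAP_IDENTITY) + user
    attrs = (attr(USER_NAME, user)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(EAP_MESSAGE, eap))
    return finalize(ACCESS_REQUEST, ident, secret, request_auth, attrs), request_auth

def nps_handle(packet: bytes, secret: bytes) -> bytes | None:
    """Server side: drop the request silently if the Message-Authenticator fails (RFC 3579 makes
    it mandatory with EAP-Message); otherwise answer with an Access-Challenge carrying PEAP Start."""
    request_auth = packet[4:20]
    if not verify_message_authenticator(packet, secret, request_auth):
        return None
    eap_msgs = [v for k, v in parse_attrs(packet[20:]) if k == EAP_MESSAGE]
    if not eap_msgs or len(eap_msgs[0]) < 4:
        return None
    next_id = (eap_msgs[0][1] + 1) & 0xFF
    eap = struct.pack("!BBHBB", EAP_REQUEST, next_id, 6, EAP_PEAP, 0x20)  # flags byte: S (start)
    attrs = attr(STATE, os.urandom(8)) + attr(EAP_MESSAGE, eap)
    return finalize(ACCESS_CHALLENGE, packet[1], secret, request_auth, attrs)
```

Two integrity checks protect the AP-to-server leg, and both are keyed only by the shared secret: the Message-Authenticator, which RFC 3579 requires on any packet carrying EAP-Message, and the Response Authenticator on the reply. A weak or widely reused shared secret therefore weakens the whole Enterprise setup, whatever EAP method runs inside the tunnel.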
