The Wi-Fi Alliance officially announced the launch of the WiFi Certified WPA3 wireless security technology late on June 25, providing next-generation WiFi security capabilities.
WPA3 is the successor to the widely deployed WPA2 WiFi security model that was launched in September 2004. WPA2 has been found to have multiple weaknesses including the KRACK vulnerabilities that were publicly disclosed in October 2017. WPA3 includes additional security capabilities on top of what WPA2 provides in an effort to offer a higher degree of wireless security.
“WPA3-Enterprise does not fundamentally change or replace the protocols included in WPA2-Enterprise or the underlying IEEE 802.11 standard,” Kevin Robinson, vice president of marketing at the Wi-Fi Alliance, told eWEEK. “Instead, WPA3-Enterprise defines and enforces policies to deliver greater consistency in the application of those protocols to ensure desired security.”
For example, WPA3 reduces the susceptibility of networks to a successful attack by mandating policies around the use of Advanced Encryption Standard (AES) with legacy protocols, such as Temporal Key Integrity Protocol (TKIP), Robinson said. In addition, WPA3 delivers network resiliency by mandating the consistent use of Protected Management Frame protections, he said.
Robinson noted that for sensitive security environments, WPA3-Enterprise offers an optional 192-bit security mode that specifies the configuration of each cryptographic component such that the overall security of the network is consistent.
Standards
WPA3 has both personal and enterprise operational frameworks. WPA3-Personal provides improved password authentication and is based on the IEEE standard Simultaneous Authentication of Equals (SAE), defined in IEEE Std 802.11-2016.
“SAE uses a Dragonfly handshake defined in the Internet Engineering Task Force (IETF) RFC 7664 specification and applies it to a WiFi network for password-based authentication,” Robinson explained. “The Wi-Fi Alliance WPA3 specification defines additional requirements for devices operating in SAE modes.”
Among the new capabilities that WPA3 provides as an improvement over WPA2 is resistance to offline dictionary attacks, where attackers aim to guess weak user passwords. Additionally, Robinson said WPA3-Personal provides forward secrecy to network data traffic, protecting data even if the password is compromised after the data was transmitted.
“WPA3-Personal delivers these new capabilities without requiring any change to the way users connect to a WiFi network,” Robinson said.
Industry Perspectives
The official launch of WPA3 is being seen in a positive light by multiple WiFi hardware vendors.
“WPA3 provides a comprehensive security offering without added complexity,” Dan Harkins, Distinguished Technologist at Aruba, a Hewlett Packard Company, told eWEEK.
Harkins said that users will receive better experiences with WPA3 by creating passwords that are easier to remember and manage, using the same WPA2 workflows. In addition, organizations will be able to ensure consistent and strong cryptography throughout their infrastructure through new technologies such as strengthened key exchanges and simplified 802.1X handshaking.
Bruce Miller, vice president of product marketing at Riverbed, is also optimistic about WPA3. According to Miller, WPA3 provides a number of new capabilities that strengthen WiFi security, including stronger encryption, improved security for guests on public networks and simplified security for headless internet of things (IoT) devices.
“These are important improvements. However, they will work only if both the WiFi infrastructure [access points] and WiFi clients are updated,” Miller told eWEEK. “It will take some time for support for WPA3 capabilities to propagate through the industry, and they will be backward-compatible with today’s WPA2 security when it does.”
Interoperability
Interoperability between WPA3 and WPA2 is part of the Wi-Fi Certified WPA3 effort. Robinson said that WPA3 devices are interoperable with WPA2 devices through a transition mode.
WPA3 is generally implemented in software, and users may receive the capabilities through product updates, he said. Depending on the specific implementation, Robinson said the 192-bit security mode in WPA3-Enterprise may require new hardware.
“When a network is configured for WPA3 transition mode, WPA2 and WPA3 devices both connect seamlessly, allowing users to immediately benefit from WPA3 in capable devices as they gradually migrate to the next generation of WiFi security,” Robinson said. “WPA2 remains mandatory for Wi-Fi Certified devices, and as next-generation security adoption grows, WPA3 will become mandatory.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.