In October 2017, researchers made public a serious vulnerability in WPA2, the security protocol that protects most of today’s WiFi networks. This discovery put the protocol’s security in the spotlight and led to discussions about the need for a new standard.
Finally, the WiFi Alliance, the organization that certifies WiFi devices, announced WPA3, a new and enhanced authentication protocol that is set to be rolled out in 2018. This new version isn’t aimed at improving the reputation of WPA2, as various manufacturers are patching the disclosed vulnerability in their updates. Instead, it seeks to implement new features and increase the security of a protocol that hasn’t been improved in the past 13 years.
This new protocol is looking to bring improvements in authentication and encryption while facilitating the configuration of wireless networks. Crucially for stronger encryption, the new security protocol will feature 192-bit encryption. Although the Alliance did not explicitly state so, it is safe to assume that, like its predecessor WPA2 and like WPA before it, WPA3 will also use a 48-bit initialization vector. That way, this new protocol is in line with the highest security standards and is fit for use in networks with the most stringent security requirements, such as those of governments, defense or industrial systems.
Another notable feature of WPA3 is the implementation of the Dragonfly protocol, also referred to as Simultaneous Authentication of Equals (SAE). This is aimed at improving security at the time of the handshake, which is when the key is being exchanged. As a result, WPA3 is poised to provide robust security even if short or weak passwords are used, i.e. those that don’t contain a combination of letters, numbers and symbols.
This feature is very useful, especially considering that users have difficulties creating strong and hard-to-guess passwords. According to the WiFi Alliance, it will be almost impossible to breach a WiFi network using current methods such as dictionary and brute-force attacks.
Finally, for those who usually work remotely and use public WiFi networks in coffee shops, hotels or at airports, WPA3 will be a robust solution to privacy problems. By applying individualized data encryption, where every connection between a device and a router will be encrypted with a unique key, it seeks to further mitigate the risk of Man-in-the-Middle (MitM) attacks.
The improvements that are expected to be brought by WPA3 are clearly aimed at strengthening the protocol and at enhancing security for users. At the same time, the protocol also seeks to simplify WiFi connections for devices that have no graphical user interface (GUI) or only a rudimentary one. This is highly important if we consider just how many IoT devices hit the market every day. In these cases, connecting to a wireless network will be even simpler. We assume, therefore, that WPA3 will also improve the push-button connection method, that is, pressing the WPS button, as used with WPA2.
Although more specifics about the implementation of WPA3 are not available yet, some standards that underpin this new protocol have already been around for some time. However, manufacturers will now be obliged to observe the applicable requirements in order for their devices to receive the ‘WPA3-certified’ seal of approval from the WiFi Alliance. On the other hand, since WPA3 will be newly incorporated into devices and given that many users rarely change their router at home, it will take a while before the protocol is used in all households.
Therefore, WPA3 is not an immediate replacement for its predecessor. On the contrary, WPA2 will continue to be maintained and updated for a long time while WPA3 is being incorporated into devices available on the market and before those devices are used in homes. In fact, the Alliance also announced that it will continue to perform security tests on WPA2 with an eye toward reducing the impact of vulnerabilities caused by unsafe configurations and toward further enhancing the protection of wireless networks. Therefore, until we have more information about this new protocol, we recommend that you continue to follow our tips for securing your WiFi network.
Author Cecilia Pastorino, ESET