Network devices with better security will be hitting the market this year, thanks to Wi-Fi Certified WPA3, which the Wi-Fi Alliance launched Tuesday. The announcement paves the way for the proliferation of devices that support the new, more secure protocol for WiFi communication, which is designed to replace the 14-year-old WPA2.
“WPA3 takes the lead in providing the industry’s strongest protections in the ever-changing security landscape,” said Wi-Fi Alliance CEO Edgar Figueroa.
The new protocol adds features to simplify WiFi security, enable more robust authentication, and deliver increased cryptographic strength for highly sensitive data markets.
“WPA3 is a welcome and long overdue update from the Wi-Fi Alliance, building and improving on WPA2,” said Nick Bilogorskiy, a cybersecurity strategist at Juniper Networks.
While WPA2 has been used for more than a decade, a serious flaw was discovered in it last year, he noted.
“We witnessed a new attack that targeted the four-way handshake of the WPA2 protocol and tricked the victim’s device into reusing an already-in-use key,” Bilogorskiy told TechNewsWorld.
Helps Home Nets Resist Attacks
WPA3 also replaces WPA2’s flawed Wi-Fi Protected Setup with the Wi-Fi Device Provisioning Protocol.
“That promises a secure method for adding new devices to a network without the need to enter passwords,” explained Craig Young, a senior security researcher at Tripwire.
“This mechanism makes use of public key cryptography to identify and authenticate devices, and should close up one of the weakest points in modern WiFi deployments,” he told TechNewsWorld.
The new protocol improves the authentication mechanisms in a way that makes home implementations resistant to attack, said James Lerud, head of the behavioral research team at Verodin.
“The protocol is resistant to password-guessing and dictionary attacks,” he told TechNewsWorld.
“A key is only valid for a particular session, so if a session is intercepted and the key is compromised, it does not provide access to other sessions or future sessions,” Lerud said.
“This implementation also has the benefit of making weak password selection less damaging,” he added.
Home and Business Flavors
WPA3 comes in two distinct modes to meet the needs of home and business users.
WPA3-Personal has password-based authentication that’s more resilient than WPA2 — even when users choose passwords that don’t meet common complexity recommendations.
It also supports Simultaneous Authentication of Equals (SAE), a secure key establishment protocol between devices that provides stronger protections for users against password-guessing attempts by third parties.
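The difference between a session key tied to the password and a session key tied to the session, shown as an added example that is not from the article or the Wi-Fi Alliance. It contrasts the WPA2-Personal derivation with plain ephemeral Diffie-Hellman in a toy group, which stands in for SAE's exchange here; real SAE also binds the password into the exchange. The MAC addresses, the toy group and the function names are assumptions; the passphrase and SSID are the 802.11i test-vector values.

```python
import hashlib
import hmac
import secrets

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: fixed for a given passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384 session key. Every input except the PMK is sent in the clear."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(3)]
    return b"".join(blocks)[:48]

# Toy group, an assumption for illustration only: integers mod 2**255 - 19, base 2.
P, G = 2**255 - 19, 2

def ephemeral_session():
    """Plain ephemeral Diffie-Hellman. Returns (public values, station key, AP key)."""
    a = secrets.randbelow(P - 2) + 1   # station secret, discarded after the session
    b = secrets.randbelow(P - 2) + 1   # AP secret, discarded after the session
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    k_sta = hashlib.sha256(pow(pub_b, a, P).to_bytes(32, "big")).digest()
    k_ap = hashlib.sha256(pow(pub_a, b, P).to_bytes(32, "big")).digest()
    return (pub_a, pub_b), k_sta, k_ap

def compare():
    # Constructed sample values (passphrase and SSID from the 802.11i test vector).
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    live = wpa2_ptk(wpa2_pmk("password", "IEEE"), ap, sta, anonce, snonce)
    # Later, with only the passphrase and the recorded public handshake fields:
    replayed = wpa2_ptk(wpa2_pmk("password", "IEEE"), ap, sta, anonce, snonce)
    _, k1, k1_ap = ephemeral_session()
    _, k2, _ = ephemeral_session()
    return {"wpa2_recomputable": live == replayed,
            "dh_sides_agree": k1 == k1_ap,
            "dh_keys_differ_per_session": k1 != k2}

if __name__ == "__main__":
    print(compare())
```

In the WPA2 half, the session key is a pure function of the passphrase and values visible on the air, so it can be recomputed for any recorded session. In the ephemeral half, the key depends on secrets that are discarded when the session ends.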
WPA3-Enterprise offers extra protection for networks transmitting sensitive data, such as those used by governments and financial institutions, by supporting the equivalent of 192-bit encryption.
In addition to introducing Wi-Fi Certified WPA3, the Alliance introduced Wi-Fi Certified Easy Connect, a program aimed at reducing the complexity of connecting WiFi devices with limited or no display interface — such as many devices designed for the Internet of Things — while maintaining high security standards.
Wi-Fi Easy Connect lets users securely add an interface-challenged device to a network through another device with a better interface, such as a smartphone, by scanning a product quick response (QR) code.
While WPA3 will help with IoT security to an extent, many of the issues with IoT devices are outside the scope of the protocol, Lerud said.
“Default passwords and configurations built without security in mind are still the norms in the IoT space,” he noted.
Time to Transition
How long it will take WPA3 devices to supplant the WPA2 installed base remains to be seen. Qualcomm expects to incorporate WPA3 security features into chipsets this summer, starting with its Qualcomm Snapdragon 845 Mobile Platform and continuing to all its WiFi networking infrastructure products.
Nevertheless, it could be years before WPA3 becomes a dominant router protocol.
“Most routers will need a hardware upgrade due to WPA3’s encryption requirements,” said John Wu, CEO of Gryphon.
“Then there’s a new certification process, and client software will need to be rewritten, so it may take a couple of years for wider adoption,” he told TechNewsWorld.
“The fact that the protocol is backward-compatible with WPA2, and manufacturers seem on board, makes me think it will happen relatively quick,” added Lerud.
Old technologies die slowly, though, he acknowledged. For example, WEP, introduced in 1997, still lingers in the router space.
Despite the security improvements in WPA3, there is no reason for consumers to rush to buy a new router that supports it, said Tripwire’s Young.
“Although WPA3 is based heavily on existing technologies, it is quite new, and researchers have not yet had time to poke at the technology for holes,” he noted.
“As with any new technology, there will likely be usability and security issues identified in various implementations,” he continued. “For now, the best action is probably to keep using a strong WPA2 passphrase with WPS disabled.”