Wi-Fi Alliance announces WPA3
The Wi-Fi Alliance announced the WPA3 standard officially on Monday. The new wireless network security standard will replace WPA2 eventually.
WPA2, which stands for Wi-Fi Protected Access 2, is the current security standard for wireless networks.
Practically any device -- smartphones, routers, laptops, IoT devices -- with wireless connectivity supports the nearly two-decade-old standard. Security researchers discovered a vulnerability in WPA in October 2017: KRACK, short for Key Reinstallation Attacks, works against all WPA2-protected Wi-Fi networks and can be abused to steal sensitive information and other data.
Features of WPA3
The press release that the Wi-Fi Alliance put out on Monday reveals four new features of WPA3. Three of the features improve security significantly.
The first introduces individualized data encryption. It resolves a long-standing issue of open Wi-Fi networks by encrypting the connection between each device and the router individually, which prevents any other device connected to the same network from snooping on or manipulating that traffic.
The press release gave no further details, but it could be that Opportunistic Wireless Encryption (OWE) is used for the feature.
With OWE, the client and the AP perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise secret in the 4-way handshake, instead of a shared and public PSK.
OWE requires no special configuration or user interaction but provides a higher level of security than a common, shared, and public PSK. OWE is not only more secure for the end user; it is also easier to use for both the provider and the end user because there are no public keys to maintain, share, or manage.
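To make the difference between a shared PSK and an OWE-style pairwise secret concrete, here is an added example; it is not code from the article, from the Wi-Fi Alliance, or from any OWE implementation. It derives a WPA2-Personal PMK from a passphrase and SSID (the standard PBKDF2 construction, which yields the same key for every station that knows the passphrase), and then runs an ephemeral Diffie-Hellman exchange between a client and an AP and derives a PMK from the shared secret. The key derivation follows the shape RFC 8110 gives for OWE (HKDF-extract over the two public values and the group number, then HKDF-expand with the label "OWE Key Generation"), but uses the 1024-bit finite-field group 2 from RFC 2409 so it runs on the Python standard library alone; real OWE deployments use elliptic-curve groups, group 19 being mandatory. The 2-octet little-endian group-number encoding, the class and function names, and the 128-byte public-value encoding are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group 2 (RFC 2409, section 6.2). Transcribed by hand for this
# example; group_is_sane() runs a Fermat check so a transcription error is caught.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2          # P is a safe prime; generator 2 has order Q
G = 2
GROUP_ID = (2).to_bytes(2, "little")   # assumed: group number as 2 octets, little-endian


def group_is_sane() -> bool:
    """Cheap Fermat test on P with base 2; a mistyped modulus would fail it."""
    return P % 2 == 1 and pow(2, P - 1, P) == 1


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every station that knows the passphrase derives this same key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class OwePeer:
    """One side of an OWE association (client or AP) holding an ephemeral DH key."""

    def __init__(self) -> None:
        self.private = secrets.randbelow(Q - 1) + 1      # fresh for every association
        self.public = pow(G, self.private, P)

    def public_bytes(self) -> bytes:
        return self.public.to_bytes(128, "big")          # the only value sent over the air

    def derive_pmk(self, peer_public: bytes, client_pub: bytes, ap_pub: bytes) -> bytes:
        peer = int.from_bytes(peer_public, "big")
        # Reject degenerate and small-subgroup public values before using them
        if not 1 < peer < P - 1 or pow(peer, Q, P) != 1:
            raise ValueError("invalid peer public value")
        z = pow(peer, self.private, P).to_bytes(128, "big")   # shared DH secret
        prk = hkdf_extract(client_pub + ap_pub + GROUP_ID, z)
        return hkdf_expand(prk, b"OWE Key Generation", 32)


def owe_association() -> tuple:
    """Run one client <-> AP exchange; returns the PMK each side computed."""
    client, ap = OwePeer(), OwePeer()
    c_pub, a_pub = client.public_bytes(), ap.public_bytes()   # exchanged in the clear
    client_pmk = client.derive_pmk(a_pub, c_pub, a_pub)
    ap_pmk = ap.derive_pmk(c_pub, c_pub, a_pub)
    return client_pmk, ap_pmk


if __name__ == "__main__":
    print("WPA2-PSK PMK (identical for every station):", wpa2_psk_pmk("password", "IEEE").hex())
    first, second = owe_association(), owe_association()
    print("OWE association 1, both sides agree:", first[0] == first[1])
    print("OWE association 2, both sides agree:", second[0] == second[1])
    print("Two OWE associations share a PMK:", first[0] == second[0])
```

The contrast is the point of the passage: with WPA2-PSK the PMK is a pure function of passphrase and SSID, so a passive observer who knows the passphrase and captures a station's 4-way handshake has everything needed for that station's session keys; with the OWE-style exchange each association gets a distinct PMK that depends on both sides' ephemeral secrets, and the observer sees only the two public values. The subgroup check in derive_pmk is the kind of validation a real implementation must do on a value received from the air.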
The second improvement better protects wireless networks against brute-force attacks, which try different passwords, often from dictionaries of common passwords, to get into the system.
WPA3 features anti-brute-force protection. Requests will be blocked after the system notices several failed authentication attempts.
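The lockout described above, as an added example that is not from the article or from any WPA3 implementation: a per-peer sliding-window counter that refuses further attempts for a fixed lockout period once several failures accumulate, run over a constructed sequence of authentication attempts. The thresholds (5 failures in 60 seconds, 300-second lockout), the opaque "peer" identifier, the float-seconds timestamps and all names are this example's assumptions; the press release gives no limits.

```python
from collections import deque


class AuthThrottle:
    """Per-peer failed-authentication counter with a sliding window and a lockout.

    Limits are this example's own defaults; WPA3 does not publish them.
    """

    def __init__(self, max_failures=5, window_s=60.0, lockout_s=300.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = {}       # peer -> deque of failure timestamps inside the window
        self._locked_until = {}   # peer -> time at which the lockout ends

    def is_blocked(self, peer, now):
        """True while the peer's lockout is still running."""
        until = self._locked_until.get(peer)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[peer]   # lockout has expired
        return False

    def record(self, peer, now, success):
        """Update state after an attempt the peer was allowed to make."""
        window = self._failures.setdefault(peer, deque())
        if success:
            window.clear()             # a good login clears the strike count
            return
        window.append(now)
        while window and now - window[0] > self.window_s:
            window.popleft()           # forget failures older than the window
        if len(window) >= self.max_failures:
            self._locked_until[peer] = now + self.lockout_s
            window.clear()


def simulate(events, throttle=None):
    """Feed (time, peer, success) events through the throttle in time order;
    returns one outcome per event: 'blocked', 'ok' or 'fail'."""
    throttle = throttle or AuthThrottle()
    outcomes = []
    for now, peer, success in sorted(events):
        if throttle.is_blocked(peer, now):
            outcomes.append("blocked")   # attempt refused without checking the password
            continue
        throttle.record(peer, now, success)
        outcomes.append("ok" if success else "fail")
    return outcomes


# Constructed sample: one peer hammering wrong passwords, one legitimate login.
SAMPLE_EVENTS = [
    (0.0, "peer-A", False), (1.0, "peer-A", False), (2.0, "peer-A", False),
    (2.5, "peer-B", True),
    (3.0, "peer-A", False), (4.0, "peer-A", False),   # fifth failure -> locked until 304.0
    (5.0, "peer-A", True),                            # correct password, still blocked
    (310.0, "peer-A", True),                          # lockout over, allowed again
]

if __name__ == "__main__":
    for event, outcome in zip(sorted(SAMPLE_EVENTS), simulate(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Two details matter for a defender: the window must slide (five failures spread over ten minutes are not an attack burst and should not lock anyone out), and lockout state has to be keyed on whatever identity the access point has for the peer, so the value of the scheme depends entirely on how hard that identity is to change.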
The third security-related improvement is a stronger cryptographic standard: a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements, such as those in government, defense, and industry.
No information other than that it is a 192-bit security suite was revealed.
The fourth feature is a new configuration option that makes setting up devices without screens easier: it enables users to configure the WPA3 options of such a device from another device.
WPA3-certified devices are expected to become available later this year. Bleeping Computer had a chance to talk to Mathy Vanhoef, the researcher who discovered the KRACK attack on WPA2. He told Bleeping Computer that Linux's open source Wi-Fi client and access point already support the improved handshake, but that it has not been used in practice.
The Wi-Fi Alliance will continue to deploy WPA2 in Wi-Fi Certified devices. Devices that support WPA3 will work with WPA2 devices.
It is unclear whether new hardware is explicitly required, or if firmware updates may introduce WPA3 support as well.
The last one, which enables users to set up a device using another device: I have a feeling that would be the first WPA3 thing to be exploited. Mark my words, and the future will tell.
so great
“It is unclear whether new hardware is explicitly required, or if firmware updates may introduce WPA3 support as well.”
Even if no new hardware is required, it would be a major undertaking to not only add software support to legacy devices but also certify them for WPA3. The former requires manpower, which may be in short supply considering the team will also be quite busy working on new devices with WPA3 support. The latter will incur a cost for legacy devices that can’t be recovered.
In the end, every hardware manufacturer will have to ask itself if it is worth it. I’ve read in the past that the WFA certification costs around $5,000 per device, which applies not only to every model but also to every hardware refresh (which is something that happens regularly with routers).
Take TP-Link for example, going by the EU listings at geizhals.at, they’re selling 59 different wi-fi routers, 33 wi-fi routers with integrated modem, 32 access points, 21 repeaters and 36 wi-fi adapters (USB, PCIe, etc). That’s a total of 181 devices of which 57 are more than five years old. Next to the ~$19k yearly cost for WFA membership they’d have to pay anyway, the certification cost would run to $905k for all devices of which the $285k applies to the oldest products.
Think that’s worth doing when some company could offer the sale of a brand-spanking-new product instead with a great new security feature for only a modest price increase? You know the answer.
I think the second thing, which bans the MAC address of a device trying to brute-force the password, could be implemented right now, without the need for a new WPA standard. The router sees the MAC of the device constantly failing to provide a correct password. It could just block that.
May work if the MAC was encrypted
MAC address is trivial to change
It wouldn’t be that useful since most WPA/WPA2 brute-forcing is done offline.
But that would require firmware updates anyway.