Wi-Fi Alliance announces WPA3

Martin Brinkmann
Jan 9, 2018
Updated • Jan 9, 2018

The Wi-Fi Alliance announced the WPA3 standard officially on Monday. The new wireless network security standard will replace WPA2 eventually.

WPA2, which stands for Wi-Fi Protected Access 2, is the current security standard for wireless networks.

Practically any device -- smartphones, routers, laptops, IoT devices -- with wireless connectivity supports the nearly 2-decade-old standard. Security researchers discovered a vulnerability in WPA in October 2017. KRACK, short for Key Reinstallation Attacks, works against all WPA2-protected Wi-Fi networks and can be abused to steal sensitive information and other data.

Features of WPA3

The press release that the Wi-Fi Alliance put out on Monday reveals four new features of WPA3. Three of the features improve security significantly.

The first introduces individualized data encryption. It resolves a long-standing issue of open Wi-Fi networks by encrypting the connection between each device on the network and the router individually. This blocks any other connected device from snooping on or manipulating the traffic of other devices connected to the same network.

The press release lacked further information but it could be that Opportunistic Wireless Encryption is used for the feature.

With OWE, the client and AP perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise secret with the 4-way handshake instead of using a shared and public PSK in the 4-way handshake.

OWE requires no special configuration or user interaction but provides a higher level of security than a common, shared, and public PSK. OWE not only provides more security to the end user, it is also easier to use both for the provider and the end user because there are no public keys to maintain, share, or manage.

The second improvement protects the wireless network better against brute-force attacks. Brute-force attacks try different passwords, often by using dictionaries of common passwords, to get into the system.

WPA3 features anti-brute-force protection. Requests will be blocked after the system notices several failed authentication attempts.

The third security-related improvement is an improved cryptographic standard.

Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.

No information other than that it is a 192-bit security suite was revealed.

Finally, WPA3 supports a new configuration feature that makes the configuration of devices without screens easier. Basically, what it enables users to do is set up WPA3 options on a device using another device.

WPA3-certified devices are expected to become available later this year. Bleeping Computer had a chance to talk to Mathy Vanhoef, the researcher who discovered the KRACK attack on WPA2. He told Bleeping Computer that Linux's open source Wi-Fi client and access point support the improved handshake already, but that it has not been used in practice.

The Wi-Fi Alliance will continue to deploy WPA2 in Wi-Fi Certified devices. Devices that support WPA3 will work with WPA2 devices.

It is unclear whether new hardware is explicitly required, or if firmware updates may introduce WPA3 support as well.

Publisher: Ghacks Technology News
Comments

  1. Steve said on February 4, 2018 at 7:13 pm

    The last one, which enables users to set up a device using another device, I have a feeling that would be the first WPA3 thing to be exploited. Mark my words and the future will tell.

  2. roxin said on January 10, 2018 at 7:23 pm

    so great

  3. flash said on January 9, 2018 at 6:44 pm

    “It is unclear whether new hardware is explicitly required, or if firmware updates may introduce WPA3 support as well.”

    Even if no new hardware is required, it would be a major undertaking to not only add software support to legacy devices but also certify them for WPA3. The former requires manpower, which may be in short supply considering the team will also be quite busy working on new devices with WPA3 support. The latter will incur a cost for legacy devices that can’t be recovered.

    In the end, every hardware manufacturer will have to ask himself, if things are worth it. I’ve read in the past that the WFA certification costs around $5,000 per device, which applies not only to every model but also every hardware refresh (which is something that happens regularly with routers).

    Take TP-Link for example, going by the EU listings at geizhals.at, they’re selling 59 different wi-fi routers, 33 wi-fi routers with integrated modem, 32 access points, 21 repeaters and 36 wi-fi adapters (USB, PCIe, etc). That’s a total of 181 devices of which 57 are more than five years old. Next to the ~$19k yearly cost for WFA membership they’d have to pay anyway, the certification cost would run to $905k for all devices of which the $285k applies to the oldest products.

    Think that’s worth doing when some company could offer the sale of a brand-spanking-new product instead with a great new security feature for only a modest price increase? You know the answer.

  4. Yuliya said on January 9, 2018 at 10:41 am

    I think the second thing, which bans the MAC address of a device trying to bruteforce the password, could be implemented right now, without the need of a new WPA standard. The router sees the MAC of the device constantly failing to provide a correct password. It could just block that.

    1. leanon said on January 10, 2018 at 8:53 am

      May work if the MAC was encrypted

    2. Anonymous said on January 9, 2018 at 7:30 pm

      MAC address is trivial to change

    3. Matt said on January 9, 2018 at 2:15 pm

      It wouldn’t be that useful since most WPA/WPA2 bruteforcing is done offline.

    4. jupe said on January 9, 2018 at 11:51 am

      But that would require firmware updates anyway.
