The Wi-Fi Alliance announced the WPA3 standard officially on Monday. The new wireless network security standard will replace WPA2 eventually.
WPA2, which stands for Wi-Fi Protected Access 2, is the current security standard for wireless networks.
Practically any device -- smartphones, routers, laptops, IoT devices -- with wireless connectivity supports the nearly 2-decade old standard. Security researchers discovered a vulnerability in WPA in October 2017. KRACK, Key Reinstallation Attacks, works against all WPA2 protected Wi-Fi networks and can be abused to steal sensitive information and other data.
The press release that the Wi-Fi Alliance put out on Monday reveals four new features of WPA3. Three of the features improve security significantly.
The first introduces individualized data encryption. It resolves a long-standing issue of open WiFi networks by encrypting connections between devices on the network and the router individually. This blocks any other connected device from snooping on or manipulating traffic of other devices connected to the same network.
The press release lacked further information but it could be that Opportunistic Wireless Encryption is used for the feature.
With OWE, the client and AP perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise secret with the 4-way handshake instead of using a shared and public PSK in the 4-way handshake.
OWE requires no special configuration or user interaction but provides a higher level of security than a common, shared, and public PSK. OWE not only provides more security to the end user, it is also easier to use both for the provider and the end user because there
are no public keys to maintain, share, or manage.
The second improvement protects the wireless network better against brute-force attacks. Brute-force attacks try different passwords, often by using dictionaries of common passwords, to get into the system.
WPA3 features anti-brute-force protection. Requests will be blocked after the system notices several failed authentication attempts.
The third security-related improvement is an improved cryptographic standard.
Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.
No information other than that it is a 192-bit security suite was revealed.
Finally, WPA3 supports a new configuration feature that makes the configuration of devices without screens easier. Basically, what it enables users to do is set up WPA3 options a device using another device.
WPA3-certified devices are expected to become available later this year. Bleeping Computer had a chance to talk to Mathy Vanhoef, the researcher who discovered the KRACK attack on WPA2. He told Bleeping Computer that Linux's open source Wi-Fi client and access point support the improved handshake already, but that it has not been used in practice.
The Wi-Fi Alliance will continue to deploy WPA2 in Wi-Fi Certified devices. Devices that support WPA3 will work with WPA2 devices.
It is unclear whether new hardware is explicitly required, or if firmware updates may introduce WPA3 support as well.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.