The Wi-Fi Alliance has recently announced a new standard in wireless, Wi-Fi CERTIFIED WPA3™. WPA3 (Wi-Fi Protected Access) is designed as the successor to the widely used WPA2 and brings a number of core enhancements to improve security protections and onboarding procedures across personal, public, and enterprise networks.
Security issues on the network range widely for IT and personal users alike – from malicious attackers and unknown devices to risks posed by a misconfigured network. The rise in IoT devices exacerbates these problems, especially in enterprise networks. In the home and small business space, open and lightly protected networks are attractive targets for attackers out to gain access to the network or sniff out potentially sensitive information sent in the clear. WPA2-Personal is particularly susceptible to offline dictionary attacks, while WPA2-Enterprise is very hard to provision because it has so many options.
This is where standards-based designs, much like an API-compatible, multivendor network architecture, step in to enable a high degree of adoption of new features and technologies that improve end-user protections and IT capabilities.
As we walk through what WPA3 does, please note that WPA3 does not replace your existing enterprise-grade security solution. Security must be taken holistically and integrate capabilities at user, device, and application-level granularity.
With that, WPA3 aims to solve these key problems:
Problem: Wireless traffic is passed in the clear (open networks)
Solution: With WPA3, there are no more open networks! OWE, or Opportunistic Wireless Encryption, encrypts all wireless traffic on formerly Open networks.
The most relatable scenario typically involves networks you commonly connect to in small businesses such as coffee shops, private auto shops, and restaurants, where Wi-Fi is not a gated asset. If these are Open networks, or even if they use a shared and public PSK (such as one written on a chalkboard or on the menu in a restaurant), your Wi-Fi traffic can be decrypted by attackers on the network. OWE raises the bar on security and protects against these passive attacks.
An OWE network provides users with a seamless experience. It looks like an Open network in the list of available networks, but under the covers, OWE provides improved security.
Problem: PSK can be methodically hacked with an offline dictionary attack
Solution: PSK mode is replaced by SAE, or Simultaneous Authentication of Equals, which is resistant to active, passive, and dictionary attacks. An offline dictionary attack observes a single WPA2-PSK exchange and then cycles through candidate Wi-Fi passwords, checking each guess against the captured exchange, until the right password is found. The more complex you make your password the better, but complex passwords are hard for people to manage and enter with a low probability of error. Putting the burden of network security on users is never a good idea. With WPA3-SAE, the exchange itself is secured, and it retains that security even when used with passwords that would be deemed too weak for WPA2-PSK.
With WPA3-SAE, users need not learn about new security procedures (or know what a dictionary attack is). The UI for SAE is identical to a PSK network. Users are comfortable entering a password when prompted and nothing changes from their point-of-view but under the covers they get a truly secure connection.
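To see why a WPA2-PSK exchange can be checked offline, it helps to look at where the key material comes from. The following is an added example (not code from the original post or from the Wi-Fi Alliance): it implements the standard IEEE 802.11 passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as the only salt) and the common config convention of accepting either a passphrase or a raw 64-hex-digit PSK. The function names are this example's own. The point for a defender: every input to this function other than the passphrase is public, and the cost per guess is fixed, which is exactly the property SAE removes by making each password guess require a live exchange with the network.

```python
import hashlib
import re

# Parameters fixed by IEEE 802.11 for the WPA2-PSK passphrase mapping.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32  # 256-bit PSK
_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def wpa2_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Map an ASCII passphrase and an SSID to the 256-bit WPA2 PSK.

    The SSID is the only salt and the iteration count is constant, so an
    attacker holding one captured 4-way handshake can evaluate this mapping
    for each candidate passphrase without ever talking to the network again.
    """
    # 802.11 restricts passphrases to 8..63 printable ASCII characters.
    if not (8 <= len(passphrase) <= 63):
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    if not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA2 passphrases must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not (1 <= len(ssid_bytes) <= 32):
        raise ValueError("SSID must be 1 to 32 octets")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PSK_LEN
    )


def psk_from_config(ssid: str, secret: str) -> bytes:
    """Return the 32-byte PSK for a network config entry.

    Supplicant and AP configs commonly accept either a human passphrase or a
    raw PSK written as 64 hex digits; the raw form skips the passphrase
    mapping entirely (and therefore has no 'dictionary' to attack).
    """
    if _HEX64.match(secret):
        return bytes.fromhex(secret)
    return wpa2_psk_from_passphrase(secret, ssid)


if __name__ == "__main__":
    # Test vector from the IEEE 802.11 annex: passphrase "password", SSID "IEEE".
    print(wpa2_psk_from_passphrase("password", "IEEE").hex())
```

Run with no arguments it prints the PSK for the IEEE test vector. Note that changing only the SSID changes the PSK, which stops precomputed tables from being reused across networks but does nothing to slow guessing against a single captured handshake; that is why the post describes the password's complexity as WPA2-PSK's only real defence.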
Problem: Mix-and-match nature of WPA2-Enterprise can result in less-than-optimal security
Solution: WPA3 introduces 256-bit encryption, CNSA (Suite B) security capabilities, and baseline rules to ensure consistent security.
While enterprises deploy highly secure networks using WPA2-Enterprise configurations, there are still too many options during implementation that can result in less-than-secure deployments. For instance, should you use RSA key exchanges? 1024-bit authenticating 2048-bit? TLS 1.0? SHA1? With the new WPA3-CNSA mode, EAP-TLS uses Suite B TLS ciphersuites, and WPA3 also introduces the 192-bit security level commonly deployed in high-security Wi-Fi networks in government, defense, and industrial verticals. These ciphersuites combine all of the various options—cipher mode, hash algorithm, key exchange, authentication method—into a single suite that provides consistent security for each user connection. No more mixing and matching of options, and no more worries about clients “negotiating down” the security of an EAP-TLS connection, whether intentionally or unintentionally.
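The "single suite instead of a negotiable menu" idea is easy to demonstrate on the TLS layer that EAP-TLS carries. The example below is added here and is not code from the original post, from WPA3, or from any EAP implementation: it uses Python's standard ssl module to build a client context pinned to the Suite B TLS 1.2 profile from RFC 6460 for the 192-bit level (ECDHE with P-384, ECDSA authentication, AES-256-GCM, SHA-384) and a small name-based audit that flags any offered suite outside that profile. The suite and curve strings are OpenSSL's names; the function names and the audit rules are this example's own, and they cover only what the passage lists (key exchange, authentication, hash, cipher mode).

```python
import ssl

# OpenSSL name of the RFC 6460 Suite B suite for the 192-bit security level.
CNSA_TLS12_SUITE = "ECDHE-ECDSA-AES256-GCM-SHA384"
CNSA_CURVE = "secp384r1"  # NIST P-384


def build_pinned_context() -> ssl.SSLContext:
    """Client context that can offer exactly one suite, on TLS 1.2 only.

    With a single suite there is nothing for a peer to negotiate down to:
    either the server supports this suite or the handshake fails.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # RFC 6460 profiles TLS 1.2
    ctx.set_ciphers(CNSA_TLS12_SUITE)
    ctx.set_ecdh_curve(CNSA_CURVE)
    return ctx


def build_default_context() -> ssl.SSLContext:
    """The mix-and-match baseline: whatever the library's DEFAULT list allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("DEFAULT")
    return ctx


def tls12_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of the TLS 1.2-and-earlier suites a context will offer.

    get_ciphers() also lists TLS 1.3 suites, which set_ciphers() does not
    govern, so they are filtered out to keep the audit about the 1.2 profile.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_suites(ctx: ssl.SSLContext) -> dict:
    """Map each offered suite outside the CNSA profile to the reasons it fails.

    Classification is by OpenSSL suite name: a name that does not start with
    ECDHE-ECDSA- uses RSA or DHE key exchange or RSA authentication; a name
    ending in -SHA uses an HMAC-SHA1 MAC; anything but AES256-GCM is the wrong
    cipher mode or key size. An empty result means only the pinned suite is offered.
    """
    findings = {}
    for name in tls12_cipher_names(ctx):
        reasons = []
        if not name.startswith("ECDHE-ECDSA-"):
            reasons.append("key exchange/authentication is not ECDHE-ECDSA")
        if name.endswith("-SHA"):
            reasons.append("SHA-1 based MAC")
        if "AES256-GCM" not in name:
            reasons.append("not AES-256-GCM")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    print("pinned  :", tls12_cipher_names(build_pinned_context()))
    print("default :", len(audit_suites(build_default_context())), "non-CNSA suites offered")
```

Running it shows the pinned context offering exactly one suite and an empty audit, while the DEFAULT context offers a long list in which RSA key exchange, RSA authentication and 128-bit suites all appear. The same audit idea applies to a RADIUS server's EAP-TLS settings: the point of WPA3-CNSA is that the allowed set is defined by the standard rather than left to whatever each client and server happen to agree on.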