In October 2017, researchers made public a serious vulnerability in WPA2, the security protocol that protects
most of today’s WiFi networks. This discovery put the protocol’s security in
the spotlight and led to discussions about the need for a new standard.
Finally, the WiFi Alliance, the organization that
certifies WiFi devices, announced WPA3, a new and enhanced authentication protocol
that is set to be rolled out in 2018. This new version isn’t aimed at improving
the reputation of WPA2, as various manufacturers are patching the disclosed
vulnerability in their updates. Instead, it seeks to implement new features and
increase the security of a protocol that hasn’t been improved in the past 13
years.
This new protocol is looking to bring improvements
in authentication and encryption while facilitating the configuration of
wireless networks. Crucially for stronger encryption, the new security
protocol will feature 192-bit encryption. Although the Alliance did not
explicitly state so, it is safe to assume that, like its predecessor and
like WPA before it, WPA3 will also use a 48-bit initialization vector. That
way, this new protocol is in line with the highest security standards and is
fit for use in networks with the most stringent security requirements, such as
those of governments, defense or industrial systems.
Another notable feature of WPA3 is the
implementation of the Dragonfly protocol, also referred to as Simultaneous
Authentication of Equals (SAE). This is aimed at improving security at the time
of the handshake, which is when the key is being exchanged. As a result, WPA3
is poised to provide robust security even if short or weak passwords are used,
i.e. those that don’t contain a combination of letters, numbers and symbols.
This feature is very useful, especially considering
that users have difficulties creating strong and hard-to-guess passwords. According to the WiFi
Alliance, it will be almost impossible to breach a WiFi network using current
methods such as dictionary and brute-force attacks.
Finally, for those who usually work remotely and
use public WiFi networks in coffee shops, hotels or at airports,
WPA3 will be a robust solution to privacy problems. By applying
individualized data encryption, where every connection between a device and
a router will be encrypted with a unique key, it seeks to further mitigate the
risk of Man-in-the-Middle (MitM) attacks.
The improvements that are expected to be brought by
WPA3 are clearly aimed at strengthening the protocol and at enhancing security
for users. At the same time, the protocol also seeks to simplify WiFi
connections for devices that have no graphical user interface (GUI) or
only a rather rudimentary one. This is highly important if we
consider just how many IoT devices hit the market every day. In these cases,
connecting to a wireless network will be even simpler. We assume, therefore,
that WPA3 will also improve on connecting by pressing the WPS button, as used
with WPA2.
Although more specifics about the implementation of
WPA3 are not available yet, some standards that underpin this new protocol have
already been around for some time. However, manufacturers will now be obliged
to observe the applicable requirements in order for their devices to receive
the ‘WPA3-certified’ seal of approval from the WiFi Alliance. On the other
hand, since WPA3 will be newly incorporated into devices and given that many
users rarely change their router at home, it will take a while before the protocol
is used in all households.
Therefore, WPA3 is not an immediate replacement for
its predecessor. On the contrary, WPA2 will continue to be maintained and
updated for a long time while WPA3 is being incorporated into devices available
on the market and before those devices are used in homes. In fact, the Alliance
also announced that it will continue to perform security tests on WPA2 with an
eye toward reducing the impact of vulnerabilities caused by unsafe
configurations and towards further enhancing the protection of wireless
networks. Therefore, until we have more information about this new protocol, we
recommend that you continue to follow our tips for securing your WiFi network.