The Wi-Fi Alliance, a non-profit organization that tests and slaps the “Wi-Fi Certified” logo on products that meet certain standards of interoperability, has announced enhancements for WPA2 and the imminent introduction of WPA3.
WPA2 (Wi-Fi Protected Access II) is a security protocol widely used for securing wireless computer networks, and has been around for some 13-odd years.
While a definite improvement over Wired Equivalent Privacy (WEP), WPA2 does have a number of security weaknesses. The latest serious ones were made public in October last year by Mathy Vanhoef, a postdoc at the Belgian University of Leuven, who also came up with KRACK, i.e. the key reinstallation attack, to exploit them.
“WPA2 provides reliable security used in billions of Wi-Fi devices every day, and will continue to be deployed in Wi-Fi CERTIFIED devices for the foreseeable future,” the organization noted.
“Wi-Fi Alliance will continue enhancing WPA2 to ensure it delivers strong security protections to Wi-Fi users as the security landscape evolves. Advanced Wi-Fi applications will rely on WPA2 with Protected Management Frames, broadly adopted in the current generation of Wi-Fi CERTIFIED devices, to maintain the resiliency of mission-critical networks. New testing enhancements will also reduce the potential for vulnerabilities due to network misconfiguration, and further safeguard managed networks with centralized authentication services.”
WPA3 security enhancements
“Four new capabilities for personal and enterprise Wi-Fi networks will emerge in 2018 as part of Wi-Fi CERTIFIED WPA3,” the alliance shared.
“Two of the features will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations, and will simplify the process of configuring security for devices that have limited or no display interface. Another feature will strengthen user privacy in open networks through individualized data encryption. Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.”
In the meantime, Vanhoef noted that because WPA3 will include a more secure handshake, dictionary attacks will no longer work.
“The handshake they’re referring to is likely Simultaneous Authentication of Equals (SAE). Which is also called Dragonfly,” he noted, and added that Linux’s open source Wi-Fi client and access point already support the improved handshake, but it’s not used in practice.
He also posited that the individualized data encryption could be based on Opportunistic Wireless Encryption (OWE), a mode that provides wireless encryption without authentication.
For an eventual confirmation of those conjectures, we’ll have to wait a bit. “More on WPA3 security will be revealed later in 2018,” the alliance noted.
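As an added illustration (not from the article, Vanhoef or the Wi-Fi Alliance), this is how WPA2 with Protected Management Frames and the SAE handshake look in a hostapd configuration. It assumes hostapd is the Linux access point Vanhoef refers to and that WPA3-Personal will use SAE as he conjectures; the interface name, SSID and secrets are placeholders.

```ini
# hostapd.conf sketch (added example; interface, SSID and secrets are placeholders).
# hostapd does not strip trailing comments, so every comment sits on its own line.
# Enable exactly one of the blocks A, B or C.

interface=wlan0
ssid=ExampleNet
hw_mode=g
channel=6

# RSN information element only (WPA2; SAE is negotiated inside RSN as well)
wpa=2
# AES-CCMP only, no TKIP
rsn_pairwise=CCMP

# --- A: common WPA2-Personal deployment (the weak baseline) ---------------
# The pairwise keys derive from the passphrase and SSID, so the strength of
# the network against offline guessing rests entirely on the passphrase.
# Management frames (deauthentication, disassociation) are unprotected.
#wpa_key_mgmt=WPA-PSK
#wpa_passphrase=REPLACE_WITH_LONG_RANDOM_PASSPHRASE
#ieee80211w=0

# --- B: WPA2-Personal with Protected Management Frames required ----------
# ieee80211w: 0 = disabled, 1 = optional, 2 = required.
# Clients without PMF support cannot associate when this is 2.
#wpa_key_mgmt=WPA-PSK-SHA256
#wpa_passphrase=REPLACE_WITH_LONG_RANDOM_PASSPHRASE
#ieee80211w=2

# --- C: SAE (Dragonfly) handshake with PMF required -----------------------
# SAE is a password-authenticated key exchange: each guess at the password
# needs a live exchange with the access point, so a recorded handshake
# gives no material for offline dictionary testing.
wpa_key_mgmt=SAE
sae_password=REPLACE_WITH_NETWORK_PASSWORD
ieee80211w=2
```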