The Wi-Fi Alliance announced the WPA3 standard officially on Monday. The new wireless network security standard will replace WPA2 eventually.
WPA2, which stands for Wi-Fi Protected Access 2, is the current security standard for wireless networks.
Practically any device — smartphones, routers, laptops, IoT devices — with wireless connectivity supports the nearly 2-decade old standard. Security researchers discovered a vulnerability in WPA in October 2017. KRACK, Key Reinstallation Attacks, works against all WPA2 protected Wi-Fi networks and can be abused to steal sensitive information and other data.
Features of WPA3
The press release that the Wi-Fi Alliance put out on Monday reveals four new features of WPA3. Three of the features improve security significantly.
The first introduces individualized data encryption. It resolves a long-standing issue of open WiFi networks by encrypting connections between devices on the network and the router individually. This blocks any other connected device from snooping on or manipulating traffic of other devices connected to the same network.
The press release lacked further information but it could be that Opportunistic Wireless Encryption is used for the feature.
With OWE, the client and AP perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise secret with the 4-way handshake instead of using a shared and public PSK in the 4-way handshake.
OWE requires no special configuration or user interaction but provides a higher level of security than a common, shared, and public PSK. OWE not only provides more security to the end user, it is also easier to use both for the provider and the end user because there
are no public keys to maintain, share, or manage.
The second improvement protects the wireless network better against brute-force attacks. Brute-force attacks try different passwords, often by using dictionaries of common passwords, to get into the system.
WPA3 features anti-brute-force protection. Requests will be blocked after the system notices several failed authentication attempts.
The third security-related improvement is an improved cryptographic standard.
Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.
No information other than that it is a 192-bit security suite was revealed.
Finally, WPA3 supports a new configuration feature that makes the configuration of devices without screens easier. Basically, what it enables users to do is set up WPA3 options a device using another device.
WPA3-certified devices are expected to become available later this year. Bleeping Computer had a chance to talk to Mathy Vanhoef, the researcher who discovered the KRACK attack on WPA2. He told Bleeping Computer that Linux’s open source Wi-Fi client and access point support the improved handshake already, but that it has not been used in practice.
The Wi-Fi Alliance will continue to deploy WPA2 in Wi-Fi Certified devices. Devices that support WPA3 will work with WPA2 devices.