With the expanded use of wireless networks connecting business computers, home computers, smartphone and tablets, and the ever expanding list of smart IoT devices, strong wireless network security is more important than ever. Fortunately there is a new wireless security protocol, WPA3, that will fix some of the weaknesses inherent in the current standard, WPA2.
Wireless security is all about encrypting the radio signal between your device and the access point. Anyone within range of your transmission can easily intercept and read the packets containing your session. By encrypting this traffic, WPA2 makes sure that any information that is intercepted is unreadable.
The history of wireless security is checkered at best. All of the solutions prior to WPA3 have had identifiable and exploitable weaknesses.
- WEP – Wireless Equivalency Protocol was introduced in 1997 had several problems.
- Pre-shared key – A secret that is shared soon stops being a secret, which required frequent key changing. Since this rarely happened in practice, it became a critical vulnerability.
- Initialization vector – The initialization vector that used to create the encrypted session is sent in clear text, making it trivial to discovery the cipher.
- 40-bit encryption key – This is too small, and makes it easy to crack the encryption key.
- DNS dependency – This makes WEP vulnerable to man-in-the-middle attacks.
- Checksum – The checksum is linear and predictable.
- WPA – Wi-Fi Protected Access was introduced in 2003, as the Draft IEEE 802.11i standard. As it was a draft standard, it was quickly replaced in 2004 by the finalized standard WPA2. This is what most of us are using today.
- WPA2 – Wi-Fi Protected Access 2 has two implementations, WPA2-Personal and WPA2-Enterprise.
- WPA2-Personal protects the network users through the use of a pre-shared key created from a passphrase. The default encryption standard is either TKIP (Temporal Key Integrity Protocol). TKIP uses an RC-4 128-bit per-packet key, which means the encryption key is always changing. This, and the longer key length, makes key cracking nearly impossible.
- WPA2-Enterprise combines use of a secret key with user identification and access management. It authenticates users to the network individually by using a server, often a RADIUS server. WPA-Enterprise typically uses AES-CCMP (AES-Counter Mode CBC-MAC Protocol) for encryption. This is considerably stronger than TKIP.
- WPS – Wi-Fi Protected Setup was developed to make connecting computers and devices to a wireless access point easier, but the WPS PIN recovery feature made this anything but secure, and on secure networks this is generally disabled.
WPA2 has its own security problems, including but not limited to:
- Use of a short or weak passphrase
- Lack of forward secrecy
- WPA Packet spoofing and decryption
- KRACK attack, revealed in October 2017
In January 2018 the Wi-Fi Alliance announced WPA3 as a replacement for WPA2. Here is a short list of features to look forward to.
- Encryption – The new standard uses 128-bit encryption in WPA3-Personal mode and 192-bit encryption in WPA3-Enterprise.
- Perfect forward secrecy – It uses forward secrecy which prevents the compromise of a passphrase from compromising individual session keys.
- Simultaneous Authentication of Equals – This replaces the pre-shared key. SAE blocks offline password cracking. Password cracking must be made on a live connection, which makes automated attacks vulnerable to rate limiting and incorrect password lock-out defensive strategies.
- Opportunistic Wireless Encryption (OWE) – Finally, the death of open Wi-Fi. Public networks in coffee shops, hotels, airports, libraries, and open guest networks in business networks will be protected by a secure encrypted connection between the user and access point by using a unique encryption key.
- Replace WPS – WPS is replaced with a system called Wi-Fi Easy Connect that uses a QR code to make it easier to connect IoT and other devices to the wireless network.
Many manufacturers are offering support for existing products through software or firmware upgrades, but the fact remains that implementation of the new standard will require replacing some or much of your existing wireless gear. As they say, your results may vary. I still would recommend adopting WPA3 at your earliest opportunity. If you are replacing or upgrading a wireless access point in the near future, you might want to resist the close-out, fire-sale prices on WPA2 gear, and buy the new WPA3 product instead.