Nearly 14 years after it ratified WPA2 (Wi-Fi Protected Access 2), the Wi-Fi Alliance has given the world a peek at what might be coming next for wireless security.
Perhaps unsurprisingly called WPA3, the draft standard’s announcement at the annual CES Show was brief, but offered clues as to how it might address WPA2’s known problems.
The main message is that under WPA3, security will be baked deeper into wireless configuration, making it harder to misconfigure or to avoid.
Four enhancements are mentioned:
- Brute-force resistance. There will be protection against brute-force attacks on Wi-Fi passwords. In future, authentication will be blocked after several unsuccessful attempts. This should, in theory, help to limit the exposure caused by weak passwords.
- IoT support. Wi-Fi devices will be easier to configure using smartphones, a nod to the massive growth in Internet of Things (IoT) hardware using Wi-Fi that could cause major problems if not set up correctly.
- Stronger encryption.. Government and business networks will gain access to “a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems.” This implements technical encryption changes required by the US Government.
- Safer public Wi-Fi. The announcement mentions “strengthen[ing] user privacy in open networks through individualized data encryption,” although it’s not absolutely clear what this refers to.
Speculating, the last enhancement could be a tightening up of the perennial problem of public Wi-Fi networks (e.g. airports, coffee shops, public transport) that are free to use without a password. WPA3 might provide an automatic system for allowing clients and routers to negotiate encrypted connections even on open networks.
If so, this system could also be used to address a cryptographic weaknesses of password-protected Wi-Fi networks. At the moment, anyone who knows the Wi-Fi PSK (Pre-Shared Key, commonly called the “network password”) and who intercepts your traffic at the moment you connect can recover your session key and decrypt all your subsequent traffic.
A password to get on the network combined with an unsniffable unique password for each user would be a useful security improvement.
Presumably, WPA3 will also avoid the sort of implementation flaws in WPA2 that led to the KRACK attack of October 2017.
That flaw was addressed with updates to WPA2 equipment, without any new hardware, so it’s possible that some of what’s in WPA3 might also be addressable with incremental updates to WPA2, even in devices that can’t support WPA3 outright.
The point of a “WPA3 Certified” sticker on products would be to make it easier for buyers to understand what security they were gaining from new equipment – a sort of easy-to-understand line in the sand.
But it’s one thing to promote a new specification, another to persuade organisations and individuals to buy new equipment to support it.
This could unfold over years, which means that WPA2 security will be with us for a long time.
We might have to get used to the reality of a world of two-level wireless security – strong WPA3 and (as research undermines it) weakening WPA2.
Wevy
What new forehead smacking flaws will be added in this closed review process?
IT Guy
‘…This implements technical encryption changes required by the US Government…’
An ominous statement if ever there was one!
Pankhurst
Yes, makes me seriously wonder if WPA3 will be an improvement.
If there are US Government required back-doors, how long until the (really) bad guys have knowledge of them?
Can we have a WPA3-Intl – without the US requirements?
John E Dunn
That part of the spec isn’t mandatory – it’s there for Government networks mainly. For now.
Dave
I’d like to see some mutual authentication for public Wi-Fi. Let me scan a bar code of the public key. It’s all too easy to impersonate a Wi-Fi spot at the moment imo.
bob
well i’m gonna say it…. i really wonder if wpa3 has a backdoor built in….
Tracy
A new WPA, imagine that. I have a question if I may. Why not fix what is broken? If you re-code all you do is insert new flaws and cause us to have to trash devices that work just to stay safe until the bad guys find the new flaws to use against us. Sorry Mate. That is just patching a leaky tire. If you can tell me that this new implementation will be hardened enough to be near impossible to crack then I’m all for it. Frankly it will be the Script Kiddies that will crack it first.