This month the Wi-Fi Alliance announced that the next-generation wireless security protocol, WiFi Protected Access 3 (WPA3), is being released in 2018. This means that WiFi router and device manufacturers have already begun building and testing their hardware to support this new protocol – hopefully we’ll have some of that updated hardware in our hands soon!
But what will WPA3 bring to the table?
Secure Open Networks
WPA2 is now 14 years old, and over the last several years its limitations have started to show its age. Back in 2004, the WiFi Alliance couldn’t have predicted the proliferation and importance of open networks that we find at places such as airports, coffee shops, and hotels today.
Today’s open-network connections are not encrypted, and even when you use HTTPS, it is still possible to track the websites you visit – I personally try to tether to my phone instead of using open networks at airports or hotels. With the new WPA3’s individualized data encryption between a device and a router, this problem will be solved. Keep in mind that encryption will only be possible when both ends of a connection are WPA3 capable. Existing devices might receive a software update to support WPA3 once everything is rolled out.
Brute Force Attacks
WPA2 uses a four-way handshake to establish the encrypted communication between a device and an access point. That protocol was vulnerable to the KRACK attack that made the news in October 2017. WPA3 will use a new handshake protocol that will not be vulnerable to brute-force dictionary attacks, and it will block any connections upon detecting too many failed password guesses. This will also eliminate risks when a user chooses a weak password (you can never trust the user!).
If you have used any kind of device that doesn’t have a display and keyboard to enter WiFi credentials, you know that trying to connect it to the network is a pain. You may be required to use a smartphone app to type in the password, or temporarily connect the device to a secondary network to configure the credentials before deployment. It’s great that the WiFi Alliance has taken notice of these impracticalities.
WPA3 promises a feature to “simplify the process of configuring security for devices that have limited or no display interface”. It’s not clear how this will be done, but I am looking forward to it, nonetheless!
Some organizations, such as government defense and safety-critical industries, require higher security standards. WPA3 introduces 192-bit security in alignment with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems. Which makes me wonder, why not 192-bit security for everyone? Maybe because of CPU and airtime overhead.
It’s exciting that better and stronger security is coming out in 2018 for wireless networks – it was long overdue. As always, there will be a period during which both WPA2 and WPA3 are available at the same time, until existing devices are retired.
It’s never fun to have to think twice when connecting your device to an untrusted network. I look forward to the promise of WPA3 fixing that.