As the days go by, newer and improved security systems arrive on the market, this time thanks to Wi-Fi Certified WPA3, which the Wi-Fi Alliance launched Tuesday. The announcement paves the way for the proliferation of devices that support the new, more secure protocol for Wi-Fi communication, which is designed to replace the 14-year-old WPA2.
The new protocol adds features to simplify WiFi security, enable more robust authentication, and deliver increased cryptographic strength for highly sensitive data markets.
Provides greater security for home networks
WPA3 also replaces WPA2’s flawed Wi-Fi Protected Setup with the Wi-Fi Device Provisioning Protocol.
“That promises a secure method for adding new devices to a network without the need to enter passwords,” explained Craig Young, a senior security researcher at Tripwire.
“This mechanism makes use of public key cryptography to identify and authenticate devices, and should close up one of the weakest points in modern WiFi deployments,” he told TechNewsWorld.
The new protocol improves the authentication mechanisms in a way that makes home implementations resistant to attack, said James Lerud, head of the behavioral research team at Verodin.
“The protocol is resistant to password-guessing and dictionary attacks,” he told TechNewsWorld.
“A key is only valid for a particular session, so if a session is intercepted and the key is compromised, it does not provide access to other sessions or future sessions,” Lerud said.
“This implementation also has the benefit of making weak password selection less damaging,” he added.
Eligible for both home and business use
WPA3 comes in two separate modes to meet the needs of home and business users.
WPA3-Personal has password-based authentication that’s more resilient than WPA2 — even when users choose passwords that don’t meet common complexity recommendations.
It also supports Simultaneous Authentication of Equals (SAE), a secure key establishment protocol between devices that provides stronger protections for users against password-guessing attempts by third parties.
WPA3-Enterprise offers extra protection for networks transmitting sensitive data, such as those used by governments and financial institutions, by supporting the equivalent of 192-bit encryption.
In addition to introducing Wi-Fi Certified WPA3, the Alliance introduced Wi-Fi Certified Easy Connect, a program aimed at reducing the complexity of connecting WiFi devices with limited or no display interface.
Wi-Fi Easy Connect lets users securely add an interface-challenged device to a network through another device with a better interface, such as a smartphone, by scanning a product quick response (QR) code.
Time for upgrading WPA2 to WPA3
How long it will take WPA3 devices to supplant the WPA2 installed base remains to be seen. Qualcomm expects to incorporate WPA3 security features into chipsets this summer, starting with its Qualcomm Snapdragon 845 Mobile Platform and continuing to all its WiFi networking infrastructure products.
“Most routers will need a hardware upgrade due to WPA3’s encryption requirements,” said John Wu, CEO of Gryphon.
“Then there’s a new certification process, and client software will need to be rewritten, so it may take a couple of years for wider adoption,” he told TechNewsWorld.
“The fact that the protocol is backward-compatible with WPA2, and manufacturers seem on board, makes me think it will happen relatively quickly,” added Lerud.
Despite the security improvements in WPA3, there is no reason for consumers to rush to buy a new router that supports it, said Tripwire’s Young.
“Although WPA3 is based heavily on existing technologies, it is quite new, and researchers have not yet had time to poke at the technology for holes,” he noted.
“As with any new technology, there will likely be usability and security issues identified in various implementations,” he continued. “For now, the best action is probably to keep using a strong WPA2 passphrase with WPS disabled.”
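The closing advice (a strong WPA2 passphrase with WPS disabled) and the WPA2/WPA3-Personal distinction described earlier, expressed as a configuration check. This is an added example, not part of the original article; it assumes an access point configured through a hostapd-style file, which the article does not mention, and the sample config and the 16-character threshold are constructed assumptions.

```python
# Added example: checks a hostapd-style config against the article's advice.
MIN_PASSPHRASE_LEN = 16  # assumed threshold; the article only says "strong"

# Constructed sample config, not taken from a real device.
SAMPLE_CONF = """\
ssid=home-net
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=summer2018
wps_state=2
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def security_mode(conf):
    """Classify the personal-mode setup from wpa_key_mgmt."""
    akms = set(conf.get("wpa_key_mgmt", "").split())
    if {"SAE", "WPA-PSK"} <= akms:
        return "transition"      # WPA3 with WPA2 backward compatibility
    if "SAE" in akms:
        return "wpa3-personal"
    if "WPA-PSK" in akms:
        return "wpa2-personal"
    return "other"

def audit(text):
    """Return (mode, findings); findings never echo the passphrase."""
    conf = parse_conf(text)
    mode = security_mode(conf)
    findings = []
    # hostapd: wps_state=0 (or absent) means WPS is disabled.
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled: set wps_state=0")
    # WPA2 clients still rely on the passphrase alone, also in transition mode.
    passphrase = conf.get("wpa_passphrase")
    if mode in ("wpa2-personal", "transition") and passphrase is not None:
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    return mode, findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

For the constructed sample, the check reports a WPA2-only network with WPS still enabled and a short passphrase.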