Wi-Fi security has a long and sordid past. The original Wired Equivalent Privacy (WEP) for 802.11 wireless networks was used with 802.11a and 802.11b. It used an RC4 stream cipher for encryption and the CRC-32 checksum for integrity. WEP has 64-bit and 128-bit versions. Unfortunately, though, it’s been hacked.
The Wi-Fi Alliance addressed WEP by moving to Wi-Fi Protected Access (WPA). WPA2 has been commonly used and improved since 2004. Most systems ship with WEP for backward compatibility, but WPA2 is the recommended platform.
WPA2 utilized the Advanced Encryption Standard (AES) to provide better security along with new handshake protocols. WPA2 has been under attack, too, including the WPA2 KRACK attack.
Enter WPA3.
WPA3 was released in June of 2018. Like WPA2, it includes WPA3-Personal and WPA3-Enterprise versions. WPA3 makes it mandatory to use Protected Management Frames (PMF), whereas the PMF was a late addition and optional for WPA2. The 128-bit AES encryption employed with WPA2 is still in effect with WPA3, but the enterprise version requires 192-bit AES support. It’s optional for the personal edition.
WPA3 uses the Simultaneous Authentication of Equals (SAE) to replace WPA2’s Pre-Shared Key (PSK) exchange protocol. SAE is a more secure protocol for handling the initial key exchange addressed with the KRACK. SAE, also known as Dragonfly Key Exchange, uses forward secrecy and is resistant to offline decryption attacks.
WPA2’s 4-way handshake was susceptible to offline dictionary-based attacks, especially when short passwords under 16 characters were employed. WPA3’s handshake protocol forces real-time attacks, essentially eliminating dictionary attack techniques.
Forward secrecy, used with WPA3, prevents an attacker from recording the encrypted transmission of a session and then decoding it in the future, should the wireless network password be obtained in some fashion.
Opportunistic Wireless Encryption (OWE)
The 802.11 “open” authentication support has been replaced with Opportunistic Wireless Encryption (OWE). It’s designed for use with networks that don’t have network passwords while providing encryption communication. Each device receives its own key providing Individualized Data Protection (IDP). IDP is useful even for password-protected networks, since knowing the network password doesn’t provide access to other encrypted communication.
OWE is very useful, but it will not protect against all attacks. It’s still possible to set up "rogue" access points (APs) like honeypot APs or evil twins. These are used to fool users into connecting to the APs so that the systems can steal information. This underscores why security in depth is important, as additional encryption or authentication is effective in this case.
WPA3 doesn’t mandate OWE. Look for the Wi-Fi CERTIFIED Enhanced Open logo.
Doing Away with WPS
The Wi-Fi Protected Setup (WPS) feature of WPA2 made it easier to link new devices with a wireless network. Typically, it involved pushing a button on the access point and one on the device to initiate a handshake within a time-limited session. It was also possible to use an eight-digit pin instead of the potentially longer network key. The system worked, but it wasn’t necessarily as secure as one might like.
The Wi-Fi Device Provisioning Protocol (DPP) replaces WPS. Because DPP is an optional feature, it may not be found on a device unless it’s part of Wi-Fi CERTIFIED Easy Connect program.
Like other linking methods used for device networks such as Z-Wave, DPP leverages out-of-band (OOB) communication with either QR codes or near-field communication (NFC) along with a smartphone to acquire the necessary information to identify a device. This assumes that the smartphone is connected to the wireless network, and hence an AP, so that the device can be provisioned.
On the plus side, this process potentially provides more information to the smartphone, which could be utilized to make additional linkages such as connecting the device to the cloud in an Internet of Things (IoT) application.
WPA3 systems are just now becoming available. It may be possible to upgrade existing systems to support WPA3. However, if history is an example, then most current systems will likely need to be replaced to get WPA3 security. Many new systems will provide backward compatibility, even to WEP, but this will be on a per-system basis. Whether a device can be upgraded with new software depends on a number of factors, including the hardware involved and the amount of headroom in terms of memory and performance of the existing system.
