The biggest Wi-Fi security update in 14 years was recently unveiled by the Wi-Fi Alliance. The Wi-Fi Protected Access 3 (WPA3) security certificate protocol provides some much-needed updates to the WPA2 protocol introduced in 2004. Rather than a wholesale working of Wi-Fi security, WPA3 is focused on bringing new techniques to bear against the cracks that have begun to show in WPA2.
The Wi-Fi Alliance also announced two additional, separate certification protocols alongside WPA3. The Enhanced Open and Easy Connect protocols are not dependent on WPA3, but they do improve security for specific types of networks and certain situations.
All of these protocols are now available for manufacturers to incorporate into their devices. If WPA2 is anything to go by, these protocols will eventually see universal adoption, but the Wi-Fi Alliance has not set any sort of timeline on when that should happen. Most likely, as new devices make their way into the market, we will eventually see a tipping point where WPA3, Enhanced Open, and Easy Connect are new mainstays.
So, what do all these new certification protocols do? There are a lot of details, and since most of them deal with wireless encryption, a lot of complicated math too, but here’s the gist of the four main changes these protocols will be bringing to wireless security.
Simultaneous Authentication of Equals
This is the biggest change that WPA3 brings to the table. The most important moment in any network’s defense is when a new device or user tries to connect. The enemy should remain outside the gate, which is why WPA2, and now WPA3, put a lot of emphasis on authenticating new connections and ensuring they aren’t attempts by attackers to gain access.
Simultaneous Authentication of Equals (SAE) is a new method of authenticating a device trying to connect to a network. A variation of the so-called dragonfly handshake that uses cryptography to prevent an eavesdropper guessing a password, SAE dictates exactly how a new device, or user, should “greet” a network router when they exchange cryptographic keys.
SAE replaces the Pre-Shared Key (PSK) method that has been in use since WPA2 was introduced in 2004. PSK is also known as a four-way handshake, after the number of back-and-forth handshakes, or messages, that had to pass between a router and a connecting device for both sides to prove they knew a previously agreed upon password without either side actually revealing it outright. Until 2016, PSK seemed secure, until Key Reinstallation Attacks (KRACK) were discovered.
A KRACK interrupts the series of handshakes by pretending to temporarily lose the connection to the router. In actuality, it is using the repeated connection opportunities to analyze the handshakes until it pieces together what the password must be. SAE blocks this kind of attack, as well as more common offline dictionary attacks, where a computer churns through hundreds, thousands, or millions of passwords to determine which password matches the verification information provided by the PSK handshakes.
As the name suggests, SAE works by considering devices as equals, rather than treating one side as an explicit requester and the other side an authenticator (traditionally the connecting device and the router, respectively). Either party can initiate the handshake, and then they proceed through sending their authentication information independently, rather as part of a back-and-forth exchange. Without the back-and-forth, KRACK has nowhere to get a foot in the door, and dictionary attacks are useless.
SAE offers an additional security feature that PSK doesn’t: forward secrecy. Suppose an attacker gains access to encrypted data that a router is sending and receiving from the wider Internet. Previously, the attacker could hold on to that data. Then later, if they succeeded in nabbing a password, they could decrypt the earlier stored data. With SAE, the encryption password is changed each time a connection is established, so even if an attacker did trick their way into the network, they could only steal the passwords to decrypt data transmitted after that time.
SAE is defined in the standard IEEE 802.11-2016, which, incidentally, is more than 3,500 pages long.
192-Bit Security Protocols
WPA3-Enterprise, a version of WPA3 certification geared toward financial institutions, governments, and corporations, features 192-bit encryption. This is an excessive level of security for, say, a router on a home network, but it makes sense for networks that deal with particularly sensitive information.
Wi-Fi currently delivers security with 128-bit security. The 192-bit security protocol will not be mandatory but rather an optional setting for institutions that want or require it for their networks. The Wi-Fi Alliance is also emphasizing that enterprise networks should have a strong level of cryptographic strength throughout: The overall strength of a system’s security hinges on its weakest link.
To ensure that the entire security of a network, from end to end, meets this level of consistency, WPA3-Enterprise will use a 256-bit Galois/Counter Mode Protocol for encryption, a 384-bit Hashed Message Authentication Mode to create and confirm keys, and an Elliptic Curve Diffie-Hellman exchange and Elliptic Curve Digital Signature Algorithm to authenticate keys. It’s a lot of complicated math, but the upshot is that each step of the process will maintain a 192-bit encryption and security minimum for organizations that want it.
Easy Connect is a recognition of the sheer number of connected devices in the world today. While not everyone may be jumping on the smart-home trend, odds are that the average person today has at least a few more devices connected to their home router than they did in 2004. Easy Connect is the Wi-Fi Alliance’s effort to make connecting all those devices more intuitive.
Rather than enter passwords every time you want to add something to your network, devices will have unique QR codes—each device’s code will function as a sort of public key. To add a device, you scan the code using a smartphone already connected to the network.