WPA3 could be safer: expert opinion
New Wi-Fi Alliance plans focus on security, but independent researchers find missed opportunities in them
Wi-Fi Protected Access 2, or WPA2, served well and for a long time. But after 14 years as the main wireless security protocol, gaps inevitably began to appear. The Wi-Fi Alliance therefore announced plans for its successor, WPA3, and has been releasing information about the upcoming changes in stages since the beginning of the year.
But the Wi-Fi Alliance, the organization responsible for certifying Wi-Fi products, may not have done everything it could to make wireless security truly modern; at least, one outside security researcher thinks so. Mathy Vanhoef, a researcher at the Catholic University of Leuven in Belgium who discovered the KRACK attack against WPA2 in 2016, believes the Wi-Fi Alliance could have done better by studying alternative security protocols and certifications.
A major difference between WPA2 and WPA3 is the way a device greets the router or other access point it is trying to join. WPA3 introduces a new greeting, or handshake, called Simultaneous Authentication of Equals (SAE). Its advantage is that it prevents attacks such as KRACK, which interfere with the WPA2 handshake: it ensures that the key exchange in which both devices prove their identity cannot be interrupted. To do so it treats the device and the router as equals, whereas previously the handshake had a supplicant (the device trying to join the network) and an authenticator (the router).
SAE fixes the major WPA2 vulnerabilities. That is an important step, but perhaps not a big enough one. Vanhoef says that, judging by the talk in the security community, the new handshake will stop damaging attacks like KRACK, but there are open questions about whether it is capable of anything more.
Vanhoef says the mathematical analysis of the handshake seems to confirm its security. "On the other hand, there are comments and criticisms from which it is clear that there are other options," he says. "The likelihood of small issues is higher than with other types of handshakes."
One concern is the possibility of side-channel attacks, in particular timing attacks. Although SAE resists attacks that interfere with the handshake directly, it may be vulnerable to more passive attacks that measure how long authentication takes and extract some information about the password from that.
In 2013, researchers from the University of Newcastle, in a cryptanalysis of SAE, found the handshake vulnerable to so-called small-subgroup attacks. Such attacks confine the keys exchanged between the router and the connecting device to a small, limited set of possibilities that is easier to break than the set normally available. To close this hole the researchers proposed adding another key-verification step to SAE, at the cost of some of the handshake's efficiency.
Still, SAE does protect against the attacks that exploit WPA2's flaws. Kevin Robinson, vice president of marketing at the Wi-Fi Alliance, says it makes offline dictionary attacks impossible. Such attacks are possible when an attacker can try thousands or hundreds of thousands of candidate passwords in a row without the network noticing. SAE also offers forward secrecy: even if an attacker gains access to the network, data already sent over it stays protected, which was not the case with WPA2.
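The handshake, the timing concern and the small-subgroup check described above are easiest to see in code. The following is an added example, not code from the article, the Wi-Fi Alliance or any WPA3 implementation: a simplified Dragonfly-style SAE exchange in Python over a toy MODP group, showing a hunting-and-pecking loop with a fixed round count (the mitigation for the timing side channel), the subgroup-membership check on the peer's commit (the extra verification step), and the Commit/Confirm exchange that makes a wrong password detectable only through a live exchange. The 63-bit group, the HMAC-based seed, the sample MAC addresses and the single-key derivation are simplifications assumed for the example and do not follow the IEEE 802.11 encoding byte for byte.

```python
import hashlib
import hmac
import secrets

# Toy MODP group.  Real SAE uses 2048-bit+ MODP groups or NIST curves; here a
# 63-bit safe prime p = 2q + 1 is found at import time so the numbers stay
# readable while the subgroup is far too large to collide by accident.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases, deterministic for 37 < n < 3.3e24."""
    if any(n % b == 0 for b in MR_BASES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int) -> tuple[int, int]:
    """Smallest q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime_from(1 << 61)
NBYTES = (P.bit_length() + 7) // 8
K_ITERATIONS = 40                          # fixed round count, as in RFC 7664
MAC_STA, MAC_AP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed


def derive_password_element(password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """Hunting-and-pecking derivation of the password element PE (simplified).
    All K_ITERATIONS rounds run even after a candidate is found, so the round
    count, which a passive observer can time, no longer depends on the password."""
    macs = max(mac_a, mac_b) + min(mac_a, mac_b)
    pe = 0
    for counter in range(1, K_ITERATIONS + 1):
        seed = hmac.new(macs, password + bytes([counter]), hashlib.sha256).digest()
        value = int.from_bytes(seed, "big") >> (256 - P.bit_length())
        if value < P:
            candidate = pow(value, (P - 1) // Q, P)   # map into the order-q subgroup
            if candidate > 1 and pe == 0:
                pe = candidate                        # keep first hit, keep looping
    if pe == 0:
        raise ValueError("no password element found")
    return pe


def commit(pe: int) -> tuple[int, int, int]:
    """Commit message: (secret rand, public scalar, public element)."""
    scalar = 0
    while scalar < 2:
        rand = 2 + secrets.randbelow(Q - 2)
        mask = 2 + secrets.randbelow(Q - 2)
        scalar = (rand + mask) % Q
    return rand, scalar, pow(pe, Q - mask, P)   # element = PE^(-mask) mod p


def validate_peer_commit(scalar: int, element: int) -> bool:
    """Extra verification step: reject anything outside the order-q subgroup,
    e.g. 1 or p-1, which would force the shared secret into a tiny subgroup."""
    if not 1 < scalar < Q or not 1 < element < P:
        return False
    return pow(element, Q, P) == 1


def shared_key(pe: int, rand: int, peer_scalar: int, peer_element: int) -> bytes:
    """(PE^peer_scalar * peer_element)^rand = PE^(rand * peer_rand) on both sides."""
    ss = pow(pow(pe, peer_scalar, P) * peer_element % P, rand, P)
    return hashlib.sha256(ss.to_bytes(NBYTES, "big")).digest()


def confirm_tag(key: bytes, own: tuple[int, int], peer: tuple[int, int]) -> bytes:
    """Confirm message: keyed MAC over both commits."""
    msg = b"".join(v.to_bytes(NBYTES, "big") for v in own + peer)
    return hmac.new(key, msg, hashlib.sha256).digest()


def run_handshake(sta_password: bytes, ap_password: bytes) -> bool:
    """Commit/Confirm exchange; True only when both sides accept each other.
    A wrong password shows up only through this live exchange, which is why
    password guesses against SAE cannot be checked offline."""
    pe_sta = derive_password_element(sta_password, MAC_STA, MAC_AP)
    pe_ap = derive_password_element(ap_password, MAC_STA, MAC_AP)
    r_sta, s_sta, e_sta = commit(pe_sta)
    r_ap, s_ap, e_ap = commit(pe_ap)
    if not (validate_peer_commit(s_ap, e_ap) and validate_peer_commit(s_sta, e_sta)):
        return False
    k_sta = shared_key(pe_sta, r_sta, s_ap, e_ap)
    k_ap = shared_key(pe_ap, r_ap, s_sta, e_sta)
    tag_sta = confirm_tag(k_sta, (s_sta, e_sta), (s_ap, e_ap))
    tag_ap = confirm_tag(k_ap, (s_ap, e_ap), (s_sta, e_sta))
    ap_accepts = hmac.compare_digest(tag_sta, confirm_tag(k_ap, (s_sta, e_sta), (s_ap, e_ap)))
    sta_accepts = hmac.compare_digest(tag_ap, confirm_tag(k_sta, (s_ap, e_ap), (s_sta, e_sta)))
    return ap_accepts and sta_accepts
```

Calling run_handshake with two equal passwords succeeds and with different passwords fails at the Confirm step, and validate_peer_commit rejects p-1, the order-2 element the extra verification step exists to catch. Note that CPython is not constant-time in general; what the hunting-and-pecking loop illustrates is only that the number of rounds is fixed.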
When the Wi-Fi Alliance first announced WPA3 in a January press release, it mentioned a "feature set" to improve security. The release hinted at four specific features. One of them, SAE, became the foundation of WPA3. The second, 192-bit encryption, is available to large corporations or financial institutions that move to WPA3. The other two features did not make it into WPA3.
Instead, those two ended up in separate certification programs. The first, Easy Connect, simplifies the process of connecting Internet of Things devices to a home network. The second, Enhanced Open, strengthens the protection of open networks, such as those at airports and cafés.
"I think the Wi-Fi Alliance deliberately worded the January press release so vaguely," says Vanhoef. "They did not promise that all of this would be included in WPA3. There were arguments that all these features would become mandatory. But only the handshake became mandatory, and I think that is bad."
Vanhoef worries that three separate certification programs, WPA3, Easy Connect and Enhanced Open, will confuse users more than grouping them under a WPA3 umbrella would. "We'll have to tell ordinary users to use Easy Connect and Enhanced Open," he says.
The Wi-Fi Alliance believes that separate certification programs will reduce user confusion. "It's important that the user understands the difference between WPA3 and the Enhanced Open protocol, which is designed for an open network," says Robinson. Likewise, he says, the Wi-Fi Alliance's industry members considered it very important that the Easy Connect protocol offer a seamless way to connect devices that still use WPA2, rather than limiting this capability to new devices.
And yet, whether users are confused or reassured by the Wi-Fi Alliance's certification programs, Vanhoef believes the Alliance could have been more open about how it selected its protocols. "They worked in private," he says. "Because of this, security experts and cryptographers had a hard time commenting on the process," which raises concerns both about potential SAE vulnerabilities and about the several certification programs.
Vanhoef also points out that an open process could have produced a more robust WPA3 protocol. "We often face secrecy," he says. "And then we discover that security has been weak as a result. In general, we have realized that it is always better to work openly."