Wi-Fi is safer: everything you need to know about WPA3

WPA3, improved open [Enhanced Open], easy connection [Easy Connect]: three new protocols from the Wi-Fi Alliance

Recently, the Wi-Fi Alliance unveiled the largest Wi-Fi security update of the past 14 years. The Wi-Fi Protected Access 3 (WPA3) security protocol introduces much-needed updates to the WPA2 protocol introduced in 2004. Instead of completely redesigning Wi-Fi security, WPA3 focuses on new technologies that need to close the gaps that have begun to appear in WPA2.

The Wi-Fi Alliance also announced two additional, separate certification protocols that are being launched in parallel with WPA3. Enhanced Open and Easy Connect protocols are not dependent on WPA3, but they improve security for certain types of networks and situations.

All protocols are available for implementation by manufacturers in their devices. If WPA2 can be considered an indicator, then these protocols will eventually be accepted everywhere, but the Wi-Fi Alliance does not give any schedule by which this should happen. Most likely, with the introduction of new devices on the market, we will eventually reach the stage after which WPA3, Enhanced Open and Easy Connect will become new security pillars.

What are all these new protocols doing? There are a lot of details, and since most of them are related to wireless encryption, complex mathematics is also encountered - but here’s an approximate description of the four major changes that they will bring to wireless security.

Simultaneous peer authentication [Simultaneous Authentication of Equals, SAE]

The biggest change WPA3 will bring . The most important moment in the protection of the network comes when a new device tries to establish a connection. The enemy must remain behind the gate, so WPA2 and WPA3 pay a lot of attention to authenticating new connections and ensuring that they will not be hacker attempts to gain access.

SAE is a new device authentication method attempting to connect to the network. SAE is a variant of the so-called. dragonfly handshake [ dragonfly communication], which uses cryptography to prevent an intruder from guessing the password. It says exactly how a new device, or user, should “greet” the network router when exchanging cryptographic keys.

SAE is replacing the Pre-Shared Key (PSK) [Pre-Shared Key] method used since the WPA2 presentation in 2004. PSK is also known as four-way communication, since there are so many messages, or two-way “handshakes,” that need to be transferred between the router and the connecting device to confirm that they have agreed on a password, despite the fact that neither party informs the other . Until 2016, PSK seemed to be safe, and then an attack was launched with a Key Reinstallation Attacks ( KRACK ) reinstalled .

KRACK interrupts a series of handshakes, pretending that the connection with the router is temporarily interrupted. In fact, he uses repetitive connectivity to analyze handshakes until he can guess what the password was. SAE blocks the possibility of such an attack, as well as the most common offline dictionary attacks, when a computer goes through millions of passwords to determine which one fits the information received during PSK connections.

As the name implies, SAE works on the basis of the assumption of equality of devices, instead of considering one device to send requests, and the second - establishing the right to connect (traditionally, these were the device trying to connect and the router, respectively). Either party can send a connection request, and then they begin to send their credentials independently, instead of exchanging messages one by one, back and forth. And without such an exchange, the KRACK attack will not have the ability to “insert a foot between the door and the jamb”, and dictionary attacks will become useless.

SAE Offers Additional Security Enhancement That Was Not In PSK: Direct Secrecy[forward secrecy]. Suppose an attacker gains access to encrypted data that the router sends and receives from the Internet. Previously, an attacker could save this data, and then, in case of a successful password guessing, decrypt it. With the use of SAE, with each new connection, a new encrypting password is set, so even if the attacker at some point penetrates the network, he will only be able to steal the password from the data transmitted after that moment.

SAE is described in the IEEE 802.11-2016 standard , which covers more than 3,500 pages.

192-bit security protocols

WPA3-Enterprise , version of WPA3, designed to work in government and financial institutions, as well as in a corporate environment, has encryption of 192 bits. This level of encryption for the home router will be redundant, but it makes sense to use it in networks that work with particularly sensitive information.

Wi-Fi now works with 128 bit security. Security in 192 bits will not be mandatory - it will be a configuration option for those organizations whose networks will need it. The Wi-Fi Alliance also emphasizes that in industrial networks it is necessary to enhance security on all fronts: the stability of the system is determined by the resistance of the weakest link.

To ensure a proper level of security for the entire network, from start to finish, WPA3-Enterprise will use the 256-bit Galois / Counter Mode protocol for encryption, 384-bit Hashed Message Authentication Mode Mode for creating and confirming keys, and Elliptic Curve Diffie-Hellman algorithms exchange, Elliptic Curve Digital Signature Algorithm for key authentication. They have a lot of complex mathematics, but the plus is that at every step encryption of 192 bits will be supported.

Easy connect

Easy Connect is a recognition of the presence in the world of a huge number of devices connected to the network. And although it is possible that not all people will want to acquire smart homes, the average person most likely has more devices connected to the home router today than in 2004. Easy Connect - an attempt by the Wi-Fi alliance to make the connection of all these devices more intuitive.

Instead of entering a password every time you add a device, devices will have unique QR codes - and each device code will work as a public key. To add a device, you can scan the code using a smartphone already connected to the network.

After scanning, the device will exchange authentication keys with the network to establish a subsequent connection. Easy Connect is not connected to WPA3 — devices certified for it must have a certificate for WPA2, but not necessarily a certificate for WPA3.

Enhanced open

Enhanced Open is another separate protocol designed to protect a user on an open network. Open networks, such as those you use at a cafe or airport, carry a whole range of problems that usually do not concern you when you establish a connection at home or at work.

Many attacks occurring in an open network are considered passive. When a bunch of people connect to the network, an attacker can collect a lot of data simply by filtering the information passing by.

Enhanced Open uses opportunistic wireless encryption (OWE), defined in the Internet Engineering Task Force RFC 8110 standard .to guard against passive eavesdropping. OWE does not require additional protection with authentication - it focuses on improving the encryption of data transmitted over public networks in order to prevent their theft. It also prevents so-called. a simple packet injection [unsophisticated packet injection], in which an attacker tries to disrupt the network by creating and transmitting special data packets that look like part of the network’s normal operation.

Enhanced Open does not provide protection with authentication due to the peculiarities of the organization of open networks - they are by definition intended for universal use. Enhanced Open was designed to improve the protection of open networks against passive attacks, so as not to require users to enter additional passwords or pass additional steps.

It will take at least several years before WPA3, Easy Connect and Enhanced Open become the norm. WPA3 will be widely distributed only after replacing or updating routers. However, if you are concerned about the security of your personal network, you can replace your current router with another one that supports WPA3 as soon as manufacturers start selling them, which can happen in a few months.