People say "every kick in the ass is a step forward." Well, Belgian security researcher Mathy Vanhoef gave the WiFi Protected Access (WPA) standard a huge kick in the ass last fall when he disclosed details about KRACK, a vulnerability in the WPA2 WiFi protocol used by billions of devices.
The step forward came today when the WiFi Alliance, the organization that decides WiFi standards, published the first details about the upcoming WPA3 WiFi protocol.
A first official draft of the WPA3 WiFi authentication protocol will be available later this year, but the WiFi Alliance teased four major features today that users and hardware vendors should look forward to in the new standard.
The first feature is protection against brute-force attacks by blocking the WiFi authentication process after several failed login attempts. This is a basic feature found in many web or software authentication systems, and it makes perfect sense to deploy it on WiFi networks, which are most often subject to dictionary brute-force attacks.
The second is the ability to use nearby WiFi-enabled devices as the configuration panel for other devices. For example, a user will be able to use his phone or tablet to configure the WiFi WPA3 options of another device that doesn't have a screen, such as tiny IoT equipment like smart locks, smart light bulbs, and others.
The third and fourth features are related to encryption capabilities included in WiFi WPA3. The third is "individualized data encryption," which is a feature that encrypts connections between each device and the router or access point, and the fourth is an improved cryptographic standard that the WiFi Alliance described as "a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, [which] will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial." More details besides these generic descriptions are expected later in 2018.
Despite the WiFi Alliance's quick move to get a new version of the WPA WiFi authentication standard out, it will take some time before users will be able to buy devices with WPA3 support included.
Nonetheless, the rollout process is expected to go on without snags as vendors got on board with the new WPA protocol in a hurry, and most knew WPA2's time was up when they received word of the KRACK vulnerability under embargo, earlier in 2017.
"The standards behind WPA3 already existed for a while," said Mathy Vanhoef, the author of the KRACK attack on WPA2. "But now devices are *required* to support them, otherwise they won't receive the 'WPA3-certified' label."
"Linux's open source Wi-Fi client and access point already support the improved handshake," he added. "It just isn't used in practice. But hopefully, that will change now."