On Monday, the Wi-Fi Alliance, the organization that manages Wi-Fi technologies, announced the official release of WPA3.
WPA3 is the latest version of Wi-Fi Protected Access (WPA), the Wi-Fi Alliance's security certification program covering how devices authenticate to a Wi-Fi network and how the traffic is encrypted.
News that the Wi-Fi Alliance was working on WPA3 leaked online in January. The organization started working on WPA3 after a security researcher revealed KRACK, a family of key reinstallation attacks against the WPA2 four-way handshake that let an attacker within radio range force nonce reuse and decrypt (and in some configurations inject) traffic on a WPA2-protected network without knowing its password.
WPA3 support is currently optional for newly produced devices, but the Wi-Fi Alliance intends to make it a requirement for Wi-Fi CERTIFIED devices in the coming years. A date has not been set yet, and WPA3 will retain interoperability with older WPA2 devices to keep friction during the transition as low as possible: a WPA3-Personal access point can run in a transition mode that accepts both WPA2-PSK and WPA3 clients on the same network.
Just like WPA and WPA2 before it, there are two WPA3 "security modes", WPA3-Personal and WPA3-Enterprise. The main difference between the two lies in how clients authenticate and derive their keys.
WPA3-Personal uses Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that replaces the Pre-shared Key (PSK) derivation of WPA2-Personal; the four-way handshake still runs afterwards, but the master key it starts from now comes out of the SAE exchange rather than straight from the passphrase. WPA3-Enterprise keeps the IEEE 802.1X/EAP authentication of WPA2-Enterprise and adds an optional 192-bit security mode built on a stronger cipher suite (AES-256 in GCM mode, HMAC-SHA384 key derivation, and 384-bit elliptic-curve key exchange and signatures).
The WPA3-Enterprise security mode, and its 192-bit option in particular, is recommended for devices used on enterprise, government, and financial networks.
As for WPA3-Personal, this is the standard that most of us will be interacting with on a regular basis once we replace older devices.
The Wi-Fi Alliance says WPA3's SAE is resistant to offline dictionary attacks. Against WPA2-Personal, an attacker only needs to record one handshake and can then test candidate passwords against that capture on their own hardware, as fast as the hardware allows and without ever touching the network again. With SAE, a recorded handshake gives the attacker nothing to test guesses against; each guess requires a fresh, live exchange with the access point.
Security experts who've analyzed the standard say WPA3 will block authentication requests after several failed attempts, so an access point can throttle this online guessing and sharply limit the impact of brute-force attacks.
Furthermore, WPA3's SAE also provides forward secrecy. This is a property of key-exchange protocols in which each session's keys are derived from fresh, ephemeral values rather than from the long-term secret alone, so later compromise of that secret (here, the Wi-Fi password) does not expose earlier sessions. In WPA2-Personal the opposite holds: the session keys are a deterministic function of the password and values sent in the clear during the handshake, so anyone who later learns the password can decrypt old traffic captures from that network. With WPA3, attackers who discover a network's password still can't decrypt traffic they recorded earlier from other participants.
A separate Wi-Fi feature also announced with WPA3 is a technology called Wi-Fi Easy Connect. This feature is aimed at smart (Internet of Things) devices that don't have a screen or keyboard on which a user could enter Wi-Fi network settings.
For example, a user will be able to use a phone or tablet to configure the Wi-Fi settings of another device that doesn't have a screen, such as tiny IoT equipment like smart locks and smart light bulbs, typically by scanning a QR code printed on the device to onboard it onto the network.
The Wi-Fi Alliance says Wi-Fi Easy Connect will be available for devices running both WPA2 and WPA3, and this is not a WPA3-exclusive feature.
Earlier this month, the Wi-Fi Alliance also announced Wi-Fi Enhanced Open, another certification, this one meant to be deployed on "open Wi-Fi networks" such as those in airports, malls, bars, or internet cafes.
The technology works by using Opportunistic Wireless Encryption (OWE, specified in RFC 8110) to encrypt each connection between a Wi-Fi user and the router/access point with its own key: during association the client and the access point perform an unauthenticated Diffie-Hellman exchange, and the resulting shared secret seeds that client's pairwise keys.
This per-user encryption prevents local attackers from passively snooping on other users' traffic, even if the network doesn't require a password to join. It does not, however, authenticate the access point: an attacker who actively sets up a look-alike open network can still complete the exchange with a victim and read that victim's traffic, so Enhanced Open raises the bar from "anyone in range can read everything" to "an attacker must run an active rogue access point", nothing more.
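The exchange just described, with both sides' steps and the active-attacker caveat, as an added example that is not part of the article or of any OWE implementation. It uses OWE's default group (NIST P-256, group 19) with hand-written curve arithmetic so that it runs on the Python standard library alone, and derives the PMK with the HKDF-extract/expand structure of RFC 8110 section 4.4 (the exact byte encoding of the public elements and group number in the salt is simplified here and is an assumption of this demo, not a spec-accurate encoding). The curve multiplication is plain double-and-add and not constant-time, which is fine for illustration only.

```python
"""OWE-style per-client key agreement on an open network (added demo)."""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (OWE's default group 19).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = (-3) % P
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GROUP = 19


def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    # Affine point addition; None is the point at infinity.
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt):
    # Double-and-add scalar multiplication (not constant-time; illustration only).
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, n: int) -> bytes:
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:n]


def owe_pmk(shared_x: int, client_pub, ap_pub) -> bytes:
    # RFC 8110 4.4 structure: prk = HKDF-extract(C | A | group, z);
    #                         PMK = HKDF-expand(prk, "OWE Key Generation", n).
    # Assumption of this demo: C and A are the x-coordinates, group is 2 bytes little-endian.
    z = shared_x.to_bytes(32, "big")
    salt = (client_pub[0].to_bytes(32, "big") + ap_pub[0].to_bytes(32, "big")
            + GROUP.to_bytes(2, "little"))
    return hkdf_expand(hkdf_extract(salt, z), b"OWE Key Generation", 32)


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def client_request():
    # Association request carries a fresh ephemeral public element (no password involved).
    return keygen()


def ap_response(client_pub):
    # The AP also uses a fresh ephemeral key per association and answers with its element.
    a_priv, a_pub = keygen()
    return a_pub, owe_pmk(ec_mul(a_priv, client_pub)[0], client_pub, a_pub)


def client_finish(c_priv: int, c_pub, ap_pub) -> bytes:
    return owe_pmk(ec_mul(c_priv, ap_pub)[0], c_pub, ap_pub)


def run_association():
    # One client joining: returns (client's PMK, AP's PMK); a passive sniffer sees only
    # the two public elements, from which neither side's private scalar follows.
    c_priv, c_pub = client_request()
    a_pub, ap_pmk = ap_response(c_pub)
    return client_finish(c_priv, c_pub, a_pub), ap_pmk


def evil_twin_succeeds() -> bool:
    # The caveat: OWE has no authentication. An attacker who answers the association
    # request first simply becomes the other end of the exchange and shares the PMK
    # with the victim, exactly as a real AP would.
    c_priv, c_pub = client_request()
    m_pub, mallory_pmk = ap_response(c_pub)       # attacker acting as the AP
    return client_finish(c_priv, c_pub, m_pub) == mallory_pmk


if __name__ == "__main__":
    pmk_client, pmk_ap = run_association()
    print("client and AP agree:", pmk_client == pmk_ap)
    print("evil twin shares the key with the victim:", evil_twin_succeeds())
```

Two associations by the same client yield unrelated PMKs because both scalars are fresh each time, which is also why OWE gives forward secrecy. The `evil_twin_succeeds` function is the property to keep in mind when deploying Enhanced Open: it defeats passive sniffing, not an active rogue access point, so it complements rather than replaces TLS on the applications riding over the open network.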
Following the disclosure of the KRACK vulnerability, the Wi-Fi Alliance has reacted admirably and has released technologies meant to boost everyone's security. Now, all that remains is for device vendors to incorporate them in new products at their earliest convenience.
The researcher behind the KRACK attack has also published his analysis on the new WPA3 standard.