WPA3 Adds Four Security Enhancements, One of Which Matters

The Wi-Fi Alliance announced its next security enhancement today, called WPA3.  The press release touts "four new capabilities", but only one of the four affects practical Wi-Fi security.

As they are occasionally wont to do, the Wi-Fi Alliance announced a new certification today via a press release featuring an artisnal blend of normal words and corporate gobbledygook.  For those who speak fluent corporate gobbledygook, here are the four enhancements of WPA3:
  • Robust protections even when users choose passwords that fall short of typical complexity recommendations.
  • Simplify the process of configuring security for devices that have limited or no display interface.
  • Strengthen user privacy in open networks through individualized data encryption.
  • A 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems to forther protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.
As the Wi-Fi community's self-proclaimed corporate-gobbledygook-to-English translator, I will explain WPA3 in a language that all pro-American Americans can understand.

Robust protections even when users choose passwords that fall short of typical complexity recommendations

What does it mean?

WPA2 Personal passphrases will no longer be vulnerable to dictionary attacks.

Does it matter?

If you use WPA2 Enterprise, no.  (Although, if you use WPA2 Enterprise with PEAP or EAP-TTLS authentication, then your authentication security is WORSE than WPA2 Personal already.  So, change that ASAP.)

If you use WPA2 Personal, not really.  Math folk define "flawed" as "vulnerable to something that would be faster than a brute force attack".  And, sure, WPA2 Personal passphrases are flawed by that definition.  Engineering folk, on the other hand, define "flawed" as "actually flawed".  Meaning that someone would have to be able to realistically recover a WPA2 Personal passphrase via a dictionary attack.  By an engineer's definition, WPA2 Personal is not flawed.  Dictionary attacks on WPA2 Personal passphrases are too slow to work in the real world, unless the targeted passphrase is LITERALLY a word from the Webster's dictionary.

Simplify the process of configuring security for devices that have limited or no display interface

What does it mean?

WPS is getting "fixed".

Does it matter?

I don't know and I don't care.  WPS is push-button WPA2 Personal for printers, coffee makers, and other devices that may not have a traditional user interface.  WPS is another one of those things with theoretical flaws, but no documented occurrences of real world security compromises.

Strengthen user privacy in open networks through individualized data encryption

What does it mean?

An SSL-like link will be set up between station and AP when devices connect to open Wi-Fi.

Does it matter?

Yes!  No more VPNs at hotspots!

Ever since SSL became ubiquitous, WPA2 encryption has been redundant... except in one way.  WPA2 prevents wireless eavesdroppers from finding out which servers people are accessing.  For example, if I went to my local German restaurant and used their Wi-Fi to access Twitter, nobody would be able to wirelessly eavesdrop on my username, password, timeline, DMs, or any other "content", but they would be able to see that I accessed Twitter.

Traditionally, privacy-obsessed users of open Wi-Fi have had to use VPNs to prevent wireless eavesdroppers from finding out which sites, apps, and services are being accessed.  The SSL-like encryption between station and AP will stop that "information seepage", as the kids call it.

I should note that the BIG attacks on open Wi-Fi; Wi-Phishing and man-in-the-middle, will continue to be just as much of a threat as they have always been.  WPA3 does nothing to prevent a hooligan from setting up a Wi-Fi Pineapple with the goal of attracting stray associations.

A 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems to forther protect Wi-Fi networks with higher security requirements such as government, defense, and industrial

What does it mean?

192-bit AES encryption.  WPA2 uses 128-bit AES.

Does it matter?

How big of a nerd do you think I am?

I don't know.  I guess 128-bit encryption might not be long enough to withstand a bruteforce attack, given today's processing capabilities.  I wouldn't doubt it.  And obviously 192-bit encryption means that there are two-to-the-one-hundred-ninety-second-power possible encryption keys, rather than two-to-the-one-hundred-twenty-eighth-power.  But if you were to say, "Ben, this is all a conspiracy by Big Wi-Fi to sell unnecessary security to the U.S. military," I'd say, "you may have a point."

******

If you like my blog, you can support it by shopping through my Amazon link or becoming a Patron on Patreon.  Thank you.

Twitter: @Ben_SniffWiFi

ben at sniffwifi dot com

Comments

  1. "WPA2 Enterprise with PEAP or EAP-TTLS authentication, then your authentication security is WORSE than WPA2 Personal already"
    where did you read that?

    ReplyDelete
    Replies
    1. I didn't read it anywhere. It's just a fact.

      Delete
    2. WPA2-PSK can use a 256-bit key derived from a password for authentication, can be crackable by a dictionary attack.

      WPA2-Enterprise, also known as 802.1x uses a RADIUS server for authentication purposes. Authentication is achieved using variants of the EAP protocol. This is a more complex but more secure setup.

      I didn't get your point.

      Delete
    3. I'd be interested to hear the rationale there too, and not in a derogatory way mind you, just in an informational one!

      Delete
    4. I would have thought mechanisms that employ TLS tunnels would be more secure than ones that do not? Hopefully you can elaborate?

      Delete
    5. Password-based EAP is worse than WPA2 Personal for two reasons:

      1) Cracking of Password-based EAP is guaranteed; WPA2 Personal cracking relies on extraordinarily weak passphrases.

      2) EAP almost always uses enterprise credentials; WPA2 Personal almost never does.

      Delete
  2. You imply that all devices without displays are simplistic. There are many devices that have no displays and yet are quite expensive and sophisticated.
    Sometimes WPS gets too much credit. It has had, and still has, problems even if most of these are caused by a manufacturer's lack of (security) imagination.
    You did not mention it, but Protected Management Frames have been required with all WPA2 certifications since early 2016.

    ReplyDelete
    Replies
    1. I don't imply anything about how expensive devices are.

      Delete
  3. Two points I'd like to raise.

    1. I think you should caveat that BADLY configured WPA2 with PEAP is WORSE than WPA2 Personal. The weakness is the RADIUS Man in the Middle attack which can be mitigated with the correct use of Server Certs and Client configuration.

    2. I think you hit the nail on the head with WPS being for devices without a traditional UI. Surely this would be ideal in the world of IoT where sensors etc may not have a useful UI. So as WLAN engineers we may well care :)

    ReplyDelete
    Replies
    1. Any PEAP is worse than WPA2 Personal, for the two reasons cited above. We shall see if IoT sensors used in enterprises Wi-Fi start using WPS. I have yet to see that, but who knows what will happen in the future?

      Delete
  4. When capturing WiFi traffic between a device and an AP, that is secured by WPA2, the layer 2 packets can be decrypted as long as the initial 4-phase handsake and and the PSK are known. I rely on this routinely for ethical traffic analysis.

    Will there be a way to do this type of analysis on WPA3 protected traffic?

    ReplyDelete
  5. I liked your work and the way in which you have shared this article here aboutsecurity companies midlands. It is a beneficial and helpful article for us. Thanks for sharing an article like this.

    ReplyDelete
  6. This is a very nice one and gives in-depth information. I am really happy with the quality and presentation of the article. I’d really like to appreciate the efforts you get with writing this post. Thanks for sharing.
    Corporate course in Bangalore

    ReplyDelete

  7. Great article by the great author, it is very massive and informative but still preaches the way to sounds like that it has some beautiful thoughts described so I really appreciate this article. Best türsprechanlage mit video service provider

    ReplyDelete

  8. It's like you've got the point right, but forgot to include your readers. Maybe you should think about it from different angles.
    Best Data Science Courses in Bangalore

    ReplyDelete
  9. Impressive blog to be honest definitely this post will inspire many more upcoming aspirants. Eventually, this makes the participants experience and innovate themselves knowledge wise by visiting this kind of a blog. Once again excellent job keep inspiring with your cool stuff.

    Data Science Training in Bhilai

    ReplyDelete
  10. This comment has been removed by the author.

    ReplyDelete
  11. I just need to say this is a well-informed article that you have shared here about home security systems toledo. It is an engaging and gainful article for us. Continue imparting this sort of info, Thanks to you.

    ReplyDelete
  12. Thanks for sharing this article here about the Business. Your article is very informative and I will share it with my other friends as the information is really very useful. Keep sharing your excellent work.security guard training in twickenham site.

    ReplyDelete
  13. I read the above article and I got some different kind of information from your article about a mattress. It is a helpful article to enhance our knowledge for us. Thankful to you for sharing an article like this.WB Sales and Service

    ReplyDelete
  14. I admire this article for the well-researched content and excellent wording. Read more info about Toronto Construction Security Guard Service. I got so involved in this material that I couldn’t stop reading. I am impressed with your work and skill. Thank you so much.

    ReplyDelete
  15. The delightful article you have posted here. This is a good way to increase our knowledge.WB Sales and Service Continue sharing this kind of articles, Thank you.

    ReplyDelete

Post a Comment

Popular posts from this blog

Chips, Glorious Wi-Fi 6E Chips!

Five Facts About 6 GHz Wi-Fi

Go To Sleep, Go To Sleep, Go To Sleep Little iPhone