
The Wi-Fi Alliance has recently announced a new standard in wireless, calling it Wi-Fi CERTIFIED WPA3™. WPA3 is designed as the successor to the widely used WPA2 and brings a number of core enhancements to improve security protections and onboarding procedures across personal, public, and enterprise networks.
“WPA” stands for Wi-Fi Protected Access. It defines the protocol that a router and Wi-Fi client devices use to perform the “handshake” that allows them to connect securely and communicate using strong encryption that is much more difficult to crack. This encryption ensures that a Wi-Fi access point (such as a router) and a Wi-Fi client (such as a laptop or phone) can communicate wirelessly without their traffic being snooped on.

More precisely, WPA2 and WPA3 are hardware certifications that device manufacturers must apply for. A manufacturer must fully implement the required security features before it can market a device as Wi-Fi CERTIFIED™ WPA2™ or Wi-Fi CERTIFIED™ WPA3™.
The Wi-Fi security protocol currently in use, WPA2, was finalised and first used in 2004. It was not built to handle today's quantity of connected devices, or the lackadaisical approach that many users take to their own security.

The newly unveiled standard, WPA3 (Wi-Fi Protected Access 3), seeks to improve two major areas: simplicity and strength.

Here are some key features provided by the new protocol:

Higher Security for Government, Defence, and Industrial Applications
While enterprises deploy highly secure networks using WPA2-Enterprise configurations, there are still too many options during implementation that can result in less-than-secure deployments. Hence, the Wi-Fi Alliance announced that the new WPA3 will include a “192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems”.

Data integrity will be implemented using Secure Hash Algorithm 2 (SHA-2), which produces distinct hash values for different inputs. The new WPA3-CNSA mode (EAP-TLS) uses Suite B TLS cipher suites and introduces the 192-bit security level commonly deployed in high-security Wi-Fi networks in government, defence, and industrial verticals. These cipher suites combine all of the various options (cipher mode, hash algorithm, key exchange, authentication method) into a single suite that provides consistent security for each user connection.
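To make concrete what "combining the options into a single suite" means, here is an added example (not code from the article or from the Wi-Fi Alliance) that parses a TLS 1.2 cipher-suite name into its key exchange, authentication, cipher, mode and hash components and checks each against the CNSA-aligned 192-bit profile as I understand it from the WPA3 specification (AES-256-GCM, SHA-384, ECDHE and ECDSA on P-384, RSA or DHE of at least 3072 bits). The suite names are standard IANA names; the curve and key-size arguments are assumed to come from the negotiated TLS session, and the observed sessions at the bottom are constructed.

```python
import re

# Grammar of a TLS 1.2 cipher-suite name, split into the components the
# text lists: key exchange, authentication, bulk cipher, mode and hash.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA|PSK)"
    r"(?:_(?P<auth>ECDSA|RSA|DSS|PSK|anon))?"
    r"_WITH_(?P<cipher>AES_128|AES_256|CHACHA20_POLY1305|3DES_EDE|RC4_128|NULL)"
    r"(?:_(?P<mode>GCM|CBC|CCM_8|CCM))?"
    r"_(?P<hash>SHA256|SHA384|SHA|MD5)$"
)


def parse_suite(name):
    """Split a suite name into its components; raise on unknown spellings."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    parts = m.groupdict()
    if parts["auth"] is None:
        # Static RSA or PSK key exchange: the same mechanism also authenticates.
        parts["auth"] = parts["kx"]
    return parts


def check_cnsa(name, curve=None, rsa_bits=None, dh_bits=None):
    """Return the list of ways a negotiated suite falls short of the
    WPA3-Enterprise 192-bit (CNSA-aligned) profile; an empty list means it
    fits. Profile as understood from the WPA3 specification (assumption):
    AES-256-GCM, SHA-384, ECDHE/ECDSA on P-384, RSA and DHE >= 3072 bits."""
    s = parse_suite(name)
    problems = []
    if s["kx"] not in ("ECDHE", "DHE"):
        problems.append(f"key exchange {s['kx']} is not ephemeral (need ECDHE or DHE)")
    if s["auth"] not in ("ECDSA", "RSA"):
        problems.append(f"authentication {s['auth']} is not ECDSA or RSA")
    if s["cipher"] != "AES_256" or s["mode"] != "GCM":
        problems.append(f"cipher {s['cipher']}/{s['mode']} is not AES-256-GCM")
    if s["hash"] != "SHA384":
        problems.append(f"hash {s['hash']} is not SHA-384")
    if (s["kx"] == "ECDHE" or s["auth"] == "ECDSA") and curve != "P-384":
        problems.append(f"elliptic curve {curve} is not P-384")
    if s["kx"] == "DHE" and (dh_bits is None or dh_bits < 3072):
        problems.append(f"DHE group of {dh_bits} bits is below 3072")
    if s["auth"] == "RSA" and (rsa_bits is None or rsa_bits < 3072):
        problems.append(f"RSA key of {rsa_bits} bits is below 3072")
    return problems


def audit(sessions):
    """Map each observed (suite name, parameters) pair to its problems."""
    return {name: check_cnsa(name, **params) for name, params in sessions}


# Constructed sample of what an EAP/RADIUS server might have negotiated.
OBSERVED = [
    ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", {"curve": "P-384"}),
    ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", {"rsa_bits": 4096, "dh_bits": 3072}),
    ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", {"curve": "P-256"}),
    ("TLS_RSA_WITH_AES_256_CBC_SHA", {"rsa_bits": 2048}),
]

if __name__ == "__main__":
    for suite, problems in audit(OBSERVED).items():
        print(suite, "OK" if not problems else problems)
```

A check like this belongs in the configuration audit of the RADIUS/EAP server: run it over every suite the server is willing to offer and disable any that returns a non-empty list, since a single permissive suite is exactly the "too many options" the paragraph warns about.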

Also, just like WPA and WPA2 before it, WPA3 has two “security modes”: WPA3-Personal and WPA3-Enterprise. The main difference between the two is in the authentication stage.

Protecting Public/Open Wi-Fi Networks

Currently, open Wi-Fi networks, the kind we find in airports, hotels, coffee shops, and other public locations, are a security mess: because they are open and allow anyone to connect, the traffic sent over them isn't encrypted at all. With WPA3, there are no more open networks!

Opportunistic Wireless Encryption (OWE) is a new feature in WPA3 that replaces the 802.11 “open” authentication widely used in hotspots and public networks. The key idea is to use a secure key exchange mechanism to encrypt all communication between a device and an access point (router). The decryption key for the communication is different for each client connecting to the access point, so none of the other devices on the network can decrypt it.

This benefit is called “Individualized Data Protection”: data traffic between a client and the access point is “individualized”, so other clients can't decrypt it.

WPA3 also blocks authentication after a certain number of failed log-in attempts and thus also provides protection against brute-force attacks.

A big advantage of OWE is that when you connect to an open Wi-Fi network, the traffic between your device and the Wi-Fi access point will be encrypted, even though you didn't enter a password at the time of connection.

WPA3 establishes mandatory certificate chain testing to ensure proper network verification by the end device. WPA3 also introduces mandatory management frame protection, which helps secure devices against an attacker masquerading as an access point. These will make public/open Wi-Fi networks much more private.

Protection Against Brute-Force Attacks

When a device connects to a Wi-Fi access point, the devices perform a “handshake” that ensures you've used the correct passphrase to connect and negotiates the encryption that will be used to secure the connection. With WPA2-PSK, this handshake proved vulnerable to the KRACK attack in 2017.

WPA3 defines a new handshake that “will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations”. The new security standard will use a new key exchange protocol, Simultaneous Authentication of Equals (SAE), otherwise known as the Dragonfly key exchange, to bolster defences: every login attempt between two devices using WPA3-SAE requires network interaction. That boils down to users being able to use easy-to-remember passwords whilst still protecting their network from easy infiltration. The WPA3 standard has thereby improved its ability to deal with ‘dictionary attacks’, i.e. brute-force attempts to guess Wi-Fi passwords from intercepted data.
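The claim a few paragraphs up that WPA3 blocks authentication after a number of failed attempts, and the claim here that SAE makes every guess cost a live exchange with the access point, come down to the same defensive property: a guesser has to go online, and online attempts can be throttled. The following is an added example, constructed for this page (it is neither the article's code nor the actual SAE anti-clogging mechanism of any implementation), that models a per-client lockout policy and replays constructed authentication events through it.

```python
from collections import defaultdict


class AuthLockout:
    """Per-client lockout after repeated failed authentications. A simplified
    model of the throttling the text describes; the thresholds are assumptions."""

    def __init__(self, max_failures=5, lockout_seconds=60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # client id -> consecutive failures
        self.locked_until = {}             # client id -> time the lockout ends

    def attempt(self, client, now, password_ok):
        """Process one authentication attempt and return its outcome label.

        While a client is locked out even a correct password is refused, so an
        online guesser learns nothing from continuing during the window."""
        until = self.locked_until.get(client)
        if until is not None:
            if now < until:
                return "locked-out"
            # Lockout has expired: clear it and start counting afresh.
            del self.locked_until[client]
            self.failures[client] = 0
        if password_ok:
            self.failures[client] = 0
            return "authenticated"
        self.failures[client] += 1
        if self.failures[client] >= self.max_failures:
            self.locked_until[client] = now + self.lockout_seconds
            return "lockout-triggered"
        return "rejected"


# Constructed sample events: (time in seconds, client MAC, passphrase correct?)
EVENTS = [
    (0, "aa:bb:cc:00:00:01", False),
    (1, "aa:bb:cc:00:00:01", False),
    (2, "aa:bb:cc:00:00:01", False),
    (3, "aa:bb:cc:00:00:01", False),
    (4, "aa:bb:cc:00:00:01", False),   # fifth failure: lockout starts
    (5, "aa:bb:cc:00:00:01", True),    # correct guess, refused during lockout
    (6, "aa:bb:cc:00:00:02", True),    # a different client is unaffected
    (70, "aa:bb:cc:00:00:01", True),   # lockout expired: accepted
]


def replay(events, max_failures=5, lockout_seconds=60):
    """Run the events through the policy and return the outcome per event."""
    policy = AuthLockout(max_failures, lockout_seconds)
    return [policy.attempt(client, t, ok) for t, client, ok in events]


def guesses_evaluated(events, max_failures=5, lockout_seconds=60):
    """How many wrong guesses the access point actually evaluated, i.e. the
    online cost the policy lets a guesser pay before the window closes."""
    outcomes = replay(events, max_failures, lockout_seconds)
    return sum(o in ("rejected", "lockout-triggered") for o in outcomes)


if __name__ == "__main__":
    for (t, client, _), outcome in zip(EVENTS, replay(EVENTS)):
        print(f"t={t:>3}s {client}: {outcome}")
    print("wrong guesses evaluated:", guesses_evaluated(EVENTS))
```

Two caveats a practitioner would add: a client MAC address is a weak identifier (a guesser can change it), so a real deployment pairs per-client lockout with a global rate limit on authentication frames, and a lockout keyed on the victim's identity can itself be used to deny that client service, which is why the window should be short and the events logged.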

WPA3 Forward Secrecy

Wireless networking uses radio signals to transmit information (data packets). These radio signals are broadcast openly and can be intercepted or “received” by anyone in the vicinity. When the wireless network is protected by a password, whether WPA2 or WPA3, the signals are encrypted, so a third party intercepting them will not be able to understand the data. However, an attacker can record all the data they intercept, and if they are able to guess the password in the future (which is possible via a dictionary attack on WPA2), they can use the key to decrypt data traffic recorded in the past on that network.

As a solution to this, WPA3 provides forward secrecy. The protocol is designed in such a way that even with the network password, it is impossible for an eavesdropper to snoop on traffic between the access point and a different client device.
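As an added example (not from the article), the following toy models the difference that the OWE passage and this forward-secrecy passage describe: in a passphrase-derived scheme the session key is a function of the passphrase plus values sent in the clear, so a recorded transcript plus a later-guessed passphrase reproduces the key; in an ephemeral Diffie-Hellman scheme each association contributes fresh secret exponents that never cross the air, so every client ends up with a different key and the passphrase alone recovers nothing. The group parameters, KDF, SSID, passphrase and nonces are constructed for illustration; this is not the real WPA2 PTK derivation and not the elliptic-curve groups that SAE and OWE actually use.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example: a Mersenne prime
# modulus (2^127 - 1) and generator 3. Real OWE and SAE run on elliptic
# curves such as NIST P-256; this group is for illustration only.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    """Fresh ephemeral key pair: private exponent x and public share g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(private, peer_public):
    """Both sides reach the same g^(xy) mod p from their own exponent and the
    other side's public share; an observer sees only the two public shares."""
    return pow(peer_public, private, P)


def kdf(*parts):
    """Toy key derivation: SHA-256 over length-prefixed inputs."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def psk_style_key(passphrase, ssid, anonce, snonce):
    """Model of a WPA2-PSK style session key: derived from the passphrase and
    from nonces that are sent in the clear (simplified, not the real PTK)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return kdf(pmk, anonce, snonce)


def dh_style_session():
    """Model of an OWE/SAE-style association: each side contributes an
    ephemeral share, and the session key depends on a secret that never
    crosses the air. Returns the AP's key, the client's key and the
    over-the-air view an eavesdropper would record."""
    ap_priv, ap_pub = dh_keypair()
    cl_priv, cl_pub = dh_keypair()
    ap_key = kdf(dh_shared(ap_priv, cl_pub).to_bytes(16, "big"))
    cl_key = kdf(dh_shared(cl_priv, ap_pub).to_bytes(16, "big"))
    on_air = {"ap_pub": ap_pub, "cl_pub": cl_pub}
    return ap_key, cl_key, on_air


def demo():
    """Compare what a recorded transcript plus the passphrase yields in each model."""
    ssid, passphrase = "ExampleNet", "correct horse battery staple"  # constructed
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)

    # PSK model: an observer who recorded the nonces and later learns the
    # passphrase recomputes exactly the key the two parties used.
    real_key = psk_style_key(passphrase, ssid, anonce, snonce)
    recomputed = psk_style_key(passphrase, ssid, anonce, snonce)

    # DH model: two clients associate with the same AP. Each pair agrees on
    # its key, the two keys differ, and neither the passphrase nor the
    # recorded public shares are the secret exponents.
    ap_key_a, cl_key_a, _ = dh_style_session()
    ap_key_b, cl_key_b, _ = dh_style_session()
    return {
        "psk_key_recomputable_from_passphrase": hmac.compare_digest(real_key, recomputed),
        "dh_parties_agree": hmac.compare_digest(ap_key_a, cl_key_a)
        and hmac.compare_digest(ap_key_b, cl_key_b),
        "dh_keys_differ_per_client": ap_key_a != ap_key_b,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The defensive reading: a capture of a PSK-protected network stays exposed for as long as the passphrase is guessable, so rotating the passphrase does not protect past captures; with an ephemeral exchange the capture is only as useful as the discrete-logarithm problem in the group, which is why the group size (P-256 or larger in real WPA3) matters far more than the passphrase.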

Wi-Fi Easy Connect

WPA3 also introduces Easy Connect, a feature that promises to “simplify the process of configuring security for devices that have limited or no display interface”. In simple terms, WPA3 will mean a smartphone or tablet can be used to manage everything connected to a network from one interface.

Using the Device Provisioning Protocol (DPP), users will be able to connect trickier gadgets to their network easily. Imagine yourself with a brand-new Google Home Mini or Amazon Alexa. The typical procedure is to connect to the IoT device and manually enter the network SSID and password. As you connect more and more devices, especially in an enterprise setting where you may need to connect a plethora of smart TVs, Apple HomePods, and connected lighting, scale becomes a huge problem. DPP provisioning gives a certificate-like credential to these devices and allows a trusted device to bootstrap another device onto a network with any of the following methods, of varying security:

- Scanning a QR code printed on the back of the device
- Using a simple code or phrase
- Touching the device with NFC

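When a configurator scans the QR code, what it reads is a DPP bootstrapping URI. The following added example (not the article's code, and not hostapd's or any vendor's implementation) parses such a URI into its fields as I understand the format from the DPP specification: "DPP:" followed by single-letter fields separated by ";" and terminated by ";;", where K carries the base64 bootstrapping public key, C the operating class/channel list and M the MAC address. The sample URI and the key bytes inside it are constructed placeholders, not a real key.

```python
import base64
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{12}")


def parse_dpp_uri(uri):
    """Parse "DPP:<k>:<v>;<k>:<v>;...;;" into a dict.

    Field letters as understood from the DPP specification (assumption):
    V version, C channel list, M MAC address, I free-form information,
    K base64 bootstrapping public key (mandatory). Unknown single-letter
    fields are kept as raw strings rather than rejected."""
    if not uri.startswith("DPP:") or not uri.endswith(";;"):
        raise ValueError("not a DPP bootstrapping URI")
    raw = {}
    for item in uri[len("DPP:"):-2].split(";"):
        key, sep, value = item.partition(":")
        if not sep or len(key) != 1 or not value:
            raise ValueError(f"malformed field: {item!r}")
        if key in raw:
            raise ValueError(f"duplicate field: {key}")
        raw[key] = value
    if "K" not in raw:
        raise ValueError("public key field K is mandatory")

    result = {"raw": raw}
    # validate=True rejects characters outside the base64 alphabet instead
    # of silently skipping them.
    result["public_key"] = base64.b64decode(raw["K"], validate=True)
    if "M" in raw:
        if not MAC_RE.fullmatch(raw["M"]):
            raise ValueError("M must be 12 hex digits")
        result["mac"] = raw["M"].lower()
    if "C" in raw:
        channels = []
        for entry in raw["C"].split(","):
            op_class, sep, chan = entry.partition("/")
            if not sep or not op_class.isdigit() or not chan.isdigit():
                raise ValueError(f"bad channel entry: {entry!r}")
            channels.append((int(op_class), int(chan)))
        result["channels"] = channels
    return result


# Constructed sample. In a real URI the K value is a DER-encoded EC public
# key; here it is base64 of a placeholder byte string, not a real key.
SAMPLE_KEY = b"PLACEHOLDER-BOOTSTRAP-PUBLIC-KEY"
SAMPLE_URI = (
    "DPP:V:2;C:81/1,115/36;M:AABBCC000001;I:SN=CONSTRUCTED-0001;K:"
    + base64.b64encode(SAMPLE_KEY).decode()
    + ";;"
)

if __name__ == "__main__":
    parsed = parse_dpp_uri(SAMPLE_URI)
    print("mac:", parsed["mac"])
    print("channels:", parsed["channels"])
    print("key bytes:", len(parsed["public_key"]))
```

The parser only establishes that the scanned string is well formed. The trust decision in DPP rests on the public key having come from the device itself (the printed label, the NFC tag), so a configurator should reject a URI that fails to parse rather than use the parts it could read, and should bind the parsed key to the physical device it was taken from before provisioning network credentials to whoever presents that key.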
Caveat

The WPA3 certification program only “mandates” support of the new Dragonfly handshake. The other features are either optional or part of other certification programs.

First, the technology to easily and securely add new devices to a network will be certified under the Wi-Fi CERTIFIED Easy Connect program. Second, improved security features for open hotspots (based on unauthenticated encryption) will be tested for interoperability under the Wi-Fi CERTIFIED Enhanced Open program. This means that if someone buys a device that is WPA3 capable, there is no guarantee whatsoever that it supports these two features. Third, the increased key sizes are an optional part of the WPA3-Personal certification; they are mandatory only in the WPA3-Enterprise version.

Hence, various security experts suspect that, in practice, this means manufacturers will just implement the new handshake, slap a “WPA3 certified” label on it, and be done with it.
