WPA3 Adds Four Security Enhancements, One of Which Matters

The Wi-Fi Alliance announced its next security enhancement today, called WPA3.  The press release touts "four new capabilities", but only one of the four affects practical Wi-Fi security.

 As they are occasionally wont to do, the Wi-Fi Alliance announced a new certification today via a press release featuring an artisnal blend of normal words and corporate gobbledygook.  For those who speak fluent corporate gobbledygook, here are the four enhancements of WPA3:
  • Robust protections even when users choose passwords that fall short of typical complexity recommendations.
  • Simplify the process of configuring security for devices that have limited or no display interface.
  • Strengthen user privacy in open networks through individualized data encryption.
  • A 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems to forther protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.
As the Wi-Fi community's self-proclaimed corporate-gobbledygook-to-English translator, I will explain WPA3 in a language that all pro-American Americans can understand.

Robust protections even when users choose passwords that fall short of typical complexity recommendations

What does it mean?

WPA2 Personal passphrases will no longer be vulnerable to dictionary attacks.

Does it matter?

If you use WPA2 Enterprise, no.  (Although, if you use WPA2 Enterprise with PEAP or EAP-TTLS authentication, then your authentication security is WORSE than WPA2 Personal already.  So, change that ASAP.)

If you use WPA2 Personal, not really.  Math folk define "flawed" as "vulnerable to something that would be faster than a brute force attack".  And, sure, WPA2 Personal passphrases are flawed by that definition.  Engineering folk, on the other hand, define "flawed" as "actually flawed".  Meaning that someone would have to be able to realistically recover a WPA2 Personal passphrase via a dictionary attack.  By an engineer's definition, WPA2 Personal is not flawed.  Dictionary attacks on WPA2 Personal passphrases are too slow to work in the real world, unless the targeted passphrase is LITERALLY a word from the Webster's dictionary.

Simplify the process of configuring security for devices that have limited or no display interface

What does it mean?

 WPS is getting "fixed".

Does it matter?

 I don't know and I don't care.  WPS is push-button WPA2 Personal for printers, coffee makers, and other devices that may not have a traditional user interface.  WPS is another one of those things with theoretical flaws, but no documented occurrences of real world security compromises.

Strengthen user privacy in open networks through individualized data encryption

 What does it mean?

 An SSL-like link will be set up between station and AP when devices connect to open Wi-Fi.

Does it matter?

 Yes!  No more VPNs at hotspots!

Ever since SSL became ubiquitous, WPA2 encryption has been redundant... except in one way.  WPA2 prevents wireless eavesdroppers from finding out which servers people are accessing.  For example, if I went to my local German restaurant and used their Wi-Fi to access Twitter, nobody would be able to wirelessly eavesdrop on my username, password, timeline, DMs, or any other "content", but they would be able to see that I accessed Twitter.

Traditionally, privacy-obsessed users of open Wi-Fi have had to use VPNs to prevent wireless eavesdroppers from finding out which sites, apps, and services are being accessed.  The SSL-like encryption between station and AP will stop that "information seepage", as the kids call it.

I should note that the BIG attacks on open Wi-Fi; Wi-Phishing and man-in-the-middle, will continue to be just as much of a threat as they have always been.  WPA3 does nothing to prevent a hooligan from setting up a Wi-Fi Pineapple with the goal of attracting stray associations.

A 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems to forther protect Wi-Fi networks with higher security requirements such as government, defense, and industrial

 What does it mean?

 192-bit AES encryption.  WPA2 uses 128-bit AES.

Does it matter?

 How big of a nerd do you think I am?

I don't know.  I guess 128-bit encryption might not be long enough to withstand a bruteforce attack, given today's processing capabilities.  I wouldn't doubt it.  And obviously 192-bit encryption means that there are two-to-the-one-hundred-ninety-second-power possible encryption keys, rather than two-to-the-one-hundred-twenty-eighth-power.  But if you were to say, "Ben, this is all a conspiracy by Big Wi-Fi to sell unnecessary security to the U.S. military," I'd say, "you may have a point."

******

If you like my blog, you can support it by shopping through my Amazon link or becoming a Patron on Patreon.  Thank you.

Twitter: @Ben_SniffWiFi

ben at sniffwifi dot com

Comments

  1. DinisJanuary 9, 2018 at 2:32 PM

    "WPA2 Enterprise with PEAP or EAP-TTLS authentication, then your authentication security is WORSE than WPA2 Personal already"
    where did you read that?

    ReplyDelete
    Replies
    1. Ben MillerJanuary 11, 2018 at 1:04 PM

      I didn't read it anywhere. It's just a fact.

      Delete
    2. DinisJanuary 11, 2018 at 3:27 PM

      WPA2-PSK can use a 256-bit key derived from a password for authentication, can be crackable by a dictionary attack.

      WPA2-Enterprise, also known as 802.1x uses a RADIUS server for authentication purposes. Authentication is achieved using variants of the EAP protocol. This is a more complex but more secure setup.

      I didn't get your point.

      Delete
    3. ExmachinahJanuary 12, 2018 at 7:52 AM

      I'd be interested to hear the rationale there too, and not in a derogatory way mind you, just in an informational one!

      Delete
    4. Airproof BlogJanuary 22, 2018 at 6:01 AM

      I would have thought mechanisms that employ TLS tunnels would be more secure than ones that do not? Hopefully you can elaborate?

      Delete
    5. Ben MillerJanuary 29, 2018 at 11:46 AM

      Password-based EAP is worse than WPA2 Personal for two reasons:

      1) Cracking of Password-based EAP is guaranteed; WPA2 Personal cracking relies on extraordinarily weak passphrases.

      2) EAP almost always uses enterprise credentials; WPA2 Personal almost never does.

      Delete
  2. HowardJanuary 10, 2018 at 9:05 AM

    You imply that all devices without displays are simplistic. There are many devices that have no displays and yet are quite expensive and sophisticated.
    Sometimes WPS gets too much credit. It has had, and still has, problems even if most of these are caused by a manufacturer's lack of (security) imagination.
    You did not mention it, but Protected Management Frames have been required with all WPA2 certifications since early 2016.

    ReplyDelete
    Replies
    1. Ben MillerJanuary 11, 2018 at 1:06 PM

      I don't imply anything about how expensive devices are.

      Delete
  3. UnknownJanuary 23, 2018 at 1:14 AM

    Two points I'd like to raise.

    1. I think you should caveat that BADLY configured WPA2 with PEAP is WORSE than WPA2 Personal. The weakness is the RADIUS Man in the Middle attack which can be mitigated with the correct use of Server Certs and Client configuration.

    2. I think you hit the nail on the head with WPS being for devices without a traditional UI. Surely this would be ideal in the world of IoT where sensors etc may not have a useful UI. So as WLAN engineers we may well care :)

    ReplyDelete
    Replies
    1. Ben MillerJanuary 29, 2018 at 11:48 AM

      Any PEAP is worse than WPA2 Personal, for the two reasons cited above. We shall see if IoT sensors used in enterprises Wi-Fi start using WPS. I have yet to see that, but who knows what will happen in the future?

      Delete
  4. UnknownSeptember 7, 2018 at 6:43 AM

    When capturing WiFi traffic between a device and an AP, that is secured by WPA2, the layer 2 packets can be decrypted as long as the initial 4-phase handsake and and the PSK are known. I rely on this routinely for ethical traffic analysis.

    Will there be a way to do this type of analysis on WPA3 protected traffic?

    ReplyDelete
  5. Macaw Security SolutionsJuly 17, 2021 at 11:19 PM

    I liked your work and the way in which you have shared this article here aboutsecurity companies midlands. It is a beneficial and helpful article for us. Thanks for sharing an article like this.

    ReplyDelete
  6. AnonymousJuly 26, 2021 at 1:12 AM

    This is a very nice one and gives in-depth information. I am really happy with the quality and presentation of the article. I’d really like to appreciate the efforts you get with writing this post. Thanks for sharing.
    Corporate course in Bangalore

    ReplyDelete
  7. AES GlobalSeptember 4, 2021 at 2:57 AM


    Great article by the great author, it is very massive and informative but still preaches the way to sounds like that it has some beautiful thoughts described so I really appreciate this article. Best türsprechanlage mit video service provider

    ReplyDelete
  8. Professional Courses and TrainingNovember 9, 2021 at 7:11 AM


    It's like you've got the point right, but forgot to include your readers. Maybe you should think about it from different angles.
    Best Data Science Courses in Bangalore

    ReplyDelete
  9. asmaferozJanuary 22, 2022 at 2:00 AM

    Thanks for sharing this blog. It was so informative.
    Screening call
    No screening means

    ReplyDelete
  10. Data Science Course in Bhilai - 360DigiTMGMarch 22, 2022 at 11:58 PM

    Impressive blog to be honest definitely this post will inspire many more upcoming aspirants. Eventually, this makes the participants experience and innovate themselves knowledge wise by visiting this kind of a blog. Once again excellent job keep inspiring with your cool stuff.

    Data Science Training in Bhilai

    ReplyDelete
  11. apcamericaApril 1, 2022 at 10:32 PM

    This comment has been removed by the author.

    ReplyDelete
  12. apcamericaApril 1, 2022 at 11:40 PM

    I just need to say this is a well-informed article that you have shared here about home security systems toledo. It is an engaging and gainful article for us. Continue imparting this sort of info, Thanks to you.

    ReplyDelete
  13. emeraldacademyApril 8, 2022 at 4:32 PM

    Thanks for sharing this article here about the Business. Your article is very informative and I will share it with my other friends as the information is really very useful. Keep sharing your excellent work.security guard training in twickenham site.

    ReplyDelete
  14. WB Sales and ServiceApril 16, 2022 at 12:31 PM

    I read the above article and I got some different kind of information from your article about a mattress. It is a helpful article to enhance our knowledge for us. Thankful to you for sharing an article like this.WB Sales and Service

    ReplyDelete
  15. securtacApril 25, 2022 at 7:32 AM

    I admire this article for the well-researched content and excellent wording. Read more info about Toronto Construction Security Guard Service. I got so involved in this material that I couldn’t stop reading. I am impressed with your work and skill. Thank you so much.

    ReplyDelete
  16. WB Sales and ServiceMay 20, 2022 at 11:54 AM

    The delightful article you have posted here. This is a good way to increase our knowledge.WB Sales and Service Continue sharing this kind of articles, Thank you.

    ReplyDelete
  17. SM FIBER LINKSMay 4, 2025 at 10:54 PM

    Thank you for sharing a wonderful blog. keep on posting it.
    best internet plans in Hyderabad

    ReplyDelete

Post a Comment

Popular posts from this blog

Chips, Glorious Wi-Fi 6E Chips!

Qualcomm, owners of the Atheros line of Wi-Fi radios, recently announced the availability of Wi-Fi 6E chips. Game onnnnnnn! 6 GHz Wi-Fi is here. Sort of... Qualcomm is selling Wi-Fi 6E (802.11ax w/ 6 GHz support) chips, but we don't yet know when enterprise-grade APs and mobile devices will begin supporting 6 GHz Wi-Fi. Chip-to-product timelines can vary. Wi-Fi 5 (802.11ac) saw enterprise WLAN vendors sell products only a few months after chip announcements. Wi-Fi 6 (802.11ax) saw the big vendors wait a year or more before introducing new AP models. A ton of concerns factor into a vendor's decision on when to develop, manufacture and market new AP technology. Vendors with small market share may be extra eager. Aerohive tried to boost their enterprise Wi-Fi profile by being a leader in Wi-Fi 6. On the other hand, some vendors' enthusiasm for new Wi-Fi hardware may be dulled by competing organizational initiatives. Aruba/HPE, for example, was veering f...
Read more

At Least They Didn't Blame the Wi-Fi

Prime Video's stream of the 49ers-Cardinals NFL game received plenty of bad reviews on social media. While most of the negativity focused on stream quality, Wi-Fi largely escaped blame. There is one application type that confounds networks above all others, and it is live video. Pick your poison: voice, location tracking, on-demand video, cloud-hosted apps... None of them cause problems as consistently or predictably as the livestream. The issue is a simple one: broadcast vs. two-way. Packetized data networks are a two-way communication medium. Receiver must acknowledge sender. Live video has, since its inception decades ago, been a broadcast technology. Your television doesn't send anything to the local broadcast tower. Same with cable boxes. Same with satellite dishes. Pushing against this immutable scientific fact is commerce. Sports leagues see the billions of dollars being spent by streaming services, and they want some. Streaming services see the millions of eyeballs tun...
Read more

Go To Sleep, Go To Sleep, Go To Sleep Little iPhone

Image
In some circles, Apple Wi-Fi devices are knows to have problems with lost connections.  iPhones and iPads will unexpectedly miss incoming calls, have delays in receiving push notifications and even be forced to reauthenticate. There is a solution to Apple devices' connection problems, and as with most "device problems", the fix resides on the infrastructure.  The DTIM setting needs to be increased.  ( Apple recommends a setting of 3 or higher .)  Here's why: Some Apple Wi-Fi connection problems stem from Apple iOS devices' use of 802.11 power management.  To understand what Apple devices are doing with power management, one must first understand how 802.11 power management works. Let's start with unicast data.  The 802.11 standard allows devices' Wi-Fi radios to enter the Doze state in order to conserve battery life.  Wi-Fi radios in the Doze state are unable to receive data from the AP, so APs buffer all unicast data that has a destination MAC ...
Read more