WPA3 Adds Four Security Enhancements, One of Which Matters

The Wi-Fi Alliance announced its next security enhancement today, called WPA3.  The press release touts "four new capabilities", but only one of the four affects practical Wi-Fi security.

As they are occasionally wont to do, the Wi-Fi Alliance announced a new certification today via a press release featuring an artisnal blend of normal words and corporate gobbledygook.  For those who speak fluent corporate gobbledygook, here are the four enhancements of WPA3:
  • Robust protections even when users choose passwords that fall short of typical complexity recommendations.
  • Simplify the process of configuring security for devices that have limited or no display interface.
  • Strengthen user privacy in open networks through individualized data encryption.
  • A 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems to forther protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.
As the Wi-Fi community's self-proclaimed corporate-gobbledygook-to-English translator, I will explain WPA3 in a language that all pro-American Americans can understand.

Robust protections even when users choose passwords that fall short of typical complexity recommendations

What does it mean?

WPA2 Personal passphrases will no longer be vulnerable to dictionary attacks.

Does it matter?

If you use WPA2 Enterprise, no.  (Although, if you use WPA2 Enterprise with PEAP or EAP-TTLS authentication, then your authentication security is WORSE than WPA2 Personal already.  So, change that ASAP.)

If you use WPA2 Personal, not really.  Math folk define "flawed" as "vulnerable to something that would be faster than a brute force attack".  And, sure, WPA2 Personal passphrases are flawed by that definition.  Engineering folk, on the other hand, define "flawed" as "actually flawed".  Meaning that someone would have to be able to realistically recover a WPA2 Personal passphrase via a dictionary attack.  By an engineer's definition, WPA2 Personal is not flawed.  Dictionary attacks on WPA2 Personal passphrases are too slow to work in the real world, unless the targeted passphrase is LITERALLY a word from the Webster's dictionary.

Simplify the process of configuring security for devices that have limited or no display interface

What does it mean?

WPS is getting "fixed".

Does it matter?

I don't know and I don't care.  WPS is push-button WPA2 Personal for printers, coffee makers, and other devices that may not have a traditional user interface.  WPS is another one of those things with theoretical flaws, but no documented occurrences of real world security compromises.

Strengthen user privacy in open networks through individualized data encryption

What does it mean?

An SSL-like link will be set up between station and AP when devices connect to open Wi-Fi.

Does it matter?

Yes!  No more VPNs at hotspots!

Ever since SSL became ubiquitous, WPA2 encryption has been redundant... except in one way.  WPA2 prevents wireless eavesdroppers from finding out which servers people are accessing.  For example, if I went to my local German restaurant and used their Wi-Fi to access Twitter, nobody would be able to wirelessly eavesdrop on my username, password, timeline, DMs, or any other "content", but they would be able to see that I accessed Twitter.

Traditionally, privacy-obsessed users of open Wi-Fi have had to use VPNs to prevent wireless eavesdroppers from finding out which sites, apps, and services are being accessed.  The SSL-like encryption between station and AP will stop that "information seepage", as the kids call it.

I should note that the BIG attacks on open Wi-Fi; Wi-Phishing and man-in-the-middle, will continue to be just as much of a threat as they have always been.  WPA3 does nothing to prevent a hooligan from setting up a Wi-Fi Pineapple with the goal of attracting stray associations.

A 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems to forther protect Wi-Fi networks with higher security requirements such as government, defense, and industrial

What does it mean?

192-bit AES encryption.  WPA2 uses 128-bit AES.

Does it matter?

How big of a nerd do you think I am?

I don't know.  I guess 128-bit encryption might not be long enough to withstand a bruteforce attack, given today's processing capabilities.  I wouldn't doubt it.  And obviously 192-bit encryption means that there are two-to-the-one-hundred-ninety-second-power possible encryption keys, rather than two-to-the-one-hundred-twenty-eighth-power.  But if you were to say, "Ben, this is all a conspiracy by Big Wi-Fi to sell unnecessary security to the U.S. military," I'd say, "you may have a point."

******

If you like my blog, you can support it by shopping through my Amazon link or becoming a Patron on Patreon.  Thank you.

Twitter: @Ben_SniffWiFi

ben at sniffwifi dot com

Comments

  1. "WPA2 Enterprise with PEAP or EAP-TTLS authentication, then your authentication security is WORSE than WPA2 Personal already"
    where did you read that?

    ReplyDelete
    Replies
    1. I didn't read it anywhere. It's just a fact.

      Delete
    2. WPA2-PSK can use a 256-bit key derived from a password for authentication, can be crackable by a dictionary attack.

      WPA2-Enterprise, also known as 802.1x uses a RADIUS server for authentication purposes. Authentication is achieved using variants of the EAP protocol. This is a more complex but more secure setup.

      I didn't get your point.

      Delete
    3. I'd be interested to hear the rationale there too, and not in a derogatory way mind you, just in an informational one!

      Delete
    4. I would have thought mechanisms that employ TLS tunnels would be more secure than ones that do not? Hopefully you can elaborate?

      Delete
    5. Password-based EAP is worse than WPA2 Personal for two reasons:

      1) Cracking of Password-based EAP is guaranteed; WPA2 Personal cracking relies on extraordinarily weak passphrases.

      2) EAP almost always uses enterprise credentials; WPA2 Personal almost never does.

      Delete
  2. You imply that all devices without displays are simplistic. There are many devices that have no displays and yet are quite expensive and sophisticated.
    Sometimes WPS gets too much credit. It has had, and still has, problems even if most of these are caused by a manufacturer's lack of (security) imagination.
    You did not mention it, but Protected Management Frames have been required with all WPA2 certifications since early 2016.

    ReplyDelete
    Replies
    1. I don't imply anything about how expensive devices are.

      Delete
  3. Two points I'd like to raise.

    1. I think you should caveat that BADLY configured WPA2 with PEAP is WORSE than WPA2 Personal. The weakness is the RADIUS Man in the Middle attack which can be mitigated with the correct use of Server Certs and Client configuration.

    2. I think you hit the nail on the head with WPS being for devices without a traditional UI. Surely this would be ideal in the world of IoT where sensors etc may not have a useful UI. So as WLAN engineers we may well care :)

    ReplyDelete
    Replies
    1. Any PEAP is worse than WPA2 Personal, for the two reasons cited above. We shall see if IoT sensors used in enterprises Wi-Fi start using WPS. I have yet to see that, but who knows what will happen in the future?

      Delete
  4. When capturing WiFi traffic between a device and an AP, that is secured by WPA2, the layer 2 packets can be decrypted as long as the initial 4-phase handsake and and the PSK are known. I rely on this routinely for ethical traffic analysis.

    Will there be a way to do this type of analysis on WPA3 protected traffic?

    ReplyDelete
  5. I liked your work and the way in which you have shared this article here aboutsecurity companies midlands. It is a beneficial and helpful article for us. Thanks for sharing an article like this.

    ReplyDelete
  6. This is a very nice one and gives in-depth information. I am really happy with the quality and presentation of the article. I’d really like to appreciate the efforts you get with writing this post. Thanks for sharing.
    Corporate course in Bangalore

    ReplyDelete

  7. Great article by the great author, it is very massive and informative but still preaches the way to sounds like that it has some beautiful thoughts described so I really appreciate this article. Best türsprechanlage mit video service provider

    ReplyDelete
  8. I am a new user of this site, so here I saw several articles and posts published on this site, I am more interested in some of them, will provide more information on these topics in future articles.

    Business Analytics Course

    ReplyDelete

  9. It's like you've got the point right, but forgot to include your readers. Maybe you should think about it from different angles.
    Best Data Science Courses in Bangalore

    ReplyDelete
  10. The post is written in very a good manner and it contains many useful information for me.
    security system provider

    ReplyDelete
  11. Nice Post. Thank you for helping people get the information they need and great stuff as usual. Keep up the great work!!!
    Artificial Intelligence Courses in Hyderabad

    ReplyDelete
  12. I am always searching online for articles that can help me and you made some good points in Features also. Keep working, great job
    Data Science Training

    ReplyDelete
  13. Thank you for sharing this wonderful blog, I read that Post and got it fine and informative. Please share more like that...
    Ethical Hacking Institute in Bangalore

    ReplyDelete
  14. I am hoping the same best effort from you in the future as well and in fact your creative writing skills has inspired me.
    Data Science Course near me

    ReplyDelete
  15. This is truly an practical and pleasant information for all and happy to see this awesome post by the way thanks for sharing this post.
    Data Scientist Course in Noida

    ReplyDelete
  16. Very great post which I really enjoy reading this and it is not everyday that I have the possibility to see something like this. Thank You.
    Best Online Data Science Courses

    ReplyDelete
  17. Really impressed! Information shared was very helpful Your website is very valuable. Thanks for sharing.
    Business Analytics Course in Bangalore

    ReplyDelete
  18. Impressive blog to be honest definitely this post will inspire many more upcoming aspirants. Eventually, this makes the participants experience and innovate themselves knowledge wise by visiting this kind of a blog. Once again excellent job keep inspiring with your cool stuff.

    Data Science Training in Bhilai

    ReplyDelete
  19. Wonderful blog found to be very impressive to come across such an awesome blog. I should really appreciate the blogger for the efforts they have put in to develop such amazing content for all the curious readers who are very keen on being updated across every corner. Ultimately, this is an awesome experience for the readers. Anyways, thanks a lot and keep sharing the content in future too.

    Data Science Course in Bhilai

    ReplyDelete
  20. This is an excellent article. I like this topic. I have found a lot of interesting things on this site.Thanks for posting this again.
    Business Analytics Course in Jaipur

    ReplyDelete
  21. This comment has been removed by the author.

    ReplyDelete
  22. I just need to say this is a well-informed article that you have shared here about home security systems toledo. It is an engaging and gainful article for us. Continue imparting this sort of info, Thanks to you.

    ReplyDelete
  23. Thanks for sharing this article here about the Business. Your article is very informative and I will share it with my other friends as the information is really very useful. Keep sharing your excellent work.security guard training in twickenham site.

    ReplyDelete
  24. I read the above article and I got some different kind of information from your article about a mattress. It is a helpful article to enhance our knowledge for us. Thankful to you for sharing an article like this.WB Sales and Service

    ReplyDelete
  25. I admire this article for the well-researched content and excellent wording. Read more info about Toronto Construction Security Guard Service. I got so involved in this material that I couldn’t stop reading. I am impressed with your work and skill. Thank you so much.

    ReplyDelete
  26. This information is meaningful and magnificent which you have shared here about the I am impressed by the details that you have shared in this post and It reveals how nicely you understand this subject. I would like to thanks for sharing this article here.Concierge Services

    ReplyDelete
  27. The delightful article you have posted here. This is a good way to increase our knowledge.WB Sales and Service Continue sharing this kind of articles, Thank you.

    ReplyDelete
  28. As per India Today , the Data Science sector has witnessed a massive hike of 650%, far outpacing other sectors since 2012. MCTA is a top-notch Digital Marketing Training institute in Mumbai. It offers excellent end-to-end digital marketing as well as Data Science courses.

    ReplyDelete
  29. Ideal and Lowest priced Jabodetabek Private Classes, all of our staff along with teachers can come home, established your very own review agenda and may opt for just about any area associated with analyze ... visit https://kursus-ekonomi.netlify.app/les-privat-ekonomi-cilandak.html for more details

    ReplyDelete
  30. We offer private lessons for PAUD, TK, SD, SMP, SMA, and Alumni. With an incorporated and accelerated method, it truly is hoped who's should be able to foster a generation of people with good morals... click for more information https://biologi-exed.blogspot.com/2022/04/les-privat-biologi-di-menteng-terdekat.html

    ReplyDelete

Post a Comment

Popular posts from this blog

Five Facts About 6 GHz Wi-Fi

Go To Sleep, Go To Sleep, Go To Sleep Little iPhone

At Least They Didn't Blame the Wi-Fi