WPA3 Adds Four Security Enhancements, One of Which Matters

The Wi-Fi Alliance announced its next security enhancement today, called WPA3.  The press release touts "four new capabilities", but only one of the four affects practical Wi-Fi security.

As they are occasionally wont to do, the Wi-Fi Alliance announced a new certification today via a press release featuring an artisnal blend of normal words and corporate gobbledygook.  For those who speak fluent corporate gobbledygook, here are the four enhancements of WPA3:
  • Robust protections even when users choose passwords that fall short of typical complexity recommendations.
  • Simplify the process of configuring security for devices that have limited or no display interface.
  • Strengthen user privacy in open networks through individualized data encryption.
  • A 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems to forther protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.
As the Wi-Fi community's self-proclaimed corporate-gobbledygook-to-English translator, I will explain WPA3 in a language that all pro-American Americans can understand.

Robust protections even when users choose passwords that fall short of typical complexity recommendations

What does it mean?

WPA2 Personal passphrases will no longer be vulnerable to dictionary attacks.

Does it matter?

If you use WPA2 Enterprise, no.  (Although, if you use WPA2 Enterprise with PEAP or EAP-TTLS authentication, then your authentication security is WORSE than WPA2 Personal already.  So, change that ASAP.)

If you use WPA2 Personal, not really.  Math folk define "flawed" as "vulnerable to something that would be faster than a brute force attack".  And, sure, WPA2 Personal passphrases are flawed by that definition.  Engineering folk, on the other hand, define "flawed" as "actually flawed".  Meaning that someone would have to be able to realistically recover a WPA2 Personal passphrase via a dictionary attack.  By an engineer's definition, WPA2 Personal is not flawed.  Dictionary attacks on WPA2 Personal passphrases are too slow to work in the real world, unless the targeted passphrase is LITERALLY a word from the Webster's dictionary.

Simplify the process of configuring security for devices that have limited or no display interface

What does it mean?

WPS is getting "fixed".

Does it matter?

I don't know and I don't care.  WPS is push-button WPA2 Personal for printers, coffee makers, and other devices that may not have a traditional user interface.  WPS is another one of those things with theoretical flaws, but no documented occurrences of real world security compromises.

Strengthen user privacy in open networks through individualized data encryption

What does it mean?

An SSL-like link will be set up between station and AP when devices connect to open Wi-Fi.

Does it matter?

Yes!  No more VPNs at hotspots!

Ever since SSL became ubiquitous, WPA2 encryption has been redundant... except in one way.  WPA2 prevents wireless eavesdroppers from finding out which servers people are accessing.  For example, if I went to my local German restaurant and used their Wi-Fi to access Twitter, nobody would be able to wirelessly eavesdrop on my username, password, timeline, DMs, or any other "content", but they would be able to see that I accessed Twitter.

Traditionally, privacy-obsessed users of open Wi-Fi have had to use VPNs to prevent wireless eavesdroppers from finding out which sites, apps, and services are being accessed.  The SSL-like encryption between station and AP will stop that "information seepage", as the kids call it.

I should note that the BIG attacks on open Wi-Fi; Wi-Phishing and man-in-the-middle, will continue to be just as much of a threat as they have always been.  WPA3 does nothing to prevent a hooligan from setting up a Wi-Fi Pineapple with the goal of attracting stray associations.

A 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems to forther protect Wi-Fi networks with higher security requirements such as government, defense, and industrial

What does it mean?

192-bit AES encryption.  WPA2 uses 128-bit AES.

Does it matter?

How big of a nerd do you think I am?

I don't know.  I guess 128-bit encryption might not be long enough to withstand a bruteforce attack, given today's processing capabilities.  I wouldn't doubt it.  And obviously 192-bit encryption means that there are two-to-the-one-hundred-ninety-second-power possible encryption keys, rather than two-to-the-one-hundred-twenty-eighth-power.  But if you were to say, "Ben, this is all a conspiracy by Big Wi-Fi to sell unnecessary security to the U.S. military," I'd say, "you may have a point."

******

If you like my blog, you can support it by shopping through my Amazon link or becoming a Patron on Patreon.  Thank you.

Twitter: @Ben_SniffWiFi

ben at sniffwifi dot com

Comments

  1. "WPA2 Enterprise with PEAP or EAP-TTLS authentication, then your authentication security is WORSE than WPA2 Personal already"
    where did you read that?

    ReplyDelete
    Replies
    1. I didn't read it anywhere. It's just a fact.

      Delete
    2. WPA2-PSK can use a 256-bit key derived from a password for authentication, can be crackable by a dictionary attack.

      WPA2-Enterprise, also known as 802.1x uses a RADIUS server for authentication purposes. Authentication is achieved using variants of the EAP protocol. This is a more complex but more secure setup.

      I didn't get your point.

      Delete
    3. I'd be interested to hear the rationale there too, and not in a derogatory way mind you, just in an informational one!

      Delete
    4. I would have thought mechanisms that employ TLS tunnels would be more secure than ones that do not? Hopefully you can elaborate?

      Delete
    5. Password-based EAP is worse than WPA2 Personal for two reasons:

      1) Cracking of Password-based EAP is guaranteed; WPA2 Personal cracking relies on extraordinarily weak passphrases.

      2) EAP almost always uses enterprise credentials; WPA2 Personal almost never does.

      Delete
  2. You imply that all devices without displays are simplistic. There are many devices that have no displays and yet are quite expensive and sophisticated.
    Sometimes WPS gets too much credit. It has had, and still has, problems even if most of these are caused by a manufacturer's lack of (security) imagination.
    You did not mention it, but Protected Management Frames have been required with all WPA2 certifications since early 2016.

    ReplyDelete
    Replies
    1. I don't imply anything about how expensive devices are.

      Delete
  3. Two points I'd like to raise.

    1. I think you should caveat that BADLY configured WPA2 with PEAP is WORSE than WPA2 Personal. The weakness is the RADIUS Man in the Middle attack which can be mitigated with the correct use of Server Certs and Client configuration.

    2. I think you hit the nail on the head with WPS being for devices without a traditional UI. Surely this would be ideal in the world of IoT where sensors etc may not have a useful UI. So as WLAN engineers we may well care :)

    ReplyDelete
    Replies
    1. Any PEAP is worse than WPA2 Personal, for the two reasons cited above. We shall see if IoT sensors used in enterprises Wi-Fi start using WPS. I have yet to see that, but who knows what will happen in the future?

      Delete
  4. When capturing WiFi traffic between a device and an AP, that is secured by WPA2, the layer 2 packets can be decrypted as long as the initial 4-phase handsake and and the PSK are known. I rely on this routinely for ethical traffic analysis.

    Will there be a way to do this type of analysis on WPA3 protected traffic?

    ReplyDelete
  5. Such a very useful article. Very interesting to read this article. I would like to thank you for the efforts you had made for writing this awesome article.
    Data Science Course in Pune
    Data Science Training in Pune

    ReplyDelete
  6. Nice blog. I finally found great post here Very interesting to read this article and very pleased to find this site. Great work!
    Data Science Training in Pune
    Data Science Course in Pune

    ReplyDelete
  7. I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it.
    Data Analytics Course in Pune
    Data Analytics Training in Pune

    ReplyDelete
  8. After reading your article I was amazed. I know that you explain it very well. And I hope that other readers will also experience how I feel after reading your article.
    Ethical Hacking Course in Bangalore
    Certified Ethical Hacker Course

    ReplyDelete
  9. Wow! Such an amazing and helpful post this is. I really really love it. I hope that you continue to do your work like this in the future also.
    Ethical Hacking Training in Bangalore
    Ethical Hacking Training

    ReplyDelete
  10. Thumbs up guys your doing a really good job. It is the intent to provide valuable information and best practices, including an understanding of the regulatory process.
    Cyber Security Course in Bangalore

    ReplyDelete
  11. Very nice blog and articles. I am really very happy to visit your blog. Now I am found which I actually want. I check your blog everyday and try to learn something from your blog. Thank you and waiting for your new post.
    Cyber Security Training in Bangalore

    ReplyDelete
  12. I will really appreciate the writer's choice for choosing this excellent article appropriate to my matter. Here is deep description about the article matter which helped me more.
    Best Institute for Cyber Security in Bangalore

    ReplyDelete
  13. Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!
    Data Science Training Institute in Bangalore

    ReplyDelete
  14. I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it.
    Best Data Science Courses in Bangalore

    ReplyDelete
  15. I am impressed by the information that you have on this blog. Thanks for Sharing
    Ethical Hacking in Bangalore

    ReplyDelete
  16. After reading your article I was amazed. I know that you explain it very well. And I hope that other readers will also experience how I feel after reading your article.
    Ethical Hacking Course in Bangalore

    ReplyDelete
  17. Wow! Such an amazing and helpful post this is. I really really love it. I hope that you continue to do your work like this in the future also.
    Ethical Hacking Training in Bangalore

    ReplyDelete
  18. Here at this site really the fastidious material collection so that everybody can enjoy a lot.

    Data Science Course

    ReplyDelete
  19. Your work is very good and I appreciate you and hopping for some more informative posts.

    Data Science Training

    ReplyDelete
  20. Truly mind blowing blog went amazed with the subject they have developed the content. These kind of posts really helpful to gain the knowledge of unknown things which surely triggers to motivate and learn the new innovative contents. Hope you deliver the similar successive contents forthcoming as well.

    360DigiTMG Machine Learning Course

    ReplyDelete
  21. Wonderful blog found to be very impressive to come across such an awesome blog. I should really appreciate the blogger for the efforts they have put in to develop such an amazing content for all the curious readers who are very keen of being updated across every corner. Ultimately, this is an awesome experience for the readers. Anyways, thanks a lot and keep sharing the content in future too.

    360DigiTMG Tableau Course

    ReplyDelete
  22. Terrific post thoroughly enjoyed reading the blog and more over found to be the tremendous one. In fact, educating the participants with it's amazing content. Hope you share the similar content consecutively.

    artificial intelligence training in bhilai

    ReplyDelete
  23. Impressive blog to be honest definitely this post will inspire many more upcoming aspirants. Eventually, this makes the participants to experience and innovate themselves through knowledge wise by visiting this kind of a blog. Once again excellent job keep inspiring with your cool stuff.

    Data Science certification in Bhilai

    ReplyDelete
  24. Extraordinary blog went amazed with the content that they have developed in a very descriptive manner. This type of content surely ensures the participants to explore themselves. Hope you deliver the same near the future as well. Gratitude to the blogger for the efforts.

    Digital Marketing training in Bhilai

    ReplyDelete

Post a Comment

Popular posts from this blog

Go To Sleep, Go To Sleep, Go To Sleep Little iPhone

Are You(r APs' Transmit Power) Still Down? Raise 'Em Up

Five Facts About 6 GHz Wi-Fi