Released in 2018, WPA3 is an updated and more secure version of the Wi-Fi Protected Access protocol to secure wireless networks. As we described in the comparison of WPA2 with WPA, WPA2 has been the recommended way to secure your wireless network since 2004 because it is more secure than WEP and WPA. WPA3 makes further security improvements that make it harder to break into networks by guessing passwords; it also makes it impossible to decrypt data captured in the past i.e., before the key (password) was cracked.
When the Wi-Fi alliance announced technical details for WPA3 in early 2018, their press release touted four major features: a new, more secure handshake for establishing connections, an easy method to securely add new devices to a network, some basic protection when using open hotspots, and finally increased key sizes.
The final specification only mandates the new handshake but some manufacturers will implement the other features as well.
|Stands For||Wi-Fi Protected Access 2||Wi-Fi Protected Access 3|
|What Is It?||A security protocol developed by the Wi-Fi Alliance in 2004 for use in securing wireless networks; designed to replace the WEP and WPA protocols.||Released in 2018, WPA3 is the next generation of WPA and has better security features. It protects against weak passwords that can be cracked relatively easily via guessing.|
|Methods||Unlike WEP and WPA, WPA2 uses the AES standard instead of the RC4 stream cipher. CCMP replaces WPA's TKIP.||128-bit encryption in WPA3-Personal mode (192-bit in WPA3-Enterprise) and forward secrecy. WPA3 also replaces the Pre-Shared Key (PSK) exchange with Simultaneous Authentication of Equals, a more secure way to do initial key exchange.|
|Secure and Recommended?||WPA2 is recommended over WEP and WPA, and is more secure when Wi-Fi Protected Setup (WPS) is disabled. It is not recommended over WPA3.||Yes, WPA3 is more secure than WPA2 in ways discussed in the essay below.|
|Protected Management Frames (PMF)||WPA2 mandates support of PMF since early 2018. Older routers with unpatched firmware may not support PMF.||WPA3 mandates use of Protected Management Frames (PMF)|
New Handshake: Simultaneous Authentication of Equals (SAE)
When a device tries to log on to a password-protected Wi-Fi network, the steps of supplying and verifying the password are taken via a 4-way handshake. In WPA2, this part of the protocol was vulnerable to KRACK attacks:
In a key reinstallation attack [KRACK], the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once.
Even with updates to WPA2 to mitigate against KRACK vulnerabilities, WPA2-PSK can still be cracked. There are even how-to guides for hacking WPA2-PSK passwords.
WPA3 fixes this vulnerability and mitigates other problems by using a different handshake mechanism for authenticating to a Wi-Fi network—Simultaneous Authentication of Equals, also known as Dragonfly Key Exchange.
The advantages of Dragonfly key exchange are forward secrecy and resistance to offline decryption.
Resistant to Offline Decryption
A vulnerability of the WPA2 protocol is that the attacker does not have to stay connected to the network in order to guess the password. The attacker can sniff and capture the 4-way handshake of a WPA2-based initial connection when in proximity of the network. This captured traffic can then be used offline in a dictionary-based attack to guess the password. This means that if the password is weak, it is easily breakable. In fact, alphanumeric passwords up to 16 characters can be cracked fairly quickly for WPA2 networks.
WPA3 uses the Dragonfly Key Exchange system so it is resistant to dictionary attacks. This is defined as follows:
Resistance to dictionary attack means that any advantage an adversary can gain must be directly related to the number of interactions she makes with an honest protocol participant and not through computation. The adversary will not be able to obtain any information about the password except whether a single guess from a protocol run is correct or incorrect.
This feature of WPA3 protects networks where the network password—i.e., the pre-shared key (PSDK)—is weaker than the recommended complexity.
Wireless networking uses a radio signal to transmit information (data packets) between a client device (e.g. phone or laptop) and the wireless access point (router). These radio signals are broadcast openly and can be intercepted or "received" by anyone in the vicinity. When the wireless network is protected via a password—whether WPA2 or WPA3—the signals are encrypted so a third-party intercepting the signals will not be able to understand the data.
However, an attacker can record all this data they are intercepting. And if they are able to guess the password in the future (which is possible via a dictionary attack on WPA2, as we have seen above), they can use the key to decrypt data traffic recorded in the past on that network.
WPA3 provides forward secrecy. The protocol is designed in a way that even with the network password, it is impossible for an eavesdropper to snoop on traffic between the access point and a different client device.
Opportunistic Wireless Encryption (OWE)
Described in this whitepaper (RFC 8110), Opportunistic Wireless Encryption (OWE) is a new feature in WPA3 that replaces the 802.11 “open” authentication that is widely used in hotspots and public networks.
This YouTube video provides a technical overview of OWE. The key idea is to use a Diffie-Hellman key exchange mechanism to encrypt all communication between a device and an access point (router). The decryption key for the communication is different for each client connecting to the access point. So none of the other devices on the network can decrypt this communication, even if they listen in on it (which is called sniffing). This benefit is called Individualized Data Protection—data traffic between a client and access point is "individualized"; so while other clients can sniff and record this traffic, it they can't decrypt it.
A big advantage of OWE is that it protects not just networks that require a password to connect; it also protects open "unsecured" networks that have no password requirements, e.g. wireless networks at libraries. OWE provides these networks with encryption without authentication. No provisioning, no negotiation, and no credentials are required – it just works without the user having to do anything or even knowing that her browsing is now more secure.
A caveat: OWE does not protect against "rogue" access points (APs) like honeypot APs or evil twins that try to trick the user into connecting with them and steal information.
Another caveat is that WPA3 supports—but does not mandate—unauthenticated encryption. It is possible that a manufacturer gets the WPA3 label without implementing unauthenticated encryption. The feature is now called Wi-Fi CERTIFIED Enhanced Open so buyers should look for this label in addition to the WPA3 label to ensure the device they are buying supports unauthenticated encryption.
Device Provisioning Protocol (DPP)
Wi-Fi Device Provisioning Protocol (DPP) replaces the less secure Wi-Fi Protected Setup (WPS). Many devices in home automation—or the Internet of Things (IoT)—do not have an interface for password entry and need to rely on smartphones to intermediate their Wi-Fi setup.
The caveat here once again is that the Wi-Fi Alliance has not mandated this feature be used in order to get WPA3 certification. So it is not technically part of WPA3. Instead, this feature is now part of their Wi-Fi CERTIFIED Easy Connect program. So look for that label before buying WPA3-certified hardware.
DPP allows devices to be authenticated to the Wi-Fi network without a password, using either a QR code or NFC (Near-field communication, the same technology that powers wireless transactions on Apple Pay or Android Pay) tags.
With Wi-Fi Protected Setup (WPS), the password is communicated from your phone to the IoT device, which then uses the password to authenticate to the Wi-Fi network. But with the new Device Provisioning Protocol (DPP), devices perform mutual authentication without a password.
Longer Encryption Keys
Most WPA2 implementations use 128-bit AES encryption keys. The IEEE 802.11i standard also supports 256-bit encryption keys. In WPA3, longer key sizes—the equivalent of 192-bit security—are mandated only for WPA3-Enterprise.
WPA3-Enterprise refers to enterprise authentication, which uses a username and password for connecting to the wireless network, rather than just a password (aka pre-shared key) that is typical for home networks.
For consumer applications, the certification standard for WPA3 has made longer key sizes optional. Some manufacturers will use longer key sizes since they are now supported by the protocol, but the onus is going to be on consumers to choose a router/access point that does.
As described above, over the years WPA2 has become vulnerable to various forms of attack, including the infamous KRACK technique for which patches are available but not for all routers and not widely deployed by users because it requires a firmware upgrade.
In August 2018, yet another attack vector for WPA2 was discovered. This makes it easy for an attacker who sniffs WPA2 handshakes to obtain the hash of the pre-shared key (password). The attacker can then use a brute force technique to compare this hash against the hashes of a list of commonly-used passwords, or a list of guesses that tries every possible variation of letters and numbers of varying length. Using cloud computing resources, it is trivial to guess any password less than 16 characters long.
In short, WPA2 security is as good as broken, but only for WPA2-Personal. WPA2-Enterprise is a lot more resistant. Until WPA3 is widely available, use a strong password for your WPA2 network.
Support for WPA3
After its introduction in 2018, it is expected to take 12-18 months for support to go mainstream. Even if you have a wireless router that supports WPA3, your old phone or tablet may not receive the software upgrades necessary for WPA3. In that case, the access point will fall back to WPA2 so you can still connect to the router—but without the advantages of WPA3.
In 2-3 years, WPA3 will become mainstream and if you are buying router hardware now it is advisable to future-proof your purchases.
- Where possible, choose WPA3 over WPA2.
- When buying WPA3-certified hardware, look also for Wi-Fi Enhanced Open and Wi-Fi Easy Connect certifications. As described above, these features enhance security of the network.
- Choose a long, complex password (pre-shared key):
- use numbers, upper and lower case letters, spaces and even "special" characters in your password.
- Make it a passphrase instead of a single word.
- Make it long—20 characters or more.
- If you are buying a new wireless router or access point, choose one that supports WPA3 or plans to roll out a software update that will support WPA3 in the future. Wireless router vendors periodically release firmware upgrades for their products. Depending upon how good the vendor is, they release upgrades more frequently. e.g. after the KRACK vulnerability, TP-LINK was among the first vendors to release patches for their routers. They also released patches for older routers. So if you are researching which router to buy, look at the history of firmware versions released by that manufacturer. Choose a company that is diligent about their upgrades.
- Use a VPN when using a public Wi-Fi hotspot such as a cafe or library, irrespective of whether the wireless network is password-protected (i.e., secure) or not.
- KRACK attacks on WPA2
- Dragonfly Key Exchange - IEEE white paper
- Wi-Fi Alliance Press Release for WPA3 features and WPA2 improvements
- WPA3 Security Enhancements - YouTube
- Opportunistic Wireless Encryption: RFC 1180
- WPA3 - A Missed Opportunity
- WPA3 Technical Details
- The Beginning of the End of WPA-2: Cracking WPA-2 Just Got a Whole Lot Easier