How does WPA3 provide better security

WPA3 protects against WLAN intrusions and connects devices without a display

As expected, the industrial organization Wi-Fi Alliance (WFA) has expanded the WLAN specifications for authentication and encryption to include the improved WPA3 process. The move is necessary because the WPA2, introduced in 2004, has gradually become full of holes. The WFA unites many chip and device manufacturers and certifies WLAN devices - soon also with regard to the WPA3 function. Cross-manufacturer compatibility is to be expected for the introduction from 2019. In addition, the WFA guarantees "interoperability with WPA2 devices" so that WPA3 does not lock out older devices.

As with its predecessors, WPA and WPA2, there are two variants of WPA3: The main difference is that WLAN routers and bases (access points), which are designed for private use (personal), only have one common key for all users of theirs Use radio cells (pre-shared key, PSK). With the company variant called WPA3-Enterprise, an administrator assigns each user their own key.

Against dictionary attacks on simple passwords

WPA3 brings various new functions to simplify handling and increase security. The WFA calls among other things a "more robust authentication" and "improved cryptography". At the same time, WPA3 cuts off old braids and explicitly excludes unsafe protocols. In the certification tests, the WFA also checks whether the devices actually implement these guidelines.

This is important because WPA2 is vulnerable to an offline dictionary attack on weak passwords; the attack only requires the recording of handshakes. This does not mean that WPA2 is completely unusable, but the WFA wants to bring an improvement before an even bigger hole is discovered in WPA2. It therefore relies on the SAE (Simultaneous Authentication of Equals) method in WPA3-Personal when exchanging keys using a pre-determined password. The method is intended to make it extremely difficult to crack the password offline and also prevent the subsequent decryption of user data (Perfect Forward Secrecy).

Some observers doubt the usefulness of WPA3-Personal because many Internet applications use TLS and thus cannot be sniffed out even in unencrypted hotspots. These include, for example, cloud synchronization, most messaging apps, many mail offers and increasingly also web services. However, WPA3 not only excludes unwanted readers, but also prevents the intrusion into private networks by means of dictionary attacks on weak passwords.

In addition, the WFA advertises WPA3-Enterprise and the new optional operating mode with a 192-bit cipher. This brings "additional security" for networks that transmit confidential data, and is particularly useful for government agencies and the banking industry. However, the expansion does not go down well everywhere, because it is not backwards compatible, so that it would require investments in new devices. For example, the WLAN service provider Eduroam expressly warns in a current advisory against setting up the 192-bit mode as part of the Eduroam service. Eduroam (education roaming) offers a worldwide WLAN roaming service for research and teaching. Participants can use WLANs from institutions and research facilities in 72 regions around the world with a single account. Eduroam provides the participants with authentication against the RADIUS server of their home WLAN.

Switching for devices without a display

The Easy Connect mode is also new and remarkable. This is intended to simplify the WLAN coupling of devices that have no or very simplified user interfaces. The WFA is thus targeting the growing Internet of Things (IoT) market. With Easy Connect, users could in future add any device to their WLAN by using the user interface of another device, such as a smartphone. To do this, a smartphone scans the QR code of the target access point and the QR code of the IoT device using a specific app. Based on the data recorded via the QR codes, the IoT device is then provisioned for coupling with the access point. It then automatically logs into the new WLAN.

Details on the WPA3 procedure can be found in the c't article

additional Information


Read comments (141) Go to homepage
Ad ad