Security of wireless networks has always been essential. This January the Wi-Fi Alliance(r) announced a new version of its Wi-Fi Protected Access(r) or WPA designed to improve the security of 802.11 wireless networks. The four improvements directly address authentication and confidentiality of the networks.
Since most of us have Wi-Fi networks in our homes, offices, cars, or pockets, these changes directly impact virtually everyone. Some of the details were not initially detailed, so I will elaborate on some and speculate a tiny bit on others.
The four changes are:
- Improvements to using Wi-Fi in a public environment. Public Wi-Fi has always had issues. Two of the bigger ones are "open" networks and key The first is those networks where one can connect without any authentication; users just click Connect and can use the network. In the second case, users share a single key. That is everyone has the same "network password".
WPA3 addresses this by using "individualized data encryption". That seems to indicate that each user will start the key generation process with a different base. Currently, the Wireless Access Point and each station share a key based on the password. An attacker with the password can generate that shared key and eavesdrop on the traffic.
- Brute-force resistance. In private networks, the key is considered secret - that's what makes them "private". Sometimes the key can be discovered through a brute-force attack. That's where the attacker tries one password after another to try to guess the correct one.
WPA3 addresses this presumably by limiting the number of password attempts to some small number. It may be configurable, or it may be fixed in the specification.
- Improved IoT support. The current version of WPA, WPA2, was created before there was even real talk of an "Internet of Things". One idea behind the IoT is that devices without displays will be able to integrate easily into existing wireless The problem now is that entering the password for a private network (or using existing auto-connect methods) is difficult or impossible for a device with no screen and a limited processor.
The press release doesn't detail how this new support will work, but it seems possible that third device such as a phone or tablet could be used to associate the IoT device with the Access Point.
- Stronger encryption. This one sounds like a beneficial if confusing, The AES encryption in WPA2 is specified in IEEE 802.11i. There is a slide-based summary of the ideas and techniques on the IEEE 802 site.
WPA3 will use 192-bit encryption. If that is AES, too, that is a clear improvement. But the press release said, "a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems." While that could mean 192-bit AES, the CNSA document only seems to mention AES-256, not AES-192! However, it refers to 384-bit elliptic curves for key exchange, signatures, and hashing. A 384-bit curve also has an effective strength of 192 bits! That makes it difficult to discern what the actual implementation will be.
While some of the details of WPA3 are unclear, what is clear is that it promises to be a step up in wireless security. Implementation of the protocol is due later in 2018, and hopefully, it will mean more secure wireless networks.
AUTHOR: John McDermott
Networking & Virtualization