Earlier this month, the Wi-Fi Alliance issued a press release announcing the availability of WPA3.
Built on top of several existing but not widely deployed technologies, WPA3 makes several vast improvements over the security provided by WPA2. Most notably, WPA3 should close the door on offline dictionary-based password cracking attempts by leveraging a more modern key establishment protocol called Simultaneous Authentication of Equals (SAE). This mechanism has some commonality with the Diffie-Hellman key exchange and has already been deployed in some mesh network standards. In addition to thwarting offline password cracking attempts, SAE provides forward secrecy so that an attacker cannot decrypt previously recorded sessions even if the WPA3 passphrase is known.
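To make the forward-secrecy point concrete, here is an added example (not from the original post) that contrasts the WPA2-PSK key derivation with a simplified password-based Diffie-Hellman exchange. The second half is in the spirit of SAE but is not the SAE protocol itself; the toy group, function names, passphrase, SSID, and MAC addresses are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def wpa2_pmk(passphrase, ssid):
    # WPA2-PSK: the PMK depends only on the passphrase and the public SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk, aa, spa, anonce, snonce, length=48):
    # 802.11i PRF: apart from the PMK, every input is sent in the clear
    # during the 4-way handshake (MAC addresses and both nonces).
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range((length + 19) // 20):
        msg = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:length]

# Assumption: toy group (Mersenne prime 2**521 - 1) for illustration only.
# Real SAE uses standardized groups and the Dragonfly commit/confirm exchange.
P = 2**521 - 1

def password_base(passphrase):
    # The Diffie-Hellman base is derived from the password instead of being public.
    h = int.from_bytes(hashlib.sha512(passphrase.encode()).digest(), "big")
    return pow(h, 2, P)

def new_ephemeral(passphrase):
    # Fresh secret exponent per session; only the public value is transmitted.
    secret = secrets.randbits(256) + 2
    return secret, pow(password_base(passphrase), secret, P)

def session_key(own_secret, peer_public):
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def demo():
    pw, ssid = "correct horse battery", "CoffeeShop"  # constructed values
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    ptk_live = wpa2_ptk(wpa2_pmk(pw, ssid), aa, spa, anonce, snonce)
    # WPA2: the recorded public values plus the passphrase give the same PTK.
    ptk_later = wpa2_ptk(wpa2_pmk(pw, ssid), aa, spa, anonce, snonce)
    # Password-based DH: both ends agree on a key, but the exponents a and b
    # never leave the devices and are discarded when the session ends.
    (a, pub_a), (b, pub_b) = new_ephemeral(pw), new_ephemeral(pw)
    return ptk_live == ptk_later, session_key(a, pub_b) == session_key(b, pub_a)

if __name__ == "__main__":
    print(demo())
```

In the WPA2 half, the passphrase is the only secret input, so learning it later unlocks any recorded handshake. In the second half, recovering the session key from the passphrase and the two public values still requires solving a Diffie-Hellman problem.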
Another huge enhancement in this announcement is the Wi-Fi Device Provisioning Protocol (DPP) to replace the readily exploitable Wi-Fi Protected Setup (WPS).
With DPP, devices can be authenticated to join a network without a password through various means including QR codes or NFC tags. Unlike existing options, however, this is not simply a mechanism for communicating the password but rather it is a way for devices to perform mutual authentication without a password.
WPA3 also promises to improve security for open networks such as guest or customer networks in coffee shops, airports, and hotels. Although the standard does not appear to protect against a rogue access point, it should prevent passive nearby attackers from monitoring communication over the air. This is because WPA3 supports password-free encryption between stations and access points, but does not seem to provide a way for devices to distinguish legitimate access points from rogue ones.
Despite these vast improvements, there is likely no reason for anyone to be rushing out to buy a new router for WPA3 support. For starters, it is important to recognize that Wi-Fi has a long history ...
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Craig Young. Read the original post at: https://www.tripwire.com/state-of-security/featured/wpa3-what-you-need-to-know/