WPA3: What’s New in the Next Wi-Fi Security Standard

By Ava McKinneyOnline Safety

WPA3: What’s New in the Next Wi-Fi Security Standard and a Look Back at Previous Ones

Last year, a critical vulnerability was discovered in WPA2—the security protocol used by nearly every Wi-Fi access point. Few people were alarmed by this, but they should have been! In this article, I’ll explain the new WPA3 protocol, which is immune to the KRACK attack, and also review previous Wi-Fi security standards.

WPA One, WPA Two, WPA Three

Before diving into what’s new in WPA3, let’s briefly review the earlier protocols, starting with WEP. You might wonder why we’re starting with such an outdated technology, but all existing Wi-Fi security protocols (there are four) are, to some extent, built on their predecessors. Plus, WEP is still used in some places, so it’s worth remembering.

WEP

WEP’s security relied on methods similar to those used in wired networks, which ultimately became its downfall. To intercept Ethernet traffic, an attacker would need physical access to the victim’s home or office. With Wi-Fi, all you need is to be within signal range.

You might ask, “But what about encryption?”—and you’d be right. WEP uses a key stream generated by mixing the password with an initialization vector (IV) to encrypt traffic.

The IV in WEP is a constantly changing 24-bit number. It might seem that this makes brute-forcing the password impossible. The developers thought so too, but this encryption method, combined with the ability to intercept packets, became WEP’s Achilles’ heel. As computers became more powerful, the IV length became insufficient. By collecting enough frames, you could find ones with the same IV. This made it possible to decrypt any transmission after statistical analysis of enough intercepted packets (just tens of thousands, which isn’t much for an active network). Eventually, cracking WEP took only minutes.

WPA

To address these issues, the Wi-Fi Alliance introduced an upgrade to WEP that fixed vulnerabilities without requiring new hardware. The first idea was to change keys before enough data could be collected for an attack. WPA was developed based on existing IEEE 802.11i work, with TKIP as its core protocol. TKIP significantly strengthened WEP with a two-level IV system.

For each new frame, the lower IV increases (as in WEP), but after all combinations are used, the higher IV increases and a new key is generated. This prevents attackers from gathering enough data to break the key.

WPA also introduced WPS, which allows devices to easily connect to Wi-Fi if they have physical access to the router. Unfortunately, WPS became the first exploited WPA vulnerability. Another issue was found in TKIP: to quickly patch critical WEP vulnerabilities, access points were required to block all connections for 60 seconds if a key-guessing attempt was detected. This led to the Michael attack, where sending just two corrupted packets could disable the entire network for a minute.

Still, after these vulnerabilities were discovered, WPA wasn’t considered broken. Disabling WPS made data interception impossible, and the choice between convenience and security wasn’t seen as a critical protocol flaw.

In 2006, new vulnerabilities allowed attackers to manipulate the network by exploiting known data in encrypted frames, such as ARP requests or QoS frames. These exploits let attackers read data sent from the access point to the client and inject fake data. However, this required the network to use QoS.

WPA2

By 2006, WPA2 was already implemented in many devices, so the cracking of WPA didn’t cause much panic. The main difference in WPA2 was per-user data encryption and the use of the stronger AES algorithm.

For a long time, the main ways to break WPA2 routers were brute-forcing the WPS PIN or capturing the handshake and using brute force. Disabling WPS and setting a strong password kept users safe, so WPA2 was considered reliable until recently.

In October 2017, the KRACK attack was published, showing how to break Wi-Fi networks using WPA2. From that point, experts considered WPA2 insecure, though there had been earlier warning signs.

KRACK

KRACK (Key Reinstallation Attack) was published in October 2017 and caused a major stir. This attack works against all modern Wi-Fi networks and, depending on configuration, can allow data manipulation.

The attack targets the four-way handshake that occurs when a client connects to a protected network. During this handshake, the client and access point confirm they share credentials and negotiate a new encryption key for future traffic.

Without going into all the keys involved, here’s the gist: after the third handshake packet, the client installs encryption keys and resets the packet nonce counter. The fourth handshake packet tells the router that keys are set and data exchange can begin.

The attacker intercepts the third handshake packet and retransmits it to the client, causing the client to reinstall the same key and reset the nonce counter. The nonce is used to generate the key stream for encrypting packets. Changing the nonce ensures unique key streams for each packet, but after the attack, the next packet is encrypted with the same key stream as the first. This brings back the same problems WEP had.

In 2010, another vulnerability called hole196 was found. On page 196 of the 802.11 standard, it was revealed that all authorized users in a network use the same encryption key for broadcast requests. This enabled ARP/DHCP spoofing attacks, but since attackers had to be authorized on the network and the issue could be fixed with a firewall, it wasn’t considered critical.

What Is WPA3?

On June 27, 2018, the Wi-Fi Alliance announced the completion of WPA3, a new security standard and certification program. Before any device can be labeled “WPA3,” it must pass extensive testing to ensure compatibility with other WPA3 devices. For users, WPA3 is a security protocol, but it refers to compliance with standards, not a specific hardware implementation.

How WPA3 Differs from WPA2

WPA3’s creators aimed to fix conceptual flaws exposed by KRACK. Like previous standards, WPA3 builds on its predecessor’s technologies. The Wi-Fi Alliance announced four new technologies for WPA3, but only one is mandatory for manufacturers.

Since the main vulnerability was in the four-way handshake, WPA3 requires support for a more secure connection method—SAE (Simultaneous Authentication of Equals), also known as Dragonfly. SAE, already used in mesh networks and described in IEEE 802.11s, is based on the Diffie-Hellman key exchange using finite cyclic groups.

SAE is a PAKE (Password Authenticated Key Exchange) protocol, allowing two or more parties to establish cryptographic keys based on a password known to one or more parties. The resulting session key is chosen based on the password, keys, and both parties’ MAC addresses. If one party’s key is compromised, the session key remains secure. Even if an attacker learns the password, they can’t decrypt packets.

Another WPA3 feature is support for PMF (Protected Management Frames) to ensure traffic integrity. In the future, PMF will also become mandatory for WPA2.

Wi-Fi Easy Connect and Wi-Fi Enhanced Open didn’t make it into mandatory WPA3 certification. Wi-Fi Easy Connect allows easy setup of screenless devices using another, more advanced device already connected to the network. For example, you can configure sensors or smart home devices from your smartphone by scanning a QR code. Easy Connect uses public key authentication (the QR code contains the public key) and works with both WPA2 and WPA3 networks. It also allows you to replace the access point without reconfiguring all devices.

Wi-Fi Enhanced Open encrypts all data streams between the client and access point, protecting user privacy in public networks that don’t require authentication. Key generation uses the Opportunistic Wireless Encryption extension. Support for both technologies is optional for WPA3 certification, but manufacturers can include them if they wish.

Like WPA2, WPA3 has two modes: WPA3-Personal and WPA3-Enterprise.

  • WPA3-Personal provides strong protection, especially if the user sets a robust password that can’t be guessed with a dictionary attack. If the password isn’t trivial, a new limit on authentication attempts per handshake helps prevent offline brute-force attacks. Instead of PSK, WPA3 uses SAE.
  • WPA3-Enterprise uses at least 192-bit keys, meeting CNSA requirements (set by the NSS committee for government, military, and industrial networks). For authenticated encryption, 256-bit GCMP-256 keys are recommended; HMAC with SHA-384 hashes is used for key transmission and confirmation; ECDH and ECDSA with 384-bit elliptic curves are used for key agreement and authentication; and BIP-GMAC-256 is used for frame integrity protection.

When Will WPA3 Arrive?

There’s no official information yet about which devices will get WPA3 support. It’s unlikely that many routers will get WPA3 via firmware updates, since manufacturers would have to certify old devices, which they probably won’t do. They’ll likely focus on releasing new models instead.

The Wi-Fi Alliance’s official website already lists devices supporting WPA3, but there are only six so far. However, the existence of this list means WPA3 will arrive as soon as it’s integrated into new devices. According to the Wi-Fi Alliance, WPA3 devices are expected to become widespread in 2019, alongside Wi-Fi 802.11ax (or Wi-Fi 6, under the new naming scheme).

Conclusion

The fact that WPA3 is backward compatible with WPA2 has already drawn criticism from Mathy Vanhoef, the creator of the KRACK attack. He believes the Wi-Fi Alliance didn’t do enough to improve security for the sake of compatibility. Researchers are confident that there will be ways to bypass PMF and forcibly disconnect clients. While SAE makes dictionary attacks harder, it doesn’t eliminate them—just makes them slower. Attackers can still set up rogue access points in open networks to intercept traffic.

Researcher Dan Harkins has also sparked debate about Dragonfly’s reliability, and there are rumors that Kevin Igoe, chair of the cryptographic standards group that approved Dragonfly, works for the NSA. So, the reliability of SAE is still somewhat in question.

Despite these concerns, WPA3 is a major step forward in wireless security. Will it have its own critical flaws? Time will tell!

Leave a Reply