While I still see some open WiFi access points from time to time in the wild, most people are using WPA2 authentication to connect securely to their own WiFi router, or public ones instead of WEP that has been found to be insecure many years ago.
WPA2 is not quite secure as it once was, as last year WPA2-PSK was cracked. It’s not that bad, as it may still take several days with a strong password requiring a large password file for the hack to work. Still a new revision was needed, and the WiFi alliance has just introduced Wi-Fi WPA3 security.
Just like with WPA2, there are personal and enterprise modes for WPA3
WPA3-Personal
WPA2-Personal Pre-shared Key (PSK) is replaced with Simultaneous Authentication of Equals (SAE), which is said to be resistant to offline dictionary attacks where an adversary tries possible passwords without further network interaction. WPA3-Personal/SAE enables:
- Natural password selection – Allows users to choose passwords that are easier to remember
- Ease of use – Delivers enhanced protections with no change to the way users connect to a network
- Forward secrecy – Protects data traffic even if a password is compromised after the data was transmitted
I’m not sure whether that means “password” and “12345678” will now be suitable WiFi passwords with WPA3, but at least the typical weaker password will be suitable since SAE then relies on strong passwords. You can find more details in Private SAE patent.
WPA3-Enterprise
WPA3-Enterprise offers 192-bit minimum-strength security protocols and cryptographic tools. Some of the key features include
- Authenticated encryption – 256-bit Galois/Counter Mode Protocol (GCMP-256)
- Key derivation and confirmation – 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (HMAC-SHA384)
- Key establishment and authentication – Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve
- Robust management frame protection – 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256)
WPA2 is just not dead yet, as it continues to be mandatory for all Wi-Fi CERTIFIED devices, and it’s only later on, as WPA3 market adoption grows, that Wi-Fi CERTIFIED WPA3 will become mandatory. WPA3 is also backward compatible with WPA2 devices through a transitional mode of operation. All that means it may take several years before WPA3 becomes common place.
WiFi Easy Connect
The Wi-Fi Alliance also introduced Wi-Fi Easy Connect that aims to simplify on-boarding of Wi-Fi devices with limited or no display interface such as IoT or automation devices. Right now, in most cases, such devices start in access point mode in order to let you configure your WiFi router credentials (ESSID and password) in a web interface / or mobile app, before switching to client mode. WiFi Easy Connect instead relies on a device with a display such as a smartphone using a quick response (QR) code for faster and simpler configuration.
Further information, including WPA3 Technology Overview and WPA3 Specification v1.0, can be found on WiFi Alliance’s security page.
Via Liliputing
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress
“With Wi-Fi Easy Connect, a network owner chooses one device as the central point of configuration. Usually this device is one with a rich user interface, such as a smartphone or tablet, but could be any device capable of scanning a quick response (QR) code and running the protocol developed by Wi-Fi Alliance, the Device Provisioning Protocol (DPP). ”
Its a bit of a “chicken and egg” problem since you have to connect a wifi device (smartphone/tablet) before you can connect a wifi device.
WPA3 is here but will it protect you from connecting an open WiFi that is actually set up by eavesdropper? It will still have this vulnerability so having some encryption is necessary.
That’s what WPA enterprise does by deploying a key pair on router, radius server and phone to auth and encrypt the communication. But VPN is more flexible and easier to maintain for both homes, enterprises and governments so everyone ends up either air gaping when there’s a creditable threat or using a VPN when they want to be on the safe side.
If you really care about security as a home user, just stick to HTTPS (over HTTP) and look up how to switch to a secure DNS. Google is going to downgrade insecure HTTP very soon in Chrome as well as in their search results so unless you don’t trust the key authorities you really don’t need anything else.
WPA3 hacked not even one year after announcement: https://www.zdnet.com/article/dragonblood-vulnerabilities-disclosed-in-wifi-wpa3-standard/