What Is WPA3 and How Much Better Is It Than WPA2?
Good news, everybody: Wi-Fi Alliance® has officially announced WPA3, the successor of WPA2.
Many questions can emerge from this simple sentence. Who is Wi-Fi Alliance®? What is WPA3, and how is it different than WPA2? Why should I care? It's a long list, so we might as well crack on.
Established in 1999, Wi-Fi Alliance® is the organization that actually coined the term "Wi-Fi." You may or may not have noticed that a lot of the devices that can connect to your wireless network at home have a "Wi-Fi Certified" logo either on a sticker at the bottom or on the box they came in. This certification was issued by Wi-Fi Alliance® and its purpose is to make sure that your laptop, your smartphone, your internet-connected fridge, and the rest of your gadgets "know" how to communicate with your router. Wi-Fi Alliance® is responsible for choosing and developing the types of technology that will be used in wireless networks and ensuring that devices support it. WPA is one such type of technology.
What is WPA?
If your wireless network has a password, it most likely uses the WPA security protocol. As you probably know, when you're connected to a Wi-Fi network, your device communicates with the router and sends information its way. The router then transmits it over the wire to the relevant corner of the Internet. The job of WPA, or Wi-Fi Protected Access, is to ensure that the information that travels between your device and the router is encrypted.
WPA isn't the only protocol securing wireless networks. Back when Wi-Fi was still in its infancy, we had Wired Equivalent Privacy (or WEP), which used a cipher known as RC4 to encrypt the data coming from what back then were extremely heavy and not very portable laptops. While simple and fast, RC4 is not a very secure way of encrypting data as a whole, which means that WEP was inherently weak. In 2003, it was formally superseded by the first version of WPA.
The new protocol brought a few additional security features, including an integrity check for every single packet and the Temporal Key Integrity Protocol (or TKIP), which made the encryption much more secure.
"Much more secure" wasn't secure enough, however, and in 2004 WPA2 was born, using an encryption protocol based on AES (or Advanced Encryption Standard). In 2006, Wi-Fi Alliance® announced that from then on, all Wi-Fi certified products must support WPA2.
In October 2017, security researcher Mathy Vanhoef published details on a possible attack against WPA2 which he called KRACK (coming from Key Reinstallation Attack). He discovered that during the handshake process, adversaries can reset the Initialization Vectors responsible for creating encryption keys which, in turn, allows them to decrypt and possibly tamper with the information coming from and going to the device.
The attack isn't especially easy to pull off, and it must be said that responsible vendors did put out patches shortly after the public disclosure of the vulnerability. The security hole showed, however, that WPA2 is getting older. The stage was set for the arrival of WPA3.
WPA3: a step up
WPA3 isn't fundamentally different from WPA2, but it does come with a few advantages. A new "handshake" procedure, for example, renders KRACK attacks ineffective, and, as an added bonus, it also provides stronger protection against brute-forcing attempts, even when the password isn't complex or long enough.
Connecting smart "things" to the wireless network will also be easier with WPA3. Wi-Fi Alliance® has apparently paid close attention to the growing number of devices that have no displays and the challenges they pose when connecting to the Internet. WPA3 is supposed to address the issue.
The third change isn't going to help the home user very much, but it is quoted as another step forward. WPA3 comes with a 192-bit strength network security protocol, which should provide much better security in the enterprise environment.
The last key advantage of WPA3 is perhaps the most important one. We've talked about public Wi-Fi networks in the past, and we've discussed the security issues they pose. The biggest problem is the fact that when a Wi-Fi network is not protected by a password, the information exchanged between your device and the router is not encrypted and therefore trivial to intercept, steal, and tamper with. With WPA3, the packets of data coming from and going to your device will be encrypted even if there is no password. This is great news, especially for people who spend a lot of time in cafés and airports. Nevertheless, optimism should be cautious, as we've yet to see what sort of attacks the bad guys will come up with. Before they can think of something, however, people will first need to adopt WPA3.
When will WPA3 become the norm?
The protocol was first announced in January, but Wi-Fi Alliance® has only just started certifying devices, so unless you're ready to replace all your gadgets with WPA3 certified ones at once, you'll need to wait until you can take full advantage of the new protocol. The rate at which new devices come and go these days does suggest that it probably won't be too long.