Article - WPA3 – The Next Generation of Wi-Fi Protection

What is WPA3?

Back in June 2018, the Wi-Fi Alliance announced WPA3, which was designed to be the successor to WPA2, a standard that is now over a decade old. The main objective was to resolve the many problems of its predecessor.

In particular, this next generation of Wi-Fi security aims to bring new capacities that enhance Wi-Fi protections in a personal and enterprise environment. More specifically, it will add new features that simplify Wi-Fi security, enable more robust authentication, and deliver increased cryptographic strength for highly sensitive data markets. To achieve this, WPA3 will improve upon individual data encryption, strengthen privacy in open networks, and provide a standard of security expected for any network environment.

Therefore WPA3 adds four new technologies; Simultaneous Authentication of Equals (SAE), 192-bit Security Protocols, Easy Connect, and Enhanced Open, all of which are described in detail below.

Simultaneous Authentication of Equals (SAE)

The main security update included with WPA3 is Simultaneous Authentication of Equals (SAE). This is designed to replace the existing Pre-Shared Key (PSK) used by WPA2.

This improvement uses a variant of the dragonfly handshake that uses cryptography in order to prevent an eavesdropper from guessing a password, as a result SAE dictates exactly how a new client device, or user should communicate with a network router when exchanging cryptographic keys.

In addition SAE offers an additional security feature over PSK; forward secrecy, which will protect against an attacker that has obtained access to encrypted data that a router is sending and receiving from the Internet. Before SAE, an attacker could retain this information and if they manage to obtain a password they could decrypt the data. However SAE ensures that the encryption password is changed every time there is a new connection is established, making the previously obtained data useless. 

This will also protect against brute-force dictionary attacks, and therefore stop hackers from trying to guess every possible combination of a password. This could be compared to the current smartphone passcode security system, in which where repeated incorrect entries will lead to a user been refused entry to the Smart Phone’s interface. The same principle applies here.  

192-Bit Security Protocols

192-Bit encryption is exclusive to WPA3-Enterprise, and is aimed towards financial institutions, governments, and large organisations that require security beyond what is typically used in a SOHO environment. More specifically it is aimed at networks that have traffic that contains sensitive information, and although this protocol is not mandatory, the Wi-Fi Alliance is placing emphasise on enterprise networks to have a strong level of cryptographic strength throughout the entire network. The argument is that the overall strength of a system’s security is often dependent on the weakest link.

So in order to ensure the entire security of a network, from the beginning to the end is consistent with it’s security requirements, WPA3-Enterprise will use a 256-bit Galois / Counter Mode Protocol for encryption, a 384-bit Hashed Message Authentication Mode to create and confirm keys, and an Elliptic Curve Diffie-Hellman exchange and Elliptic Curve Digital Signature Algorithm to authenticate the keys.

In layman terms, it simply means that all aspects of a network will now have a minimum of 192-bit encryption, which is essential for privacy-conscious organisations.

Easy Connect

Easy Connect is an effort by the Wi-Fi Alliance to make connecting client devices more intuitive, for example instead of entering passwords when connecting to a network, you would instead scan a unique QR code functioning as a public key. Usually, this would be done by a device that can scan QR, such as a smartphone.  The only requirement is that the client device has to have already connected to the network.

Since Easy Connect is a separate protocol to WPA3, any Easy Connect clients can be certified providing that they are using either WPA2 or WPA3.

Enhanced Open

Enhanced Open is another protocol, but this one is designed to protect client devices on an open network. For example, in the existing open network protocol, it is possible for an attacker to gain data by simply from sifting through the data that is going in and out.

Therefore Enhanced Open now uses Opportunistic Wireless Encryption (OWE) to protect against any passive eavesdropping. It does not require any additional authentication protection and is designed to encrypt data sent over public networks.  In addition it can protect against an unsophisticated packet injection, this is when an attacker can attempt to subvert the network’s operations by constructing and transmitting data packets that mimic typical network traffic. In other words, pretending to be a wireless access point or wireless client in order to gain data from other wireless clients on the open network.

Problems With WPA2

Since WPA2 is over a decade old, it was never designed for the Internet-connected world we now live in, and thus one of the main shortcomings of WPA2 is security. One example of lapse security is IoT devices, many of which do not have the functionality for displaying or configuring security settings. WPA3 resolves this problem by allowing other client devices such as phones or tablets to configure these settings. 

Furthermore, a well known WPA2 vulnerability is KRACK (Key Reinstallation AttaCK), discovered by security researchers in October  2017. This flaw exploits the vulnerabilities in the four-way handshake of WPA2, this typically takes place when a client device wants to join a protected Wi-Fi network. WPA3 is not vulnerable to this. 


So in conclusion, WPA3 was designed to build on the foundation of WPA2 and resolve the security flaws of a decade-old protocol, and make wireless security more consistent with the predominately IoT world we now live in. However it will be a while before WPA3 becomes the norm, so in the meantime, WPA3 was designed to be backwards compatible with WPA2 devices and vice versa.