Why WPA3? And What Is It?
What is WPA3?
WPA3 (Wi-Fi Protected Access 3) represents the latest generation in mainstream security for wireless networks. It improves the level of security compared to the widely popular WPA2 standard (released in 2004), yet maintains backward compatibility.
However, supporting backward compatibility does not come without its challenges.
WPA3 comes in three main forms:
- WPA3-Personal (WPA3-SAE): a static passphrase-based mode. It provides stronger protection than WPA2-Personal, even when a weak passphrase is used, because the passphrase is no longer fed directly into the handshake. Instead, Simultaneous Authentication of Equals (SAE), WPA3's personal authentication method, runs a password-authenticated key exchange, so an eavesdropper who captures the exchange has nothing to brute-force offline.
- WPA3-Enterprise (WPA3-ENT): largely the same as its predecessor, WPA2-Enterprise (802.1X/EAP authentication), with one mandatory difference: management frame protection is required. An optional 192-bit mode, using a consistent suite of stronger ciphers (for example GCMP-256 for data frames and BIP-GMAC-256 for management frames), is also provided for the more security conscious.
- Wi-Fi Enhanced Open: improves privacy on open networks. Using Opportunistic Wireless Encryption (OWE), each client negotiates its own encryption key with the access point, so traffic is encrypted even though no password is used, which prevents passive eavesdropping. It does not add access control or authentication: anyone can still connect, and the client has no way to tell a legitimate AP from an impostor.
What are the Key Features of WPA3?
- Management Frame Protection (MFP, also called PMF): unicast management frames are encrypted and integrity-protected, and broadcast management frames are integrity-protected. This prevents, for example, forged deauthentication frames from being used to kick clients off the network, whether by an attacker forcing a reconnection for a man-in-the-middle or handshake-capture attack, or by WIDS/WIPS systems enforcing policy. WIDS/WIPS systems therefore have fewer brute-force ways to enforce client policy and will rely more heavily on notifying the administrator about rogue/honeypot APs, for example.
- Simultaneous Authentication of Equals (SAE): a password-authenticated key exchange that replaces WPA2's PSK-based handshake. It provides secure authentication and key agreement even when passwords don't meet complexity requirements: an attacker gets only one password guess per active attempt, so captured traffic cannot be attacked offline, and each session derives a fresh key, so just knowing the passphrase isn't enough to decrypt a session, during or after it (forward secrecy).
- Transition mode: Personal, Enterprise and Enhanced Open can each operate in a Transition Mode, in which the same network also accepts WPA2 connections (or, for Enhanced Open, plain open connections) from clients that don't support WPA3.
What’s So Good About WPA3?
The new WPA3 standard has several advantages. These include:
- WPA3 was designed with the security challenges of businesses in mind, yet it has modes of operation for both Personal and Enterprise use.
- An optional 192-bit security mode in WPA3-Enterprise, offering a higher level of cryptographic strength than WPA2.
- Wi-Fi Easy Connect, which lets a user onboard a device (for example a headless IoT device) by scanning its QR code with a device already on the network. This avoids typing or sharing the passphrase and simplifies secure onboarding of IoT devices.
- WPA3-Personal offers enhanced protection against offline dictionary attacks and password guessing through Simultaneous Authentication of Equals (SAE). Some commentators have suggested that it 'saves users from themselves' by offering improved security even if a user chooses a simpler password. It also offers forward secrecy, protecting past communications even if the password is later compromised.
What gotchas are there with WPA3?
Not many, really.
- First and foremost, do your homework: it's not advisable to switch blindly to WPA3, and certainly not without Transition Mode enabled. Your clients may not support it, and there may be early driver or compatibility issues even with Transition Mode enabled, which can affect connection quality.
- With Transition Mode, attackers can still target WPA2 if they see it as the more "hackable" option: the WPA2 four-way handshake can still be captured and the passphrase attacked offline. Even if someone gets onto the network that way, the WPA3 sessions of other clients remain protected, since knowing the passphrase is not enough to decrypt an SAE-protected session. Bear in mind, though, that network access is still network access: a transition-mode network is only as strong as its passphrase against the WPA2 path.
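The key features above (SAE and PSK AKM suites, the MFPC/MFPR bits behind Management Frame Protection, transition mode) and the transition-mode gotcha are all visible in the RSN information element an access point broadcasts in every beacon. The following decoder is an added example, not code from the original article or from any vendor: it parses a raw RSN element (element ID 48) as captured from a beacon or probe response, reports which WPA2/WPA3 mode the AP advertises, and flags the things a pentester or auditor would note, such as a WPA2-PSK fallback being present or SAE being advertised without PMF required. The sample elements at the bottom are constructed by hand for this example; the suite selector values are the standard IEEE 802.11 ones under OUI 00-0F-AC.

```python
"""Decode and classify a Wi-Fi RSN information element (element ID 48).

Added example for illustration; the sample elements in SAMPLES are constructed,
not captured from a real network.
"""
import struct

OUI_IEEE = b"\x00\x0f\xac"

# Suite selector type values under OUI 00-0F-AC (IEEE 802.11 RSN suite tables)
AKM_NAMES = {
    1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
    6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "802.1X-SuiteB",
    12: "802.1X-SuiteB-192", 18: "OWE",
}
CIPHER_NAMES = {
    2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256",
    10: "CCMP-256", 11: "BIP-GMAC-128", 12: "BIP-GMAC-256", 13: "BIP-CMAC-256",
}
MFPR = 0x0040  # RSN Capabilities bit 6: management frame protection required
MFPC = 0x0080  # RSN Capabilities bit 7: management frame protection capable


def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("RSN element truncated")
    return struct.unpack_from("<H", buf, off)[0]


def _suites(buf, off, count):
    """Read `count` 4-byte suite selectors; non-IEEE OUIs are kept as hex strings."""
    suites = []
    for _ in range(count):
        if off + 4 > len(buf):
            raise ValueError("RSN element truncated in suite list")
        oui, typ = buf[off:off + 3], buf[off + 3]
        suites.append(typ if oui == OUI_IEEE else f"{oui.hex()}:{typ}")
        off += 4
    return suites, off


def parse_rsn(ie: bytes) -> dict:
    """Parse element ID + length + body into group/pairwise/AKM suites and MFP bits."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN element")
    body, off = ie[2:], 0
    if _u16(body, off) != 1:
        raise ValueError("unsupported RSN version")
    off += 2
    (group,), off = _suites(body, off, 1)
    pairwise, off = _suites(body, off + 2, _u16(body, off))
    akm, off = _suites(body, off + 2, _u16(body, off))
    # Everything after the AKM list is optional; absent capabilities mean no MFP.
    caps = _u16(body, off) if off + 2 <= len(body) else 0
    off += 2
    group_mgmt = None
    if off + 2 <= len(body):
        pmkid_count = _u16(body, off)
        off += 2 + 16 * pmkid_count          # skip the PMKID list
        if off + 4 <= len(body):
            (group_mgmt,), off = _suites(body, off, 1)
    return {"group": group, "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR),
            "group_mgmt": group_mgmt}


def classify(info: dict):
    """Return (mode label, list of findings) for a parsed RSN element."""
    akm = {a for a in info["akm"] if isinstance(a, int)}
    sae, psk = bool(akm & {8, 9}), bool(akm & {2, 4, 6})
    dot1x = bool(akm & {1, 3, 5, 11, 12})
    findings = []
    if 2 in info["pairwise"] or info["group"] == 2:
        findings.append("TKIP cipher still allowed")
    if 18 in akm:
        mode = "Wi-Fi Enhanced Open (OWE)"
    elif sae and psk:
        mode = "WPA3-Personal transition mode (WPA2-PSK fallback)"
        findings.append("WPA2-PSK fallback: handshake can still be captured for offline cracking")
    elif sae:
        mode = "WPA3-Personal"
    elif 12 in akm:
        mode = "WPA3-Enterprise 192-bit"
        if info["pairwise"] != [9] or info["group_mgmt"] != 12:
            findings.append("192-bit mode requires GCMP-256 and BIP-GMAC-256")
    elif dot1x:
        # AKM selectors alone don't separate the two; PMF required is the WPA3 marker.
        mode = "WPA3-Enterprise" if info["mfpr"] else "WPA2-Enterprise"
    elif psk:
        mode = "WPA2-Personal"
    else:
        mode = "unknown"
    if (sae or 18 in akm or 12 in akm) and not info["mfpr"] and not (sae and psk):
        findings.append("WPA3/OWE advertised without MFPR: not a compliant WPA3 configuration")
    if sae and psk and not info["mfpc"]:
        findings.append("transition mode without MFPC: WPA3 clients cannot use PMF")
    return mode, findings


def classify_hex(hex_ie: str):
    return classify(parse_rsn(bytes.fromhex(hex_ie)))


# Constructed sample RSN elements, written as they would appear in a beacon.
SAMPLES = {
    "wpa2_psk":        "30 14 0100 000fac04 0100 000fac04 0100 000fac02 0000",
    "wpa3_transition": "30 18 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000",
    "wpa3_sae_only":   "30 14 0100 000fac04 0100 000fac04 0100 000fac08 c000",
    "wpa3_ent_192":    "30 1a 0100 000fac09 0100 000fac09 0100 000fac0c c000 0000 000fac0c",
    "enhanced_open":   "30 14 0100 000fac04 0100 000fac04 0100 000fac12 c000",
}

if __name__ == "__main__":
    for name, hex_ie in SAMPLES.items():
        mode, findings = classify_hex(hex_ie)
        print(f"{name:16} -> {mode}" + (f"  [{'; '.join(findings)}]" if findings else ""))
```

To use it on real data, pull the RSN element bytes out of a beacon in a capture (for example the tagged parameter with ID 48 from a packet-analysis tool) and pass them to `classify_hex`. The SAE-plus-PSK case is exactly the transition mode described above: the WPA3 clients get SAE and PMF, but the PSK selector sitting beside it is the WPA2 path an attacker will choose.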