Wi-Fi Alliance Launches WPA3 Security Standard (securityweek.com)

← Back to Stories (view on slashdot.org)

Wi-Fi Alliance Launches WPA3 Security Standard (securityweek.com)

Posted by msmash on Tuesday June 26, 2018 @03:20AM from the it's-here dept.

wiredmikey writes: The Wi-Fi Alliance, the organization responsible for maintaining Wi-Fi technology, announced the launch of the WPA3 security standard. The latest version of the Wi-Fi Protected Access (WPA) protocol brings significant improvements in terms of authentication and data protection.

WPA3 has two modes of operation: Personal and Enterprise. WPA3-Personal's key features include enhanced protection against offline dictionary attacks and password guessing attempts. WPA3-Enterprise provides 192-bit encryption for extra security, improved network resiliency, and greater consistency when it comes to the deployment of cryptographic tools.

97 comments

Min score:

Reason:

Sort:

Some info by Artem+S.+Tashkinov · 2018-06-26 03:22 · Score: 5, Informative
Too bad, my submission has been rejected even though it had a lot more information which I'll post anyways:
New security features include:
- WPA3 uses the Simultaneous Authentication of Equals (SAE) algorithm, which replaces Pre-shared Key (PSK) in WPA2-Personal, while WPA3-Enterprise uses a more complex set of features that replace IEEE 802.1X from WPA2-Enterprise. These are: authenticated encryption, key derivation and confirmation, key establishment and authentication, robust management frame protection.
- WPA3 is resistant to dictionary attacks. The Wi-Fi Alliance says that WPA3's SAE is resistant to offline dictionary attacks where an attacker tries to guess a Wi-Fi network's password by trying various passwords in a quick succession.
- Wi-Fi Easy Connect for WPA2 and WPA3: This feature is aimed at smart (Internet of Things) devices that don't have a screen where a user can configure its Wi-Fi network settings. For example, a user will be able to use his phone or tablet to configure the WiFi WPA3 options of another device that doesn't have a screen, such as tiny IoT equipment like smart locks, smart light bulbs, and others.
- Wi-Fi Enhanced Open: a proprietary technology, which uses an algorithm known as Opportunistic Wireless Encryption (OWE) to encrypt each connection between a WiFi user and the router/access point with its own custom encryption key. This per-user encryption prevents local attackers from snooping on other users' traffic, even if the network doesn't require a password to join.
Source
1. Re:Some info by Anonymous Coward · 2018-06-26 03:28 · Score: 2, Interesting
  
  its a poorly kept secret that wiredmikey is banging msmash
  your submission had no chance
2. Re:Some info by TeknoHog · 2018-06-26 05:17 · Score: 1
  Wi-Fi Enhanced Open: a proprietary technology, which uses an algorithm known as Opportunistic Wireless Encryption (OWE) to encrypt each connection between a WiFi user and the router/access point with its own custom encryption key. This per-user encryption prevents local attackers from snooping on other users' traffic, even if the network doesn't require a password to join.
  War is Peace
  Freedom is Slavery
  Ignorance is Strength
  Open is Proprietary
  --
  Escher was the first MC and Giger invented the HR department.
3. Re:Some info by thegarbz · 2018-06-26 05:35 · Score: 1
  
  With a word salad like that I'm not surprised it was rejected. That was incredibly hard to read. Summaries and formatting exist for a reason and a Slashdot Sunday shouldn't take up my entire screen.
She has huuuuge tracts of land... by the_skywise · 2018-06-26 03:24 · Score: 4, Funny

WEP sank into the swamp
So we built WPA on top of it and it sank into the swamp
Then we build WPA2 on top of it and it caught fire and sank into the swamp
But WPA3.. WPA3 will stand the test of time!
1. Re:She has huuuuge tracts of land... by Anonymous Coward · 2018-06-26 03:29 · Score: 0
  
  But WPA3.. WPA3 will stand the test of time!
  Anybody selling that lie needs to understand that ALL cryto based security techniques are temporary, regardless of how well they are envisioned and implemented.
2. Re:She has huuuuge tracts of land... by fred6666 · 2018-06-26 03:35 · Score: 1
  
  WPA2 with CCMP (not TKIP) is still secure enough
3. Re:She has huuuuge tracts of land... by Anonymous Coward · 2018-06-26 03:37 · Score: 0
  
  But WPA3.. WPA3 will stand the test of time!
  No. It's DOA, next!
4. Re:She has huuuuge tracts of land... by Anonymous Coward · 2018-06-26 03:57 · Score: 0
  
  Yes it will, until WPA 4 introduces OWE (Opportunistic Wireless Encryption).
5. Re: She has huuuuge tracts of land... by Anonymous Coward · 2018-06-26 04:24 · Score: 0
  
  That whooshing noise you just heard was both the joke and the OP's sarcasm going right over your head
6. Re:She has huuuuge tracts of land... by Anonymous Coward · 2018-06-26 04:39 · Score: 0
  
  And replacing 802.1X, another working and well-adopted standard with something more complex and limited at this time is a bad idea.
  In light of advancement costs and uncertainties, stick with what is known-good.
7. Re:She has huuuuge tracts of land... by Tony+Isaac · 2018-06-26 04:58 · Score: 1
  
  It's an arms race. Each new iteration of security is presumably stronger, but the bad actors also get smarter. There will never be a "final" version.
8. Re: She has huuuuge tracts of land... by CyberRacer · 2018-06-26 05:42 · Score: 1
  
  Life is a GAN.
9. Re:She has huuuuge tracts of land... by WaffleMonster · 2018-06-26 05:49 · Score: 1
  
  Anybody selling that lie needs to understand that ALL cryto based security techniques are temporary, regardless of how well they are envisioned and implemented.
  Which is why Wi-Fi Alliance has no business rolling their own. They should use TLS at least to derive session keys if for no other reason than crypto agility.
10. Re:She has huuuuge tracts of land... by Anonymous Coward · 2018-06-26 06:47 · Score: 0
  
  Final secure version: ethernet cable.
11. Re:She has huuuuge tracts of land... by jrumney · 2018-06-26 15:17 · Score: 1
  
  How do you propose that the Transport Layer be used to provide security for the Data Link Layer?
12. Re:She has huuuuge tracts of land... by WaffleMonster · 2018-06-26 18:02 · Score: 1
  
  How do you propose that the Transport Layer be used to provide security for the Data Link Layer?
  TLS is transport agnostic. Just needs something that acts like a byte stream to work. TLS is for example is commonly negotiated over 802.1x/EAPOL which in-turn provides encryption keys to lower layers.
Upgrading existing WPA2 WiFI APs by Anonymous Coward · 2018-06-26 03:27 · Score: 2, Interesting

Is this something a router/access point running OpenWRT could upgrade to? Or would WPA3 require a driver/firmware upgrade as well?
1. Re:Upgrading existing WPA2 WiFI APs by blahbooboo · 2018-06-26 03:39 · Score: 1
  
  Strange the article doesn't mention about upgrade ability. I assume there is none like last time for WPA to WPA2.
2. Re: Upgrading existing WPA2 WiFI APs by Anonymous Coward · 2018-06-26 03:48 · Score: 0
  
  I imagine it could be software upgradable. The question is does it use the same ciphers? A lot of wifi network gear uses hardware encryption acceleration. If the existing wifi gear can't use the hardware acceleration for wpa3, then you're going to be implementing that encryption in software which will likely be slow as balls.
3. Re:Upgrading existing WPA2 WiFI APs by Artem+S.+Tashkinov · 2018-06-26 03:52 · Score: 1
  
  It will definitely require a new version of the wpa_supplicant daemon and probably drivers will have to be updated as well, but other than that, I see no issues.
4. Re: Upgrading existing WPA2 WiFI APs by Anonymous Coward · 2018-06-26 03:53 · Score: 0
  
  Probably the only reason there weren't upgrade paths is due to the all mighty dollar. A new WPA standard is a reason to get people to pay to upgrade their decade old wifi gear. Why cannibalise your sales by releasing upgraded drivers/firmware. Probably the only stuff that will see software upgrades to wpa3 is expensive commercial/enterprise wifi gear
5. Re: Upgrading existing WPA2 WiFI APs by Artem+S.+Tashkinov · 2018-06-26 03:55 · Score: 1
  
  WPA3 still uses AES but with some additional quirks which shouldn't take too much CPU power 'cause the WPA standard takes low power/low performance devices into consideration.
6. Re:Upgrading existing WPA2 WiFI APs by pak9rabid · 2018-06-26 03:59 · Score: 1
  
  I would imagine new hardware would be required, IF you want to offload the new features off of the CPU, otherwise updated drivers/wpa_supplicant daemon should probably be sufficient.
7. Re: Upgrading existing WPA2 WiFI APs by Anonymous Coward · 2018-06-26 04:00 · Score: 0
  
  Maybe also the gear provided by your Telco/cable provider. People will want wpa3 and those providers aren't going to want to shell out the dollars for new gear and truck rolls to install it. They'll work out deals with the hardware makers for a software update
8. Re:Upgrading existing WPA2 WiFI APs by Anonymous Coward · 2018-06-26 04:02 · Score: 0
  
  Do you expect the new protocol, which is not on your device yet, to somehow upgrade you?
  Hardware vendors will be happy to sell you a new device that supports WPA3, and some might even give you a free a software update.
9. Re:Upgrading existing WPA2 WiFI APs by skids · 2018-06-26 07:07 · Score: 1
  
  Yes, pretty sure. WPA3 development for hostapd has been proceeding abreast the standard development process. Perhaps some chipsets may not be able to pull off the 192-bit crypto suite in hardware... but nearly nobody will deploy that I would guess. No idea on timelines... you can watch for code commits on w1.fi/cgit but you need to know a whole buttload of acronyms to understand WTH is going on.
  
  --
  Someone had to do it.
10. Re: Upgrading existing WPA2 WiFI APs by Anonymous Coward · 2018-06-26 12:11 · Score: 0
  
  Cheaper to work out a deal with the standards body to declare WPA3 baseline as WPA2, or Wep, in fallback mode.
  Bam WPA3 reverse compatible, logo approved.
11. Re: Upgrading existing WPA2 WiFI APs by Anonymous Coward · 2018-06-28 10:23 · Score: 0
  
  The existing hardware is going to have limited buffers and crunching power (key slots and such). New hardware will be needed to avoid software overhead.
Why are there two? by Anonymous Coward · 2018-06-26 03:29 · Score: 1

Why are there separate Personal and Enterprise ones?
1. Re:Why are there two? by Anonymous Coward · 2018-06-26 03:38 · Score: 0
  
  Enterprise usually means it is integrated to work with a domain controller.
2. Re:Why are there two? by iTrawl · 2018-06-26 03:38 · Score: 1
  
  What's the difference between Personal and Enterprise profiles?
  
  --
  "Everybody's naked underneath" -- The Doctor
3. Re:Why are there two? by Anonymous Coward · 2018-06-26 03:39 · Score: 0
  
  Money.
  One OBVIOUSLY costs more and is OBVIOUSLY better.
4. Re:Why are there two? by chris234 · 2018-06-26 03:52 · Score: 1
  
  With luck this time devices will need to support both personal and enterprise to be considered WPA3 compliant. Lack of enterprise support is one of the big pain points in supporting consumer-grade devices on a campus network.
5. Re:Why are there two? by EndlessNameless · 2018-06-26 03:56 · Score: 2
  
  It depends on whether you're willing to spend money for additional security.
  Personal authentication is less secure, but you don't need anything besides the router.
  Enterprise authentication is more secure but requires additional infrastructure. E.g., the 802.1X authentication for WPA2 Enterprise requires a RADIUS server or equivalent to authenticate users. Since enterprise authentication is unique for each user, you can assign network access with per-user profiles with more equipment (e.g., Cisco ISE).
  
  --
  
  ---
  According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
6. Re:Why are there two? by Anonymous Coward · 2018-06-26 05:02 · Score: 0
  
  Fortunately that is not longer a problem. We haven't had any such devices reported on our network in the last 4 years and the last one was some obscure 32-bit only netbook.
7. Re:Why are there two? by omnichad · 2018-06-26 05:08 · Score: 2
  
  Short version: because when you fire an employee you want to cut their wifi access without changing everyone else's password.
8. Re:Why are there two? by David_Hart · 2018-06-26 05:10 · Score: 1
  
  It depends on whether you're willing to spend money for additional security.
  Personal authentication is less secure, but you don't need anything besides the router.
  Enterprise authentication is more secure but requires additional infrastructure. E.g., the 802.1X authentication for WPA2 Enterprise requires a RADIUS server or equivalent to authenticate users. Since enterprise authentication is unique for each user, you can assign network access with per-user profiles with more equipment (e.g., Cisco ISE).
  And if you want to do Corporate certificate authentication it requires a certificate infrastructure, certificate management, and a way to install certificates on devices (i.e. AD policies, Airwatch, etc.).
9. Re:Why are there two? by SuiteSisterMary · 2018-06-26 05:48 · Score: 3, Informative
  
  The very reductive, overly-simplified short form is 'personal asks you for THE wi-fi password. Enterprise asks you for YOUR wi-fi password.'
  
  --
  Vintage computer games and RPG books available. Email me if you're interested.
10. Re: Why are there two? by CyberRacer · 2018-06-26 06:03 · Score: 1
  
  Because the message is "Corps are important, you're not."
11. Re:Why are there two? by WaffleMonster · 2018-06-26 06:07 · Score: 1
  
  Personal authentication is less secure, but you don't need anything besides the router.
  The F**** it is. If you select a PSK with sufficient entropy and successfully guard it from "undesirables" it's way more secure than enterprise.
  
  Enterprise authentication is more secure but requires additional infrastructure. E.g., the 802.1X authentication for WPA2 Enterprise requires a RADIUS server or equivalent to authenticate users.
  LOL... is this the same ultra secure protocol that encrypts session encryption keys between authenticator and AP with MD5 xor? Give me a break.
12. Re:Why are there two? by skids · 2018-06-26 07:13 · Score: 1
  
  It's all the little TV-attached gadgets these days. No laptops or phones ship without WPA2-Enterprise.
  Now, tons of them still arrive with an insecurable PEAP-MSCHAP/TTLS implementation (thanks tons Google) but that's a different issue.
  
  --
  Someone had to do it.
13. Re:Why are there two? by skids · 2018-06-26 07:22 · Score: 1
  
  The F**** it is. If you select a PSK with sufficient entropy and successfully guard it from "undesirables" it's way more secure than enterprise.
  It's the guarding it from undesirables part that makes WPA2 less secure. Otherwise it is as secure, not more secure, than properly implemented WPA2-Enterprise.
  The trick to properly implementing WPA2-Enterprise is mostly in the client setup, as long as you follow some pretty well understoof best practices on the server side.
  As to the GP: if your OpenWRT box has enough RAM and flash, you can get the entire WPA2-Enterprise stack up on a single device.
  
  --
  Someone had to do it.
14. Re:Why are there two? by WaffleMonster · 2018-06-26 07:40 · Score: 1
  
  The trick to properly implementing WPA2-Enterprise is mostly in the client setup, as long as you follow some pretty well understoof best practices on the server side.
  I disagree. With one or a small number of individuals WPA2 provides superior security.
  I've never seen a properly configured supplicant in my life.
  Basic things like linking cert identity to what your connecting to have been punted to clueless end users. The only reasonable way WPA2-Enterprise works in practice is by pushing configuration to clients in advance.
  I've also never seen a secure authenticator in my life. I very much doubt a secure implementation even exists in the field. Encryption keys for the channel between authenticator and AP are literally encrypted with MD5(secret + authvector + salt) XOR key.
15. Re:Why are there two? by skids · 2018-06-26 08:00 · Score: 1
  
  I've never seen a properly configured supplicant in my life.
  If you have few enough users that you can safely share the PSK among them, you have few enough
  users to go secure their supplicants. Also, even misconfigured OSX users are relatively safe assuming they
  connect safely the first time, given the supplicant's pinning behavior.
  
  I've also never seen a secure authenticator in my life.
  ...you ain't been around. Most systems these days authenticate from the controller, not the AP,
  so the RADIUS all happens in the DC, behind locked doors. AP/Controller comms is by IPSec
  or a vendor's minor perversion of IPSec, usually built on top of a hardware TPM loaded with a
  factory device cert. Also a lot of the controllers support either terminating IPSec generically,
  or RadSec for RADIUS.
  (in the case of the OpenWRT setup I mentioned, RADIUS traffic never leaves the box, but
  of course you could do RADSec or IPSec if you needed to.)
  
  --
  Someone had to do it.
16. Re:Why are there two? by WaffleMonster · 2018-06-26 08:37 · Score: 1
  
  ...you ain't been around. Most systems these days authenticate from the controller, not the AP,
  so the RADIUS all happens in the DC, behind locked doors. AP/Controller comms is by IPsec or a vendor's minor perversion of IPSec,
  You're right, I've not been around. I've never seen an environment where any of this has occurred. All I see are APs terminating RADIUS and RADIUS over insecure WAN/LAN and even Internet links.
  
  Also a lot of the controllers support either terminating IPSec generically,
  or RadSec for RADIUS.
  Now I know you are just fucking with me. A lot of nothing currently supports RadSec.
17. Re:Why are there two? by Anonymous Coward · 2018-06-26 08:37 · Score: 0
  
  What makes enterprise more secure is the fact that the encryption key changes with each user session. So even if someone manages to break your WPA2 Ent. key, they can only get data from that single session, next time you sign on you are on a new key and they have to break it all over again. It also means each device uses a different key. Yet again this protects against a key that gets broken.
18. Re:Why are there two? by WaffleMonster · 2018-06-26 09:32 · Score: 1
  
  What makes enterprise more secure is the fact that the encryption key changes with each user session. So even if someone manages to break your WPA2 Ent. key, they can only get data from that single session
  There are two avenues of attack either one is sufficient to completely retroactively defeat session encryption.
  The first and most difficult avenue is defeating session keys derived between authenticator and supplicant.
  Session keys are derived from the TLS sessions premaster secret + peer randoms. If the authenticator's private key is compromised you can do the exact same shit and compromise all prior sessions for the case where TLS premaster secret was not derived from a forward secure cipher suite. Depending on your environment this may be a much safer bet than you realize given the amount of legacy BS tolerated and lack of visibility and tools to detect these kinds of configuration problems.
  
  next time you sign on you are on a new key and they have to break it all over again
  The second approach is defeating the transport of session keys between authenticator and whatever is terminating encryption. This typically means link between RADIUS server and access point.
  The only secret information is RADIUS secret everything else is sent in the clear unless the link was protected separately. If I have the encryption key and the encrypted version of it I can now attack the servers secret with impunity offline. If my attack is successful and I successfully compromise the RADIUS secret every damn session that ever used that key I instantly have access to even if the best cipher suite in the world with super forward security was used.
19. Re:Why are there two? by skids · 2018-06-26 10:06 · Score: 1
  
  I guess HPE-Aruba counts as a lot of nothing?
  https://www.arubanetworks.com/...
  
  --
  Someone had to do it.
20. Re:Why are there two? by WaffleMonster · 2018-06-26 11:53 · Score: 1
  
  I guess HPE-Aruba counts as a lot of nothing?
  Did some trolling of vendor sites and while most vendors in our orbit of the world don't support RadSec I did find two that do. This is really nice to see and somewhat unexpected. I hope adoption picks up rapidly.
21. Re:Why are there two? by skids · 2018-06-26 12:19 · Score: 1
  
  Yeah... the generic IPSec support for control plane stuff is even better, but I'll take RADSec when I can't get that.
  (We were actually running it from FreeRADIUS with the eduroam TLRs for a while but they stopped supporting it. Hopefully to return some day.)
  Was just reading up on EAP-PWD as a result of this thread... needs a password change mechanism and identity privacy but good to see something
  else practical gaining some small toehold (on Android).
  Maybe wrap it in an opportunistic unauthenticated TLS session to gain fast resumption and identity privacy against passive (but not active) attackers, but that still leaves you without an inline password-change mechanism...
  
  --
  Someone had to do it.
22. Re:Why are there two? by WaffleMonster · 2018-06-26 14:43 · Score: 1
  
  Was just reading up on EAP-PWD as a result of this thread... needs a password change mechanism and identity privacy but good to see something
  else practical gaining some small toehold (on Android).
  EAP-PWD = Dragonfly = Flawed = Fixed protocol = Mistake.
  Just use EAP-TLS yet rather than or in addition to certs use a PAKE at TLS layer like TLS-SRP. It is drop in compatible with existing RFCs, you just need to write a couple of callbacks to make it work and it will benefit from generic interfaces for other PAKE like ciphers to provide crypto-agility in TLS 1.3 and beyond so your not constantly chasing protocols.
  
  Maybe wrap it in an opportunistic unauthenticated TLS session to gain fast resumption and identity privacy against passive (but not active) attackers, but that still leaves you without an inline password-change mechanism...
  The nice thing about TLS-SRP it allows you to do both RSA and SRP so identity doesn't have to be in the clear.
23. Re:Why are there two? by Anonymous Coward · 2018-06-26 17:12 · Score: 0
  
  You keep demonstrating your stupidity. You should probably find a hole to crawl into and die.
Personal and Enterprise bs. by Anonymous Coward · 2018-06-26 03:49 · Score: 2

continuing the bs... It should be as good as it can be... no need for half arsed Personal version
1. Re:Personal and Enterprise bs. by jeff4747 · 2018-06-26 04:28 · Score: 1
  
  To make use of the additional features of the enterprise version you need additional servers and networking equipment.
  Without that additional equipment, you're running the personal version anyway.
2. Re:Personal and Enterprise bs. by Anonymous Coward · 2018-06-26 06:07 · Score: 0
  
  Why can't it all be built in to a single device?
3. Re:Personal and Enterprise bs. by Anonymous Coward · 2018-06-26 07:24 · Score: 0
  
  It sure can be, but to use it you still need multiple *services* like the user repository.
4. Re:Personal and Enterprise bs. by Anonymous Coward · 2018-06-26 08:41 · Score: 0
  
  The only additional thing you need to run WPA2 Ent is a radius server. Something that can run on the router itself on both ddwrt and openwrt. Of you can use a separate radius server if you wish
5. Re:Personal and Enterprise bs. by jeff4747 · 2018-06-26 12:43 · Score: 1
  
  And this is WPA3. It offers more than WPA2. RTFA.
And in 5 years it will be finally be everywhere by Anonymous Coward · 2018-06-26 03:52 · Score: 0

- one year after it's been CrAcKeD!
Opportunistic Wireless Encryption by crow · 2018-06-26 03:53 · Score: 4, Insightful

Most of this is incremental security improvements, as for most users, WPA2 is still sufficiently secure. However, the big deal here is the opportunistic encryption that will encrypt connections that don't require authentication. That's a big deal.
I like to leave my WiFi open for guests, but I have to set up a separate network in order to keep my regular use encrypted. Once everything supports opportunistic encryption, I can just have one network. That's not particularly important.
Where this matters is public WiFi. Many stores have free WiFi with no password. Often they have a login after you connect (annoying, but a separate issue), but there is no encryption on the link. Anyone who knows what they're doing can see every packet you send. When this technology becomes widespread, it will become a bit harder for evesdroppers.
Of course, using public WiFi, you should be using end-to-end encryption on anything important. This is pretty much standard these days for most things, but too often something slips through.
1. Re:Opportunistic Wireless Encryption by Artem+S.+Tashkinov · 2018-06-26 04:06 · Score: 1
  
  WPA2 is still sufficiently secure
  
  Aside from open networks like you've mentioned. Also, WPA2 allows offline password recovery when authentication is enabled and that's a really bad thing since many people like to use very simple digit only passwords which can be trivially guessed using a modern GPU and hashcat or using a service like GPUHash.
2. Re:Opportunistic Wireless Encryption by WaffleMonster · 2018-06-26 05:52 · Score: 1
  
  However, the big deal here is the opportunistic encryption that will encrypt connections that don't require authentication. That's a big deal.
  That's an oxymoron.
3. Re:Opportunistic Wireless Encryption by Anonymous Coward · 2018-06-26 06:20 · Score: 0
  
  Anyone who knows what they're doing can see every packet you send. When this technology becomes widespread, it will become a bit harder for evesdroppers.
  Until it gets nixed by the various Eyes. Can't exactly fork over those keys if they are auto generated per session. I'm also sure that there will be a regional block too in the UK, with the settings probably stored in the radio firmware so they can't be altered. The real fun is what happens when a US wifi radio, say on a smartphone, tries to connect to a UK AP. Does it disable the opportunistic encryption and not say anything to the user? Or does it block the wifi connections? Or does it attempt, but the UK radio denies the connection? Or does the UK radio violate it's own region's laws for that specific device? Can't wait to see that play out here in the news. I'll have the popcorn on standby.
4. Re:Opportunistic Wireless Encryption by crow · 2018-06-26 06:29 · Score: 1
  
  No, it's not.
  Encryption means a third party eavesdropping can't parse the communication.
  Authentication means the host validates the identity of the client, typically using a password.
  There's no requirement that these be linked. Of course, authentication without encryption is quite difficult to do securely. Encryption without authentication does leave the door open for a man-in-the-middle attack, but it does block passive monitoring.
5. Re:Opportunistic Wireless Encryption by skids · 2018-06-26 06:54 · Score: 1
  
  It's an improvement, and I'd much rather have it than not, but without any authentication you have no way of knowing in a public WiFi hotspot if the AP you connected to is the one operated by the hotspot, or the one running off the laptop of the guy next to you sipping a latte he payed for from the bank account of the last guy who sat where you are sitting. Same goes for anything using a symmetric key, so adding a WiFi password that you then tell to everyone does not help things.
  It's TBD whether the extra safety it provides will balance out the extra risk assumed because everyone feels compelled to use unauthenticated WiFi systems for customer convenience... but since nearly none of them were doing WPA2-E with a known guest user/password and a CA-signed AAA cert to begin with, it's probably a net plus.
  
  --
  Someone had to do it.
6. Re:Opportunistic Wireless Encryption by WaffleMonster · 2018-06-26 07:07 · Score: 1
  
  No, it's not.
  Yes it is.
  
  Encryption means a third party eavesdropping can't parse the communication.
  Encryption without trust is an oxymoron. "Third party" is a rather meaningless concept when you have no earthly clue who the "first party" is in the first place.
  
  There's no requirement that these be linked.
  Trust is a core requirement of EVERY secure system with NO EXCEPTIONS.
  
  Encryption without authentication does leave the door open for a man-in-the-middle attack, but it does block passive monitoring.
  Who cares? If I can receive a signal I can transmit one just as easily. All WiFi radios are transceivers.
  Given proliferation of https the salient threat to end users from unsecured Wi-Fi has always taken the form of ACTIVE adversaries doing a hell of a lot more than just passively listening in.
  Opportunistic encryption is better than nothing yet it isn't a solution to any problem. The biggest fear I have is the word "encryption" has a completely different meaning to the general public. When someone uses the phrase. "It's encrypted" what the public hears is "It's secure"... Having no security is better than transmitting a false impression of one. I refuse to believe "encrypted" won't be speciously advertised where no actual security exists.
7. Re:Opportunistic Wireless Encryption by Anonymous Coward · 2018-06-26 10:04 · Score: 0
  
  An active attack (e.g. a MITM attack) is detectable. A passive attack (e.g. eavesdropping on a WPA2 encrypted connection when you know the PSK) is undetectable. That's an important difference and encryption without authentication makes this difference. Preventing active and passive attacks is better than only preventing passive attacks, but only preventing passive attacks is better than not preventing any attacks.
8. Re:Opportunistic Wireless Encryption by WaffleMonster · 2018-06-26 11:37 · Score: 1
  
  An active attack (e.g. a MITM attack) is detectable.
  If active attacks are so detectable why are they allowed to happen? Why are they not "detected"? Did the attacker forget to set evil bit?
  
  A passive attack (e.g. eavesdropping on a WPA2 encrypted connection when you know the PSK) is undetectable.
  I think I understand in narrow must be true by construction of argument sense if nothing transmits a signal then a transmitted signal can't be detected. Otherwise in any context with real life import this assertion is most certainly false.
  In the real world there must be time and effort expended to prepare attacks. The receiver must have a physical presence and associated resource requirements (power, backhaul or storage). Someone has to transport it into place and possibly remove it.
  Generally there will also be some kind of consequence associated with being hacked that can be detected even if no signal is transmitted. For example if everyone at Harbucks who purchased something from "e-bay.com" had their card account wiped out there is still opportunity for detection.
  
  That's an important difference and encryption without authentication makes this difference
  Here is where things go off the rails. If you have such magical ability to determine whether a transmitter is associated with a "good" person rather than a "bad" person then why not leverage such ability to prevent bad people from doing something bad in the first place?
  At present most WiFi attacks worth pulling off are in fact active attacks and have been such for quite some time. In the era of proliferation of E2E encryption (e.g. https) passive sniffing is not a profitable enterprise. You won't get any passwords or credit card numbers or anything of value by passively sniffing wires because most data is encrypted anyway regardless of whether wireless link is or is not encrypted.
  
  Preventing active and passive attacks is better than only preventing passive attacks, but only preventing passive attacks is better than not preventing any attacks.
  Opportunistic encryption is better than nothing yet it also solves nothing and is therefore pointless and not worth mentioning or advertising.
  If this is ever sold or advertised to end users as a "security" or "encryption" feature then I would argue that YES opportunistic encryption is actually worse than nothing because misleading indications are being fed to the public and people may assume something is secure when in fact no such assumption is warranted.
9. Re:Opportunistic Wireless Encryption by Anonymous Coward · 2018-06-26 12:37 · Score: 0
  
  At present most WiFi attacks worth pulling off are in fact active attacks and have been such for quite some time.
  Allow me to present an analogy: Government spies do "full take" surveillance. They just record everything. This is a passive attack and it's thwarted even by encryption without authentication. You may think that most Wifi attacks worth pulling off are active attacks, but I posit that you only think so because you don't hear much about passive attacks, as they are practically impossible to detect. (And by detect I don't mean infer from something else that an attack must have happened, but noticing the ongoing attack itself.)
10. Re:Opportunistic Wireless Encryption by AHuxley · 2018-06-26 13:56 · Score: 1
  
  Re "f active attacks are so detectable why are they allowed to happen? Why are they not "detected"? Did the attacker forget to set evil bit?"
  Once the crypto over wifi is working its working well and strong. Thats not the way in.
  The trick was that very first part when wifi had to talk for the first time to a new wifi communications attempt.
  The very first attempt at a reach out and before the start of encryption could be overpowered as to allow a third party to become part of that later "secure" wifi network.
  Keep trying, blocking and forcing both sides to restart the network setup negotiations and a third party might just be accepted. They are then part of the new wifi network. A way into a computer.
  
  --
  Domestic spying is now "Benign Information Gathering"
11. Re:Opportunistic Wireless Encryption by WaffleMonster · 2018-06-26 14:53 · Score: 1
  
  Allow me to present an analogy: Government spies do "full take" surveillance. They just record everything. This is a passive attack and it's thwarted even by
  So now I'm supposed to think that stalking is "attacking" or were the goal posts installed in shifting sands? Where do I file a criminal complaint against Google and Microsoft for "attacking" me?
  Government spies are pulling everything enmasse from fiber taps of all the tier 1 carriers. They don't give a crap about local Harbucks wifi except to collect MAC addresses and perform trivial flow analysis to deduce your address and what your doing regardless of your use of encryption.
  
  encryption without authentication. You may think that most Wifi attacks worth pulling off are active attacks, but I posit that you only think so because you don't hear much about passive attacks, as they are practically impossible to detect.
  I posit invisible fire breathing dragons exist but you don't hear much about them since of course they are invisible.
12. Re:Opportunistic Wireless Encryption by Anonymous Coward · 2018-06-26 16:56 · Score: 0
  
  How much paint have you been huffing?
13. Re:Opportunistic Wireless Encryption by Anonymous Coward · 2018-06-26 17:58 · Score: 0
  
  Are you daft? We know that passive attacks on WPA/2 exist.
14. Re:Opportunistic Wireless Encryption by WaffleMonster · 2018-06-26 18:18 · Score: 1
  
  Are you daft? We know that passive attacks on WPA/2 exist.
  The thread has nothing to do with attacking WPA2. It's all about stupid pointless quibbling over the relative uselessness of "opportunistic encryption".
  OP incorrectly believes it's a "big deal".
  I think it's better than nothing and worth doing but only if kept quiet and not advertised to the public as a security measure.
15. Re: Opportunistic Wireless Encryption by lsatenstein · 2018-06-27 07:35 · Score: 1
  
  I am a home desktop user. For my passwords, I run a sha256sum against a text string that I can easily remember for a given website and I use that sha256sum hash as my password. The hash from sha256sum is long enough that they can't figure out my initial text input. My simple text string is easy to remember as I can't ever remember what my hashed value waz or would be.
  
  --
  Leslie Satenstein Montreal Quebec Canada
Will enterprise still be a clusterfuck to setup? by Anonymous Coward · 2018-06-26 03:55 · Score: 2, Interesting

I understand that WPA Enterprise is built off existing technologies but holy fuck setting up it's infrastructure should not be like pulling teeth.
If someone could figure out a way to create an easy to implement, reasonable cost WPA enterprise-as-a-service they would literally print fucking money. Bonus if you could tie it in to an SSO service.
Most important feature by Anonymous Coward · 2018-06-26 03:55 · Score: 5, Interesting

Knowledge of the pre-shared key in personal mode no longer give an attacker the opportunity to decrypt everything on the network. In WPA and WPA2, an attacker who knows the PSK (for example that of a public hotspot) can passively record the handshake frames and recover the keys used by other clients. WPA3 prevents this, so even when you use a public hotspot, the connections between your computer and the access point are secure against passive attacks. (An attacker can still perform a MITM attack because there is no way to authenticate a public hotspot with a non-secret PSK.)
Re: Professor Fritzen Posten by Anonymous Coward · 2018-06-26 04:02 · Score: 1

I showed up, but the professor was late. So we all went home.
Re: Will enterprise still be a clusterfuck to setu by Anonymous Coward · 2018-06-26 04:28 · Score: 0

If you are a Windows shop, there was a really easy to use article on how to set that up with MS services maybe 10 years back. I'll try to find it and reply back if I do.
Re: Will enterprise still be a clusterfuck to set by Anonymous Coward · 2018-06-26 04:34 · Score: 0

http://techgenix.com/setting-up-wi-fi-authentication-windows-server-2008-part2/
This isn't the one I was thinking of, but its similar.
Hope this helps.
It's just my opinion but... by Anonymous Coward · 2018-06-26 04:45 · Score: 0

There should be just one mode of operation the enterprise one. And why 192 bit?
Always use a VPN with wifi, period by Anonymous Coward · 2018-06-26 05:05 · Score: 0

Always use a VPN with wifi, period.
We've learned that the WiFi-Alliance doesn't have the sharpest people and our information is too valuable to trust to people like that.
These new standards will like just mean new ways for attacks to find issues.
Use a VPN.
1. Re:Always use a VPN with wifi, period by ledow · 2018-06-26 09:40 · Score: 1
  
  Yep. Anything radio is an untrusted medium. Hell, people use VPNs over leased lines, sure as hell you want a VPN over anything wireless purely for convenience (site-to-site interlinks, it goes without saying that you want VPN).
  Plus, it just gives you that double-layer. Sure, you might crack WPA but you've still then got to break through AES or whatever. And sure, AES might get a flaw but if you've got to be nearby and break the WPA to see that you're even using it, that's another layer of protection. The chances of both being so easily flawed simultaneously are miniscule, and gives you time to test and deploy updates that could potentially make the problem worse if you desperately need to shove them out because your only layer of protection was removed.
  For ten years, I gamed and ran CS servers... and my home connection was only ever a cheap wifi point with a VPN to the laptop run over local network, and everyone used to accuse me of having the advantage because my ping was so low, despite the server I ran being in another country. Latency was more than acceptable but I never once had to worry about something getting online, even with fake SSIDs cropping up and all kinds of attacks.
  There's no reason not to VPN over your Wifi and tell your software firewalls and anything else that it's an untrusted network and only the VPN is a trusted one. It also helps you secure yourself should you take a laptop to a cafe with open wifi. You idiots can all share a wifi session with a shared key, I'll just use it to VPN to my external server that I know only *I* have a key for, and that I can identify any MITM attack attempted on such a connection (i.e. the VPN won't be able to connect because the endpoints won't recognise each other).
WPA3 is flawed out of the gate by WaffleMonster · 2018-06-26 05:45 · Score: 2

WPA3 is resistant to dictionary attacks. The Wi-Fi Alliance says that WPA3's SAE is resistant to offline dictionary attacks where an attacker tries to guess a Wi-Fi network's password by trying various passwords in a quick succession.
WPA3 uses Dragonfly which was shown to be vulnerable to small subgroups that can be exploited to conduct offline dictionary attack.
https://en.wikipedia.org/wiki/...
RFC 7664 section 4 even provides optional advice for mitigation.
Amazing to see new security protocols out of the gate include crypto known to be flawed.
1. Re:WPA3 is flawed out of the gate by Anonymous Coward · 2018-06-26 08:02 · Score: 0
  
  NSA is happy
2. Re:WPA3 is flawed out of the gate by letsief · 2018-06-26 14:26 · Score: 1
  
  I think you're greatly exaggerating the problems. If you do public key validation, as we've long known you should do to protect against these kinds of attacks, the problem goes away. Or, if you use safe-prime groups, as the community has moved to for DH, the problem pretty much goes away. It should go away for ECC groups, too.
3. Re:WPA3 is flawed out of the gate by WaffleMonster · 2018-06-26 19:05 · Score: 1
  
  I think you're greatly exaggerating the problems.
  I never expressed an opinion with regards to severity. What I know is the flaw exists in Dragonfly while other PAKEs have addressed the specific problem.
  
  If you do public key validation, as we've long known you should do to protect against these kinds of attacks, the problem goes away.
  What this essentially says is that if you punt the problem to something else the original problem no longer matters.
  This isn't at all useful. The whole point of PAKEs are to securely leverage mutual password knowledge to establish a secure trusted channel not offload trust to something else. If a particular PAKE is incapable of doing what it is intended to do then FFS lets pick one that is.
  The utility of non-enterprise WPA3 is that it be beneficial to normal people. Asking people to deploy PKI in order to mitigate flaws in a PAKE is basically telling them to go fuck themselves. It makes the technology worthless to a non-trivial subset of users.
  
  Or, if you use safe-prime groups, as the community has moved to for DH, the problem pretty much goes away. It should go away for ECC groups, too.
  I don't know what the real world practical implications of the flaw are. If it can be reasonably mitigated that's great. Yet the question in my mind remains. If you are creating something new why not pick an algorithm that doesn't have the flaw in the first place?
4. Re:WPA3 is flawed out of the gate by letsief · 2018-06-27 01:46 · Score: 1
  
  First, keep in mind the WiFi Alliance isn't developing standards. The standards are developed in IEEE 802.11. The WiFi Alliance is basically creating a profile of the 802.11 standards that they'll cover as part of their certification program. Dragonfly is used because that's what's specified in 802.11.
  Are there better ones? Perhaps, although Dragonfly has been around for a while and has been the subject of third-party analysis. There's something to be said for preferring an older scheme with well-understood implementation considerations (which you're calling "flaws") over newer proposals that might seem to have better properties, but whose implementations haven't been fully considered. In other words, prefer the devil you know.
  Public key validation doesn't refer to a PKI. It just means when you're doing a Diffie-Hellman key exchange you should check that the public key you receive is in the subgroup its supposed to be in.
  Honestly, I'm no expert in PAKEs, but a lot of them are built on Diffie-Hellman where this sort of check has been long known as needed depending on the group you're working in and whether its a static or ephemeral exchange. It seems disingenuous to call that a "flaw."
  Some of the skepticism surrounding Dragonfly in practice seems to be more related to concerns with how the security review went down in the CFRG, and some connections to the NSA, than with the protocol itself. I understand there are other PAKEs that seem to have better security properties, like J-PAKE, but they all have other problems (JPAKE, for example, is rather slow). It's mostly a non-issue for the WiFi Alliance, as they have to work within what's supported in the IEEE specs (which basically means sticking with PSK or using Dragonfly), but I don't know why IEEE chose what they did.
5. Re:WPA3 is flawed out of the gate by WaffleMonster · 2018-06-27 06:28 · Score: 1
  
  Are there better ones? Perhaps, although Dragonfly has been around for a while and has been the subject of third-party analysis. There's something to be said for preferring an older scheme with well-understood implementation considerations (which you're calling "flaws") over newer proposals that might seem to have better properties, but whose implementations haven't been fully considered. In other words, prefer the devil you know.
  SRP-6 is now something like 16 years old. The only excuses in various WGs for not using it last decade were unspecified patent fears from company "L" too lazy to perform an internal search and state a public position. All of that is history now.
  
  Public key validation doesn't refer to a PKI. It just means when you're doing a Diffie-Hellman key exchange you should check that the public key you receive is in the subgroup its supposed to be in.
  I don't understand the difference. Who creates the public key? How does the peer validate/trust it?
  When I hear use public key I think of cipher suites which leverage both the PAKE and RSA et el together in a single TLS handshake. This requires servers to possess a private key and clients to posses a trustworthy public key with a verifiable trust path linking the two.
  
  Honestly, I'm no expert in PAKEs, but a lot of them are built on Diffie-Hellman where this sort of check has been long known as needed depending on the group you're working in and whether its a static or ephemeral exchange. It seems disingenuous to call that a "flaw."
  This position makes sense. If a problem can be reasonably avoided and made to work as intended then great.
  My perspective is comparative. Dragonfly vs alternatives. For example if there were two competing standards say AES and BES. Both were the same in all known respects except BES was not vulnerable to timing attacks then picking AES wouldn't make much sense even though the "flaw" in AES could be effectively mitigated with blinding.
  
  Some of the skepticism surrounding Dragonfly in practice seems to be more related to concerns with how the security review went down in the CFRG, and some connections to the NSA, than with the protocol itself.
  Dragonfly also requires server storage of passwords in a reversible form which is an unnecessary risk. If I steal your password database I can login as your users. Any salting or transform schemes over the top don't alter this basic equation.
  With other systems if I steal your password database I can perform offline attack and pose as intended party but I can't login as your users unless my offline brute force campaign bears some fruit.
Deep NSA Backdoors by Anonymous Coward · 2018-06-26 06:37 · Score: 0

The WiFi Alliance are traitors to freedom and should be hung or shot for their global beyrayal and traitorous actions against liberty and security.
Re:Will enterprise still be a clusterfuck to setup by Anonymous Coward · 2018-06-26 06:45 · Score: 1

If someone could figure out a way to create an easy to implement, reasonable cost WPA enterprise-as-a-service they would literally print fucking money. Bonus if you could tie it in to an SSO service.
They did, it's called FreeRADIUS.
The only thing missing is a Wizard to set up the server, and a easy way of getting the certs installed on endpoint machines.
Smart devices work perfectly fine. Just install the cert and go.
Windows needs GP to do this without seeing windows' ugly side. A.K.A. Non-descriptive Dialog boxes and random GUI widgets need to be set correctly.
Most linux distros are crap as NetworkManager loves trying to install the certs as per-user certs, and mandates that any keys be password protected with the password stored in the user's keyring. (Which if they have access to the physical storage media, putting a password on the file isn't going to do jack, but network manager's devs refuse to realize this...) The alternative is to manually configure WPA supplicant's config file assuming you can do so, as many distros don't include it anymore as it's auto configured via DBUS from NM.
Chromebooks require a convoluted set up that has a PKI only signing a cert request made on the individual device. That is to say the Chromebook generates a CSR and then submits it to a signing server to create the cert it will use to connect, it will then use that cert until it expires after which it will generate a brand new CSR and key because we can't allow more than one signing attempt by the TPM generated and sealed private key. Also did I mention you have to write the extension for Chrome to be able to do this? And Deploy it via an enterprise policy set in GSuite? No you can't just install the extension from the Chrome Store, it has to be pushed via forced install otherwise it lacks the permissions needed to access the TPM to generate the CSR. BTW, You can't use your own pre-made certs. Why? Well that would give too much power to an Admin and they just couldn't handle it. Heck an Admin wouldn't know what to do with such power! You had best thank the Chrome developers for being such generous handholders and giving Their guidance to you on this huge ordeal.
So it's not so much the server as it is the clients that need the most help. My greatest recommendation would be to fire the existing developers and get some competent people in there to fix the mess.
Forward Secrecy by emil · 2018-06-26 07:30 · Score: 1

I also understand that WPA3 will get forward secrecy, and sessions will negotiate a temporary ("ephemeral") key for symmetric cryptography (assuming AES).
Should the traffic be recorded, it cannot be decrypted later if the password is broken.

The other benefit comes in the event that your password gets compromised nonetheless. With this new handshake, WPA3 supports forward secrecy, meaning that any traffic that came across your transom before an outsider gained access will remain encrypted. With WPA2, they can decrypt old traffic as well.
Hopefully won't repeat WPS debacle but by Anonymous Coward · 2018-06-27 20:30 · Score: 0

now that they have that IoT quick join thing, I have a feeling we'll see something similar to the WPS attacks again...