Wi-Fi Alliance Launches WPA3 Security Standard (securityweek.com)
wiredmikey writes: The Wi-Fi Alliance, the organization responsible for maintaining Wi-Fi technology, announced the launch of the WPA3 security standard. The latest version of the Wi-Fi Protected Access (WPA) protocol brings significant improvements in terms of authentication and data protection.
WPA3 has two modes of operation: Personal and Enterprise. WPA3-Personal's key features include enhanced protection against offline dictionary attacks and password guessing attempts. WPA3-Enterprise provides 192-bit encryption for extra security, improved network resiliency, and greater consistency when it comes to the deployment of cryptographic tools.
Too bad, my submission has been rejected even though it had a lot more information which I'll post anyways:
New security features include:
Source
WEP sank into the swamp
So we built WPA on top of it and it sank into the swamp
Then we built WPA2 on top of it and it caught fire and sank into the swamp
But WPA3.. WPA3 will stand the test of time!
Is this something a router/access point running OpenWRT could upgrade to? Or would WPA3 require a driver/firmware upgrade as well?
continuing the bs... It should be as good as it can be... no need for half arsed Personal version
Most of this is incremental security improvements, as for most users, WPA2 is still sufficiently secure. However, the big deal here is the opportunistic encryption that will encrypt connections that don't require authentication. That's a big deal.
I like to leave my WiFi open for guests, but I have to set up a separate network in order to keep my regular use encrypted. Once everything supports opportunistic encryption, I can just have one network. That's not particularly important.
Where this matters is public WiFi. Many stores have free WiFi with no password. Often they have a login after you connect (annoying, but a separate issue), but there is no encryption on the link. Anyone who knows what they're doing can see every packet you send. When this technology becomes widespread, it will become a bit harder for eavesdroppers.
Of course, using public WiFi, you should be using end-to-end encryption on anything important. This is pretty much standard these days for most things, but too often something slips through.
I understand that WPA Enterprise is built off existing technologies but holy fuck setting up its infrastructure should not be like pulling teeth.
If someone could figure out a way to create an easy to implement, reasonable cost WPA enterprise-as-a-service they would literally print fucking money. Bonus if you could tie it in to an SSO service.
Knowledge of the pre-shared key in personal mode no longer gives an attacker the opportunity to decrypt everything on the network. In WPA and WPA2, an attacker who knows the PSK (for example that of a public hotspot) can passively record the handshake frames and recover the keys used by other clients. WPA3 prevents this, so even when you use a public hotspot, the connections between your computer and the access point are secure against passive attacks. (An attacker can still perform a MITM attack because there is no way to authenticate a public hotspot with a non-secret PSK.)
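An added example (not from the comment above or from any vendor code) showing why WPA2-Personal has this property: the 802.11i key schedule derives every client's pairwise keys purely from the passphrase, SSID, the two MAC addresses and the two handshake nonces, all of which a passive observer holding the PSK has. The MACs and nonces below are constructed sample values; the PMK check uses the IEEE 802.11i "password"/"IEEE" test vector.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The PMK is the same for every client on the network and never changes
    # unless the passphrase does; there is no per-session secret in it.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: concatenated HMAC-SHA1 outputs with a one-byte counter.
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion",
    #               min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    # KCK = PTK[0:16], KEK = PTK[16:32], TK (the traffic key) = PTK[32:48].
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def traffic_keys(passphrase: str, ssid: str, ap_mac: bytes, clients: list) -> dict:
    # Everything on the right-hand side is either the shared PSK or sent in the
    # clear in the 4-way handshake, so anyone with the PSK can fill this table.
    pmk = wpa2_pmk(passphrase, ssid)
    return {
        c["mac"]: wpa2_ptk(pmk, ap_mac, c["mac"], c["anonce"], c["snonce"])[32:]
        for c in clients
    }


# Constructed sample hotspot: one AP, two associated clients, nonces as seen on air.
SAMPLE_AP = bytes.fromhex("02aabbcc0001")
SAMPLE_CLIENTS = [
    {"mac": bytes.fromhex("02aabbcc1001"), "anonce": bytes(range(32)), "snonce": bytes(range(32, 64))},
    {"mac": bytes.fromhex("02aabbcc1002"), "anonce": bytes(range(64, 96)), "snonce": bytes(range(96, 128))},
]
```

Re-running `traffic_keys` with the same captured values always yields the same per-client TKs, which is exactly what SAE's per-session PMK removes.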
It depends on whether you're willing to spend money for additional security.
Personal authentication is less secure, but you don't need anything besides the router.
Enterprise authentication is more secure but requires additional infrastructure. E.g., the 802.1X authentication for WPA2 Enterprise requires a RADIUS server or equivalent to authenticate users. Since enterprise authentication is unique for each user, you can assign network access with per-user profiles with more equipment (e.g., Cisco ISE).
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Short version: because when you fire an employee you want to cut their wifi access without changing everyone else's password.
WPA3 is resistant to dictionary attacks. The Wi-Fi Alliance says that WPA3's SAE is resistant to offline dictionary attacks where an attacker tries to guess a Wi-Fi network's password by trying various passwords in a quick succession.
WPA3 uses Dragonfly which was shown to be vulnerable to small subgroups that can be exploited to conduct an offline dictionary attack.
https://en.wikipedia.org/wiki/...
RFC 7664 section 4 even provides optional advice for mitigation.
Amazing to see new security protocols out of the gate include crypto known to be flawed.
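An added example (not from the comment above or from any WPA3 implementation) of the mitigation the comment refers to: before using a peer's Dragonfly commit for a finite-field group, verify the scalar is in range and that the element actually lies in the prime-order subgroup (element^q mod p == 1 and element != 1). The group below is a constructed toy safe-prime group (p = 23, q = 11), chosen only so the arithmetic is readable.

```python
# Constructed toy finite-field group: p = 2q + 1 with q prime, so the
# multiplicative group mod p has subgroups of order 1, 2, q and 2q.
TOY_P = 23
TOY_Q = 11


def element_order(e: int, p: int) -> int:
    # Number of distinct values e^k mod p takes. A peer element of tiny order
    # confines the shared secret to that many candidates, which is what makes
    # an offline guessing attack on the password cheap.
    k, acc = 1, e % p
    while acc != 1:
        acc = (acc * e) % p
        k += 1
    return k


def scalar_ok(scalar: int, q: int) -> bool:
    # Dragonfly scalars must satisfy 1 < scalar < q.
    return 1 < scalar < q


def element_ok(element: int, p: int, q: int) -> bool:
    # Subgroup membership check for FFC groups: element must be in (1, p) and
    # satisfy element^q mod p == 1, i.e. lie in the order-q subgroup.
    if not 1 < element < p:
        return False
    return pow(element, q, p) == 1


def validate_commit(scalar: int, element: int, p: int = TOY_P, q: int = TOY_Q) -> bool:
    # Accept a peer's commit only if both checks pass; reject otherwise.
    return scalar_ok(scalar, q) and element_ok(element, p, q)
```

With p = 23 the element 4 has order 11 and passes, while p - 1 = 22 has order 2 and is rejected even though it is a perfectly valid residue mod p.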
The very reductive, overly-simplified short form is 'personal asks you for THE wi-fi password. Enterprise asks you for YOUR wi-fi password.'
Vintage computer games and RPG books available. Email me if you're interested.