WPA3: How and why the Wi-Fi standard matters
Wi-Fi Protected Access II, or WPA2, is the standard behind wireless network security. It protects users everywhere, from coffee shops to college campuses to corporate headquarters. WPA2 may be the most widespread security standard in the world that ordinary people encounter.
With all that’s gone on since 2004, when the specification behind WPA2 was adopted, it must be considered a successful standard. But WPA2 does have some important limitations. A new version, WPA3, is a significant improvement. Products to use it are being built now, and certification for them will begin in the third quarter of 2018.
I spoke to Dan Harkins, distinguished technologist at Aruba, a Hewlett Packard Enterprise company, and author of many of the basic standards behind WPA3 to gain insights on what really matters in WPA3.
Harkins says that most of what matters in WPA3 will affect consumer deployments rather than enterprises. The improvements to consumer Wi-Fi use will be substantial and, importantly, invisible to the user.
However, key new enterprise features will appeal to the federal government and organizations that work with government agencies.
I am writing this in a big-chain coffee shop using its Wi-Fi. The coffee shop doesn't brag about the fact, but the Wi-Fi security features have been turned off. Completely. There is nothing protecting my communications from the prying eyes of others on the network—other than the use of application-level encryption, like TLS on websites, or a VPN. This is a common configuration of public Wi-Fi. Another common one is where the password for the network is posted on a sign. This is better, but it’s no longer a defense against a capable attacker.
WPA3 solves this problem by implementing a new standard called Opportunistic Wireless Encryption (OWE), an author of which is none other than Harkins. An OWE-capable client and access point will behave just as with an open network like the one I’m using now, but the traffic will be strongly encrypted, even without a password.
Harkins says OWE is perfect for public Wi-Fi because it provides strong encryption and demands nothing of users or staff. The specification recommends (but does not mandate) that the presentation of the SSID (network name) to the user be exactly as it is with an open network. OWE is a replacement for open networks.
Good, but not good enough
For many years, there have been attacks against WPA2-PSK (Pre-Shared Key) networks, meaning those with shared passwords. This is a configuration used by home and small business networks, not on managed networks. Some of the attacks use old methods like dictionary attacks, which guess passwords based on a list of common ones, and many attack tools have been developed for WPA2-PSK.
But it wasn’t until late 2017 that an effective attack against enterprise Wi-Fi appeared. KRACK (Key Reinstallation Attack) does not actually exploit a flaw in the WPA2 protocol but rather an extremely common implementation error. In the third step of the WPA2 four-way handshake, the KRACK attacker prevents delivery of the fourth message and replays the third. The end result is that the attacker can reconstruct the keychain, leading to the ability to conduct “...arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames,” according to US-CERT.
Almost all implementations made the same error, which is why the vulnerability was so widespread. The changes in WPA3 and certification will ensure that implementations are correct.
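A minimal model of that implementation error and its fix, added here as an illustration and not taken from the article or from any vendor's code. It assumes what the KRACK research describes: installing the pairwise key again on a retransmitted message 3 resets the per-key packet number, so (key, nonce) pairs repeat. The class and function names are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Supplicant:
    """Client side of the four-way handshake, reduced to key installation."""
    reinstall_on_replay: bool             # True models the flawed behaviour
    ptk: Optional[bytes] = None           # currently installed pairwise key
    tx_nonce: int = 0                     # per-key packet number
    sent: list = field(default_factory=list)

    def on_message3(self, ptk: bytes) -> str:
        if ptk == self.ptk and not self.reinstall_on_replay:
            return "msg4"                 # retransmission: answer, keep state
        self.ptk, self.tx_nonce = ptk, 0  # (re)installation resets the nonce
        return "msg4"

    def send_frame(self) -> None:
        self.tx_nonce += 1
        self.sent.append((self.ptk, self.tx_nonce))


def reused_nonces(reinstall_on_replay: bool) -> list:
    """Deliver msg3, lose msg4, deliver msg3 again; return nonces used twice."""
    ptk = bytes(16)                       # constructed placeholder key
    sta = Supplicant(reinstall_on_replay)
    sta.on_message3(ptk)                  # first delivery of message 3
    sta.send_frame()
    sta.send_frame()                      # data frames with nonces 1 and 2
    sta.on_message3(ptk)                  # msg4 never arrived, msg3 is resent
    sta.send_frame()
    sta.send_frame()
    counts = Counter(sta.sent)            # counts each (key, nonce) pair
    return sorted(n for (_, n), c in counts.items() if c > 1)
```

The flawed client protects four frames with only two distinct nonces under one key; the corrected client keeps counting and never repeats a pair.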
WPA3 addresses other weaknesses in WPA2 through a combination of improved standards and tightened specification requirements. For instance, clients authenticating a server based on a certificate often did not check the certificate chain all the way to the root, but WPA3 requires that.
PSK in WPA3 uses a new authentication method called SAE (Simultaneous Authentication of Equals; see the original specification proposal by—guess who—Harkins). SAE is basically an implementation of another Harkins specification, Dragonfly Key Exchange, on 802.11 networks that is resistant to dictionary attacks. It’s still a bad idea to use "password" or "12345" as a password, but Dragonfly does not transmit the hash of the password in the clear, so a rainbow table-style playback of hash values won’t work.
The way Dragonfly works is fascinating and demonstrates the ingenuity that is necessary to make modern cryptography practical. Dragonfly solves what is known as a zero-knowledge problem, meaning that the two parties attempting to connect on the network must prove to each other that they both know the secret without actually divulging the secret.
Harkins gives this analogy:
The secret is a number between 1 and 50. We take a stack of 51 business cards. While the second party looks away, the first party marks the Xth card on the left (where X is between 1 and 50, and the top card doesn't count). Then, while the first party looks away, the second party marks the Yth card on the right. Now, while both parties are looking, the stack is turned upside-down and shuffled. Then the cards are looked through, and if a single card has a mark on both sides (X == Y), they agreed on the secret. If one card has a mark on the left and a different card has a mark on the right (X != Y), they did not agree on the secret. But neither side knows what the other thought the secret was—the second party has no way of determining what X was and the first party has no way of determining what Y was. Now imagine that instead of a stack of 51 cards, it is a stack of 2^256 cards—the ability to guess the number just became infinitely harder.
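The same idea in arithmetic, as an added sketch of a Dragonfly-style commit and confirm exchange (not code from the article, from Harkins, or from any Wi-Fi stack). Assumptions: a toy multiplicative group modulo the Mersenne prime 2^521 - 1, a simplified password-to-element mapping, and hypothetical names and message framing throughout; real SAE uses standardized groups and its own derivation.

```python
import hashlib
import secrets

# Toy group chosen for readability (assumption): Mersenne prime 2^521 - 1.
# SAE itself uses standardized ECC/FFC groups with a prime-order subgroup.
P = 2**521 - 1
ORDER = P - 1                      # exponents are reduced modulo this

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (framing is hypothetical)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def enc(n: int) -> bytes:
    return n.to_bytes(66, "big")

def password_element(password: str, mac1: bytes, mac2: bytes) -> int:
    """Simplified stand-in for SAE's password-to-element derivation."""
    lo, hi = sorted((mac1, mac2))
    wide = b"".join(H(bytes([i]), password.encode(), lo, hi) for i in range(3))
    return 2 + int.from_bytes(wide, "big") % (P - 3)

class Peer:
    def __init__(self, password: str, my_mac: bytes, peer_mac: bytes):
        self.pe = password_element(password, my_mac, peer_mac)
        self.private = 2 + secrets.randbelow(ORDER - 2)
        mask = 2 + secrets.randbelow(ORDER - 2)
        # Commit (scalar, element): the random mask blinds the password element.
        self.commit = ((self.private + mask) % ORDER, pow(pow(self.pe, mask, P), -1, P))

    def confirm(self, peer_commit: tuple) -> bytes:
        scalar, element = peer_commit
        # (PE^scalar_peer * element_peer)^private = PE^(private_a * private_b)
        shared = pow(pow(self.pe, scalar, P) * element % P, self.private, P)
        self.expected = H(enc(shared), *map(enc, peer_commit + self.commit))
        return H(enc(shared), *map(enc, self.commit + peer_commit))

    def accepts(self, peer_confirm: bytes) -> bool:
        return secrets.compare_digest(self.expected, peer_confirm)

def handshake(pw_client: str, pw_ap: str) -> tuple:
    sta_mac, ap_mac = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"  # constructed
    sta, ap = Peer(pw_client, sta_mac, ap_mac), Peer(pw_ap, ap_mac, sta_mac)
    c_sta, c_ap = sta.confirm(ap.commit), ap.confirm(sta.commit)
    return ap.accepts(c_sta), sta.accepts(c_ap)
```

When the passwords match, both confirms verify; when they differ, both fail. Either way each side learns only whether the passwords matched, and every run sends a fresh commit, so no fixed password hash ever appears on the air.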
So what does WPA3 offer the enterprise?
One of the common ways attackers attempt to breach corporate networks is to set up a fake access point in the proximity of the facility, such as in a parking lot. The fake AP may be able to modify 802.11 management frames to trick clients and the network into treating it as legitimate. Then clients connecting to it can be monitored. WPA3 makes protection of management frames mandatory.
More significant is WPA3’s simplification of configuration. Enterprise administrators know that WPA2-Enterprise provisioning and configuration is extremely complicated. They must pay attention to a great deal of minute detail having to do with matching protocols and options on the client and network. This is why we attempt to automate the process as much as possible, particularly on the client end.
For this reason, the new WPA3-CNSA mode (Commercial National Security Agency) was introduced. This is a set of best-of-breed encryption settings and features that must be supported as a whole, with no options. Cryptography experts, particularly those who work in the U.S. Department of Defense and organizations that interact with it, will recognize the CNSA features as the proven Suite B TLS cipher suites profile for TLS, developed by the NSA. The NSA now recommends CNSA for protection of secure Internet communications.
The problem with WPA3-CNSA is that it doesn’t play nice with WPA2-Enterprise. The network must be all one thing or all the other, and so Harkins says WPA3-CNSA requires a “flag day,” meaning a day when everything switches over; there is no incremental migration option. If you’re in enterprise IT, you can see the problem, even if you crave the simplicity and power of WPA3-CNSA. In the very long term, this should change. In the meantime, the Defense Department and other organizations that have been adopting Suite B will adopt CNSA when it becomes available.
Another deficiency in WPA2, though no fault of the protocol, is the lack of a good way to enroll devices, particularly devices without a clear user interface. There is a standard way, called Wi-Fi Protected Setup (WPS), but it’s just not a good way. A steady flow of vulnerabilities in WPS over the years has led experts to recommend avoiding it. Harkins calls WPS broken and a lost cause.
Enter Device Provisioning Protocol (DPP), yet another Harkins specification. It makes the provisioning of devices, such as most IoT devices, which have no built-in user interface, easier. Each device has a built-in public key, and a trusted administrator can bring it onto the network in one of several ways, typically by scanning a QR code on the device with a phone. DPP will completely supplant WPS over time. DPP isn’t strictly part of WPA3, but it is part of the general push to enhance the security and usability of Wi-Fi, of which WPA3 is a part.
IoT considerations informed the design of WPA3 in other ways, such as reliance on elliptic curve cryptography (ECC) in addition to the classic methods of finite field cryptography (FFC). The devices are small, often with low-power processors. ECC can achieve cryptographic strength with smaller keys and less processing than FFC.
The built-in support for ECC is emblematic of how WPA3 is designed for the long haul, as experts believe it to be more resistant to the attack methods that are forcing FFC key sizes up into the many thousands of bits. Nobody wants to have to update IoT devices attached to an industrial pump or a traffic light. If WPA3’s designers have done a good job and we have 14 more years of service and security, we will have been well-served.
WPA3: Lessons for leaders
- WPA2's implementation issues have caused problems.
- It's an easy upgrade process from WPA2 to WPA3.
- DPP will bring benefits to headless device technologies such as IoT.