What Is WPA3?
Wi-Fi Protected Access 3 (WPA3) is a next-generation Wi-Fi (WiFi) encryption protocol released by the Wi-Fi Alliance in 2018. It introduces a variety of new functions based on WPA2, providing more powerful encryption protection for data transmitted between users and Wi-Fi networks. Based on application scenarios and security requirements of Wi-Fi networks, the following WPA3 modes are available: WPA3-Personal, WPA3-Enterprise, and Opportunistic Wireless Encryption (OWE).
WPA2 vs. WPA3
Security Risks Faced by WPA2
WPA2 is the second-generation Wi-Fi encryption protocol released by the Wi-Fi Alliance in 2004. Before WPA3, WPA2 has been widely used for 14 years. To meet application scenarios and security requirements of Wi-Fi networks, WPA2 is classified into WPA2-Personal and WPA2-Enterprise, which use pre-shared key (PSK) and advanced encryption standard (AES), respectively, to encrypt Wi-Fi networks. WPA2 ensures the security of Wi-Fi networks to some extent, but it also exposes many security risks:
- Key Reinstallation Attack (KRACK): Security weaknesses were discovered in 2017, which work against all WPA2-encrypted Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses to using KRACKs. Consequently, victims may reinstall used keys so that attackers crack the user keys to achieve complete access to the user network.
- Offline dictionary or brute force cracking attack: The key complexity of WPA2 is positively correlated with the cracking difficulty. Especially, individuals or home Wi-Fi networks often use a simple key. Such Wi-Fi networks are vulnerable to offline dictionary attacks (attempting possible passwords in the user-defined dictionary one by one) or brute force cracking attacks (attempting all possible combinations of passwords one by one).
To address the preceding security risks, the Wi-Fi Alliance released WPA3 — the third-generation Wi-Fi encryption protocol — in 2018.
What Are the Advantages of WPA3 over WPA2?
Similar to WPA2, WPA3 includes WPA3-Personal and WPA3-Enterprise. WPA3-Personal applies to small-scale networks such as individual and home networks, and further enhances user password security compared with WPA2. WPA3-Enterprise applies to medium- and large-sized networks with higher requirements on network management, access control, and security, and uses more advanced security protocols to protect sensitive data of users. Additionally, WPA3 introduces OWE authentication to improve data transmission security on open networks. The specific advantages of WPA3 over WPA2 are as follows:
WPA3-Personal: Enhanced Password Protection
WPA3-Personal uses Simultaneous Authentication of Equals (SAE) to replace PSK authentication in WPA2-Personal.
In WPA2, PSK authentication involves a 4-way handshake for key negotiation. Before the negotiation, a PMK is generated based on the service set identifier (SSID) and PSK, which are both fixed. Therefore, the generated PMK is fixed and can be calculated. As a result, the same key is used for each reinstallation. The SAE protocol used by WPA3 adds an SAE handshake before the original PSK 4-way handshake and introduces a dynamic random variable in the PMK generation process. Therefore, the PMK negotiated each time is different, ensuring the randomness of the key. As such, SAE provides a more secure key authentication mechanism for WPA3 to resolve the security risks exposed by WPA2.
- Protection against KRACKs: SAE considers devices as peers. Either party can initiate a handshake and send authentication information independently. Without the message exchange process, no opportunity is left for KRACKs.
- Protection against offline dictionary and brute force cracking attacks: SAE directly rejects services for STAs that attempt to connect to the device for multiple times, preventing brute force or password cracking. In addition, SAE provides the forward secrecy function. Even if an attacker obtains the password in a certain way, the key is random each time a connection is set up. As a result, the attacker cannot decrypt the obtained data traffic because the key has been changed when the attacker attempts to reestablish a connection.
SAE enables individuals or home users to set Wi-Fi passwords that are easier to remember and provide the same security protection even if the passwords are not complex enough.
WPA3-Enterprise: Enhanced Security
Based on WPA2-Enterprise, WPA3-Enterprise provides WPA3-Enterprise 192-bit, a more secure optional mode. This mode provides the following security protection measures:
- Data protection: The 192-bit Suite-B security suite is used. Compared with the 128-bit key used by WPA2, this suite increases the key length to 192 bits, further improving the password defense strength.
- Key protection: The more secure HMAC-SHA-384 algorithm is used to export and confirm keys in the 4-way handshake phase. (HMAC: hash-based message authentication code; SHA: secure hash algorithm)
- Traffic protection: The more secure Galois-Counter Mode Protocol-256 (GCMP-256) is used to protect wireless traffic after STAs go online.
- Protected management frame (PMF): The Galois Message Authentication Code-256 (GMAC-256) of GCMP is used to protect multicast management frames.
OWE Authentication: Open Network Protection
Most Wi-Fi networks in public venues, such as airports, stations, and cafes, use the traditional open authentication mode. With OWE, users can access Wi-Fi networks without entering passwords, and data transmitted between users and Wi-Fi networks is not encrypted. This increases the risk of unauthorized network access.
WPA3 introduces an Enhanced Open network authentication mode for open networks. This allows users to access the network without entering the password, facilitating user access to the open Wi-Fi networks. Additionally, OWE uses the Diffie-Hellman key exchange algorithm to exchange keys between users and Wi-Fi devices, encrypting transmitted data and protecting user data security.
Do You Need to Upgrade to WPA3?
WPA3 is recommended because it is more secure than WPA2. However, the transition from WPA2 to WPA3 is gradual and may be caused by device or software updates. Before switching to WPA3, you can improve the security of Wi-Fi networks by updating security patches or increasing password complexity.
Which Devices Support WPA3?
All devices that support WPA3 must pass the Wi-Fi CERTIFIED WPA3™ certification of the Wi-Fi Alliance. You can log in to the official website of the Wi-Fi Alliance and enter the keyword of a device to check whether it supports WPA3. Huawei Wi-Fi devices start to support WPA3 from V200R019C00. In V200R020C10 and later versions, all Huawei Wi-Fi devices support WPA3.
To use WPA3 to protect Wi-Fi networks, Wi-Fi devices and STAs must support WPA3. What if Wi-Fi devices support WPA3 but STAs do not? To allow such STAs to access a WPA3-encrypted network, WPA3 provides the WPA3-Personal and OWE transition mode. In this manner, the user network is gradually migrated from WPA2 to WPA3.
- WPA2-Personal: uses WPA2-WPA3 hybrid authentication. WPA3-incapable STAs can use WPA2 for access, while WPA3-capable STAs use WPA3 for access.
- OWE transition mode: allows STAs that do not support OWE authentication to access the network in open authentication mode, and STAs that support OWE authentication to access the network in OWE authentication mode.
For WPA3 capabilities of Huawei devices, see AirEngine Wi-Fi 6 Products.
- Author： Zhou Qiang
- Updated on： 2021-09-02
- Views： 506
- Average rating：