What Is WPA3?

Security Risks Faced by WPA2

WPA2 is the second-generation Wi-Fi encryption protocol released by the Wi-Fi Alliance in 2004. Before WPA3, WPA2 has been widely used for 14 years. To meet application scenarios and security requirements of Wi-Fi networks, WPA2 is classified into WPA2-Personal and WPA2-Enterprise, which use pre-shared key (PSK) and advanced encryption standard (AES), respectively, to encrypt Wi-Fi networks. WPA2 ensures the security of Wi-Fi networks to some extent, but it also exposes many security risks:

• Key Reinstallation Attack (KRACK): Security weaknesses were discovered in 2017, which work against all WPA2-encrypted Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses to using KRACKs. Consequently, victims may reinstall used keys so that attackers crack the user keys to achieve complete access to the user network.
• Offline dictionary or brute force cracking attack: The key complexity of WPA2 is positively correlated with the cracking difficulty. Especially, individuals or home Wi-Fi networks often use a simple key. Such Wi-Fi networks are vulnerable to offline dictionary attacks (attempting possible passwords in the user-defined dictionary one by one) or brute force cracking attacks (attempting all possible combinations of passwords one by one).

To address the preceding security risks, the Wi-Fi Alliance released WPA3 — the third-generation Wi-Fi encryption protocol — in 2018.

What Are the Advantages of WPA3 over WPA2?

Similar to WPA2, WPA3 includes WPA3-Personal and WPA3-Enterprise. WPA3-Personal applies to small-scale networks such as individual and home networks, and further enhances user password security compared with WPA2. WPA3-Enterprise applies to medium- and large-sized networks with higher requirements on network management, access control, and security, and uses more advanced security protocols to protect sensitive data of users. Additionally, WPA3 introduces OWE authentication to improve data transmission security on open networks. The specific advantages of WPA3 over WPA2 are as follows:

WPA3-Personal: Enhanced Password Protection

WPA3-Personal uses Simultaneous Authentication of Equals (SAE) to replace PSK authentication in WPA2-Personal.

In WPA2, PSK authentication involves a 4-way handshake for key negotiation. Before the negotiation, a PMK is generated based on the service set identifier (SSID) and PSK, which are both fixed. Therefore, the generated PMK is fixed and can be calculated. As a result, the same key is used for each reinstallation. The SAE protocol used by WPA3 adds an SAE handshake before the original PSK 4-way handshake and introduces a dynamic random variable in the PMK generation process. Therefore, the PMK negotiated each time is different, ensuring the randomness of the key. As such, SAE provides a more secure key authentication mechanism for WPA3 to resolve the security risks exposed by WPA2.

• Protection against KRACKs: SAE considers devices as peers. Either party can initiate a handshake and send authentication information independently. Without the message exchange process, no opportunity is left for KRACKs.
• Protection against offline dictionary and brute force cracking attacks: SAE directly rejects services for STAs that attempt to connect to the device for multiple times, preventing brute force or password cracking. In addition, SAE provides the forward secrecy function. Even if an attacker obtains the password in a certain way, the key is random each time a connection is set up. As a result, the attacker cannot decrypt the obtained data traffic because the key has been changed when the attacker attempts to reestablish a connection.

SAE enables individuals or home users to set Wi-Fi passwords that are easier to remember and provide the same security protection even if the passwords are not complex enough.

WPA3-Enterprise: Enhanced Security

Based on WPA2-Enterprise, WPA3-Enterprise provides WPA3-Enterprise 192-bit, a more secure optional mode. This mode provides the following security protection measures:

• Data protection: The 192-bit Suite-B security suite is used. Compared with the 128-bit key used by WPA2, this suite increases the key length to 192 bits, further improving the password defense strength.
• Key protection: The more secure HMAC-SHA-384 algorithm is used to export and confirm keys in the 4-way handshake phase. (HMAC: hash-based message authentication code; SHA: secure hash algorithm)
• Traffic protection: The more secure Galois-Counter Mode Protocol-256 (GCMP-256) is used to protect wireless traffic after STAs go online.
• Protected management frame (PMF): The Galois Message Authentication Code-256 (GMAC-256) of GCMP is used to protect multicast management frames.

OWE Authentication: Open Network Protection

Most Wi-Fi networks in public venues, such as airports, stations, and cafes, use the traditional open authentication mode. With OWE, users can access Wi-Fi networks without entering passwords, and data transmitted between users and Wi-Fi networks is not encrypted. This increases the risk of unauthorized network access.

WPA3 introduces an Enhanced Open network authentication mode for open networks. This allows users to access the network without entering the password, facilitating user access to the open Wi-Fi networks. Additionally, OWE uses the Diffie-Hellman key exchange algorithm to exchange keys between users and Wi-Fi devices, encrypting transmitted data and protecting user data security.