In a one-two punch, the Wi-Fi Alliance today introduced several key enhancements to its Wi-Fi Protected Access II (WPA2) security protocol and unveiled its next security protocol WPA3.
"WPA2 has been around since 2003 and the Wi-Fi Alliance has constantly updated and enhanced it. WPA3 will build on the core components of WPA2 and add additional capabilities," says Kevin Robinson, vice president of marketing for the Wi-Fi Alliance.
The Wi-Fi Alliance is a global network of companies that collaborate and set standards for the Wi-Fi industry. WPA2 is the organization's family of Wi-Fi CERTIFIED security technologies, which is widely adopted among more than 35,000 Wi-Fi products, and WPA2 will run concurrently as WPA3 gains adoption, Robinson says.
During the early part of the year, the alliance will roll out three key WPA2 enhancements and four new WPA3 security capabilities.
"These new WPA2 enhancements generally take place 'under the hood' of Wi-Fi devices," Robinson says, noting most users will not notice the changes. However, network operators, service providers, and managers of BYOD employees will likely notice the changes.
The three key enhancements to the WPA2 protocol will address authentication, encryption, and configuration issues.
The first enhancement is related to the use of Protected Management Frames (PMF) in Wi-Fi devices. The Protected Management Frames feature, which is already broadly adopted in Wi-Fi devices, is designed to ensure the integrity of network management traffic on a Wi-Fi network and maintains the resiliency of networks, Robinson explains.
"Wi-Fi Alliance is implementing changes around when Wi-Fi CERTIFIED devices must use Protected Management Frames, essentially refining the set of acceptable Wi-Fi CERTIFIED device configurations to further raise the bar and ensure devices utilize the highest possible security," he says.
A second WPA2 enhancement calls for companies to conduct additional checks on all of their Wi-Fi CERTIFIED devices to ensure they are incorporating the best practices on the way they use Wi-Fi security protocols and closely related network protocols. For example, Wi-Fi tests will evaluate expected behaviors when devices validate network authentication server certificates, Robinson says. This enhancement is designed to reduce potential vulnerabilities due to misconfiguration of networks or devices.
The third enhancement aims to deliver better consistency in network security configuration by standardizing 128-bit level cryptographic suite configurations, similar to those defined for the new 192-bit level.
"Often people may focus exclusively on the level of encryption when evaluating security of a technology, but there are a number of components—such as information protection (encryption), key establishment, digital signatures, and condensed representations of information—that work together as a system to deliver strong security," Robinson notes.
As a result, the third enhancement is designed to ensure all Wi-Fi CERTIFIED devices use cryptographic components of similar strength as the security level that is configured. Robinson compared this enhancement to preventing a weak link in a chain.
"Depending on its intended use, a chain could be made of plastic, aluminum, or hardened steel. However, the chain is only as good as its weakest link. This enhancement will ensure there is consistency across all security elements utilized in a given configuration," he says.
Although the vast majority of Wi-Fi devices already meet most of these requirements, the alliance notes by having them in its Wi-Fi certification program it can be certain that all Wi-Fi CERTIFIED devices will meet this higher level of security protection.
Broad adoption of WPA3's four capabilities is expected to take some time, but when it occurs it is expected to yield greater security for a number of years, Robinson says.
The first capability aims to protect users who choose weak passwords. Under WPA3 certification, companies would need to use technology that informs the network every time an attacker guesses at a password. "Previously, before a handshake could happen on a network, an attacker could do their guessing offline," explains Robinson.
WPA3 also aims to simplify the configuration process and security for devices with limited display interfaces, which are typically associated with sensor or IoT devices. WPA3 certified devices would allow users to tap their smartphone against a sensor device or IoT device, or scan a QR code, and then provision the device onto the network.
Improved privacy on open networks is a third standard for WPA3-supported devices.
"With this new capability supported by WPA3 devices, every user on an open network gets individualized data encryption without the need to configure a network password. The experience is identical to connecting to any open network with the benefit of a higher level of privacy because an attacker cannot passively monitor network traffic," Robinson says.
Lastly, WPA3 aims to deliver stronger security for government, defense, and industrial networks with a new set of protocols using 192-bit security, or Commercial National Security Algorithm (CNSA) Suite. CNSA, previously known as Suite B, is designed to support security-sensitive networks, such as those transmitting top secret information, the Alliance announced.
"WPA3 will emerge in 2018, but broad adoption is not expected for some time," Robinson says. "WPA2 will continue to be deployed in Wi-Fi CERTIFIED devices for the foreseeable future, and the Wi-Fi Alliance will continue enhancing WPA2 to ensure it delivers strong security protections to Wi-Fi users as the security landscape evolves."