Endpoint

Wi-Fi Alliance Launches WPA2 Enhancements and Debuts WPA3

WPA2 protocol enhancements bring stronger security protection and best practices, while new WPA3 protocol offers new security capabilities.

In a one-two punch, the Wi-Fi Alliance today introduced several key enhancements to its Wi-Fi Protected Access II (WPA2) security protocol and unveiled its next security protocol WPA3.

"WPA2 has been around since 2003 and the Wi-Fi Alliance has constantly updated and enhanced it. WPA3 will build on the core components of WPA2 and add additional capabilities," says Kevin Robinson, vice president of marketing for the Wi-Fi Alliance.

The Wi-Fi Alliance is a global network of companies that collaborate and set standards for the Wi-Fi industry. WPA2 is the organization's family of Wi-Fi CERTIFIED security technologies, which is widely adopted among more than 35,000 Wi-Fi products, and WPA2 will run concurrently as WPA3 gains adoption, Robinson says.

During the early part of the year, the alliance will roll out three key WPA2 enhancements and four new WPA3 security capabilities.

"These new WPA2 enhancements generally take place 'under the hood' of Wi-Fi devices," Robinson says, noting most users will not notice the changes. However, network operators, service providers, and managers of BYOD employees will likely notice the changes.

WPA2 Enhancements

The three key enhancements to the WPA2 protocol will address authentication, encryption, and configuration issues.

The first enhancement is related to the use of Protected Management Frames (PMF) in Wi-Fi devices. The Protected Management Frames feature, which is already broadly adopted in Wi-Fi devices, is designed to ensure the integrity of network management traffic on a Wi-Fi network and maintains the resiliency of networks, Robinson explains.

"Wi-Fi Alliance is implementing changes around when Wi-Fi CERTIFIED devices must use Protected Management Frames, essentially refining the set of acceptable Wi-Fi CERTIFIED device configurations to further raise the bar and ensure devices utilize the highest possible security," he says.

A second WPA2 enhancement calls for companies to conduct additional checks on all of their Wi-Fi CERTIFIED devices to ensure they are incorporating the best practices on the way they use Wi-Fi security protocols and closely related network protocols. For example, Wi-Fi tests will evaluate expected behaviors when devices validate network authentication server certificates, Robinson says. This enhancement is designed to reduce potential vulnerabilities due to misconfiguration of networks or devices.

The third enhancement aims to deliver better consistency in network security configuration by standardizing 128-bit level cryptographic suite configurations, similar to those defined for the new 192-bit level.

"Often people may focus exclusively on the level of encryption when evaluating security of a technology, but there are a number of components—such as information protection (encryption), key establishment, digital signatures, and condensed representations of information—that work together as a system to deliver strong security," Robinson notes.

As a result, the third enhancement is designed to ensure all Wi-Fi CERTIFIED devices use cryptographic components of similar strength as the security level that is configured. Robinson compared this enhancement to preventing a weak link in a chain.

"Depending on its intended use, a chain could be made of plastic, aluminum, or hardened steel. However, the chain is only as good as its weakest link. This enhancement will ensure there is consistency across all security elements utilized in a given configuration," he says.

Although the vast majority of Wi-Fi devices already meet most of these requirements, the alliance notes by having them in its Wi-Fi certification program it can be certain that all Wi-Fi CERTIFIED devices will meet this higher level of security protection.

WP3 Capabilities

Broad adoption of WPA3's four capabilities is expected to take some time, but when it occurs it is expected to yield greater security for a number of years, Robinson says.

The first capability aims to protect users who choose weak passwords. Under WPA3 certification, companies would need to use technology that informs the network every time an attacker guesses at a password. "Previously, before a handshake could happen on a network, an attacker could do their guessing offline," explains Robinson.

WPA3 also aims to simplify the configuration process and security for devices with limited display interfaces, which are typically associated with sensor or IoT devices. WPA3 certified devices would allow users to tap their smartphone against a sensor device or IoT device, or scan a QR code, and then provision the device onto the network.

Improved privacy on open networks is a third standard for WPA3-supported devices.  

"With this new capability supported by WPA3 devices, every user on an open network gets individualized data encryption without the need to configure a network password. The experience is identical to connecting to any open network with the benefit of a higher level of privacy because an attacker cannot passively monitor network traffic," Robinson says.

Lastly, WPA3 aims to deliver stronger security for government, defense, and industrial networks with a new set of protocols using 192-bit security, or Commercial National Security Algorithm (CNSA) Suite. CNSA, previously known as Suite B, is designed to support security-sensitive networks, such as those transmitting top secret information, the Alliance announced.

"WPA3 will emerge in 2018, but broad adoption is not expected for some time," Robinson says. "WPA2 will continue to be deployed in Wi-Fi CERTIFIED devices for the foreseeable future, and the Wi-Fi Alliance will continue enhancing WPA2 to ensure it delivers strong security protections to Wi-Fi users as the security landscape evolves."

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.