Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Wi-Fi Alliance Launches WPA2 Enhancements and Debuts WPA3

WPA2 protocol enhancements bring stronger security protection and best practices, while new WPA3 protocol offers new security capabilities.

In a one-two punch, the Wi-Fi Alliance today introduced several key enhancements to its Wi-Fi Protected Access II (WPA2) security protocol and unveiled its next security protocol WPA3.

"WPA2 has been around since 2003 and the Wi-Fi Alliance has constantly updated and enhanced it. WPA3 will build on the core components of WPA2 and add additional capabilities," says Kevin Robinson, vice president of marketing for the Wi-Fi Alliance.

The Wi-Fi Alliance is a global network of companies that collaborate and set standards for the Wi-Fi industry. WPA2 is the organization's family of Wi-Fi CERTIFIED security technologies, which is widely adopted among more than 35,000 Wi-Fi products, and WPA2 will run concurrently as WPA3 gains adoption, Robinson says.

During the early part of the year, the alliance will roll out three key WPA2 enhancements and four new WPA3 security capabilities.

"These new WPA2 enhancements generally take place 'under the hood' of Wi-Fi devices," Robinson says, noting most users will not notice the changes. However, network operators, service providers, and managers of BYOD employees will likely notice the changes.

WPA2 Enhancements

The three key enhancements to the WPA2 protocol will address authentication, encryption, and configuration issues.

The first enhancement is related to the use of Protected Management Frames (PMF) in Wi-Fi devices. The Protected Management Frames feature, which is already broadly adopted in Wi-Fi devices, is designed to ensure the integrity of network management traffic on a Wi-Fi network and maintains the resiliency of networks, Robinson explains.

"Wi-Fi Alliance is implementing changes around when Wi-Fi CERTIFIED devices must use Protected Management Frames, essentially refining the set of acceptable Wi-Fi CERTIFIED device configurations to further raise the bar and ensure devices utilize the highest possible security," he says.

A second WPA2 enhancement calls for companies to conduct additional checks on all of their Wi-Fi CERTIFIED devices to ensure they are incorporating the best practices on the way they use Wi-Fi security protocols and closely related network protocols. For example, Wi-Fi tests will evaluate expected behaviors when devices validate network authentication server certificates, Robinson says. This enhancement is designed to reduce potential vulnerabilities due to misconfiguration of networks or devices.

The third enhancement aims to deliver better consistency in network security configuration by standardizing 128-bit level cryptographic suite configurations, similar to those defined for the new 192-bit level.

"Often people may focus exclusively on the level of encryption when evaluating security of a technology, but there are a number of components—such as information protection (encryption), key establishment, digital signatures, and condensed representations of information—that work together as a system to deliver strong security," Robinson notes.

As a result, the third enhancement is designed to ensure all Wi-Fi CERTIFIED devices use cryptographic components of similar strength as the security level that is configured. Robinson compared this enhancement to preventing a weak link in a chain.

"Depending on its intended use, a chain could be made of plastic, aluminum, or hardened steel. However, the chain is only as good as its weakest link. This enhancement will ensure there is consistency across all security elements utilized in a given configuration," he says.

Although the vast majority of Wi-Fi devices already meet most of these requirements, the alliance notes by having them in its Wi-Fi certification program it can be certain that all Wi-Fi CERTIFIED devices will meet this higher level of security protection.

WP3 Capabilities

Broad adoption of WPA3's four capabilities is expected to take some time, but when it occurs it is expected to yield greater security for a number of years, Robinson says.

The first capability aims to protect users who choose weak passwords. Under WPA3 certification, companies would need to use technology that informs the network every time an attacker guesses at a password. "Previously, before a handshake could happen on a network, an attacker could do their guessing offline," explains Robinson.

WPA3 also aims to simplify the configuration process and security for devices with limited display interfaces, which are typically associated with sensor or IoT devices. WPA3 certified devices would allow users to tap their smartphone against a sensor device or IoT device, or scan a QR code, and then provision the device onto the network.

Improved privacy on open networks is a third standard for WPA3-supported devices.  

"With this new capability supported by WPA3 devices, every user on an open network gets individualized data encryption without the need to configure a network password. The experience is identical to connecting to any open network with the benefit of a higher level of privacy because an attacker cannot passively monitor network traffic," Robinson says.

Lastly, WPA3 aims to deliver stronger security for government, defense, and industrial networks with a new set of protocols using 192-bit security, or Commercial National Security Algorithm (CNSA) Suite. CNSA, previously known as Suite B, is designed to support security-sensitive networks, such as those transmitting top secret information, the Alliance announced.

"WPA3 will emerge in 2018, but broad adoption is not expected for some time," Robinson says. "WPA2 will continue to be deployed in Wi-Fi CERTIFIED devices for the foreseeable future, and the Wi-Fi Alliance will continue enhancing WPA2 to ensure it delivers strong security protections to Wi-Fi users as the security landscape evolves."

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.