Endpoint

1/8/2018
02:30 PM
50%
50%

Wi-Fi Alliance Launches WPA2 Enhancements and Debuts WPA3

WPA2 protocol enhancements bring stronger security protection and best practices, while new WPA3 protocol offers new security capabilities.

In a one-two punch, the Wi-Fi Alliance today introduced several key enhancements to its Wi-Fi Protected Access II (WPA2) security protocol and unveiled its next security protocol WPA3.

"WPA2 has been around since 2003 and the Wi-Fi Alliance has constantly updated and enhanced it. WPA3 will build on the core components of WPA2 and add additional capabilities," says Kevin Robinson, vice president of marketing for the Wi-Fi Alliance.

The Wi-Fi Alliance is a global network of companies that collaborate and set standards for the Wi-Fi industry. WPA2 is the organization's family of Wi-Fi CERTIFIED security technologies, which is widely adopted among more than 35,000 Wi-Fi products, and WPA2 will run concurrently as WPA3 gains adoption, Robinson says.

During the early part of the year, the alliance will roll out three key WPA2 enhancements and four new WPA3 security capabilities.

"These new WPA2 enhancements generally take place 'under the hood' of Wi-Fi devices," Robinson says, noting most users will not notice the changes. However, network operators, service providers, and managers of BYOD employees will likely notice the changes.

WPA2 Enhancements

The three key enhancements to the WPA2 protocol will address authentication, encryption, and configuration issues.

The first enhancement is related to the use of Protected Management Frames (PMF) in Wi-Fi devices. The Protected Management Frames feature, which is already broadly adopted in Wi-Fi devices, is designed to ensure the integrity of network management traffic on a Wi-Fi network and maintains the resiliency of networks, Robinson explains.

"Wi-Fi Alliance is implementing changes around when Wi-Fi CERTIFIED devices must use Protected Management Frames, essentially refining the set of acceptable Wi-Fi CERTIFIED device configurations to further raise the bar and ensure devices utilize the highest possible security," he says.

A second WPA2 enhancement calls for companies to conduct additional checks on all of their Wi-Fi CERTIFIED devices to ensure they are incorporating the best practices on the way they use Wi-Fi security protocols and closely related network protocols. For example, Wi-Fi tests will evaluate expected behaviors when devices validate network authentication server certificates, Robinson says. This enhancement is designed to reduce potential vulnerabilities due to misconfiguration of networks or devices.

The third enhancement aims to deliver better consistency in network security configuration by standardizing 128-bit level cryptographic suite configurations, similar to those defined for the new 192-bit level.

"Often people may focus exclusively on the level of encryption when evaluating security of a technology, but there are a number of components—such as information protection (encryption), key establishment, digital signatures, and condensed representations of information—that work together as a system to deliver strong security," Robinson notes.

As a result, the third enhancement is designed to ensure all Wi-Fi CERTIFIED devices use cryptographic components of similar strength as the security level that is configured. Robinson compared this enhancement to preventing a weak link in a chain.

"Depending on its intended use, a chain could be made of plastic, aluminum, or hardened steel. However, the chain is only as good as its weakest link. This enhancement will ensure there is consistency across all security elements utilized in a given configuration," he says.

Although the vast majority of Wi-Fi devices already meet most of these requirements, the alliance notes by having them in its Wi-Fi certification program it can be certain that all Wi-Fi CERTIFIED devices will meet this higher level of security protection.

WP3 Capabilities

Broad adoption of WPA3's four capabilities is expected to take some time, but when it occurs it is expected to yield greater security for a number of years, Robinson says.

The first capability aims to protect users who choose weak passwords. Under WPA3 certification, companies would need to use technology that informs the network every time an attacker guesses at a password. "Previously, before a handshake could happen on a network, an attacker could do their guessing offline," explains Robinson.

WPA3 also aims to simplify the configuration process and security for devices with limited display interfaces, which are typically associated with sensor or IoT devices. WPA3 certified devices would allow users to tap their smartphone against a sensor device or IoT device, or scan a QR code, and then provision the device onto the network.

Improved privacy on open networks is a third standard for WPA3-supported devices.  

"With this new capability supported by WPA3 devices, every user on an open network gets individualized data encryption without the need to configure a network password. The experience is identical to connecting to any open network with the benefit of a higher level of privacy because an attacker cannot passively monitor network traffic," Robinson says.

Lastly, WPA3 aims to deliver stronger security for government, defense, and industrial networks with a new set of protocols using 192-bit security, or Commercial National Security Algorithm (CNSA) Suite. CNSA, previously known as Suite B, is designed to support security-sensitive networks, such as those transmitting top secret information, the Alliance announced.

"WPA3 will emerge in 2018, but broad adoption is not expected for some time," Robinson says. "WPA2 will continue to be deployed in Wi-Fi CERTIFIED devices for the foreseeable future, and the Wi-Fi Alliance will continue enhancing WPA2 to ensure it delivers strong security protections to Wi-Fi users as the security landscape evolves."

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.