Endpoint

1/8/2018
02:30 PM
50%
50%

Wi-Fi Alliance Launches WPA2 Enhancements and Debuts WPA3

WPA2 protocol enhancements bring stronger security protection and best practices, while new WPA3 protocol offers new security capabilities.

In a one-two punch, the Wi-Fi Alliance today introduced several key enhancements to its Wi-Fi Protected Access II (WPA2) security protocol and unveiled its next security protocol WPA3.

"WPA2 has been around since 2003 and the Wi-Fi Alliance has constantly updated and enhanced it. WPA3 will build on the core components of WPA2 and add additional capabilities," says Kevin Robinson, vice president of marketing for the Wi-Fi Alliance.

The Wi-Fi Alliance is a global network of companies that collaborate and set standards for the Wi-Fi industry. WPA2 is the organization's family of Wi-Fi CERTIFIED security technologies, which is widely adopted among more than 35,000 Wi-Fi products, and WPA2 will run concurrently as WPA3 gains adoption, Robinson says.

During the early part of the year, the alliance will roll out three key WPA2 enhancements and four new WPA3 security capabilities.

"These new WPA2 enhancements generally take place 'under the hood' of Wi-Fi devices," Robinson says, noting most users will not notice the changes. However, network operators, service providers, and managers of BYOD employees will likely notice the changes.

WPA2 Enhancements

The three key enhancements to the WPA2 protocol will address authentication, encryption, and configuration issues.

The first enhancement is related to the use of Protected Management Frames (PMF) in Wi-Fi devices. The Protected Management Frames feature, which is already broadly adopted in Wi-Fi devices, is designed to ensure the integrity of network management traffic on a Wi-Fi network and maintains the resiliency of networks, Robinson explains.

"Wi-Fi Alliance is implementing changes around when Wi-Fi CERTIFIED devices must use Protected Management Frames, essentially refining the set of acceptable Wi-Fi CERTIFIED device configurations to further raise the bar and ensure devices utilize the highest possible security," he says.

A second WPA2 enhancement calls for companies to conduct additional checks on all of their Wi-Fi CERTIFIED devices to ensure they are incorporating the best practices on the way they use Wi-Fi security protocols and closely related network protocols. For example, Wi-Fi tests will evaluate expected behaviors when devices validate network authentication server certificates, Robinson says. This enhancement is designed to reduce potential vulnerabilities due to misconfiguration of networks or devices.

The third enhancement aims to deliver better consistency in network security configuration by standardizing 128-bit level cryptographic suite configurations, similar to those defined for the new 192-bit level.

"Often people may focus exclusively on the level of encryption when evaluating security of a technology, but there are a number of components—such as information protection (encryption), key establishment, digital signatures, and condensed representations of information—that work together as a system to deliver strong security," Robinson notes.

As a result, the third enhancement is designed to ensure all Wi-Fi CERTIFIED devices use cryptographic components of similar strength as the security level that is configured. Robinson compared this enhancement to preventing a weak link in a chain.

"Depending on its intended use, a chain could be made of plastic, aluminum, or hardened steel. However, the chain is only as good as its weakest link. This enhancement will ensure there is consistency across all security elements utilized in a given configuration," he says.

Although the vast majority of Wi-Fi devices already meet most of these requirements, the alliance notes by having them in its Wi-Fi certification program it can be certain that all Wi-Fi CERTIFIED devices will meet this higher level of security protection.

WP3 Capabilities

Broad adoption of WPA3's four capabilities is expected to take some time, but when it occurs it is expected to yield greater security for a number of years, Robinson says.

The first capability aims to protect users who choose weak passwords. Under WPA3 certification, companies would need to use technology that informs the network every time an attacker guesses at a password. "Previously, before a handshake could happen on a network, an attacker could do their guessing offline," explains Robinson.

WPA3 also aims to simplify the configuration process and security for devices with limited display interfaces, which are typically associated with sensor or IoT devices. WPA3 certified devices would allow users to tap their smartphone against a sensor device or IoT device, or scan a QR code, and then provision the device onto the network.

Improved privacy on open networks is a third standard for WPA3-supported devices.  

"With this new capability supported by WPA3 devices, every user on an open network gets individualized data encryption without the need to configure a network password. The experience is identical to connecting to any open network with the benefit of a higher level of privacy because an attacker cannot passively monitor network traffic," Robinson says.

Lastly, WPA3 aims to deliver stronger security for government, defense, and industrial networks with a new set of protocols using 192-bit security, or Commercial National Security Algorithm (CNSA) Suite. CNSA, previously known as Suite B, is designed to support security-sensitive networks, such as those transmitting top secret information, the Alliance announced.

"WPA3 will emerge in 2018, but broad adoption is not expected for some time," Robinson says. "WPA2 will continue to be deployed in Wi-Fi CERTIFIED devices for the foreseeable future, and the Wi-Fi Alliance will continue enhancing WPA2 to ensure it delivers strong security protections to Wi-Fi users as the security landscape evolves."

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-2607
PUBLISHED: 2018-05-21
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users...
CVE-2018-1108
PUBLISHED: 2018-05-21
kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
CVE-2018-11330
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
CVE-2018-11331
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
CVE-2018-7687
PUBLISHED: 2018-05-21
The Micro Focus Client for OES before version 2 SP4 IR8a has a vulnerability that could allow a local attacker to elevate privileges via a buffer overflow in ncfsd.sys.