The world has come to our fingertips, thanks to the technology called Wireless Fidelity or more commonly known as Wi-Fi. We know what’s going on in the world, can stay connected with a larger community, keep a tab on our professional circle and even get trained on the latest skills. All this and more at an affordable price. The possibilities that Wi-Fi can bring to us seem endless. 

Wi-Fi devices are everywhere today. With such intensive use of this technology, security is, and always has been, a key concern. WPA3 is the next-generation security for Wi-Fi devices. As more applications and data are exchanged over Wi-Fi, the networks that carry this traffic will come under much closer attention. WPA3 is expected to roll out in 2020. Client and AP devices manufactured henceforth will support WPA3 modes of operation. The new modes will not require any additional knowledge or configuration on the part of the user. However, the underlying integrity check and encryption methods and procedures are expected to be more robust and not susceptible to known security attacks.

 

WPA3 introduces improvements in all 3 types of security modes of the previous generation:

 

Old | New
Open systems | Opportunistic Wireless Encryption (OWE)
WPA2 PSK (Pre-Shared Key) | WPA3 PSK (also called WPA3-Simultaneous Authentication of Equals (SAE) mode)
WPA2 Enterprise | WPA3 Enterprise 192 bit

 

The Wi-Fi Alliance has made it mandatory for WPA3 devices to support PMF (Protected Management Frames). With PMF, management frames (e.g. Deauthentication) are protected, which prevents spoofing by unauthenticated clients or rogue devices.

The Wi-Fi Alliance has introduced a WPA3 Transition mode, which defines procedures for WPA2 devices and WPA3 devices to co-exist and connect to newer APs [1]. This is briefly described on the Wi-Fi Alliance page in [10] and in detail in [6], [11].

 

Here, we will talk briefly about the things that will change for a typical field engineer with the above changes.

 

Open Systems Association via OWE:

 

Previously, open systems had only the usual Authentication & Association sequence. Now, this will be followed by a four-way handshake, after which the data is encrypted once the keys are established on both sides. This, in our opinion, is the most important change in WPA3, as it improves security for the large number of users of hotspots and public Wi-Fi.

 

OWE exchange between Galaxy S10 and Aruba Wi-Fi 6 AP captured by WiCheck 6


 

Once the four-way handshake is completed, it will no longer be possible to see the management frames in a capture. To see them, one will need access to the Pairwise Master Key (PMK) used, as well as support from Wireshark [4].

 

WPA3 Pre-Shared Key (PSK):

 

There will be four authentication messages instead of the earlier two, covering the commit and confirm phases of SAE (Simultaneous Authentication of Equals). The four-way handshake remains the same, and data is encrypted once the keys are established.

 

WPA3 exchange between Galaxy S10 and Aruba Wi-Fi 6 AP captured by WiCheck 6


 

Henceforth, it will not be possible to decrypt the data or management frames by giving the password to Wireshark. Access to the PMK used is needed to decrypt the frames.

 

WPA3 enterprise:

 

There are no handshake-related changes here, except that PMF support is made mandatory. The new 192-bit WPA3 Enterprise specification defines the Suite B AKM and the GCM-256 and CCM-256 cipher suites to be used for authentication and encryption.

 

 WPA2 Enterprise capabilities as seen in Probe response captured by WiCheck-6


 

 

WPA3 Enterprise capabilities as seen in Probe response captured by WiCheck-6


 

 

As seen above, when compared with WPA2, the AKM changes from WPA to SHA384-Suite B, and the cipher suite CCM is replaced by the new cipher suites CCM-256, GCM and GCM-256. Decrypting the frames works as before, though some modifications to Wireshark may be needed [4].
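The AKM and cipher suite values compared above are carried in the RSN element of beacons and probe responses. The following is an added example, not part of the original post or of any vendor tool: a small parser that reads an RSN element, names the security mode from the table at the top (it goes beyond the Enterprise case to cover OWE, SAE and transition mode), and flags a WPA3 AKM advertised without PMF. The sample elements are constructed for illustration, and the function and label names are assumptions.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector prefix
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE", 12: "SuiteB-192", 18: "OWE"}
WPA3_AKMS = {"SAE", "SuiteB-192", "OWE"}

def _name(sel, names):
    return names.get(sel[3], f"type-{sel[3]}") if sel[:3] == OUI else "vendor-" + sel.hex()

def _suites(body, off, names):
    """Read a 2-byte little-endian count, then that many 4-byte selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_name(body[i:i + 4], names) for i in range(off + 2, end, 4)], end

def parse_rsn(ie):
    """Parse a raw RSN element (ID 48): version, group, pairwise, AKM, caps."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] > len(ie) - 2:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]
    pairwise, off = _suites(body, 6, CIPHERS)
    akms, off = _suites(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    # RSN capabilities: bit 6 = PMF required (MFPR), bit 7 = PMF capable (MFPC)
    pmf = "required" if caps & 0x40 else "capable" if caps & 0x80 else "off"
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise,
            "akms": akms, "pmf": pmf}

def classify(rsn):
    """Return (mode label, True if a WPA3 AKM is advertised without PMF)."""
    akms = set(rsn["akms"])
    if "OWE" in akms: mode = "OWE"
    elif "SuiteB-192" in akms: mode = "WPA3-Enterprise 192-bit"
    elif {"SAE", "PSK"} <= akms: mode = "WPA3 transition (SAE+PSK)"
    elif "SAE" in akms: mode = "WPA3-SAE"
    elif "PSK" in akms: mode = "WPA2-PSK"
    elif "802.1X" in akms: mode = "WPA2-Enterprise"
    else: mode = "other"
    return mode, bool(akms & WPA3_AKMS) and rsn["pmf"] == "off"

SAMPLES = {k: bytes.fromhex(v) for k, v in {  # constructed RSN elements, not captures
    "wpa2-ent": "30140100000fac040100000fac040100000fac010000",
    "wpa3-ent": "301a0100000fac090100000fac090100000fac0cc0000000000fac0c",
    "transition": "30180100000fac040100000fac040200000fac02000fac088000",
    "owe": "30140100000fac040100000fac040100000fac12c000",
    "sae-no-pmf": "30140100000fac040100000fac040100000fac080000"}.items()}
```

Running `classify(parse_rsn(...))` over the RSN element bytes exported from a capture gives a quick per-BSSID check that an AP advertises the mode it was configured for.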

As pointed out in [7], WPA3 is not perfect yet. The Wi-Fi Alliance has taken in more changes in WPA3 to contain or resolve some of the issues pointed out, and WPA3 is a big step forward for Wi-Fi security. This year was the 20th anniversary of Wi-Fi, and we've seen the introduction of Wi-Fi 6. In 2018, Wi-Fi contributed nearly $2 trillion in global economic value, and that number is expected to surpass $3.47 trillion by 2023. In the next few years, there will be smarter homes, hospitals, stadiums and more that will operate at increased speeds and performance. Clearly, there is a lot more to come in terms of technology and its applications that field engineers have to look out for.

 

The Wi-Fi Alliance revised the WPA3 specifications in the latest version, 2.0, released in December 2019. We would like to explain the changes and how to test those features in our next blog. Stay tuned!

 


References:
1. https://www.wi-fi.org/file/wpa3-specification-v10
2. https://www.wi-fi.org/file/wi-fi-certified-wpa3-technology-overview
3. https://www.wi-fi.org/file/wpa3-security-considerations
4. https://www.wireshark.org/lists/wireshark-dev/201903/msg00067.html
5. https://blogs.arubanetworks.com/industries/wpa3-the-next-generation-in-secure-mobility/
6. https://www.arubanetworks.com/assets/wp/WP_WPA3-Enhanced-Open.pdf
7. https://papers.mathyvanhoef.com/dragonblood.pdf
8. https://tools.ietf.org/html/rfc8110
9. https://tools.ietf.org/html/rfc7664
10. https://www.wi-fi.org/discover-wi-fi/security
11. https://twitter.com/wiresharknews/status/1046643547875803136?lang=en
12. https://wlan1nde.wordpress.com/2018/09/14/wpa3-improving-your-wlan-security/
