Let’s talk about wireless encryption.
What is WPA?¶
Wi-Fi Protected Access (WPA) security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks.
What’s the problem with WPA2 and why we need WPA3?¶
Pre-shared key WPA and WPA2 remain vulnerable to password cracking attacks if users rely on a weak password or passphrase. Brute forcing of simple passwords can be attempted using the Aircrack Suite starting from the four-way authentication handshake exchanged during association or periodic re-authentication. To further protect against intrusion, the network’s SSID should not match any entry in the top 1,000 SSIDs as downloadable rainbow tables have been pre-generated for them and a multitude of common passwords.
How does WPA3 help?
WPA3 replaces cryptographic protocols susceptible to off-line analysis with protocols that require interaction with the infrastructure for each guessed password, so that the infrastructure may place temporal limits on the number of guesses.
Lack of forward secrecy:¶
WPA and WPA2 don’t provide forward secrecy, meaning that once an adverse person discovers the pre-shared key, they can potentially decrypt all packets encrypted using that PSK transmitted in the future and even past, which could be passively and silently collected by the attacker. This also means an attacker can silently capture and decrypt others’ packets if a WPA-protected access point is provided free of charge at a public place, because its password is usually shared to anyone in that place. In other words, WPA only protects from attackers who don’t have access to the password. Because of that, it’s safer to use Transport Layer Security (TLS) or similar on top of that for the transfer of any sensitive data.
How does WPA3 help?
Starting from WPA3, this issue has been addressed.
WPS PIN recovery:¶
A more serious security flaw was revealed in December 2011 by Stefan Viehböck that affects wireless routers with the Wi-Fi Protected Setup (WPS) feature, regardless of which encryption method they use. Most recent models have this feature and enable it by default. Many consumer Wi-Fi device manufacturers had taken steps to eliminate the potential of weak passphrase choices by promoting alternative methods of automatically generating and distributing strong keys when users add a new wireless adapter or appliance to a network. These methods include pushing buttons on the devices or entering an 8-digit PIN. The Wi-Fi Alliance standardized these methods as Wi-Fi Protected Setup; however the PIN feature as widely implemented introduced a major new security flaw. The flaw allows a remote attacker to recover the WPS PIN and, with it, the router’s WPA/WPA2 password in a few hours. Users have been urged to turn off the WPS feature, although this may not be possible on some router models. Also, the PIN is written on a label on most Wi-Fi routers with WPS, and cannot be changed if compromised.
How does WPA3 help?
WPA3 introduces a new alternative for configuration of devices that lack sufficient user interface capabilities by allowing nearby devices to serve as an adequate UI for network provisioning purposes, thus mitigating the need for WPS.
Are WPA3 wifi systems compatible with WPA2 devices?¶
What are the available encryption options for WPA2?¶
- used by most consumers and small-sized businesses
- used by medium-sized businesses and enterprises
What are the available encryption options for WPA3?¶
- will replace WPA2-Personal
- will be used most consumers and small-sized businesses
- will replace WPA2-Enterprise
- will be used by medium-sized businesses and enterprises
What is Opportunistic Wireless Encryption (OWE)?¶
The purpose of OWE is to mitigate attacks on open unencrypted wireless networks that present significant security threats to users, from passive packet capture and sniffing.
What are the limitations of OWE?¶
OWE does not provide authentication, and therefore does not guard against man-in-the-middle attacks that lure clients to connect to a rogue, or evil-twin, access point (AP). However, OWE does protect against passive eavesdropping, as well as unsophisticated packet injection such as deauthentication storm attacks or layer-2 injection of data into insecure HTTP sessions. Use of OWE results in a shared, pairwise, unique secret used to negotiate session keys, protecting unicast data frames and unicast robust management frames using Wi-Fi Protected Management Frames (PMF).
Which 802.11ac (wifi 5) models already support WPA3?¶
- As of ArubaOS 8.4.0.x, which was released on 2018-12-20, Aruba added support for WPA3 and Enhanced Open for their 802.11ac (wifi5) Access Points.
- Specifically, the 300, 310, 320, 340, 360, 370 Series, AP-514, and AP-515 access points.
Because WPA3 will replace WPA2, make sure to login into the dashboard, and enable WPA3.
Unofficially confirmed wifi systems to be getting the WPA3 update?¶
- Cisco Aironet
- Cisco Meraki
- Ubiquiti Unifi
Which 802.11ax (wifi 6) models already support WPA3?¶
All of them, it’s a requirement to ship 802.11ax wifi systems with WPA3-personal and WPA3-enterprise.