As we mentioned in a previous post, the Wi-Fi Alliance, a joint venture of various device makers such as Apple, Microsoft and Qualcomm, announced the next-generation wireless security model, WPA3, on January 9.
The standard will replace WPA2, a security protocol that has been around for nearly two decades and is built in to protect nearly every wireless device today, such as phones, laptops, and Internet of Things (IoT) devices.
One of the key improvements in WPA3 is aimed at solving a common security problem: open Wi-Fi networks. Open Wi-Fi networks in coffee shops and airports are very convenient but unencrypted, allowing anyone on the same network to monitor the data sent by other devices.
This week, Qualcomm announced that it will incorporate WPA3 into its portfolio of mobile and networking products, such as chipsets for routers, smartphones, tablets and computers. So we will soon see the successor of WPA2, the security protocol that can be broken by the famous Key Reinstallation Attack (KRACK) revealed at the end of last year.
What is WPA?
WPA stands for Wi-Fi Protected Access, and it secures devices with an encrypted code using the Advanced Encryption Standard (AES) protocol. Specifically, it uses a four-way handshake to prevent any possible monitoring of network traffic between a Wi-Fi access point (such as a router) and a Wi-Fi client (such as a smartphone or a laptop). The encryption theoretically prevents man-in-the-middle attacks that attempt to "capture" data in transit.
But WPA2 is not perfect. Last October, security researchers uncovered KRACK, a vulnerability that interferes with the initial handshake between a device and the router in a way that allows intruders to view, decrypt, or even manipulate network data.
Most new devices (phones, laptops and Wi-Fi routers) have been updated with new firmware that protects against KRACK, but old devices are vulnerable.
The new WPA3 is expected to support a one-touch setup system, which will make it easier to protect devices without screens (Internet of Things devices and smart speakers like Google Home and Amazon's Echo).
WPA3 supports a much more powerful encryption algorithm than WPA2, although it is intended for industrial, defense, and government applications rather than for homes and offices. Specifically, the new protocol includes a 192-bit security suite that aligns with the CNSA (Commercial National Security Algorithm) Suite, a feature requested by the Committee on National Security Systems (CNSS) for the National Security Agency (NSA).
WPA3 will use a very powerful handshake that is not vulnerable to exploits like KRACK. It is called the Dragonfly protocol and will enhance security when exchanging the network key between a device and the router.
WPA3 also imposes strict limits on the number of attempts someone can make to guess the network's password. This means that even networks with weak passwords will be less vulnerable to brute-force attacks.
According to the press release it published, Qualcomm is the first company to announce the implementation of WPA3. The company says it will incorporate support for the new protocol in the Snapdragon 845 in June and in Qualcomm's access point platforms in July.