As we mentioned in a previous post, Wi-Fi Alliance, a joint venture comprised of various device makers such as Apple, Microsoft and Qualcomm, announced on January 9 the Next Generation Wireless Security Model WPA3.
The standard will replace WPA2, one protocol security that has been around for nearly two decades and is built in to protect nearly every wireless device today, including phones, laptops, and Internet of Things (IoT) devices.
One of the key improvements to WPA3 is to solve a common security problem: open Wi-Fi networks. Open Wi-Fi networks at cafes and airports are very convenient but unencrypted, allowing anyone on the same network to monitor data sent from other devices.
This week, Qualcomm has announced that it will incorporate WPA3 into its portfolio of mobile and networking products, such as chipset for routers, smartphones, tablets and computers. So we will soon see the successor of WPA2, the security protocol that can be violated by the famous Key Reinforcement AttackKRACK) revealed at the end of last year.
What is WPA?
Το WPA, προέρχεται από το Wi-Fi Protected Access, και ασφαλίζει συσκευές με κρυπτογραφημένο κώδικα χρησιμοποιώντας το πρωτόκολλο Advanced Encryption Standard (AES). Συγκεκριμένα, χρησιμοποιεί ένα handshake τεσσάρων κατευθύνσεων για να εμποδίσει κάθε πιθανή παρακολούθηση της κυκλοφορίας δικτύου μεταξύ ενός Wi-Fi access point (όπως το router) και ενός Wi-Fi client (όπως ένα smartphone ή ένα laptop). Η encryption εμποδίζει θεωρητικά τις επιθέσεις man-in-the-middle που επιχειρούν να “πιάσουν” δεδομένα κατά τη μεταφορά.
But WPA2 is not perfect. Last October, security researchers uncovered KRACK, a vulnerability that interferes with the initial handshake between a device and the router in a way that allows intruders to view, decrypt, or even manage network data.
Most of the new devices (phones, laptops and Wi-Fi routers) were updated with a new firmware that protects KRACK, but old devices are vulnerable.
The new WPA3 is expected to support a one-touch setup that will make it easier to protect devices without screens (Internet of Things devices and smart speakers like Google Home and Amazon's Echo).
WPA3 supports a much stronger encryption algorithm than WPA2 – although it is intended for industrial, defense and government applications rather than homeand offices. Specifically, the new protocol includes a 192-bit security suite aligned with the Commercial National Algorithm Suite (CNSA), a feature requested by the Committee on National Security Systems (CNSS), for the National Security Agency (NSA).
WPA3 will use a very powerful handshake that is not vulnerable to exploits like KRACK. It is called the Dragonfly protocol and will enhance security when exchanging the network key between a device and the router.
WPA3 also imposes strict limits on the number of attempts someone can use to guess the network's password. This means that even networks with weak codeaccess will be less vulnerable to brute force attacks.
As Qualcomm says Press release which he published, is the first company to announce the implementation of WPA3. The company says it will incorporate support for the new protocol in Snapdragon 845 in June and Qualcomm's Access Point platforms in July.
