Released in 2018, WPA3 is an updated and more secure version of the Wi-Fi Protected Access Protocol for securing wireless networks. As I described in the comparison between WPA2 and WPA, WPA2 has been the recommended way to secure your wireless network since 2004 because it is more secure than WEP and WPA. WPA3 brings new security enhancements that make it harder to enter networks by guessing passwords. it is also impossible to decrypt the data captured in the past, i.e. before the key (password) is decrypted.
When the Wi-Fi alliance announced the technical details of WPA3 in early 2018, its press release had four main features: a new, more secure handshake for making connections, a simple method to safely add new ones devices to a network, basic protection when using open access points, and ultimately increasing the size of keys.
The final spec only mandates the new handshake, but some manufacturers will implement the other features as well.
New handshake: Simultaneous Peer-to-Peer (SAE) authentication
When a device tries to connect to a password protected Wi-Fi network, the steps for providing and verifying the password are followed through a 4-way link. In WPA2, this part of the protocol was vulnerable to KRACK attacks:
In a key reinstallation attack [KRACK], the adversary tricks a victim into reinstalling a key that has already been used. This is achieved by manipulating and replaying cryptographic negotiation messages. When the victim reinstalls the key, associated parameters such as incremental transmit packet number (i.e. nonce) and receive packet number (replay counter) are reset to their original value. To ensure security, a key should only be installed and used once.
Even with updates to WPA2 to mitigate vulnerabilities in KRACK, WPA2-PSK can still be cracked. There are even how-to guides for WPA2-PSK password hacking.
WPA3 addresses this vulnerability and mitigates other issues by using a different negotiation mechanism for authentication over a Wi-Fi network: simultaneous peer-to-peer authentication, also known as Dragonfly key exchange.
Technical details of how WPA3 uses Dragonfly key exchange, which itself is a variant of SPEKE (Exponential Key Exchange with Simple Password), are described in this video.
The advantages of Dragonfly key exchange are transmission secrecy and resistance to offline decryption.
Resistant to offline decryption
A vulnerability of the WPA2 protocol is that the attacker does not have to stay connected to the network to be able to guess the password. The attacker can detect and capture the 4-way negotiation of an initial WPA2-based connection when in close proximity to the network. This captured traffic can then be used offline in a dictionary-based attack to guess the password. This means that if the password is weak, it is easily broken. In fact, alphanumeric passwords up to 16 characters long can be cracked quite quickly for WPA2 networks.
WPA3 uses the Dragonfly Key Exchange system to resist dictionary attacks. This is defined as follows:
Resistance to dictionary attacks means that any advantage an opponent can gain must be directly related to the number of interactions they make with an honest protocol participant, and not through a calculation. The adversary will not be able to obtain password information unless an estimate given by a protocol is correct or incorrect.
This feature of WPA3 protects networks where the network password, i.e. the pre-shared key (PSDK), is lower than the recommended complexity.
Wireless networking uses a radio signal to transmit information (data packets) between a client device (for example, a phone or laptop) and the wireless access point (router). These radio signals are broadcast openly and can be intercepted or “received” by anyone nearby. When the wireless network is password protected (WPA2 or WPA3), the signals are encrypted, so that a third party intercepting the signals will not be able to understand the data.
However, an attacker can save all the data that he intercepts. And if they are able to guess the password in the future (which is possible via a dictionary attack on WPA2, as we saw above), they can use the key to decrypt the traffic from data recorded in the past on this network.
WPA3 ensures the secrecy of transfers. The protocol is designed so that even with the network password, it is impossible for a spy spy to monitor the traffic between the access point and another client device.
Opportunistic Wireless Encryption (OWE)
Described in this white paper (RFC 8110), Wireless Opportunistic Encryption (OWE) is a new feature in WPA3 that replaces 802.11 “open” authentication widely used in public access points and public networks.
This YouTube video provides a technical overview of OWE. The key idea is to use a Diffie-Hellman key exchange mechanism to encrypt all communication between a device and an access point (router). The decryption key for communication is different for each client connecting to the access point. Thus, none of the other devices on the network can decrypt this communication, even if they are listening to it (which is called a sniff). This benefit is called Individualized Data Protection – the data traffic between a client and an access point is “individualized”; So while other clients can sniff and record this traffic, they cannot decipher it.
The big advantage of OWA is that it doesn’t just protect networks that require a password to connect. it also protects open “insecure” networks that do not require a password, for example. wireless networks in libraries. OWE provides encryption to these networks without authentication. No provisioning, no negotiation, and no credentials required – it works without the user having to do anything or even knowing that their browsing is now more secure.
Disclaimer: OWE does not protect against “unwanted” access points, such as honeypot APs or evil twins, which try to trick the user into connecting with them and stealing information. .
Another drawback is that WPA3 supports unauthenticated encryption but does not require it. It is possible for a manufacturer to obtain the WPA3 tag without implementing unauthenticated encryption. The feature is now called Wi-Fi CERTIFIED Enhanced Open. So buyers should look for this tag in addition to the WPA3 tag to ensure that the device they are purchasing supports unauthenticated encryption.
DPP (Device Provisioning Protocol)
The Wi-Fi Device Provisioning Protocol (DPP) replaces the less secure Wi-Fi Protected Setup (WPS). Many home automation or Internet of Things (IoT) devices do not have an interface for entering a password and need to rely on smartphones to check their Wi-Fi configuration. Fi ..
Again, the caveat is that the Wi-Fi Alliance has not required this feature to be used to achieve WPA3 certification. So technically this is not part of WPA3. Instead, this feature is now part of their Easy Connect Wi-Fi CERTIFIED program. So, look for this label before purchasing any WPA3 certified material.
DPP allows devices to be authenticated over the Wi-Fi network without a password, using a QR code or NFC technology (near-field communication, the same technology used for wireless transactions on Apple Pay or Android Pay tags).
With Wi-Fi Protected Setup (WPS), the password is communicated from your phone to the IoT device, which then uses it to authenticate on the Wi-Fi network. But with the new DPP (Device Provisioning Protocol) ), devices perform mutual authentication without password.
As described above, over the years, WPA2 has become vulnerable to various forms of attack, including the famous KRACK technique for which patches are available, but not for all routers and little deployed by users as it requires a firmware upgrade ..
In August 2018, another attack vector of WPA2 was discovered.  This allows an attacker who sniffs WPA2 handshakes to obtain the hash of the pre-shared key (password). The attacker can then use a brute force technique to compare that hash against the list of commonly used passwords or a list of guesses trying all possible variations of variable-length letters and numbers. Using cloud computing resources, it is easy to guess a password under 16 characters long.
In short, WPA2 security is almost the same as security, but only for WPA2-Personal. WPA2-Enterprise is much more resistant. Until WPA3 is widely available, use a strong password for your WPA2 network.
If possible, choose WPA3 over WPA2.
1) When purchasing WPA3 certified hardware, also look for Wi-Fi Enhanced Open and Wi-Fi Easy Connect certifications. As described above, these features improve network security.
2) Choose a long and complex password (pre-shared key):
use numbers, upper and lower case letters, spaces and even “special” characters in your password.
Make it a password instead of a single word.
Make it long – 20 characters or more.
3) If you are purchasing a new wireless router or access point, choose one that supports WPA3 or plan to roll out a software update that supports WPA3 in the future. Wireless router vendors regularly release firmware updates for their products. Depending on the quality of the provider, they release upgrades more frequently. for example. After the KRACK vulnerability, TP-LINK was one of the first vendors to release patches for their routers. They also released fixes for older routers. Therefore, if you are looking for the router to buy, check the history of firmware versions released by that manufacturer.
4) Choose a company that is diligent about their upgrades.
5) Use a VPN when using a public Wi-Fi hotspot such as a cafe or library, whether or not the wireless network is password protected (secure).
I am sorry that this post was not useful for you!
Let me improve this post!
Tell me how i can improve this post?