Anybody knows exactly what is new? features, security improvements, etc...
From what I have been able to gather so far, it appears to be a couple of required new features and a couple of optional features.
- Opportunistic Wireless Encryption (OWE) - required. Based on RFC 8110, this is meant to ultimately displace open wireless networks. This adds a simple encryption to clients without the need to configure a PSK. However the lack of a PSK appears to leave this vulnerable to MitM attacks. Better than transmitting in the clear, but not by much.
- Simultaneous Authentication of Equals (SAE) - required. A modification to the handshake to help prevent dictionary style attacks on PSKs.
- AES 192-bit encryption - optional. A boost from the cryptographic strength used on wireless today (128-bit encryption).
- Device Provisioning Protocol (DPP) - optional. A way to add devices to a secure network easily. Looks to be a replacement of the WPS, which has been broken for a while.
So far, nothing dramatically changing the face of wireless security, rather more enhancements than a new protocol. However it is a new certification from the WFA that devices will have to meet if they want to use WPA3 in their documentation/marketing.
Is it because of Krack attack? I thought patching WPA2 is enough.
Directly no. Indirectly, I would say yes. Consider that WPA2 (802.11i) is nearly a decade and a half old. While (patched) it remains secure today, this is a long time for a security protocol and KRACK caused many people to once again reconsider the role of wireless security.
The WiFi Alliance is simply strengthening the security that currently exists.
I will take a moment to note that unlike previous versions of WPA, WPA3 is not based on an IEEE ammendment to 802.11 (WPA based on draft 802.11i, WPA2 based on 802.11i). I don't doubt that there is discussion of a new IEEE working group to look into updating wireless security, but I am not aware of any formed at the moment.
Is WPA3 really needed because of its security improvements? or is just a "not mandatory" upgrade?
Not mandatory. However, WPA3 does help to strengthen wireless security.
Keep in mind that WPA3 doesn't really seem to be a replacement of WPA2, rather just additional features that the WFA will require to get their certifications.