11

It seems Wi-Fi Alliance announced WPA3 for the end of 2018.

  • Anybody knows exactly what is new? features, security improvements, etc...
  • Is it because of Krack attack? I thought patching WPA2 is enough.
  • Is WPA3 really needed because of its security improvements? or is just a "not mandatory" upgrade?
Anders
  • 64,406
  • 24
  • 178
  • 215
OscarAkaElvis
  • 5,185
  • 3
  • 17
  • 48
  • 7
    There are a number of unfortunate things about WPA/WPA2, such as the ability for a non-authenticated attacker to knock users off the network, or the fact that in a PSK setup, anyone with access to the network can eavesdrop on everyone else on the network. I don't know of WPA3 fixes them. – Mark Jan 10 '18 at 08:52
  • 2
    https://www.theregister.co.uk/2018/01/09/wi_fi_wpa3/ provides some details and then *"A spokesperson for the Wi-Fi Alliance told The Register in an email that __further information will be made available once the WPA3 program launches__."* – Steffen Ullrich Jan 10 '18 at 09:25
  • 1
    I didn't look at wp3 yet, but an improvement is sorely needed, considering how much wpa2 Personal sucks. – CodesInChaos Jan 10 '18 at 12:59
  • @Mark Both unfortunate and plain old silly. The fact that the ESSID is used as the salt has always made me want to cry. – forest Mar 02 '18 at 10:22
  • @Mark, WPA3 does not address the ability to deauth/disassoc clients from a wireless network. However 802.11w does do so and is already required by the WFA to get their ac or Passpoint certifications. Please see [my answer here](https://security.stackexchange.com/a/64440/24467) if you want more specific details. – YLearn May 10 '18 at 22:14

2 Answers2

13

According to The Hacker News, here are major improvements :

  • WPA3 protocol strengthens user privacy in open networks through individualised data encryption.
  • WPA3 protocol will also protect against brute-force dictionary attacks, preventing hackers from making multiple login attempts by
    using commonly used passwords.
  • WPA3 protocol also offers simplified security for devices that often have no display for configuring security settings, i.e. IoT devices.
  • Finally, there will be a 192-bit security suite for protecting WiFi users’ networks with higher security requirements, such as
    government, defence and industrial organisations.

Thus I think it has some security improvements over WPA2

Soufiane Tahiri
  • 2,667
  • 12
  • 27
  • This is pretty much the [press release](https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements) in a nutshell. If anyone is a [member](https://www.wi-fi.org/membership) and has more information, please add what you know. – Tom K. Jan 10 '18 at 09:01
  • Nice answer! I'm curious what "individualised data encryption" might mean... I guess we will have to wait and see. – Anders Jan 10 '18 at 10:12
  • 6
    @Anders "individualized data encryption" simply means that hotspots or open access points will issue unique keys to each unauthenticated client, instead of using no encryption for unauthenticated clients. This will prevent the guy in the cafe next to you from using wireshark to view your traffic. – John Deters Jan 10 '18 at 14:07
  • 1
    "WPA3 protocol will also protect against brute-force dictionary attacks, preventing hackers from making multiple login attempts by using commonly used passwords". This seems odd, are they saying it will protect against a handshake capture and offline cracking? If not, this doesn't really help. – multithr3at3d Jan 10 '18 at 21:49
  • What if a handshake capture is possible and cracked offline? Doesn't enterprise WPA2 already offer the extra protection needed by enterprises? – AXANO Jan 12 '18 at 13:14
  • @multithr3at3d Yes it does. Unlike WPA/WPA2, the _password_ is used for authentication, not encryption. The encryption key is created using public key cryptography so it will not be possible to brute force it (it has a 192 bit keyspace). A brute force attack against the _password_ is likewise not possible to do offline, and when online, the access point can simply rate limit connection attempts. – forest Mar 02 '18 at 10:24
  • 1
    @AXANO WPA2 Enterprise can provide some of these improvements (e.g. by using EAP-TLS), but it requires a complex setup with a bloated RADIUS server. – forest Mar 02 '18 at 10:25
6

Anybody knows exactly what is new? features, security improvements, etc...

From what I have been able to gather so far, it appears to be a couple of required new features and a couple of optional features.

  • Opportunistic Wireless Encryption (OWE) - required. Based on RFC 8110, this is meant to ultimately displace open wireless networks. This adds a simple encryption to clients without the need to configure a PSK. However the lack of a PSK appears to leave this vulnerable to MitM attacks. Better than transmitting in the clear, but not by much.
  • Simultaneous Authentication of Equals (SAE) - required. A modification to the handshake to help prevent dictionary style attacks on PSKs.
  • AES 192-bit encryption - optional. A boost from the cryptographic strength used on wireless today (128-bit encryption).
  • Device Provisioning Protocol (DPP) - optional. A way to add devices to a secure network easily. Looks to be a replacement of the WPS, which has been broken for a while.

So far, nothing dramatically changing the face of wireless security, rather more enhancements than a new protocol. However it is a new certification from the WFA that devices will have to meet if they want to use WPA3 in their documentation/marketing.

Is it because of Krack attack? I thought patching WPA2 is enough.

Directly no. Indirectly, I would say yes. Consider that WPA2 (802.11i) is nearly a decade and a half old. While (patched) it remains secure today, this is a long time for a security protocol and KRACK caused many people to once again reconsider the role of wireless security.

The WiFi Alliance is simply strengthening the security that currently exists.

I will take a moment to note that unlike previous versions of WPA, WPA3 is not based on an IEEE ammendment to 802.11 (WPA based on draft 802.11i, WPA2 based on 802.11i). I don't doubt that there is discussion of a new IEEE working group to look into updating wireless security, but I am not aware of any formed at the moment.

Is WPA3 really needed because of its security improvements? or is just a "not mandatory" upgrade?

Not mandatory. However, WPA3 does help to strengthen wireless security.

Keep in mind that WPA3 doesn't really seem to be a replacement of WPA2, rather just additional features that the WFA will require to get their certifications.

YLearn
  • 3,967
  • 1
  • 17
  • 34
  • While OWE may in theory be vulnerable to MITM, I would not be surprised if many hotspots included, rather than a password, a fingerprint that you must enter to verify the hotspot before connecting. – forest May 10 '18 at 07:16
  • 2
    @forest, from [RFC8110](https://tools.ietf.org/html/rfc8110) section 7, "Security Considerations": *OWE is susceptible to an active attack in which an adversary impersonates an access point and induces a client to connect to it via OWE while it makes a connection to the legitimate access point. In this particular attack, the adversary is able to inspect, modify, and forge any data between the client and legitimate access point.* Therefore it is vulnerable to MitM. – YLearn May 10 '18 at 22:02
  • 1
    Actually, on further consideration, this may make clients MORE vulnerable to MitM for at least the short term (until most open networks are OWE capable). WPA3 Clients will likely prefer OWE networks over legacy open networks, so an attacker will simply need to impersonate an open network with a OWE network to get WPA3 capable clients to connect to it over the actual network. – YLearn May 10 '18 at 22:55
  • 1
    You're right, I read through the RFC and saw nothing about even optional fingerprint-based authentication. That is really sad because businesses could provide a QR code to scan which gives the figerprint, but the protocol doesn't even support that. That also means that "access point pinning" might not be possible. I don't think OWE would be _more_ vulnerable though, because an active attacker can equally violate confidentiality, integrity, and availability completely for both OWE and legacy open networks. There is no need for them to use OWE to become a "preferred" network. – forest May 11 '18 at 01:16
  • I wonder if OWE will be supported for... ah what is that feature called that allows an AP to mediate a direct connection between two devices in a LAN, like DCC on IRC? – forest May 11 '18 at 01:19
  • 1
    @forest, my though is regarding OWE being less secure is that given two networks with the same name, clients will likely be programmed to prefer an OWE network rather than a legacy open network (since it is "more secure"). An attacker setting up a rogue network with OWE in the area of a legacy open network will not have to do anything "extra" to get clients to connect to their MitM placement. Clients may even prefer to automatically roam to the OWE network, negating the need to send disassoc'/death frames to get clients to reconnect (or in the presence of 802.11w where they cannot do so). – YLearn May 11 '18 at 04:17
  • Not sure what you mean by AP mediating a direct connection, although you may mean WiFi Direct (aka WiFi P2P) which uses a "soft AP" on a wireless client to allow two clients to connect to each other (you could also mean ad-hoc mode, but that doesn't even use a soft AP). Like WPA3, WiFi Direct is a WFA extension and not an IEEE 802.11 amendment and it has no "need" to use OWE as it uses WPS (another WFA extension) to establish a "secure" connection. If anything, the WFA may replace WPS with DPP for a next generation WiFi Direct 2.0. – YLearn May 11 '18 at 04:18
  • Looks like what I was thinking of was TDLS. – forest Jun 01 '18 at 00:23
  • 1
    @forest, I had forgotten about 802.11z/TDLS as I personally have seldom seen it used. Thanks for the reminder, I will have to go do some research to refresh my memory when I get a chance. While TDLS is a means of two devices negotiating a direct connection over a common network, IIRC this is entirely done by the end client devices themselves with no interaction from the AP. When they establish the connection, they in essence tell the AP they are going to sleep and use that time to communicate directly while "waking" up to listen to the AP every DTIM period. – YLearn Jun 01 '18 at 05:28
  • Is it seldom used? I see it displayed as supported on most cards (at least Atheros and Ralink). I would assume that most devices would take advantage of it automatically when, e.g. transferring a large amount of data to another system on the same LAN. – forest Jun 01 '18 at 13:07
  • @forest, I said personally. My professional work with wireless is largely in the enterprise and I just don’t see it used often (especially as being on the same LAN in such cases does not indicate close proximity between client devices). It is my understanding that TDLS needs to be triggered by the application, not the network stack (which by its nature has no idea about the size of a data transfer at L2). Taking a quick look now, it seems to largely be used in multimedia cases (for example smart TVs with mobile devices - phones/tablets). – YLearn Jun 01 '18 at 13:40