Over the last few years, Wi-Fi has become the primary mode for network access. This is especially true in the consumer market where the rapid adoption of Smart Home technology, streaming media and IoT devices has increased the number of devices in the home. The need for flexible workspace and ubiquitous mobility has driven the adoption of Wi-Fi in the enterprise. The exponential growth of the “bring your own device” (BYOD) and IoT markets has added the requirement for high density, efficiency and security.
Security is a concern for any network but with wireless being the primary method to access the network, security and the continued success of Wi-Fi both become a critical requirement to the network. . This requirement is particularly challenging for Wi-Fi, as users take their devices that they use at home and personal environments into the enterprise. These two domains have different constraints and requirements when it comes to security.
Typically, consumer electronics, IoT and home deployments use a simple password for access to the network. In the Enterprise settings, stronger security mechanisms such as username and password or certificates are used.
Wi-Fi Protected Access (WPA) has been a continual security evolution within the Wi-Fi Alliance. WPA2 was created 14 years ago to fill in some of the gaps within the original WPA implementation and continues to secure Wi-Fi communications today. Multiple enhancements have been done to WPA2 over the years such as the addition of Protected Management Frames, Fast BSS Transition and utilization of stronger cryptographic algorithms under the covers. However, a blog that published last October and referred to the “KRACK attack” shined a spotlight on Wi-Fi security that highlighted a need for the industry to move to a new generation of authentication and encryption mechanisms. This is a new generation that could resist modern attack techniques and incredibly powerful attack computers and position Wi-Fi security to keep pace with the ever changing threat landscape. This brought forward a need for enhancements to the existing WPA2 features, creating the next iteration called WPA3….
What is WPA3 and what are the driving factors for its evolution?
At last January’s Consumer Electronics Show (CES) in Las Vegas, the Wi-Fi Alliance® announced new security enhancements for Wi-Fi Protected Access. These new enhancements were released under the WPA3 label, with supporting products expected to start appearing throughout 2018. In this blog, we will focuses on two major areas of WPA3, all aiming at better protecting Wi-Fi communications:
The goal of WPA3-personal is to maintain the same capabilities and user experience as WPA2. The new enhancement is the added benefit of making it difficult to find the passphrase used for authenticating to the WLAN from just viewing traffic or associations.
- WPA2-Personal deployments use a password called pre-shared key (PSK). The PSK is used for both the authentication to the WLAN as well as the key to generate other encryption keys. Attackers can eavesdrop on a WPA2 valid initial “handshake”, and attempt to use brute force to deduce the PSK. With the PSK, the attacker can connect to the network, but also decrypt passed captured traffic. The ease of finding the PSK relies on the strength of the attacker computing power and the PSK strength. WPA2-Personal is prone to dictionary attacks due to the “human factor” of using simple passwords that people can remember to secure their networks. So, there was a need for more secure approach and at same time not increasing the End-User operational complexity.
- WPA3-Personal utilizes Simultaneous Authentication of Equals as defined in the IEEE 802.11-2016 standard. With SAE, the user experience is the same (choose a passphrase, use it to connect), but SAE automatically adds a step to the “handshake” that makes brute force attacks ineffective. With SAE, the passphrase is never exposed, making it impossible for an attacker to find the passphrase through brute force dictionary attacks. The other added benefit of WPA3-Personal is that Protected Management Frames (PMF) are required to be utilized for all WPA3 personal connections. In the past PMF was an optional capability that was left up to the user to enable. With WPA3, PMF must be negotiated for all WPA3 connections providing an additional layer of protection from deauthentication and disassociation attacks.
- Within the enterprise, one of the subtle changes that will be evident to end users is in keeping in line with the WPA3 goal for PMF to be enabled and negotiated for all WPA3 connections.
- WPA3 also introduces a 192-bit cryptographic security suite. This level of security provides consistent cryptography and eliminates the “mixing and matching of security protocols” that are defined in the 802.11 standard. This security suite is aligned with the recommendations from the Commercial National Security Algorithm (CNSA) Suite, commonly in place in high-security Wi-Fi networks in government, defense, finance and industrial verticals.
Open Networks get an upgrade
Two other areas the Wi-Fi Alliance has focused on from a security perspective are Open Networks and Device Provision/Onboarding.
- In shopping malls, restaurants and other public places, Wi-Fi networks are often “Open”—sometimes directly, sometimes based on a simple web signup page. As a result, Wi-Fi traffic is not encrypted and visible to any eavesdropper. The upgrade to WPA3 Open Networks includes an additional mechanism for public Wi-Fi, Opportunistic Wireless Encryption (OWE). With this mechanism, the End-User experience is unchanged, but the Wi-Fi communication is automatically encrypted, even if the Wi-Fi network is Open.
IoT secure onboarding – Device Provisioning Protocol (DPP) –
- DPP is an exciting development for provisioning Internet of Things (IOT), making on-boarding of such devices easier. DPP allows an IoT device to be provisioned with the SSID name and secure credentials through an out-of-band connection. This is based on QR code, and in the future Bluetooth, NFC or other connections.
WPA3 deployment readiness
Per the announcement this past January, WPA3 will be backward compatible with WPA2 meaning your WPA3 devices will be able to run WPA2. However, it is expected that it will take a few years for vendors to fully transition to WPA3 only modes, therefore WPA2 transition capabilities may be in use for the near future.
Meanwhile please stay tuned for an upcoming announcement that will highlight how to integrate WPA3 features into our Aironet Access Points and Wireless Controllers via a firmware upgrade so that our existing and new customers to take advantage of these new capabilities.