WPA3 - Improved security in WiFi for Enterprises & Personal/Public

WiFi is taking its stride much needed for next generation networks, as technology is evolving with much advance features in 802.11 ax, the much spotted arena of security is also taking its new avatar with improved features in WPA3.

WPA3™ is the next generation of Wi-Fi security and provides cutting-edge security protocols to the market. Building on the widespread success and adoption of Wi-Fi CERTIFIED WPA2™, WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, deliver increased cryptographic strength for highly sensitive data markets, and maintain resiliency of mission critical networks. All WPA3 networks:

• Use the latest security methods
• Disallow outdated legacy protocols
• Require use of Protected Management Frames (PMF)
• Users of WPA3-Personal receive increased protections from password guessing attempts, 
• While WPA3-Enterprise users can now take advantage of higher grade security protocols for sensitive data networks.

WPA3-Personal

WPA3-Personal brings better protections to individual users by providing more robust password-based authentication, even when users choose passwords that fall short of typical complexity recommendations. This capability is enabled through Simultaneous Authentication of Equals (SAE), which replaces Pre-shared Key (PSK) in WPA2-Personal. The technology is resistant to offline dictionary attacks where an adversary attempts to determine a network password by trying possible passwords without further network interaction. 

• Natural password selection: Allows users to choose passwords that are easier to remember
• Ease of use: Delivers enhanced protections with no change to the way users connect to a network
• Forward secrecy: Protects data traffic even if a password is compromised after the data was transmitted

WPA3-Enterprise

Enterprise, governments, and financial institutions have greater security with WPA3-Enterprise. WPA3-Enterprise builds upon WPA2 and ensures the consistent application of security protocols across the network.

WPA3-Enterprise also offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data:

• Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256)
• Key derivation and confirmation: 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (HMAC-SHA384)
• Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve
• Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256)

The 192-bit security mode offered by WPA3-Enterprise ensures the right combination of cryptographic tools are used and sets a consistent baseline of security within a WPA3 network.

WPA3, which retains interoperability with WPA2™ devices, is currently an optional certification for Wi-Fi CERTIFIED devices. It will become required over time as market adoption grows. 

WPA2 will continue to evolve to meet standards for interoperability and security in all Wi-Fi CERTIFIED devices. WPA2 will be available in Wi-Fi CERTIFIED devices for the foreseeable future, and all devices supporting WPA3 will continue to work with WPA2 devices.

WPA2 continues to provide security and privacy for Wi-Fi networks and devices throughout the Wi-Fi ecosystem. WPA2 devices will continue to interoperate and provide recognized security that has been its hallmark for more than a decade.

In 2018, Wi-Fi Alliance augmented existing security protections for networks through these configuration, authentication, and encryption enhancements:

• Mandatory use of Protected Management Frames, available in all current generation Wi-Fi CERTIFIED devices, maintains the resiliency of mission-critical networks
• Enhanced validation of vendor security implementations reduce the potential for vulnerabilities due to network misconfiguration and further safeguard managed networks with centralized authentication services

Open WiFi Security Improvements 

WiFi Alliance is continuously focusing on WiFi security and for open WiFi where most of public WiFi is accessed the security improvements are also provided under WiFi Alliance Wi‑Fi CERTIFIED Enhanced Open™ Certification.   Wi‑Fi CERTIFIED Enhanced Open™  is a Wi-Fi Alliance certification that preserves the convenience open networks offer while reducing some of the risks associated with accessing an unsecured network. Wi-Fi Enhanced Open™ networks provide unauthenticated data encryption to users, an improvement over traditional open networks with no protections at all. These protections are transparent to the user. Based on Opportunistic Wireless Encryption (OWE) defined in the Internet Engineering Task Force (IETF) RFC8110 specification and the Wi‑Fi Alliance Opportunistic Wireless Encryption Specification, Wi-Fi Enhanced Open benefits users by providing data encryption that maintains the ease of use of open networks, and benefits network providers because there are no public passphrases to maintain, share, or manage.

Because Wi-Fi Enhanced Open is a Wi-Fi CERTIFIED^™ program, the technology is interoperable with legacy networks, even those using a captive portal. Network operators wishing to deploy a fully-featured authentication and device-provisioning solution should consider approaches such as Wi‑Fi CERTIFIED Passpoint^®.