
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


WPA3: Is it just filling in the KRACKs?

Topics: Online Security, Wireless Security, KRACK, WPA2, Vulnerability, WPA3

Posted: 07 February 2018

WPA3 and KRACK Wireless Security

At the recent Consumer Electronics Show (CES), the Wi-Fi Alliance announced WPA3: a new security certification which promises to address the weaknesses of WPA2 and adds a range of much-needed enhancements to wireless security.

Wireless security has taken a beating over the years. Back in 2001, WEP (Wired Equivalent Privacy) was cracked and rendered useless. Its replacement, WPA, had weaknesses identified and was promptly replaced with WPA2. WPA2 held its own for a fair while (14 years), right up until October 2017, when the KRACK vulnerabilities were identified. Although the KRACK vulnerabilities could be mitigated with vendor patches, for me it highlighted the fact that WPA2 is a bit long in the tooth and in need of an update. In total there are 4 new features in the WPA3 certification which weren’t in WPA2; they are detailed below.

Shake on it...

First up, there are enhancements that address the weaknesses in the 4-way handshake which the KRACK exploit relied on. Mathy Vanhoef, one of the researchers behind the WPA2 KRACK vulnerability, speculates that the handshake process being utilised is most likely SAE (Simultaneous Authentication of Equals), also known as Dragonfly.

Enhancements to the 4-way handshake process aim to “deliver robust protections even when users choose passwords that fall short of typical complexity recommendations”. This means that a brute-force dictionary attack will no longer work. This is great news: although the KRACK exploit required a special set of circumstances, it’s good to know that a known exploit has been addressed and mitigated, and that the age-old problem of weak PSKs (Pre-Shared Keys) being used by the less tech-savvy users out there has been alleviated.

Publicly private...

Next up, we finally have a secure way of connecting to public Wi-Fi networks without passing traffic over an unencrypted connection. Currently, when we connect to a public Wi-Fi network, we send all traffic over the connection in clear text, and as such this traffic can be intercepted. Although the increase in HTTPS-enabled websites has helped with this issue, there are still sites which use HTTP and are therefore still susceptible to traffic interception. WPA3 addresses this with “individualised data encryption”. What this means is that even though you will connect to a public hotspot without entering a passphrase (PSK), the connection between your device and the access point will be encrypted.
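To make the difference concrete, here is an added example (not from the Wi-Fi Alliance announcement) contrasting the WPA2 shared-passphrase key with a per-client key agreed without any passphrase. It assumes the "individualised" keys come from an unauthenticated Diffie-Hellman exchange in the style of Opportunistic Wireless Encryption (RFC 8110), which the announcement does not name; the toy group, the `Party` class and the simplified key derivation are illustrative only.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption): a 127-bit
# Mersenne prime. Real exchanges use standardised elliptic-curve or MODP groups.
P = 2**127 - 1
G = 3

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

class Party:
    """One side (client or access point) of an ephemeral DH exchange."""
    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2   # fresh secret per association
        self.pub = pow(G, self.priv, P)            # value sent over the air

    def link_key(self, peer_pub: int) -> bytes:
        # Simplified derivation (assumption): hash of the shared secret.
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def open_network_keys(n_clients: int):
    """(client_key, ap_key) for each client joining a passphrase-less network."""
    pairs = []
    for _ in range(n_clients):
        client, ap = Party(), Party()
        pairs.append((client.link_key(ap.pub), ap.link_key(client.pub)))
    return pairs

if __name__ == "__main__":
    # Constructed sample values: every guest given the cafe passphrase derives
    # the same master key, so the key is shared by the whole room.
    alice = wpa2_pmk("coffee-shop-2018", "CafeGuest")
    bob = wpa2_pmk("coffee-shop-2018", "CafeGuest")
    print("WPA2-PSK, same key for all guests:", alice == bob)

    # No passphrase at all, yet each association ends up with its own key.
    pairs = open_network_keys(3)
    print("client and AP agree:", all(c == a for c, a in pairs))
    print("keys differ per client:", len({c for c, _ in pairs}) == 3)
```

The exchange is unauthenticated, so it protects against passive interception only; it does not prove which access point you have joined.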

Secure thingies...

The third feature added to the WPA3 certification addresses securely connecting those pesky IoT devices without displays. This usually entails the use of a smartphone app to enter your network details and is generally a lot more painful than it needs to be. WPA3 will “simplify the process of configuring security for devices that have limited or no display interface” (Wi-Fi Alliance). This feature is likely to be similar to the WPS (Wi-Fi Protected Setup) feature we have at the moment, whereby the device is connected to the network by pushing a button on the device and your WPS-enabled router, or by entering a PIN. WPS vulnerabilities were identified back in 2012, so a secure alternative is very much needed.

National Security...

The fourth and final feature announced by the Wi-Fi Alliance as part of the new WPA3 certification is the addition of a “192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems”. Feel free to switch off at this point: this feature is of no interest to home / enterprise users and was added at the request of the US government (CNSS, the Committee on National Security Systems) to provide stronger encryption for their critical wireless systems.

Roll out...

According to the Wi-Fi Alliance, we will start seeing WPA3-certified devices later this year. As with WPA2-certified devices, any vendors wishing to sport the Wi-Fi certified logo must apply for and be granted the certification. With this in mind, it is doubtful that current wireless devices will be updated to support WPA3, and far more likely that the next wave of devices will be put through the certification process. That being said, client devices will also need to be certified in the same way to be able to take advantage of the new certification.

Although it may take a fair while for WPA3 to become the norm, we are at least on our way to a more secure wireless world!

Posted by: Dion Phillips
Senior Technical Consultant, Infinigate UK