In 2004, as a successor to the relatively weak Wired Equivalent Privacy (WEP), the Wi-Fi Alliance adopted Wi-Fi Protected Access II (WPA2), based on IEEE 802.11i, to certify security in Wi-Fi devices. Since then, almost all Wi-Fi access points and Wi-Fi-enabled devices worldwide have implemented this standard, and WPA2 continued to be regarded as a safe Wi-Fi security standard. That held until 2016, when a security researcher from Belgium pointed out a flaw in the implementation of the WPA2 security protocol. This flaw led to what is called KRACK, the Key Reinstallation Attack, which exploited the imperfect four-way handshake that WPA2 uses to establish encrypted connections between Wi-Fi access points and clients.
To address the gaps in WPA2, the Wi-Fi Alliance announced an enhanced Wi-Fi security framework, the next generation of Wi-Fi security, WPA3, in 2018.
WPA3 brings new capabilities to enhance Wi-Fi security for both personal and enterprise Wi-Fi networks. While maintaining interoperability with WPA2 devices, WPA3 adds many new features, including simplified Wi-Fi security, a more robust authentication mechanism and increased cryptographic strength, thereby eliminating all the security risks known in WPA2, including the KRACK vulnerability.
It was predicted that it would take many years for WPA3 to become commercially available in Wi-Fi products. Yet today, less than three years after the WPA3 security framework was defined, all HFCL IO Wi-Fi products, whether Wi-Fi 5 or Wi-Fi 6, indoor or outdoor, come equipped with support for WPA3, making them very robust and highly secure against any attacks or security loopholes.
WPA3-Personal brings better protection to individual users by providing more robust password-based authentication, even when users choose passwords that fall short of typical complexity recommendations. This capability is enabled through Simultaneous Authentication of Equals (SAE), which replaces the Pre-shared Key (PSK) exchange of WPA2-Personal. SAE is resistant to offline dictionary attacks, in which an adversary attempts to determine a network password by trying possible passwords without further network interaction. The encryption with WPA3-Personal is also more individualized: users on a WPA3-Personal network cannot snoop on another user's WPA3-Personal traffic, even when they know the Wi-Fi password and are successfully connected. Furthermore, even if an outsider determines the password, passively observing an exchange and determining the session keys is not possible, which provides forward secrecy of network traffic; nor can they decrypt any data captured before the password was cracked.
WPA3-Enterprise brings greater security for enterprises, governments, and financial institutions. WPA3-Enterprise also offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data:
- Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256)
- Key derivation and confirmation: 384-bit Hash-based Message Authentication Code (HMAC) with Secure Hash Algorithm (HMAC-SHA384)
- Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve
- Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256)
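As an added illustration (not part of this article or of any HFCL product code), the following Python sketch applies the IEEE 802.11 key derivation function with HMAC-SHA384, as used in the 192-bit mode listed above, to expand a PMK into the KCK, KEK and TK, and then computes and verifies a handshake key-confirmation MIC. The key sizes follow my reading of the 802.11 Suite B 192 AKM, and the PMK, MAC addresses, nonces and EAPOL frame are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Key sizes in bytes for the WPA3-Enterprise 192-bit suite (assumed from the
# IEEE 802.11 Suite B 192 AKM): KCK for HMAC-SHA384 key confirmation, KEK for
# key wrapping, TK for GCMP-256 data encryption. MIC is HMAC-SHA384 truncated.
KCK_LEN, KEK_LEN, TK_LEN, MIC_LEN = 24, 32, 32, 24

def kdf_hmac_sha384(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """IEEE 802.11 KDF-Hash-Length: concatenate HMAC(K, i || label || context || Length)
    for i = 1.. until length_bits are produced; i and Length are 16-bit little-endian."""
    out = b""
    for i in range(1, (length_bits + 383) // 384 + 1):  # 384-bit hash per iteration
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha384).digest()
    return out[: length_bits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """Expand the PMK into (KCK, KEK, TK) from the 4-way handshake addresses and nonces.
    The min/max ordering makes both sides derive the same PTK regardless of role."""
    context = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = kdf_hmac_sha384(pmk, b"Pairwise key expansion", context,
                          8 * (KCK_LEN + KEK_LEN + TK_LEN))
    return ptk[:KCK_LEN], ptk[KCK_LEN:KCK_LEN + KEK_LEN], ptk[KCK_LEN + KEK_LEN:]

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key confirmation: HMAC-SHA384 over the EAPOL-Key frame (MIC field zeroed), truncated."""
    return hmac.new(kck, eapol_frame, hashlib.sha384).digest()[:MIC_LEN]

def verify_mic(kck: bytes, eapol_frame: bytes, mic: bytes) -> bool:
    # Constant-time comparison so a forged MIC cannot be probed byte by byte.
    return hmac.compare_digest(eapol_mic(kck, eapol_frame), mic)

def demo():
    # Constructed sample values; a real 48-byte PMK comes from the EAP/ECDH exchange.
    pmk = hashlib.sha384(b"constructed sample PMK").digest()
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck, kek, tk = derive_ptk(pmk, aa, spa, anonce, snonce)
    frame = b"\x02\x03\x00\x75" + b"\x00" * 0x75  # constructed EAPOL-Key shape, MIC zeroed
    mic = eapol_mic(kck, frame)
    # Valid frame verifies; a tampered frame fails confirmation.
    return kck, kek, tk, mic, verify_mic(kck, frame, mic), verify_mic(kck, frame + b"\x01", mic)

if __name__ == "__main__":
    kck, kek, tk, mic, ok, tampered_ok = demo()
    print(len(kck), len(kek), len(tk), mic.hex(), ok, tampered_ok)
```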
The 192-bit security mode offered by WPA3-Enterprise ensures that the right combination of cryptographic tools is used and sets a consistent security baseline within a WPA3 network. HFCL IO Wi-Fi products offer integration with external data encryption devices, firewalls and similar equipment for further enhancement of data security.