The Wi-Fi Alliance, which certifies Wi-Fi products, has announced WPA3, a major upgrade to Wi-Fi security that will appear in 2018 and take care of known flaws while simultaneously requiring less effort on your part. Among other things, it will eliminate the nasty KRACK vulnerability and secure open Wi-Fi networks. (See “Wi-Fi Security Flaw Not As Bad As It’s KRACKed Up To Be,” 17 October 2017.)

The Wi-Fi Alliance is a trade group that dates back nearly 20 years. It has long been responsible for keeping all the cats in the local wireless networking bag, preventing forks and proprietary standards that have plagued other technologies. Almost 15 years ago, the Wi-Fi Alliance worked to recover from the terrible flaws in its original network encryption standard, WEP, by getting the whole industry to switch to the far more secure WPA2.

WPA2 encrypts traffic passed over the Wi-Fi wireless local area network to prevent anyone without the network passphrase or an enterprise login from being able to decipher the flow of data. On an enterprise network, even devices on the same Wi-Fi network can’t see each other’s data. It’s supposed to work that way on passphrase-only Wi-Fi networks too, like what you have in your home, but flaws in the protocol allow someone with the network’s shared password and a simple cracking tool to access data from other network users.

While the WPA2 standard was largely designed well, it hasn’t changed in 15 years, which is a long time in the security world. Last year, a security researcher discovered a major flaw that he dubbed KRACK. It could allow someone in proximity to a Wi-Fi network to recover certain kinds of otherwise protected data.
Major vendors, including Apple, released patches for Wi-Fi adapters and routers, but older hardware that is unpatched or unpatchable remains vulnerable, and the repairs were more bandages than curative surgery.

The new WPA3 fixes the fundamental flaw related to KRACK by replacing the four-way handshake between a Wi-Fi device and a base station that turned out to be vulnerable. Precise details of WPA3’s redesigned method of establishing a secure connection aren’t yet available.

The new WPA3 standard also adds the following:

Even when a user picks a weak passphrase — like pass1234 — WPA3 will process it without user involvement so that the password can’t be extracted via brute-force attacks that rely on iterating through short, common, and dictionary-based passwords.

WPA3 provides better security for devices with limited input methods, like printers, to join a network securely. That was supposed to be the job of WPS (Wi-Fi Protected Setup), but it never reached its potential, and the WPS spec has security flaws.

Encryption key length in WPA3 rises from 128 bits to 192 bits to meet a level of protection required for U.S. government use.

Joining a password-free network will now securely set up an encrypted connection.

All connections will now be protected from other users of the same network, something that’s reliably available only with enterprise connections today.

These last two points are a major improvement for public Wi-Fi networks. Unsecured networks are convenient because businesses and institutions don’t have to provide a Wi-Fi password to everyone who walks in. However, eliminating the need for a password also means that users send their traffic across unprotected connections that can be intercepted by anyone nearby with a Wi-Fi sniffer.
With WPA3, Wi-Fi providers won’t have to choose between convenience and security.

The Wi-Fi Alliance also said it’s upping its game with WPA2, adding more tests of how WPA2 is implemented by companies to provide better consistency and security.

WPA3 will start appearing in hardware in 2018, but WPA2 will remain available for compatible devices for some time to come — almost certainly for several years, given its installed base. Unfortunately, most devices that run WPA2 likely can’t be updated to WPA3, possibly apart from some more recent devices that were designed with an idea of what hardware features WPA3 would require.

That means that WPA2 will remain the weakest link in Wi-Fi security until WPA3 is supported by every device you use and all the base stations to which you connect. As we saw with the transition from WEP to WPA2, which involved the interim WPA standard, that can be a long process.

Copyright © 2018 Glenn Fleishman. TidBITS is copyright © 2018 TidBITS Publishing Inc.
The Wi-Fi Alliance has announced WPA3, a replacement for its current local network encryption options. WPA3 both fixes an exploit and increases security for those using open networks, all while reducing the burden on users. But don’t expect it to take over from WPA2 in the near term.
Read the full article at TidBITS, the oldest continuously published technology publication on the Internet.