{"id":85702,"date":"2018-03-24T12:37:21","date_gmt":"2018-03-24T16:37:21","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2022-09-19T12:48:08","modified_gmt":"2022-09-19T16:48:08","slug":"will-wi-fi-be-secure-this-time","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/will-wi-fi-be-secure-this-time\/","title":{"rendered":"Will Wi-Fi Be Secure This Time"},"content":{"rendered":"

\"Will<\/a>One event at CES 2018<\/a><\/strong> that was overlooked\u00a0by many people was the Wi-Fi Alliance<\/a><\/strong> announcement<\/a> of WPA3<\/strong>, a long overdue update to Wi-Fi Protected Access<\/strong> (WPA). This increases the strength of a security protocol that hasn\u2019t been updated in 14 years.<\/p>\n

\"Wi-Fi<\/a>The Wi-Fi Alliance says Wi-Fi carries more than half of the internet\u2019s traffic, so improvements to WPA are\u00a0good news<\/strong>. The WPA3 update is a response to the evolution of Wi-Fi usage and WPA2 vulnerabilities. There are four improvements<\/strong> to Wi-Fi Protected Access<\/a> via WPA3 over the current standard (WPA2).<\/p>\n

Stronger passwords<\/h3>\n

WPA3 gets a new layer of protection so its security is not contingent on passwords (as followers of the <\/em>Bach Seat<\/em><\/a> know, <\/em>passwords suck<\/em><\/a>). WPA3 is an improvement on WPA2\u2019s largest vulnerability the handshake when the key is being exchanged. KRACK<\/a> (K<\/strong>ey R<\/strong>einstallation A<\/strong>ttack<\/strong>) is a major vulnerability discovered in 2017 in WPA2 and WPA. It exploits the Wi-Fi handshake. KRACK<\/a> allows attackers to snoop on encrypted data being transferred between computers and wireless access points (WAP).<\/p>\n

\"WPA2<\/a>Brute force \u201cdictionary attacks<\/a>” are the backbone of the KRACK attack. WPA3 implements IEEE<\/a> 802.11s<\/a>, Simultaneous Authentication of Equals (SAE) to provide protection against this flaw. SAE is also known as the Dragonfly protocol. The\u00a0Internet Engineering Task Force<\/a> (IETF) describes\u00a0Dragonfly,<\/a>\u201c employs discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is probably resistant to an offline dictionary attack.<\/em>\u201d<\/p>\n

This improvement will offer better security even if poor passwords<\/strong> are used. This feature is very useful since we know that users have difficulties creating<\/a>\u00a0strong and hard-to-guess passwords<\/a>. The Wi-Fi Alliance claims WPA3 makes it almost impossible to breach a Wi-Fi network using the current dictionary and brute-force attacks. \u00a0Mathy Vanhoef, the security researcher who discovered KRACK, appears very enthusiastic<\/a>\u00a0about the security improvements in WPA3.<\/p>\n

Secure public Wi-Fi<\/h3>\n

\"Secure<\/a>WPA3 secured open networks will offer more privacy than ever before. Everything transmitted over today’s open Wi-Fi networks at airports, coffee shop, libraries, are sent in plain text\u00a0that people can intercept<\/a>. WPA3 will apply encryption<\/strong> to each user on the public Wi-Fi to eliminate clear text with \u201cindividualized data encryption<\/strong>\u201d.<\/p>\n

Malwarebytes Lab<\/a> speculates<\/a> that WPA3 will include\u00a0Opportunistic Wireless Encryption<\/a><\/strong>. OWE enables connection on an open network without a shared and public Pre-Shared Key<\/a> (PSK).\u00a0That\u2019s important because a PSK can give hackers easy access to the Traffic Encryption Keys (TEKs), allowing them access to a data stream. OWE implements a Diffie-Hellman key exchange<\/a> during network sign-on and uses the resulting secret for the 4-way 802.11 handshake<\/strong> and not the shared, public Pre-Shared Key (PSK) that can be easily exploited. WPA3 will be more difficult for people to snoop on your web browsing without actually cracking the encryption while you\u2019re at Starbucks<\/a>.<\/p>\n

Stronger encryption<\/h3>\n

\"\"<\/p>\n

WPA3 will use stronger cryptographic algorithms. The new security protocol will use the\u00a0 Commercial National Security Algorithm (CNSA) 192-bit encryption<\/strong> mandated by the U.S. government for secure Wi-Fi networks. Experts speculate WPA3 will use a 48-bit initialization vector to support backward compatibility with WPA and WPA2\u00a0 The 192-bit encryption will make WPA3 compliant with the highest security standards and fit for use in networks with the most stringent security requirements. (rb-<\/strong> Ironic – Go to the CNSA site and get an invalid cert warning in Chrome<\/em>) The CNSS<\/a> is part of the US National Security Agency<\/strong>.<\/p>\n

Easier IoT security<\/h3>\n

The WPA3 update simplifies setting up secure Wi-Fi connections for devices that don\u2019t have a graphical user interface. This is critical the secure the 30.7 billion IoT devices<\/a><\/strong> that will be on the network by 2020. The new protocol will add Device Provisioning Protocol<\/a><\/strong> (DPP) which sets up a simple, secure and consistent method for securing devices with limited or no display. NetworkWorld<\/a><\/em> reports<\/a> that You will be able to tap a smartphone against a device or sensor and then provision the device on\u00a0the network.<\/p>\n

What happens to WPA2 devices<\/h3>\n

So far, most manufacturers have been quiet about legacy device support. We do know that future W-Fi certified WPA3 routers will be backward compatible to support WPA2. The question remains whether current WPA2 devices will be capable of connecting to WPA3.<\/p>\n

WPA2 devices are not immediately obsolete<\/strong>. The Wi-Fi Alliance explained that current WPA2 devices will be able to connect with WPA3 hardware.\u00a0The Alliance also announced that it will continue to do security tests on WPA2 to further protect wireless networks. WPA3 is not an immediate replacement for WPA2<\/p>\n

<\/a>Even after you get a WPA3 enabled router, you\u2019ll need WPA3 compatible client devices<\/strong>\u2014your laptop, phone, refrigerator<\/a>, security camera,<\/a>\u00a0industrial temperature sensor<\/a>,\u00a0or anything<\/a> that connects to Wi-Fi\u2014to fully take advantage of the WPA3 features. The good news is that shiny new router will accept both WPA2 and WPA3 connections at the same time.<\/p>\n

Even when WPA3 is widespread, expect a long transition period<\/strong> where some devices are connecting to your router with WPA2 and others are connecting with WPA3.\u00a0Once all your devices support WPA3, you should disable WPA2 connectivity on your router to improve security.<\/p>\n

rb-<\/em><\/strong><\/p>\n

I am suspicious about the NSA link to the new WPA3 encryption. The NSA has introduced weaknesses<\/a> in other encryption protocols.<\/em><\/p>\n

Until we get our hands on real hardware, it is safe to speculate that like all things Wi-Fi, backward compatibility will cost your performance. What will the impact of one legacy device have on the capabilities of the WAP? Have a pair and turn off 802.11, 802.11b, WEP, and WPA connections on your current router.<\/em><\/p>\n

It’s about time to update WPA. But as the 802.11n process proved, if you want to get nothing done, turn it over to an industry consortium. Andy Patrizio<\/a> at NetworkWorld<\/a> explained<\/a>\u00a0that\u2019s where standards go to die because everyone wants their IP used so they make money off every sale. The end result is nothing gets done.<\/em><\/p>\n

Related article<\/strong><\/p>\n