Choosing the correct form of encryption will always be a game with moving goalposts. Encryption algorithms and associated transport protocols are found to have weaknesses or computing flaws as new power becomes available to brute force the hard math that encryption is generally built upon.
We are now stepping into the next stage of cryptography for both personal and enterprise level wireless networks. WPA3 is the latest evolution in the family and offers several unique features that address known issues with its predecessors that may allow it to stand the test of time.
Before addressing its new developments, it is important to have some concept of the history of Wi-Fi encryption. It all started with WEP (Wired Equivalent Privacy) in 1999: a form of encryption that's name explains its sole purpose. WEP provides the same level of security that you would get through an Ethernet connection. This method did not last very long; POC breaches were available by 2001, and by 2005, WEP was considered trivially hackable.
Thus, in 2003, WPA (Wi-Fi Protected Access) was born. WPA provides a better software security component for Wi-Fi enabled devices, but it had a fundamental flaw. In order to be deployed to existing hardware that was built for WEP, WPA's encryption was initially TKIP (Temporal Key Integrity Protocol): an algorithm designed for backward comparability with such hardware. TKIP was ultimately found to be similarly ineffective. Even when using the newer AES crypto instead of TKIP, WPA still has weaknesses—one of which is a sister protocol for making the configuration of devices to work with an access point easier. Exploiting WPS is one of the most popular ways for WPA to be breached.
In 2006, the current, state-of-the-art WPA2 arrived. WPA2 migrated the best of both worlds by updating the software and hardware components. AES must be available, but TKIP can be used as a fall back. Direct attacks against WPA2 are obscure and require that you already have access to gain unauthorized further access.
Now, we introduce WPA3 which is providing the following features:
- Separate Personal & Enterprise encryption methods
- A toggle option between WPA2 & WPA3
- Easy Connect for on-boarding new devices
- Robust authentication
- Increased crypto strength
- Offline password guessing prevention
- Forward secrecy
Let’s break down the most important changes: personal and enterprise WPA3.
Personal-WPA3—where your access point and wire clients share a password—has been strengthened by providing the SAE (Simultaneous Authentication of Equals) protocol to replace PSK (Pre Shared Key). SAE provides secure key establishment between devices to eliminate password guessing attempts by attackers. This means that users can create passwords that are easier to remember.
Enterprise-WPA3 offers an enhanced 192-bit encryption for industries that transmit sensitive data on a frequent basis (government, finance, etc). This extra layer of protection gives WPA3 networks a suite of crypto tools at its disposal.
Why is it important to use?
It is normally a security best practice to use the most recent encryption ciphers available as the prior versions are at higher risk of having been cracked. Using WPA3 would be an extra step towards furthering your security as WPA2 is still considered a strong encryption algorithm. Personal-WPA3’s biggest strength is that it is moving towards taking the human factor out of the equation with SAE. It is proactive against access point attacks with its new feature for preventing offline password attacks. This ensures that attacker cannot capture data and have unlimited time trying to brute force it in private, off network. WPA3 only allows one offline attempt; the next attempt would have to be on the network. This ensures that an attacker would have to be in physical proximity to your network to dictionary or brute force attack your network password, and the access point can detect and prevent this.
Another advantage with WPA3 is its feature on forward secrecy, which ensures that older data cannot be decrypted if the SAE is breached—only current network transmission moving forward. This lowers the scope/risk of what the attacker may gain from a compromise. Just like the offline password attacks prevention, WPA3 is forcing the attacker to remain present and patient to gather data and eliminate the stale data.
Is WPA2 still considered strong encryption? How do I get on board?
WPA2 is still considered secure as it has not been cracked in the wild like its predecessors: WEP and WPA. The biggest gains from upgrading to WPA3 enabled devices are the advanced security features that come along with it. Starting late 2018, you will see WPA3 integrated with more networking devices, cell phones, and IoT devices. It would be best practice to disable WPA2 once you purchase a WPA3 enabled device moving forward in to 2019.
Most importantly, disable WPS now.