WPA3 - What is it, and what's new?
An open wireless network - one without any authentication or encryption allows anyone within range to intercept and view any other user's sent or received data. Today, it's likely that much of that data itself is encrypted as we secure TLS-secured web sites (HTTPS), use VPNs or other secure protocols and for that reason, using such services in a public or shared Wi-Fi facility is still acceptable.
Even using secure protocols over an unencrypted Wi-Fi connection does still expose various telemetry and parts of your activity footprint. The TLS handshakes themselves make it clear which web sites you're visiting. This means it's still far from ideal, but often a necessary compromise for the convenience. You can, of course, pass all of your services through a VPN - and that is recommended on any public network and using 2FA (two factor authentication) for any service that allows it is also recommended.
Within a corporate environment, however, less of the services will be secured by default - files loaded from your server, database access, printer data, telnet, FTP, internal email - all of those services may travel over your LAN and Wireless LAN in clear text. If you're using Wi-Fi there, encryption becomes essential.
Wi-Fi Protected Access or WPA was formally ratified in 2004 though it took a few years for it to become mainstream. Its predecessor, Wired Equivalent Privacy (WEP) was the previous 'standard' but by 2008 WPA had been partially cracked and soon after, off-the-shelf tools were available to crack it completely.
WPA2 has been promoted as the industry standard ever since, and our advice has always been to use it and never the older WEP or WPA protocols which are considered obsolete and insecure. Sometimes users are 'forced' to use the older WEP or WPA where they have very old hardware which doesn't support anything better. In those circumstances we'd recommend having a separate SSID for those devices so that devices which can use WPA2 can do so.
Fast forward to 2017 and, perhaps predictably, WPA2, the previous 'gold standard' was cracked. A researcher in the Netherlands (Mathy Vanhoef - remember the name, he'll be back...) published details of a vulnerability they named Krack. Krack was a vulnerability in WPA2 in the wireless clients (phones, laptops, printers etc.) not the Wi-Fi Base/router (unless it was set up as a client). Device manufacturers were able to issue firmware upgrades, however many devices, notably older ones or those no longer in production did not get patched firmware so WPA2 remains vulnerable to Krack there. As it's the client device that needed upgrading, patching the wireless AP or router wouldn't make any difference.
WPA3, the successor to WPA2 had already been ratified in 2017. WPA3 can provide these enhancements (not all are mandatory):
- Simultaneous Authentication of Equals (SAE). SAE replaces the pre-shared key methodology of WPA2 and is designed to mitigate against dictionary or brute-force attacks. A brute force attack is one where an attacker will try millions of key combinations in the hope of hitting a successful match. Where password choices are weak (obvious or short), dictionary attacks can be very effective. Brute force attacks could even be performed without live access to the WLAN once sufficient WLAN sample data had been captured. WPA3's SAE system makes use of the Dragonfly protocol (RFC 7664).
- Opportunistic Wireless Encryption (OWE, also known as 'Enhanced Open') is an automatic encryption method. Earlier, we mentioned how public Wi-Fi is commonly not encrypted - you don't need a password (PSK - Pre-Shared Key) to connect. Even if there's a registration for the service, the data is still not encrypted which means that anyone can connect to the Wi-Fi and capture your data. OWE, when enabled (it's optional) encrypts all connections even when there is no specific Wi-Fi password set. With OWE, when your device (laptop, phone) authenticates with the WLAN, it applies public-key (or asymmetric) cryptography to secure that connection. Each device will have its own key-pair so cannot listen in to another connection. This method applies to connections which have an encryption password too - the benefit there is that a user who knows the PSK still cannot intercept the wireless traffic of another user. Note that OWE does not authenticate users; anyone can still connect. Where a password is in use, OWE can still be used, ensuring that even someone with the right Wi-Fi password cannot decrypt other users' traffic.
- Higher level encryption. WPA3 now uses 128-bit encryption, or 192-bits in WPA3-Enterprise.
- Perfect Forward Secrecy. New session keys are used continuously in order to prevent previous communication being decrypted if the key of a current session is compromised.
- Wi-Fi Easy Connect. This is a system designed to make adding devices to your Wi-Fi network easier, without having to enter the Wi-Fi password, particularly for devices which don't have a keyboard or their own user interface such as IoT devices. One device, with a rich user interface such as a mobile phone is used as the 'configurator' and the new device is the 'enrolee'. The enrolee will have a QR code, which can be captured by the phones camera or the user enters some other identifying code printed on the device. The configurator will then search for the enrolee and provide it with the necessary credentials to connect to the secure Wi-Fi network.
- WPA3-Enterprise mode. For larger organisations or those requiring higher level security, WPA3-Enterprise mode (as opposed the regular WPA3-Personal) builds upon WPA2-Enterprise security. Stronger 192-bit encryption is required and there are updated secure ciphers for the EAP (Extensible Authentication Protocol) authentication process. See the section below for further details.
- Protected Management Frames (PMF) prevent de-authentication attacks. This is also now available in WPA2, however in WPA3 it is mandated in the Wi-Fi certification.
- DoS and Brute-Force lockouts. WPA3 recommends that vendors implement mechanisms to help prevent DoS attacks and refuse new connections from a client after several failed connection attempts. Furthermore, WPA3 recommends that connections should fail-closed to mitigate against an overwhelmed CPU failing open.
WPA3 is not universally supported yet but more new products will start to support it and some existing products through a firmware upgrade. We'd recommend you switch the WPA3 when your Wi-Fi base/router and client devices are able to support it, or consider upgrading them.
Any protocol, particularly one as universally used as the WPA family will always be subject to great scrutiny - by researchers (the good guys) or hackers/criminals or other bad actors. The fact that WPA3 is an open standard so clearly documented makes such scrutiny within the reach of anyone smart enough to understand the protocol and creative enough to see flaws.
By 2019, the first such flaws had already been found in WPA3 by...Mathy Vanhoef - yes, him again! This time he, together with another researcher, found flaws within WPA3's Dragonfly handshake released as 'Dragonblood'. Fortunately, the flaws were correctable (they were within implementations of the Dragonfly protocol, but not flaws in the protocol itself). As WPA3 is not widely supported yet, most new devices are likely to include fixes.
So, WPA3 is the latest and greatest Wi-Fi encryption system - there's nothing stronger for Wi-Fi and so we'd recommend its adoption when available (remember, your AP and your devices both need to support it). WPA2 does still provide security and should be used when WPA3 isn't an option. If you need a mixed mode environment, you can have mixed mode on a BSS but also you could consider separate SSIDs.
Even with WPA3 you can, of course, add additional protections such as always using secure transport protocols or using a VPN. If your organisation supports it (see later section).
WPA3-Enterprise
WPA3-Enterprise requires a back-end RADIUS server, the use of the 802.1x authentication method and mandates higher order (192-bit) encryption and other security enhancements including:
- Authenticated encryption : 256-bit Galois Counter Mode Protocol (GCMP-256)
- Key derivation: 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (SHA)
- Key establishment: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA)
- Frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256)
SAE vs. PSK
Earlier, we stated that WPA3 uses a method called Simultaneous Authentication of Equals (SAE), replacing the Pre-Shared Key (PSK) used in WPA2 and earlier. In both methods, users have a password to connect to the Wi-Fi network.
Where SAE and PSK differ is in their ability to protect against brute force attacks. With PSK and a relatively weak password, you could capture a load of wireless data and then run the dictionary attack on it offline - i.e. against the data set on a computer, not against the live wireless network itself. Once you have the password, you can then use it to connect to the live WLAN.
SAE authentication cannot work 'offline' - it has to operate on the live WLAN, so a brute force attack can be detected by an AP and shut off after only a few failed attempts.
How does a Wi-Fi brute force attack work?
If a hacker wants to access your network wirelessly, he/she will need its password. They might just be able to get it by seeing it written on a whiteboard, post-it note or by using another social engineering method. If they can't get the Wi-Fi password, just as if a burglar doesn't have a key to your apartment, he/she has to use brute force to get in.
When authenticating with a password protected network, the client doesn't send the actual password across the link as that would be easy to intercept before the encryption is active and make the encryption pointless (like saying a password out loud!). Instead, the AP router and client device both generate a code called the Preshared Master Key (PMK) using a process called Password-Based Key Derivation (PBKD). The PBKD function itself is computationally costly, deliberately, to increase the computational cost of brute-force attacks (i.e. you need a powerful computer to run attacks quickly enough).
The PMK is not sent across the link either. A 4-way handshake is performed in which both ends confirm that they know the same PMK without actually disclosing what it is across the link. The 4-way handshake sends a Message Integrity Code (MIC) value between the two ends. This type of key establishment is known as a Zero Knowledge Proof (ZKP). Both ends then generate a Pairwise Transient Key (PTK) which they use to actually encrypt your data.
A hacker wishing to attack your WLAN will firstly capture data from the live target wireless LAN. He/She can do that from anywhere that they can get a signal, so typically outside of your building. That capture includes the elements within the 4-way handshake which forms the ZKP routine. The 4-way handshake only occurs when a legitimate client authenticates so the capture must include a period when that occurs. Alternatively, one can run a de-authentication attack, forcing clients to reconnect and instigate the 4-way handshake again, for you to capture.
A dictionary is a large file of commonly used passwords (11111, password, qwerty, abc123 etc). A widely used (popular) such file contains 15 million used passwords and those 15 million can be run through very quickly. It's for that reason that you should use complex passwords - mixtures of words, numbers and symbols, e.g. "drAytek%_routERS" - if you made that up, it would be unique and never in any dictionary.
In the case of a dictionary attack, a password from the dictionary is read and the PMK and the PTK values are calculated for that password. The PTK is then used to calculate a MIC value. If the MIC value calculated is equal to that within the 4-way handshake, then you've got a match - you now know the wireless password.
Cracking a password using brute force is very complicated; requiring a detailed understanding of many different protocols and the underlying maths - it's simply beyond most people., However there are off-the-shelf tools, downloadable free of charge which automate the whole process. That make it easy for someone with little technical knowledge to crack a network. It does, however, still require a lot of computing power. This blog suggests it's many years even on a cloud GPU, which is beyond the casual hacker's means.
WPA2 was also vulnerable to the Krack attack - check that your wireless client has been updated to protect against that.
To protect against brute force attacks, use complex passwords - long, with mixed alphanumeric, upper/lower case and special characters and control who you give those passwords to or where they are written. In a corporate environment, you may also consider 802.1x/WPA-Enterprise methods.
The new WPA3 protocol, a replacement for the current wireless security method, WPA2, mitigates against brute force attacks by using a different cryptographic method, Simultaneous Authentication of Equals (SAE) whereby authentication has to happen on a live network, allowing any brute-force attacks to be actively observed & stopped by a wireless Access Point.
Tags