As a certified network engineer, I’ve had the WPA2 standard mostly ingrained in my noggin for the last seven years. WPA2 has been a decent barrier for network security, allowing us to enjoy encrypted communications on our devices without requiring too much horsepower to run the calculations. Compared to previous security standards like WPA and WEP, WPA2 was more resilient against attacks from hackers, protected users better against wardriving, and was generally the default solution for consumer’s needs. WPA2, however, was launched in 2004 as a draft standard. In computing terms, much less netsec, 14 years is considered an aeon, and we’re finally seeing the cracks in WPA2 security. Just in time, the Wi-Fi Alliance has finally introduced their WPA3 draft standard, and it won’t be long before we can start to secure our networks better.
WPA2 has not had a good year. The Krack vulnerability revealed last year has opened up enormous loopholes in network security for any router that had not received security updates for a good while, and the GTK vulnerability in 2016 showed that the encryption used by most routers at the time could be easily refactorised to figure out what secret key it used to encrypt communications. Routers are low-power devices by design, needing to work in all sorts of environments and through Power over Ethernet (PoE), and they can’t spare the power to encrypt communications with unique keys and numbers all the time. The only solution is to make the work harder for attackers.
That’s essentially the WPA3 standard in a nutshell – it’s everything that WPA2 was, with a few new tricks up its sleeve and a much more demanding workload for attackers to try gain access to the system. WPA3 introduces 128-bit encryption for client devices and up to 192-bit encryption for enterprise networks, a doubling of the key lengths used for WPA2. Security keys are now also exchanged in a very different fashion using a new algorithm called Simultaneous Authentication of Equals. This is equivalent to the way your accounts on the net are protected by apps like the Google and Microsoft Authenticators. Using SAoE, devices need to always have matching key combinations that are shared between devices the first time they join the network, and are unique to each device. The key is a hash of a password and the device’s MAC address. This feature, says the Wi-Fi Alliance, is far more secure than the previous solution that WPA3 used.
In addition to the heavier workloads, the WPA3 standard (also known as 802.11s) is also capable of interfacing with WPA2 devices just fine. It has a backwards compatibility mode that allows users to benefit from the higher level of security from the new standard, whilst still being able to use their existing devices on the new network. This mode is still secured through SAoE, but devices don’t have to know that they’re connecting to a WPA3 network instead of the expected WPA2. In addition to SAoE, the WPA3 standard will also be a better standard for IoT devices, allowing you to add new IoT devices to your network by just scanning a QR code. The QR code provides the necessary information for the router to recognise the new device and add it to the network.
The new standard won’t be available in routers shipping to consumers until later this year, but custom firewalls like PFSense already have initial support for the WPA3 standard built into the Linux kernel. Support for this is still sort of sketchy, and enthusiasts are still looking for hardware that supports the standard, but it won’t be long now. Some routers might also get experimental support, but keep in mind that the jump from 64-bit encryption to 128-bit encryption might be too much even for current high-end routers to handle.