The Wi-Fi Alliance has announced the impending launch of WPA3, a revised variant of its Wi-Fi Protected Access (WPA) security standard which promises simplified configuration yet enhanced protection.
Released in 2003 as an emergency replacement for Wired Equivalent Privacy (WEP) following the disclosure of serious security vulnerabilities and quickly replaced with the more robust WPA2 in 2004, the Wi-Fi Protected Access family of security protocols is the de facto default for Wi-Fi authentication and encryption. It isn't, however, entirely perfect: The Key Reinstallation Attack (KRACK), publicly released in October last year, exposed vulnerabilities within the standard which allow for the capture and decryption of supposedly protected traffic, packet replay and injection, and connection hijacking.
Although patches have been released, the Wi-Fi Alliance is working on a more robust solution: WPA3, which will replace WPA2 as the standard Wi-Fi security protocol. As well as addressing the issues surrounding KRACK, WPA3 is claimed to offer four key new capabilities over its predecessor: the introduction of techniques for improving security even when users pick too-simple passphrases, simplified configuration for headless devices which lack display capabilities, per-client rather than per-network encryption, and a new 192-bit security cipher suite designed to align with the US Committe on National Security Systems' Commercial National Security Algorithm (CNSA) requirements.
Due for release this year, WPA3 will be included in the Wi-Fi Alliance's Wi-Fi Certified programme which checks the quality and correctness of the implementation for guaranteed cross-vendor compatibility. The Wi-Fi Alliance has yet to confirm whether WPA3 will be a firmware or hardware upgrade for existing devices - though the availability of a whole new cipher suite suggests the latter is most likely, at least for full-fat WPA3 implementations.
More information is available on the official website.
March 25 2020 | 14:00