news wi fi alliance starts wpa3 security certification program

Wi-Fi Alliance starts WPA3 security certification program

The number and know-how of devices connected to Wi-Fi networks have both exploded since late 2004, but almost 15 years later, the Wi-Fi Protected Access II (WPA2) security protocols are still responsible for protecting them. Almost fifteen years down the line, the Wi-Fi Alliance has now started a list of devices certified for next-generation WPA3 security. Like its predecessor, WPA3 will operate in Personal mode for consumer applications and Enterprise mode for businesses.

The Wi-Fi Alliance says WPA3-Personal uses a technology called Simultaneous Authentication Equals (SAE) to secure the key establishment protocol between devices and increase the network's resistance to offline password-guessing attempts by potential intruders, even when the password isn't as complex as it should be. WPA3-Personal also includes forward secrecy, a scheme to prevent the decryption of intercepted and recorded data if the password is compromised after those packets have been intercepted. Protected Management Frames (PMF) protect wireless networks from forged management frames that can disrupt communications between clients and the access point.

WPA3-Enterprise has 192-bit minimum-strength encryption  for transmission of sensitive data on business and government networks. The mode employs GCMP-256, HMAC-SHA384, ECDH, ECDSA, and BIP-GMAC-256 technologies to help protect data. The Wi-Fi Alliance's security page has a decoder ring for that bowl full of alphanumeric soup.

Folks that have headless devices like a Wi-Fi speaker or smart switch know that getting these widgets connected to the local Wi-Fi network can be the trickiest part of the whole operation. The Wi-Fi Alliance is also introducing a technology called Wi-Fi Easy Connect that the group says will make this sometimes-tricky process easier and more consistent. The process involves scanning a QR code on the device to be added using a smartphone in order to add it to an existing Wi-Fi network.

The group also recently introduced Wi-Fi Certified Enhanced Open, a certification program for devices to provide some level of security for users on open Wi-Fi networks like those found in coffee shops and retail stores. The underlying technology is called Opportunistic Wireless Encryption (OWE). OWE establishes unique cryptography mechanisms for each client along with PMF to increase the overall reliability of the connection.

The group says that WPA3 Wi-Fi devices will maintain interoperability with existing WPA2 hardware. Given the 15-year-long accumulation of WPA2 devices, we suspect the transition to WPA3 will take a while. The Wi-Fi Alliance says it has the support of companies like Arris, Broadcom, Cisco, HP, Huawei, Intel, Marvel, Qualcomm, and Silicon Motion in this new effort. The group has certified over 40,000 Wi-Fi devices since 2000, and there will doubtless be many more to come.

0 responses to “Wi-Fi Alliance starts WPA3 security certification program

  1. Well, gotta give consumers reason to replace their [s<]wife[/s<] WiFi routers that work juuuussstt fine.

  2. It probably should require new hardware even if it doesn’t. I hate to get all spooky about it, but it’s been a number of years since WPA2 was released, and if vendors don’t make use of the advances in hardware since then I’m sure attackers will.

  3. I haven’t seen anything saying that new hardware is a requirement for a technical reason. Just the reality of the certification process. There’s probably plenty of existing wifi hardware capable of running the encryption methods specified in WPA3, if a suitable driver/firmware update were provided. That would at least allow older devices to connect using better security, even if you didn’t get the newer/easier connection methods of WiFi Easy Connect ™. If it truly requires all new hardware to make any use of the new standard, it’ll be several years before most sites can operate in pure WPA3 mode (AKA disabling WPA2 interoperability).

  4. From the comments around here and the web it appears most people don’t have much idea of what’s going on here. So here, read some about it. Hopefully these will help some people.

    [url<][/url<] [url<][/url<] edit: I should have included this previously but. [b<]Don't expect to see firmware or driver upgrades enabling WPA3 for your current collection of devices. WPA3 requires new hardware, so you'll need to buy new stuff.[/b<]

  5. Most of the crypto is done in hardware (though some chipsets allow it to be done in the driver). Since part of the standard is AES-192, some devices with hardwired AES-128 might not be able to use that hardware. Given the similarity amongst the different AES cyphers, the hardware might be generic enough to adapt with a firmware change. Or, it might punt it back to the driver. Or, it might be so hardwired that there’s no way to do it unless the hardware does it. It completely depends on how the hardware is designed and they don’t like to share those details.

    From discussion elsewhere, it seems they did this ‘in house’ and didn’t involve public scruitny nor did they invite notable cryptographers to help. So, that doesn’t inspire confidence. And it’s not like they have a good history of doing a good job of things.

    I’m starting to get a bad feeling about it.

  6. Assuming this is a software only update for most recent hardware, it could be in fairly widespread use before the end of the year I would think. I would especially love to see the Opportunistic Wireless Encryption enabled all over.

  7. More educated persons correct me, but this will be more a software WPA supplicant (and windows equivalent) issue. It should be something that is updateable in terms of NIC’s for basic devices with update-able OS’s.

  8. The big question is will this take hardware changes to implement or if it’s something that can be done in software/firmware.

    I hope it’s the case that it can otherwise a lot of older machines will never be updatable to this standard as mini-PCI-E wifi cards (or modern specs) are not being designed anymore. All the new cards are M.2.