This post may contain affiliate links/ads and I may earn a small commission when you click on the links/ads at no additional cost to you. As an Amazon Affiliate, I earn from qualifying purchases. Techsphinx also participates in the StationX Affiliate program. You can read my full disclaimer here.
WPA3 is the latest Wi-Fi security protocol released by the Wi-Fi alliance to tackle the shortcomings of its predecessor WPA2. It aims to provide better security for both personal and enterprise wireless networks.
This guide will help you understand What is WPA3? How it is better than WPA2? And Is it the right time to upgrade to a WPA3 compatible router?
First things First, let’s get familiar with WPA3.
What is WPA3?
Wireless Protected Access (WPA) is a security protocol released back in 2003 to address the shortcomings of Wireless Encryption Protocol (WEP). After a year, the second version of WPA security (WPA2) was released with better protection than the original WPA security.
WPA3 is the latest in the line of WPA security. It is released in 2018 (after 14 years since the release of WPA2).
This is a much-awaited release in terms of Wi-Fi security as it addresses many shortcomings and exploits discovered in WPA2 security over the past decade.
WPA3 brings better security, robust password protection and encryption for personal networks (WPA3-Personal), and increase cryptographic strength of networks for governments, large enterprises and financial institutions for secure transmitting of sensitive data via WPA3-Enterprise.
How WPA3 security is better than WPA2?
Let’s have a look at the major changes WPA3 security offers in terms of both WPA3-Personal and WP3-Enterprise networks.
Below mentioned are some major changes of WPA3-Personal over WPA2-Personal:
- Robust Password Protection
With WPA3-Personal comes more robust password-based authentication. It replaces the old PSK (Pre-Shared key) in WPA2-Personal with the SAE (Simultaneous Authentication of Equals).
- Better Security
WPA3-Personal is also resistant to offline dictionary attacks, this means no one can determine the password by trying possible passwords (brute force) without further network interactions.
- Forward Secrecy
WPA3 will even protect your data even if the password is compromised after the data has been transmitted.
- Easy to remember Passwords
One of the most annoying problems with WPA2-Personal was to remember the complex passwords you’ve created for better security.
WPA3-Personal allows us to choose an easy to remember passwords, thanks to its robust password protection.
- Easy for Users
After going through all the above points you may be wondering about the complexity of using this new and enhanced protocol for a user.
Well’s there’s good news, a user doesn’t have to change the way he/she connects to a network. There is no additional complexity involved on the user’s side.
Let’s have a look at the new features of WPA3-Enterprise:
- Minimum Level of Security
To better protect sensitive data of governments, financial institutions and enterprises, a minimum 192-bit security mode and cryptographic tools are introduced.
- Authenticated encryption
Normal encryption provides the privacy of data but not the authenticity of the sender or receiver.
Authenticated encryption aims to achieve both privacy and authenticity simultaneously for the sensitive data that is transmitted over the network.
WPA3-Enterprise uses 256-bit Galois/Counter Mode Protocol (GCMP-256) to provide authenticated encryption.
- Key establishment and authentication
In order to send an encrypted message or decrypt the received message, cryptographic keys have to be exchanged between the sender and receiver. This is known as “key establishment” in terms of cryptography.
WPA3-Enterprise uses Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve for key establishment and authentication.
- Key derivation and confirmation
Key derivation is the process of obtaining one or more keys from a secret value (usually a password or passphrase).
For Key derivation and confirmation, WPA3-Enterprise has 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (HMAC-SHA384).
- Robust management frame protection
Management frames are broadcast frames used by IEEE 802.11 to permit a wireless client to negotiate with a Wireless Access Point (WAP). MFP provides security for unencrypted broadcast frames and management messages passed between wireless devices.
WPA3-Enterprise uses 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256) for management frame protection.
With MFP disabled an attacker might be able to carry on some attacks like denial of service (DOS), Man-In-The-Middle (MITM), Evil Twin Router and spoof the MFP of the Access Point to attack all clients associated with that access point.
You can read more about MFP in Cisco’s FAQ section
Wi-Fi Enhanced Open
Note: This is not related to WPA3 security but to the security of open wireless networks.
Open Wi-Fi networks are a hunting ground for hackers. You are exposed to risks related to your personal data and privacy when accessing public wi-fi networks in hotels, airports, cafes or any other public place.
Wi-Fi Alliance has addressed some of these risks and developed a solution to benefit users of open Wi-Fi networks.
Now, your data is even encrypted even if you don’t use any password or passphrase to connect with an open network. Each connection between the user and the access point will be encrypted with a unique key. This is also called unauthenticated data encryption.
This is a great improvement compared to the traditional open networks where there is no protection at all for open network users.
This will also prevent many common man-in-the-middle attacks, therefore providing better security on open networks.
So, next time before connecting to open wifi at a public place, make sure it has got Wi-Fi Enhanced Open certification.
Potential Limitations of WPA3 security
Now time to address some potential limitations of WPA3 security.
WPA3 security adoption may take years
Devices need to support WPA3 security in order to take full advantage of it. The release of WPA3 security doesn’t mean all the devices will switch to WPA3 security overnight.
You have to replace all the old devices (like routers, PCI-e WiFi cards of PC and WiFi cards of Laptops etc.) with the new one that supports WPA3. It is not possible for everyone to replace all their old devices in order to use WPA3.
Now, just think about the businesses and large enterprises, how many devices they will have to replace for this new security protocol?
This long adoption time leads to the next potential limitation of WPA3.
Co-Existing WPA3 and WPA2
Since not everyone will replace all the old devices for WPA3, WPA3 devices are made backwards compatible with WPA2. This means if you have a WPA3 router, WPA2 devices can also connect with it.
Therefore, all the shortcomings of WPA2 will exist and a downgrade attack will compromise the security of the WPA3 device.
Enhanced Open Still Means Open
Wi-Fi Enhanced open may encrypt your data even on open networks but the security may never be good as using WPA3 security.
Unless your device gives a clear indication of the security of the network you’re connecting to, you should be careful. Fake open wifi honeypots claiming to use Enhanced open still pose a threat to your data.
If I were you, I will still hang on to a good VPN in case of open networks.
A Great Insight into WPA3 security
If you are interested in the latest developments related to WiFi security, there is no better place than the Wi-fi alliance’s official website wi-fi.org
If you want to know about WPA3 security, design flaws and even the tools you can use against WPA3 supported devices then read the following paper:
By Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven)
Is this the right time to Upgrade to a WPA3 supported router?
One of the most frequently asked questions about WPA3:
Is it the right time to upgrade to a WPA3 router or should I wait?
There is no good reason to not upgrade to the WPA3 router. WPA3 security still has an edge over the old WPA2 security and addresses most of the shortcomings of the WPA2 protocol. WPA3 is also backwards compatible with WPA2, so if any of your devices don’t support WPA3 security. It can still connect using the WPA2 protocol.
You can check my other post for the list of Best WPA3 routers.
I hope this guide helped you to understand the new WPA3 security. Here is a comparison table to summarise the differences between WPA2 and WPA3.
|WPA2 was released to address the shortcomings of the original WPA protocol.||WPA3 is released to address the shortcomings of the WPA2 protocol.|
|Released in 2004.||WPA3 is released in 2018.|
|WPA2 uses the Pre-Shared Key (PSK) handshake for authentication.||WPA3 uses Simultaneous Authentication of Equals (SAE).|
|No Forward Secrecy.||WPA3 uses Forward Secrecy to protect data even after the password is compromised.|
|Vulnerable to offline dictionary attacks.||Safe from offline dictionary attacks.|
|WPA2 uses the Extensible Authentication Protocol (EAP) to encrypt wireless traffic.||WPA3 uses Opportunistic Wireless Encryption to encrypt wireless traffic.|
|WPA2 uses powerful Advanced Encryption Standard (AES).||WPA3 uses more robust AES encryption with the GCMP (Galois/Counter Mode Protocol)|
Are you using WPA3 security? What are your thoughts on WPA3?
Tell me in the comments!