WPA3 Wi-Fi security standard

What is WPA3?

In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement to WPA2. The WPA3 Wi-Fi security standard tackles WPA2 shortcomings to better secure personal, enterprise, and IoT wireless networks.

The new standard uses an equivalent 192-bit cryptographic strength in WPA3-Enterprise mode (AES-256 in GCM mode with SHA-384 as HMAC), and still mandates the use of CCMP-128 (AES-128 in CCM mode) as the minimum encryption algorithm in WPA3-Personal mode.

The WPA3 standard also replaces the Pre-Shared Key exchange with Simultaneous Authentication of Equals as defined in IEEE 802.11-2016 resulting in a more secure initial key exchange in personal mode and forward secrecy. The Wi-Fi Alliance also claims that WPA3 will mitigate security issues posed by weak passwords and simplify the process of setting up devices with no display interface. Protection of management frames as specified in the IEEE 802.11w amendment is also enforced by the WPA3 specifications.

WPA3 vulnerabilities

Vulnerabilities have been found in the WPA3-Personal protocol. The vulnerabilities were identified by security researchers Mathy Vanhoef and Eyal Ronen.

The WPA3-Personal protocol comes with a secure method of authentication called Simultaneous Authentication of Equals (SAE), which replaces the Pre-shared Key (PSK) in WPA2-Personal. WA3 protocol is using much more secure “dragonfly” handshake. That was a the theory and reality seems to be a little different. The researchers found that even with WPA3, an attacker can still recover the password to the Wi-Fi network.

WPA3 timeline