Wi-Fi Gets More Secure: Everything You Need to Know About WPA3

WPA3, Enhanced Open, Easy Connect: The Wi-Fi Alliance’s trio of new protocols explained

The biggest Wi-Fi security update in 14 years was recently unveiled by the Wi-Fi Alliance. The Wi-Fi Protected Access 3 (WPA3) security certification protocol provides some much-needed updates to the WPA2 protocol introduced in 2004. Rather than a wholesale reworking of Wi-Fi security, WPA3 focuses on bringing new techniques to bear against the cracks that have begun to show in WPA2.

The Wi-Fi Alliance also announced two additional, separate certification protocols alongside WPA3. The Enhanced Open and Easy Connect protocols are not dependent on WPA3, but they do improve security for specific types of networks and certain situations.

All of these protocols are now available for manufacturers to incorporate into their devices. If WPA2 is anything to go by, these protocols will eventually see universal adoption, but the Wi-Fi Alliance has not set any sort of timeline on when that should happen. Most likely, as new devices make their way into the market, we will eventually see a tipping point where WPA3, Enhanced Open, and Easy Connect are new mainstays.

So, what do all these new certification protocols do? There are a lot of details, and since most of them deal with wireless encryption, a lot of complicated math too, but here’s the gist of the four main changes these protocols will be bringing to wireless security.

Simultaneous Authentication of Equals

This is the biggest change that WPA3 brings to the table. The most important moment in any network’s defense is when a new device or user tries to connect. The enemy should remain outside the gate, which is why WPA2, and now WPA3, put a lot of emphasis on authenticating new connections and ensuring they aren’t attempts by attackers to gain access.

Simultaneous Authentication of Equals (SAE) is a new method of authenticating a device trying to connect to a network. A variation of the so-called dragonfly handshake, which uses cryptography to prevent an eavesdropper from guessing a password, SAE dictates exactly how a new device, or user, should “greet” a network router when they exchange cryptographic keys.

SAE replaces the Pre-Shared Key (PSK) method that has been in use since WPA2 was introduced in 2004. PSK is also known as a four-way handshake, after the number of back-and-forth handshakes, or messages, that had to pass between a router and a connecting device for both sides to prove they knew a previously agreed-upon password without either side actually revealing it outright. PSK seemed secure until 2016, when Key Reinstallation Attacks (KRACK) were discovered.

A KRACK interrupts the series of handshakes by pretending to temporarily lose the connection to the router. In actuality, it is using the repeated connection opportunities to analyze the handshakes until it pieces together what the password must be. SAE blocks this kind of attack, as well as the more common offline dictionary attacks, where a computer churns through hundreds, thousands, or millions of passwords to determine which one matches the verification information provided by the PSK handshakes.
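Whether a network still relies on the PSK four-way handshake or already offers SAE is advertised in the RSN information element of every beacon, so a defender can audit the transition from WPA2 to WPA3 without touching a single handshake. The parser below is an added example, not code from the article or from the Wi-Fi Alliance: it decodes the RSN element (element ID 48) as defined in IEEE 802.11, lists the cipher and AKM suites, reads the management-frame-protection bits, and classifies the network as WPA2-Personal, WPA3-Personal, WPA3 transition mode, or Enhanced Open (OWE). The sample element bytes are constructed for the example; the classification labels are my own.

```python
import struct

RSN_ELEMENT_ID = 48
RSN_OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI

# Suite type numbers from IEEE 802.11 (subset; others reported as "unknown-N")
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
             6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "Suite-B-192", 18: "OWE"}

MFPR_BIT = 1 << 6  # RSN capabilities: management frame protection required
MFPC_BIT = 1 << 7  # RSN capabilities: management frame protection capable


def _suite_name(buf: bytes, off: int, table: dict) -> str:
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    oui, typ = buf[off:off + 3], buf[off + 3]
    if oui != RSN_OUI:
        return f"vendor-{oui.hex()}-{typ}"
    return table.get(typ, f"unknown-{typ}")


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse a raw RSN element (ID, length, body) taken from a beacon or probe response."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) - 2 < ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) < 6:  # version (2) + group cipher suite (4) are mandatory
        raise ValueError("RSN element too short")
    info = {"version": struct.unpack_from("<H", body, 0)[0],
            "group_cipher": _suite_name(body, 2, CIPHER_NAMES),
            "pairwise": [], "akm": [], "mfpc": False, "mfpr": False}
    off = 6
    # Pairwise cipher list and AKM list are each optional; an element may end early.
    for key, table in (("pairwise", CIPHER_NAMES), ("akm", AKM_NAMES)):
        if off + 2 > len(body):
            return info
        count = struct.unpack_from("<H", body, off)[0]
        off += 2
        if off + 4 * count > len(body):
            raise ValueError(f"truncated {key} suite list")
        for _ in range(count):
            info[key].append(_suite_name(body, off, table))
            off += 4
    if off + 2 <= len(body):  # RSN capabilities field is optional too
        caps = struct.unpack_from("<H", body, off)[0]
        info["mfpc"] = bool(caps & MFPC_BIT)
        info["mfpr"] = bool(caps & MFPR_BIT)
    return info


def classify(info: dict) -> str:
    """Map the advertised suites to a human-readable security posture (labels are my own)."""
    akm = set(info["akm"])
    if "TKIP" in info["pairwise"] or info["group_cipher"] == "TKIP":
        return "legacy (TKIP present)"
    if "OWE" in akm:
        return "Enhanced Open (OWE)"
    if "SAE" in akm or "FT-SAE" in akm:
        if "PSK" in akm or "PSK-SHA256" in akm:
            return "WPA3-Personal transition mode (SAE and PSK both offered)"
        # WPA3-Personal requires protected management frames, i.e. MFPR set
        return "WPA3-Personal" if info["mfpr"] else "SAE without required PMF (not WPA3-compliant)"
    if "PSK" in akm or "PSK-SHA256" in akm:
        return "WPA2-Personal (PSK four-way handshake only)"
    if "802.1X" in akm or "802.1X-SHA256" in akm or "Suite-B-192" in akm:
        return "Enterprise (802.1X)"
    return "unknown"


# Constructed sample RSN elements (not captured from real networks).
SAMPLE_IES = {
    "wpa2_psk": bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000"),
    "wpa3_sae": bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000"),
    "transition": bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04" "0200"
                                "000fac02" "000fac08" "8000"),
    "owe": bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac12" "c000"),
}

if __name__ == "__main__":
    for name, ie in SAMPLE_IES.items():
        info = parse_rsn_ie(ie)
        print(f"{name:11s} akm={info['akm']} mfpc={info['mfpc']} mfpr={info['mfpr']} -> {classify(info)}")
```

In practice the element bytes come from a packet capture or a scan tool that exposes raw information elements; feeding each beacon's RSN element through `parse_rsn_ie` and `classify` gives an inventory of which access points still answer only with the PSK handshake, which run in transition mode, and which have fully moved to SAE with protected management frames required.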