
WPA3 Announcement: Wi-Fi Alliance Introduces Security Update

The Wi-Fi Alliance, whose members include Apple, Microsoft and Qualcomm, has introduced a new security protocol for wireless networks: WPA3. Details of its implementation will appear later (this year), but some of its features are already known. For example, WPA3 will add brute-force protection and "personalized data encryption." We cover these and several other features below.


Image: Flickr / Metropolitan Transportation Authority / CC

Why an upgrade was needed


In a sense, the update is a response to a bug in the WPA2 protocol, which is used in billions of devices around the world. The critical vulnerability was named KRACK, and it was discovered by Belgian researcher Mathy Vanhoef last fall.

KRACK is a replay attack on a wireless network that lets attackers mount a MITM attack and "listen" on the channel between the client and the Wi-Fi access point.

When a WPA2 connection is established, a four-way handshake is performed, during which a cryptographic key is generated to encrypt the traffic. By manipulating the handshake messages, the attacker forces the victim to reinstall a key that has already been "approved" and is in use. As a result, the counters of transmitted and received packets are reset to their initial values. The attacker can then decrypt the traffic and even inject their own data into TCP connections.
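The counter reset described above, as an added example that is not part of the original article: a toy Python model comparing a client that reinstalls the key on a replayed handshake message with one that ignores the replay. The `Client` class, the SHA-256 keystream and the frames are constructed for illustration; this is not real supplicant code or the real WPA2 cipher.

```python
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy keystream (SHA-256 over key, nonce, block index); a stand-in for
    # the real WPA2 cipher, used only to make nonce reuse visible.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a client's key state, not real supplicant code."""

    def __init__(self, ignore_reinstall: bool):
        self.ignore_reinstall = ignore_reinstall
        self.key = None
        self.packet_number = 0   # transmit counter, used as the nonce
        self.nonces_used = []    # (key, nonce) pairs, for the reuse check

    def on_handshake_msg3(self, key: bytes) -> None:
        if self.ignore_reinstall and key == self.key:
            return               # hardened: key already installed, keep the counter
        self.key = key
        self.packet_number = 0   # vulnerable when the same key is installed again

    def send(self, plaintext: bytes) -> bytes:
        self.packet_number += 1
        self.nonces_used.append((self.key, self.packet_number))
        return xor(plaintext, keystream(self.key, self.packet_number, len(plaintext)))

FRAME_1 = b"constructed frame one"
FRAME_2 = b"constructed frame two"

def simulate(ignore_reinstall: bool):
    """Return (nonce_reused, keystream_cancels) after a replayed message 3."""
    client = Client(ignore_reinstall)
    key = b"constructed session key"
    client.on_handshake_msg3(key)
    c1 = client.send(FRAME_1)
    client.on_handshake_msg3(key)        # replayed handshake message 3
    c2 = client.send(FRAME_2)
    reused = len(set(client.nonces_used)) < len(client.nonces_used)
    return reused, xor(c1, c2) == xor(FRAME_1, FRAME_2)

if __name__ == "__main__":
    print("reinstall allowed:", simulate(False))
    print("reinstall ignored:", simulate(True))
```

When the same key is installed twice, both frames are encrypted under the same (key, nonce) pair, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; ignoring the repeated install keeps the counter moving and the nonces unique.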

New WPA3 features


To eliminate this vulnerability and enhance the security of Wi-Fi networks in general, the Alliance introduces several security updates that will become part of WPA3.

The first feature is brute-force protection. New rules limit the number of password attempts, which strengthens protection against dictionary attacks (guessing the password offline also becomes impossible).

It will also be possible to configure Wi-Fi devices from another device. For example, you can set up WPA3 on an Internet of Things device from a smartphone or tablet.

WPA3 will also introduce support for "personalized data encryption." Mathy Vanhoef suggested on Twitter that this refers to Opportunistic Wireless Encryption (OWE), an extension proposed for the 802.11 standard. OWE uses the Diffie-Hellman cryptographic protocol to obtain the shared secret key, which replaces the vulnerable PSK method.

Vanhoef also suggested that the improved password protection will be implemented using the SAE or Dragonfly mechanisms used in mesh networks.

Finally, representatives of the Wi-Fi Alliance presented a 192-bit security suite implemented according to the requirements of the Commercial National Security Algorithm (CNSA) Suite. These requirements were developed by the Committee on National Security Systems (CNSS) to protect public and industrial wireless networks.

When to expect the standard


Although the detailed protocol specification will be published this year, it will take some time before certified equipment with WPA3 support can be bought.

Because WPA2 is so widely deployed, WPA3 will be rolled out in stages, so the old protocol will remain in use for the time being. For those who continue to use WPA2, the Alliance will compile a list of tips for enhancing network security.

As Mathy Vanhoef says, the standards that have been implemented in WPA3 have been around for a long time, but are not always used in real systems. Vanhoef hopes that manufacturers' desire to meet the WPA3 specification (at least for commercial reasons) will change the situation and have a positive impact on the security of the wireless network ecosystem.


Source: https://habr.com/ru/post/344126/

