Summary
Wi-Fi Protected Access 3 (WPA3), introduced by the Wi-Fi Alliance in 2018 as Wi-Fi CERTIFIED WPA3, marks the latest advancement in Wi-Fi security. It offers enhanced protections for personal, enterprise, and open Wi-Fi networks, addressing vulnerabilities present in the previous standard, WPA2.
Wi-Fi Adapters, certified for WPA3, have been rigorously tested for interoperability and performance with leading access point vendors, ensuring a secure and seamless experience for both consumer and enterprise users. All WPA3 security modes and related components have undergone thorough evaluation to ease the transition to the new standard. Additionally, transition mode ensures backward compatibility with WPA2-only clients, providing an intermediary option before fully committing to WPA3.
Upgrading to WPA3 can be straightforward for personal, small-business, or enterprise networks, with many existing devices and infrastructure supporting the new standard. While some devices may have initially had limited roaming capabilities between WPA3 and WPA2 networks, effective network planning can address this. Overall, WPA3 offers robust protocols that significantly enhance wireless network security, making the upgrade worthwhile.
A Look Back at Wireless Security
Wi-Fi has become an indispensable part of our lives, connecting billions of devices worldwide and facilitating critical tasks in work, education, healthcare, and government. Ensuring the security of Wi-Fi networks has been a persistent goal and challenge since its inception. Security standards have continually evolved, leading to the robust WPA3 standard we have today.
Wi-Fi Security Standards Timeline
The high-level Wi-Fi security release timeline highlights this progression. The original security standard, Wired Equivalent Privacy (WEP), was established in 1997. It required complex 10-digit or 26-digit hexadecimal keys, which were difficult for users to remember, and had significant cryptographic weaknesses that made it easy to exploit. In 2003, Wi-Fi Protected Access (WPA) was introduced alongside the 802.11g Wi-Fi standard. WPA brought in the concept of user-friendly Wi-Fi passwords and the Temporal Key Integrity Protocol (TKIP), designed to prevent replay attacks that WEP was vulnerable to.
However, WPA soon revealed vulnerabilities to various attacks, including man-in-the-middle attacks. In response to these security issues, the IEEE introduced the 802.11i security standard in 2004. Concurrently, the Wi-Fi Alliance launched the WPA2 certification program for Wi-Fi products. This significant update included new encryption standards and ciphers, notably the Advanced Encryption Standard (AES) and the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP). These advancements provided a much more secure framework for Wi-Fi networks and became the cornerstone of Wi-Fi security for the next decade and beyond. Today, WPA2 remains the most widely used Wi-Fi security standard.
In 2012, an important update to WPA2 introduced Protected Management Frames (PMF) as an optional feature. PMF was designed to protect management frames, which are critical for the operation and security of Wi-Fi networks. By safeguarding these frames, PMF helps prevent various types of attacks, such as spoofing and disconnect attacks. Recognizing the importance of this protection, the Wi-Fi Alliance made PMF support mandatory for Wi-Fi 5 devices.
This emphasis on security laid the groundwork for WPA3, which builds on the foundation of WPA2 while incorporating mandatory PMF usage across all Wi-Fi networks, including personal, enterprise, and open networks. WPA3 also introduces additional security enhancements, such as more robust encryption algorithms and simplified security protocols, ensuring that Wi-Fi networks are better equipped to handle the increasingly sophisticated threats of today’s digital landscape. With these advancements, WPA3 provides a higher level of security, making it a critical update for maintaining secure and reliable wireless connections in a variety of environments.
Moving Security Forward with WPA3
WPA3 is the next-generation Wi-Fi security standard designed for both personal and enterprise networks. It offers significant updates while maintaining backward compatibility with WPA2 clients using preexisting authentication and encryption types.
| Features | WPA2 | WPA3 |
|---|---|---|
| Encryption | AES-CCMP | GCMP-256 / AES-CCMP |
| Authentication | PSK / 802.1X with EAP | SAE / 802.1X with EAP |
| Key Length | 128-bit | 192-bit |
| Protected Management Frames (PMF) | Optional | Mandatory |
| Attack Resiliency | | Included |
- Enhanced Standards: WPA3 mandates the use of robust standards such as AES and the latest security methods. It introduces a 192-bit security mode and eliminates the use of legacy protocols like TKIP.
- Mandatory PMF Usage: WPA3 enforces the use of Protected Management Frames (PMF) to improve network resiliency.
- Transition Mode: WPA3 provides a transition mode, allowing legacy WPA2 clients to connect to most WPA3 networks.
WPA3-Personal
WPA3-Personal introduces Simultaneous Authentication of Equals (SAE), a more secure and robust method of authentication for personal networks, replacing the Pre-Shared Key (PSK) method. SAE is resistant to offline dictionary attacks and protects users even when they choose short Wi-Fi passwords. Additionally, it offers forward secrecy, protecting data traffic even if the password is compromised later.
WPA3-Enterprise
WPA3-Enterprise builds on WPA2 by mandating the use of PMF across networks, adding new encryption protocols such as the Galois Counter Mode Protocol (GCMP), and introducing a 192-bit security mode. This mode ensures the highest level of authentication and cryptography, incorporating the Commercial National Security Algorithm Suite (CNSA), also known as Suite B.
Enhanced Open Networks
Parallel to WPA3, the Wi-Fi Alliance introduced the Wi-Fi CERTIFIED Enhanced Open program to bring higher security to open Wi-Fi networks. This program uses Opportunistic Wireless Encryption (OWE) to provide unauthenticated data encryption, reducing some of the privacy risks associated with open networks.
By incorporating these advancements, WPA3 significantly enhances Wi-Fi security, providing robust protection for a wide range of network environments.
Industry Verified Security
Wi-Fi adapters certified for WPA3 support all the major improvements brought by WPA3 and Enhanced Open. Additionally, all supported WPA3 security modes and related components have been thoroughly verified for interoperability and performance with major Wi-Fi access point vendors.
WPA3 supported and verified modes and combinations:
- WPA3-Personal/SAE: This new standard for personal Wi-Fi security is most secure when used exclusively for a personal SSID, but it can coexist with WPA2 PSK authentication, offering a backward-compatible option for legacy WPA2 clients lacking SAE support. Using the Dragonfly key exchange, this method is resilient to offline dictionary attacks and provides forward secrecy: even if an attacker learns the password later, they cannot decrypt previously captured user traffic. SAE is the only authentication method for personal security supported in Wi-Fi 6E.
- OWE/Enhanced Open: This new standard for open Wi-Fi networks provides some security even without authentication and eliminates plaintext transmissions. It supports transition mode, allowing legacy clients to connect to a legacy open network. Wi-Fi 6E eliminates legacy open networks to ensure that all Wi-Fi sessions have at least a minimum level of privacy and protection.
- WPA3-Enterprise/AES-CCMP 802.1X: This builds on current WPA2 enterprise protocols but mandates the use of PMF for WPA3 clients to enhance network resiliency. It allows backward compatibility by advertising PMF-capable networks in transition mode, rather than PMF-required networks in WPA3-only mode, ensuring that legacy WPA2 clients can connect.
- WPA3-Enterprise/GCMP-256 192-bit with Secure Hash Algorithm (HMAC-SHA384): This new, highly secure mode is designed for security-sensitive environments. It does not allow a transition mode to maintain the high level of security intended, making it available only for WPA3 clients, with no backward compatibility for legacy WPA2 clients.
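To see what an access point actually advertises for each of the modes listed above, the following added Python example (not part of this paper or any vendor's tooling) decodes the RSN information element carried in a beacon or probe response and names the mode in the paper's terms: SAE-only, SAE + PSK transition mode, PMF-capable versus PMF-required enterprise, OWE, and 192-bit mode. Suite selector values are the IEEE 802.11 ones; the sample elements are constructed inline with `build_rsn`.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 RSN suite selector OUI
AKM = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE", 12: "SUITE-B-192", 18: "OWE"}
CIPHER = {2: "TKIP", 4: "CCMP-128", 9: "GCMP-256"}

def build_rsn(group: int, pairwise: list, akms: list, caps: int) -> bytes:
    # Assemble an RSN IE (element ID 48); used here only to construct sample beacons.
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    return bytes([48, len(body) + 2]) + body + struct.pack("<H", caps)

def parse_rsn(ie: bytes) -> dict:
    """Decode cipher suites, AKM suites and the PMF bits (MFPC = bit 7, MFPR = bit 6)."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:2 + ie[1]]
    if struct.unpack_from("<H", body, 0)[0] != 1 or body[2:5] != OUI:
        raise ValueError("unsupported RSN version or vendor-specific group cipher")

    def suites(pos: int) -> tuple:  # (suite types, offset just past the list)
        n = struct.unpack_from("<H", body, pos)[0]
        sel = [body[pos + 2 + 4 * i:pos + 6 + 4 * i] for i in range(n)]
        return [s[3] if s[:3] == OUI else -1 for s in sel], pos + 2 + 4 * n
    pairwise, pos = suites(6)
    akms, pos = suites(pos)
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0  # optional field
    return {"group": CIPHER.get(body[5], "other"), "mfpc": bool(caps & 0x80),
            "mfpr": bool(caps & 0x40), "pairwise": [CIPHER.get(c, "other") for c in pairwise],
            "akms": [AKM.get(a, "other") for a in akms]}

def classify(ie: bytes) -> str:
    """Name the advertised mode in this paper's terms, flagging settings WPA3 removes."""
    r = parse_rsn(ie)
    a, mfpc, mfpr = set(r["akms"]), r["mfpc"], r["mfpr"]
    if "TKIP" in r["pairwise"] or r["group"] == "TKIP":
        return "legacy: TKIP still enabled"
    if "SUITE-B-192" in a:  # 192-bit mode has no transition form: GCMP-256 and PMF required
        ok = mfpr and set(r["pairwise"]) == {"GCMP-256"}
        return "WPA3-Enterprise 192-bit" if ok else "192-bit AKM without GCMP-256 or PMF required"
    if "OWE" in a:
        return "Enhanced Open (OWE)"
    if "SAE" in a:
        if a & {"PSK", "PSK-SHA256"}:
            return "WPA3-Personal transition mode (SAE + PSK)"
        return "WPA3-Personal (SAE only)" if mfpr else "SAE only but PMF not required"
    if "802.1X" in a:
        return "WPA3-Enterprise" if mfpr else ("WPA3-Enterprise transition mode" if mfpc else "WPA2-Enterprise")
    return "WPA2-Personal (PSK)"
```

Feeding it the raw RSN element bytes from a captured beacon (e.g. exported from a packet capture) shows whether an SSID that claims WPA3 is really SAE-only with PMF required or is still running in transition mode.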
The previously released Wi-Fi 6E and the newly released Wi-Fi 7 standards mandate the use of WPA3 security, highlighting the clear and significant benefits of upgrading Wi-Fi networks to this advanced security protocol.
Conclusion
WPA3 is the latest and most secure option for Wi-Fi security, designed to be simpler to use and more robust than ever. This new standard offers a higher level of protection and privacy for personal, enterprise, and even open networks. Personal Wi-Fi networks using WPA3 are more resilient to classic replay and offline dictionary attacks. Enterprise networks benefit from mandatory use of Protected Management Frames (PMF) and higher-bit security for environments requiring the utmost level of security. Enhanced Open networks add privacy even without authentication, replacing plaintext data transmission.
Wi-Fi adapters certified for WPA3 have been thoroughly validated for interoperability and performance with major access point vendors, ensuring a smooth and more secure Wi-Fi experience for both consumer and enterprise customers. All supported WPA3 security modes and related components have been evaluated with a wide range of access points to address concerns associated with transitioning to a new security standard. Additionally, transition mode, which provides backward compatibility for legacy WPA2-only clients, has been verified, giving customers the flexibility to adopt the latest security standard without compromising connectivity for older devices.