Denys Rudyi - Fotolia
WPA3 protocol: Should enterprises implement the changes?
The Wi-Fi Alliance released the updated WPA3 protocol, adding security enhancements to the Wi-Fi access process. Learn why enterprises should update with Judith Myerson.
The Wi-Fi Alliance this year introduced the long-awaited update to its Wi-Fi Protected Access specification, WPA3. What security enhancements are included in the WPA3 protocol? Should enterprises adopt it?
Like its precursors, the new version of the WPA3 protocol has two security modes: WPA3-Personal and WPA3-Enterprise. Both modes use modern security methods and have dropped the use of outdated legacy protocols.
WPA3-Personal is designed for personal Wi-Fi networks and is intended to offer protection against password-guessing attacks while also being more resilient. WPA3-Enterprise mode is designed to better protect sensitive data transmission over enterprise networks. Both WPA3 security modes remain backward-compatible with existing devices that support WPA2.
The WPA3-Enterprise version is the preferred user authentication technology for the government and finance sectors. WPA3-Enterprise mode uses the equivalent of 192-bit cryptographic strength with a combination of cryptographic protocols.
In the update, a set of four cryptographic tools replace Wi-Fi 802.1x for WPA2-Enterprise, and the tools are combined together to provide better protection against attacks, such as password cracking on Wi-Fi networks.
Among the additional cryptographic algorithms incorporated into WPA3-Enterprise are:
- Authenticated encryption with the 256-bit Galois/Counter Mode Protocol (GCMP-256), which better protects the integrity of messages sent to a group of destination computers simultaneously.
- Key derivation and confirmation using 384-bit Hashed Message Authentication Mode (HMAC) and HMAC-Secure Hash Algorithm (SHA) 384. The latter protocol is constructed from the SHA-384 hash function and is used as an HMAC.
- Key establishment and authentication using Elliptic Curve Diffie-Hellman Exchange (ECDHE) and 384-bit Elliptic Curve Digital Signature Algorithm. ECDHE is the Diffie-Hellman protocol that uses elliptic curve cryptography for faster performance. Most browsers support this protocol.
- Robust management frame protection using the 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code.
Overall, enterprises should adopt the new WPA3 security protocol in order to reduce the risks present in Wi-Fi networks and to ensure that client systems have drivers installed that support GCMP-256. If these drivers are not available, authenticated encryption of Wi-Fi traffic will not work properly.
The 256-bit protocols are not backward-compatible, and they disable support for all non-802.11ac clients and all 802.11ac clients that support the mandatory 128-bit cipher suites.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Network security
Related Q&A from Judith Myerson
Site-to-site VPN security benefits and potential risks
Not every enterprise needs the functionality of a standard VPN client. A site-to-site VPN may be a better choice for some companies, but it's not ... Continue Reading
Should I worry about the Constrained Application Protocol?
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
How can I protect my self-encrypting drives?
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading