WPA3: What You Need To Know
The State of Security
Earlier this month, the Wi-Fi Alliance issued a press release announcing the availability of WPA3.
Built on several existing but not widely deployed technologies, WPA3 makes several significant improvements over the security provided by WPA2. Most notably, WPA3 should close the door on offline dictionary-based password cracking attempts by using a more modern key establishment protocol called Simultaneous Authentication of Equals (SAE).
This mechanism has some commonality with the Diffie-Hellman key exchange and has already been deployed in some mesh network standards. In addition to thwarting offline password cracking attempts, SAE provides forward secrecy, so that an attacker cannot decrypt previously recorded sessions – even if the WPA3 passphrase is known.
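The forward-secrecy difference described above, as an added example that is not part of the original article. It contrasts a WPA2-style key, which is a function of the passphrase and values sent in the clear, with an ephemeral Diffie-Hellman key. Assumptions: the Diffie-Hellman half is plain ephemeral DH over a toy group, not SAE itself, and the SSID, passphrase and simplified session-key function are constructed for illustration.

```python
import hashlib, hmac, secrets

# Constructed sample values, not taken from the article.
SSID, PASSPHRASE = b"example-net", b"correct horse battery staple"
# Toy Diffie-Hellman group (Mersenne prime 2**127 - 1); far too small for real use.
P, G = 2**127 - 1, 3

def wpa2_pmk(passphrase, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)

def wpa2_session_key(pmk, anonce, snonce):
    """Simplified stand-in for the 802.11 PTK derivation: PMK plus on-air nonces."""
    nonces = min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"toy-ptk" + nonces, hashlib.sha256).digest()

def wpa2_handshake():
    """Return (nonces visible on air, session key held by the peers)."""
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    key = wpa2_session_key(wpa2_pmk(PASSPHRASE, SSID), anonce, snonce)
    return (anonce, snonce), key

def wpa2_key_from_recording(passphrase, transcript):
    """Every input here is the passphrase or a value from the recorded handshake."""
    return wpa2_session_key(wpa2_pmk(passphrase, SSID), *transcript)

def dh_handshake():
    """Ephemeral DH: only G^a and G^b cross the air; a and b are discarded on return."""
    a, b = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    key_a = hashlib.sha256(pow(pub_b, a, P).to_bytes(16, "big")).digest()
    key_b = hashlib.sha256(pow(pub_a, b, P).to_bytes(16, "big")).digest()
    return (pub_a, pub_b), key_a, key_b

if __name__ == "__main__":
    transcript, key = wpa2_handshake()
    print("WPA2-style key recomputed from recording + passphrase:",
          wpa2_key_from_recording(PASSPHRASE, transcript) == key)
    _, key_a, key_b = dh_handshake()
    print("DH peers agree on a key:", key_a == key_b)
    _, other_key, _ = dh_handshake()
    print("Same passphrase, new session, same DH key:", other_key == key_a)
```

In the second half the passphrase never enters the key derivation, so learning it later gives no path back to a recorded session's key; SAE additionally binds the exchange to the password for authentication.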
Another huge enhancement in this announcement is the Wi-Fi Device Provisioning Protocol (DPP) to replace the readily exploitable Wi-Fi Protected Setup (WPS).
With DPP, devices can be authenticated to join a network without a password through various means, including QR codes or NFC tags. Unlike existing options, however, this is not simply a mechanism for communicating the password; rather, it is a way for devices to perform mutual authentication without a password.