The successor to wpa2 is coming – How are we moving forward with wpa3?
There is a reasonable chance that you are familiar with the wpa2 phenomenon. That’s not surprising, because we’ve been doing it since about 2006. It is therefore ubiquitous if you have anything to do with wireless networks. However, a certification is only valid for a certain period of time, so it will be time for an update at some point.
That moment has now arrived. For example, the Wi-Fi Alliance recently introduced the certification program for wpa3, in which the organization imposes requirements on manufacturers that they must meet in order to be able to stick the corresponding sticker on their packaging. The alliance published an announcement, but the details were not discussed in great detail. Enough reason to take a look at what exactly will change. For example, the question is whether security is improving and what exactly is part of the wpa3 set of requirements.
The impact of such a change is difficult to overestimate. For example, the database of Wigle, a service that maps Wi-Fi networks worldwide, contains approximately 460 million unique Wi-Fi networks. A large part of them, almost two thirds, now use wpa2. It will therefore take some time before the majority of devices have switched to wpa3.
A short review
To understand how we got to this point, it’s good to look back at the development of wireless networks and their security. Don’t worry, we’re not going to talk about wireless fidelity . Let’s start with the Wi-Fi Alliance, which was founded in the late 1990s. This non-profit organization administers Wi-Fi certifications and was originally created under the name of the Wireless Ethernet Compatibility Alliance. This name already betrays one of the goals of the organization: making different wireless devices compatible. Six companies, including 3Com and Nokia, were involved in the creation of the alliance. It now has more than five hundred members, which are divided into a number of categories. Of these, ‘sponsor’ is the smallest category, with fourteen companies. These are major players, such as Apple, Qualcomm, Broadcom, Microsoft, LG, Samsung and Cisco.
If we look at the security of wireless networks, wep is the first. This stands for wired equivalent privacy and, according to the name, had to offer the same security as a wired connection. In the end, that turned out not to work at all. Wep was part of the original 802.11 specifications, which described wireless networks. There are now many variants of this, of which 802.11ac must currently be known, because it is widely distributed. Its successor is 802.11ax. Wep used encryption via rc4, which is no longer considered secure, and offered key sizes of 40 and 104bit. WEP’s security left much to be desired and from 2001 onwards, more and more attacks appeared that exploited vulnerabilities in the technology. For example, an attack from 2007 was able to retrieve a key in under a minute .
In the meantime, things had not been idle and a replacement for WEP had to be found quickly. This took the form of the 802.11i protocol, the first draft of which was approved in 2004. Initially there was WPA, which stands for Wi-Fi Protected Access and should be seen as a quick interim measure to eliminate WEP’s most serious shortcomings. Wpa basically boils down to tkip , which in turn stands for temporal key integrity protocol , but has been referred to as deprecated since 2012 . This still used rc4.
However, wpa only implemented part of the final 802.11i specification, while wpa2 refers to the entire one. Wpa2 brought with it the ccmp protocol, which uses aes for encryption instead of rc4. This option therefore offered a higher degree of security than tkip. The wpa2 specification also brought another innovation in the form of a so-called 4-way handshake, which devices perform when they want to join a wireless network, for example. Wpa2 was made mandatory in 2006 for the certification of wireless devices.
For a long time, things remained relatively quiet around the security of wpa2, until that handshake in 2017 turned out to cause problems.
Crack
Thanks to Mathy Vanhoef and Frank Piessens, affiliated with KU Leuven, the world discovered in October last year that wpa2 was not infallible. The researchers presented the attack Krack, which stands for Key reinstallation attack . This means that an attacker can get a target, such as a smartphone, to use a network traffic encryption key that is already in use. This allows it to decrypt and manipulate network traffic. The attack targets wpa2’s 4-way handshake, by repeating a particular message during that four-step process. The attacker can force this by capturing packets and retransmitting them. With this method, an attacker cannot discover the encryption key itself.
The consequences of a Krack attack can be compared to someone listening in on an open Wi-Fi network without encryption. With unencrypted network traffic, for example with an HTTP server, the person can then sometimes receive sensitive information such as login details or encryption keys. If encryption is still used, for example by means of an https connection, that network traffic remains encrypted. Fortunately, it turned out to be possible to provide existing wpa2 devices with software updates to close the Krack-related vulnerabilities.
Also recently followed a discovery by the team behind the hacking tool Hashcat. According to the discoverers, this only works on wpa2 to crack pre-shared keys.
Wpa3
It wasn’t long before the Wi-Fi Alliance introduced a successor in the form of wpa3. That happened at the beginning of this year with a fairly general announcement . Subsequently, the corresponding certification program started in June, during which the alliance shared some more details about wpa3. It turned out that in fact only one of the initially mentioned properties is mandatory for devices that support wpa3 . The actual wpa3 specification, which can be found on the Wi-Fi Alliance’s site at the time of writing, therefore only has two pages of actual information.
First, let’s discuss the most interesting change wpa3 brings. The change required for personal networks under wpa3 is known as simultaneous authentication of equals , or sae. This method of authentication replaces the aforementioned pre-shared key of wpa2. This uses a new handshake called Dragonfly and is described in an rfc document . It describes that this way of exchanging a key offers protection against an attacker who wants to retrieve the key by means of an offline dictionary attack . Dragonfly is in the name of Dan Harkins and its creation was not without itblow or blow. Another feature, described in a security proof from Dragonfly, is that an attacker who learns the password of a wireless network cannot use it to decrypt traffic that he has received in the past. This property is also known as forward secrecy . This is not present in wpa2.
The Wi-Fi Alliance writes about sae: “In a Wi-Fi network, the sae handshake negotiates a new pairwise master key per client, which is then used in a traditional 4-way handshake to generate session keys. Neither the master key nor the password used in the sae exchange can be obtained by a passive attack, active attack or offline dictionary attack. Retrieving the password is only possible through repeated active attacks that guess a different password each time. In addition, forward secrecy is provided because the sae-handshake ensures that the master key cannot be retrieved if the password is compromised.”
In addition to wpa3-personal, there is a second variant, called wpa3-enterprise. As the name suggests, it is intended for business environments. A document on the engineering behind wpa3 states: “Wpa3 enterprise does not fundamentally change or replace the protocols in wpa2 enterprise or the underlying 802.11 standard.” The enterprise variant does introduce an optional mode that, according to the Wi-Fi Alliance, “must provide a minimum security of 192bit” with support for techniques such as hmac-sha384 and 384bit-ecdh.
One of the optional components of wpa3 is a technique called EasyConnect . According to the description of the Wi-Fi Alliance, this technology should make it easier to add a device to a wireless network. This should also apply to devices with a missing or minimal interface, such as internet-of-things equipment. The idea is that a device with an interface, such as a smartphone, takes on the role of a configurator already logged on to the network. He can then add other devices to the network by first scanning the QR code of the access point and then the QR code of the device to be added, such as a printer or doorbell. The configurator can also be the access point itself, with configuration taking place via the web interface. Also, it does not necessarily have to be a qr code, but a human-readable string of characters is also an option.
EasyConnect should therefore make it easier to add devices, with which it has similarities with wps , or wi-fi protected setup . You know, that button you had to press on the router to add a device. A known vulnerability in WPS has existed for a long time, in that an attacker can brute force the associated PIN code. It is therefore advisable to disable this function or to limit the number of attempts to enter a PIN code.
In addition to EasyConnect, there is a component known as enhanced open . According to the alliance, this is based on opportunistic wireless encryption , or owe. This is described in a specification and is in turn derived from opportunistic encryption . With the introduction of enhanced open, the Wi-Fi Alliance is attempting to protect open hotspots, which you often encounter in coffee shops and shops, for example. The technique ensures that the traffic between a client and an access point is encrypted, which should protect against passive attacks such as eavesdropping or injecting network packets. However, no authentication takes place, so a malicious person can still pose as an access point.
Are we moving forward?
We spoke with Mathy Vanhoef, the researcher behind Krack, about the introduction of wpa3 and his expectations of it.
On the length of the specification published by the Wi-Fi Alliance, Vanhoef says, “It makes sense that it is short, because the alliance basically only refers to existing standards.” Wpa3 is therefore not a new standard, but if you want to stick the corresponding sticker on the router, you must meet the standards stated in the specification. So it is a certification program.
“The improvement that is guaranteed is the updated handshake. It is better than the 4-way handshake that is now used in wpa2. What is no longer possible is that an attacker intercepts data and then goes home to crack it offline .” By this he means that with wpa2 it is possible to monitor the traffic between an access point and a client and to record the handshake using readily available tools.
Once an attacker has it, he no longer needs to be near the wireless network to perform a brute force attack on the captured file. For example, he can carry out a dictionary attack , in which all kinds of possible passwords are tried at great speed. A relatively simple password does not require particularly heavy hardware. There are several large glossaries on the Internet specifically aimed at cracking wpa2 passwords. Obtaining a handshake was often facilitated by simply taking a user off a wireless network with a deauthentication attack and then reconnecting. This attack must be made more difficult in wpa3 by usingprotected management frames.
According to Vanhoef, the updated handshake does not mean that an attacker no longer has any options to retrieve the password. “For example, he could try out different handshakes one by one. Then he has to be nearby. But it is also possible to build in protection against this, for example because a router has a limit on the allowed number of incorrect attempts.”
Crack and implementations
When asked whether the new handshake immediately eliminates Krack, Vanhoef replies: “Dragonfly does not avoid Krack, but the Wi-Fi Alliance will test it in the certification program. It has also been doing this since January within the wpa2 certification program. .” The alliance is therefore continuing those tests at wpa3.
Vanhoef not only investigated the handshake of wpa2, but also looked at its implementation in the past . He did this by applying fuzzing . When asked whether this approach is also suitable for wpa3, he says that his project is ‘certainly worth repeating’. The researcher also points out another point that may be important for the safety of the new handshake. “It is good that wpa3 is now available, but there was discussion about its creation. There are better alternatives to the Dragonfly handshake that has now been chosen.”
When asked where this handshake falls short, Vanhoef returns to the implementation by manufacturers. “It is more likely that [Dragonfly, ed.] implementation errors occur. These could then, for example, enable a timing attack , with which an attacker could find out details about the password.” In addition, Vanhoef is critical of the closed attitude of the Wi-Fi Alliance. For example, it would have been better to let the wpa3 process go public instead of behind closed doors.
Missed opportunity
Vanhoef has previously called the wpa3 certification program a ‘missed opportunity’ in a blog post . For example, he would have liked to see EasyConnect included in the program instead of offering it as an optional extra program. “A name like EasyConnect means little to an average user. So now you also have to pay attention to that second label. It would have been better if this had also been included in wpa3, so that you could have told people that they only need to use that one name to watch.”
When asked about other examples, Vanhoef replies that mac address randomizationcould have been included in wpa3. This offers protection against tracking based on the MAC address. “Operating systems, for example, already use this technique, something like that would have been useful. It could also have been placed under the wpa3 umbrella.” Finally, the program could have pushed people not to set their SSID to “hidden.” For example, by making this less easy in the configuration options of routers. According to Vanhoef, this would also benefit the privacy of users. He explains that if people hide their SSID, their devices will actively search for that network at certain intervals. This can be picked up by others. “If you have a fairly unique name for your wireless network, that makes it easier to follow,” says Vanhoef.
Finally
It looks like the security of wireless networks will improve with the introduction of wpa3, although it cannot be assumed that all possible shortcomings have been eliminated. Moreover, it will probably take some time before wpa3 has caught up with its predecessor. The transition should be facilitated by a transition mode , where access points support both wpa3 and wpa2 devices. However, legacy protocols such as tkip are excluded.