Wi-Fi security has been top of mind since Wi-Fi's inception over two decades ago. As Wi-Fi speeds climb ever higher, it is worth taking a moment to discuss how to ensure that the critical traffic you send through the air is not picked up by eavesdroppers, and that a malicious interloper cannot gain access to the infrastructure behind your Wi-Fi.

WEP (Wired Equivalent Privacy)

If you were in technology when the 802.11 protocol was ratified back in 1997, you would have been exposed to all sorts of esoteric security mechanisms (Cranite, Fortress, and a few others), but the flagship tool in the arsenal of the day was WEP, which came in 40- or 104-bit key lengths (commonly marketed as 64-bit and 128-bit WEP, figures that include the 24-bit IV). With its use of the RC4 cipher compromised in 2001, WEP was considered viably secure for only a very short time in the industry.

WPA (Wi-Fi Protected Access)

The industry needed newer encryption schemes, but these required hardware that older clients did not have. The 802.11 group was tasked with implementing a "more secure" method of encryption for older clients that would not be replaced. By using temporal keys to shore up the weakest parts of WEP, TKIP was born, and along with it WPA, Wi-Fi Protected Access. Still using RC4, but with temporal keys, WPA began a new era in Wi-Fi security that has continued to evolve ever since.

WPA2 (Wi-Fi Protected Access version 2)

The next evolution of Wi-Fi security occurred when hardware encryption offloading became commonplace in newer Wi-Fi adapters. This new hardware could support the compute-intensive AES encryption at high data rates. This became the foundation for WPA2, and WPA with TKIP was finally obsoleted. Since the 2004 ratification of WPA2, the industry has been working diligently to remove all traces of both WEP and TKIP (WPA1) from production environments.

It is worth noting that among the more esoteric combinations in the wild, you may find WPA1/AES or WPA2/TKIP in use, but those very uncommon configurations should be removed with all haste from modern networks.

WPA3 (Wi-Fi Protected Access version 3)

WPA3, ratified in 2018, has now been available for longer than WEP was available before it was compromised. WPA3, aside from obviously being the next iteration of Wi-Fi Security, brings several new features to the industry. All WPA3 networks:

  • Use the latest security methods
  • Disallow outdated legacy protocols
  • Require use of Protected Management Frames (PMF)

WPA3-Enterprise (802.1X authenticated Wi-Fi)

For 802.1X networks, there is no fundamental change in the way authentication functions in WPA3. WPA3 continues to support multiple EAP (Extensible Authentication Protocol) methods and makes PMF (Protected Management Frames) mandatory for all connections. This mode, which we expect all enterprises to operate for their critical Wi-Fi traffic, also supports:

  • Minimum 128-bit AES-CCMP for authenticated encryption
  • Minimum 256-bit HMAC-SHA256 for key derivation and confirmation
  • Minimum 128-bit BIP-CMAC-128 for robust management frame protection

In addition to the above, WPA3-Enterprise also defines a 192-bit mode that uses:

  • ECDH and ECDSA using a 384-bit elliptic curve for transport layer security
  • GCMP-256 for authenticated encryption
  • HMAC-SHA384 for key derivation and confirmation
  • BIP-GMAC-256 for robust management frame protection

The WPA3-Enterprise 192-bit mode is an optional mode of operation that requires hardware capable of handling the increased encryption demands. It is still uncommon in most enterprises today.

WPA3-Personal (shared password authenticated Wi-Fi)

WPA2 with a Pre-Shared Key is replaced by a more robust password-based authentication, Simultaneous Authentication of Equals (SAE). From an end-user perspective, there is no usability difference between WPA2-PSK and WPA3-Personal with SAE: the user selects an SSID and is prompted for a password. The password is shared out of band, and the Wi-Fi works for as long as that password remains valid. The move to SAE brings with it the following benefits:

  • Security is provided through easy-to-remember passwords
  • Improved protections with no change in the way the users connect to the network
  • Forward secrecy for data protection: traffic that was captured earlier stays protected even if the password is compromised later

Open (password-less Wi-Fi)

While the Wi-Fi Alliance strongly recommends that users connect to the most secure network available when away from their enterprise premises, this is not always possible. Guest Wi-Fi, arguably more pervasive than secured networks, remains a critical use case, and it too gets improvements with Enhanced Open (OWE). Enhanced Open Wi-Fi networks bring the following benefits to your enterprise:

  • Familiar "no password" interface for connecting to the Wi-Fi (select and go)
  • Data encryption of Guest Wi-Fi traffic
  • Full compatibility with existing captive portal-based functionality

Mandatory Adoption

Beyond "just being more secure", WPA3 is not merely an incremental bump in security: it is mandatory for any Wi-Fi operation in 6GHz (this includes Wi-Fi 6E, Wi-Fi 7, and beyond). This means that if you intend to deploy new infrastructure, you will run into blockers if you try to carry your legacy security configuration over to the new hardware. The Wi-Fi Alliance has coupled the demand for higher and faster speeds with the new security standards: if your enterprise operates Wi-Fi in 6GHz, it must operate WPA3. This is not the first time the Wi-Fi Alliance has mandated deprecation of a legacy security mode of operation:

  1. 802.11n modes of operation specifically prohibited WEP. If you configure WEP encryption on an 802.11n access point, the radio is downgraded to 802.11a/g modes of operation.
  2. In March of 2015 the Wi-Fi Alliance prohibited enabling TKIP from an infrastructure's primary configuration interface.

Transition Modes

Many vendors support a transition mode configuration that will retain compatibility with WPA2 configured clients while allowing WPA3 clients to connect. Transition modes vary by vendor implementation (some do not support it at all), but when in use, you should expect:

  • WPA2 compatibility in 2.4 and 5GHz
  • WPA3 compatibility in 2.4, 5, and 6GHz
  • WPA2 disallowed in 6GHz

When operating in transition mode, every legacy vulnerability present in WPA2 can still be exploited, so this mode of operation should only be used alongside a deliberate and actionable plan to retire the remaining WPA2-only clients expeditiously. No transition mode is recommended for long-term operation.
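To make the mode taxonomy above concrete, here is an added example (written for this article; it is not a hostapd or Wi-Fi Alliance tool) that audits hostapd-style BSS settings against the rules this primer lays out: WEP and WPA1/TKIP must go, WPA3-Personal, WPA3-Enterprise and Enhanced Open require PMF, the 192-bit mode needs GCMP-256 with BIP-GMAC-256, a BSS in 6GHz must be WPA3-only, and a WPA2/WPA3 transition BSS is flagged for retirement. The configuration keys (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee80211w, group_mgmt_cipher, op_class) are real hostapd.conf options; the sample configurations, the EXAMPLE-PASSPHRASE placeholder, the rule that an op_class of 131 or higher means a 6GHz BSS, and treating Enhanced Open as acceptable in 6GHz are assumptions made for this example.

```python
"""Audit hostapd-style BSS settings against the WPA3 rules in the primer.

Constructed example written for this article, not a hostapd or Wi-Fi Alliance
tool. The keys used are real hostapd.conf options; the sample configurations
and the rule "op_class 131 or higher means 6 GHz" are assumptions made here.
"""
from dataclasses import dataclass, field

SIX_GHZ_MIN_OP_CLASS = 131  # assumption: 6 GHz global operating classes begin at 131
WPA3_MODES = {"WPA3-Personal", "WPA3-Enterprise", "WPA3-Enterprise-192", "Enhanced Open"}
MESSAGES = {
    "LEGACY_WEP": "WEP is compromised; an 802.11n radio downgrades to 802.11a/g with it",
    "LEGACY_WPA1_TKIP": "WPA1 and/or TKIP configured: remove from production",
    "PMF_NOT_REQUIRED": "WPA3 requires Protected Management Frames (ieee80211w=2)",
    "TRANSITION_MODE": "WPA2 clients still admitted: every WPA2 weakness remains exploitable",
    "SUITE_B_CIPHERS": "192-bit mode needs rsn_pairwise=GCMP-256 and group_mgmt_cipher=BIP-GMAC-256",
    "NOT_WPA3_ON_6GHZ": "6 GHz requires WPA3: WPA2, open and legacy modes are not allowed here",
}

@dataclass
class Audit:
    mode: str
    pmf: str          # "none", "optional" or "required"
    band: str         # "6GHz" or "2.4/5GHz"
    findings: list = field(default_factory=list)

def parse_hostapd(text):
    """Minimal hostapd.conf reader: key=value lines; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_bss(text):
    """Classify one BSS and list the findings the primer's rules would raise."""
    conf = parse_hostapd(text)
    wpa = int(conf.get("wpa", "0"))          # 0 open, 1 WPA1, 2 WPA2/RSN, 3 both
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    # wpa_pairwise applies to the WPA1 IE, rsn_pairwise to the RSN (WPA2/WPA3) IE
    pairwise = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    pmf = {"1": "optional", "2": "required"}.get(conf.get("ieee80211w", "0"), "none")
    band = "6GHz" if int(conf.get("op_class", "0")) >= SIX_GHZ_MIN_OP_CLASS else "2.4/5GHz"
    findings = []

    if any(k.startswith("wep_key") for k in conf):
        mode, findings = "WEP", ["LEGACY_WEP"]
    elif wpa == 0:
        mode = "Open"
    elif wpa & 1 or "TKIP" in pairwise:      # also catches the WPA1/AES and WPA2/TKIP oddities
        mode, findings = "WPA/TKIP", ["LEGACY_WPA1_TKIP"]
    elif "OWE" in key_mgmt:
        mode = "Enhanced Open"
    elif "WPA-EAP-SUITE-B-192" in key_mgmt:
        mode = "WPA3-Enterprise-192"
        if "GCMP-256" not in pairwise or conf.get("group_mgmt_cipher") != "BIP-GMAC-256":
            findings.append("SUITE_B_CIPHERS")
    elif {"SAE", "WPA-PSK"} <= key_mgmt:
        mode, findings = "WPA3-Personal-transition", ["TRANSITION_MODE"]
    elif "SAE" in key_mgmt:
        mode = "WPA3-Personal"
    elif "WPA-EAP" in key_mgmt:
        # hostapd has no WPA3 switch: WPA3-Enterprise is WPA2-Enterprise with PMF mandatory
        mode = "WPA3-Enterprise" if pmf == "required" else "WPA2-Enterprise"
    else:
        mode = "WPA2-Personal"

    if mode in WPA3_MODES and pmf != "required":
        findings.append("PMF_NOT_REQUIRED")
    if band == "6GHz" and mode not in WPA3_MODES:
        findings.append("NOT_WPA3_ON_6GHZ")
    return Audit(mode, pmf, band, findings)

# Constructed sample BSS configurations; EXAMPLE-PASSPHRASE is a placeholder.
SAMPLES = {
    "legacy-mixed": "wpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\nrsn_pairwise=CCMP\n"
                    "wpa_passphrase=EXAMPLE-PASSPHRASE\n",
    "transition-6ghz": "op_class=131\nwpa=2\nwpa_key_mgmt=WPA-PSK SAE\nrsn_pairwise=CCMP\n"
                       "ieee80211w=1\nwpa_passphrase=EXAMPLE-PASSPHRASE\n"
                       "sae_password=EXAMPLE-PASSPHRASE\n",
    "wpa3-personal": "wpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\nieee80211w=2\n"
                     "sae_password=EXAMPLE-PASSPHRASE\n",
    "suite-b-incomplete": "# group_mgmt_cipher left at the default\nwpa=2\n"
                          "wpa_key_mgmt=WPA-EAP-SUITE-B-192\nrsn_pairwise=GCMP-256\nieee80211w=2\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        a = audit_bss(text)
        print(f"{name:20} {a.mode:26} PMF={a.pmf:8} band={a.band}")
        for code in a.findings:
            print(f"{'':20}  - {code}: {MESSAGES[code]}")
```

Running it prints one line per sample followed by its findings. The point to notice is that hostapd has no "WPA3" knob: WPA3-Personal is SAE key management plus ieee80211w=2, and WPA3-Enterprise is WPA-EAP plus ieee80211w=2, so leaving PMF at 0 or 1 quietly turns an intended WPA3 BSS into WPA2 with extras, which is the kind of legacy configuration that a 6GHz deployment will refuse.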

If you are just getting started on your WPA3 journey, this primer should round out the need-to-know differences to help you on the way.