The network type Wi-Fi Protected Access (WPA) has been upgraded once since its inception in 1999. In 2004, it was replaced by WPA2, which has stood as the standard for highly secure wireless networks ever since. To say that the technology market has changed significantly since its inception would be a gross understatement, but for most of this time, WPA2 with 802.1X authentication has been a near-impenetrable network type.
However, the monetary value of data is continually increasing and drawing more and more people to hacking and data theft. Sophisticated tactics, outdated tech, missing patches, and the ingenuity of people have exposed weaknesses in WPA2’s defense and prompted the creation of WPA3.
WPA3 is still fairly new and is mostly used in highly sensitive environments such as governments and large corporations. But as more devices and infrastructure are built to accommodate WPA3, it will become more common in smaller organizations. If you are considering adopting WPA3-Enterprise, check out our blog where we test all the major operating systems against enterprise access points and weigh the costs and benefits, so you can decide whether it is right for your organization.
So how does this new network type improve upon past iterations, and how must your wireless network change to adapt to the upcoming standard in secure wireless?
The Migration from WPA2 to WPA3
An obvious question to ask about WPA networks is why the upgrade from WPA2 to WPA3 has taken 14 years. The answer is simple: WPA2-Enterprise has been a solid method for protecting your network. Though not without its faults (specifically WPA2-PSK, but more on that later), WPA2 has been the network security standard because it prevents a huge range of attacks, from brute force to man-in-the-middle.
It was not until the last couple of years that vulnerabilities in WPA2 were exposed, and even these were not a major detriment to WPA2. Attackers took advantage of improperly configured client devices or of security lapses in old and outdated devices to break into WPA2 networks. If your users' devices are properly configured and your network does not host devices with weak security, WPA2 is highly effective, mainly because of WPA2-Enterprise.
WPA2 Shortcomings
The primary reason for WPA2 shortcomings lies not with WPA2-Enterprise, but with WPA2-PSK. The problems with PSK revolve around the shortcomings of passwords.
To connect to a WPA2-PSK network, users are granted access by presenting a Pre-Shared Key (PSK), or password. Passwords have been around long enough that sophisticated attacks can bypass almost any system that relies on password security alone.
Since its release, PSK has been plagued with security vulnerabilities and is susceptible to offline dictionary attacks and brute-force attacks. Basically, an attacker can keep guessing passwords until they find a match, and with enough computing power can attempt an effectively unlimited number of password combinations.
To combat this, PSKs had to be long and complex strings of characters so they are harder to guess. However, this did not account for the human element. Requiring complex PSKs may be more secure, but complicated passwords are easy to forget or mistype. The result was many people writing down passwords, defeating the whole purpose of the security control.
When Will WPA3 Be Implemented?
We will probably see the migration to WPA3-PSK roll out over the next few years. Organizations are likely to start offering WPA3 once they have purchased new APs and their users have WPA3-compatible devices.
All major wireless solution providers support WPA3, both in their latest products and in their software releases. But WPA3 compatibility on end devices is still limited, especially at the hardware level. IoT devices also have to be accounted for, and since they can remain in service for years, it will probably be a while before WPA3-exclusive networks are practical. Expect a long transition period with both WPA2 and WPA3 devices connecting to your Wi-Fi.
How WPA3 Improves WPA2
So if WPA2 is still a viable security method, how exactly does WPA3 improve WPA2’s two modes: WPA2-PSK and WPA2-Enterprise?
WPA3-SAE
WPA3 replaces PSK with Simultaneous Authentication of Equals (SAE). At its core, SAE requires a live exchange with the network every time credentials are presented. This small addition is a foolproof method for denying offline dictionary attacks.
When an attacker executes a dictionary attack, they send countless software-generated credentials as fast as possible in the hope that one is correct and grants access. With SAE, a unique key is established each time the client and the network interact; without SAE, a single key is used to establish trust. If an attacker obtains that key, each password attempt is trusted and they can make virtually unlimited guesses. By requiring a new, unique key for each attempt, SAE limits an attacker to one guess per live exchange, rendering the attack useless.
Another WPA2-PSK issue that WPA3 addresses is the use of vulnerable legacy protocols. Networking is a combination of countless tools, software, and protocols working together seamlessly. While each component has a specific task, they work in conjunction towards a shared goal; in this case, that goal is protecting the network.
As technology ages, it generally becomes less secure and can turn into a weak point in the network's defenses. WPA3 specifies which protocols are acceptable and which are not, guaranteeing stronger overall security.
WPA3-Enterprise
There are far fewer improvements in WPA3-Enterprise because WPA2-Enterprise is still a secure method. WPA3-Enterprise includes an optional 192-bit security mode, increasing the strength of the keys used.
But the largest improvement is the requirement of server certificate validation when a RADIUS server is in use. In the past, organizations could omit server certificate validation, or they lacked onboarding software and end users misconfigured it themselves. WPA3-Enterprise closes this gap, because without server certificate validation end users are at high risk of over-the-air credential theft.
WPA3 and 802.1X Authentication
WPA2-Enterprise with 802.1X allows admins to choose how they will authenticate network users: either with digital certificates or with user credentials.
Certificates can be configured to do many different things, but a key component is how they are used for network security. Once a user has a valid certificate, they are automatically reconnected to the secure network every time. The user never has to enter a password to reconnect, and the certificate cannot be stolen by an outside attacker. If you’d like to learn more about the numerous benefits of certificates, click here.
When compared to WPA2-PSK, WPA2-Enterprise is a much more secure network type. Since there is no shared password to guess, SAE does not apply to WPA2-Enterprise. But for WPA3-Enterprise, new 802.1X upgrades have been developed to improve authentication security.
CNSA
The Commercial National Security Algorithm (CNSA) suite is a set of algorithms specified by the NSA to protect government information, and it is now an 802.1X configuration option introduced with WPA3.
CNSA requires specific algorithms that all provide about the same level of security. This eliminates potential 802.1X misconfigurations, cipher downgrades, and the mixing and matching of algorithms. For now, CNSA is only used by large enterprises that require strong security measures.
WPA3 and Wi-Fi Enhanced Open
Enhanced Open is an improvement for public venues that offer open Wi-Fi, such as coffee shops, bars, or any public place with a guest network. Many attackers have taken advantage of open networks to eavesdrop on others' connections and steal personal data.
Wi-Fi Enhanced Open provides Opportunistic Wireless Encryption (OWE), which is essentially an encrypted open network. To the user, nothing has changed: they connect to the open Wi-Fi, accept the terms, and gain access. Under the surface, OWE performs a Diffie-Hellman key exchange to derive a unique key known only to the connecting client and the AP. Since no other party knows the key, eavesdropping on the connection is impossible.
How does it relate to WPA3?
While Wi-Fi Enhanced Open is not technically part of WPA3, they are likely being released at the same time and seen as a “dynamic duo” of network security.
Using Digital Certificates with WPA3-Enterprise
The persistent myth about the hassle of digital certificates is outdated. It is true that certificates used to be difficult and expensive to implement on-premises, but managed Public Key Infrastructure (PKI) services have adequately addressed those issues. PKIs are cheaper to build now than they were a decade ago, and cloud-based options are more affordable and versatile than on-prem options.
Server Certificate Validation
Server Certificate Validation (SCV) will be required with WPA3-Enterprise, which may seem troubling for a lot of network administrators, but it’s actually a good thing.
We already saw the impact of SCV when Google required it in its Android update of December 2020. In short, SCV requires a device to verify the server's identity before completing the connection. While many organizations probably ignored it, SCV is a huge security improvement because it prevents users from connecting to the wrong server.
In the past, many organizations instructed their users to select the "Do not validate" setting as a workaround to avoid implementing proper EAP SCV. However, not validating puts users at risk of leaking their credentials. Google understood this and hopes that others will follow suit.
Organizations with WPA2-Enterprise have two ways to approach SCV: hire trained IT staff to help end users connect, or use a device onboarding service pre-built with SCV.
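As an added illustration that is not part of the original post or of SecureW2's products, the client-side choices discussed above are shown as wpa_supplicant network blocks: the "Do not validate" configuration beside one that pins the RADIUS server's CA and expected name, followed by the WPA3-Personal (SAE), Enhanced Open (OWE) and 192-bit Enterprise modes described earlier. wpa_supplicant is assumed as the client, and all SSIDs, identities, passphrases and file paths are placeholders.

```ini
# WEAK ("Do not validate" equivalent): no ca_cert and no name match, so the client
# completes EAP against any server that presents a certificate. An impostor AP can
# therefore capture the credential exchange (the over-the-air theft described above).
network={
    ssid="Corp-WiFi"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"                  # placeholder user
    password="placeholder-password"  # placeholder
    phase2="auth=MSCHAPV2"
}
# HARDENED: the same network with server certificate validation (SCV), as WPA3-Enterprise
# mandates. Validation fails closed: an untrusted CA or a name mismatch aborts TLS
# before any inner credentials are sent.
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"  # placeholder: CA that signed the RADIUS cert
    domain_suffix_match="radius.corp.example"    # placeholder: server cert name must end with this
    ieee80211w=2                                 # require Protected Management Frames
}
# WPA3-Personal: SAE replaces the WPA2-PSK password-derived key with a per-session key.
network={
    ssid="Home-WiFi"                 # placeholder
    key_mgmt=SAE
    sae_password="placeholder passphrase"
    ieee80211w=2                     # PMF is mandatory in WPA3
}
# Wi-Fi Enhanced Open: OWE derives a per-client key via Diffie-Hellman, no password.
network={
    ssid="Cafe-Guest"                # placeholder
    key_mgmt=OWE
}
# WPA3-Enterprise 192-bit mode (CNSA / Suite B) with certificate-based EAP-TLS.
network={
    ssid="Corp-WiFi-192"             # placeholder
    key_mgmt=WPA-EAP-SUITE-B-192
    eap=TLS
    identity="jdoe@corp.example"     # placeholder
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/ssl/certs/jdoe.pem"        # placeholder user certificate
    private_key="/etc/ssl/private/jdoe.key"      # placeholder private key
    domain_suffix_match="radius.corp.example"
    openssl_ciphers="SUITEB192"      # restrict TLS to the 192-bit Suite B cipher set
    ieee80211w=2
}
```

The difference between the first two blocks is exactly the SCV that WPA3-Enterprise makes mandatory; everything else about the user experience stays the same.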
Enrolling Devices with Certificates
Managed devices are easy to configure and enroll with certificates, but the same cannot be said for BYODs because they typically involve the end user. Plus, BYODs cover numerous operating systems (iOS, macOS, Windows, Android), each with its own configuration method.
Luckily, the JoinNow onboarding solution allows you to push a customizable configuration client with a foolproof self-enrollment wizard that guides the end user through the confusion of configuring their device. End users can download the JoinNow app and after clicking a few buttons, their device is configured for 802.1X and enrolled with a certificate. These certificates can be used to authenticate users for Wi-Fi, remote workers for VPN, and much more.
WPA2-Enterprise Still A Good Option
The arrival of WPA3 networks is a long-anticipated upgrade that has become more necessary in recent years. However, WPA2 with 802.1X authentication continues to provide sufficient security for most organizations, although those that want a highly secure network will certainly benefit from WPA3. The improvements within WPA3 address many of the specific vulnerabilities that have plagued WPA2 in recent years.
For now, WPA3 is mainly for large organizations with hundreds of thousands of devices to manage. But just because your organization might not be ready for WPA3 does not mean you should skimp on network security. SecureW2 has solutions to make your WPA2-Enterprise network as safe as possible. Check out our pricing page.