WPA 3 - The new Wi-Fi Security Protocol

What is WPA 3?

WPA 3 is a new encryption standard, for WLANs based on IEEE specifications 802.11, and was introduced in June 2018 as an addition to the existing WPA 2 standard. This is essentially to improve authentication and encryption. WPA 2 is not intended to be eliminated by any means, but simply to further improve security and integrate new features. WPA 3 stands for Wi-Fi Protected Access 3. WPA 2 and WPA 3 are available in parallel, and WPA 2 continues to be developed further and implemented in devices. WPA 3 has simplified the configuration of WLAN devices and significantly increased security at public hotspots. Thanks to 192-bit encryption, WPA 3 is particularly suitable for wireless networks with the highest security requirements. This includes, for example, authorities, the military, governments or industrial companies. The KRACK security vulnerability of WPA 2 is eliminated by the improved handshake procedure of WPA 3 encryption.

WPA 3 Innovations and Improvements

The new features of WPA 3 can be divided into 4 areas. These are:

• A higher level of WLAN protection, even when using passwords that do not follow the recommendations for strong passwords.
• A simplified WLAN configuration, especially for devices that do not have their own screen.
• Improved security in public WLANs or guest WLANs thanks to individual encryption of data.
• The use of WPA 3 WLANs in particularly security-relevant areas thanks to 192-bit encryption.

The security of the key exchange with the handshake method is ensured by implementing the so-called Dragonfly protocol with Simultaneous Authentication of Equals (SAE). This ensures security even when weak passwords are used. The handshake procedure makes brute-force or dictionary attacks impossible, and the KRACK attack method is also rendered ineffective.
With regard to public hotspots or guest WLANs, the Opportunistic Wireless Encryption method (OWE) is used. This method is based on RFC 8110 and allows data to be encrypted even without a password. In comparison, WLAN access points and WLAN clients use a pairwise master key (PMK) that can only be used once. In this case, each connection uses an individual and unique key to encrypt the data. This makes it impossible for unauthorized persons to read data in a public network. Man-in-the-middle attacks are minimized.
Due to the new 192-bit encryption of WPA 3, which places higher demands on the computing capacity of the WLAN interfaces, new hardware will probably be required in many cases and older devices in particular will therefore not receive an upgrade to WPA 3.

How do I enable WPA 3?

In order to use WPA 3 in the home WLAN network, you should know the requirements. From the device side, the operating system as well as the driver of the device must support WPA 3.

• Windows 10: Support from version 1903, different for device drivers.
• macOS: support from version 10.15.
• iOS and iPadOS: Support from version 13.
• Android: Introduction of WPA 3 with Android 10. However, support may vary depending on the smartphone or tablet.

For FRITZ!Box and FRITZ!Repeater WPA 3 is available from FRITZ!OS 7.20. Enable WPA 3 can here under the security settings. The setting "WPA 2 + WPA 3" allows devices to connect with WPA 2 or also WPA 3.

WLAN Problems with WPA 3

Many users have had issues with WPA 3. WPA 3 enabled devices have often continued to connect with WPA 2 and some devices have stopped working on the WLAN altogether. If the device continues to connect to WPA 2, the solution is relatively simple: contrary to expectations, the device continues to connect to WPA 2. On the affected device, you now simply need to delete the existing WLAN and set up the WLAN connection again. After that, the device should now connect with WPA 3.
If the device no longer works with the WLAN, the problem is more difficult to solve: WLAN printers are often affected by this. With WPA 3 came the requirement of PMFs. However, if a client does not support PMFs, the only option is to return to WPA 2 or replace the device.
With the Fritzbox it is easy to test if PMFs are the problem: Simply set WPA 2 as encryption and disable PMFs in the security settings. Test the affected device and then enable PMFs and run the test again.

The Vulnerabilities of WPA 3

Shortly after the release of WPA 3 2018, a number of vulnerabilities were discovered in the handshake process. Access points and clients could find out the session key for the connection here in WPA3 personal mode. Potential attacks and vulnerabilities are based on design weaknesses in the Simultaneous Authentication of Equals (SAE) protocol. An attacker can use side-channel and downgrade attacks to read out secret information, reconstruct the WLAN password from it and thus decrypt the data traffic. The handshake between the access point and the client, which takes too long, is enough to calculate the password from a recording of the handshake. The prerequisite is sufficient computing power.

WPA 3 SAE - Simultaneous Authentication Equals

The WPA 2 Pre-Shared Key (PSK) feature is replaced by the Simulatneous Athentication Equals protocol of WPA 3, also called Dragonfly. SAE forms the basis for secure negotiation of the session key between WLAN client and access point. The actual secret is not transmitted at all with WPA 3, but only the result of a calculation. SAE ensures that if the WLAN password is known, no pre-recorded data packets can be subsequently decrypted.

The Advantages of WPA 3

Advantages of WPA 3 include:

• Old methods known to be insecure, such as WEP and TKIP, are no longer supported by WPA 3.
• Improved cryptography and more robust authentication.
• Easier configuration for devices without controls.
• Individual encryption for each device.
• Interoperability with WPA 2 devices.