The network type WPA has been upgraded once since its inception in 1999. In 2004, it was replaced by WPA2, which has stood as the standard for highly secure wireless networks ever since. To say that the technology market has changed significantly since this time would be a gross understatement, but for most of this time, WPA2 with 802.1X authentication has been a near-impenetrable network type when configured properly. However, the monetary value of data is continually increasing and drawing more and more people to hacking and data theft. Sophisticated tactics, outdated tech, missing patches, and the ingenuity of people have exposed weaknesses in WPA2’s defense and prompted the upgrade to WPA3. How does this new network type improve upon past iterations, and how must your wireless network change to adapt to the upcoming standard in secure wireless?
Why Has WPA3 Taken So Long?
An intuitive question to ask about WPA networks is why has the upgrade from WPA2 to WPA3 taken 14 years? The short answer to this question is simple; don’t fix what isn’t broken. For over a decade, WPA2 has been the network security standard that prevents a huge range of attacks. It was not until the last couple years that WPA2 exposed some vulnerabilities, but even these were not a major detriment to WPA2. Attackers would take advantage of users with improperly configured devices or security lapses within old and outdated devices to break into WPA2. If your users are properly configured and your network does not host devices with weak security, WPA2 is highly effective. So if WPA2 is still secure and only vulnerable in preventable circumstances, how does WPA3 improve upon the two major types of WPA2 networks: WPA2-PSK and WPA2-Enterprise?
WPA3 Vs. WPA2-PSK?
To connect to a WPA2-PSK network, users are authorized access by obtaining a Pre-Shared Key (PSK), or password. A major improvement that WPA3-PSK will offer is the introduction of Simultaneous Authentication of Equals (SAE). At its core, SAE requires user interaction every time they enter credentials. This small addition is a foolproof method for denying dictionary attacks. When an attacker executes a dictionary attack, they will instantaneously send countless software-generated credentials in hopes that one is correct and grants access. With SAE, a unique key is established each time the user and server interact. Without SAE, a single key is used to establish trust. If an attacker obtains that key, each password attempt will be trusted, and they can send virtually unlimited password attempts. By requiring a new, unique key with each attempt, an attacker can only make one dictionary attack guess at a time, rendering the attack useless.
Another of WPA2-PSK’s weak points that will be addressed is eliminating the use of vulnerable legacy protocols. Networking is a combination of countless tools, software, and protocols working together seamlessly. While each component has a specific task, they work in conjunction towards specific goals; in this case, that goal is protecting the network. As technology ages, it generally becomes less secure and could be a weak point in the network’s security. WPA3 will have specific protocols that are acceptable to be used with it to guarantee stronger overall security.
An important vulnerability to address is the ability of attackers to imitate the identity of a network AP. Someone could claim the identity of the AP by creating a forged management frame that targets network users. A management frame permits a wireless client to communicate with an AP. By disrupting this process and acting as if they are the AP, it becomes easy to convince users to give up valuable information because they believe it is the legitimate network. WPA3 requires the use of Protected Management Frames (PMF) to prevent the unauthorized use of management frames. An attacker attempting to create a forged management frame would be thwarted and unable to complete the attack.
How Does WPA3 Improve WPA2-Enterprise?
WPA2-Enterprise with 802.1X allows admins to choose how they will authenticate network users; either with EAP-TLS digital certificates or credentials. Compared to credentials, certificates are a far superior form of security. While certificates can be configured to do many different things, a key component is how it is used for network security. Once a user has a valid certificate, they are automatically reconnected to the secure network every time. The user never has to enter a password to reconnect, and the certificate cannot be stolen by an outside attacker. If you’d like to learn more about the numerous benefits of certificates, click here.
When compared to WPA2-PSK, WPA2-Enterprise is a much more secure network type. Given that there are no credentials, SAE does not apply WPA2-Enterprise. Additionally, PMF are required for both WPA3 types. As a result, there are far fewer improvements for WPA3-Enterprise. It includes the optional use of 192-bit key security, increasing the complexity of keys used. If the network utilizes a RADIUS server, the network must be configured for server certificate validation. For WPA3-Enterprise, this is likely the largest improvement. When the configuration of WPA2-Enterprise is left to end users without onboarding software, misconfiguring or omitting server certificate validation leaves end users at high risk for over-the-air credential theft.
Overall, WPA3-Enterprise is not a major update because WPA2-Enterprise is still an effective and widely used secure network type, and will be for the foreseeable future. Since it doesn’t bring major improvements, it’s not likely to be a quick transition to WPA3. WPA3 can be configured on some older hardware, but it is not as universal as WPA2 and may require some organizations to implement upgrades to their network infrastructure. Also, many devices in use today are not compatible with WPA3 because it hadn’t been released when the device was manufactured. Although several upgrades and updates are slated for 2019 and 2020, it will take some time before all network users’ devices are compatible with the network type. The transition to WPA3 will not be overnight; it may take decades before it is a commonly used network type.
WPA2-Enterprise is Sticking Around For Now
The arrival of WPA3 networks is a long-anticipated upgrade that has become more necessary in recent years. However, WPA2 with 802.1X authentication continues to be sufficient security for most, although those that want a highly secure network will certainly benefit from WPA3. The improvements within WPA3 address many of the specific vulnerabilities that have plagued WPA2 in recent years.
Just because the world isn’t quite ready for WPA3 doesn’t mean your network needs to be insecure. SecureW2 has solutions to make your WPA2-Enterprise network as safe as possible. Check out our pricing information here.