Wi-Fi Protected Access 2, or WPA2, had a good run. But after 14 years as the go-to wireless security protocol, cracks inevitably start to show. That’s why, over the summer, the Wi-Fi Alliance announced the protocol’s successor, WPA3, after teasing its capabilities in press releases since the beginning of the year.
But the Wi-Fi Alliance, which is the organization responsible for certifying products that use Wi-Fi, might not have done everything it could have done to bring wireless security entirely up to date, at least according to one outside researcher. Mathy Vanhoef, the researcher at KU Leuven in Belgium who discovered the WPA2-crippling KRACK attack in 2016, believes the Wi-Fi Alliance could have done a better job of investigating alternatives for security protocols and certifications.
The big change from WPA2 to WPA3 is in the way devices greet a router or other access point to which they are trying to connect. WPA3 introduces a greeting, or handshake, called a Simultaneous Authentication of Equals (SAE). There are more details in this post, but the upshot is that SAE, also known as a dragonfly handshake, prevents attacks (like KRACK) that interrupt the handshake method in WPA2. It ensures that the exchange of keys to prove each device’s identity can’t be interrupted by treating both the device and the router as equals, as the name implies. Previously, such exchanges had an inquirer (typically the device) and an authorizer (the router).
So SAE solves some big vulnerabilities of WPA2—an important step, but maybe not enough. According to Vanhoef, the scuttlebutt in the security community is that the dragonfly handshake will prevent debilitating attacks like KRACK, but questions remain regarding whether it is good enough beyond that.
Vanhoef says mathematical analyses of dragonfly handshakes suggest that they should be secure. “On the other hand, there were some comments and critiques [suggesting] that there were other options,” he says. “The chance that there could be some small issues is higher than with other handshakes.”
One concern that’s been raised is the possibility of side-channel attacks, specifically timing attacks. While SAE is resilient to attacks that interrupt the greeting directly, it could be vulnerable to more passive attacks that observe the timing of the authentication and glean some information about the password based on that.
In 2013, researchers at Newcastle University found in their cryptanalysis of SAE that the handshake is vulnerable to so-called small subgroup attacks. These attacks force the keys exchanged by the router and the connecting device to be limited to a much smaller, more solvable subgroup of options than the very large amount traditionally available. To patch this vulnerability, the researchers suggested that SAE be augmented with an additional key validation step, sacrificing some of the handshake’s efficiency in the process.
SAE does protect against the attacks that exploited WPA2’s shortcomings though. Kevin Robinson, the Vice-President of Marketing for the Wi-Fi Alliance, says it renders offline dictionary attacks impossible. These attacks are possible when an attacker can test thousands or hundreds of thousands of possible passwords in quick succession without raising the network’s suspicions. SAE also offers forward secrecy—if an attacker does gain access to a network, any data sent to or from the network before that point will remain secure, which was not the case in WPA2.
When the Wi-Fi Alliance first announced WPA3 in a press release last January, they announced a “suite of features” to improve security. The release hinted at four features in particular. One, SAE, became the core of WPA3. Another, a 192-bit encryption scheme, is optional for large corporations or financial institutions making the switch to WPA3. The other two features never made it to WPA3.
The features that didn’t make the cut exist as entirely separate certification programs. The first, Easy Connect, makes it simpler for users to connect their IoT devices to their home networks. The other, Enhanced Open, provides more protection for open networks, like the ones at airports and coffee shops.
