Computer Security Researchers: WPA3 Could Have Been Better, Stronger

Wi-Fi Protected Access 2, or WPA2, had a good run. But after 14 years as the go-to wireless security protocol, cracks inevitably start to show. That’s why, over the summer, the Wi-Fi Alliance announced the protocol’s successor, WPA3, after teasing its capabilities in press releases since the beginning of the year.

But the Wi-Fi Alliance, which is the organization responsible for certifying products that use Wi-Fi, might not have done everything it could have done to bring wireless security entirely up to date, at least according to one outside researcher. Mathy Vanhoef, the researcher at KU Leuven in Belgium who discovered the WPA2-crippling KRACK attack in 2016, believes the Wi-Fi Alliance could have done a better job of investigating alternatives for security protocols and certifications.

The big change from WPA2 to WPA3 is in the way devices greet a router or other access point to which they are trying to connect. WPA3 introduces a greeting, or handshake, called a Simultaneous Authentication of Equals (SAE). There are more details in this post, but the upshot is that SAE, also known as a dragonfly handshake, prevents attacks (like KRACK) that interrupt the handshake method in WPA2. It ensures that the exchange of keys to prove each device’s identity can’t be interrupted by treating both the device and the router as equals, as the name implies. Previously, such exchanges had an inquirer (typically the device) and an authorizer (the router).

So SAE solves some big vulnerabilities of WPA2—an important step, but maybe not enough. According to Vanhoef, the scuttlebutt in the security community is that the dragonfly handshake will prevent debilitating attacks like KRACK, but questions remain regarding whether it is good enough beyond that.

Vanhoef says mathematical analyses of dragonfly handshakes suggest that they should be secure. “On the other hand, there were some comments and critiques [suggesting] that there were other options,” he says. “The chance that there could be some small issues is higher than with other handshakes.”

One concern that’s been raised is the possibility of side-channel attacks, specifically timing attacks. While SAE is resilient to attacks that interrupt the greeting directly, it could be vulnerable to more passive attacks that observe the timing of the authentication and glean some information about the password based on that.

In 2013, researchers at Newcastle University found in their cryptanalysis of SAE that the handshake is vulnerable to so-called small subgroup attacks. These attacks force the keys exchanged by the router and the connecting device to be limited to a much smaller, more solvable subgroup of options than the very large amount traditionally available. To patch this vulnerability, the researchers suggested that SAE be augmented with an additional key validation step, sacrificing some of the handshake’s efficiency in the process.

SAE does protect against the attacks that exploited WPA2’s shortcomings though. Kevin Robinson, the vice-president of marketing for the Wi-Fi Alliance, says it renders off-line dictionary attacks impossible. These attacks are possible when an attacker can test thousands or hundreds of thousands of possible passwords in quick succession without raising the network’s suspicions. SAE also offers forward secrecy—if an attacker does gain access to a network, any data sent to or from the network before that point will remain secure, which was not the case in WPA2.

When the Wi-Fi Alliance first announced WPA3 in a press release last January, it announced a “suite of features” to improve security. The release hinted at four features in particular. One, SAE, became the core of WPA3. Another, a 192-bit encryption scheme, is optional for large corporations or financial institutions making the switch to WPA3. The other two features never made it to WPA3.

The features that didn’t make the cut exist as entirely separate certification programs. The first, Easy Connect, makes it simpler for users to connect their IoT devices to their home networks. The other, Enhanced Open, provides more protection for open networks, like the ones at airports and coffee shops.

“The Wi-Fi Alliance, I think, purposefully kept their press release at the beginning of the year vague,” says Vanhoef. “They didn’t promise anything would be part of WPA3. The speculation was that all of it would be mandatory. Only the dragonfly handshake is mandatory, which is a shame, I think.”

Vanhoef’s worry is that three separate certification programs—WPA3, Easy Connect, and Enhanced Open—will confuse users rather than covering them all under the WPA3 umbrella. “You have to tell ordinary users to use Easy Connect and Enhanced Open,” he says.

For its part, the Wi-Fi Alliance believes the separate certification programs will reduce user confusion. “It’s important for the user to understand there is a difference between WPA3 and Enhanced Open, which is still ultimately an open network,” says Robinson. Likewise, he says the industry groups that make up the Wi-Fi Alliance felt it was important for Easy Connect to offer streamlined connections to devices that still used WPA2, rather than limit it to new devices.

Still, regardless of whether users are confounded or reassured by the Wi-Fi Alliance’s suite of new certification programs, Vanhoef believes the Wi-Fi Alliance could have been more open about its selection process. “They did it in a closed manner,” he says. “It made it hard for the security experts and cryptographers to comment on it,” leading to the concern over SAE’s potential vulnerabilities and the multiple certification programs.

Vanhoef also points out that an open process could have resulted in an even stronger WPA3. “What we see a lot is a very secretive process,” he says. “And then we find out the security is very weak. In general, we’ve found it’s better to be open.”