WPA3 protocol: Should enterprises implement the changes?

The Wi-Fi Alliance this year introduced the long-awaited update to its Wi-Fi Protected Access specification, WPA3. What security enhancements are included in the WPA3 protocol? Should enterprises adopt it?

Like its precursors, the new version of the WPA3 protocol has two security modes: WPA3-Personal and WPA3-Enterprise. Both modes use modern security methods and have dropped the use of outdated legacy protocols.

WPA3-Personal is designed for personal Wi-Fi networks and is intended to offer protection against password-guessing attacks while also being more resilient. WPA3-Enterprise mode is designed to better protect sensitive data transmission over enterprise networks. Both WPA3 security modes remain backward-compatible with existing devices that support WPA2.

The WPA3-Enterprise version is the preferred user authentication technology for the government and finance sectors. WPA3-Enterprise mode uses the equivalent of 192-bit cryptographic strength with a combination of cryptographic protocols.

In the update, a set of four cryptographic tools replace Wi-Fi 802.1x for WPA2-Enterprise, and the tools are combined together to provide better protection against attacks, such as password cracking on Wi-Fi networks.

Among the additional cryptographic algorithms incorporated into WPA3-Enterprise are:

• Authenticated encryption with the 256-bit Galois/Counter Mode Protocol (GCMP-256), which better protects the integrity of messages sent to a group of destination computers simultaneously.
• Key derivation and confirmation using 384-bit Hashed Message Authentication Mode (HMAC) and HMAC-Secure Hash Algorithm (SHA) 384. The latter protocol is constructed from the SHA-384 hash function and is used as an HMAC.
• Key establishment and authentication using Elliptic Curve Diffie-Hellman Exchange (ECDHE) and 384-bit Elliptic Curve Digital Signature Algorithm. ECDHE is the Diffie-Hellman protocol that uses elliptic curve cryptography for faster performance. Most browsers support this protocol.
• Robust management frame protection using the 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code.

Overall, enterprises should adopt the new WPA3 security protocol in order to reduce the risks present in Wi-Fi networks and to ensure that client systems have drivers installed that support GCMP-256. If these drivers are not available, authenticated encryption of Wi-Fi traffic will not work properly.

The 256-bit protocols are not backward-compatible, and they disable support for all non-802.11ac clients and all 802.11ac clients that support the mandatory 128-bit cipher suites.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)