WPA3 security has now been with us for three years. The Wi-Fi Alliance mandates support for WPA3 security for the Wi-Fi 6 certification, meaning that all 802.11ax radios must support WPA3. Furthermore, as of July 1, 2020, the Wi-Fi Alliance mandates support of WPA3 security for all future certifications. In other words, the bulk of the Wi-Fi radios currently hitting the market support WPA3.
The adoption of WPA3 is another matter. Most enterprise WLAN access points fully support WPA3; however, in most cases, WPA2 is still used in the 2.4 and 5 GHz frequency bands. Despite the transitional modes offered by WPA3 for backward compatibility, currently, tactical deployments of WPA3 security are rare in the enterprise. The question is, why? And the answer is simple. The biggest issue is the problems caused by legacy client devices. I will explain, but first, let’s summarize the enhancements that WPA3 security offers.
In August 2019, the Wi-Fi Alliance began testing APs and clients for the Wi-Fi Certified WPA3 certification. Wi-Fi Protected Access 3 (WPA3) defines enhancements to the existing WPA2 security capabilities for 802.11 radios. It supports new security methods, disallows outdated legacy protocols, and requires the use of management frame protection (MFP) to maintain the resiliency of mission-critical networks. WPA3-Personal leverages Simultaneous Authentication of Equals (SAE) to protect users against password-guessing attacks. WPA3-Enterprise now offers an optional equivalent of 192-bit cryptographic strength.
By far, the most significant change defined by WPA3 is the replacement of PSK authentication with Simultaneous Authentication of Equals (SAE), which is resistant to offline dictionary attacks. SAE is based on a Dragonfly key exchange. Dragonfly is a patent-free and royalty-free technology that uses a zero-knowledge proof key exchange, which means a user or device must prove knowledge of a password without revealing the password. Think of SAE as a more secure PSK authentication method. The goal is to provide the same user experience by still using a passphrase. However, the SAE protocol exchange protects the passphrase from brute-force dictionary attacks. The passphrase is never sent between Wi-Fi devices during the SAE exchange.
As shown in Figure 1, an SAE process consists of a commitment message exchange and a confirmation message exchange. The commitment exchange is used to force each radio to commit to a single guess of the passphrase. Next, the confirmation exchange is used to prove that the password guess was correct. The passphrase is used in SAE to deterministically compute a secret password element used for the authentication and key exchange protocol. Once the SAE exchanges are complete, a unique pairwise master key (PMK) is derived and installed on both the AP and the client station. The PMK is the seeding material for the 4-Way Handshake that is used to generate dynamic encryption keys. SAE authentication is performed prior to association. Once the PMK is created and the association process completes, the AP and the client can then commence a 4-Way Handshake to create a pairwise transient key (PTK). The PTK is the dynamically generated key used to encrypt unicast traffic.
Figure 1 - Simultaneous Authentication of Equals
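The commit and confirm exchange described above, condensed into a runnable Python model. This is an added example, not the page's own code or a real Wi-Fi implementation: it assumes a toy finite-field group in place of SAE's elliptic-curve group, a simplified password-element derivation and key derivation, and two constructed MAC addresses. What it shows is that only the commit scalar and element ever cross the link, that both sides still arrive at the same PMK, and that a mismatched passphrase fails the confirm check instead of handing an eavesdropper something to test offline.

```python
import hashlib, hmac, secrets
# Toy safe-prime group (P = 2Q + 1, both prime), found deterministically at import so the
# Dragonfly arithmetic stays readable. Real SAE uses a 256-bit elliptic curve; no security here.
def _prime(n):  # Fermat test with fixed bases: adequate for picking a demo group
    return all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13, 17, 19, 23))
Q = next(q for q in range(2**63 + 1, 2**64, 2) if _prime(q) and _prime(2 * q + 1))
P = 2 * Q + 1
def enc(v):  # fixed-width encoding of scalars and elements for hashing
    return v.to_bytes(9, "big")

def password_element(passphrase, mac_a, mac_b):
    """Simplified PE derivation: bind the passphrase and both MACs to a subgroup element. Real SAE
    uses hunting-and-pecking or hash-to-element; here x is in [2, P-2], so x^2 is never the identity."""
    lo, hi = sorted((mac_a, mac_b))
    seed = hmac.new(hi + lo, passphrase, hashlib.sha256).digest()
    return pow(int.from_bytes(seed, "big") % (P - 3) + 2, (P - 1) // Q, P)

def make_commit(pe):
    """Commit message (scalar, element): only these go on the air; rand, mask and PE stay local."""
    while True:
        rand, mask = secrets.randbelow(Q - 2) + 2, secrets.randbelow(Q - 2) + 2
        if (scalar := (rand + mask) % Q) > 1:  # RFC 7664: the scalar must lie in [2, Q-1]
            return rand, (scalar, pow(pe, Q - mask, P))  # element = PE^(-mask)

def derive_keys(pe, rand, own, peer):
    """Process the peer's commit; both sides reach k = PE^(rand_own * rand_peer) and get (KCK, PMK)."""
    if not (1 < peer[0] < Q and 1 < peer[1] < P and pow(peer[1], Q, P) == 1):
        raise ValueError("invalid commit")  # out-of-range scalar or element outside the subgroup
    k = pow(pow(pe, peer[0], P) * peer[1] % P, rand, P)  # peer's element cancels the peer's mask
    keyseed = hashlib.sha256(enc(k)).digest()
    ctx = enc((own[0] + peer[0]) % Q)
    kck = hmac.new(keyseed, b"SAE KCK" + ctx, hashlib.sha256).digest()
    pmk = hmac.new(keyseed, b"SAE PMK" + ctx, hashlib.sha256).digest()  # seeds the 4-Way Handshake
    return kck, pmk

def confirm(kck, first, second):
    """Confirm message: MAC over both commits under KCK; the verifier recomputes it with its own KCK."""
    return hmac.new(kck, b"".join(map(enc, first + second)), hashlib.sha256).digest()

def sae_handshake(sta_pass, ap_pass):
    """Station/AP exchange with constructed MACs; returns (both_confirms_verified, pmks_match)."""
    sta_mac, ap_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sta_pe, ap_pe = password_element(sta_pass, sta_mac, ap_mac), password_element(ap_pass, ap_mac, sta_mac)
    (sta_rand, sta_commit), (ap_rand, ap_commit) = make_commit(sta_pe), make_commit(ap_pe)
    sta_kck, sta_pmk = derive_keys(sta_pe, sta_rand, sta_commit, ap_commit)
    ap_kck, ap_pmk = derive_keys(ap_pe, ap_rand, ap_commit, sta_commit)
    # Each side checks the other's confirm with its own KCK, listing the sender's commit first.
    ok = hmac.compare_digest(confirm(sta_kck, sta_commit, ap_commit), confirm(ap_kck, sta_commit, ap_commit)) \
        and hmac.compare_digest(confirm(ap_kck, ap_commit, sta_commit), confirm(sta_kck, ap_commit, sta_commit))
    return ok, sta_pmk == ap_pmk
```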
WPA3-Personal enhances Wi-Fi security for home users and environments where 802.1X is not an option. From the perspective of the user, the connection experience remains the same. A passphrase is still used to connect; however, the SAE protocol exchange protects the passphrase from brute-force dictionary attacks. WPA3-Personal defines two modes of operation:
Unlike WPA3-Personal, where an entirely new authentication method has been designated, WPA3-Enterprise still leverages 802.1X/EAP for enterprise-grade authentication. In other words, the enterprise-grade authentication process remains the same. The two main enhancements are support for MFP and an optional enhanced cryptographic mode. WPA3-Enterprise defines three modes of operation:
So, the more robust security sounds great, and one might assume that most enterprises are now all using WPA3. In reality, the adoption of WPA3 security in the enterprise remains sparse in the 2.4 and 5 GHz frequency bands. The bulk of the enterprise Wi-Fi client population supports and continues to use WPA2 security. Despite the transitional modes offered by WPA3 for backward compatibility, currently, tactical deployments of WPA3 security are rare in the enterprise. Once again, the question is why?
In the enterprise, hardware refresh cycles are typically about every 4-5 years for access points. However, client devices stick around a lot longer, and refresh cycles for client devices can be as long as 10 years. The good news is that in most cases, a hardware upgrade is not needed, and WPA3 security can be available via a simple firmware update. However, there are still problems. Even though WPA3 firmware upgrades are possible for older client devices, most vendors may never offer a WPA3 firmware update for a client device three or more years old. In other words, you might still be using client devices from 2015, and there is no WPA3 firmware update available.
OK, so you cannot have a “pure” WPA3 security environment in the 2.4 and 5 GHz frequency bands; the answer, then, is to use the transitional modes that allow WPA2 clients to connect to the same SSID as WPA3 clients. These transition modes sound great… right? In theory, WPA2 and WPA3 clients can live harmoniously together on the same SSID. But in the real world, many enterprises have quickly discovered that legacy clients often have connectivity issues despite the promise of co-existence offered by the transition modes. I refer you to a blog that I wrote, Backward Compatibility: The Double-Edged Sword of Wi-Fi Performance and Connectivity.
Many enterprises have quickly discovered that when transition modes are enabled, many legacy clients that support WPA2 begin to have connectivity issues. For whatever reason, the legacy client drivers do not play nice with the transition SSID and cannot connect.
If clients cannot connect to an SSID that supports both WPA3 and WPA2, the enterprise will almost certainly roll back to WPA2 security. In truth, any enterprise using WPA2-Enterprise with 802.1X security is only sacrificing the mandated management frame protection of WPA3-Enterprise. However, we should always strive for the best security, and WPA3 offers the best protection.
So how do you solve this problem, and how can we offer WPA3 in the 2.4 and 5 GHz frequency bands? The easy answer is to control the client population and replace all the legacy clients, thus ensuring all clients support WPA3. That is easier said than done. Despite often spending millions on WLAN infrastructure upgrades, enterprises find that client upgrades drag on for years. Also, we live in a bring-your-own-device (BYOD) world. Most enterprises cannot mandate what devices employees bring to the office. Bottom line, for the time being, most enterprises are still choosing to use WPA2 security in the 2.4 and 5 GHz frequency bands. Later in this blog, I will discuss how the introduction of the 6 GHz frequency band may eventually drive stronger security in the legacy bands.
Traditionally, Wi-Fi hotspots and guest WLANs have used open security without encryption or authentication. (Although Passpoint security is catching on fast in the Wi-Fi public access marketplace.) The Wi-Fi CERTIFIED Enhanced Open certification defines improved data privacy in open Wi-Fi networks. This certification is based on the Opportunistic Wireless Encryption (OWE) protocol. OWE is defined in IETF RFC 8110. The OWE protocol integrates established cryptography mechanisms to provide each user with unique individual encryption, protecting the data exchange between the user and the access point. As shown in Figure 2, standard open authentication and association occur, and then the 4-Way Handshake process generates the necessary keys for encryption.
Figure 2 - Opportunistic Wireless Encryption
The OWE experience for the user is the same as open security because there is no need to enter a password or passphrase before joining the network. Data privacy is provided, and malicious eavesdropping attacks are mitigated because the 802.11 data frames are encrypted. But please understand that there is zero authentication security. Enhanced Open is not part of WPA3 and is an entirely different and optional security certification for 2.4 GHz and 5 GHz frequency bands. There are two modes of operation for OWE:
You should understand that Enhanced Open meets only half of the requirements for well-rounded Wi-Fi security. OWE does provide encryption and data privacy, but there is no authentication whatsoever. As previously mentioned, Enhanced Open is an optional security certification for the 2.4 and 5 GHz frequency bands. As a result, many WLAN vendors still do not support OWE, and client-side support is marginal at best. For example, as of this writing, iPhones still do not support OWE. And trust me, nobody wants to use the “two-SSID” solution required by Enhanced Open transition. Therefore, tactical deployments of OWE in the 2.4 and 5 GHz frequency bands are currently almost non-existent in the enterprise.
There are security considerations when deploying Wi-Fi in the 6 GHz frequency band. The Wi-Fi Alliance requires WPA3 security certification for Wi-Fi 6E devices that will operate in the 6 GHz band. However, there is no backward compatibility support for WPA2 security. Furthermore, the Enhanced Open certification, which provides Opportunistic Wireless Encryption (OWE), is also mandated in 6 GHz.
As a result, there are some key 6 GHz security takeaways:
But what are the critical takeaways when implementing Wi-Fi security in the 6 GHz band?
Figure 3 - Different SSIDs and Security across three frequency bands
One potential drawback of this scenario is that it prohibits inter-band roaming (roaming between frequency bands). A newer Wi-Fi 6E client can potentially roam between all three bands if the same SSID with the same security is used. Inter-band roaming is not always a good thing; segmenting users by frequency band often has advantages. However, if inter-band roaming is a requirement, a WPA3-only SSID could be deployed across the bands, while a WPA2-only SSID could still be offered on the legacy bands.
I think it will take time, but the anticipated wide adoption of 6 GHz enterprise deployments hopefully will accelerate the transition to WPA3 security in the other frequency bands. In the meantime, I expect various levels of security across the three bands.
And guess what? Wi-Fi 7 will also change the dynamic further. In the near future, Wi-Fi 7 will use a multi-link discovery and setup process that will allow for the use of the same dynamically generated encryption key across all three bands. I will discuss the implications of multi-link operation (MLO) in future blogs.