
Wi-Fi Alliance Introduces Wi-Fi Certified WPA3 Security - nikolay
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-wi-fi-certified-wpa3-security
======
amluto
I'm not optimistic. I believe that the underlying crypto protocol is this:

[https://ieeexplore.ieee.org/document/4622764/](https://ieeexplore.ieee.org/document/4622764/)

It's "secure authentication of equals", which is a protocol that kind of looks
like it's trying to be a PAKE (Password Authenticated Key Exchange), but the
paper does not mention PAKE anywhere in its abstract, and I'm not at all
confident that SAE's design or analysis takes into account the properties that
PAKE protocols should have.

I think that the original WPA key exchange was supposed to use the SRP
protocol, which is a PAKE, but that was dropped due to patent issues. Since
then, as I understand it, quite a few very nice PAKE protocols have had their
patents expire, so I don't see what the problem is now.

So color me extremely skeptical.

~~~
tptacek
That's a Dan Harkins protocol; Harkins is a little notorious for Dragonfly, a
PAKE he tried to get "approved" by IETF CFRG before being slagged by Trevor
Perrin†, who wrote up a particularly simple and nasty side channel attack on
the elliptic curve point generation technique Dragonfly used. SAE includes
what looks like the same "hunt-and-peck" point generator.

† [https://www.ietf.org/mail-
archive/web/tls/current/msg10922.h...](https://www.ietf.org/mail-
archive/web/tls/current/msg10922.html)

 _Later_ :

All I ever read about the Dragonfly PAKE was trevp taking it apart on CFRG,
but from a quick skim of this paper and the IETF draft Harkins wrote for
Dragonfly, this looks like it's just an instantiation of Dragonfly.

That would be pretty funny.

What is it about WiFi security that makes it such a backwater?

~~~
ergothus
I don't think I've ever heard cryptosecurity disputes being described in such
a...visceral manner.

~~~
pvg
Visceral would be 'fetid pile of maggot-ridden pig intestines'. 'Backwater' is
practically bucolic.

~~~
tptacek
I assumed they were referring to Trevor's IETF posts; the Igoe and Dragonfly
comments he posted are about as intemperate as I've ever seen him, in any
venue. He is not an angry dude.

~~~
pvg
Oh! I only read the first thing you linked at first so maybe misunderstood. It
does heat up a bit after but only seems 'visceral' in the way showing a bit of
ankle is 'racy'. Then again, I don't know anything about the civility baseline
of the list or people involved.

~~~
twr
I mean, if you want visceral, there is this shameful email from Dan Harkins:

[https://www.ietf.org/mail-
archive/web/tls/current/msg10971.h...](https://www.ietf.org/mail-
archive/web/tls/current/msg10971.html)

~~~
pvg
I didn't really follow it very far, I did notice Dan Harkins quickly got
assholier-than-thou. But there's no shortage of crypto or general tech talk
that is worse.

------
excalibur
> Wi-Fi Alliance is also introducing Wi-Fi CERTIFIED Easy Connect™, a new
> program that reduces the complexity of onboarding Wi-Fi devices with limited
> or no display interface – such as devices coming to market for Internet of
> Things (IoT) – while still maintaining high security standards. Wi-Fi Easy
> Connect™ enables users to securely add any device to a Wi-Fi network using
> another device with a more robust interface, such as a smartphone, by simply
> scanning a product quick response (QR) code. Wi-Fi Easy Connect and WPA3
> represent the latest evolution in Wi-Fi Alliance programs to ensure users
> receive a positive experience while remaining securely connected as the
> security landscape evolves.

This is highly reminiscent of WPS. The language indicates that they've learned
their lesson and focused on making the standard secure, at least in theory.
Time will tell how well it's implemented, but history says to be skeptical and
disable it for the time being.

~~~
sandworm101
It is allowing any device already on the network to vouch for new devices.
What could possibly go wrong? WPS had flaws in its implementation, but was
reasonable on a theoretical level. This seems foolhardy at best.

WPA2, when properly implemented, is very secure. I'm not sure of WPA3's real
purpose. Is strong encryption of wifi signals of any benefit? The days of
banking passwords being send in html gets should be behind us. Anything
important will be protected by other encryption layers than wifi. Is WPA3
meant to protect unauthorized network access? WPA2 isn't exactly easy to
crack. Do we really need a new scheme, and the inevitable new flaws that come
with it? Or is this really about streamlining the user experience, about
making wifi that little bit less complicated, so that people can attached
their smart toasters to the home network without having to actually remember
the password.

To clarify for those who obviously do not understand the difference between
protocol and concept implementation: Errors in the protocol would have been
inconsequential if WPS was implemented properly. Had it not been left on 24/7,
the temporary use of shorter keys would have been a good thing. It would have
allowed home networks to adopt much more complex keys without having to type
them into every new device (a big deal on things like printers which didn't
have keyboards). WPS could have contributed to greater WPA2 security. But
instead the concept was improperly _implemented_ , allowing the inevitable
errors discovered in the adopted protocol to be leveraged.

~~~
d33
> WPA2, when properly implemented, is very secure

Not really:

[https://github.com/d33tah/call-for-wpa3/](https://github.com/d33tah/call-for-
wpa3/)

~~~
gruez
>Anyone can disconnect you

so can someone with a jammer. I'm not sure how a protocol upgrade would
protect against that.

>The password can be cracked offline

true, but the solutions presented don't really address the issue. they're
variants of key stretching (using a better kdf, mandating stronger passwords,
etc.). at the end he mentions "Contemporary cryptography provides tools that
could solve this problem.", but that's hand wavy at best. i'm not quite sure
it's even possible to implement such a feature in a PSK setting.

>Once you know the password, you can sniff traffic and spoof anyone

>This problem could be solved by using Diffie–Hellman key exchange (DH).

Doubt it. DHE does not offer protection against MITM attacks, which an active
attacker can certainly do with a powerful enough antenna.

>From the user's perspective, unless you really know what you're doing, I
advise you not to browse any sensitive websites (especially banking) over
wireless

this is fearmongering. most "sensitive" websites already use https, which
makes this an non-issue.

>It won't let you secure a passwordless network

>How could this be solved? The new WPA security standard could support the
"passwordless" mode that requires no authentication, but keeps an encrypted
channel of communication so that the anonymous user can identify himself and
make traffic only readable by the access point.

how does this protect against MITM? that is, a rogue router pretending to be
an hotspot?

> Silly "terms of service" in your cafe can break your applications and expose
> you to risk

valid point, but already solved: [https://en.wikipedia.org/wiki/Hotspot_(Wi-
Fi)#Hotspot_2.0](https://en.wikipedia.org/wiki/Hotspot_\(Wi-Fi\)#Hotspot_2.0)

~~~
da_chicken
EDIT: Ignore me I've confused terminology.

> Doubt it. DHE does not offer protection against MITM attacks, which an
> active attacker can certainly do with a powerful enough antenna.

Huh? That's precisely what Diffie-Hellman is for. It's a protocol for
establishing a shared secret over an insecure channel. Have you got an antenna
big enough to read the private key? Sure, you can argue that pure DH is weak
compared to ECDH or PKCS, but this is exactly what the system does.

No, DH doesn't stop impersonation or spoofing attacks. It doesn't do
authentication. That much I agree with you on. You need something like ECDSA
for that. But those types of attacks aren't MITM.

~~~
sandworm101
DHE protects against eavesdroppers, not middlemen.

~~~
da_chicken
Oh, fair enough. Dang, I get those confused far too often for my own good.

------
d33
Pardon my negative comment, but given their history of absolutely terrible
crypto, I can't wait to see how they mess it up this time.

Some thoughts on WPA2: [https://github.com/d33tah/call-for-
wpa3/](https://github.com/d33tah/call-for-wpa3/)

~~~
keeperofdakeys
WPA3 appears to solve these issues.
[https://www.mathyvanhoef.com/2018/03/wpa3-technical-
details....](https://www.mathyvanhoef.com/2018/03/wpa3-technical-details.html)

------
kevingrahl
If I understood everything, you have to be a Wi-Fi Alliance member in order to
develop/contribute/vote on all things WiFi. The smallest membership that
allows you to participate is US$7,500/year for 2018 (next year it’ll be
$7,725/year). And that’s only for small businesses and they won’t have all
voting rights. The actual membership is a whopping US$15,000/year ($450 more
next year).

It disgusts me to see that in order to improve something that a crapton of
people use daily to protect them self, that’s currently broken, you’d have to
pay. I didn’t see any mention that individuals can become members on the
website of the Wi-Fi Alliance seems to be only businesses can participate.

I’d be alright with some open-source implementation instead.

/rant

~~~
datamingle
Seems like it would encounter same problem earlier in Wifi history

"Early 802.11 products suffered from interoperability problems because the
Institute of Electrical and Electronics Engineers (IEEE) had no provision for
testing equipment for compliance with its standards."

[https://en.wikipedia.org/wiki/Wi-
Fi_Alliance#History](https://en.wikipedia.org/wiki/Wi-Fi_Alliance#History)

------
Ajedi32
Wi-Fi enhanced open looks like a nice security enhancement for open networks,
but unfortunately (correct me if I'm wrong) it still doesn't look like it
protects users from rogue access points; it only stops eavesdropping if users
have already connected to the correct network.

I'd love to see a system similar to what Wi-Fi is already doing with Easy
Connect, where users can scan a public key embedded in a QR Code or NFC tag to
securely connect to a Wi-Fi network. (Or does Easy Connect already allow that?
It'd be great if it does.)

------
bjoli
Why wasn't this designed in the open like TLS 1.3? The process behind isn't
very confidence inspiring...

~~~
bcaa7f3a8bbc
Because IETF is NOT an industrial alliance, but Wi-Fi Alliance is. See the
differences?

see also: 3GPP.

~~~
bjoli
That is the obvious difference, but why don't they develop crypto protocol
with a more open model? They have had too many fiascos for me to trust their
current model.

------
IshKebab
> WPA3 leverages Simultaneous Authentication of Equals (SAE), a secure key
> establishment protocol between devices, to provide stronger protections for
> users against password guessing attempts by third parties.

Is that their term for PAKE?

Also I hope they have finally included an actual error message for incorrect
passwords, rather than just "connection failed" which is the best that seems
to be possible at the moment.

~~~
bwat49
I've seen some cases where I actually do get an authentication failed error
connecting to wifi, but other cases where it just gives me some generic
connection failed (even when the issue turns out to be authentication). It
seems quite random.

------
bo1024
Wow, I hadn't realized that WiFi standards were developed like this. Looking
down the page, I see a bunch of TM symbols, endorsements from massive
companies, and no technical details or even attempt to describe anything
related to security. Not very confidence-inspiring to an outsider.

------
auslander
Security of Wi-Fi will _always_ be a shit show, because standards are not
public.

Want to dig into TLS? RFCs are on internet, ietf.org, in nice courier fonts.

Want to dig into WPA2? IEEE wireless security standards carry a retail cost of
hundreds of dollars to access, and costs to review multiple interoperable
standards can quickly add up to thousands of dollars [0]

"IEEE working groups are a closed industry process."

[0] www.wired.com/story/krack-wi-fi-meltdown-open-standards/

------
sneak
Does this fix the primary problem with WPA presently: the lack of forward
secrecy?

~~~
supertrope
If you had followed the link in the PR release labeled "For further
information, please visit: [https://www.wi-fi.org/discover-wi-
fi/security"](https://www.wi-fi.org/discover-wi-fi/security")

you would have found the following statement: "Forward secrecy: Protects data
traffic even if a password is compromised after the data was transmitted"
under "WPA3-Personal"

------
sgc
Given the apparent state of affairs, it seems like the vendor or vendors who
care should bake a vpn into their firmware to provide better protection. Of
course it is possible to use a pi or perhaps integrate into an open source
firmware, but having a simple vendor provided config would be much better for
adoption rates.

------
westmeal
WPA2 isn't that bad as long as you use a password that isn't going to be pwned
by a dictionary attack in 2 seconds so does this prevent against that if
frames are captured? IDK.

~~~
amluto
It attempts to. Whether or not it succeeds depends on whether the highly
questionable SAE protocol actually works — see the other comments here.

------
auslander
Revolution is needed. Let IETF take over development of Wi-Fi standards. If
it's patents rigged, start from scratch.

------
yuhong
WPA3 Personal seems to be another name for SAE that was defined in 802.11s

