WPA3 Overview
So what's different, and what matters, with WPA3? Two modes are available in WPA3, just as in previous versions: Personal and Enterprise.
Let's start off with WPA3-Personal. Personal mode networks are just that: "Personal". They have no real place in enterprise networks and should be kept that way. I know this is wishful thinking, as I myself have had to compromise and deploy many WPA2-Personal networks at customer sites. At some point I hope device manufacturers start offering the option for WPA3-Enterprise in everything! Until then we are stuck using Personal mode networks with their drawbacks, but thankfully with WPA3-Personal they get a little more secure… for now.
- WPA3-Personal mode uses Simultaneous Authentication of Equals (SAE) instead of Pre-Shared Key (PSK)
With WPA2-PSK the passphrase and SSID are run through PBKDF2 to produce the Pairwise Master Key (PMK) directly, so everyone who knows the passphrase knows the PMK. With SAE the password is still the network's shared secret, but it is only used to authenticate a Diffie-Hellman style exchange (the Dragonfly handshake); the PMK comes out of the ephemeral values of that exchange, not out of the password. What this means is that if an attacker gets the SAE password somehow, they have a way onto the network (and could impersonate the access point to clients in an active attack), but not a way of decrypting the traffic of other devices already using the network from a passive capture. Which brings me to the next point.
- Unlike PSK, SAE generates a new PMK for every session, and that PMK cannot be derived from the password; this is what gives SAE forward secrecy.
With WPA2-PSK the PMK is the same for every device and every session, so a passphrase plus a captured 4-way handshake is enough to recompute that session's keys and decrypt it, whether the capture was made before or after the passphrase leaked. With SAE a compromised password is still only going to allow an attacker access to the network, which could be damaging enough, but because each session's PMK depends on random values that never leave the two devices, PMKs cannot be obtained to decrypt other device sessions over the air.
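To make the difference concrete, here is an added example, written for this page and not code from the original post, that models both derivations in Python. The WPA2 half uses the actual PBKDF2 and PRF-384 constructions from IEEE 802.11 and is checked against the standard's "password"/"IEEE" test vector. The SAE half runs a Dragonfly commit/confirm exchange over RFC 3526 group 14 with the same algebra as the standard's finite-field variant, but the hash labels and KDF are simplified and the MAC addresses, nonces and password are constructed, so it is a model of the property, not an interoperable SAE implementation.

```python
"""WPA2-PSK versus WPA3-SAE key derivation as a runnable model (added example).
WPA2 half: exact IEEE 802.11 PBKDF2 and PRF-384. SAE half: the algebra of the
finite-field Dragonfly exchange with simplified KDF/labels (not wire-compatible)."""
import hashlib
import hmac
import secrets

# ---- WPA2-Personal: passphrase + SSID fixes the PMK for every session ----
def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-384 of the 4-way handshake. Everything except the PMK is sent in the
    clear, so passphrase + a captured handshake yields that station's keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            "sha1").digest() for i in range(3))
    return out[:48]                      # KCK(16) | KEK(16) | TK(16)

# ---- WPA3-Personal (SAE): PMK comes from ephemeral secrets, not the password ----
# RFC 3526 group 14 (2048-bit MODP, a safe prime); SAE group id 14 uses it.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2                         # prime order of the quadratic-residue subgroup

def group_params_ok() -> bool:           # Fermat check: catches a mistyped group constant
    return pow(2, P - 1, P) == 1 and pow(2, Q - 1, Q) == 1

def sae_password_element(password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """Hunting-and-pecking: map password + both MACs to an order-Q element (PWE).
    Both peers compute the same PWE locally; it is never transmitted."""
    key = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hmac.new(key, password + bytes([counter]), "sha256").digest()
        value = int.from_bytes(b"".join(                # KDF-2048 stand-in: 8 x 256 bits
            hmac.new(seed, bytes([i]) + b"SAE Hunting and Pecking", "sha256").digest()
            for i in range(1, 9)), "big")
        if value < P:
            pwe = pow(value, (P - 1) // Q, P)           # squaring lands in the order-Q subgroup
            if pwe > 1:
                return pwe
    raise ValueError("no password element found")

class SaePeer:
    """One side of the SAE commit/confirm exchange."""
    def __init__(self, mac: bytes, peer_mac: bytes, password: bytes):
        self.pwe = sae_password_element(password, mac, peer_mac)
        self.rand = secrets.randbelow(Q - 2) + 2       # ephemeral secret, never sent
        mask = secrets.randbelow(Q - 2) + 2
        self.scalar = (self.rand + mask) % Q           # sent; reveals neither rand nor mask
        self.element = pow(self.pwe, Q - mask, P)      # PWE^(-mask), sent
        self.peer = self.kck = self.pmk = None

    def commit(self):
        return self.scalar, self.element

    def process_commit(self, peer_scalar: int, peer_element: int) -> bytes:
        """Validate the peer's commit, derive KCK and PMK, return our confirm token."""
        if not (1 < peer_scalar < Q and 1 < peer_element < P and pow(peer_element, Q, P) == 1):
            raise ValueError("peer commit failed group validation")
        # k = (PWE^peer_scalar * peer_element)^rand = PWE^(rand * peer_rand) mod P
        k = pow(pow(self.pwe, peer_scalar, P) * peer_element % P, self.rand, P)
        keyseed = hmac.new(bytes(32), k.to_bytes(256, "big"), "sha256").digest()
        ctx = ((self.scalar + peer_scalar) % Q).to_bytes(256, "big")
        self.kck = hmac.new(keyseed, b"\x01SAE KCK" + ctx, "sha256").digest()
        self.pmk = hmac.new(keyseed, b"\x02SAE PMK" + ctx, "sha256").digest()
        self.peer = (peer_scalar, peer_element)
        return self._confirm(self.scalar, self.element, peer_scalar, peer_element)

    def _confirm(self, s1: int, e1: int, s2: int, e2: int) -> bytes:
        msg = b"".join(v.to_bytes(256, "big") for v in (s1, e1, s2, e2))
        return hmac.new(self.kck, msg, "sha256").digest()

    def verify_confirm(self, token: bytes) -> bool:
        """The peer proves it derived the same KCK, i.e. it knew the password."""
        return hmac.compare_digest(token, self._confirm(*self.peer, self.scalar, self.element))

def sae_session(password: bytes, mac_a: bytes, mac_b: bytes, password_b: bytes = None):
    """Run commit/confirm between two peers; returns (pmk_a, pmk_b, confirms_ok).
    password_b lets you model a peer that holds the wrong password."""
    a = SaePeer(mac_a, mac_b, password)
    b = SaePeer(mac_b, mac_a, password if password_b is None else password_b)
    confirm_a, confirm_b = a.process_commit(*b.commit()), b.process_commit(*a.commit())
    return a.pmk, b.pmk, a.verify_confirm(confirm_b) and b.verify_confirm(confirm_a)

if __name__ == "__main__":
    aa, spa = b"\xa0" * 6, b"\xb0" * 6                # constructed MAC addresses
    print("WPA2 PMK, identical every session:", wpa2_pmk("password", "IEEE").hex())
    for run in (1, 2):                                 # same password, different PMK each run
        print(f"SAE run {run} PMK: {sae_session(b'password', aa, spa)[0].hex()}")
```

Run it twice: the WPA2 PMK, and therefore the PTK once the nonces are captured, comes out identical every time, while the SAE PMK differs per run even with the same password and MAC addresses, because it depends on each peer's rand, which never leaves the device. A passive attacker who knows the password can compute the PWE but not either rand, so recovering k is a discrete-logarithm problem in the group; that is the forward secrecy described above.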
Now on to WPA3-Enterprise. Not a lot has changed here except for the requirement of Protected Management Frames (PMF). Disabling PMF for WPA3-Enterprise networks is not an option. PMF can only be set to capable or required: WPA3-Enterprise only mode advertises PMF as required (MFPR=1), and the WPA2/WPA3-Enterprise transition mode advertises it as capable (MFPC=1, MFPR=0) so that WPA2 clients without PMF support can still join.
WPA3-Enterprise also has a new optional security mode, 192-bit security mode, built on the CNSA Suite B cipher suites: GCMP-256 for data frames, BIP-GMAC-256 for protected management frames, HMAC-SHA-384 key derivation, and EAP-TLS with ECDSA P-384 or RSA 3072-bit (or larger) certificates. The security mode is meant for highly secure environments and doesn't allow for any backward compatibility with lesser security protocols; a client has to support the whole suite to join.
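The PMF and 192-bit requirements above are visible in the RSN element an access point advertises, so they can be verified from a single captured beacon rather than taken on trust from a controller's GUI. The following is an added example, not code from the original post, that decodes an RSNE and names the mode it advertises; the sample elements are constructed inline from the IEEE 802.11 suite selector values and are not captured from real access points.

```python
"""Decode the RSN element (element ID 48) that an AP advertises in beacons and
probe responses, and name the WPA3 mode it describes, including whether PMF is
merely capable or actually required. Added example; the sample RSNEs below are
constructed from the IEEE 802.11 suite selectors, not captured from real APs."""
import struct

OUI = b"\x00\x0f\xac"                     # IEEE 802.11 suite-selector OUI
CIPHER = {4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256",
          6: "BIP-CMAC-128", 11: "BIP-GMAC-128", 12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
       8: "SAE", 9: "FT-SAE", 12: "802.1X-SUITE-B-192", 18: "OWE"}
MFPR, MFPC = 0x0040, 0x0080               # RSN Capabilities bits 6 and 7

def build_rsne(group: int, pairwise: list, akms: list, caps: int, group_mgmt: int = None) -> bytes:
    """Encode an RSNE from suite-type numbers (used here to construct samples)."""
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    if group_mgmt is not None:            # PMKID count 0, then group management cipher
        body += struct.pack("<H", 0) + OUI + bytes([group_mgmt])
    return bytes([48, len(body)]) + body

def parse_rsne(ie: bytes) -> dict:
    """Decode an RSNE. Capabilities and everything after them are optional fields."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSNE")
    b, pos = ie[2:], 0

    def u16() -> int:
        nonlocal pos
        val, pos = struct.unpack_from("<H", b, pos)[0], pos + 2
        return val

    def suites(table: dict, n: int) -> list:
        nonlocal pos
        out = []
        for _ in range(n):
            sel, pos = b[pos:pos + 4], pos + 4
            if len(sel) < 4:
                raise ValueError("truncated suite list")
            out.append(table.get(sel[3], sel.hex()) if sel[:3] == OUI else "vendor:" + sel.hex())
        return out

    version = u16()
    group = suites(CIPHER, 1)[0]
    pairwise = suites(CIPHER, u16())
    akms = suites(AKM, u16())
    caps = u16() if pos + 2 <= len(b) else 0
    group_mgmt = None
    if pos + 2 <= len(b):
        n_pmkid = u16()
        pos += 16 * n_pmkid               # skip the PMKID list
        if pos + 4 <= len(b):
            group_mgmt = suites(CIPHER, 1)[0]
    return {"version": version, "group": group, "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR), "group_mgmt": group_mgmt}

def classify(r: dict) -> str:
    """Name the advertised mode in Wi-Fi Alliance terms (only vs. transition)."""
    a = set(r["akms"])
    if "802.1X-SUITE-B-192" in a:
        if (r["group"] == "GCMP-256" and r["pairwise"] == ["GCMP-256"]
                and r["group_mgmt"] == "BIP-GMAC-256" and r["mfpr"]):
            return "WPA3-Enterprise 192-bit"
        return "invalid 192-bit mode: needs GCMP-256, BIP-GMAC-256 and PMF required"
    if a & {"SAE", "FT-SAE"}:
        if a & {"PSK", "PSK-SHA256"}:
            return "WPA3-Personal transition (PMF capable)" if r["mfpc"] else "SAE+PSK without PMF (non-compliant)"
        return "WPA3-Personal" if r["mfpr"] else "SAE without PMF required (non-compliant)"
    if a & {"802.1X", "802.1X-SHA256"}:
        if r["mfpr"]:
            return "WPA3-Enterprise"
        return "WPA3-Enterprise transition (PMF capable)" if r["mfpc"] else "WPA2-Enterprise (no PMF)"
    if a & {"PSK", "PSK-SHA256"}:
        return "WPA2-Personal"
    return "other: " + ", ".join(sorted(a))

SAMPLES = {                                # constructed, not captured
    "wpa2-personal": build_rsne(4, [4], [2], 0),
    "wpa3-personal": build_rsne(4, [4], [8], MFPC | MFPR, 6),
    "personal-transition": build_rsne(4, [4], [2, 8], MFPC, 6),
    "wpa3-enterprise": build_rsne(4, [4], [1], MFPC | MFPR, 6),
    "enterprise-transition": build_rsne(4, [4], [1], MFPC, 6),
    "enterprise-192": build_rsne(9, [9], [12], MFPC | MFPR, 12),
    "enterprise-192-pmf-capable": build_rsne(9, [9], [12], MFPC, 12),   # misconfigured
}

if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        r = parse_rsne(ie)
        print(f"{name:27} mfpc={r['mfpc']!s:5} mfpr={r['mfpr']!s:5} {classify(r)}")
```

The useful check for an audit is the mfpr flag: an "Enterprise" SSID whose RSNE carries MFPC without MFPR is running WPA3-Enterprise transition mode (or plain WPA2-Enterprise if neither bit is set), and a 192-bit network has to carry GCMP-256, BIP-GMAC-256 and MFPR together or it is not a valid 192-bit mode configuration.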