For a technology novice, the terms WPA2 and WPA3 do not mean anything; one might have come across them when browsing for wireless networks. In simple terms, both are security standards developed by the Wi-Fi Alliance. WPA is the acronym for Wi-Fi Protected Access: a security standard for Wi-Fi that protects wireless computer networks from unauthorized access and attacks. Several such systems have been released over the years: WEP, WPA (released in 2003), WPA2 (released in 2004), and WPA3 (released in 2018). WPA2 is an improvement over the initial WPA, and WPA3 is an advanced version of WPA2. With each new version, the security features are improved.
WPA3 vs WPA2
WPA2 and WPA3 are both security standards that protect user devices from hackers. WPA2 is an upgraded version of WPA, released in 2004. It replaced the encryption used by WEP and WPA with the Advanced Encryption Standard (AES). WPA2 uses Wi-Fi Protected Setup (WPS) to speed up pairing between wireless devices and routers. For authentication, WPA2 uses 802.1X Open Authentication and the Extensible Authentication Protocol (EAP).
WPA3 is an upgraded version of WPA2, released in 2018. WPA3 replaced the "Pre-Shared Key exchange" with the more secure "Simultaneous Authentication of Equals." It uses AES with GCMP (Galois/Counter Mode Protocol). WPA3 uses the Wi-Fi Device Provisioning Protocol (DPP), which lets users connect to networks using QR codes and NFC tags. For authentication, WPA3 uses Opportunistic Wireless Encryption (OWE).
Difference between WPA3 and WPA2 in Tabular Form
| Parameters of Comparison | WPA3 | WPA2 |
| --- | --- | --- |
| Full form | Wi-Fi Protected Access 3 | Wi-Fi Protected Access 2 |
| Released year | 2018 | 2004 |
| Methods currently in use and replaced ones | 128-bit encryption in WPA3 personal mode; 192-bit encryption in WPA3 Enterprise. WPA3 replaced the "Pre-Shared Key exchange" with the more secure "Simultaneous Authentication of Equals." | WPA2 makes use of the AES standard. CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) replaces TKIP (Temporal Key Integrity Protocol). |
| Security levels | More secure than WPA2 | More secure than WPA and WEP; less secure than WPA3 |
| Speed | Faster than WPA2 | Slower than WPA3, but faster than WPA |
| Encryption standards | Advanced Encryption Standard (AES) with GCMP | Advanced Encryption Standard (AES) |
| Wireless protocol | Wi-Fi Device Provisioning Protocol (DPP) | Wi-Fi Protected Setup (WPS) |
| Authentication | Simultaneous Authentication of Equals (SAE) | Pre-shared key (PSK) handshake mechanism |
| Encrypting wireless information | Opportunistic Wireless Encryption (OWE) | Open Authentication and Extensible Authentication Protocol (EAP) |
What is WPA3?
WPA3 is an acronym for Wi-Fi Protected Access III. This version of Wi-Fi security was released in June 2018. It rectifies many of the drawbacks of WPA2 and adds further security features. With these improvements, WPA3 made it impossible to decrypt captured data.
Features of WPA3
Wi-Fi Protected Access III contains many additional security features compared to its predecessors WPA2, WPA, and WEP. WPA3 uses Protected Management Frames and longer, stronger encryption keys. In addition, it uses Simultaneous Authentication of Equals (SAE), Opportunistic Wireless Encryption (OWE), and the Device Provisioning Protocol (DPP).
Simultaneous Authentication of Equals
Simultaneous Authentication of Equals is the handshake mechanism WPA3 uses to authenticate to a Wi-Fi network. It is also known as the "Dragonfly Key Exchange." Two important advantages of the Dragonfly Key Exchange are as follows:
Resistance to Offline Decryption
This feature prevents adversaries from learning anything about the user's password other than whether a single guess sent during one protocol run was right or wrong.
It also protects networks whose pre-shared key (PSK), that is, the network password, is weaker than the recommended security level.
Most wireless devices use radio signals to carry information between a user's devices (phone, laptop) and the wireless access point. While the signals are in transit they are open and vulnerable, and they can be intercepted by anyone in the surrounding area. One way to protect user information is to protect the wireless network with a password; this encrypts the signal and prevents malicious hackers from reading the intercepted data. However, this method has a drawback: if an adversary records all the intercepted data, they can decrypt it in the future if they later find out the password.
The "forward secrecy" feature of WPA3 protects users against this kind of attack. The session keys are derived so that an attacker who recorded the traffic between the wireless access point and the user's devices (phone, laptop) cannot decrypt it later, even after learning the password.
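To make the recording-then-decrypting risk concrete, here is an added example (not code from the original article) that derives WPA2-Personal session keys the way IEEE 802.11i defines them: the pairwise master key (PMK) is PBKDF2-HMAC-SHA1 over the passphrase and SSID, and the per-session pairwise transient key (PTK) is a PRF over the PMK plus the two MAC addresses and two nonces that the 4-way handshake sends in the clear. Because every input except the passphrase is visible on the air, someone who recorded the handshake and later learns the passphrase obtains the exact session key, which is the absence of forward secrecy the text describes. The SSID, passphrase, MAC addresses and nonces are constructed sample values, not captured data.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration; not captured from any real network.
SSID = b"ExampleNet"
PASSPHRASE = b"correct horse battery staple"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))        # nonce chosen by the access point (sent in the clear)
SNONCE = bytes(range(32, 64))    # nonce chosen by the station/client (sent in the clear)


def wpa2_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The PMK depends only on the passphrase and SSID, so it is identical for every session."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key for one session (PRF-512 over both MAC addresses and both nonces).
    Everything here except the PMK is transmitted unencrypted during the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def live_session(passphrase: bytes) -> tuple:
    """The legitimate AP and client derive the PTK; an eavesdropper records only the public values."""
    ptk = wpa2_ptk(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    recording = {"ssid": SSID, "ap": AP_MAC, "sta": STA_MAC, "anonce": ANONCE, "snonce": SNONCE}
    return ptk, recording


def recover_later(recording: dict, passphrase: bytes) -> bytes:
    """What the holder of a recording can derive once they know the passphrase."""
    pmk = wpa2_pmk(passphrase, recording["ssid"])
    return wpa2_ptk(pmk, recording["ap"], recording["sta"], recording["anonce"], recording["snonce"])


def has_forward_secrecy(passphrase: bytes) -> bool:
    """False for WPA2-PSK: the recorded handshake plus the passphrase yields the very session key."""
    ptk, recording = live_session(passphrase)
    return recover_later(recording, passphrase) != ptk


if __name__ == "__main__":
    print("WPA2-PSK forward secrecy:", has_forward_secrecy(PASSPHRASE))
```

The PMK function can be checked against the well-known IEEE 802.11i test vector (passphrase "password", SSID "IEEE"). Under SAE the PMK instead comes out of an ephemeral Dragonfly exchange, so the same recording plus the passphrase no longer determines the session key.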
Opportunistic Wireless Encryption (OWE)
This feature was added to WPA3 to replace the 802.11 open authentication system. Opportunistic Wireless Encryption uses a Diffie-Hellman key exchange to encrypt the communication between a user device and the router. Every person connected to the access point (router) receives a different key, so no one else can decrypt the ongoing communication. This process is called "Individualized Data Protection" because the data transfer between the user and the access point is individualized.
A further advantage of Opportunistic Wireless Encryption is that it safeguards all networks, whether or not they are password protected. This is beneficial for unsecured networks such as the wireless networks provided at libraries. OWE requires no provisioning, credentials, or negotiation; it automatically makes users' browsing secure.
However, OWE is not without drawbacks. It cannot protect the user against rogue access points such as honeypot APs and evil twin APs. These access points can deceive users into connecting to them, after which the attackers can steal information.
Another drawback is that, while WPA3 supports unauthenticated encryption, it is not mandated. Therefore, manufacturers can produce WPA3 devices without unauthenticated encryption. Buyers should be careful when purchasing WPA3 equipment and look for the Wi-Fi Certified Enhanced Open label, which ensures their WPA3 device has unauthenticated encryption.
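The following added example (not code from the article or from the Wi-Fi Alliance) models the OWE property described above with a plain Diffie-Hellman exchange over the 2048-bit MODP group from RFC 3526 (group 14): the access point runs a fresh exchange with each client, so two clients on the same open network end up with different keys even though a passive listener saw every value that crossed the air. It also shows the caveat from the text: nothing in the exchange authenticates the access point, so an evil twin using the same network name completes it just as successfully. The key derivation (SHA-256 over the shared secret and both public values) is a simplification of OWE's HKDF-based derivation, and the network name "Library-WiFi" is a constructed value.

```python
import hashlib
import secrets

# 2048-bit MODP group 14 from RFC 3526, generator 2. is_probable_prime() lets the reader re-check it.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test with random bases (used only to sanity-check P)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair() -> tuple:
    """Fresh ephemeral keypair; a 256-bit exponent is ample for a 2048-bit group."""
    priv = 2 + secrets.randbelow(1 << 256)
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    # Reject degenerate peer values (0, 1, p-1) that would force a trivial shared secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def session_key(shared: int, client_pub: int, ap_pub: int) -> bytes:
    """Bind the key to the transcript (simplified stand-in for OWE's HKDF derivation)."""
    material = (shared.to_bytes(256, "big") + client_pub.to_bytes(256, "big")
                + ap_pub.to_bytes(256, "big"))
    return hashlib.sha256(material).digest()


class AccessPoint:
    """Models an OWE-style AP: one fresh keypair, and therefore one key, per associating client."""

    def __init__(self, name: str):
        self.name = name
        self.keys = {}

    def associate(self, client_id: str, client_pub: int) -> int:
        priv, pub = dh_keypair()
        self.keys[client_id] = session_key(dh_shared(priv, client_pub), client_pub, pub)
        return pub  # sent in the clear; a passive listener sees it


def connect(ap: AccessPoint, client_id: str) -> tuple:
    """Client side: returns the client's key and the two public values an eavesdropper observes."""
    priv, pub = dh_keypair()
    ap_pub = ap.associate(client_id, pub)
    return session_key(dh_shared(priv, ap_pub), pub, ap_pub), (pub, ap_pub)


def demo() -> dict:
    ap = AccessPoint("Library-WiFi")                 # constructed network name
    alice_key, _ = connect(ap, "alice")
    bob_key, _ = connect(ap, "bob")
    # The caveat from the text: OWE authenticates nobody, so an evil twin advertising the same
    # name completes the exchange just as successfully and the client cannot tell it apart.
    evil_twin = AccessPoint("Library-WiFi")
    alice_on_twin, _ = connect(evil_twin, "alice")
    return {
        "alice_matches_ap": alice_key == ap.keys["alice"],
        "bob_matches_ap": bob_key == ap.keys["bob"],
        "per_client_keys_differ": alice_key != bob_key,
        "evil_twin_completed": alice_on_twin == evil_twin.keys["alice"],
    }


if __name__ == "__main__":
    print(demo())
```

The eavesdropper's view of each association is just the pair of public values returned by `connect()`; without one of the private exponents those values do not yield the key, which is the "individualized" protection the text describes.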
Device Provisioning Protocol (DPP)
The Device Provisioning Protocol onboards devices onto the Wi-Fi network without a password. The connection is made using a QR code or Near-Field Communication (NFC).
Just like OWE, DPP is not mandated by the Wi-Fi Alliance. Therefore, buyers need to look for the "Wi-Fi Certified Easy Connect" label when buying WPA3 devices.
The encryption keys used in WPA3 are longer than those used by WPA2: WPA3 personal mode uses 128-bit encryption and WPA3 Enterprise uses 192-bit encryption.
What is WPA2?
Wi-Fi Protected Access II (WPA2) is an updated version of WPA. It was created by the Wi-Fi Alliance in 2004 to protect wireless networks against malicious activity, and it is more secure than WPA and WEP. WPA2 has two forms, personal and enterprise.
WPA2's predecessors, WPA and WEP, used the RC4 cipher. Unfortunately, this succumbed to hacking and failed to provide protection. WPA added an extra security measure, the Temporal Key Integrity Protocol (TKIP), to increase protection.
WPA2 replaced both RC4 and TKIP with AES (Advanced Encryption Standard) and CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol). However, WPA2 still supports TKIP as a fallback option for devices that cannot support CCMP.
The Advanced Encryption Standard is said to provide the highest level of security; it is said that even a supercomputer would take millions of years to crack its encryption. The United States government developed AES encryption as a means to protect classified information. AES comprises three symmetric block ciphers, each of which encrypts and decrypts information in 128-bit blocks using a 128-bit, 192-bit, or 256-bit key.
The Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) protects data confidentiality by making sure only authorized network users can read the transmitted data. CCMP uses the cipher block chaining message authentication code (CBC-MAC) to guarantee message integrity.
Drawback of WPA2
When a device (phone, laptop) attempts to log in to a password-protected Wi-Fi network, the 4-way handshake mechanism is responsible for proving and verifying the password. In WPA2, this mechanism proved to be vulnerable to attack.
A Wi-Fi connection is established with a cryptographic 4-way handshake between the access point (AP) and the user's device. During the process, both devices exchange messages to prove they know the pre-established authentication code. After authentication is completed, the access point transmits an encryption key to the user's device. If the user's device does not acknowledge the key, the access point presumes a connectivity issue has occurred and sends the message again. It is at this point that KRACK attackers break into the network and steal information.
Mathy Vanhoef, a Belgian security researcher, discovered the Key Reinstallation Attack (KRACK), a security flaw in WPA2. It works by tricking a device into reinstalling a key that is already in use; to achieve this, the attackers manipulate the 4-way handshake messages. When the unsuspecting device reinstalls the key, the incremental transmit packet number and the receive packet number are reset to their initial values. In this manner, the attackers gain access to the key, and with the key they can decrypt and read information.
A dictionary attack involves systematically trying thousands or millions of collected candidate passwords. For this to work, a hacker first captures a WPA2 handshake. Next, the captured data is taken offline, where a program compares it against a list of candidate passwords to find the one that matches the recorded handshake.
To prevent dictionary attacks, it is recommended to use strong, complex passwords containing numbers, special characters, and both uppercase and lowercase letters.
Choosing a Wi-Fi Protected Access
- If you have the option to pick between WPA3 and WPA2, always pick WPA3.
- Make sure the WPA3 hardware is certified with Wi-Fi Easy Connect and Wi-Fi Enhanced Open.
- When setting passwords, choose complex passwords. The following steps can help to create strong passwords.
  - Use both upper case letters and lower case letters.
  - Include numbers, special characters and even spaces.
  - Make the password a passphrase in place of a single word.
  - Make the password as long as possible. Passwords with 20 characters or more provide more security.
- When purchasing a wireless router, pick one that supports WPA3.
- When connecting to public Wi-Fi, make sure to use a VPN.
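The password rules above, and the offline dictionary attack described earlier, both come down to how much guessing work a passphrase forces on an attacker. This added example (not part of the original article) checks a candidate against the article's rules and then estimates guess-space entropy two ways: the character-alphabet upper bound, and the far smaller word-list figure that applies when the passphrase is built from dictionary words. The `guesses_per_second` argument is a parameter the caller supplies, since a realistic PBKDF2 guessing rate depends on hardware; no rate is asserted here.

```python
import math
import string

MIN_LENGTH = 20                       # the article's recommendation: 20 characters or more
SECONDS_PER_YEAR = 365.25 * 24 * 3600
SPECIALS = set(string.punctuation) | {" "}


def charset_size(pw: str) -> int:
    """Size of the smallest conventional alphabet covering every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)        # 32 punctuation characters plus the space
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Upper bound: log2(alphabet ** length). A real attacker tries dictionary words first,
    so for word-based passphrases wordlist_entropy_bits() is the honest figure."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def wordlist_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words chosen uniformly and independently from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def exhaustive_search_years(bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate at the given rate; the rate is a caller-supplied assumption."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def check_passphrase(pw: str) -> list:
    """Returns the article's rules that pw fails; an empty list means it passes all of them."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letters")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letters")
    if not any(c.isdigit() for c in pw):
        failures.append("no digits")
    if not any(c in SPECIALS for c in pw):
        failures.append("no special characters or spaces")
    if len(pw.split()) < 2:
        failures.append("not a multi-word passphrase")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "Correct Horse Battery Staple 2024!"):   # constructed samples
        print(repr(candidate), check_passphrase(candidate) or "passes",
              "%.1f bits (alphabet bound)" % estimated_entropy_bits(candidate))
    # Four words from a 7776-word list: ~51.7 bits regardless of how the letters look.
    print("4 words from 7776:", "%.1f bits" % wordlist_entropy_bits(4, 7776))
```

The point of the two entropy functions side by side is that a passphrase such as four common words can look strong by the alphabet measure while being worth only about 52 bits against an attacker who guesses words rather than characters; adding digits, punctuation and length, as the list recommends, moves the real figure up.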
Main Differences between WPA3 and WPA2 (in Points)
- The WPA2 is an advanced version of WPA, while the WPA3 is the advanced version of WPA2.
- WPA2 was released in the year 2004, and the WPA3 was released in 2018.
- WPA2 replaced the Temporal Key Integrity Protocol (TKIP) of WPA with CCMP and Advanced Encryption Standard (AES). WPA3 replaced the Pre-Shared Key Exchange (PSK) with Simultaneous Authentication of Equals (SAE).
- WPA2 uses the Advanced Encryption Standard (AES), while WPA3 uses the AES with GCMP.
- The WPA2 uses the Wi-Fi Protected Setup (WPS) technology, while the WPA3 uses the Wi-Fi Device Provisioning Protocol (DPP).
- For authentication, the WPA2 uses the Pre-shared key (PSK) handshake mechanism, while the WPA3 uses the Simultaneous Authentication of Equals (SAE).
- For encrypting wireless information while it is being transferred, WPA2 uses Open Authentication and the Extensible Authentication Protocol (EAP), while WPA3 uses Opportunistic Wireless Encryption (OWE).
- The WPA3 is safer and faster than the WPA2.
In short, while WPA2 and WPA3 are Wi-Fi protection mechanisms, the WPA3 is an improvement upon the WPA2. While the WPA2 does provide good encryption and security, it is still vulnerable to attacks, especially KRACK and dictionary attacks. In contrast, the WPA3 boasts unbreakable encryption and security features. Therefore, it is better to choose WPA3 if the choice presents itself.