Re: None

Friday, 04/12/2019 10:44:53 PM

Post# of 248735
Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords

https://arstechnica.com/information-technology/2019/04/serious-flaws-leave-wpa3-vulnerable-to-hacks-that-steal-wi-fi-passwords/

Excerpts below:

Next-gen standard was supposed to make password cracking a thing of the past. It won't.

The next-generation Wi-Fi Protected Access protocol released 15 months ago was once hailed by key architects as resistant to most types of password-theft attacks that threatened its predecessors. On Wednesday, researchers disclosed several serious design flaws in WPA3 that shattered that myth and raised troubling new questions about the future of wireless security, particularly among low-cost Internet-of-things devices.

Same as the old boss

A research paper titled Dragonblood: A Security Analysis of WPA3’s SAE Handshake disclosed several vulnerabilities in WPA3 that open users to many of the same attacks that threatened WPA2 users. The researchers warned that some of the flaws are likely to persist for years, particularly in lower-cost devices. They also criticized the WPA3 specification as a whole and the process that led to its formalization by the Wi-Fi Alliance industry group.

Please see link for full article -
==================================================================
Battered, but not broken: understanding the WPA crack

https://arstechnica.com/civis/viewtopic.php?f=2&t=15735

One other note that anyone looking to improve their wireless protection and/or control should consider. In any current AES implementation leveraging RADIUS, the client-side keys should be put in the TPM. The Trusted Platform Module can provide the same level of assurance for WIFI keys that a SIM module provides for phones. By using machine certificates in the TPM there are no additional passwords or PIN numbers and only authorized machines can be connected. The keys on the TPM can be non-migratable and as a result can only be deleted but never copied or moved. Using the TPM is simple: as long as the client software is installed and the TPM is on, all one has to do is select the TPM's CSP when the keys are requested from the certificate authority, and the rest just works. Almost all APs support this functionality. There is a good white paper on this subject at http://www.wave.com/about/whit...SecureWirelessWP.pdf
The TPM is already in over 275 million PCs and all corporate PCs have one. It is a vendor-neutral industry standard. The white paper above is done by my company, who builds the software on all DELL PCs, but the same methods would work with our competitors on HP and Lenovo PCs.

This simple step of leveraging the PC gives any WIFI network administrator the same level of authentication security that exists on a few billion cell phones.

What we should have in the future is a method to just bond a consumer PC to a consumer AP using a proximity or USB so that the AP can put keys in the TPM. This would make it as easy to use WIFI as it is to use a portable phone.

Steven Sprague
CEO
Wave Systems Corp.
==================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

Superior User Experience
• No more tokens or smart cards to achieve two-factor authentication
• Eliminate VPN/WiFi/website passwords for faster access to resources
• No add-on software means improved OS performance
==================================================================
Wave VSC 2.0 and the TPM should have a large positive impact on WPA2 and WPA3! When Steven Sprague wrote about the WPA crack, there were over 275 million TPMs in computers and now there are well over 1 billion!! Many uses for the TPM for a LOT of computers. It's a shame that so many lie dormant or inactivated when they could be put to good use!!!