Security

Wi-Fi® has become an integral part of daily life. Billions of people worldwide depend on Wi-Fi at home and at work: they shop, bank, organize their lives and stay connected over it. Securing Wi-Fi connections plays an important role in protecting personal data. As the number of Wi-Fi devices in use around the world continues to rise, Wi-Fi Alliance® has been at the forefront of strengthening Wi-Fi security.

Since 2003, Wi-Fi Alliance has helped individuals and businesses strengthen the protection of information traveling over Wi-Fi networks through the Wi-Fi Protected Access® family of technologies. Wi-Fi Protected Access security features continue to evolve, adding stronger protections and new security practices as the security landscape changes.

The Wi-Fi Protected Access security family includes solutions for personal and enterprise networks.

Wi-Fi CERTIFIED WPA3™

WPA3™ is the next generation of Wi-Fi security, bringing state-of-the-art security protocols to the market. Building on the widespread success and adoption of Wi-Fi CERTIFIED WPA2™, WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, deliver increased cryptographic strength for highly sensitive data markets and maintain the resiliency of mission-critical networks. All WPA3 networks:

  • Use the latest security methods;
  • Disallow outdated legacy protocols;
  • Require the use of Protected Management Frames (PMF).

Because Wi-Fi networks differ in purpose and security needs, WPA3 provides additional capabilities specifically for personal and enterprise networks. WPA3-Personal strengthens protection for users against password-guessing attempts, while users of WPA3-Enterprise can now take advantage of higher-grade security protocols to protect sensitive data networks.

WPA3 retains interoperability with WPA2™ devices and is currently an optional certification for Wi-Fi CERTIFIED devices. It will become a required certification over time as market adoption grows.

WPA3-Personal

WPA3-Personal provides more robust password-based authentication even when users choose passwords that fall short of typical complexity recommendations, and therefore better protects individual users. This capability is achieved through Simultaneous Authentication of Equals (SAE), which replaces the Pre-shared Key (PSK) used in WPA2-Personal. SAE resists offline dictionary attacks, in which an attacker attempts to determine the network password by trying possible passwords without further network interaction.

  • Natural password selection: allows users to choose passwords that are easier to remember;
  • Ease of use: delivers enhanced protections with no change to the way users connect to a network;
  • Forward secrecy: protects data traffic even if a password is compromised after the data was transmitted.

WPA3-Enterprise

Enterprises, governments and financial institutions gain greater security by adopting WPA3-Enterprise. WPA3-Enterprise builds on WPA2 and ensures the consistent application of security protocols across the network.

WPA3-Enterprise also offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data:

  • Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256);
  • Key derivation and confirmation: 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (SHA-384);
  • Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve;
  • Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256).

The 192-bit security mode offered by WPA3-Enterprise ensures that the right combination of cryptographic tools is used and sets a consistent security baseline within a WPA network.
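The WPA3 requirements listed above (no legacy protocols, PMF required, SAE in place of PSK, and the GCMP-256/BIP-GMAC-256 pairing in the 192-bit enterprise mode) can be turned into a configuration check. The following is an added example and not code from the Wi-Fi Alliance; it assumes hostapd.conf-style key names (wpa, wpa_key_mgmt, rsn_pairwise, group_mgmt_cipher, ieee80211w) and the three sample configurations are constructed.

```python
# Added example, not from the Wi-Fi Alliance page: audit an access-point
# configuration against the WPA3 baseline. Key names follow hostapd.conf
# conventions (assumed); the three sample configs below are constructed.

WPA3_PERSONAL_OK = """wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2"""

WPA3_ENTERPRISE_192_OK = """wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
group_mgmt_cipher=BIP-GMAC-256
ieee80211w=2"""

WEAK_MIXED = """wpa=3
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=TKIP
rsn_pairwise=CCMP TKIP
ieee80211w=1"""

def parse_config(text):
    # key=value lines; blank lines and comments are ignored
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_wpa3(conf):
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if conf.get("wpa") != "2":
        findings.append("wpa must be 2: legacy WPA/TKIP mode enabled")
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher enabled (legacy protocol)")
    if conf.get("ieee80211w") != "2":
        findings.append("PMF not required (ieee80211w must be 2)")
    if "WPA-EAP-SUITE-B-192" in akms:  # optional 192-bit enterprise mode
        if conf.get("rsn_pairwise") != "GCMP-256":
            findings.append("192-bit mode requires GCMP-256 pairwise cipher")
        if conf.get("group_mgmt_cipher") != "BIP-GMAC-256":
            findings.append("192-bit mode requires BIP-GMAC-256 for management frames")
    elif not akms & {"SAE", "WPA-EAP"}:
        findings.append("no WPA3 key management (SAE or WPA-EAP) configured")
    if "WPA-PSK" in akms:
        findings.append("WPA2-PSK still accepted: transition mode, not WPA3-only")
    return findings
```

Running `audit_wpa3(parse_config(WEAK_MIXED))` reports four findings, while both compliant samples return an empty list.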

Wi-Fi CERTIFIED WPA2

WPA2 continues to provide security and privacy protection for Wi-Fi networks and devices across the Wi-Fi ecosystem. WPA2 devices will remain interoperable and continue to deliver the recognized security that has been their hallmark for more than a decade.

The WPA2 certification program continues to evolve to meet changing security needs as the security landscape changes. In 2018, Wi-Fi Alliance strengthened the security protections of existing networks through configuration, authentication and encryption features. Validation of vendor security implementations was enhanced to reduce vulnerabilities that may result from network misconfiguration, and centralized authentication services are used to further protect carrier Wi-Fi networks.

Since 2006, all Wi-Fi CERTIFIED™ devices have included WPA2.

WPA2 will continue to evolve so that all Wi-Fi CERTIFIED devices meet interoperability and security standards. WPA2 will remain in use on Wi-Fi CERTIFIED devices for the foreseeable future, and all WPA3-capable devices will continue to interoperate with WPA2 devices.

Open Wi-Fi networks

Users rely on Wi-Fi networks everywhere: at home, in the office, in hotels, shopping malls, public transit hubs and municipal service centers. Using an unsecured network in such places is risky, as personal data may be stolen, which is why Wi-Fi Alliance strongly recommends that users ensure they use secure, authentication-required networks whenever possible. In some situations, however, an open Wi-Fi network is the only viable option. Although many consumers around the world use open networks without incident, it is important to recognize that open networks carry risk and to do what is possible to protect user data. To address this risk, Wi-Fi Alliance developed a solution that benefits users of open Wi-Fi networks.

Wi-Fi CERTIFIED Enhanced Open™ is a Wi-Fi Alliance certification program that preserves the convenience of open networks while reducing some of the risks of accessing unsecured networks. Wi-Fi Enhanced Open™ networks provide users with data encryption without requiring authentication, a significant improvement over traditional open networks that provide no protection at all. These protections are transparent to the user. Wi-Fi Enhanced Open™ is based on the Opportunistic Wireless Encryption (OWE) protocol defined in the Internet Engineering Task Force (IETF) RFC 8110 specification and on the Wi-Fi Alliance Opportunistic Wireless Encryption Specification. It provides data encryption while maintaining the ease of use of open networks, which benefits users, and it also benefits network providers, who no longer need to maintain, share or manage a public password.

Because Wi-Fi Enhanced Open™ is a Wi-Fi CERTIFIED™ program, the technology is compatible with legacy networks, including those that use captive portals. Network operators who wish to deploy a full-featured authentication and device provisioning solution should consider approaches such as Wi-Fi CERTIFIED Passpoint®.

Frequently Asked Questions
  • What does “security” mean in the context of Wi-Fi?

    In the context of Wi-Fi technology, security means two things. First, controlling who can connect to and configure your network and equipment. Second, it means securing the data travelling wirelessly across your Wi-Fi network from unauthorized view.

    Wi-Fi security is just one aspect of network security. A protected Wi-Fi network is a great start, but you should also consider measures to protect your computer (antivirus software, firewall, etc.) and your communications across the internet (a virtual private network (VPN), etc.).

  • What is the KRACK attack?

    This term refers to a potential key reinstallation vulnerability detected in late 2017. Wi-Fi Alliance took steps immediately to ensure users can continue to count on Wi-Fi to deliver strong security protections. For more information on this issue view our security update.

  • What are Protected Management Frames?

    Wi-Fi CERTIFIED WPA2™ with Protected Management Frames and Wi-Fi CERTIFIED WPA3™ provide protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesdropping and forging, and multicast management action frames are protected from forging. Wi-Fi CERTIFIED™ ac, WPA3™, Passpoint®, Wi-Fi Agile Multiband™ and Wi-Fi Optimized Connectivity™ devices require Protected Management Frames. They augment privacy protections already in place for data frames with mechanisms to improve the resiliency of mission-critical networks.

  • Are Wi-Fi CERTIFIED products protected by security?

    Yes. All Wi-Fi CERTIFIED products are tested for WPA2 or WPA3. The only way to be sure that a product meets the latest security standards is to purchase only Wi-Fi CERTIFIED products.


  • What security measures should I take when working away from my home?

    Configure Wi-Fi client devices (laptops, handsets, and other Wi-Fi enabled products) to enable security protections.

    Configure for approved connections: Many devices are set by default to sense and automatically connect to any available wireless signal. Wi-Fi Alliance recommends that you configure your device to not automatically connect to an open network without your approval.

    Disable sharing: Wi-Fi enabled devices may automatically enable themselves to sharing / connecting with other devices when attaching to a wireless network. File and printer sharing may be common in business and home networks, but this should be avoided in a public network such as a hotel, restaurant, or airport hotspot.

    Users may also wish to use complementary security measures to improve the security of their activity over the internet including virtual private networks (VPNs), firewalls, etc.

  • What are “legacy protocols”?

    Legacy protocols are earlier generations of Wi-Fi security, which have been updated or replaced over time as the needs of the security landscape changed. The original security standard was Wired Equivalent Privacy (WEP). It was replaced by the original Wi-Fi Protected Access (WPA) in 2003 as an interim solution to the limited protection offered by WEP. The WPA program added support for Temporal Key Integrity Protocol (TKIP) encryption, an older form of security technology with some vulnerability to cryptographic attacks. WPA was replaced in 2004 with the more advanced protocols of WPA2.

    Though the threat of a security compromise is small, users should not purchase new equipment which supports only WPA with TKIP. Only devices supporting WPA2 and WPA3 security should be purchased and used.