Security

Wi-Fi® has become an indispensable part of daily life. Billions of people worldwide depend on Wi-Fi in their lives and work, using it to shop, bank, organize their lives and stay connected. Securing Wi-Fi connections plays an important role in protecting personal data. As the use of Wi-Fi devices continues to rise around the world, Wi-Fi Alliance® has been at the forefront of strengthening Wi-Fi security.

Since 2003, Wi-Fi Alliance has helped individuals and businesses strengthen the protection of information flowing over Wi-Fi networks through the Wi-Fi Protected Access® family of technologies. Wi-Fi Protected Access security features continue to evolve, adding stronger protections and new security practices as the security landscape changes.

The Wi-Fi Protected Access security family includes solutions for both personal and enterprise networks.

Wi-Fi CERTIFIED WPA3™

WPA3™ is the next generation of Wi-Fi security, bringing the most advanced security protocols to market. Building on the widely adopted success of Wi-Fi CERTIFIED WPA2™, WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, deliver increased cryptographic strength for highly sensitive data markets and maintain the resiliency of mission-critical networks. All WPA3 networks:

  • use the latest security methods;
  • disallow outdated legacy protocols;
  • require the use of Protected Management Frames (PMF).

Because Wi-Fi networks differ in purpose and security needs, WPA3 provides additional capabilities specifically for personal and enterprise networks. WPA3-Personal strengthens protection for users against password guessing attempts, while WPA3-Enterprise users can now take advantage of higher-grade security protocols to protect networks that carry sensitive data.

WPA3 retains interoperability with WPA2™ devices and is a mandatory certification for Wi-Fi CERTIFIED™ devices.

WPA3-Personal

WPA3-Personal better protects individual users by providing more robust password-based authentication, even when users choose passwords that fall short of typical complexity recommendations. This protection is achieved through Simultaneous Authentication of Equals (SAE), which replaces the Pre-shared Key (PSK) used in WPA2-Personal. SAE is resistant to offline dictionary attacks, in which an attacker attempts to determine the network password by trying possible passwords without any further network interaction.

  • Natural password selection: allows users to choose passwords that are easier to remember;
  • Ease of use: delivers stronger protection with no change to the way users connect to a network;
  • Forward secrecy: protects data traffic even if the password is compromised after the data was transmitted.

WPA3-Enterprise

Enterprises, governments and financial institutions gain greater security with WPA3-Enterprise. WPA3-Enterprise builds on WPA2 and ensures that security protocols are applied consistently across the network.

WPA3-Enterprise also offers an optional mode that uses 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data:

  • Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256);
  • Key derivation and confirmation: 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (HMAC-SHA384);
  • Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve;
  • Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256).

The 192-bit security mode offered by WPA3-Enterprise ensures that the right combination of cryptographic tools is used and sets a consistent security baseline within a WPA network.

Open Wi-Fi networks

Users rely on Wi-Fi networks everywhere: at home, in the office, in hotels, shopping centers, public transit hubs and municipal service offices. Using unsecured networks in such places carries risk, since personal data may be stolen, which is why Wi-Fi Alliance strongly recommends that users connect to secure, authenticated networks whenever possible. In some situations, however, an open Wi-Fi network is the only viable option. Although many consumers around the world use open networks without incident, it is important to recognize that open networks carry risk and to make every effort to protect user data. To address this risk, Wi-Fi Alliance has developed a solution that benefits users of open Wi-Fi networks.

Wi-Fi CERTIFIED Enhanced Open™ is a Wi-Fi Alliance certification program that preserves the convenience of open networks while reducing some of the risks of accessing an unsecured network. Wi-Fi Enhanced Open™ networks provide users with data encryption without requiring authentication, a significant improvement over traditional open networks, which offer no protection at all. These protections are transparent to the user. Wi-Fi Enhanced Open™ is based on the Opportunistic Wireless Encryption (OWE) protocol defined in Internet Engineering Task Force (IETF) specification RFC 8110 and on the Wi-Fi Alliance Opportunistic Wireless Encryption Specification. It benefits users by providing data encryption while keeping the ease of use of open networks, and it benefits network providers because there is no public password to maintain, share or manage.

Because Wi-Fi Enhanced Open™ is a Wi-Fi CERTIFIED™ program, the technology is compatible with legacy networks, including those that use a captive portal. Network operators who wish to deploy a full authentication and device provisioning solution should consider approaches such as Wi-Fi CERTIFIED Passpoint®.
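As an added example (not Wi-Fi Alliance material), the following Python script audits a hostapd access-point configuration against the requirements stated above for WPA3 (no legacy protocols, PMF required), the WPA3-Enterprise 192-bit mode (GCMP-256 and BIP-GMAC-256) and Enhanced Open (OWE). The option names and values are real hostapd keys; the sample configurations are constructed for illustration.

```python
# Added example (not Wi-Fi Alliance tooling): audit a hostapd.conf against the
# WPA3 / Enhanced Open rules above. hostapd keys are real; samples are constructed.

def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf, skipping comments and blanks."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return (profile, findings); an empty findings list means no violation found."""
    akm = set(cfg.get("wpa_key_mgmt", "").split())
    pairwise = set(cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split())
    pmf = cfg.get("ieee80211w", "0")  # 0 = disabled, 1 = optional, 2 = required
    findings = []
    if "WPA-EAP-SUITE-B-192" in akm:
        profile = "WPA3-Enterprise 192-bit"
        if pairwise != {"GCMP-256"}:
            findings.append("192-bit mode requires GCMP-256 as the only pairwise cipher")
        if cfg.get("group_mgmt_cipher") != "BIP-GMAC-256":
            findings.append("192-bit mode requires BIP-GMAC-256 for management frames")
    elif "SAE" in akm:
        profile = "WPA3-Personal transition" if "WPA-PSK" in akm else "WPA3-Personal"
    elif "OWE" in akm:
        profile = "Enhanced Open"
    elif akm:
        profile = "WPA2"
    else:
        profile = "open/legacy"
    # Legacy protocols (WPA/TKIP, WEP) are disallowed on any WPA3 network.
    if cfg.get("wpa") in ("1", "3"):
        findings.append("wpa=%s negotiates WPA (TKIP era); use wpa=2" % cfg["wpa"])
    if "TKIP" in pairwise:
        findings.append("TKIP is a legacy cipher")
    if any(k.startswith("wep_") for k in cfg):
        findings.append("WEP keys are configured")
    # PMF is mandatory on WPA3 and Enhanced Open; transition mode must at least offer it.
    if profile.endswith("transition") and pmf == "0":
        findings.append("transition mode needs ieee80211w>=1 so SAE clients get PMF")
    elif profile in ("WPA3-Personal", "WPA3-Enterprise 192-bit", "Enhanced Open") and pmf != "2":
        findings.append("WPA3 and Enhanced Open require ieee80211w=2 (PMF mandatory)")
    return profile, findings

# Constructed samples: a legacy mixed-mode WPA2 AP and a compliant WPA3-Personal AP.
WPA2_LEGACY = "wpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP CCMP\nieee80211w=0\n"
WPA3_PERSONAL = "wpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\nieee80211w=2\nsae_password=example\n"
```

Running `audit(parse_hostapd(open("/etc/hostapd/hostapd.conf").read()))` on a live configuration reports the negotiated profile and any deviation from the baseline described on this page.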

Frequently Asked Questions
  • What does “security” mean in the context of Wi-Fi?

    In the context of Wi-Fi technology, security means two things. First, controlling who can connect to and configure your network and equipment. Second, it means securing the data travelling wirelessly across your Wi-Fi network from unauthorized view.

    Wi-Fi security is just one aspect of network security. A protected Wi-Fi network is a great start, but you should also consider measures to protect your computer (antivirus software, firewall, etc.) and your communications across the internet (virtual private network (VPN), etc.).

  • What is the KRACK attack?

    This term refers to a potential key reinstallation vulnerability detected in late 2017. Wi-Fi Alliance took steps immediately to ensure users can continue to count on Wi-Fi to deliver strong security protections. For more information on this issue view our security update.

  • What are Protected Management Frames?

    Wi-Fi CERTIFIED WPA2™ with Protected Management Frames and Wi-Fi CERTIFIED WPA3™ provide protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesdropping and forging, and multicast management action frames are protected from forging. Wi-Fi CERTIFIED™ ac, WPA3™, Passpoint®, Wi-Fi Agile Multiband™ and Wi-Fi Optimized Connectivity™ devices require Protected Management Frames. They augment privacy protections already in place for data frames with mechanisms to improve the resiliency of mission-critical networks.

  • Are Wi-Fi CERTIFIED products protected by security?

    As of July 1, 2020, all new Wi-Fi CERTIFIED devices require WPA3. The only way to be sure that a product meets the latest security standards is to purchase only Wi-Fi CERTIFIED products.

  • What security measures should I take when working away from my home?

    Configure Wi-Fi client devices (laptops, handsets, and other Wi-Fi enabled products) to enable security protections.

    Configure for approved connections: Many devices are set by default to sense and automatically connect to any available wireless signal. Wi-Fi Alliance recommends that you configure your device to not automatically connect to an open network without your approval.

    Disable sharing: Wi-Fi enabled devices may automatically enable themselves to sharing / connecting with other devices when attaching to a wireless network. File and printer sharing may be common in business and home networks, but this should be avoided in a public network such as a hotel, restaurant, or airport hotspot.

    Users may also wish to use complementary security measures to improve the security of their activity over the internet including virtual private networks (VPNs), firewalls, etc.

  • What are “legacy protocols”?

    Legacy protocols are earlier generations of Wi-Fi security that have been updated or replaced over time as the security landscape has changed. The original security standard was Wired Equivalent Privacy (WEP). It was replaced by the original Wi-Fi Protected Access (WPA) in 2003 as an interim solution to the limited protection offered by WEP. The WPA program added support for Temporal Key Integrity Protocol (TKIP) encryption, an older form of security technology with some vulnerability to cryptographic attacks. WPA was replaced in 2004 by the more advanced protocols of WPA2.

    Though the threat of a security compromise is small, users should not purchase new equipment which supports only WPA with TKIP. Only devices supporting WPA2 and WPA3 security should be purchased and used.
