2.3 Given a scenario, select and configure wireless devices and technologies
Encryption
📘CompTIA Network+ (N10-009)
What Is WPA3?
WPA3 (Wi-Fi Protected Access 3) is the latest and most secure wireless security standard used to protect Wi-Fi networks. It addresses the weaknesses found in earlier versions like WPA2 and provides much stronger protection for both personal and enterprise wireless environments.
The main goal of WPA3 is to make wireless security more resistant to attacks, harder to crack, and easier to configure securely.
CompTIA expects you to understand WPA3 features, benefits, differences from WPA2, and when it should be used.
Why WPA3 Was Introduced
WPA2 had several vulnerabilities:
- Weaknesses during the 4-way handshake process
- Vulnerability to offline dictionary attacks
- Problems with open (public) networks that lacked encryption
- Issues with device onboarding and authentication in enterprise environments
WPA3 addresses all these issues with modern cryptographic methods.
Key Features of WPA3 (for the exam)
1. SAE (Simultaneous Authentication of Equals)
This is one of the most important exam topics.
SAE replaces WPA2’s PSK (Pre-Shared Key) method.
SAE provides:
- Protection against offline dictionary attacks (attackers cannot capture handshake data and try passwords later)
- Forward secrecy, meaning even if a password is stolen in the future, past traffic cannot be decrypted
- Stronger authentication, especially for weak passwords
- More resistance to brute-force attempts
SAE is the main authentication method used in WPA3-Personal networks.
2. WPA3-Personal
This version is used for typical small networks that do not use RADIUS servers.
Features:
- Uses SAE instead of PSK
- Stronger encryption
- Improved protection even if users choose weak passwords
- Prevents attackers from capturing wireless handshakes to crack passwords offline
CompTIA may ask:
“Which authentication method does WPA3-Personal use?”
Answer: SAE
3. WPA3-Enterprise
Used in organizations that authenticate through a RADIUS server (802.1X environments).
Improvements over WPA2-Enterprise:
- Support for 192-bit security level, following CNSA (Commercial National Security Algorithm Suite) cryptographic requirements
- Stronger encryption for sensitive networks
- More protection for large user bases and enterprise environments
CompTIA may ask:
“WPA3 mode that provides 192-bit encryption?”
Answer: WPA3-Enterprise 192-bit mode
4. Enhanced Open (Opportunistic Wireless Encryption – OWE)
This is not the same as a normal “open” Wi-Fi network.
OWE encrypts data even when no password is used.
Key points:
- Provides automatic encryption on public/open networks
- Prevents passive eavesdropping
- Does not require user authentication
CompTIA may refer to this as:
- Enhanced Open
- OWE
- WPA3’s open network protection
5. Protected Management Frames (PMF) – Required
WPA3 requires PMF, which protects Wi-Fi management frames from attacks.
PMF prevents:
- Deauthentication attacks
- Disassociation attacks
- Spoofed management frame attacks
WPA2 only recommended PMF, but WPA3 enforces it.
Exam tip:
If PMF is mandatory → WPA3
6. Stronger Encryption
WPA3 uses more advanced cryptographic standards, including:
- 128-bit minimum encryption (WPA3-Personal)
- 192-bit encryption (WPA3-Enterprise 192-bit mode)
This makes traffic harder to decode even if captured.
7. Improved Device Onboarding – Wi-Fi Easy Connect
This is important for environments with devices that have:
- No screen
- Limited configuration options
Easy Connect allows secure onboarding using:
- A QR code
- A trusted device that acts as a configurator
This is helpful in IT environments where IoT devices or network equipment need quick but secure onboarding.
WPA3 vs. WPA2 – Exam Comparison Table
| Feature | WPA2 | WPA3 |
|---|---|---|
| Authentication Method | PSK | SAE |
| Offline Dictionary Attack Resistance | Weak | Strong |
| Forward Secrecy | No | Yes |
| PMF | Optional | Required |
| Encryption Strength | 128-bit | 128-bit (personal), 192-bit (enterprise) |
| Open Network Encryption | None | Enhanced Open / OWE |
| Device Onboarding | WPS (weak) | Easy Connect |
CompTIA loves these comparison questions.
Deployment Scenarios (Exam-Focused)
Use WPA3 When:
- Setting up new wireless networks with modern devices
- Protecting sensitive data
- Preventing brute-force and offline password attacks
- Deploying secure enterprise environments using 802.1X
- Configuring secure open networks in public or guest areas
Use WPA3-Enterprise When:
- A business uses RADIUS and identity-based authentication
- A network needs maximum security (192-bit mode)
Use WPA3-Personal When:
- Configuring small or medium networks without RADIUS
- You want protection against weak passwords
- You need stronger encryption and handshake security
Backward Compatibility: WPA3-Transition Mode
Some networks support WPA3 and WPA2 simultaneously.
This is called Transition Mode.
It is useful when some devices do not yet support WPA3.
Exam tip:
Transition Mode allows both WPA2 and WPA3 clients to connect.
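The modes and the PMF requirement described above show up as concrete access-point settings. As an added example (not part of the original guide), this Python script classifies a configuration as WPA2-Personal, WPA3-Personal, Transition Mode or Enhanced Open and flags a PMF setting that does not match the mode. It assumes hostapd-style `wpa_key_mgmt` and `ieee80211w` options, which the guide itself does not mention; the sample configurations are constructed.

```python
# Added example: audit hostapd-style settings against the WPA3 features above.
SAMPLES = {  # constructed configurations, not taken from any real device
    "wpa2": "ssid=lab-legacy\nwpa=2\nwpa_key_mgmt=WPA-PSK\nieee80211w=0\n",
    "wpa3": "ssid=lab-secure\nwpa=2\nwpa_key_mgmt=SAE\nieee80211w=2\n",
    "transition": "ssid=lab-mixed\nwpa=2\nwpa_key_mgmt=WPA-PSK SAE\nieee80211w=1\n",
    "owe": "ssid=lab-guest\nwpa=2\nwpa_key_mgmt=OWE\nieee80211w=2\n",
    "broken": "ssid=lab-bad\nwpa=2\nwpa_key_mgmt=SAE\nieee80211w=1\n",
}
PMF = {"0": "disabled", "1": "optional", "2": "required"}  # ieee80211w values

def parse(text):
    """Parse key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(text):
    """Return (mode, findings) for one SSID's configuration."""
    cfg = parse(text)
    akms = set(cfg.get("wpa_key_mgmt", "").split())
    pmf = PMF.get(cfg.get("ieee80211w", "0"), "disabled")
    findings = []
    if not akms or cfg.get("wpa", "0") == "0":
        return "Open (no encryption)", ["unencrypted; consider Enhanced Open (OWE)"]
    if akms == {"OWE"}:
        mode = "Enhanced Open (OWE)"
    elif akms == {"SAE"}:
        mode = "WPA3-Personal"
    elif akms == {"WPA-PSK", "SAE"}:
        mode = "WPA3-Transition"
        findings.append("WPA2 clients still use PSK; their handshakes stay crackable offline")
    elif akms == {"WPA-PSK"}:
        mode = "WPA2-Personal"
        findings.append("PSK handshake can be captured and attacked offline; move to SAE")
    else:
        mode = "Other (" + " ".join(sorted(akms)) + ")"
    # Pure WPA3 and OWE need PMF required; Transition Mode needs at least optional.
    if mode in ("WPA3-Personal", "Enhanced Open (OWE)") and pmf != "required":
        findings.append("PMF is " + pmf + " but WPA3 requires it (ieee80211w=2)")
    elif mode == "WPA3-Transition" and pmf == "disabled":
        findings.append("PMF disabled; WPA3 clients need it (use ieee80211w=1)")
    return mode, findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text))
```

Transition Mode is reported with a finding because the WPA2 side of the network keeps the PSK weaknesses listed earlier, so it is best treated as a migration step.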
Common WPA3 Exam Questions to Expect
1. What authentication method does WPA3-Personal use?
→ SAE
2. What feature protects open Wi-Fi networks under WPA3?
→ Enhanced Open (OWE)
3. What protects against offline dictionary attacks?
→ SAE
4. What level of encryption does WPA3-Enterprise (192-bit mode) use?
→ 192-bit CNSA-compliant encryption
5. What protects management frames in WPA3?
→ PMF (mandatory)
Summary (Easy to Remember)
- WPA3 is the newest wireless security standard.
- WPA3-Personal uses SAE for stronger authentication.
- WPA3-Enterprise supports 192-bit encryption.
- Enhanced Open encrypts open networks using OWE.
- PMF is required in WPA3.
- Transition Mode allows WPA2 and WPA3 support together.
If you understand these points, you will be well prepared for the Network+ exam questions related to WPA3.
