The most obvious extension is the introduction of a new encryption process, namely AES-CCM. As the name already suggests, this encryption scheme is based on AES, the successor to DES, unlike WEP and TKIP, which are both based on RC4. Not all older WLAN clients support TKIP, so 802.11i continues to specify TKIP, although with the opposite prerequisites: any 802.11i-compliant hardware must support AES, while TKIP is optional. In WPA, this was exactly the other way around, with the use of AES being optional. With WPA3, the only permitted security methods are those considered to be secure at the time of adoption. Methods such as TKIP, with known security vulnerabilities, may no longer be used.
The suffix CCM denotes the way in which AES is used in WLAN packets. The process is quite complicated, which is why CCM is only sensibly implemented in hardware. Software-based implementations are possible, but would result in significant speed penalties due to the processors commonly used in access points.
In contrast to TKIP, AES requires only a 128-bit key for both encryption and protection against packet falsification. Furthermore, CCM is fully symmetric, i.e. the same key is used in both directions of communication. A standards-compliant TKIP implementation, on the other hand, requires different Michael keys in the send and receive directions, which makes CCM significantly easier to use than TKIP.
Like TKIP, CCM uses a 48-bit initialization vector (IV) in each packet, so an IV repetition is impossible in practice. As in TKIP, the receiver notes the last IV used and drops packets with an IV that is equal to or less than the comparison value.
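The receive-side behaviour described above, as an added example that is not taken from the original text or from any vendor implementation: one 128-bit key provides both encryption and falsification protection through AES-CCM, and the receiver drops any packet whose 48-bit IV (packet number) is not greater than the last accepted one. It assumes the Python `cryptography` package; the class and function names, the key, the MAC address and the header bytes are constructed for illustration, and the nonce layout is a simplified form of the one used in WLAN frames.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

MIC_LEN = 8              # 8-byte integrity check value appended to each frame
PN_MAX = (1 << 48) - 1   # 48-bit packet number (the "IV" of the text)

def ccm_nonce(sender: bytes, pn: int, priority: int = 0) -> bytes:
    """13-byte nonce: priority byte, transmitter MAC, 48-bit PN (simplified)."""
    return bytes([priority]) + sender + pn.to_bytes(6, "big")

class Sender:  # hypothetical helper, not a real driver API
    def __init__(self, key: bytes, addr: bytes):
        self.ccm, self.addr, self.pn = AESCCM(key, tag_length=MIC_LEN), addr, 0

    def protect(self, payload: bytes, aad: bytes):
        if self.pn >= PN_MAX:
            raise RuntimeError("packet numbers exhausted, a new key is required")
        self.pn += 1  # never reuse a PN under the same key
        return self.pn, self.ccm.encrypt(ccm_nonce(self.addr, self.pn), payload, aad)

class Receiver:  # hypothetical helper, not a real driver API
    def __init__(self, key: bytes, peer: bytes):
        self.ccm, self.peer, self.last_pn = AESCCM(key, tag_length=MIC_LEN), peer, 0

    def accept(self, pn: int, frame: bytes, aad: bytes):
        if pn <= self.last_pn:
            return None  # replay: PN equal to or less than the last one seen
        try:
            plain = self.ccm.decrypt(ccm_nonce(self.peer, pn), frame, aad)
        except InvalidTag:
            return None  # modified or forged frame; counter stays unchanged
        self.last_pn = pn  # advance only after the integrity check has passed
        return plain

def demo():
    key = bytes(range(16))                   # constructed 128-bit key
    ap = bytes.fromhex("020000000001")       # constructed MAC address
    aad = b"constructed header fields"       # stands in for the protected header
    tx, rx = Sender(key, ap), Receiver(key, ap)
    pn1, f1 = tx.protect(b"frame one", aad)
    pn2, f2 = tx.protect(b"frame two", aad)
    forged = f2[:-1] + bytes([f2[-1] ^ 1])   # flip one bit of the check value
    return [rx.accept(pn1, f1, aad), rx.accept(pn1, f1, aad),
            rx.accept(pn2, forged, aad), rx.accept(pn2, f2, aad)]

if __name__ == "__main__":
    print(demo())
```

Because the counter advances only after the integrity check succeeds, the forged frame does not prevent the genuine frame with the same packet number from being accepted afterwards.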