WPA3 Opportunistic Wireless Encryption – frame format – Basics

Posted in WPA3

New Wi-Fi Enhanced Open™ technology infuses no-hassle advanced cryptography for open networks

We’ve all come to expect fast, reliable, and secure wireless access everywhere. Wi‑Fi® has steadily delivered increasing performance, and it is essential that privacy and security evolve as well to meet ongoing threats.

Wi-Fi CERTIFIED Enhanced Open™ is the first in a series of programs Wi-Fi Alliance® is launching to address the unique demands of modern connection scenarios. It provides confidentiality for over-the-air communications, while maintaining simplicity, in areas where we all collaborate, such as coffee shops and restaurants, as well as airports, hotels and sports arenas.

New capabilities for personal and enterprise Wi-Fi networks will emerge later this year as part of Wi-Fi CERTIFIED WPA3™.

Wi-Fi Enhanced Open™ is based on the Opportunistic Wireless Encryption (OWE) standard. A product of the Internet Engineering Task Force (IETF), OWE, defined in RFC 8110, specifies an extension to IEEE 802.11 that uses a cryptographic handshake to encrypt the devices connecting open network access points. OWE uses some of the same underlying cryptography developed for the Simultaneous Authentication of Equals (SAE). SAE was previously included in the IEEE 802.11s standard and is in the process of being incorporated into WPA3.

Reference – https://www.wi-fi.org/beacon/dan-harkins/wi-fi-certified-enhanced-open-transparent-wi-fi-protections-without-complexity

Reference – https://tools.ietf.org/html/rfc8110

This memo specifies an extension to IEEE Std 802.11 to provide for opportunistic (unauthenticated) encryption to the wireless media.

An access point advertises support for OWE using an Authentication and Key Management (AKM) suite selector for OWE. This AKM is illustrated in the capture below and is added to the Robust Security Network (RSN) element, defined in [IEEE802.11], in all beacons and probe response frames the AP issues.

AKM in the RSN element but does not have a Diffie-Hellman Parameter element.

For interoperability purposes, a compliant implementation MUST support group nineteen (19), a 256-bit elliptic curve group. If the AP does not support the group indicated in the received 802.11 association request, it MUST respond with an 802.11 association response with a status code of seventy-seven (77) indicating an unsupported finite cyclic group. A client that receives an 802.11 association response with a status code of seventy-seven SHOULD retry OWE with a different supported group and, due to the unsecured nature of 802.11 association, MAY request association again using the group that resulted in failure. This failure SHOULD be logged, and if the client abandons association due to the failure to agree on any group, notification of this fact SHOULD be provided to the user.

A client wishing to do OWE MUST indicate the OWE AKM in the RSN element portion of the 802.11 association request and MUST include a Diffie-Hellman Parameter element to its 802.11 association request (see the Wireshark packet capture below). An AP agreeing to do OWE MUST include the OWE AKM in the RSN element portion of the 802.11 association response.

OWE flow – reference – https://d2cpnw0u24fjm4.cloudfront.net/wp-content/uploads/WLPC_2019_WPA3-OWE-and-DDP_Hemant-Chaskar.pdf, page 8

Association request

Association response

Once the keys are agreed upon and validated, the STA proceeds through the 4-way handshake.

OWE Cisco WLC 8.10 – Ensure that you have created at least one WLAN with Layer 2 Security set to Enhanced Open.

Beacons


Aruba – OWE

With Aruba 8.4, a single SSID is created.

Aruba OWE – Frame format

Beacons – defined OWEABURA and broadcast SSIDs. Analysis of the packet capture reveals that the defined OWEABURA SSID does NOT carry the RSN info. However, the frame does carry a vendor-specific Wi-Fi Alliance field that specifies “OWE transition mode” and an “SSID” field.

The second beacon, identified as “SSID=Wildcard”, does carry the RSN field that identifies the Authentication and Key Management (AKM) suite.
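To tie the RFC 8110 rules quoted above (OWE AKM selector, Diffie-Hellman Parameter element, mandatory group 19, status code 77) to the Aruba transition-mode beacons just described, here is an added Python example; it is not code from the post, the RFC or either vendor. It walks the information elements of a management frame body, reports the OWE-relevant fields an analyst would look for in a capture, and applies the AP-side group check. Element IDs, suite selectors and the WFA OUI/type are the standard values; the frame bodies, BSSID, SSID names and public keys are constructed dummies.

```python
import struct
# Identifiers from RFC 8110, IEEE 802.11 and the WFA OWE transition-mode definition
EID_RSN, EID_VENDOR, EID_EXTENSION = 48, 221, 255
EID_EXT_OWE_DH_PARAM = 32                       # Diffie-Hellman Parameter element (ext ID)
AKM_OWE = bytes.fromhex("000fac12")             # OWE AKM suite selector 00-0F-AC:18
WFA_OWE_TRANSITION = bytes.fromhex("506f9a1c")  # vendor IE: WFA OUI 50-6F-9A, type 0x1C
SUPPORTED_GROUPS = {19}                         # group 19 (P-256) is mandatory to support
STATUS_UNSUPPORTED_GROUP = 77                   # "unsupported finite cyclic group"
ie = lambda eid, p: bytes([eid, len(p)]) + p    # build one element: ID, length, payload

def iter_elements(body):
    """Yield (element_id, payload) for each information element in a frame body."""
    off = 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        yield eid, body[off + 2:off + 2 + ln]
        off += 2 + ln
def rsn_akms(payload):
    """AKM suite selectors of an RSN element: version, group, pairwise list, AKM list."""
    off = 8 + 4 * struct.unpack_from("<H", payload, 6)[0]   # skip the pairwise suites
    n_akm = struct.unpack_from("<H", payload, off)[0]
    return [payload[off + 2 + 4 * i:off + 6 + 4 * i] for i in range(n_akm)]

def inspect_owe(body):
    """Summarise the OWE-relevant elements of a beacon, probe or association frame body."""
    info = {"owe_akm": False, "dh_group": None, "dh_pubkey_len": None,
            "transition_bssid": None, "transition_ssid": None}
    for eid, p in iter_elements(body):
        if eid == EID_RSN:
            info["owe_akm"] = AKM_OWE in rsn_akms(p)
        elif eid == EID_EXTENSION and p and p[0] == EID_EXT_OWE_DH_PARAM:
            info["dh_group"] = struct.unpack_from("<H", p, 1)[0]  # little-endian group id
            info["dh_pubkey_len"] = len(p) - 3                     # 32 = P-256 x-coordinate
        elif eid == EID_VENDOR and p[:4] == WFA_OWE_TRANSITION:
            info["transition_bssid"] = p[4:10].hex(":")            # BSSID of hidden OWE BSS
            info["transition_ssid"] = p[11:11 + p[10]].decode(errors="replace")
    return info

def association_status(info):
    """AP-side rule from RFC 8110: 77 when the offered group is unsupported, else 0."""
    if not info["owe_akm"] or info["dh_group"] is None:
        return None                                 # not an OWE association request
    return 0 if info["dh_group"] in SUPPORTED_GROUPS else STATUS_UNSUPPORTED_GROUP

# Constructed sample bodies (not from a real capture); public keys are dummy bytes
RSN_OWE = ie(EID_RSN, bytes.fromhex("0100000fac040100000fac040100") + AKM_OWE + b"\x00\x00")
ASSOC_REQ_OK = RSN_OWE + ie(EID_EXTENSION, b"\x20" + struct.pack("<H", 19) + b"\x11" * 32)
ASSOC_REQ_BAD = RSN_OWE + ie(EID_EXTENSION, b"\x20" + struct.pack("<H", 99) + b"\x22" * 32)
OPEN_BEACON = ie(0, b"OWEABURA") + ie(EID_VENDOR, WFA_OWE_TRANSITION
                                        + bytes.fromhex("020000000001") + b"\x0aOWE-hidden")
```

Running `inspect_owe(OPEN_BEACON)` reproduces the Aruba observation (no RSN element, but a transition-mode pointer to the hidden OWE BSS), while `association_status` on the two association bodies returns 0 for group 19 and 77 for the unsupported group.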


Client stats
Clients that DO NOT support OWE will still be able to utilize the WLAN but their data will not be encrypted.
