New Wi-Fi Enhanced Open™ technology infuses no-hassle advanced cryptography for open networks
We’ve all come to expect fast, reliable, and secure wireless access everywhere. Wi‑Fi® has steadily delivered increasing performance, and it is essential that privacy and security evolve as well to meet ongoing threats.
Wi-Fi CERTIFIED Enhanced Open™ is the first in a series of programs Wi-Fi Alliance® is launching to address the unique demands of modern connection scenarios. It provides confidentiality for over-the-air communications, while maintaining simplicity, in areas where we all collaborate, such as coffee shops and restaurants, as well as airports, hotels and sports arenas.
New capabilities for personal and enterprise Wi-Fi networks will emerge later this year as part of
Wi-Fi CERTIFIED WPA3™.
Wi-Fi Enhanced Open™ is based on the Opportunistic Wireless Encryption (OWE) standard. A product of the Internet Engineering Task Force (IETF), OWE, defined in RFC 8110, specifies an extension to IEEE 802.11 that uses a cryptographic handshake to encrypt the devices connecting open network access points. OWE uses some of the same underlying cryptography developed for the Simultaneous Authentication of Equals (SAE). SAE was previously included in the IEEE 802.11s standard and is in the process of being incorporated into WPA3.
reference – https://tools.ietf.org/html/rfc8110
This memo specifies an extension to IEEE Std 802.11 to provide for opportunistic (unauthenticated) encryption to the wireless media.
An access point advertises support for OWE using an Authentication and Key Management (AKM) suite selector for OWE. This AKM is illustrated in the capture below and is added to the Robust Security Network(RSN) element, defined in [IEEE802.11], in all beacons and probe response frames the AP issues.
AKM in the RSN element but does not have not a Diffie-Hellman Parameter element. For interoperability purposes, a compliant implementation MUST support group nineteen (19), a 256-bit elliptic curve group. If the AP does not support the group indicated in the received 802.11 association request, it MUST respond with an 802.11 association response with a status code of seventy-seven (77) indicating an unsupported finite cyclic group. A client that receives an 802.11 association response with a status code of seventy-seven SHOULD retry OWE with a different supported group and, due to the unsecured nature of 802.11 association, MAY request association again using the group that resulted in failure. This failure SHOULD be logged, and if the client abandons association due to the failure to agree on any group, notification of this fact SHOULD be provided to the user.
A client wishing to do OWE MUST indicate the OWE AKM in the RSN
element portion of the 802.11 association request and MUST include a
Diffie-Hellman Parameter element to its 802.11 association request. (see wireshark packet capture below)
An AP agreeing to do OWE MUST include the OWE AKM in the RSN element
portion of the 802.11 association response.
OWE Flow – reference – https://d2cpnw0u24fjm4.cloudfront.net/wp-content/uploads/WLPC_2019_WPA3-OWE-and-DDP_Hemant-Chaskar.pdf . Page (8)
Association request
Association response
Once the keys are agreed upon and are validated the STA will go through the 4-way-handshake
OWE Cisco WLC 8.10 – Ensure that you have created at least one WLAN with Layer 2 Security set to Enhanced Open.
Beacons
Aruba – OWE
With Aruba 8.4 a single SSID is created
Aruba OWE – Frame format
Beacons – defined OWEABURA and broadcast SSIDs. Analysis of the packet capture reveals that the defined OWEABURA SSID does NOT carry the RSN info. However the frame does carry a vendor specific WI-FI alliance field that does specify “OWE transition mode” and a “SSID field”
The second beacon that is being identified as “SSID=Wildcard” does carry the the RSN field that identifies the Auth Key Management (AKM) suite info.
Client stats
Clients that DO NOT support OWE will still be able to utilize the WLAN but their data will not be encrypted.
