WLAN Security Enhancements:

WPA3, OWE, DPP

Hemant Chaskar
@CHemantC
Arista Networks

Hemant Chaskar -- 1 -- Networks

 Agenda

• OWE / Enhanced OpenTM

• SAE / WPA3TM- Personal
• 192-bit Security / WPA3TM- Enterprise
• DPP / Easy ConnectTM

Hemant Chaskar -- 2 -- Networks

 Diffie-Hellman Key Generation

• Generates common secret between two parties

• No pre-shared secret required

• MITM cannot generate the common secret

Whitfield Diffie
• Based on public key cryptography

• Used in SSH, TLS, IPSec and now in OWE,

WPA3 and DPP
Martin Hellman

Hemant Chaskar -- 3 -- Networks

 Key Generation Steps
Known Values: Generator g, Modulus p
Random Priv Key: x Random Priv Key: y
Compute Pub Key: gx Send gx Compute Pub Key: gy

Send gy
Common Secret Common Secret
Impractical to compute s from gx & gy s = (gx)y = gxy
s = (gy)x = gxy
Symmetric Keys Encryption, auth and integrity Symmetric Keys
k = Hash (s, labels) protection of messages with k k = Hash (s, labels)

Delete x, s, k Delete y, s, k
FS: Forward Secrecy
Recorded messages cannot be decrypted
in future even if endpoint is compromised

Hemant Chaskar -- 4 -- Networks

 Mathematical Schemes

Finite Field Crypto (FFC) Elliptic Curve Crypto (ECC)

Era Classical Modern

Elliptic Curves:
Math MODP Groups P-256 (secp256r1),
P-384 (secp384r1) etc.

Referred as DH ECDH

IANA has assigned Group IDs to standard triplets of (scheme, g, p):

RFCs 3526, 5114, 5903.
Hemant Chaskar -- 5 -- Networks
 Public Key Sizes for High Quality Key Generation
Group ID
15360 bits
None
Symmetric Key Size

256 bits AES ID: 21

521 bits
192 bits AES 8192 bits ID: 18
ID: 20
384 bits
128 bits AES 3072 bits ID: 15
ID: 19
256 bits

112 bits TDES 2048 bits ID: 14

224 bits ID: 26

Public Key Size

DH ECDH (For Private Key Size = 2 x Symmetric Key Size)

• Ref: NIST Special Publication 800-57, Table 2 and RFC 3766.

Hemant Chaskar -- 6 -- Networks
 OWE (Opportunistic Wireless Encryption)

• Encryption for hitherto OPEN wireless links

• Idea: Carry ECDH public keys in Association Req/Res to

generate symmetric encryption key

• OWE is defined in RFC 8110

• Enhanced OpenTM: Wi-Fi Alliance certification of OWE

Hemant Chaskar -- 7 -- Networks

 OWE Message Flow
Open Auth Req & Res

ECDH priv/pub key pair Assoc Req [Group ID, client ECDH pub key] Group 19 (P-256 Curve)
mandatory to support.
Assoc Res [AP ECDH pub key] ECDH priv/pub key pair

s = Common secret AKM Suite Selector 00-0F-AC:18 for OWE

s = Common secret
PMK = HMAC (s, labels) PMK = HMAC (s, labels)
(256 bits master key) (256 bits master key)
PTK = [KCK | KEK | TK] = EAPOL 4-way handshake PTK = [KCK | KEK | TK] =
HMAC(PMK, MACs, Nonces) HMAC(PMK, MACs, Nonces)
Transport random GTK, IGTK
CCMP with 128 bits TK & GTK
BIP CMAC with 128 bits IGTK
(Others optional)
Hemant Chaskar -- 8 -- Networks
 OWE Packet Trace

Assoc Req/Res

AKM: 00-0F-AC:18 (Hex 12)

ECDH Public Key

Hemant Chaskar -- 9 -- Networks

 Enhanced Open Supplemental Requirements
• Protected Management Frame (PMF)
• PMK caching to avoid ECDH computation on reassociation
• OWE Transition Mode
Beacon #1 (shows up in client scan) Beacon #2 (used for OWE connection)
BSSID: BSSID-OPEN BSSID: BSSID-OWE
SSID: SSID-OPEN SSID: Length = 0
BSSID-OWE, SSID-OWE, BSSID-OPEN, SSID-OPEN,
OTME: OTME:
OWE band, OWE channel OPEN band, OPEN channel
AKM Suite = 00-0F-AC:18
OTME: OWE Transition Mode Element RSNE: MFPR = 1, MFPC = 1
RSNE: Robust Security Network Element Group, Pairwise, BIP Ciphers

Hemant Chaskar -- 10 -- Networks

 OWE Security Forecast: Sunny, but Cold!
Encryption better than not (e.g., for HTTP browsing).

In TLS (e.g., HTTPS), sensitive traffic is encrypted e2e.

• OWE can protect against one off situations, e.g., HTTPS
cookies installed in browser without secure flag set later
get sent in HTTP request.

No protection from wireless MITM:

• OWE does not provide AP authentication.
• Honeypot / Evil Twin AP threat in public WiFi is
not addressed by OWE.
Hemant Chaskar -- 11 -- Networks
 SAE (Simultaneous Authentication of Equals)
• Eliminates offline dictionary attack on WiFi passwords
• SAE is specified in IEEE 802.11 Standard
• Based on Dragonfly protocol (IRTF RFC 7664)
• Dragonfly is based on SPEKE protocol, circa 1996
• These types of schemes are called PAKE

• WPA3TM- Personal: Wi-Fi Alliance SAE certification

SPEKE: Simple Password Exponential Key Exchange
PAKE: Password Authenticated Key Exchange

Hemant Chaskar -- 12 -- Networks

 Offline Dictionary Attack on WPA2-Personal

Password  PMK -- Begin 4-Way handshake --

[ANonce, …]
PTK = [KCK | KEK | TK] =
HMAC(PMK, MAC adrs, ANonce,
SNonce) [SNonce, …, MIC Computed with KCK]

Use Information
from sniffed frames • Decrypt frames
sniffed on air
Guess Compute Compute MIC Y Password (past and future)
Password PMK, PTK MIC Match? Cracked! • Unauthorized
N access to
Next Guess network

Hemant Chaskar -- 13 -- Networks

 Offline Dictionary Attack: Root Cause Analysis

• WPA2-Personal: Password converted to PMK via PBKDF2:

• PMK = Hash(Password, SSID, counters)_4096 times (RFC 2898)

PMK Entry Method Key Combinations

256 bits PMK (= PSK) directly entered 2256
8-character alphanumeric password  256 bits PMK 248
Dictionary words, short/weak passwords, social Even smaller
engineering etc. search space

• SAE: Ensures PMK combinations space of 2128 or more

• Irrespective of size or quality of password

Hemant Chaskar -- 14 -- Networks

 PMK Generation Analogy
Wheel Size Readout PMK guess is over at least 2128 values [random
(Sectors) Position spin on large wheel], independent of password.
• Forward Secrecy: Impractical to decrypt
sniffed traffic even if password is revealed.
• Password Crack Resistance: Password
guess indistinguishable as right or wrong.
Password is for mutual authentication only
[readout position].
Spin

WPA2-Personal SAE
Readout Position Static Password Dependent
Wheel Size (Sectors) Password Combinations 2128 or more
Spin Password Actual Random (ECDH Private Key)

Hemant Chaskar -- 15 -- Networks

 SAE = OWE + Password
• g is derived as function of password (and MAC
adrs). It is called PWE (PassWord Element).
• p is still taken from standard set.

ECDH parameters = g,
g p
Random: x Random: y
Compute: gx Send gx Compute: gy
Send gy
Common Secret Common Secret
Impractical to compute s from gx & gy s = (gx)y = gxy
s = (gy)x = gxy
PMK = PMK =
Hash (s, labels) -- Begin 4-Way handshake -- Hash (s, labels)
Hemant Chaskar -- 16 -- Networks
 SAE Message Flow
Password  PWE
Auth Commit [Group ID, client ECDH pub key]
ECDH priv/pub key pair Password  PWE
Auth Algo Number = 3
ECDH priv/pub key pair
Auth Commit [AP ECDH pub key] Group 19 support must
s = Common Secret s = Common Secret
[PMK,CK] = HMAC(s, labels) Auth Confirm [HMAC of CK and labels1] [PMK,CK] = HMAC(s, labels)

Auth Confirm [HMAC of CK and labels2] Client authenticated to AP

AP authenticated to client
Assoc Req/Res [AKM: 00-0F-AC:8]

EAPOL 4-way handshake

PTK = [KCK | KEK | TK] PTK = [KCK | KEK | TK]
CCMP with 128 bits TK & GTK GTK, IGTK
BIP CMAC with 128 bits IGTK
(Others optional)
Hemant Chaskar -- 17 -- Networks
 SAE Packet Trace (Auth Commit)

Auth Handshake

Auth Algo = 3

Auth Commit containing

ECDH public key (FFE)

Hemant Chaskar -- 18 -- Networks

 SAE Packet Trace (Auth Confirm)

Auth Handshake

Auth Algo = 3

Auth Confirm containing

HMAC hash of (CK,labels1)

Hemant Chaskar -- 19 -- Networks

 WPA3-Personal Supplemental Requirements
• Protected Management Frame (PMF)
• PMK caching to avoid ECDH computation on reassociation
• Anti-clogging tokens:

• Throttle Auth Commit flood from client with varying MAC addresses
to prevent DoS on AP

• Fast Transition (FT) not required for certification

• Though SAE in 802.11 standard supports FT (AKM: 00-0F-AC:9)

Hemant Chaskar -- 20 -- Networks

 What About Online Dictionary Attack?
Online Dictionary Attack: Preventive Measures:
Try pwd1 • Limit attempt rate by
Try pwd2 introducing delay after failed
attempts

Try pwdN • Alert on multiple

authentication failures

• SAE does not prevent this attack. • Don’t use passwords like
welcome123, abcd123,
• With SAE though, password guest123 etc., which could
cracking still does not result in traffic be the top attempt choices
decryption, i.e., FS is achieved.

Hemant Chaskar -- 21 -- Networks

 WPA3TM - Enterprise

• Use at least 192-bit security strength across the protocol

• 802.1x TLS, 4-way handshake, pairwise/group/BIP ciphers

• N-bit security means bruteforcing requires searching 2N key values

AES Key Key Space Some Comparable Orders of Magnitude

128 bits 2128 Number of water drops in earth’s oceans ~ 285
192 bits 2192 Number of atoms in sun ~ 2188
256 bits 2256 Number of atoms in known universe ~ 2257

• For public key crypto, we need private key size = 2 x N

Hemant Chaskar -- 22 -- Networks

 802.1x EAP-TLS 192-bit Security TLS_ECDHE_ECDSA_WITH_
AES_256_GCM_SHA384;
[Server ECDSA static pub key]in x509 cert with P-384

[Server ECDH pub key]Sig by server ECDSA static priv key

ECDHE_ECDSA with both being
[Client ECDSA static pub key]in x509 cert keys from P-384 curve (Group 20)

[Client ECDH pub key]Sig by client ECDSA static priv key

ECDHE_ECDSA with both being
keys from P-384 curve (Group 20)

TLS tunnel with encryption and integrity protection Symmetric key gen with HMAC-SHA-384
AES-GCM with 256 bits key

PMK PMK transport outside of WPA3

scope: Use IPSec, RadSec etc.
4-way handshake
AKM #12: KCK 192 bits, KEK 256 bits
Encrypted wireless link
Ciphers #09 & #12: GCMP and BIP GMAC with 256 bits key
Hemant Chaskar -- 23 -- Networks
 Summary of Ciphers for WPA3TM - Enterprise
TLS Cipher RFC Static Keys Ephe. Keys Encryption Symmetric Key Gen
TLS_ECDHE_ECDSA_WITH_
8422 ECC 384 bits ECC 384 bits AES-GCM HMAC-SHA-384
AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_ RSA 3072
8422 ECC 384 bits AES-GCM HMAC-SHA-384
AES_256_GCM_SHA384 bits
TLS_DHE_RSA_WITH_ RSA 3072 FFC 3072
5288 AES-GCM HMAC-SHA-384
AES_256_GCM_SHA384 bits bits

AKM Suite (EAPOL) KCK MIC in EAPOL Frames KEK

00-0F-AC:12 192 bits key to 256 bits AES key to
HMAC-SHA-384
(FT AKM 13 not req for cert) generate MIC wrap GTK, IGTK

Pairwise and Group Cipher TK, GTK

00-0F-AC:09 256 bits keys for GCMP

BIP Cipher IGTK

00-0F-AC:12 256 bits key for GMAC

Hemant Chaskar -- 24 -- Networks

 Suite B, CNSA Suite, Quantum Cryptanalytics
• Suite B: Conventional NSA Security Policy
• Has algorithm selections for two levels of security: 128 and192 bits.

• CNSA Suite: New NSA Security Policy

• Keeps only 192 bits security level from Suite B.
• WPA3-Enterprise meets this.

• Quantum Resistance: Withstand futuristic (10+ years)

quantum computing based cracking
• Current public key crypto (RSA, ECDSA, DH/ECDH) projected to fail
against quantum. So, WPA3-Enterprise is NOT quantum resistant.
• Symmetric crypto (AES256, SHA384) projected to withstand quantum.

Hemant Chaskar -- 25 -- Networks

 OWE and WPA3 Device Implementation Impact
Popular crypto libraries such
Crypto Library: Algorithm APIs as OpenSSL provide crypto
and TLS APIs.
Call Crypto Algorithm APIs Call Crypto Algorithm APIs

OWE, SAE state machines WLAN Driver WPA3-Enterprise is policy

TLS Endpoint:
are in WLAN driver such as EAPOL, OWE, configuration in TLS
802.1x
hostap. SAE endpoint.
Program TK, GTK

Mainstream chips already

Radio Chipset: Inline Crypto support CCMP, GCMP
with 128 and 256 bit keys.

OWE, SAE and WPA3-Enterprise are implemented in software.

Hemant Chaskar -- 26 -- Networks
 DPP (Device Provisioning Protocol)
• Wirelessly provisions devices into secure WiFi

Configurator Enrollees

• Works in three phases:

1. Authentication
2. Configuration
3. Network Access

• Defined in Wi-Fi Alliance technical specification

• Easy ConnectTM: Wi-Fi Alliance DPP certification
Hemant Chaskar -- 27 -- Networks
 DPP Authentication Protocol
Configurator Read QR Code [ECDH static public key, Enrollee
MAC, config channels, SN number]
ECDH static key pair
Gen ECDH protocol key pair
k1 = Derived from common Auth Req [ECDH protocol public
secret of ECDH static and key, I-nonce protected with k1]
Compute k1, decrypt I-nonce
protocol keys
Gen ECDH protocol key pair
Auth Response [ECDH protocol
k2, ke = Derived from
public key, I-nonce and other things
Compute k2 common secret of ECDH
protected with ke and k2]
Compute ke: Session key protocol keys
I-nonce match means peer
Auth Confirm
owns public key on QR code
• Auth messages are formatted as 802.11 Public Action frames.
• Above messaging can be extended to perform mutual authentication too.
• Out of band (OOB) bootstrapping options: QR, NFC, Bluetooth. In-band option: PKEX.
Hemant Chaskar -- 28 -- Networks
 DPP Configuration Protocol
Configurator Enrollee
Config Request
These messages
Config Response are protected with
[Configuration Object] session key ke

• Config messages are formatted as 802.11 GAS Action frames.

• Configuration types:

AKM Configured Credentials DPP Connector:

WPA2 Pre-Shared Key or Net Access Key: Enrollee
psk
Passphrase ECDH protocol public key
sae Password Dig Sig on Net Access Key by
dpp DPP Connector, C-sign-Key Configurator’s signing key (private
counterpart of C-sign key)
Hemant Chaskar -- 29 -- Networks
 Network Access with Connector
Enrollee Access Point
Peer Discovery Request [Connector]
Check digital signature on
Connector using C-sign key
Peer Discovery Response [Connector]
Check digital signature on
Connector using C-sign key
s = Common secret
s = Common secret computed using Net Access
computed using Net Access Key from Connector
Key from Connector
PMK = HMAC(s, labels) EAPOL 4-way handshake PMK = HMAC(s, labels)

Discovery messages are formatted as 802.11 Public Action frames.

Hemant Chaskar -- 30 -- Networks
 Network Access with Connector
Enrollee Access Point
Peer Discovery Request [Connector]
Check digital signature on
Connector using C-sign key
Peer Discovery Response [Connector]
Check digital signature on
Connector using C-sign key
s = Common secret
s = Common secret computed using Net Access
computed using Net Access Key from Connector
Key from Connector
PMK = HMAC(s, labels) EAPOL 4-way handshake PMK = HMAC(s, labels)

Discovery messages are formatted as 802.11 Public Action frames.

Hemant Chaskar -- 31 -- Networks
 Summary
OWE WPA3-Personal WPA3-Enterprise DPP

Password + .1x, EAPOL, RSN ECDH for secure

ECDH with
Scheme ECDH with Auth parameters for device
Assoc Req/Res
Commit/Confirm 192 bits security provisioning

Encryption on Offline password Cryptography

Strength every wireless attack prevention, compliant with Comprehensive
link forward secrecy CNSA suite

Does not work Does not prevent

Not yet tried-and-
Weakness against Honeypot online password
tested
MITM AP attack
Time to Immediate with Immediate with Immediate with Medium, IOT
Market software revision software revision software revision implementations

Hemant Chaskar -- 32 -- Networks