WLPC - 2019 - WPA3 OWE and DDP - Hemant Chaskar
WLPC - 2019 - WPA3 OWE and DDP - Hemant Chaskar
WLPC - 2019 - WPA3 OWE and DDP - Hemant Chaskar
Hemant Chaskar
@CHemantC
Arista Networks
Send gy
Common Secret Common Secret
Impractical to compute s from gx & gy s = (gx)y = gxy
s = (gy)x = gxy
Symmetric Keys Encryption, auth and integrity Symmetric Keys
k = Hash (s, labels) protection of messages with k k = Hash (s, labels)
Delete x, s, k Delete y, s, k
FS: Forward Secrecy
Recorded messages cannot be decrypted
in future even if endpoint is compromised
Elliptic Curves:
Math MODP Groups P-256 (secp256r1),
P-384 (secp384r1) etc.
Referred as DH ECDH
ECDH priv/pub key pair Assoc Req [Group ID, client ECDH pub key] Group 19 (P-256 Curve)
mandatory to support.
Assoc Res [AP ECDH pub key] ECDH priv/pub key pair
Assoc Req/Res
Use Information
from sniffed frames • Decrypt frames
sniffed on air
Guess Compute Compute MIC Y Password (past and future)
Password PMK, PTK MIC Match? Cracked! • Unauthorized
N access to
Next Guess network
WPA2-Personal SAE
Readout Position Static Password Dependent
Wheel Size (Sectors) Password Combinations 2128 or more
Spin Password Actual Random (ECDH Private Key)
ECDH parameters = g,
g p
Random: x Random: y
Compute: gx Send gx Compute: gy
Send gy
Common Secret Common Secret
Impractical to compute s from gx & gy s = (gx)y = gxy
s = (gy)x = gxy
PMK = PMK =
Hash (s, labels) -- Begin 4-Way handshake -- Hash (s, labels)
Hemant Chaskar -- 16 -- Networks
SAE Message Flow
Password PWE
Auth Commit [Group ID, client ECDH pub key]
ECDH priv/pub key pair Password PWE
Auth Algo Number = 3
ECDH priv/pub key pair
Auth Commit [AP ECDH pub key] Group 19 support must
s = Common Secret s = Common Secret
[PMK,CK] = HMAC(s, labels) Auth Confirm [HMAC of CK and labels1] [PMK,CK] = HMAC(s, labels)
AP authenticated to client
Assoc Req/Res [AKM: 00-0F-AC:8]
Auth Handshake
Auth Algo = 3
Auth Handshake
Auth Algo = 3
• Throttle Auth Commit flood from client with varying MAC addresses
to prevent DoS on AP
• SAE does not prevent this attack. • Don’t use passwords like
welcome123, abcd123,
• With SAE though, password guest123 etc., which could
cracking still does not result in traffic be the top attempt choices
decryption, i.e., FS is achieved.
TLS tunnel with encryption and integrity protection Symmetric key gen with HMAC-SHA-384
AES-GCM with 256 bits key
Configurator Enrollees