Embed Size (px)
Citation preview
#ArubaAirheads
Wireless SecurityWPA3
14 November 2018, Utrecht
2#ArubaAirheads
Disclaimer
HPE Confidential—For Illustrative Purposes Only—Subject to Local Law
This presentation contains forward looking statements regarding future operations, product development, product capabilities, and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect HPE’s predictions and/or expectations as of the date of this document, and actual results and future plans of HPE may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market, and other changes. This is not a commitment to deliver any material, code, or functionality and should not be relied upon in making purchasing decisions. This document is for informational purposes only; HPE makes no warranties, express or implied, in this document.
3#ArubaAirheads
AgendaProblems with WPA2 and open networks
Wi-Fi Alliance: OWEWi-Fi Alliance: WPA3
4#ArubaAirheads
–WPA2 is past retirement (beyond a senior citizen in Internet years)⎻ Released over 10 years ago!⎻WPA2-personal was ‘broken on arrival’ and every couple years someone “rediscovers”
off-line dictionary attacks and releases a much hyped paper⎻WPA2-enterprise is still solid security-wise, but can be used in ways that lessen its
overall security and makes it more complicated to provision⎻Many shortcomings only become apparent after a few years
WHY WI-FI SECURITY NEEDS AN UPGRADE
5#ArubaAirheads
–There are use cases for which WPA2 is ill-suited⎯Captive portals for guest or BYOD onboarding use Open SSIDs⎯Coffee shops use WPA2-PSK with a shared and public PSK⎯Enterprises, banks, schools, hospitals use WPA2-PSK for IoT (or people!)⎯Hotspots have no way of offering server-side (infrastructure) only authentication
WI-FI SECURITY NEEDS AN UPGRADE
6
7
8#ArubaAirheads
9#ArubaAirheads
–Two new Wi-Fi Alliance certifications–Open is replaced by OWE – Opportunistic Wireless Encryption⎯ Problem: all wireless traffic is passed in the clear⎯ Solution: all wireless traffic gets encrypted⎯ However, OWE is an optional part for WPA3 certification
–WPA2-PSK mode is replaced by WPA3-SAE – Simultaneous Authentication of Equals⎯ Problem: passive attack results in off-line dictionary attack to discover PSK⎯ Solution: protocol is resistant to active, passive, and dictionary attack
WPA3 & ENHANCED OPEN: WHAT ARE THEY?
10#ArubaAirheads
–WPA3–Enterprise now with Suite B/CNSA grade ciphers⎯Problem: mix-and-match nature of WPA2-Enterprise can result is less-than-
optimal security⎯Solution: create a cipher suite and a set of rules to ensure consistent primitive
security
–Enhancements to certification testing⎯ Too many WPA2-Enterprise certified devices did not properly check cert chains⎯Management frame protection, optional for WPA2, is mandatory for WPA3
WPA3 ENTERPRISE & TESTING
11#ArubaAirheads
–Opportunistic Wireless Encryption (RFC 8110) –OWE performs an unauthenticated Diffie-Hellman at association time⎯Associate Request and Response exchange ephemeral (short living) keys via Diffie-Hellman⎯STA and AP calculate a unique PMK as a result of association⎯PMK is used in 4-way handshake post association to generate traffic encryption keys
ENHANCED OPEN: NO MORE CLEARTEXT
12#ArubaAirheads
Alice (STA) Bob (AP)x ß random private keyX = public key = x * G
y ß random private keyY = public key = y * G
z = F(DH(y,X))PMK = HKDF(z, label)
z = F(DH(x,Y))PMK = HKDF(z, label)
4 Way HandshakePMK+Anonce+Snonce PMK+Anonce+Snonce
Traffic Keys Traffic KeysGCMP/CCMP-protected
data data
OWE PROTOCOL FLOW
13#ArubaAirheads
From RFC 8110
+------------+----------+------------+------------------------+ | Element ID | Length | Element ID | element-specific | | | | Extension | data | +------------+----------+------------+---------+--------------+ | 255 | variable | 32 | group | public key | +------------+----------+------------+---------+--------------+
Once the client and AP have finished 802.11 association, they then complete the Diffie-Hellman key exchange and create a Pairwise Master Key (PMK) and its associated identifier, PMKID [IEEE802.11]. Given a private key x and the peer's (AP's if client, client's if AP) public key Y, the following are generated:
z = F(DH(x, Y))
prk = HKDF-extract(C | A | group, z)
PMK = HKDF-expand(prk, "OWE Key Generation", n)
14#ArubaAirheads
Frame capture with Wireshark*: OWE
* Wireshark 2.9.0 beta for WPA3/OWE attributes
AKM: 18 = OWE
15#ArubaAirheads
–Opportunistic Wireless Encryption (RFC 8110) –Completely transparent to users & admins – looks just like Open, no
provisioning–Unauthenticated, isn’t that insecure?⎯Strictly speaking yes, there are no assurances regarding who is connecting to what⎯But it’s more secure than a shared and public PSK in a coffee shop!
–Use cases:⎯Coffee shops, bars, anywhere that encryption is needed but authentication is not⎯Captive portals which throw away keys from HTTPS and then do Open 802.11
–Backward compatible via “Transition Mode”
ENHANCED OPEN: NO MORE CLEARTEXT
16#ArubaAirheads
– Advertisement and Discovery– Administrator configures a single open SSID and virtual AP– AP automatically creates two BSSes with separate beacons
– BSS1 = Normal “Open” network for non-OWE stations. New IE to indicate BSS2.– BSS2 = Hidden OWE RSN with AKM=18. New IE to indicate BSS1.
– OWE STA does active or passive scanning to discover OWE-capable AP via RSN IE– Authentication and Association
– 802.11 “Open” Authentication– Diffie-Hellman Parameter element added to Association Request/Response– STA and AP derive a PMK (that is truly pairwise, unique, and unknowable by a third party) from ephemeral
private key and other party’s public key– Post-Association
– STA and AP perform 4-way Handshake to derive Traffic Encryption Keys– Mobility
– Supports PMK caching
HOW DOES OWE TRANSITION MODE WORK?
17#ArubaAirheads
Frame capture with Wireshark*: OWE Transition Mode (Open...)
* Wireshark 2.9.0 beta for WPA3/OWE attributes
18#ArubaAirheads
Frame capture with Wireshark*: OWE Transition Mode (+hidden)
* Wireshark 2.9.0 beta for WPA3/OWE attributes
19#ArubaAirheads
OWE Association request contains Diffie-Hellman Parameter
20#ArubaAirheads
OWE Association response contains Diffie-Hellman Parameter
21#ArubaAirheads
OWE Then the 4-way handshake
22#ArubaAirheads
OWE Data Encrypted
23#ArubaAirheads
–Problem with WPA2-PSK: off-line dictionary attack⎯Susceptible to passive attack: adversary records 4-way handshake⎯Runs through all possible passwords –up to 400,000 per second– to find right one
–WPA2-PSK is replaced by SAE (802.11-2016, section 12.4)⎯Originally intended for mesh security (802.11s)⎯Password-based authentication based on Dragonfly key exchange (RFC 7664)⎯Resistant to active, passive, and dictionary attack
WPA3-PERSONAL: STRONG SECURITY FROM WEAK PASSWORDS
24#ArubaAirheads
WPA2-Personal: The dictionary attack problem
Source: Wikipedia IEEE 802.11i-2004CWSP Study Guide, 2nd Edition
PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)PMK = PSKPTK = PRF (PMK + ANonce + SNonce + Authenicator MAC + Supplicant MAC)
4-Way handshakeMIC=Message Integrity Code (Signature)
25#ArubaAirheads
WPA2-Personal: The dictionary attack problem
Source: Wikipedia IEEE 802.11i-2004CWSP Study Guide, 2nd Edition
PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)PMK = PSKPTK = PRF (PMK + ANonce + SNonce + Authenicator MAC + Supplicant MAC)
4-Way handshakeMIC=Message Integrity Code (Signature)
Brute force the PassPhrase toget the correct MIC:
26#ArubaAirheads
–SAE uses new 802.11 authentication frames⎯Authentication generates a PMK, association indicates the PMKID⎯Post-association 4-way handshake generates traffic encryption keys
–SAE provisioning is identical to WPA2-PSK⎯User enters password just like always but gets improved security behind the scenes ⎯Allows more natural passwords to be used securely⎯Soon to have password identifiers
WPA3-PERSONAL: STRONG SECURITY FROM WEAK PASSWORDS
27#ArubaAirheads
WPA3-SAE
Source: CWSP Study Guide, 2nd Edition
Elliptic CurveZero Knowledge ProofBased on Dragonfly RFC7664
28#ArubaAirheads
Frame capture with Wireshark*: SAE (Open Auth 802.11)
29#ArubaAirheads
Frame capture with Wireshark*: SAE (Association)
30#ArubaAirheads
Frame capture with Wireshark*: SAE (Commit)
31#ArubaAirheads
Frame capture with Wireshark*: SAE (Confirm)
32#ArubaAirheads
Frame capture with Wireshark*: SAE (4-way handshake)
33#ArubaAirheads
–Too many options for WPA2-Enterprise, especially for EAP authentication⎯ Diffie-Hellman or RSA key exchange? 1024-bit authenticating 2048-bit? TLS1.0? SHA1?⎯ This can result in deployments that are not as secure as expected
–Suite B AKM and GCM-256 and CCM-256 ciphersuites defined for Wi-Fi –Requires Suite B TLS ciphersuites to be used in EAP-TLS ⎯ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 using p384; or,⎯ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 using p384 and RSA > 3k; or,⎯ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 using RSA > 3k
–Policy is enforced by EAP server based on new RADIUS attributes⎯ Authenticator indicates the the Suite B AKM was negotiated
–4-way Handshake and KDF use SHA384 with Suite B AKM–Brings 256-bit encryption to Enterprise security even without Suite B
WPA3-ENTERPRISE: SuiteB/CNSA
34#ArubaAirheads
–Certificate chain testing⎯ Many WPA2-certified devices did not properly check a certificate chain⎯ Results in insecurities
–Protected Management Frames⎯ 802.11i only addressed data frame protection⎯ 802.11w (adopted the 2009 timeframe) addressed management frame protection⎯ Prevents forged disassociate/deauthenticate frames post association
–PMF is mandatory for all of WPA3 & Enhanced Open–Certificate chain validation is mandatory for WPA3-Enterprise
WPA3: ENHANCED CERTIFICATION TESTING
35#ArubaAirheads
CLIENT DEVICES
–WPA3 support required on clients for the security enhancements to be applied
– Additional requirement for clients using certificate-based EAP methods– Too many EAP servers did not properly check cert chains– WPA3 Enterprise certification will involve rigorous testing for certificate chaining
– Very few WPA3 certified clients today, increasing numbers expected from 2019
– Linux supplicant code today (version 2.6) includes WPA3 support
–Transition time of ~2 years expected for critical mass of WPA3 certified clients within Enterprises
36#ArubaAirheads
CLIENT DEVICES: LINUX, WINDOWS 10–Linux/Android: wpa_supplicant GIT version can be compiled with WPA3/OWE
–https://tweakers.net/nieuws/145427/komende-windows-10-versie-lijkt-wpa3-te-gaan-ondersteunen.html
GIT: http://w1.fi/hostap.gitecho "CONFIG_OWE=y" >> .configecho "CONFIG_SAE=y" >> .configecho "CONFIG_SUITEB=y" >> .configecho "CONFIG_SUITEB192=y" >> .config
07-11-2018 • 11:11
37#ArubaAirheads
ARUBA AND FUTURE SECURITY ENHANCEMENTS• Aruba seeking received WFA certification for ⎼ WPA3-Enterprise with CNSA Suite (requires WPA3-Personal/SAE certification)⎼ Enhanced Open/OWE⎼ Certification: https://www.wi-fi.org/product-finder-results?sort_by=default&sort_order=desc&capabilities=16&keywords=Aruba
• All modes require Management Frame Protection
• CNSA Suite implementation will be supported in AOS and Instant
• Controller managed APs will support all new enhancements in Tunnel and Decrypt-tunnel modes⎼ Controllers will perform all encryption and decryption of 802.11 traffic
38#ArubaAirheads
– 100% Encryption by default⎯ Privacy before identity credentials⎯ Encrypted walled gardens, coffee shops/bars
– New opportunities and longer lifespan for PSK⎯ Combine with strong profiling⎯ Basic IoT, Guest, BYOD, home
– Simplified 802.1X enterprise SSID with stronger encryption⎯ Leverage strong SuiteB ciphers⎯ If modern devices support it, leverage it
– Protected management frames
– Better security with no added complexity!
WHAT DOES WPA3 MEAN TO YOU?
