In January 2018, the Wi-Fi Alliance (WFA) announced WPA3 as an enhancement to WPA2. The WFA is an industry organization that labels compatible 802.11-based products as Wi-Fi Certified and holds the trademark for the Wi-Fi moniker. The WFA standards are mostly built on IEEE 802.11 standards, but sometimes it pushes standards that 802.11 adopts. Many of the same companies and people are involved in both organizations, so ideas flow both ways.
By now, you’ve probably seen the bullet points from the press release reiterated, but if you haven’t, read this Airheads Blog that was recently posted. The most interesting points are:
- Higher level of protection in open networks using Opportunistic Wireless Encryption (OWE)
- More protection for users regardless of password complexity using Simultaneous Authentication of Equals (SAE)
- Device Provisioning Protocol (DPP) will provide easier and more secure onboarding of IoT devices (such as devices with no display)
There’s not much in the way of technical details here, but it all sounds promising. However, if you actually start looking around for the key phrases, you can find out some interesting technical details.
Opportunistic Wireless Encryption
Let’s start with OWE. If you read RFC 8110, you’ll discover that it is titled Opportunistic Wireless Encryption and describes exactly what the WFA is talking about, but with the technical details. It’s actually pretty simple. The client will add its Diffie-Hellman (DH) public key to the association request and the AP will add its DH public key to the association response. After the association is complete, they will complete their DH key exchange and create a Pairwise Master Key (PMK) to use for the usual 4-way handshake, at which point everything else works as it does today.
Simultaneous Authentication of Equals
How does Simultaneous Authentication of Equals (SAE) improve security, even when passwords aren’t very complex? Well, SAE is more complex and I won’t pretend to fully understand it. However, it was part of the 802.11s (Mesh Networking) amendment, so the concept is really just being extended to non-mesh clients. The reason it is authentication of "equals" is that there is no concept of an initiator or responder; both sides are equals and authenticate each other simultaneously. This came out of an Aruba protocol called Dragonfly, which you can read more about here. According to the description of SAE in 802.11-2016 (page 1935), the protocol has some pretty impressive security features:
- An attacker is unable to determine either the password or the resulting PMK by passively observing an exchange or by interposing itself into the exchange by faithfully relaying messages between the two STAs.
- An attacker is unable to determine either the password or the resulting shared key by modifying, forging, or replaying frames to an honest, uncorrupted STA.
- An attacker is unable to make more than one guess at the password per attack. This implies that the attacker cannot make one attack and then go offline and make repeated guesses at the password until successful. In other words, SAE is resistant to dictionary attack.
- Compromise of a PMK from a previous run of the protocol does not provide any advantage to an adversary attempting to determine the password or the shared key from any other instance.
- Compromise of the password does not provide any advantage to an adversary in attempting to determine the PMK from the previous instance.
Very impressive. I look forward to gaining a better understanding of how this works.
Device Provisioning Protocol
This one appears to actually be new. There is a DRAFT technical specification that is public, which you can download from the WFA (registration required). It looks like the idea here is for essentially an automated onboarding system. The network has a Configurator which supports the setup of Enrollees (devices). This is bootstrapped via some form of OOB mechanism, such as a QR code or NFC. Everything is encrypted in the enrollment process, so part of the bootstrap info includes the enrollee’s public key.
The DPP protocol uses the bootstrap information to authenticate the enrollee, after which DPP switches to a configuration phase. During DPP configuration, the device is configured with the required information to allow it to associate with an 802.11 network. This one is also complex enough that I’m still working to understand it. It’s being billed as a way to get IoT devices on to the network more easily, but it seems like it might be a good fit for a lot more than that.
Closing Thoughts
That’s great, but when will we see this implemented? Well, there are several variables here. The biggest variable is when the WFA starts certifying WPA3 devices and publishes the requirements. They say certification will begin in 2018.
Fortunately, fairly recent existing hardware should be able to support WPA3 through a software upgrade. One question will be what features are optional and which are mandatory. It seems like optional features often don’t get implemented (PCF, anyone?). The last update I saw from the WFA said that DPP was optional, so I’m hopeful that means OWE and SAE will be required. Since the authors for the OWE RFC work for HPE and Google, the odds seem good (wild speculation here!) that Aruba APs and Android devices will support that pretty quickly. Since SAE is already a part of 802.11 mesh networking, that may be relatively easy to add on the infrastructure side.
However, it will be a while before WPA3 is widespread. There are older devices that either won’t be able to support WPA3 or will just never get upgraded to support it. Infrastructure will need to be upgraded as well as a lot of clients before it really takes off. Hopefully it takes off quickly!
