HPE Aruba Networking Blogs

Opportunistic Wireless Encryption…Um, What’s That Again?

By Dave Chen, Head of Campus Switching Product Marketing

By now you’ve heard countless stories about how insecure public Wi-Fi networks in coffee shops, bars, and large venues can be dangerous for users – malware can infect personal devices, hackers can acquire usernames and passwords, and ransomware can hold private data hostage. In places like airports, potentially millions of travelers are at risk from these types of cyberattacks because of open networks. According to an assessment by Coronet in a CNBC article, you can put a stop to these problems by not joining an open, public Wi-Fi network at all – or if you do, update your device software and use different passwords for different accounts in the event you do get hacked.

While some of these recommendations may be sensible from a device-side perspective, the reality is that you connect to open networks with the expectation that businesses are taking care of things like security – would you expect big brands to risk their image on guest Wi-Fi that can be compromised? Typically, no – which is the type of mentality many users have, and you as an IT pro need to level-set.

It’s clear then, that the burden of security is not exclusive to the user. Enterprises are facing these challenges – increasingly because of new business cases in implementing guest networks, for instance, improving the experience for patients in order to score higher on satisfaction surveys, for retail customers to target in-store promotions, or especially for hotel guests who expect all the comforts of home. These use cases exemplify how businesses can drive growth by capitalizing on insight into user behavior – which then brings them under the jurisdiction of compliance and risk if open networks remain unprotected.

To help mitigate the inherent risk of open networks, organizations can use encryption similar to WPA3’s SAE technology to negotiate the same level of encryption on open networks as on secured ones. This addresses the question I asked in the title of the blog. Organizations can implement Opportunistic Wireless Encryption (OWE) technology, as a part of Wi-Fi CERTIFIED Enhanced Open™, a Wi-Fi Alliance certification program, to protect their users on public networks.

Wi-Fi CERTIFIED Enhanced Open™

Aruba hosted Mobility Field Day 3 recently on September 14, and used the opportunity to delve into how Wi-Fi security architecture is evolving with Wi-Fi CERTIFIED WPA3™ and Wi-Fi CERTIFIED Enhanced Open™, both Wi-Fi Alliance certified programs. Aruba has spearheaded industry conversations about WPA3 over the past year so let’s take a look at the promise of Enhanced Open to eliminate open networks once and for all.

According to the Wi-Fi Alliance, Wi-Fi CERTIFIED Enhanced Open™ “provides protections in scenarios where user authentication is not desired or distribution of credentials impractical”, such as in locations like coffee shops, airports, hotels, and sports arenas. Based on OWE, which was defined in the Internet Engineering Task Force (IETF) RFC 8110 specification, the standard effectively encrypts each user’s individual connections to a public Wi-Fi network using established cryptography mechanisms. In other words, as long as the network and the client device both support OWE, a user’s device doesn’t need any authentication or password to get protections from passive eavesdropping. If the network supports OWE but the client device doesn’t, users would simply connect to an open network as usual – to ensure a seamless, uninterrupted user experience.

Now, this begs a follow-up question – what do you need to do to have an OWE-capable client device? The short of it is that your device and operating system need to support it and be certified. Since WPA3 and OWE are classified as separate standards, make sure your next device supports both – or lobby your device manufacturers until they do.

From a network operations standpoint, because this is a standard, organizations can deploy OWE over existing network infrastructure, as long as it can support the latest network operating system updates. They can continue managing their network with existing management tools, and implement captive portals and guest or public networks as they normally would, without any public passphrases to maintain, share or manage. To my earlier point on user expectations for security, OWE helps substantiate that user sessions are in fact encrypted and secured – even if the lock symbol doesn’t show in the dropdown when you choose a Wi-Fi network.

Next Generation of Secure Mobility

Standards can be ratified by committee, but are only significant when leading vendors – from infrastructure providers like Aruba, client device vendors like Samsung or Apple, and chipset manufacturers like Marvell and Broadcom – deliver the technologies to make them relevant to the mainstream. It’s not surprising then when we respond to questions like “What’s OWE?” from MFD3 or customers, partners, and vendors alike – because this is a brand new space with technology that continues to evolve to make things better and more secure.

Aruba will be delivering these new wireless security standards to market to enhance the protections our solutions already provide our customers – both on Instant and ArubaOS. Check out our quick demo of OWE at Mobility Field Day 3, and encourage your favorite vendors to integrate OWE too.