Over the last several months, we have started to see one vulnerability after another released around the WPA2 protocol. Some of these have been simple things like replaying frames in the KRACK vulnerability, but recently we’ve seen more aggressive brute force attacks using any information that can be gathered from the key exchange process. Many months before any of these attacks were released, the WiFi Alliance knew that something had to be done about the strength of presently available wireless security protocols. Yet, many think that the WiFi Alliance didn’t go far enough to help the effort. Aruba, a Hewlett-Packard Enterprise Company, took it upon themselves to lead the charge with WPA3 and another key piece that was left out of WPA3.
So why did we need an upgrade? Well, how often do you change the locks on your doors?For those of you that don’t track dates very well (myself included) the WPA2 protocol was released over 10 years ago. I don’t know about you, but that’s quite a long time ago considering how fast things in IT move these days. It was inevitable that sooner or later, breakdowns of the protocol would be identified with the increasing capabilities of processors these days to crack algorithms and passwords. And think about PSK networks. One password for a multitude of users and the hassles of trying to change a production PSK easily just simply didn’t exist. Even a PPSK network (or whatever your vendor calls their version) is susceptible to the same vulnerabilities, even though it’s hopefully a smaller scale.
So what changes with WPA3? First, WPA2-PSK mode is replaced with SAE (Simultaneous Authentication of Equals) which is truly resistant to active, passive, & dictionary attacks. No longer can someone take a PCAP of your wireless traffic for offline efforts to crack the encryption/password. Next, WPA3-ENT has been upgraded to use Suite B ciphers that help increase the strength by using a common set of rules for security implementation. Finally, management frame protection is no longer OPTIONAL, but REQUIRED in WPA3.
So what happened to OWE?
While many of the features included in WPA3 are MUCH improved over where we had been, we were greatly disheartened when Opportunistic Wireless Encryption (OWE) was left out of WPA3. Instead it was pushed off into it’s own optionally supported feature, WiFi Enhanced Open. It was one solution that brought data security to open networks by providing for anonymous encryption of user data over wireless. That’s right, no more need for VPN connections over an Open network since the data would no longer traverse the airwaves without encryption. While I won’t get into the technical details for brevity of this post, I’ll throw in a a slide here that may appease the nerds tuning in.
Aruba has spent a lot of time leading the charge within the industry to see OWE implemented fully by all wireless vendors. They truly understand the need for better security throughout the network, especially wireless. During Mobility Field Day 3 (#MFD3 on twitter) Aruba showed off their work on OWE and how it operates. After all, Dan Harkins with Aruba, was one of the original people responsible for RFC 8110 to the IEEE that outlined the need for OWE. You can read the RFC here. We were even privy to a demo of OWE using a special supplicant (compiled in Linux since it is presently not supported out of the box so to speak on the client side) so we could see just how easy it is to provide a higher level of security.
As you seen see above, there is a LOT that goes on behind the scenes. For many that provide wireless service to the general public, including this would be a massive statement that you truly care about your customers. I applaud Aruba for taking this stand, and I encourage anyone reading this to reach out to your vendors and push them to support OWE, WiFi Enhanced Open. We can’t continue down the path that we’ve been on. If so, we’re only asking for something bad to happen to our data.
Comments and questions welcome,
*slides courtesy of Aruba
**For more information on WPA3, check out this article: https://www.comparitech.com/blog/information-security/what-is-wpa3/#gref