Advancements in Wireless Security Its About Time

#CLUS Advancements in Wireless Security Its about time

Stephen Orr Distinguished Systems Engineer

Bob Sayle Technical Solutions Architect BRKEWN-2006

#CLUS Session Presenters

Stephen Orr Bob Sayle Distinguished System Engineer Technical Solutions Architect US Public Sector West Area Ent Networking CCIE #12126 (R&S, Wireless) CCIE #10189 (Security) – Emeritus @StephenMOrr @Bob_In_IT

• Provide a foundation for the next generation of Wi-Fi Security

• Standards vs Certification process (IEEE and Wi-Fi Alliance)

• Understand WPA3, Enhanced Open and Wi-Fi Easy Connect

• The right tool in the tool bag for Wireless Security Requirements • Know where and when to deploy the various security options

• Understand the pros/cons and key drivers for positioning a solution

• Basic understanding of protocols used in WLANs • IEEE 802.11 and 802.1X • IETF - EAP Methods and RADIUS

• What we are not covering: • Configurations • ISE • SDA • BYOD

• Many 2 hour Wireless breakout sessions will focus strictly on areas this presentation touches on briefly

• A brief history of Wi-Fi security

• Wi-Fi Certified Enhanced Open™

• Wi-Fi CERTIFIED WPA3™

• Wi-Fi Certified Easy ConnectTM • So you lost your head… Now what?

• Conclusion

Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space

Webex Teams will be moderated cs.co/ciscolivebot# BRKEWN-2006 by the speaker until June 16, 2019.

“now that we did that, we’re secure!”

interest attack is published

“Why do we need to do this security work?” You “Why did it take so long are to do that security work?” here “no attacks, we’re secure!”

window << typical program development time

Security needs to improve over time • Significant usage of weak protocols still exist End users think of security as a baseline product capability, but vendors think of security as features • Products are compared on functionality, performance, features, but generally not security • Consumers and Customers don’t buy “10% more secure,” but they do buy “10% faster” Wi-Fi Encryption had remained stagnant while other standards have evolved to use stronger and more efficient ciphers (AES-GCM, ECC): • IEEE 802.1AE – MACSec • IEEE 802.11ad • IETF TLS 1.3

Certification testing was based on interoperability: more important to be bug-compatible with testbed than be correct in protocol implementation • Exact opposite of what you need in security, which is to get the implementation right Many devices switch between high-security enterprise and lower- security consumer settings Because security is not a feature, industry approach has historically been reactive • Current method of improving security is: (1) wait for break, (2) scramble to fix • Security is only top of mind when it is lacking – and that is also when competitive technologies become compelling

• …medicine or a vaccine • Tastes bad • Shots hurt • About the only thing that’s good about them is not being sick

• The Challenge – drive awareness and adoption of “better” security

• Consumers do not ask for anything that is not branded! • More post-WPA2 feature enhancements than in WPA1 to WPA2 transition • Manufacturers/Vendors are hesitant to adopt things that customers aren’t demanding. • Chicken and Egg – we know security enhancements are needed, consumers look to the brand for assurance • Keep consumers and networks vaccinated against future attacks to stop outbreaks

#CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 The permutations and combinations of WPA Personal WPA2 Wireless Security Enterprise HS2.0 WPS DPP How do consumers TKIP know they are secure EAP and using the best AES WPA3 security possible? PMF

Building a Castle

• IF I make PMF mandatory I can mitigate deauth attacks

• IF I use high entropy PSK – it should increase the time it takes for offline dictionary attacks but not prevent it

• IF I use AES it WILL mitigate the TKIP attacks

Not every Network Operator or home user is a crypto expert

Its all about compromise

#CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Wi-Fi Alliance Security History Security Enhancements have typically taken a reactive approach (something was broken and then we fixed it):

• WEP – first exploits 2001 • WPS (2006)

• WPA (2003) • Created for the consumer to easily adopt Security

• attempted to bridge security gap from WEP to • 2011 – Brute force pin attack (compromises 802.11i network access)

• 2008 – Beck-Tews attacks shows vulnerabilities in • 2014 – Weak Random Number Generator TKIP (compromises confidentiality) implementations compromises WPS

• WPA-PSK brute force attacks (compromises • KRACK(2017) network access and confidentiality) • WPA2 Security Enhancements (2018) • WPAv2 (2004) • WPA3 (2018) • Integrated security enhancements from 802.11i (added AES) • Enhanced Open (2018) • • WPA2-PSK: brute force attacks still exist Wi-Fi Easy Connect (2018)

• Still maintains a TKIP only mode of operation • Dragonblood (2019) • Inconsistent cryptography strength (SHA-1 <80 bits What comes next on this list? of security)

#CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 History of Wireless Security Part 2 AKA WPA2 – the good the bad and the ugly History of Post-WPA efforts to improve security

• When security is optional and there is no tangible benefit, it will be postponed

• WPA preshared keys are well known to be a problem • Increased computing power every year makes them easier to attack • Should be deprecated because “Password” is not a secure password

• TKIP still in widespread use • 2013 paper showed that 71% of encrypted networks used it instead of good cryptography http://people.cs.kuleuven.be/~mathy.vanhoef/papers /wpatkip.pdf

• Can anyone believe WEP is still in use

• The GOOD • WPA2 was created with the sole purpose of fixing the issues in WPA • TKIP was broken • AES was adopted in the radios by enough vendors • 802.1x and RADIUS are too complex to set up for home use so we still needed a simple password based method • My Mom can create her own WPA2 home network!

• With WPA(2) – the password or PSK us used for both “authentication” and encryption • Susceptible to attacks and tools to crack a password are easily downloadable from the Internet • Given the messages from the 4-way Handshake, the attacker loops through all passwords in the database computing values using a candidate password until it is able to verify message 3 or message 4 • No forward secrecy– guess the password and get the session keys for all past, present, and future exchanges • When used for network access through an AP it allows anyone in “earshot” to crack the password and connect • Brute force attacks/Dictionary Attacks: Amazon Cloud attack: performs 2,400,000 password checks per minute at $0.23/min– the size of the dictionary really doesn’t matter now!

• With WPA2 PSK, your password is used to generate the Pairwise Master Key (PMK)

• This is how the exchange works: 1. On both sides, make your weak passphrase (“password”) a bit stronger: PSK = pseudorandom (PBKDF2 algorithm) of Passphrase, SSID, SSIDlength, to produce a 256-bit string 2. The process is done the same way on the AP and client, so they have the same PSK. This PSK is the PMK.

PSK = PBKDF2 (PassPhrase, ssid, ssidLength, 4096, 256) PSK = PBKDF2 (PassPhrase, ssid, ssidLength, 4096, 256)

REMEMBER – at the time not all AP’s could support Multiple BSS’s • A transition mode was created to preserve interoperability with WPA and help with end user experience. • What did we inherit with a transition mode: • Group Cipher still uses TKIP • Lowest common denominator • Still susceptible to dictionary attacks

• Security is typically sacrificed for simplicity of adoption • Or we don’t read the fine print

Note – with regards to security: nothing good ever comes out of transition modes (ever)

• All I need is a capture of the 4-Way handshake • How?– deauth the client

• Upload the entire pcap

• Customers/end users deploy weak passwords

• Results in a easy access to the Wired network (I don’t care about capturing over the air data)

• If my intent is to get wired side access MAC based auth + PSK is trivial to bypass Think IoT, Medical devices, TV’s etc etc

Wireless LAN Controller Identity Services Engine AES CAPWAP RADIUS

PMK EAP Success EAPEAP Success Success (PMK) PMK ANonce PTK SNonce, MIC PTK, GTK Four-Way ANonce, MIC, GTK, Sequence # Handshake ACK PTK = SHA(PMK + ANonce + SNonce + AP MAC + STA MAC)

Caution: Threat shifts from a weak PSK to weak user passwords for logon

In Oct 2017, a researcher published 10 possible “attacks” against WPA2

All of them are about “small prints” in the WPA2 testing method: •Cases that were possible with 802.11, but not tested •Patches are available for most platforms, but this shows that WPA2 is aging

WPA2 was released in 2004; it was time to update it

• KRACK is an attack against the 4-way handshake (specifically nonce reuse) • What does the 4-way handshake do? • Mutual authentication between AP and STA • Negotiates fresh Pairwise Transient Keys • Where is the 4-way handshake used? • WPA Personal and Enterprise • WPA2 Personal and Enterprise • 802.11r Fast BSS transition (FT) • 802.11ai Fast Initial Link Setup (FILS)

Auth Request Auth Response

Association Request Association Response

EAP Start EAP ID Request EAP ID Response

EAP Method

EAP Success

Look Here EAPoL 4 way Exchange

DATA

Message 1: • EAPoL frame containing A-Nonce (authenticator nonce) • Supplicant can derive PTK because it now has A-Nonce, S-Nonce and PMK Message 2: • Supplicant sends Authenticator S-Nonce • Authenticator can now generate PTK, GTK and IGTK Message 3: • GTK, IGTK delivered to Supplicant encrypted with PTK • Tells supplicant to install temporal keys Message 4: • Supplicant informs authenticator that keys have been installed Key reinstallation occurs by replaying Message 3

• Implementing Protected Management Frame (802.11w) will helps mitigate Man-in- the-Middle attacks • The 802.11w protocol applies only to a set of robust management frames that are protected by the Protected Management Frames ( PMF) service. • These include: Disassociation, De-authentication, and Robust Action frames (Like FT).

• Our Bad – we broke it. • We specified that when PMF was enabled the only hash algorithm used could be SHA1 (for everything)… • Guess what Fast Transition requires SHA2 • Subsequently the PMF requirement broke other things

• The Good news is – we fixed it.

Open Networks Get an Upgrade

Wi-Fi CERTIFIED Enhanced Open

*not quite WPA3 (yet) What problem are we trying to solve??

• Passive Eavesdropping – that’s it!!

• Something better than Open Networks to provide privacy.

• Similar End User Experience to Open but with encryption

• Privacy – not Security • No we do not claim Man-In-The- Middle prevention

• Based on Opportunistic Wireless Encryption (OWE) STA, AP, – Defined in RFC 8110– https://tools.ietf.org/html/rfc8110 Supplicant Authenticator Probe request

• Provides integrity and confidentiality, albeit unauthenticated, to Probe response

wireless traffic Open system authentication request

• Alternative to Open networks, focused on Privacy Open system authentication response

Association request, • Requires no provisioning, no user entry– it just works! embedded Diffie-Hellmann key exchange Association response, embedded Diffie-Hellmann key exchange • Security in OWE: EAPOL-Key (ANonce) rd ⎯ Computationally infeasible for a 3 party to determine EAPOL-Key (SNonce)

encryption keys EAPOL-Key (Install PTK)

• Diffie-Hellman group: 19, NIST p256 elliptic curve EAPOL-Key – Fast and compact EAPOL-Key (Install GTK) – Widely implemented EAPOL-Key – Suitable security for 128-bit encryption (CCMP or GCMP) ⎯ PMF Required ⎯ Susceptible to active attack, resistant to passive attack

• Enhanced Open actually provides more privacy than WPA2-PSK using a shared PSK in public venues • If everyone has the PSK with WPA2- Personal its trivial to decode all of the traffic (past and future)…its just about as effective as an Open network to a hacker • Enhanced Open – each client generates it own keys via ephemeral DH exchange

• When an Open SSID is enabled on an Enhanced Open AP – it shall create a separate hidden BSS with the same properties as the Open BSS

• The Open BSS will include an OWE Transition Mode Element to direct Enhanced Open capable STAs to the Enhanced Open BSS

• Why did we do this??? • Legacy STA behavior – some see an Enhanced Open BSS as “Open, do1x or PSK” leading to a poor user experience

Note – with regards to security: nothing good ever comes out of transition modes (ever)

AKA The evolution of Wi-Fi Security WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access®

• “Security combinatorics” refers to the number of options available for connecting to networks • Advertising IEs (2): WPA, WPA2 • AKMs (18): PSK, SAE, 802.1x, Suite B, FT, FILS etc… • Unicast ciphers (6): WEP, TKIP, CCMP-128, CCMP-256, GCMP-128, GCMP-256 • Broadcast ciphers (4): WEP, TKIP, CCMP, GCMP • Integrity ciphers (3): none, CMAC, GMAC • Hash algorithms (4): SHA-1, SHA-256, SHA384, SHA512

• Also includes the KDFs for PMK as well as the TLS cipher suites for EAP types

• Not all of these combinations are created equal: • Each configuration combination is a possibility for end users to get wrong and prevent devices from connecting and generating a support call • AP/RADIUS server sets security policies, STA chooses from options available

• Unify the WFA Security efforts into something which consumers/vendors can recognize

• Provide a solid technology foundation for the future of Wi-Fi security

• Decrease complexity and use of legacy security protocols • eliminate the mix and match error prone patchwork of security protocols that consumers are expected understand • Provide them with the most secure options

• User Experience • Make Wireless Secure and easier to use

WPA3 is a fundamental shift from interoperability testing to conformance testing (make sure bad stuff doesn’t happen)

WPA3-Personal: WPA3-Enterprise: Robust, password-based Enterprise-grade security for authentication sensitive data networks

• Resistant to offline dictionary attacks; • Available 192-bit cryptographic strength for stronger protections for users against networks transmitting sensitive data password guessing attempts by third parties • 192-bit Security suite provides additional • Protection even when users choose security for networks like government and passwords that fall short of complexity finance recommendations • Greater consistency in application of security • No change to the way users connect to a protocols network • Better network resiliency • Provides forward secrecy; protects data traffic even if a password is later compromised

• Replacement of WPA2-PSK with WPA3-SAE (Simultaneous Authentication of Equals) • Mitigates offline dictionary attacks

• Suite B – more than just Fed Govt • Addition of GCM & ECC for crypto and better hash functions (SHA384) • Consistent cryptographic strength rules to avoid misconfiguration

• Protected Management Frames mandatory

• General Security Enhancements

• WPA3-Personal • WPA3-SAE Mode • PMF Required • WPA3-SAE Transition Mode • Configuration Rules: On an AP, whenever WPA2-PSK is enabled, the WPA3-SAE Transition Mode must also be enabled by default, unless explicitly overridden by the administrator to operate in WPA2-PSK Only Mode.

• WPA3-Enterprise Mode • PMF SHALL be negotiated for all WPA3 connections

• WPA3-Enterprise “192-bit” mode (CNSA) • More than just for the Federal Government • Consistent cryptographic cipher suites to avoid misconfiguration • Addition of GCM & ECC for crypto and better hash functions (SHA384) • PMF Required

44 Password Security Requirements

• Resistance to Passive Attacks: An attacker must not be able to glean any information about the password or the resulting shared secret from a passive (eavesdropping) attack.

• Resistance to Active Attacks: an attacker takes part in the protocol by impersonating an honest peer.

• Resistance to Dictionary attacks: an attacker takes information gleaned from an exchange and tries to determine the password by running through all possible candidate passwords until successful.

• Compromise of the shared secret from a previous run of the protocol won’t help an attacker in an attack on another run of the protocol (the “Denning-Sacco attack”).

• Compromise of the password will not allow an attacker to know anything about the shared secret from a previous run of the protocol (“forward secrecy”).

• Based on the Dragonfly Key Exchange

• Balanced Password Authenticated Key Exchange (PAKE)

• Shared password

• Security of SAE not tied to the complexity of the shared password

• SAE exchanges results in a 32-byte PMK

• Protects against offline dictionary attacks

• Forward secrecy protects traffic even if password is later compromised

• Requires Protected Management Frames

• WPA3-SAE Transition Mode supports both WPA2- PSK and WPA3-SAE on the same SSID

WAIT – AP’s that support WPA3 should support Multiple BSS’s – its 2019 • A transition mode was created to preserve interoperability with WPA2 and help with end user experience. • What did we inherit with a transition mode: • Single BSS -Enabled by default when a WPA2-PSK BSS is enabled on a WPA3-Personal AP • Same passphrase exists between WPA2-PSK and WPA3-PSK • WPA2-PSK is still vulnerable to all the classic issues • The upside • WPA3-Personal connections are secure – knowing the passphrase gets that hacker access to the WLAN not the ability to decrypt the sessions

Note – with regards to security: nothing good ever comes out of transition modes (ever)

• A researcher found 5 vulnerabilities in the SAE protocol used as part of WPA3-Personal (Simultaneous Authentication of Equals is defined in IEEE 802.11-2016)

• These vulnerabilities allow an attacker to perform: • Attacks on the STA • Switch clients from WPA3-Personal to WPA2-Personal on transition mode BSS • Downgrade Diffie-Hellman Groups used in SAE • ECC and MODP side-channel timing attacks • Attacks on the AP • DoS from flooding spoofed authentication frames to AP

• WPA2 vs WPA3 Enterprise • All WPA3 connections shall use PMF

• This means if I have a WPA2 Client and it negotiates PMF it could be considered WPA3 Enterprise (MFPC)

• However to be considered WPA3 Enterprise Only – Management Frame Protection would be set to Requires (MFPR) • Identical to WPA3-Personal and Enhanced Open

• Quantum Computing – a different paradigm in computing

• Quantum Computers can efficiently factor large numbers – DH key exchange is vulnerable • A quantum computer could break public key cryptography standards in use today. • Information with long-term confidentiality requirements should be protected against future decryption (i.e., capture now, decrypt when quantum computers become viable.) • Data-in-transit (e.g., capture data communications) • Data-at-rest (e.g., capture file images)

• An attacker will target the weakest component in a system

• To achieve a consistent level of system security it’s necessary to ensure that the work factor for each cryptographic primitive meets or exceeds a selected level: • For a security level 192: • AES-GCM-256 for authenticated encryption • HMAC-SHA384 for key derivation and key confirmation • ECDH and ECDSA using a 384-bit elliptic curve for key establishment and authentication

• Consistency affords misuse resistance since Suite B cannot be configured in a way to not provide the indicated level of security

ECDSA- AES-256-GCM ECDH-P521 SHA-512 Encryption P521 Data Authentication

Key Establishment AES-192-GCM ECDH-P384 ECDSA-P384 SHA-384 Suite B mLoS 192 Signatures

Hashing AES-128- ECDH-P256 ECDSA-P256 SHA-256 Suite B mLoS 128 GCM

Algorithm Operation Quantum Computer Acceptable Preferred Resistant Encryption AES-CBC-256 mode — ✅ (256-bit) Authenticated encryption — AES-GCM-256 mode ✅ (256-bit)

Integrity SHA-256 SHA-384 / 512 ✅ (384/512)

Integrity HMAC-SHA-1 HMAC-SHA-256 ✅ (256-bit key)

RSA: Key exchange / DH / RSA / DSA - 3072 / Encryption / ECDH / ECDSA-384 / 521* 4096 Authentication ECC: Key exchange / ECDH / ECDSA-256 ECDH / ECDSA-384 / 521 Authentication

*ECC algorithms have significant performance advantages over RSA. Such efficiency makes them very suitable for low-power devices (i.e. sensors) with limited resources and computational power.

• Through AKM and cipher suite negotiation • 192-bit security level restricted to:

• AKM 00-0F-AC:12 – authentication with a Suite B EAP-TLS method supporting ECDH and ECDSA with p384, and key derivation and key management using SHA384

• Cipher suite 00-0F-AC:9– AES-GCM-256 and 00-0F-AC:12– BIP-GMAC-256 • When doing Suite B, one and only one AKM (plus permissible cipher suites) is allowed

• Consistency enforcement on AP to inform AAA server of negotiated AKM • WLAN-AKM-Suite attribute: RADIUS attribute value 188 (assigned by IANA) • The Authenticator (AP) informs the AAA server of the AKM the client selected • Only AP side (if not terminating EAP) is required to support this attribute

• ECDSA certificates using appropriate curve (p384) are required

• AAA server requires EAP-TLS with an AKM-appropriate TLS cipher suite • 192 bit: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 with p384 elliptic curve

You can still use RSA • But with at least 3072 bit-keys • These are long keys, computationally expensive The alternative is to use ECC • Less computationally expensive for the same strength • ECC 256 = RSA3K = 128 bits of security • ECC 384 = RSA 7K = 192 bits of security • Need to evaluate the end-to-end cryptographic strength

Good news! Such solutions exists • You can use Elliptic Curve Diffie- Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve • What does this mean? Let’s do some math

Elliptic Curves • EC Cryptography uses the formula y3=x3+ax+b • Replaces “power” with lines • Pick P1, P2, there is only 1 point P3 • Jump to its reflection (R) • Then redo (Find the intersection between P1 and R, jump to the reflection etc. • You can also use “modulo” by letting points bounce when the vector reaches the green line

Why Elliptic Curves? • In the end, you have what DH needs: • An initial number (P1), a secret number (n, how many jumps did I do) and a final number (where I end up, e.g. R if n=1) • With EC, cracking ‘n’ is much harder than with static RSA

WPA-3 Enterprise 192-bit mode mandates EAP-TLS to be used for EAP method and the TLS ciphers as required by the CNSA suite.

Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit Mode are:

 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - ECDHE and ECDSA using the 384-bit prime modulus curve P-384

 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ECDHE using the 384-bit prime modulus curve P-384 - RSA ≥ 3072-bit modulus

 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - RSA ≥ 3072-bit modulus - DHE ≥ 3072-bit modulus

You also need for good measure a better MIC (128 bits instead of 64) WPA-3 needed to use a faster encryption • Here Galois Counter Mode Protocol presents the solution

A great strength of GCMP mechanism is that you can calculate (still using AES) the different elements needed for the MIC determination in parallel, saving an enormous amount of time GCMP was allowed in 802.11ac, it is mandatory with WPA3 • It is much faster than CCMP, which allows for longer keys if needed

Wi-Fi 6 Cisco DNA WPA3 support Wave 1 APs Wave 2 APs Cisco Prime® 802.11ax APs Center AireOS No 8.10 8.10 3.7 1.4 Cisco IOS® XE No 16.12 16.12 3.7 1.4

Configuration for WPA3 only on a WLAN wlan AA-WPA3 1 AA-WPA3 security wpa psk set-key ascii 0 1234567890 no security wpa akm dot1x security wpa akm sae security wpa wpa3 security pmf mandatory no shutdown

wlan AA-WPA3 1 AA-WPA3 security wpa psk set-key ascii 0 1234567890 no security wpa akm dot1x security wpa akm psk security wpa akm sae security wpa wpa3 security pmf mandatory no shutdown

#CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 67 AireOS – Opportunistic Wireless Encryption For Enhanced Open Networks OWE is a mandatory feature for WPA-3 certification along with OWE Transition mode

If OWE Transition Mode is disabled. Open SSID filed is hidden from this page

OWE Transition Mode requires at least one Open SSID configured

WPA3 + WPA2 Enabled. All AKM’s can be WPA3 Enabled, WPA2 Disabled. PMF is required. configured based on the FT and PMF selection. FT can be selected as Enable/Disable/Adaptive. SAE is enabled by default. SAE is enabled by Default.

#CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 69 AireOS – WPA-3 Enterprise Mode WPA3 + WPA2 Enabled. CCMP256 and GCMP128/256 Ciphers with AKM Suites are available. PMF is Optional

WPA3 Enabled + WPA2 Disabled. CCMP256 and GCMP128/256 Ciphers and AKM Suites are available. PMF is Required

• Current Plan of Record for WPA3 to become mandatory for all Wi-Fi CERTIFIED devices 2 years after program launch • Program launched April 2018 – target mandatory June 2020

• Current plan for Wi-Fi 6 • WPA3-Personal is mandatory • WPA3-Enterpris is Optional • Enhanced Open is optional

• Current plan of record is that all PHY/MAC moving forward past June 2020 will follow WPA3 requirements

When will I see Wi-Fi Certified WPA3 and Wi-Fi Certified Enhanced Open products? Vendors have already started certifying!!!!

• Unify the Wi-Fi Alliance security efforts • Mandatory Features

• To be part of Wi-Fi 6 certification • Security Improvements • Handle the unexpected • Provide a solid technology foundation for the • Protected Management Frames future of Wi-Fi security • Enabled by default

• Continuous Evolution of Security • WPA3-Personal (SAE)

• PSK replacement / Offline attack resistance • Decrease complexity and use of legacy security protocols • KRACK Testing • Mandatory for STAs • Eliminate the mix and match error prone patchwork of security protocols that consumers • Conditional mandatory for 11r/ai APs are expected understand • Optional Features • Provide them with the most secure options • WPA3-Enterprise

• Remove transition modes that compromise • WPA3-Enterprise-192 security (WEP, TKIP, SHA1) • Suite B Cryptography

• Negative testing • Quantum computer resistant encryption

• Ensure that bad acting AP/STA are identified early • Wi-Fi Certified Enhanced Open

• Opportunistic Wireless Encryption (OWE)

• Unauthenticated Encryption for SSIDs #CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 73 So you lost your head… Now what? What’s a WPA2-Enterprise AES? Gimme a sec, dad. I’m talking to people.

#CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 76 What happens when you have no head? #CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 78 #CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 79 Think this can’t happen at work? IoT is happening in your workplace right now

Push-button on-boarding

Brute force PIN attack Weak random number generator

aabbcc

IOT Devices

xxyyzz Access Point Wireless LAN Controller ISE Sensors

WLAN PSK

Employees #CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 86 This is all very interesting son, but am I connected No, dad, but yet with that there’s a WPA2 thing? better way to do this.

Standardized Creates unique Solves for varied user June 2018 credentials for each interfaces device

Uses the Device Leverages public- Provisioning Protocol private key cryptography (DPP)

• Initiator (I) • Starts an authentication exchange

• Responder (R) • Responds to an authentication request

• Enrollee • Device requesting to join a network (STA)

• Configurator • Device used to configure enrollees

Bootstrapping

Derive bootstrapping keys out-of-band

Initiator Bootstrapping key Protocol key Responder (I) (B,b) (P,p) (R)

Public key B B P I B , B R I P , P PR (Upper case) I R I R

Private key bI, bR pI, pR (Lower case)

#CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 91 DPP Step 1: Bootstrapping QR Code Yay! I now have the pump’s public bootstrapping key. I can securely authenticate it.

QR Code PKEX BLE NFC DPPoTCP

2018 2019 2020

Bootstrapping

Authentication

Exchange protocol keys for creating credentials

#CLUS BRKEWN-2006 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 95 DPP Authentication Roles • Intitiator (I) • Responder (R) • Starts the authentication • Responds to the exchange authentication exchange • Can be the enrollee or the • Can be the enrollee or the configurator configurator

• Has a bootstrapping key (BI) • Has a bootstrapping key (BR) BI BR

Responder Initiator

DPP Authentication Request (SHA256(BR), SHA256(BI), PI, {I-nonce, I-capabilities}k1)

Enrollee successfully receives the DPP Authentication Request and matches H(BR)

DPP Authentication Response (DPP Status, SHA256(BR), [SHA256(BI),] PR, {R-nonce, I-nonce, R-capabilities, {R-auth}ke}k2)

DPP Authentication Confirm (DPP Status, SHA256(BR), [SHA256(BI),] {I-auth}ke)

BI PI BR

BR PR

Bootstrapping

Authentication

Configuration

Add credentials and connection details

Will you please configure me?

You bet. Let’s do this!

SSID Credentials Infrastructure Type WPA2-PSK WPA3-SAE DPP connector

Unique Network Expiration Groups Access Key Date

Enrollee Configurator

DPP Configuration Request ({E-nonce, configuration attributes}ke)

DPP Configuration Response (DPP Status, {E-nonce, configuration object}ke)

DPP Configuration Result ({DPP Status, E-nonce}ke)

Good. I’m gonna go download some malware now.

Complex configuration Simple one-step on- steps boarding

Same experience even Varied user interfaces when headless

Weak security with Stronger security using shared passwords unique credentials

Identify where DPP can help you at work

Ask your vendors to certify equipment

Adopt Wi-Fi Alliance EasyConnect™

• Wi-Fi Security is evolving to keep up with the pace of attacks

• WPA3 and Enhanced Open are just the start

• Wi-Fi Easy Connect simplifies the onboarding process

• Choose the right tool in the tool bag to meet your Wireless Security Requirements

#CLUS Complete your online session • Please complete your session survey after each session. Your feedback evaluation is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.

• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Demos in the Walk-in labs Cisco campus

Meet the engineer Related sessions 1:1 meetings