WLAN Security Enhancements: WPA3, OWE, DPP Hemant Chaskar @CHemantC Arista Networks Hemant Chaskar -- 1 -- Networks Agenda • OWE / Enhanced OpenTM • SAE / WPA3TM- Personal • 192-bit Security / WPA3TM- Enterprise • DPP / Easy ConnectTM Hemant Chaskar -- 2 -- Networks Diffie-Hellman Key Generation • Generates common secret between two parties • No pre-shared secret required • MITM cannot generate the common secret Whitfield Diffie • Based on public key cryptography • Used in SSH, TLS, IPSec and now in OWE, WPA3 and DPP Martin Hellman Hemant Chaskar -- 3 -- Networks Key Generation Steps Known Values: Generator g, Modulus p Random Priv Key: x Random Priv Key: y Compute Pub Key: gx Send gx Compute Pub Key: gy Send gy Common Secret Common Secret Impractical to compute s from gx & gy x y xy s = (gy)x = gxy s = (g ) = g Symmetric Keys Encryption, auth and integrity Symmetric Keys k = Hash (s, labels) protection of messages with k k = Hash (s, labels) Delete Delete x, s, k FS: Forward Secrecy y, s, k Recorded messages cannot be decrypted in future even if endpoint is compromised Hemant Chaskar -- 4 -- Networks Mathematical Schemes Finite Field Crypto (FFC) Elliptic Curve Crypto (ECC) Era Classical Modern Elliptic Curves: Math MODP Groups P-256 (secp256r1), P-384 (secp384r1) etc. Referred as DH ECDH IANA has assigned Group IDs to standard triplets of (scheme, g, p): RFCs 3526, 5114, 5903. Hemant Chaskar -- 5 -- Networks Public Key Sizes for High Quality Key Generation Group ID 15360 bits None 256 bits AES ID: 21 521 bits 192 bits AES 8192 bits ID: 18 ID: 20 384 bits 3072 bits ID: 15 128 bits AES ID: 19 256 bits 112 bits TDES 2048 bits ID: 14 Symmetric Key Size Key Symmetric 224 bits ID: 26 Public Key Size DH ECDH (For Private Key Size = 2 x Symmetric Key Size) • Ref: NIST Special Publication 800-57, Table 2 and RFC 3766. Hemant Chaskar -- 6 -- Networks OWE (Opportunistic Wireless Encryption) • Encryption for hitherto OPEN wireless links • Idea: Carry ECDH public keys in Association Req/Res to generate symmetric encryption key • OWE is defined in RFC 8110 • Enhanced OpenTM: Wi-Fi Alliance certification of OWE Hemant Chaskar -- 7 -- Networks OWE Message Flow Open Auth Req & Res ECDH priv/pub key pair Assoc Req [Group ID, client ECDH pub key] Group 19 (P-256 Curve) mandatory to support. Assoc Res [AP ECDH pub key] ECDH priv/pub key pair AKM Suite Selector 00-0F-AC:18 for OWE s = Common secret s = Common secret PMK = HMAC (s, labels) PMK = HMAC (s, labels) (256 bits master key) (256 bits master key) PTK = [KCK | KEK | TK] = EAPOL 4-way handshake PTK = [KCK | KEK | TK] = HMAC(PMK, MACs, Nonces) HMAC(PMK, MACs, Nonces) Transport random GTK, IGTK CCMP with 128 bits TK & GTK BIP CMAC with 128 bits IGTK (Others optional) Hemant Chaskar -- 8 -- Networks OWE Packet Trace Assoc Req/Res AKM: 00-0F-AC:18 (Hex 12) ECDH Public Key Hemant Chaskar -- 9 -- Networks Enhanced Open Supplemental Requirements • Protected Management Frame (PMF) • PMK caching to avoid ECDH computation on reassociation • OWE Transition Mode Beacon #1 (shows up in client scan) Beacon #2 (used for OWE connection) BSSID: BSSID-OPEN BSSID: BSSID-OWE SSID: SSID-OPEN SSID: Length = 0 BSSID-OWE, SSID-OWE, BSSID-OPEN, SSID-OPEN, OTME: OTME: OWE band, OWE channel OPEN band, OPEN channel AKM Suite = 00-0F-AC:18 OTME: OWE Transition Mode Element RSNE: MFPR = 1, MFPC = 1 RSNE: Robust Security Network Element Group, Pairwise, BIP Ciphers Hemant Chaskar -- 10 -- Networks OWE Security Forecast: Sunny, but Cold! Encryption better than not (e.g., for HTTP browsing). In TLS (e.g., HTTPS), sensitive traffic is encrypted e2e. • OWE can protect against one off situations, e.g., HTTPS cookies installed in browser without secure flag set later get sent in HTTP request. No protection from wireless MITM: • OWE does not provide AP authentication. • Honeypot / Evil Twin AP threat in public WiFi is not addressed by OWE. Hemant Chaskar -- 11 -- Networks SAE (Simultaneous Authentication of Equals) • Eliminates offline dictionary attack on WiFi passwords • SAE is specified in IEEE 802.11 Standard • Based on Dragonfly protocol (IRTF RFC 7664) • Dragonfly is based on SPEKE protocol, circa 1996 • These types of schemes are called PAKE • WPA3TM- Personal: Wi-Fi Alliance SAE certification SPEKE: Simple Password Exponential Key Exchange PAKE: Password Authenticated Key Exchange Hemant Chaskar -- 12 -- Networks Offline Dictionary Attack on WPA2-Personal Password PMK -- Begin 4-Way handshake -- [ANonce, …] PTK = [KCK | KEK | TK] = HMAC(PMK, MAC adrs, ANonce, SNonce) [SNonce, …, MIC Computed with KCK] Use Information from sniffed frames • Decrypt frames sniffed on air Guess Compute Compute MIC Y Password (past and future) Password PMK, PTK MIC Match? Cracked! • Unauthorized N access to Next Guess network Hemant Chaskar -- 13 -- Networks Offline Dictionary Attack: Root Cause Analysis • WPA2-Personal: Password converted to PMK via PBKDF2: • PMK = Hash(Password, SSID, counters)_4096 times (RFC 2898) PMK Entry Method Key Combinations 256 bits PMK (= PSK) directly entered 2256 8-character alphanumeric password 256 bits PMK 248 Dictionary words, short/weak passwords, social Even smaller engineering etc. search space • SAE: Ensures PMK combinations space of 2128 or more • Irrespective of size or quality of password Hemant Chaskar -- 14 -- Networks PMK Generation Analogy Wheel Size Readout PMK guess is over at least 2128 values [random (Sectors) Position spin on large wheel], independent of password. • Forward Secrecy: Impractical to decrypt sniffed traffic even if password is revealed. • Password Crack Resistance: Password guess indistinguishable as right or wrong. Password is for mutual authentication only [readout position]. Spin WPA2-Personal SAE ReadoutPosition Static Password Dependent Wheel Size (Sectors) Password Combinations 2128 or more Spin Password Actual Random (ECDH Private Key) Hemant Chaskar -- 15 -- Networks SAE = OWE + Password • g is derived as function of password (and MAC adrs). It is called PWE (PassWord Element). • p is still taken from standard set. ECDH parameters = g,g p Random: x Random: y x Compute: gx Send g Compute: gy Send gy Common Secret Common Secret x y Impractical to compute s from g & g x y xy s = (gy)x = gxy s = (g ) = g PMK = PMK = Hash (s, labels) -- Begin 4-Way handshake -- Hash (s, labels) Hemant Chaskar -- 16 -- Networks SAE Message Flow Password PWE Auth Commit [Group ID, client ECDH pub key] ECDH priv/pub key pair Password PWE Auth Algo Number = 3 ECDH priv/pub key pair Auth Commit [AP ECDH pub key] Group 19 support must s = Common Secret s = Common Secret [PMK,CK] = HMAC(s, labels) Auth Confirm [HMAC of CK and labels1] [PMK,CK] = HMAC(s, labels) Auth Confirm [HMAC of CK and labels2] Client authenticated to AP AP authenticated to client Assoc Req/Res [AKM: 00-0F-AC:8] EAPOL 4-way handshake PTK = [KCK | KEK | TK] PTK = [KCK | KEK | TK] CCMP with 128 bits TK & GTK GTK, IGTK BIP CMAC with 128 bits IGTK (Others optional) Hemant Chaskar -- 17 -- Networks SAE Packet Trace (Auth Commit) Auth Handshake Auth Algo = 3 Auth Commit containing ECDH public key (FFE) Hemant Chaskar -- 18 -- Networks SAE Packet Trace (Auth Confirm) Auth Handshake Auth Algo = 3 Auth Confirm containing HMAC hash of (CK,labels1) Hemant Chaskar -- 19 -- Networks WPA3-Personal Supplemental Requirements • Protected Management Frame (PMF) • PMK caching to avoid ECDH computation on reassociation • Anti-clogging tokens: • Throttle Auth Commit flood from client with varying MAC addresses to prevent DoS on AP • Fast Transition (FT) not required for certification • Though SAE in 802.11 standard supports FT (AKM: 00-0F-AC:9) Hemant Chaskar -- 20 -- Networks What About Online Dictionary Attack? Online Dictionary Attack: Preventive Measures: Try pwd1 • Limit attempt rate by Try pwd2 introducing delay after failed attempts Try pwdN • Alert on multiple authentication failures • SAE does not prevent this attack. • Don’t use passwords like welcome123, abcd123, • With SAE though, password guest123 etc., which could cracking still does not result in traffic be the top attempt choices decryption, i.e., FS is achieved. Hemant Chaskar -- 21 -- Networks WPA3TM - Enterprise • Use at least 192-bit security strength across the protocol • 802.1x TLS, 4-way handshake, pairwise/group/BIP ciphers • N-bit security means bruteforcing requires searching 2N key values AES Key Key Space Some Comparable Orders of Magnitude 128 bits 2128 Number of water drops in earth’s oceans ~ 285 192 bits 2192 Number of atoms in sun ~ 2188 256 bits 2256 Number of atoms in known universe ~ 2257 • For public key crypto, we need private key size = 2 x N Hemant Chaskar -- 22 -- Networks 802.1x EAP-TLS 192-bit Security TLS_ECDHE_ECDSA_WITH_ AES_256_GCM_SHA384; [Server ECDSA static pub key]in x509 cert with P-384 [Server ECDH pub key]Sig by server ECDSA static priv key ECDHE_ECDSA with both being keys from P-384 curve (Group 20) [Client ECDSA static pub key]in x509 cert [Client ECDH pub key]Sig by client ECDSA static priv key ECDHE_ECDSA with both being keys from P-384 curve (Group 20) TLS tunnel with encryption and integrity protection Symmetric key gen with HMAC-SHA-384 AES-GCM with 256 bits key PMK PMK transport outside of WPA3 scope: Use IPSec, RadSec etc. 4-way handshake AKM #12: KCK 192 bits, KEK 256 bits Encrypted wireless link Ciphers #09 & #12: GCMP and BIP GMAC with 256 bits key Hemant Chaskar -- 23 -- Networks Summary of Ciphers for WPA3TM - Enterprise TLS Cipher RFC Static Keys Ephe. Keys Encryption Symmetric Key Gen TLS_ECDHE_ECDSA_WITH_ 8422 ECC