Wi-Fi® Security for Next Generation Connectivity | Proprietary | © Wi-Fi Alliance
Wi-Fi® Security for Next Generation Connectivity
Perry Correll
Aerohive, Wi-Fi Alliance® member
October 2018
Value of Wi-Fi
• The value Wi-Fi provides to the global economy rivals the combined market value of Apple Inc. and Amazon.
• The fact that Wi-Fi has become a key complementary technology for enterprise and carrier networks and an essential part of the home indicates this value will only rise as next generation products and deployments become available over the next several years.
• Wi-Fi is one of the greatest success stories of the technology era, and its societal benefits have long been known.
Agenda
• About Wi-Fi Alliance®
• Recent program activity
• Wi-Fi CERTIFIED WPA3™: Next generation Wi-Fi® security
• Wi-Fi CERTIFIED Easy Connect™: Simple IoT device connection
• Wi-Fi CERTIFIED Enhanced Open™: Better data protections in open networks
The worldwide network of companies that brings you Wi-Fi
Effective global collaboration
Driving industry growth
800+ member companies
Constant evolution
One of the greatest success stories of the high tech era
• 9+ billion devices in use
• 3+ billion shipments per year
• Nonstop innovation
• Primary medium for global internet traffic
Source: ABI Research, 2018
Recent Wi-Fi Alliance program releases
• Wi-Fi CERTIFIED Optimized Connectivity™: Part of the Wi-Fi CERTIFIED Vantage™ program, Wi-Fi Optimized Connectivity™ leverages Wi-Fi features that bring users a seamless connectivity experience when traveling across networks.
• Wi-Fi CERTIFIED Wi-Fi Aware™: New capabilities and optimization for dense environments enable Wi-Fi Aware™ to provide more personalized mobility experiences. Native support available in Android Oreo operating systems.
• Wi-Fi CERTIFIED EasyMesh™: Harmonizing the burgeoning multiple-AP system market, Wi-Fi EasyMesh™ brings a standards-based approach to full coverage, self-adapting residential Wi-Fi.
• Wi-Fi CERTIFIED Enhanced Open: Wi-Fi Enhanced Open™ devices provide data encryption to users, preserving the convenience open networks offer while reducing some of the risks associated with accessing an unsecured network.
• Wi-Fi CERTIFIED Easy Connect: Connecting devices to Wi-Fi networks has never been simpler; Wi-Fi Easy Connect™ makes secure device provisioning as easy as scanning a product QR code.
Wi-Fi Protected Access®
Next generation Wi-Fi security
Consumer and enterprise confidence in Wi-Fi security is essential to continued growth in Wi-Fi use
Wi-Fi CERTIFIED WPA3: Next generation Wi-Fi security
• Wi-Fi CERTIFIED WPA3 is next generation Wi-Fi security for personal and enterprise networks
• Delivers a suite of features to simplify Wi-Fi security configuration and enhance network security protections
• WPA3™ brings robust authentication and increased cryptographic strength
• Offers protections in an ever-changing threat landscape
• WPA3 and Wi-Fi Easy Connect™ provide a good user experience and secure connections
Wi-Fi security highlights
WPA3 protects users in Wi-Fi CERTIFIED™ networks
• WPA3 networks use latest security methods and disallow legacy protocols, such as Temporal Key Integrity Protocol (TKIP)
• WPA3 requires use of Protected Management Frames (PMF)
• As WPA3 adoption grows, next generation Wi-Fi security will become mandatory
• WPA3 maintains interoperability with WPA2™ devices through a transition mode
• WPA2, updated earlier this year, continues to be mandatory for Wi-Fi CERTIFIED devices
WPA3 supports the market through two distinct modes
WPA3-Personal: Robust, password-based authentication
• Resistant to offline dictionary attacks; stronger protections for users against password guessing attempts by third parties
• Protection even when users choose passwords that fall short of complexity recommendations
• Provides forward secrecy; protects data traffic even if a password is later compromised
• No change to the way users connect to a network
WPA3-Enterprise: Enterprise-grade security for sensitive data networks
• Available 192-bit cryptographic strength for networks transmitting sensitive data
• 192-bit security suite provides additional security for networks like government and finance
• Greater consistency in application of security protocols
• Better network resiliency
WPA3-Personal
• Password-based authentication with increased protections, replacing PSK with Simultaneous Authentication of Equals (SAE) from the IEEE 802.11 specification
• WPA3-Personal uses the password for authentication, by proving knowledge of it, and not for key derivation
• SAE handshake negotiates a fresh Pairwise Master Key (PMK) per client, which is then used in a traditional Wi-Fi four-way handshake to generate session keys
• Neither the PMK nor the password credential used in the SAE exchange can be obtained by a passive attack, active attack, or offline dictionary attack
• Resistant to offline dictionary attacks because each instance of the authentication exchange only allows both parties to guess the password once
• Forward secrecy is provided because the SAE handshake assures the PMK cannot be recovered if the password becomes known
• Transition mode enables WPA2-Personal and WPA3-Personal simultaneously on a single basic service set (BSS) using same passphrase, and clients connect at highest security supported
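The following is an added teaching example, not code from the Wi-Fi Alliance or the IEEE specification. It walks through one SAE (Dragonfly) commit/confirm exchange over P-256 (SAE group 19) to make the bullets above concrete: the password only selects the password element PE, the shared secret is built from ephemeral values that never leave each side, so the PMK is independent of the password (forward secrecy), and a peer with the wrong password fails the confirm step having learned nothing more than that one guess was wrong. It simplifies the real protocol (no MAC-address salt, no anti-clogging token, non-constant-time hunting-and-pecking, shortened KDF), so it is for understanding, not for deployment; the SSID and passwords are constructed sample values.

```python
"""Simplified SAE (Dragonfly) commit/confirm over NIST P-256 (SAE group 19).

Constructed teaching example, not Wi-Fi Alliance or IEEE code. It keeps the
structure of IEEE 802.11 SAE but simplifies details (no MAC-address salt, no
anti-clogging token, non-constant-time hunting-and-pecking, shortened KDF).
"""
import hashlib
import hmac
import os

# P-256 parameters. Dragonfly never uses the base point, only the password element.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # curve order


def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not side-channel hardened)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def password_element(password, ssid):
    """Hunting-and-pecking: hash password||counter until it is a valid x coordinate."""
    for counter in range(1, 256):
        x = int.from_bytes(hashlib.sha256(ssid + password + bytes([counter])).digest(), "big") % P
        v = (x ** 3 + A * x + B) % P
        y = pow(v, (P + 1) // 4, P)  # square-root candidate; valid because P = 3 mod 4
        if y * y % P == v:
            return x, y
    raise ValueError("no password element found")


class SaePeer:
    """One side (STA or AP) of a single SAE exchange."""

    def __init__(self, password, ssid=b"ExampleNet"):
        self.pe = password_element(password, ssid)
        # rand/mask are ephemeral; rand never leaves this object, which is what
        # gives the PMK forward secrecy even if the password leaks later.
        self.rand = 2 + int.from_bytes(os.urandom(32), "big") % (Q - 2)
        self.mask = 2 + int.from_bytes(os.urandom(32), "big") % (Q - 2)
        self.scalar = (self.rand + self.mask) % Q
        m = ec_mul(self.mask, self.pe)
        self.element = (m[0], (-m[1]) % P)  # element = -mask * PE
        self.kck = self.pmk = self.peer = None

    def commit(self):
        return self.scalar, self.element

    def process_commit(self, peer_scalar, peer_element):
        if not 1 < peer_scalar < Q or not on_curve(peer_element):
            raise ValueError("invalid commit")
        # peer_scalar*PE + peer_element equals peer_rand*PE only when both sides
        # derived the same PE, i.e. hold the same password; otherwise keys diverge.
        k_pt = ec_mul(self.rand, ec_add(ec_mul(peer_scalar, self.pe), peer_element))
        if k_pt is None:
            raise ValueError("degenerate shared secret")
        keyseed = hmac.new(b"\x00" * 32, k_pt[0].to_bytes(32, "big"), hashlib.sha256).digest()
        ctx = ((self.scalar + peer_scalar) % Q).to_bytes(32, "big")
        keys = hmac.new(keyseed, b"SAE KCK and PMK" + ctx, hashlib.sha512).digest()
        self.kck, self.pmk = keys[:32], keys[32:]
        self.peer = (peer_scalar, peer_element)

    def _tag(self, first, second):
        s1, (x1, y1) = first
        s2, (x2, y2) = second
        msg = b"".join(v.to_bytes(32, "big") for v in (s1, x1, y1, s2, x2, y2))
        return hmac.new(self.kck, msg, hashlib.sha256).digest()

    def confirm(self):
        return self._tag(self.commit(), self.peer)

    def verify_confirm(self, peer_confirm):
        return hmac.compare_digest(self._tag(self.peer, self.commit()), peer_confirm)


def run_exchange(sta_password, ap_password):
    """One SAE exchange between a STA and an AP; returns (confirmed, sta_pmk, ap_pmk)."""
    sta, ap = SaePeer(sta_password), SaePeer(ap_password)
    ap.process_commit(*sta.commit())
    sta.process_commit(*ap.commit())
    confirmed = ap.verify_confirm(sta.confirm()) and sta.verify_confirm(ap.confirm())
    return confirmed, sta.pmk, ap.pmk
```

Running `run_exchange` twice with the same password yields two different PMKs, because the PMK is a function of the fresh `rand` values rather than of the password; running it with mismatched passwords makes the confirm fail, and the observer of the exchange sees only a scalar and a curve point per side, neither of which can be tested against a candidate password without solving a discrete logarithm.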
WPA3-Enterprise
• WPA3-Enterprise does not fundamentally change the protocols defined in WPA2-Enterprise, and client devices will continue to interoperate with WPA3-Enterprise networks
• Disabling PMF for a WPA3-Enterprise network is not an option: PMF must be set to capable or required
• Optional 192-bit security provides additional security for segmented networks transmitting sensitive data, such as within government, healthcare, or finance
• The 192-bit security suite certifies a consistent set of cryptographic tools, which includes:
– GCMP-256 for authenticated encryption
– HMAC-SHA384 for key derivation and key confirmation
– ECDHE and ECDSA using a 384-bit elliptic curve for key establishment and authentication
– BIP-GMAC-256 for robust management frame protection
– RSA key lengths of 3K bits or greater for asymmetric cryptography and digital signatures may be offered for legacy interoperability
• WPA3-Enterprise 192-bit security ensures the right combination of cryptographic tools is used, and sets a consistent baseline of security within a WPA3 network
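The point of the suite is consistency: a profile that mixes a 192-bit key management method with CCMP pairwise encryption or PMF merely "capable" is not 192-bit security. The following added example, which is not Wi-Fi Alliance tooling, checks an AP profile against the list above. The option names (wpa_key_mgmt, rsn_pairwise, group_mgmt_cipher, ieee80211w) follow hostapd's hostapd.conf vocabulary, which is an assumption about the target AP rather than something the slide states, and the two profiles are constructed samples: a WPA2-Enterprise profile that only enables PMF beside the corrected 192-bit profile. The TLS side of the suite (ECDHE/ECDSA on P-384, RSA of 3072 bits or more) is configured on the EAP server and is outside what this checker sees.

```python
"""Check a hostapd-style WPA3-Enterprise profile against the 192-bit suite.

Constructed example, not Wi-Fi Alliance tooling. The required values encode the
slide's list (GCMP-256, BIP-GMAC-256, SHA-384 based key management, PMF required);
the option names follow hostapd.conf, which is an assumption about the AP.
"""

# option -> (the only acceptable value set, why the 192-bit suite needs it)
SUITE_B_192_RULES = {
    "wpa": ({"2"}, "RSN only; no WPA(1)/TKIP"),
    "wpa_key_mgmt": ({"WPA-EAP-SUITE-B-192"}, "SHA-384 key derivation and confirmation"),
    "rsn_pairwise": ({"GCMP-256"}, "GCMP-256 authenticated encryption"),
    "group_mgmt_cipher": ({"BIP-GMAC-256"}, "BIP-GMAC-256 management frame protection"),
    "ieee80211w": ({"2"}, "PMF required; 1 (capable) is not enough for 192-bit"),
}


def parse_conf(text):
    """Parse key=value lines, ignoring comments and blanks; a later key wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_suite_b_192(conf):
    """Return a list of findings; an empty list means the profile meets the suite."""
    findings = []
    for option, (allowed, reason) in SUITE_B_192_RULES.items():
        value = conf.get(option)
        if value is None:
            findings.append(f"{option} missing ({reason})")
        elif set(value.split()) != allowed:  # a mixed list such as "WPA-EAP WPA-EAP-SUITE-B-192" also fails
            findings.append(f"{option}={value!r} is not {sorted(allowed)} ({reason})")
    return findings


# Constructed sample: a WPA2-Enterprise profile that merely enables PMF.
WEAK_CONF = """
ssid=CorpSecure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=1
"""

# Constructed sample: the same network on the WPA3-Enterprise 192-bit suite.
STRONG_CONF = """
ssid=CorpSecure
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
group_mgmt_cipher=BIP-GMAC-256
ieee80211w=2
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("strong", STRONG_CONF)):
        print(name, check_suite_b_192(parse_conf(text)) or ["meets 192-bit suite"])
```

The check deliberately rejects lists that contain the right value alongside a weaker one, because an AP advertising both CCMP and GCMP-256 lets a client pick the weaker cipher, which defeats the "consistent baseline" the suite is meant to give.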
WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access
Complementary programs
Wi-Fi CERTIFIED Easy Connect: simple, secure way to connect smart home and IoT devices
• Wi-Fi Easy Connect simplifies the process of adding Wi-Fi devices with limited or no display interface to a Wi-Fi network
• Enables the use of a device with a more robust interface to easily provision and configure devices
• Use smartphone or tablet to scan product QR code to add devices to a Wi-Fi network
• Provides standardized, consistent method for onboarding IoT devices
• Supports WPA2 and WPA3 networks
Wi-Fi Easy Connect highlights
Wi-Fi Easy Connect enhances the user experience while maintaining secure connections
Wi-Fi Easy Connect defines two roles
• Configurator: a trusted device, such as a smartphone, serving as a central point of configuration for all devices on the network
• Enrollee: device that a network owner wants to connect to the network, including APs
Wi-Fi Easy Connect basics
• Wi-Fi Easy Connect is based on the Wi-Fi Alliance Device Provisioning Protocol Specification, which consists of a four-step process: bootstrapping, authentication, configuration, and network access
• Bootstrapping and authentication
– Every device ships with an identity in the form of a public/private key pair
– Establishes a trust relationship through exchange of public keys (one-way or mutual)
– Performed by scanning QR code or exchanging human-readable string
– These public keys are not part of the security credential received during configuration
– Device Provisioning Protocol (DPP) authentication protocol establishes a secure Wi-Fi connection using public keys
• Configuration
– Configurator passes a configuration object to the enrollee over the secure connection
– Configuration object includes a credential, which may be a signed enrollee connector
– Signed enrollee connector consists of public key (not the bootstrapping public key), network role, and group attributes, and it is unique to the Wi-Fi device owning it
Wi-Fi Easy Connect basics
• Network access
– Network introduction protocol allows an enrollee client device to securely connect to an enrollee AP using connectors provided by a configurator
– Enrollee client device and enrollee AP validate that each connector is signed by the configurator and that their roles are complementary, such as client and AP
– Enrollees validate that the group attributes match
– Enrollee client and enrollee AP mutually derive a unique pairwise master key (PMK) based on their public connector keys
– Enrollee client and enrollee AP establish connectivity
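The decision logic of the network introduction, as an added example that is not the Wi-Fi Alliance DPP reference code. A real DPP connector is a JWS signed with the configurator's ECDSA (P-256) key and the PMK comes from an ECDH between the two connectors' netAccessKeys; here the signature is stood in for by an HMAC under a configurator key and the ECDH step is left out, so what is demonstrated is the policy the slide lists: both connectors must verify under the same configurator, must not be expired, and must share a group in which the roles are complementary (sta and ap). Field names (groups, groupId, netRole, netAccessKey, expiry) mirror the DPP connector body; the expiry as an epoch number, the keys and the connector values are constructed samples.

```python
"""Connector checks performed in the DPP network introduction.

Constructed example, not Wi-Fi Alliance DPP reference code. The configurator
signature is stood in for by an HMAC (real DPP uses an ECDSA-signed JWS) and the
ECDH that turns the two netAccessKeys into a PMK is omitted.
"""
import hashlib
import hmac
import json

COMPLEMENTARY_ROLES = {("sta", "ap"), ("ap", "sta")}


def issue_connector(configurator_key, net_access_key, net_role, group_ids, expiry=None):
    """Configurator side: build a connector for one enrollee and sign it (HMAC stand-in)."""
    body = {
        "groups": [{"groupId": g, "netRole": net_role} for g in group_ids],
        "netAccessKey": net_access_key,  # placeholder for the enrollee's connector public key
    }
    if expiry is not None:
        body["expiry"] = expiry  # constructed: epoch seconds (real DPP uses an ISO 8601 string)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(configurator_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}


def verify_connector(configurator_key, connector):
    """Return the parsed body if the configurator signature verifies, else None."""
    expected = hmac.new(configurator_key, connector["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, connector["sig"]):
        return None
    return json.loads(connector["payload"])


def network_introduction(configurator_key, own, peer, now=0):
    """Decide whether the holder of `own` may pair with the holder of `peer`.

    Returns (ok, reason, group_id). Mirrors the slide: signed by our configurator,
    not expired, same group, complementary roles.
    """
    own_body = verify_connector(configurator_key, own)
    peer_body = verify_connector(configurator_key, peer)
    if own_body is None or peer_body is None:
        return False, "connector not signed by our configurator", None
    for body in (own_body, peer_body):
        if "expiry" in body and body["expiry"] < now:
            return False, "connector expired", None
    common = [(m, t) for m in own_body["groups"] for t in peer_body["groups"]
              if m["groupId"] == t["groupId"]]
    if not common:
        return False, "no common group", None
    for mine, theirs in common:
        if (mine["netRole"], theirs["netRole"]) in COMPLEMENTARY_ROLES:
            return True, "ok", mine["groupId"]
    return False, "roles not complementary", None


# Constructed sample data: one configurator, the devices it provisioned, and an
# AP provisioned by an unrelated configurator.
CONFIGURATOR_KEY = b"constructed-configurator-signing-key"
STA = issue_connector(CONFIGURATOR_KEY, "sta-netAccessKey-placeholder", "sta", ["home"])
AP = issue_connector(CONFIGURATOR_KEY, "ap-netAccessKey-placeholder", "ap", ["home", "guest"])
OTHER_STA = issue_connector(CONFIGURATOR_KEY, "sta2-netAccessKey-placeholder", "sta", ["home"])
GUEST_STA = issue_connector(CONFIGURATOR_KEY, "sta3-netAccessKey-placeholder", "sta", ["guest"])
EXPIRED_STA = issue_connector(CONFIGURATOR_KEY, "sta4-netAccessKey-placeholder", "sta", ["home"], expiry=100)
FOREIGN_AP = issue_connector(b"another-configurator-key", "ap2-netAccessKey-placeholder", "ap", ["home"])

if __name__ == "__main__":
    for label, peer in (("our AP", AP), ("another STA", OTHER_STA), ("foreign AP", FOREIGN_AP)):
        print(label, network_introduction(CONFIGURATOR_KEY, STA, peer, now=1_000))
```

Only after all four checks pass would the two enrollees run the ECDH over their connector public keys to derive the PMK; a connector from a different configurator, or one whose payload was altered after signing, never reaches that step, which is what keeps a device provisioned by someone else off the network even though it speaks the same protocol.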
Wi-Fi CERTIFIED Enhanced Open: Better data protections in open networks
• Preserves convenience of open networks while reducing associated risks
• Provides protections in scenarios where user authentication is not desired or distribution of credentials is impractical
• Protections against passive eavesdropping without a password or extra steps to join the network
• Integrates established cryptography mechanisms to provide each user with unique individual encryption
• Wi-Fi Alliance recommends using Wi-Fi Protected Access security when possible; when it is not, Wi-Fi Enhanced Open brings protections that traditional open networks do not
Wi-Fi Enhanced Open
• Wi-Fi Enhanced Open technology is based on Opportunistic Wireless Encryption (OWE), defined in the Internet Engineering Task Force (IETF) RFC 8110
• OWE overlays an Elliptic-curve Diffie-Hellman (ECDH) key exchange on top of association to a Wi-Fi network
• OWE does not provide authentication, and does not guard against man-in-the-middle attacks that lure clients to connect to a rogue AP
• OWE does protect against passive eavesdropping, as well as unsophisticated packet injection such as deauthentication storm attacks or layer-2 injection of data into insecure HTTP sessions
• Network managers must remain vigilant in monitoring for rogue APs and active attackers that modify information being transmitted on a network
• Certain types of “insider” attacks, such as ARP spoofing, might be mitigated on Wi-Fi Enhanced Open networks by configuring the network to isolate clients
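Because OWE authenticates nobody, the control that remains for the network operator is the monitoring the slide asks for. The following added example, which is not Wi-Fi Alliance tooling, audits one scan of nearby BSSs against an inventory of the SSIDs we manage: it flags any BSSID not in the inventory that broadcasts a managed SSID, and any BSS that offers a managed SSID without the expected key management (here OWE), which is how a plain-open twin of an Enhanced Open network would show up. The inventory, the scan records and their three-field layout (bssid, ssid, list of AKM suites seen in the RSN element) are constructed sample data and an assumption about the scanner's export, not the slide's content.

```python
"""Audit a Wi-Fi scan for rogue or downgraded BSSs on managed Enhanced Open SSIDs.

Constructed example, not Wi-Fi Alliance tooling. Scan records are (bssid, ssid,
akm_suites) tuples; an empty akm list means an open BSS with no RSN element.
"""

# Inventory: SSIDs we manage, BSSIDs authorised to broadcast them, and the AKM we
# expect to see ("OWE" for Enhanced Open, "SAE" for WPA3-Personal).
MANAGED = {
    "Cafe-Guest": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "akm": "OWE"},
    "Cafe-Staff": {"bssids": {"aa:bb:cc:00:00:11"}, "akm": "SAE"},
}

# Constructed scan: what a monitor might see in one pass.
SCAN = [
    ("aa:bb:cc:00:00:01", "Cafe-Guest", ["OWE"]),
    ("aa:bb:cc:00:00:02", "Cafe-Guest", ["OWE"]),
    ("de:ad:be:ef:00:01", "Cafe-Guest", ["OWE"]),      # unknown BSSID, our SSID
    ("de:ad:be:ef:00:02", "Cafe-Guest", []),           # our SSID offered fully open
    ("aa:bb:cc:00:00:11", "Cafe-Staff", ["PSK"]),      # known BSSID but WPA2-PSK only
    ("11:22:33:44:55:66", "Neighbour", ["SAE"]),       # not our network
]


def audit_scan(scan, managed=MANAGED):
    """Return (bssid, ssid, finding) tuples for every BSS that violates the inventory."""
    findings = []
    for bssid, ssid, akms in scan:
        policy = managed.get(ssid)
        if policy is None:
            continue  # someone else's SSID; not our concern
        if bssid.lower() not in policy["bssids"]:
            findings.append((bssid, ssid, "unknown BSSID advertising managed SSID"))
        if policy["akm"] not in akms:
            offered = ",".join(akms) or "open, no RSN element"
            findings.append((bssid, ssid, f"expected {policy['akm']}, offered {offered}"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, finding in audit_scan(SCAN):
        print(f"{bssid}  {ssid:<12} {finding}")
```

Two caveats for real deployments: the check works only with an up-to-date BSSID inventory, and where Enhanced Open transition mode is in use the open BSS it pairs with must be in the inventory, otherwise it is reported as a downgrade.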
Thank you!
• Wi-Fi Alliance introduces next generation, WPA3 security for personal and enterprise networks
• WPA3 brings simplified security, robust authentication, increased cryptographic strength
• WPA2 remains mandatory for Wi-Fi CERTIFIED devices. As WPA3 adoption grows, WPA3 will become mandatory.
• Wi-Fi Easy Connect delivers a simple, secure way to connect smart home, IoT devices
• Wi-Fi Alliance always recommends Wi-Fi security. In scenarios where authentication is not possible/desired, Wi-Fi Enhanced Open provides additional data protections
Wi-Fi: Cornerstone of connected life today, and into the future
Please provide your feedback on today’s presentation
https://www.surveymonkey.com/r/wifipresentation