Advancements in Wireless

Security
Its about time
Stephen Orr
Distinguished Systems Engineer
@StephenMOrr

BRKEWN-2006
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Session Presenter

Stephen Orr
Distinguished System
Engineer
US Public Sector
CCIE #12126 (R&S,
Wireless)
@StephenMOrr

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
What we hope to achieve in this session

• Provide a foundation for the next generation of Wi-Fi Security

• Standards vs Certification process (IEEE and Wi-Fi Alliance)
• Understand WPA3, Enhanced Open and the evolution of Wireless
Security
• The right tool in the tool bag for Wireless Security Requirements
• Know where and when to deploy the various security options
• Understand the pros/cons and key drivers for positioning a solution

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Session Assumptions and Disclaimers

Basic understanding of IEEE 802.11 and 802.1X

protocols used in WLANs IETF - EAP Methods and RADIUS

Configurations
ISE
What we are not covering: SDA
BYOD

Many 2 hour Wireless breakout sessions will focus

strictly on areas this presentation touches on briefly

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Agenda

• A brief history of Wi-Fi security

• Wi-Fi Certified Enhanced Open™
• Wi-Fi CERTIFIED WPA3™
• Wi-Fi Certified Easy ConnectTM
• Conclusion

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
History of Wireless
Security Part 1
Why do we need Security ?

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Interest in Security Technologies

“now that we did that,

interest

we’re secure!”

attack is published

“Why do we need to do
this security work?”
You “Why did it take so long
are to do that security work?”
here

“no attacks, we’re secure!”

window << typical program development time
BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Security threats/risks are constantly evolving

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
 Security needs to improve over time
• Significant usage of weak protocols still
exist
End users think of security as a baseline
product capability, but vendors think of
security as features
• Products are compared on functionality,
performance, features, but generally
not security

Problem Statement • Consumers and Customers don’t buy

“10% more secure,” but they do buy
“10% faster”
Wi-Fi Encryption had remained stagnant
while other standards have evolved to use
stronger and more efficient ciphers (AES-
GCM, ECC):
• IEEE 802.1AE – MACSec
• IEEE 802.11ad
• IETF TLS 1.3

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Security Challenges for Wi-Fi

Certification testing was based on interoperability: more important to be bug-

compatible with testbed than be correct in protocol implementation
• Exact opposite of what you need in security, which is to get the implementation right

Many devices switch between high-security enterprise and lower-security consumer

settings
Because security is not a feature, industry approach has historically been reactive
• Current method of improving security is: (1) wait for break, (2) scramble to fix
• Security is only top of mind when it is lacking – and that is also when competitive technologies become
compelling

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Security is like…

• …medicine or a vaccine
• Tastes bad
• Shots hurt
• About the only thing that’s good about them is not being sick
• The Challenge – drive awareness and adoption of “better” security
• Consumers do not ask for anything that is not branded!
• More post-WPA2 feature enhancements than in WPA1 to WPA2 transition
• Manufacturers/Vendors are hesitant to adopt things that customers aren’t demanding.
• Chicken and Egg – we know security enhancements are needed, consumers look to the
brand for assurance
• Keep consumers and networks vaccinated against future attacks to stop outbreaks

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
The permutations
and combinations of WPA Personal

WPA2
Wireless Security Enterprise HS2.0
WPS DPP
How do consumers TKIP
EAP
know they are secure
AES
and using the best WPA3
security possible? PMF

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Security needs to be like:
Not every Network Operator or home user is a crypto expert

• Building a Castle
• IF I make PMF mandatory I can mitigate
deauth attacks
• IF I use high entropy PSK – it should
increase the time it takes for offline
dictionary attacks but not prevent it
• IF I use AES it WILL mitigate the TKIP
attacks

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
The Road to Wi-Fi Protected Access

Its all about compromise

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Wi-Fi Alliance Security History
Security Enhancements have typically taken a reactive approach (something was broken and then we fixed it):

• WEP – first exploits 2001 • WPS (2006)

• WPA (2003) • Created for the consumer to easily adopt Security
• attempted to bridge security gap from WEP to • 2011 – Brute force pin attack (compromises
802.11i network access)
• 2008 – Beck-Tews attacks shows vulnerabilities in • 2014 – Weak Random Number Generator
TKIP (compromises confidentiality) implementations compromises WPS
• WPA-PSK brute force attacks (compromises • KRACK(2017)
network access and confidentiality)
• WPA2 Security Enhancements (2018)
• WPAv2 (2004)
• WPA3 (2018)
• Integrated security enhancements from 802.11i
(added AES) • Enhanced Open (2018)
• WPA2-PSK: brute force attacks still exist • Wi-Fi Easy Connect (2018)
• Still maintains a TKIP only mode of operation • Dragonblood (2019)
• Inconsistent cryptography strength (SHA-1 <80 bits • WPA3 Enhancements (Dec 2019)
of security)
What comes next on this list?

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
History of Wireless
Security Part 2
AKA WPA2 – the good the
bad and the ugly
History of Post-WPA efforts to improve security
• When security is optional and there is no tangible
benefit, it will be postponed
• WPA preshared keys are well known to be a problem
• Increased computing power every year makes them
easier to attack
• Should be deprecated because “Password” is not a
secure password
• TKIP still in widespread use
• 2013 paper showed that 71% of encrypted networks
used it instead of good cryptography
http://people.cs.kuleuven.be/~mathy.vanhoef/papers
/wpatkip.pdf
• Can anyone believe WEP is still in use

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
 • The GOOD
• WPA2 was created with the
sole purpose of fixing the
issues in WPA
• TKIP was broken

WPA2 – The Good • AES was adopted in the

radios by enough vendors
The Bad and the • 802.1x and RADIUS are too
Ugly complex to set up for home
use so we still needed a
simple password based
method
• My Mom can create her own
WPA2 home network!

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
WPA(2)-PSK: The BAD
• With WPA(2) – the password or PSK us used for both “authentication” and encryption
• Susceptible to attacks and tools to crack a password are easily downloadable from the
Internet
• Given the messages from the 4-way Handshake, the attacker loops through all passwords
in the database computing values using a candidate password until it is able to verify
message 3 or message 4
• No forward secrecy– guess the password and get the session keys for all past, present,
and future exchanges
• When used for network access through an AP it allows anyone in “earshot” to crack the
password and connect
• Brute force attacks/Dictionary Attacks: Amazon Cloud attack: performs 2,400,000
password checks per minute at $0.23/min– the size of the dictionary really doesn’t
matter now!

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
What is wrong with good ol’ WPA2 PSK?

• With WPA2 PSK, your password is used to generate the Pairwise Master Key (PMK)
• This is how the exchange works:
1. On both sides, make your weak passphrase (“password”) a bit stronger: PSK = pseudorandom (PBKDF2
algorithm) of Passphrase, SSID, SSIDlength, to produce a 256-bit string
2. The process is done the same way on the AP and client, so they have the same PSK. This PSK is the PMK.

PSK = PBKDF2 (PassPhrase, ssid, ssidLength, 4096, 256) PSK = PBKDF2 (PassPhrase, ssid, ssidLength, 4096, 256)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
WPA2 – The UGLY
Why did we do a transition mode for WPA/WPA2
REMEMBER – at the time not all AP’s could support Multiple BSS’s
• A transition mode was created to preserve interoperability with WPA and help with end user experience.

• What did we inherit with a transition mode:

• Group Cipher still uses TKIP
• Lowest common denominator
• Still susceptible to dictionary attacks

• Security is typically sacrificed for simplicity of adoption

• Or we don’t read the fine print

Note – with regards to security: nothing good ever comes out of

transition modes (ever)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Why is it easy to crack WPA2-Personal?

• All I need is a capture of the

4-Way handshake
• How?– deauth the client
• Upload the entire pcap
• Customers/end users deploy weak
passwords
• Results in a easy access to the Wired
network (I don’t care about capturing
over the air data)
• If my intent is to get wired side
access MAC based auth + PSK is
trivial to bypass
Think IoT, Medical devices, TV’s etc etc

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
 What About WPA2-Enterprise

Wireless LAN Controller Identity Services Engine

AES CAPWAP RADIUS

PMK EAP Success EAP

EAP Success
Success (PMK) PMK
ANonce
PTK SNonce, MIC PTK, GTK Four-Way
ANonce, MIC, GTK, Sequence # Handshake

ACK

PTK = SHA(PMK + ANonce + SNonce + AP MAC + STA MAC)

Caution: Threat shifts from a weak PSK to weak user passwords for logon

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Release the KRACKen
Key Reinstallation AttaCK (KRACK)

In Oct 2017, a researcher published 10

possible “attacks” against WPA2

All of them are about “small prints” in the WPA2

testing method:
• Cases that were possible with 802.11, but not tested
• Patches are available for most platforms, but this shows that
WPA2 is aging

WPA2 was released in 2004; it was time to update it

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Key Reinstallation AttaCK (KRACK) cont
• KRACK is an attack against the 4-way handshake (specifically nonce reuse)
• What does the 4-way handshake do?
• Mutual authentication between AP and STA
• Negotiates fresh Pairwise Transient Keys

• Where is the 4-way handshake used?

• WPA Personal and Enterprise
• WPA2 Personal and Enterprise
• 802.11r Fast BSS transition (FT)
• 802.11ai Fast Initial Link Setup (FILS)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
What is a Key Reinstallation AttaCK (KRACK)

10 Vulnerabilities were discovered

Only 1 impacts APs using 802.11r (Fast CVE-2017-13082

BSS Transition)

These vulnerabilities may allow the reinstallation of a pairwise transient key, a group key,
or an integrity key on either a wireless client or a wireless access point. Additional
research also led to the discovery of three additional vulnerabilities

This is an industry wide issue – not specific to any one vendor

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
 802.1X Authentication
AP WLC Radius
Probe Request
Probe Response

Auth Request
Auth Response
Association Request
Association Response
EAP Start
EAP ID Request
EAP ID Response
EAP Method

EAP Success
EAPoL 4 way Exchange
Look Here
DATA

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
 4-way handshake messages (over-simplified)
Message 1:
• EAPoL frame containing A-Nonce
(authenticator nonce)
• Supplicant can derive PTK because it now
has A-Nonce, S-Nonce and PMK
Message 2:
• Supplicant sends Authenticator S-Nonce
• Authenticator can now generate PTK, GTK
and IGTK
Message 3:
• GTK, IGTK delivered to Supplicant
encrypted with PTK
• Tells supplicant to install temporal keys
Message 4:
• Supplicant informs authenticator that keys
have been installed

Key reinstallation occurs by replaying Message 3

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Whatever happened to Protected Management
Frames?
• Implementing Protected Management Frame (802.11w) will helps mitigate
Man-in-the-Middle attacks
• The 802.11w protocol applies only to a set of robust management frames
that are protected by the Protected Management Frames ( PMF) service.
• These include: Disassociation, De-authentication, and Robust Action frames
(Like FT).

Our Bad – we broke it.

• We specified that when PMF was enabled the only hash algorithm used
could be SHA1 (for everything)…
• Guess what Fast Transition requires SHA2
• Subsequently the PMF requirement broke other things
The Good news is – we fixed it.

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
History of Wireless
Security Part 2.5*
Open Networks Get an Upgrade

Wi-Fi CERTIFIED Enhanced Open

*not quite WPA3 (yet)

What’s wrong with Open Networks?

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
What problem are we trying to solve??

• Passive Eavesdropping – that’s it!!

• Something better than Open Networks to
provide privacy.
• Similar End User Experience to Open but with
encryption
• Privacy – not Security
• No we do not claim Man-In-The-Middle
prevention

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
 Wi-Fi CERTIFIED Enhanced Open

• Based on Opportunistic Wireless Encryption (OWE) STA, AP,

– Defined in RFC 8110– https://tools.ietf.org/html/rfc8110 Supplicant Authenticator

Probe request

• Provides integrity and confidentiality, albeit unauthenticated, to Probe response

wireless traffic Open system authentication request

• Alternative to Open networks, focused on Privacy Open system authentication response

Association request,
• Requires no provisioning, no user entry– it just works! embedded Diffie-Hellmann key exchange

Association response,

Security in OWE:
embedded Diffie-Hellmann key exchange
• EAPOL-Key (ANonce)

⎯ Computationally infeasible for a 3rd party to determine EAPOL-Key (SNonce)

encryption keys EAPOL-Key (Install PTK)
• Diffie-Hellman group: 19, NIST p256 elliptic curve EAPOL-Key
– Fast and compact EAPOL-Key (Install GTK)
– Widely implemented EAPOL-Key

– Suitable security for 128-bit encryption (CCMP or GCMP)

⎯ PMF Required
⎯ Susceptible to active attack, resistant to passive attack

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Enhanced Open – only mode
Beacon Frame

Group Cipher AES-CCM-128

Pairwise Cipher AES-CCM-128

AKM 00:0f:ac:18 (OWE)

Management Frame Protection

Required

Broadcast Integrity Protocol (BI)

AES-CMAC-128

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Shhhhh!!!

• Enhanced Open actually provides more

privacy than WPA2-PSK using a shared PSK
in public venues
• If everyone has the PSK with WPA2-
Personal its trivial to decode all of the traffic
(past and future)…its just about as effective
as an Open network to a hacker
• Enhanced Open – each client generates it
own keys via ephemeral DH exchange

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Enhanced Open Transition Mode

• When an Open SSID is enabled on an Enhanced Open AP – it shall create a separate

hidden BSS with the same properties as the Open BSS
• The Open BSS will include an OWE Transition Mode Element to direct Enhanced
Open capable STAs to the Enhanced Open BSS
• Why did we do this???
• Legacy STA behavior – some see an Enhanced Open BSS as “Open, dot1x or PSK” leading to a poor user
experience

Note – with regards to security: nothing good ever comes out of

transition modes (ever)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
 Enhanced Open Transition Mode

Open SSID “Open”

Enhanced Open SSID “E-Open”

OWE Transition Mode Element

• Open network advertises BSS and SSID of
Enhanced Open Network
• Enhanced Open network advertises BSS and SSID
of Open Network

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
History of Wireless
Security Part 3
WPA3

AKA The evolution of Wi-Fi

Security
WPA3 continues the
evolution of Wi-Fi security
and maintains the brand
promise of Wi-Fi Protected
Access®

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
 • “Security combinatorics” refers to the number of
options available for connecting to networks
• Advertising IEs (2): WPA, WPA2
• AKMs (18): PSK, SAE, 802.1x, Suite B, FT,
FILS etc…
• Unicast ciphers (6): WEP, TKIP, CCMP-128,
CCMP-256, GCMP-128, GCMP-256
• Broadcast ciphers (4): WEP, TKIP, CCMP,
GCMP

Problem statement •
•
Integrity ciphers (3): none, CMAC, GMAC
Hash algorithms (4): SHA-1, SHA-256,

for WPA3 •
SHA384, SHA512

Also includes the KDFs for PMK as well as the

TLS cipher suites for EAP types

• Not all of these combinations are created equal:

• Each configuration combination is a possibility
for end users to get wrong and prevent
devices from connecting and generating a
support call
• AP/RADIUS server sets security policies, STA
chooses from options available

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Wi-Fi CERTIFIED WPA3™ builds on
widespread adoption of WPA2 for 10+ years

Unify the WFA Security efforts into something which consumers/vendors can
recognize

Provide a solid technology foundation for the future of Wi-Fi security

eliminate the mix and match error prone patchwork of

Decrease complexity and use of legacy security protocols that consumers are expected understand
security protocols Provide them with the most secure options

User Experience Make Wireless Secure and easier to use

WPA3 is a fundamental shift from interoperability testing to conformance testing

(make sure bad stuff doesn’t happen)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
WPA3 supports the market through two distinct modes

WPA3-Personal: WPA3-Enterprise:
Robust, password-based Enterprise-grade security for
authentication sensitive data networks
• Resistant to offline dictionary attacks; • Available 192-bit cryptographic strength for
stronger protections for users against networks transmitting sensitive data
password guessing attempts by third parties
• 192-bit Security suite provides additional
• Protection even when users choose security for networks like government and
passwords that fall short of complexity finance
recommendations
• Greater consistency in application of security
• No change to the way users connect to a protocols
network
• Better network resiliency
• Provides forward secrecy; protects data
traffic even if a password is later
compromised

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
WPA3 Main components

• Replacement of WPA2-PSK with WPA3-SAE (Simultaneous Authentication of Equals)

• Mitigates offline dictionary attacks
• Suite B – more than just Fed Govt
• Addition of GCM & ECC for crypto and better hash functions (SHA384)
• Consistent cryptographic strength rules to avoid misconfiguration
• Protected Management Frames mandatory

• General Security Enhancements

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
 • WPA3-Personal
• WPA3-SAE Mode
• PMF Required
• WPA3-SAE Transition Mode
• Configuration Rules: On an AP, whenever
WPA2-PSK is enabled, the WPA3-SAE
Transition Mode must also be enabled by

WPA3 Modes
default, unless explicitly overridden by the
administrator to operate in WPA2-PSK Only
Mode.

Because a mode is • WPA3-Enterprise

• WPA3-Enterprise Only Mode

different than the •

• PMF SHALL be negotiated for all WPA3 connections
WPA3-Enterprise Transition Mode

brand
• PMF shall be negotiated for a WPA3 connection
• PMF optional for a WPA2 connecction
• WPA3-Enterprise “192-bit” mode (CNSA)
• More than just for the Federal Government
• Consistent cryptographic cipher suites to avoid
misconfiguration
• Addition of GCM & ECC for crypto and better hash
functions (SHA384)
• PMF Required

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
WPA3-Personal
(aka WPA3-SAE)
WPA3-Personal Properties

1. The successful termination of the protocol results in a PMK shared between the two STAs.

2. An attacker is unable to determine either the password or the resulting PMK by passively observing an
exchange or by interposing itself into the exchange by faithfully relaying messages between the two
STAs.

3. An attacker is unable to determine either the password or the resulting shared key by modifying,
forging, or replaying frames to an honest, uncorrupted STA.

4. An attacker is unable to make more than one guess at the password per attack. This implies that the
attacker cannot make one attack and then go offline and make repeated guesses at the password until
successful. In other words, SAE is resistant to dictionary attack.

5. Compromise of a PMK from a previous run of the protocol does not provide any advantage to an
adversary attempting to determine the password or the shared key from any other instance.

6. Compromise of the password does not provide any advantage to an adversary in attempting to
determine the PMK from the previous instance.

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
WPA3-Personal
Simultaneous Authentication of Equals (SAE)

• Based on the Dragonfly Key Exchange

• Balanced Password Authenticated Key Exchange (PAKE)
• Shared password
• Security of SAE not tied to the complexity of the shared password
• SAE exchanges results in a 32-byte PMK
• Protects against offline dictionary attacks
• Forward secrecy protects traffic even if password is later compromised

• Requires Protected Management Frames

• WPA3-SAE Transition Mode supports both WPA2-PSK and

WPA3-SAE on the same SSID

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
WPA3-Personal Only
Beacon

Group Cipher AES-CCM-128

Pairwise Cipher AES-CCM-128

AKM 00:0f:ac:08 (SAE)

Management Frame Protection

Required

Broadcast Integrity Protocol (BI)

AES-CMAC-128

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
 SAE Authentication Commit Message
Occurs prior to 802.11 Association

SAE Commit Message from STA to AP

• DH Group Exchange
• Element
• Scalar

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
 SAE Authentication Confirm Message
Occurs prior to 802.11 Association

SAE Confirm Message from STA to AP

• Upon completion of the SAE Confirm Message the
PMK is generated on both AP and STA

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Association Request from AP

Group Cipher AES-CCM-128

Pairwise Cipher AES-CCM-128

AKM 00:0f:ac:08 (SAE)

Management Frame Protection Required

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
4-Way Handshake Begins
Message 1 AP->STA

Message 1

Pairwise Key

AP Nonce

At the end of M1 – the STA can derive the PTK

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
4-Way Handshake
Message 2 STA->AP

Message 2

MIC Set

STA Nonce

MIC

RSN Chosen
SAE with AES-CCMP-128

At the end of M2 – the AP can derive the PTK

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
4-Way Handshake
Message 3 AP->STA

Message 3

AP Signals STA to Install PTK

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
4-Way Handshake
Message 4 STA->AP

Message 4

MIC Set

STA sends MIC to AP

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
WPA3-Personal Transition Mode
Why did we do a transition mode for WPA2/WPA3

WAIT – AP’s that support WPA3 should support Multiple BSS’s – its 2020
• A transition mode was created to preserve interoperability with WPA2 and help with end user
experience.
• What did we inherit with a transition mode:
• Single BSS -Enabled by default when a WPA2-PSK BSS is enabled on a WPA3-Personal AP
• Same passphrase exists between WPA2-PSK and WPA3-PSK
• WPA2-PSK is still vulnerable to all the classic issues

• The upside
• WPA3-Personal connections are secure – knowing the passphrase gets that hacker access to the
WLAN not the ability to decrypt the sessions

Note – with regards to security: nothing good ever comes out of

transition modes (ever)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
WPA3-Personal Transition Mode

Group Cipher AES-CCM-128

Pairwise Cipher AES-CCM-128

Multiple AKMs:
AKM 00:0f:ac:2 PSK
AKM 00:0f:ac:6 PSK (SHA256)
AKM 00:0f:ac:8 (SAE)

Management Frame Protection

Capable

Broadcast Integrity Protocol (BI)

AES-CMAC-128

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
 Enter DragonBlood
WPA3-Personal (SAE) Vulnerabilities

• A researcher found 5 vulnerabilities in the SAE protocol used as part of WPA3-Personal

(Simultaneous Authentication of Equals is defined in IEEE 802.11-2016)

• These vulnerabilities allow an attacker to perform:

• Attacks on the STA
• Switch clients from WPA3-Personal to WPA2-Personal on transition mode BSS
• Downgrade Diffie-Hellman Groups used in SAE
• ECC and MODP side-channel timing attacks
• Attacks on the AP
• DoS from flooding spoofed authentication frames to AP

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
WPA3-Enterprise
What’s the difference?

• WPA2 vs WPA3 Enterprise

• All WPA3 connections shall negotiate PMF

• This means if I have a WPA2 Client and it negotiates PMF it should be considered
WPA3 Enterprise (MFPC)
• However to be considered WPA3 Enterprise Only – Management Frame Protection
would be set to Required (MFPR)
• Identical to WPA3-Personal and Enhanced Open

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
WPA3-Enterprise-
192 Mode
Rise of the Quantum Computers….

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Why we should care

• Quantum Computing – a different paradigm in computing

• Quantum Computers can efficiently factor large numbers – DH key exchange

is vulnerable
• A quantum computer could break public key cryptography standards in use
today.
• Information with long-term confidentiality requirements should be protected
against future decryption (i.e., capture now, decrypt when quantum
computers become viable.)
• Data-in-transit (e.g., capture data communications)
• Data-at-rest (e.g., capture file images)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
A 1000 words about consistency in selecting
cryptographic primitives

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
A few more words about consistency in selecting
cryptographic primitives
• An attacker will target the weakest component in a system
• To achieve a consistent level of system security it’s necessary to ensure that the
work factor for each cryptographic primitive meets or exceeds a selected level:
• For a security level 192:
• AES-GCM-256 for authenticated encryption
• HMAC-SHA384 for key derivation and key confirmation
• ECDH and ECDSA using a 384-bit elliptic curve for key establishment and
authentication
• Consistency affords misuse resistance since Suite B cannot be configured in a way
to not provide the indicated level of security

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
WPA3 Consistent more Efficient Security
Enter Elliptic Curve Cryptography
Elliptic Curves
• EC Cryptography uses the formula y3=x3+ax+b
• Replaces “power” with lines
• Pick P1, P2, there is only 1 point P3
• Jump to its reflection (R)
• Then redo (Find the intersection between
P1 and R, jump to the reflection etc.
• You can also use “modulo” by letting points bounce
when the vector reaches the green line

Why Elliptic Curves?

• In the end, you have what DH needs:
• An initial number (P1), a secret number (n, how many jumps
did I do) and a final number (where I end up, e.g. R if n=1)
• With EC, cracking ‘n’ is much harder than with static RSA

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
WPA3 Stronger Security – Finding a better way

You can still use RSA

• But with at least 3072 bit-keys
• These are long keys, computationally
expensive
The alternative is to use ECC
• Less computationally expensive for the same
strength
• ECC 256 = RSA3K = 128 bits of security

• ECC 384 = RSA 7K = 192 bits of security

• Need to evaluate the end-to-end

cryptographic strength

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Cisco Next Generation Encryption vs Suite B

AES-256-GCM ECDH-P521
ECDSA-
SHA-512 Encryption
P521
Data Authentication

Key Establishment
AES-192-GCM ECDH-P384 ECDSA-P384 SHA-384 Suite B mLoS 192
Signatures

Hashing
AES-128-
ECDH-P256 ECDSA-P256 SHA-256 Suite B mLoS 128
GCM

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Suite B Cryptography Recommendations
– QC resistant
Algorithm
Operation Quantum Computer
Acceptable Preferred Resistant
Encryption AES-CBC-256 mode — ✅ (256-bit)
Authenticated encryption — AES-GCM-256 mode ✅ (256-bit)

Integrity SHA-256 SHA-384 / 512 ✅ (384/512)

Integrity HMAC-SHA-1 HMAC-SHA-256 ✅ (256-bit key)

RSA: Key exchange /

DH / RSA / DSA - 3072 /
Encryption / ECDH / ECDSA-384 / 521*
4096
Authentication

ECC: Key exchange /

ECDH / ECDSA-256 ECDH / ECDSA-384 / 521
Authentication

*ECC algorithms have significant performance advantages over RSA. Such efficiency makes them very suitable for low-power devices (i.e. sensors) with limited resources and computational power.

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
How Suite B is supported in 802.11
• Through AKM and cipher suite negotiation
• 192-bit security level restricted to:
• AKM 00-0F-AC:12 – authentication with a Suite B EAP-TLS method supporting ECDH and ECDSA with p384, and key
derivation and key management using SHA384
• Cipher suite 00-0F-AC:9– AES-GCM-256 and 00-0F-AC:12– BIP-GMAC-256
• When doing Suite B, one and only one AKM (plus permissible cipher suites) is allowed

• Consistency enforcement on AP to inform AAA server of negotiated AKM

• WLAN-AKM-Suite attribute: RADIUS attribute value 188 (assigned by IANA)
• The Authenticator (AP) informs the AAA server of the AKM the client selected
• Only AP side (if not terminating EAP) is required to support this attribute

• ECDSA certificates using appropriate curve (p384) are required

• AAA server requires EAP-TLS with an AKM-appropriate TLS cipher suite
• 192 bit: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 with p384 elliptic curve

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
WPA3-Enterprise-192

Group Cipher AES-GCM-256

Pairwise Cipher AES-GCMP-256

AKM 00:0f:ac:12 SHA384

Management Frame Protection

Required

Broadcast Integrity Protocol (BI)

AES-GMAC-256

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
WPA3-Enterprise-192 Stronger Authentication

WPA-3 Enterprise 192-bit mode mandates EAP-TLS to be used for EAP

method and the TLS ciphers as required by the CNSA suite .

Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit Mode are:

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - ECDHE and ECDSA using the

384-bit prime modulus curve P-384

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ECDHE using the 384-bit prime

modulus curve P-384 - RSA ≥ 3072-bit modulus

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - RSA ≥ 3072-bit

modulus - DHE ≥ 3072-bit modulus

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
WPA3-Enterprise-192
GCMP More Robust Encryption method

You also need for good measure a better MIC (128 bits instead of 64)
WPA-3 needed to use faster more efficient encryption
• Here Galois Counter Mode Protocol presents the solution

A great strength of GCMP mechanism is that you can calculate (still using AES)
the different elements needed for the MIC determination in parallel, saving an
enormous amount of time
GCMP was allowed in 802.11ac, it is mandatory with WPA3-Enterprise-192
• It is much faster than CCMP, which allows for longer keys if needed

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Quick WPA3
Roadmap
WPA3 support on Cisco hardware and software

Wi-Fi 6 Cisco DNA

WPA3 support Wave 1 APs Wave 2 APs Cisco Prime®
802.11ax APs Center

AireOS No 8.10 8.10 3.7 1.4

Cisco IOS® XE No 16.12 16.12 3.7 1.4

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Cisco IOS XE C9800

Configuration for WPA3 only on a WLAN

wlan AA-WPA3 1 AA-WPA3
security wpa psk set-key ascii 0 1234567890
no security wpa akm dot1x
security wpa akm sae
security wpa wpa3
security pmf mandatory
no shutdown

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Configuration for WPA2 and WPA3
on the same WLAN

wlan AA-WPA3 1 AA-WPA3

security wpa psk set-key ascii 0 1234567890
no security wpa akm dot1x
security wpa akm psk
security wpa akm sae
security wpa wpa3
security pmf mandatory
no shutdown

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
AireOS – Opportunistic Wireless Encryption
For Enhanced Open Networks
OWE is a mandatory feature for WPA-3 certification along with OWE Transition mode

If OWE Transition Mode is

disabled. Open SSID filed is
hidden from this page

OWE Transition Mode

requires at least one Open
SSID configured

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
AireOS – WPA-3 Personal aka SAE
WPA3 + WPA2 Enabled. All AKM’s can be WPA3 Enabled, WPA2 Disabled. PMF is required.
configured based on the FT and PMF selection. FT can be selected as Enable/Disable/Adaptive.
SAE is enabled by default. SAE is enabled by Default.

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
AireOS – WPA-3 Enterprise Mode
WPA3 + WPA2 Enabled.
CCMP256 and GCMP128/256 Ciphers with AKM Suites are available. PMF is Optional

WPA3 Enabled + WPA2

Disabled. CCMP256 and
GCMP128/256 Ciphers
and AKM Suites are
available. PMF is Required

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Qualcomm mobile device Intel with Microsoft Windows

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
WPA3 and Wi-Fi 6 (11ax) alignment
• Current Plan of Record for WPA3 to become mandatory for all Wi-Fi CERTIFIED devices 2 years
after program launch
• Program launched April 2018 – target mandatory June 2020
• Current plan for Wi-Fi 6
• WPA3-Personal is mandatory
• WPA3-Enterprise is Optional
• Enhanced Open is optional

• Current plan of record is that all PHY/MAC moving forward past June 2020 will follow WPA3
requirements

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
WPA3 current and future certifications

When will I see Wi-Fi Certified WPA3 and Wi-Fi Certified Enhanced Open
products?
Vendors have already started certifying!!!!
• In July of 2020 – all new certifications will require WPA3-Personal
• WPA2-Personal is a pre-requisite for WPA3-Personal
• WPA3-Enterprise – like WPA2-Enterprise will still be optional

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
 In new greenfield MAC/PHY/Bands
• WPA3 is the starting point
• WPA3-Personal required
• WPA3-Enterprise and WPA3-
Enterprise-192 optional
High Level – what’s • Legacy WPA2/WPA shall not be
on the horizon •
supported (Personal or Enterprise)
Open Networks - eliminated
If open access without authentication
6GHz, 60GHz and
•
is needed, Enhanced Open must be

others •
used
The following transition modes won’t be
supported
• WPA3-Personal Transition Mode
• OWE Transition mode
• WEP and TKIP shall not be supported

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
WPA3 and Enhanced Open in a nutshell
• Unify the Wi-Fi Alliance security efforts • Mandatory Features
• To be part of Wi-Fi 6 certification • Security Improvements
• Handle the unexpected
• Provide a solid technology foundation for the • Protected Management Frames
future of Wi-Fi security • Enabled by default
• Continuous Evolution of Security • WPA3-Personal (SAE)
PSK replacement / Offline attack resistance
• Decrease complexity and use of legacy •

security protocols • KRACK Testing

• Mandatory for STAs
• Eliminate the mix and match error prone
Conditional mandatory for 11r/ai APs
patchwork of security protocols that consumers •

are expected understand • Optional Features

• Provide them with the most secure options • WPA3-Enterprise
• Remove transition modes that compromise • WPA3-Enterprise-192
security (WEP, TKIP, SHA1)
• Suite B Cryptography
• Negative testing • Quantum computer resistant encryption

• Ensure that bad acting AP/STA are identified early • Wi-Fi Certified Enhanced Open
• Opportunistic Wireless Encryption (OWE)
• Unauthenticated Encryption for SSIDs

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Wi-Fi EasyConnect
or
Device
Provisioning
Protocol
Wi-Fi CERTIFIED Easy Connect™: A simple, secure way to
connect smart home and IoT devices

• Wi-Fi Easy Connect™ simplifies process

of adding Wi-Fi devices with limited or
no display interface to Wi-Fi networks
• Enables the utilization of device with
more robust interface to easily provision
and configure devices
• Utilizes smartphone or tablet to scan
product QR code and add devices to a
Wi-Fi network
• Provides standardized, consistent
method for onboarding IoT devices
• Supports WPA2 and WPA3 networks

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
Feature rich technical jargon

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
What happens when you have no head?
BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Think this can’t happen at work?
IoT is happening in your workplace right now

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
How will you on-board all these things?
Wi-Fi CERTIFIED Protected SetupTM

Push-button on-boarding

Brute force PIN attack

Weak random number generator

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
Cisco Identity PSK – One SSID, Multiple PSKs

aabbcc

IOT Devices

xxyyzz
Access Point Wireless LAN Controller ISE
Sensors

WLAN PSK

Employees
BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
 Use Wi-Fi Alliance EasyConnect™

Standardized Creates unique Solves for varied user

June 2018 credentials for each interfaces
device

Uses the Device Leverages public-

Provisioning Protocol private key cryptography
(DPP)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
DPP Terminology

• Initiator (I)
• Starts an authentication exchange

• Responder (R)
• Responds to an authentication request

• Enrollee
• Device requesting to join a network (STA)

• Configurator
• Device used to configure enrollees

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 101
Device Provisioning Protocol
3 Simple Steps: Step 1

Bootstrapping

Derive bootstrapping keys

out-of-band

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
DPP Keys

Initiator Bootstrapping key Protocol key

Responder (I) (B,b) (P,p)
(R)

Public key BI BR PI PR
BI, BR PI, PR
(Upper case)

Private key bI, bR pI, pR

(Lower case)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
DPP Step 1: Bootstrapping
QR Code
Yay! I now have
the pump’s public
bootstrapping
key. I can
securely
authenticate it.

BR

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
Bootstrapping Methods

QR Code PKEX BLE NFC DPPoTCP

2018 2019 2020

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Device Provisioning Protocol
3 Simple Steps: Step 2

Bootstrapping

Authentication

Exchange protocol keys

for creating credentials

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 106
DPP Authentication
Roles

• Intitiator (I) • Responder (R)

• Starts the authentication • Responds to the
exchange authentication exchange
• Can be the enrollee or the • Can be the enrollee or the
configurator configurator
• Has a bootstrapping key (BI) • Has a bootstrapping key (BR)
BI BR

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
DPP Step2: Authentication

Responder Initiator

DPP Authentication Request (SHA256(BR),

SHA256(BI), PI, {I-nonce, I-capabilities}k1)

Enrollee successfully receives the DPP

Authentication Request and matches H(B R)

DPP Authentication Response (DPP Status, SHA256(BR),

[SHA256(BI),] PR, {R-nonce, I-nonce, R-capabilities, {R-auth}ke}k2)

DPP Authentication Confirm (DPP Status,

SHA256(BR), [SHA256(BI),] {I-auth}ke)

BI PI BR
BR PR

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
Device Provisioning Protocol
3 Simple Steps: Step 3

Bootstrapping

Authentication

Configuration

Add credentials and

connection details

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
Device Provisioning Protocol
Role change

Enrollee Configurator

Will you please

configure me?

You bet.
Let’s do this!

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
What can DPP configure?

SSID Credentials Infrastructure

WPA2-PSK
Type
WPA3-SAE
DPP connector

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
DPP Step 3: Configuration

Enrollee Configurator

DPP Configuration Request ({E-nonce, configuration

attributes}ke)

DPP Configuration Response (DPP Status,

{E-nonce, configuration object} ke)

DPP Configuration Result ({DPP Status, E-nonce}ke)

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 112
Wi-Fi EasyConnect Recap

Simplified on-boarding and configuration experience

Supports WPA2 and WPA3 Personal

Uses strong Public Key cryptography

EasyConnect augments your existing deployments

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 113
Session Recap
Session Recap

Wi-Fi Security is evolving to keep up with the pace of attacks

WPA3 and Enhanced Open are just the start

Wi-Fi Easy Connect simplifies the onboarding process

Choose the right tool in the tool bag to meet your Wireless Security Requirements

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 115
Complete your
online session
survey • Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events
Mobile App or by logging in to the Content
Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on

demand after the event at ciscolive.com.

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 116
Continue your education

Demos in the
Walk-in labs
Cisco campus

Meet the engineer

Related sessions
1:1 meetings

BRKEWN-2006 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 117
Thank you