Page 1

Proprietary | © Wi-Fi Alliance

Wi-Fi® Security for Next Generation Connectivity

Perry Correll

Aerohive, Wi-Fi Alliance® member

October 2018

Page 2

Value of Wi-Fi

• The value Wi-Fi provides to the global economy rivals the combined market value of Apple Inc. and Amazon.

• The fact that Wi-Fi has become a key complementary technology for enterprise and carrier networks and an essential part of the home indicates this value will only rise as next generation products and deployments become available over the next several years.

• Wi-Fi is one of the greatest success stories of the technology era, and its societal benefits have long been known.

Page 3

Agenda

• About Wi-Fi Alliance®

• Recent program activity

• Wi-Fi CERTIFIED WPA3™: Next generation Wi-Fi® security

• Wi-Fi CERTIFIED Easy Connect™: Simple IoT device connection

• Wi-Fi CERTIFIED Enhanced Open™: Better data protections in open networks

Page 4

The worldwide network of companies that brings you Wi-Fi

Effective global collaboration

Driving industry growth

800+ member companies

Constant evolution

Page 5

Page 6

One of the greatest success stories of the high tech era

• 9+ billion devices in use

• 3+ billion shipments per year

• Nonstop innovation

• Primary medium for global internet traffic

Source: ABI Research, 2018

Page 7

Recent Wi-Fi Alliance program releases

• Wi-Fi CERTIFIED Optimized Connectivity™: Part of the Wi-Fi CERTIFIED Vantage™ program, Wi-Fi Optimized Connectivity™ leverages Wi-Fi features that bring users a seamless connectivity experience when traveling across networks.

• Wi-Fi CERTIFIED Wi-Fi Aware™: New capabilities and optimization for dense environments enable Wi-Fi Aware™ to provide more personalized mobility experiences. Native support available in Android Oreo operating systems.

• Wi-Fi CERTIFIED EasyMesh™: Harmonizing the burgeoning multiple-AP system market, Wi-Fi EasyMesh™ brings a standards-based approach to full coverage, self-adapting residential Wi-Fi.

• Wi-Fi CERTIFIED Enhanced Open: Wi-Fi Enhanced Open™ devices provide data encryption to users, preserving the convenience open networks offer while reducing some of the risks associated with accessing an unsecured network.

• Wi-Fi CERTIFIED Easy Connect: Connecting devices to Wi-Fi networks has never been simpler; Wi-Fi Easy Connect™ makes secure device provisioning as easy as scanning a product QR code.

Page 8

Wi-Fi Protected Access®

Next generation Wi-Fi security

Page 9

Consumer and enterprise confidence in Wi-Fi security is essential to continued growth in Wi-Fi use

Page 10

Wi-Fi CERTIFIED WPA3: Next generation Wi-Fi security

• Wi-Fi CERTIFIED WPA3 is next generation Wi-Fi security for personal and enterprise networks

• Delivers suite of features to simplify Wi-Fi security configuration and enhance network security protections

• WPA3™ brings robust authentication and increased cryptographic strength

• Offers protections in ever-changing threat landscape

• WPA3 and Wi-Fi Easy Connect™ provide good experience, secure connections

Wi-Fi security highlights

Page 11

WPA3 protects users in Wi-Fi CERTIFIED™ networks

• WPA3 networks use latest security methods and disallow legacy protocols, such as Temporal Key Integrity Protocol (TKIP)

• WPA3 requires use of Protected Management Frames (PMF)

• As WPA3 adoption grows, next generation Wi-Fi security will become mandatory

• WPA3 maintains interoperability with WPA2™ devices through a transition mode

• WPA2, updated earlier this year, continues to be mandatory for Wi-Fi CERTIFIED devices

Page 12

WPA3 supports the market through two distinct modes

WPA3-Personal: Robust, password-based authentication

• Resistant to offline dictionary attacks; stronger protections for users against password guessing attempts by third parties

• Protection even when users choose passwords that fall short of complexity recommendations

• Provides forward secrecy; protects data traffic even if a password is later compromised

• No change to the way users connect to a network

WPA3-Enterprise: Enterprise-grade security for sensitive data networks

• Available 192-bit cryptographic strength for networks transmitting sensitive data

• 192-bit security suite provides additional security for networks like government and finance

• Greater consistency in application of security protocols

• Better network resiliency

Page 13

WPA3-Personal

• Password-based authentication with increased protections, replacing PSK with Simultaneous Authentication of Equals (SAE) from the IEEE 802.11 specification

• WPA3-Personal uses the password only to prove knowledge of it during authentication, not as input to key derivation

• SAE handshake negotiates a fresh Pairwise Master Key (PMK) per client, which is then used in a traditional Wi-Fi four-way handshake to generate session keys

• Neither the PMK nor the password credential used in the SAE exchange can be obtained by a passive attack, active attack, or offline dictionary attack

• Resistant to offline dictionary attacks because each instance of the authentication exchange only allows both parties to guess the password once

• Forward secrecy is provided because the SAE handshake assures the PMK cannot be recovered if the password becomes known

• Transition mode enables WPA2-Personal and WPA3-Personal simultaneously on a single basic service set (BSS) using same passphrase, and clients connect at highest security supported
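The commit/confirm structure of SAE that the bullets above describe, as an added example that is not part of the original deck or of any Wi-Fi Alliance code. It substitutes a toy modular group for the P-256 curve that certified WPA3 uses, a simplified hash-to-group step for hunting-and-pecking, and HMAC-SHA256 for the specified KDF; the MAC addresses and passwords are constructed. It shows that both peers derive the same PMK from a correct password, that a wrong password fails at the confirm step, and that every run yields a fresh PMK.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: P = 2^127 - 1 is prime, so quadratic residues mod P
# form a subgroup whose exponents reduce mod Q. Certified WPA3 uses NIST P-256 instead.
P = (1 << 127) - 1
Q = (P - 1) // 2

def derive_pwe(password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """Map password + both MACs to a group element (PWE); simplified hash-to-group."""
    for counter in range(1, 256):
        digest = hashlib.sha256(mac_a + mac_b + password + bytes([counter])).digest()
        h = int.from_bytes(digest, "big") % P
        if h > 1:
            return pow(h, 2, P)  # squaring puts h into the subgroup
    raise ValueError("no password element found")

def sae_commit(pwe: int, rand: int, mask: int) -> tuple:
    """Commit: scalar = rand + mask mod Q, element = PWE^(-mask). rand is never sent."""
    scalar = (rand + mask) % Q
    assert scalar > 1, "SAE rejects scalars of 0 or 1; pick fresh rand/mask"
    return scalar, pow(pwe, Q - mask, P)

def sae_shared_secret(pwe: int, rand: int, peer_scalar: int, peer_element: int) -> int:
    """k = (PWE^peer_scalar * peer_element)^rand = PWE^(rand * peer_rand).
    Without rand, a recorded exchange cannot be used to test password guesses."""
    return pow(pow(pwe, peer_scalar, P) * peer_element % P, rand, P)

def sae_keys(k: int, scalar_a: int, scalar_b: int) -> tuple:
    """KCK authenticates the confirm messages; PMK feeds the usual 4-way handshake."""
    keyseed = hmac.new(b"\x00" * 32, k.to_bytes(16, "big"), hashlib.sha256).digest()
    ctx = ((scalar_a + scalar_b) % Q).to_bytes(16, "big")
    return (hmac.new(keyseed, b"SAE KCK" + ctx, hashlib.sha256).digest(),
            hmac.new(keyseed, b"SAE PMK" + ctx, hashlib.sha256).digest())

def sae_confirm(kck: bytes, send_confirm: int, own: tuple, peer: tuple) -> bytes:
    """Confirm: MAC over the send-confirm counter and both commit messages."""
    data = send_confirm.to_bytes(2, "little")
    for scalar, element in (own, peer):
        data += scalar.to_bytes(16, "big") + element.to_bytes(16, "big")
    return hmac.new(kck, data, hashlib.sha256).digest()

def run_sae(pw_sta: bytes, pw_ap: bytes) -> tuple:
    """One STA/AP exchange (constructed MACs); returns (STA PMK, AP PMK, confirm ok)."""
    mac_sta, mac_ap = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    pwe_sta, pwe_ap = (derive_pwe(pw, mac_sta, mac_ap) for pw in (pw_sta, pw_ap))
    r_sta, m_sta, r_ap, m_ap = (secrets.randbelow(Q - 2) + 2 for _ in range(4))
    c_sta, c_ap = sae_commit(pwe_sta, r_sta, m_sta), sae_commit(pwe_ap, r_ap, m_ap)
    kck_sta, pmk_sta = sae_keys(sae_shared_secret(pwe_sta, r_sta, *c_ap), c_sta[0], c_ap[0])
    kck_ap, pmk_ap = sae_keys(sae_shared_secret(pwe_ap, r_ap, *c_sta), c_sta[0], c_ap[0])
    ap_confirm = sae_confirm(kck_ap, 1, c_ap, c_sta)   # what the AP transmits
    expected = sae_confirm(kck_sta, 1, c_ap, c_sta)    # what the station recomputes
    return pmk_sta, pmk_ap, hmac.compare_digest(ap_confirm, expected)
```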

Page 14

WPA3-Enterprise

• WPA3-Enterprise does not fundamentally change the protocols defined in WPA2-Enterprise, and client devices will continue to interoperate with WPA3-Enterprise networks

• Disabling PMF for a WPA3-Enterprise network is not an option: PMF capable or required

• Optional 192-bit security provides additional security for segmented networks transmitting sensitive data, such as within government, healthcare, or finance

• The 192-bit security suite certifies a consistent set of cryptographic tools, which includes:

– GCMP-256 for authenticated encryption

– HMAC-SHA384 for key derivation and key confirmation

– ECDHE and ECDSA using a 384-bit elliptic curve for key establishment and authentication

– BIP-GMAC-256 for robust management frame protection

– RSA key lengths of 3K bits or greater for asymmetric cryptography and digital signatures may be offered for legacy interoperability

• WPA3-Enterprise 192-bit security ensures the right combination of cryptographic tools is used and sets a consistent baseline of security within a WPA3 network
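A configuration audit that checks one BSS against the rules on slides 11 to 14 (TKIP disallowed, PMF required, transition mode, and the 192-bit suite), added here as an example and not taken from the deck or from any vendor tool. It assumes hostapd's option names (wpa_key_mgmt, rsn_pairwise, ieee80211w, group_mgmt_cipher) and uses constructed fragments: the legacy WPA2 fragment is the weak setting, the other two are the corrected ones.

```python
from typing import Dict, List

# Constructed hostapd-style BSS fragments. Option names are hostapd's; the values
# are chosen to illustrate the slide's rules, not taken from a real deployment.
LEGACY_WPA2 = """
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
ieee80211w=0
"""
WPA3_TRANSITION = """
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=1
"""
WPA3_ENTERPRISE_192 = """
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
group_mgmt_cipher=BIP-GMAC-256
ieee80211w=2
"""

def parse_conf(text: str) -> Dict[str, str]:
    """Minimal key=value parser that skips blank and comment lines."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line and not line.startswith("#"))
    return {key.strip(): value.strip() for key, _, value in pairs}

def audit_bss(conf: Dict[str, str]) -> List[str]:
    """Findings where one BSS falls short of the WPA3 rules on slides 11 to 14."""
    akm = set(conf.get("wpa_key_mgmt", "").split())
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    pmf = conf.get("ieee80211w", "0")        # 0 disabled, 1 capable, 2 required
    sae, psk = "SAE" in akm, "WPA-PSK" in akm
    eap, suite_b = "WPA-EAP" in akm, "WPA-EAP-SUITE-B-192" in akm
    findings = []
    if "TKIP" in ciphers:
        findings.append("TKIP is a legacy cipher WPA3 disallows; offer CCMP (or GCMP-256) only")
    if sae and not psk and pmf != "2":
        findings.append("WPA3-Personal requires PMF: set ieee80211w=2")
    if sae and psk and pmf == "0":
        findings.append("WPA3 transition mode must be PMF capable: set ieee80211w=1")
    if (eap or suite_b) and pmf == "0":
        findings.append("WPA3-Enterprise must be PMF capable or required; ieee80211w=0 is not an option")
    if suite_b and ciphers != {"GCMP-256"}:
        findings.append("192-bit mode needs GCMP-256 for data frames: rsn_pairwise=GCMP-256")
    if suite_b and conf.get("group_mgmt_cipher") != "BIP-GMAC-256":
        findings.append("192-bit mode needs BIP-GMAC-256 for management frames")
    if not (sae or eap or suite_b):
        findings.append("no WPA3 key management offered; this is a WPA2-only BSS")
    return findings
```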

Page 15

WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access

Page 16

Complementary programs

Page 17

Wi-Fi CERTIFIED Easy Connect: simple, secure way to connect smart home and IoT devices

• Wi-Fi Easy Connect simplifies process of adding Wi-Fi devices with limited or no display interface to Wi-Fi network

• Enables the utilization of device with more robust interface to easily provision and configure devices

• Use smartphone or tablet to scan product QR code to add devices to a Wi-Fi network

• Provides standardized, consistent method for onboarding IoT devices

• Supports WPA2 and WPA3 networks

Wi-Fi Easy Connect highlights

Page 18

Wi-Fi Easy Connect enhances the user experience while maintaining secure connections

Wi-Fi Easy Connect defines two roles

• Configurator: a trusted device, such as a smartphone, serving as a central point of configuration for all devices on the network

• Enrollee: device that a network owner wants to connect to the network, including APs

Page 19

Wi-Fi Easy Connect basics

• Wi-Fi Easy Connect is based on the Wi-Fi Alliance Device Provisioning Protocol Specification, which consists of a four-step process: bootstrapping, authentication, configuration, and network access

• Bootstrapping and authentication

– Every device ships with an identity in the form of a public/private key pair

– Establishes a trust relationship through exchange of public keys (one-way or mutual)

– Performed by scanning QR code or exchanging human-readable string

– Public keys are not part of security credential received during configuration

– Device Provisioning Protocol (DPP) authentication protocol establishes a secure Wi-Fi connection using public keys

• Configuration

– Configurator passes configuration object to enrollee over secure connection

– Configuration object includes credential, which may be signed enrollee connector

– Signed enrollee connector consists of public key (not the bootstrapping public key), network role, and group attributes, and it is unique to the Wi-Fi device owning it

Page 20

Wi-Fi Easy Connect basics

• Network access

– Network introduction protocol allows an enrollee client device to securely connect to an enrollee AP using connectors provided by a configurator

– Enrollee client device and enrollee AP validate that each connector is signed by the configurator and that their roles are complementary, such as client and AP

– Enrollees validate that the group attributes match

– Enrollee client and enrollee AP mutually derive a unique pairwise master key (PMK) based on their public connector keys

– Enrollee client and enrollee AP establish connectivity
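The network introduction checks listed above, as an added example that is not the deck's or the Device Provisioning Protocol's own code. It stands in a toy modular group, Schnorr signatures and classic Diffie-Hellman for the ECDSA-signed JWS connectors and the ECDH of real DPP, and a JSON body for the connector; keys, roles and group names are constructed. An enrollee only accepts a peer whose connector carries its configurator's signature, a complementary role and a shared group, and both sides then arrive at the same PMK.

```python
import hashlib
import hmac
import json
import secrets

# Toy group, for illustration only: P = 2^127 - 1 is prime and G = 4 generates
# a subgroup of the quadratic residues, so exponents reduce mod Q. Real DPP
# signs connectors with ECDSA and derives the PMK with ECDH, both on P-256.
P = (1 << 127) - 1
Q = (P - 1) // 2
G = 4

def keypair() -> tuple:
    priv = secrets.randbelow(Q - 2) + 2
    return priv, pow(G, priv, P)

def _challenge(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q

def sign(priv: int, msg: bytes) -> tuple:
    """Schnorr signature, standing in for the configurator's ECDSA."""
    k = secrets.randbelow(Q - 2) + 2
    e = _challenge(pow(G, k, P), msg)
    return e, (k - priv * e) % Q

def verify(pub: int, msg: bytes, sig: tuple) -> bool:
    e, s = sig
    return _challenge(pow(G, s, P) * pow(pub, e, P) % P, msg) == e   # G^s * pub^e = G^k

def make_connector(csign_priv: int, net_access_pub: int, role: str, groups: list) -> dict:
    """Configurator issues a signed connector (toy JSON stands in for the DPP JWS)."""
    body = json.dumps({"netAccessKey": net_access_pub, "netRole": role,
                       "groups": sorted(groups)}, sort_keys=True)
    return {"body": body, "sig": sign(csign_priv, body.encode())}

def network_introduction(csign_pub: int, own_priv: int, own_conn: dict, peer_conn: dict):
    """Checks an enrollee runs on the peer's connector; returns the PMK, or None."""
    if not verify(csign_pub, peer_conn["body"].encode(), peer_conn["sig"]):
        return None                                 # not signed by our configurator
    own, peer = json.loads(own_conn["body"]), json.loads(peer_conn["body"])
    if {own["netRole"], peer["netRole"]} != {"sta", "ap"}:
        return None                                 # roles must be complementary
    if not set(own["groups"]) & set(peer["groups"]):
        return None                                 # group attributes must match
    n = pow(peer["netAccessKey"], own_priv, P)      # DH over the connector keys
    return hmac.new(b"DPP PMK", n.to_bytes(16, "big"), hashlib.sha256).digest()

def demo() -> tuple:
    cs_priv, cs_pub = keypair()                     # constructed home network
    (ap_priv, ap_pub), (sta_priv, sta_pub) = keypair(), keypair()
    ap_conn = make_connector(cs_priv, ap_pub, "ap", ["home"])
    sta_conn = make_connector(cs_priv, sta_pub, "sta", ["home", "guest"])
    return (network_introduction(cs_pub, sta_priv, sta_conn, ap_conn),
            network_introduction(cs_pub, ap_priv, ap_conn, sta_conn))
```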

Page 21

Wi-Fi CERTIFIED Enhanced Open: Better data protections in open networks

• Preserves convenience of open networks while reducing associated risks

• Provides protections in scenarios where user authentication is not desired, distribution of credentials impractical

• Protections against passive eavesdropping without a password or extra steps to join the network

• Integrates established cryptography mechanisms to provide each user with unique individual encryption

• Wi-Fi Alliance recommends using Wi-Fi Protected Access security when possible; when it is not, Wi-Fi Enhanced Open brings protections that traditional open networks do not

Page 22

Wi-Fi Enhanced Open

• Wi-Fi Enhanced Open technology is based on Opportunistic Wireless Encryption (OWE), defined in the Internet Engineering Task Force (IETF) RFC 8110

• OWE overlays an Elliptic-curve Diffie-Hellman (ECDH) key exchange on top of association to a Wi-Fi network

• OWE does not provide authentication, and does not guard against man-in-the-middle attacks that lure clients to connect to a rogue AP

• OWE does protect against passive eavesdropping, as well as unsophisticated packet injection such as deauthentication storm attacks or layer-2 injection of data into insecure HTTP sessions

• Network managers must remain vigilant in monitoring for rogue APs and active attackers that modify information being transmitted on a network

• Certain types of “insider” attacks, such as ARP spoofing, might be mitigated on Wi-Fi Enhanced Open networks by configuring the network to isolate clients

Page 23

Thank you!

• Wi-Fi Alliance introduces next generation, WPA3 security for personal and enterprise networks

• WPA3 brings simplified security, robust authentication, increased cryptographic strength

• WPA2 remains mandatory for Wi-Fi CERTIFIED devices. As WPA3 adoption grows, WPA3 will become mandatory.

• Wi-Fi Easy Connect delivers a simple, secure way to connect smart home, IoT devices

• Wi-Fi Alliance always recommends Wi-Fi security. In scenarios where authentication is not possible/desired, Wi-Fi Enhanced Open provides additional data protections

Page 24

Wi-Fi: Cornerstone of connected life today, and into the future

Please provide your feedback on today’s presentation

https://www.surveymonkey.com/r/wifipresentation