TRANSCRIPT
1 | © 2018 Aerohive Networks. All Rights Reserved.
David Coleman
WLAN Security: Overview and What's Next

Who is this guy?
David Coleman, Senior Technical Evangelist, Aerohive Networks
CWNE #4
@mistermultipath

Who is this guy?
Sybex CWSP Study Guide, 2nd Edition
ISBN 978-1119211082
Amazon: http://amzn.com/1119211085

Five Tenets of WLAN Security
I. Data Privacy and Integrity
II. Authentication, Authorization and Accounting (AAA)
III. Segmentation (Access Control)
IV. Monitoring
V. Policy

802.11 Networking Basics
OSI Model
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
Remember that Wi-Fi operates at Layer 1 and the MAC sublayer of Layer 2.
Robust Security Network (RSN) security mechanisms operate at the MAC sublayer.

WLAN Security

Data Privacy and Integrity
The 802.11-2016 standard defines authentication and key management (AKM) services.
Authentication is required before keys can be created.
Robust Security Network (RSN): dynamically generated encryption keys.
4-Way Handshake (diagram, supplicant on the left, authenticator on the right):
Master keys: PMK, held by both supplicant and authenticator; GMK, held by the authenticator only.
Temporal keys: PTK (pairwise) and GTK (group).
EAPOL-Key message 1 (authenticator to supplicant, carries the ANonce): supplicant creates the PTK.
EAPOL-Key message 2 (supplicant to authenticator, carries the SNonce and a MIC): authenticator creates the PTK.
EAPOL-Key message 3 (authenticator to supplicant): GTK created by the authenticator from the GMK and delivered, encrypted, to the supplicant.
EAPOL-Key message 4 (supplicant to authenticator): temporal keys installed on both sides and the 802.1X controlled port is unblocked.

Data Privacy and Integrity
MAC Protocol Data Unit (MPDU) = 802.11 frame
MAC Service Data Unit (MSDU) = upper-layer payload
MSDU = LLC + Layers 3-7 information
The MSDU can be encrypted by WEP, TKIP, CCMP or GCMP.

AAA
Authentication: validate the user/device identity
Authorization: grant the validated user/device identity only the access it is permitted
Accounting: paper trail
802.11 security requires an authentication and key management protocol (AKMP), which can be either a preshared key (PSK) or an EAP method used during 802.1X authentication.

Validating identity is important
• David Coleman
• Wi-Fi geek
• Born February 1960
• David Coleman Headley
• Convicted terrorist
• Born June 1960

Wi-Fi Security – 802.1X/EAP authentication
(Diagram: client (supplicant) <-EAP-> AP (authenticator) <-RADIUS-> authentication server, with an LDAP directory behind it; the client holds the root CA certificate, the server holds the server certificate.)
• Extensible Authentication Protocol (EAP)
• Server certificate and root CA certificate
• Tunneled authentication using SSL/TLS
• 802.1X: port-based access control
• Authorization framework
• Supplicant
• Authenticator
• Authentication server
• Integrates with LDAP
The supplicant must be configured to validate the server certificate against the trusted root CA (and the expected server name): a client that skips this check will happily build its TLS tunnel to a rogue AP/RADIUS pair and hand over its credentials.

Role Based Access Control
(Diagram: user-1, user-2 and user-3 on SSID Corp-Wi-Fi; the AP forwards authentication to RADIUS, which checks Active Directory group membership (sales, marketing, finance) over LDAP.)
RADIUS policy:
If AD group = sales, then send AVP = Role-A
If AD group = marketing, then send AVP = Role-B
If AD group = finance, then send AVP = Role-C
AP role definitions:
Role-A: VLAN 10, firewall-policy-A, bandwidth unlimited
Role-B: VLAN 20, firewall-policy-B, bandwidth 4 Mbps
Role-C: VLAN 30, firewall-policy-C, bandwidth 2 Mbps
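The RBAC flow on this slide (AD group to RADIUS attribute to AP role), as an added Python example that is not part of Coleman's deck and not Aerohive's code. It is an assumption about how to carry the decision on the wire: instead of the vendor-specific Role AVP the slide shows, it emits the standard RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN number) plus Filter-Id for the firewall policy, and parses them back on the AP side; bandwidth stays a local AP setting. The directory contents are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# RADIUS attribute types: Filter-Id (RFC 2865), tunnel attributes (RFC 2868).
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


@dataclass(frozen=True)
class Role:
    name: str
    vlan: int
    firewall_policy: str
    bandwidth_kbps: Optional[int]  # None = unlimited; enforced by the AP locally, not carried in RADIUS


ROLES = {
    'Role-A': Role('Role-A', 10, 'firewall-policy-A', None),
    'Role-B': Role('Role-B', 20, 'firewall-policy-B', 4000),
    'Role-C': Role('Role-C', 30, 'firewall-policy-C', 2000),
}
# Ordered: a user who is in several groups gets the first matching role, so the order is policy.
GROUP_TO_ROLE = (('sales', 'Role-A'), ('marketing', 'Role-B'), ('finance', 'Role-C'))


def authorize(identity: str, directory: dict) -> Optional[Role]:
    """Map an already-authenticated identity's directory groups to a Role.
    None means Access-Reject: there is deliberately no default role for unmapped users."""
    groups = directory.get(identity, set())
    for group, role_name in GROUP_TO_ROLE:
        if group in groups:
            return ROLES[role_name]
    return None


def _avp(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError('RADIUS attribute value too long')
    return bytes([attr_type, len(value) + 2]) + value


def reply_attributes(role: Role, tag: int = 1) -> bytes:
    """Access-Accept attributes that put the session in the role's VLAN and apply its filter."""
    return b''.join([
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, 'big')),
        _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, 'big')),
        _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(role.vlan).encode()),
        _avp(FILTER_ID, role.firewall_policy.encode()),
    ])


def parse_attributes(data: bytes) -> dict:
    """AP side: walk the type/length/value list, refusing truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError('truncated attribute header')
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError('malformed attribute length')
        attrs.setdefault(attr_type, []).append(data[i + 2:i + length])
        i += length
    return attrs


def session_settings(attrs: dict):
    """(vlan, filter_id) the AP applies; the RFC 2868 tag octet (0x00-0x1f) is stripped if present."""
    def untag(v: bytes) -> bytes:
        return v[1:] if v and v[0] <= 0x1f else v
    vlan = int(untag(attrs[TUNNEL_PRIVATE_GROUP_ID][0]))
    return vlan, attrs[FILTER_ID][0].decode()


# Constructed directory: user-2 sits in two groups, user-4 in none.
DIRECTORY = {'user-1': {'sales'}, 'user-2': {'marketing', 'finance'},
             'user-3': {'finance'}, 'user-4': set()}


def demo(identity: str):
    role = authorize(identity, DIRECTORY)
    if role is None:
        return 'Access-Reject', None
    return 'Access-Accept', session_settings(parse_attributes(reply_attributes(role)))
```

The two decisions worth noticing are the absence of a default role (an authenticated user in no mapped group is rejected rather than dropped into the least-privileged VLAN) and the explicit precedence order for users in more than one group; both are policy choices the RADIUS server, not the client, must own.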

Wi-Fi Security – Fast Secure Roaming – Voice Enterprise
(Diagram: a client roams between APs; RADIUS server)

WPA2 Personal – Static PSK Security
Consider a traditional PSK SSID:
8-63 character shared passphrase
Never intended for use in the enterprise
Susceptible to offline dictionary attacks: a captured 4-Way Handshake lets an attacker test passphrase guesses offline, with no further contact with the network
Wi-Fi Alliance recommends 20 strong characters or more
Biggest weakness is that the PSK credential is "static"
(Diagram: every client shares the same PSK = passphrase123, so it cannot be revoked for one user or device without changing it for all.)

Private Pre-Shared Key (PPSK)
SSID: Corp-Wi-Fi, Authentication: Private PSK
PPSK1: &-334dfg (User 1 connects to Corp-Wi-Fi with passphrase &-334dfg)
PPSK2: 99iK3-3jkl (User 2 connects to Corp-Wi-Fi with passphrase 99iK3-3jkl)
PPSK3: uu&&$tY39Df (User 3 connects to Corp-Wi-Fi with passphrase uu&&$tY39Df)
All users and devices have unique credentials.
If a user leaves or a device is lost, the PPSK credential is simply changed for that one user or device.

Private Pre-Shared Key (PPSK)
SSID: Corp-Wi-Fi, Authentication: Private PSK
User 1 -> User Profile-A: VLAN 10 and FW-Policy-5
User 2 -> User Profile-B: VLAN 20 and FW-Policy-6
User 3 -> User Profile-C: VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID.
PPSK user groups can be leveraged to assign different groups of users or devices to different user traffic settings.

Private Pre-Shared Key (PPSK)
Multiple per-user and per-device PSKs assigned to a single SSID
Easy to deploy
No need for PKI certificates or RADIUS servers
Can be time-based credentials
Solves the "static" PSK problem
Each PPSK is still a WPA2-Personal passphrase, so it must be long and random: unique credentials fix revocation and attribution, not offline guessing against a weak passphrase.

PPSK Use Cases
Guest access: provide guest users with unique and secure credentials
BYOD: onboard personal and/or company-issued mobile devices with unique and secure credentials
IoT devices: provide unique and secure credentials for IoT devices; many IoT devices only support WPA2 Personal (PSK)
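The 4-Way Handshake (slide 6), the offline dictionary attack against a static PSK (slide 13) and the AP working out which PPSK a client used (slides 14-16), as one added Python example that is not part of Coleman's deck and not Aerohive's code. It implements the standard WPA2-Personal derivations: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID), PTK = PRF-384 over the two MAC addresses and nonces, and the HMAC-SHA1 Key MIC on EAPOL-Key message 2. The point it makes is that the AP's PPSK lookup and the attacker's cracking loop are the same computation; only the size of the candidate set differs. MAC addresses, nonces and the wordlist are constructed; the PPSK values are the ones on the slides; how Aerohive's firmware actually matches PPSKs is not described by the deck, so the MIC-trial lookup is an assumption about the mechanism, not the vendor's implementation.

```python
import hashlib
import hmac
import struct

# Field offsets inside an EAPOL-Key frame: 4-byte EAPOL header, descriptor type (1),
# key info (2), key length (2), replay counter (8) -> nonce at 17; then IV (16),
# RSC (8), ID (8) -> Key MIC at 81.
NONCE_OFF, MIC_OFF = 17, 81


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac('sha1', passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b''
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b'\x00' + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Pairwise transient key for CCMP (384 bits), split into KCK, KEK and TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b'Pairwise key expansion', data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck, frame):
    """Key MIC for AKM 00-0F-AC:2: HMAC-SHA1 over the frame with the MIC field zeroed, cut to 128 bits."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_m2(kck, snonce, rsn_ie, replay_counter=1):
    """Handshake message 2: SNonce and the supplicant's RSN IE, Pairwise|MIC bits set, MIC filled in."""
    key_info = 0x010a  # MIC (bit 8) | Pairwise (bit 3) | key descriptor version 2 (HMAC-SHA1 MIC)
    body = (bytes([2]) + struct.pack('>HHQ', key_info, 0, replay_counter) + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16)
            + struct.pack('>H', len(rsn_ie)) + rsn_ie)
    frame = bytes([2, 3]) + struct.pack('>H', len(body)) + body  # EAPOL v2, type 3 = EAPOL-Key
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]


def find_passphrase(candidates, ssid, aa, spa, anonce, m2):
    """Return the (name, passphrase) whose derived KCK validates the captured M2 MIC, else None.
    The AP runs this over its PPSK table to learn which credential a client used; an attacker
    runs the very same loop over a wordlist against a captured static-PSK handshake."""
    snonce = m2[NONCE_OFF:NONCE_OFF + 32]
    for name, passphrase in candidates.items():
        kck, _, _ = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, m2), m2[MIC_OFF:MIC_OFF + 16]):
            return name, passphrase
    return None


# Constructed demo data, not a real capture: SSID and PPSKs from the slides, made-up MACs and nonces.
SSID = b'Corp-Wi-Fi'
AA, SPA = bytes.fromhex('001122334455'), bytes.fromhex('66778899aabb')
ANONCE, SNONCE = hashlib.sha256(b'anonce').digest(), hashlib.sha256(b'snonce').digest()
RSN_IE = bytes.fromhex('30140100000fac040100000fac040100000fac020000')  # CCMP group/pairwise, PSK AKM
PPSK_TABLE = {'user1': b'&-334dfg', 'user2': b'99iK3-3jkl', 'user3': b'uu&&$tY39Df'}


def demo():
    # user2's client answers message 1 (ANonce) with a message 2 authenticated under its own PPSK.
    kck, _, _ = derive_ptk(derive_pmk(PPSK_TABLE['user2'], SSID), AA, SPA, ANONCE, SNONCE)
    m2 = build_m2(kck, SNONCE, RSN_IE)
    ap_view = find_passphrase(PPSK_TABLE, SSID, AA, SPA, ANONCE, m2)  # AP: which PPSK was used?
    revoked = {k: v for k, v in PPSK_TABLE.items() if k != 'user2'}  # user2 leaves: drop one entry
    after_revoke = find_passphrase(revoked, SSID, AA, SPA, ANONCE, m2)
    # Static-PSK network: the captured message 2 is an offline oracle for passphrase guesses.
    kck_static, _, _ = derive_ptk(derive_pmk(b'passphrase123', SSID), AA, SPA, ANONCE, SNONCE)
    wordlist = {w: w.encode() for w in ('password', 'letmein', 'passphrase123', 'Corp-Wi-Fi')}
    cracked = find_passphrase(wordlist, SSID, AA, SPA, ANONCE, build_m2(kck_static, SNONCE, RSN_IE))
    return ap_view, after_revoke, cracked


if __name__ == '__main__':
    print(demo())
```

Two things follow from the code: revoking a PPSK is a one-line table change that invalidates exactly one device's handshakes, and the only cost an attacker pays per guess is one PBKDF2 run plus two HMACs, which is why a short or dictionary passphrase on either a static PSK or an individual PPSK does not survive a captured handshake.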

WIPS

Protocol Security – Cooperative Control

Protocol Security – CAPWAP

Hardware Security

WPA3

Wi-Fi Alliance Security Certification
WPA2 Enhancements (required for WPA3): Protected Management Frames (PMF); key reinstallation vulnerability detection ('KRACK' protected); WPA2 security improvements
WPA3 - Personal: SAE (replaces PSK); AES-128; PMF; WEP/TKIP disallowed
WPA3 - Enterprise: EAP-TLS or other EAP methods (EAP-xx); AES-128/AES-256; optional 192-bit Security mode; PMF; WEP/TKIP disallowed

WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation is performed by stations
Multiple AKM support validation
Devices must be patched against the KRACK (key reinstallation) attack on WPA2

WPA3 Personal
Disallows WEP & TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
• SAE is based on IEEE 802.11s (mesh)
• The password is never sent during the key exchange
• Uses a zero-knowledge proof
• Resistant to dictionary attacks: an attacker gets only one password guess per live exchange with the network

WPA3 Enterprise
Disallows WEP & TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B security certification provides greater security
• Based on US Government cryptographic tools for sensitive networks
• The 192-bit security suite of protocols includes:
• AES-GCM-256 for authenticated encryption
• HMAC-SHA384 for key derivation and key confirmation
• ECDHE and ECDSA using a 384-bit elliptic curve
• RSA key lengths of 3k bits or greater
• BIP-GMAC-256 for robust management frame protection

SAE
WPA3 replacement for PSK authentication
Simultaneous Authentication of Equals (SAE)
SAE is a variant of Dragonfly, a password-authenticated key exchange based on a zero-knowledge proof
(Diagram: both sides select the passphrase, exchange SAE commit messages, then exchange SAE confirm messages.)

SAE
(Diagram: both sides select the passphrase, exchange SAE commit messages, then exchange SAE confirm messages.)
Prove you know the credentials without compromising the credentials
No forging, modification or replay attacks
No offline dictionary attacks
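The commit/confirm exchange on these two slides (and the "one guess per exchange" claim on the WPA3 Personal slide), as an added Python example that is not from the deck. It runs a Dragonfly-style exchange on NIST P-256 (the curve behind SAE group 19) with pure-Python point arithmetic. It is deliberately simplified and does not interoperate with real SAE: the hunting-and-pecking loop, the key-derivation labels and the confirm MAC follow the shape of IEEE 802.11 SAE but skip the KDF stretching, the fixed iteration count and the side-channel hardening a real supplicant needs. MAC addresses and passwords are constructed.

```python
import hashlib
import hmac
import secrets

# NIST P-256 (SAE group 19) domain parameters, FIPS 186-4.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # order of the group
INF = None  # point at infinity


def ec_add(p1, p2):
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add (not constant-time: fine for a demo, not for a supplicant)."""
    r = INF
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r

def on_curve(pt):
    x, y = pt
    return (y * y - (pow(x, 3, P) + A * x + B)) % P == 0

def password_element(password, mac_a, mac_b):
    """Hunting and pecking: hash password and MACs to an x-coordinate and retry with a counter
    until a point exists. Nobody learns the discrete log of PE, which is what defeats offline guessing."""
    big, small = max(mac_a, mac_b), min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hmac.new(big + small, password + bytes([counter]), hashlib.sha256).digest()
        x = int.from_bytes(seed, 'big')
        if x >= P:
            continue
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # square-root candidate; valid because P % 4 == 3
        if y * y % P != rhs:
            continue  # not a quadratic residue: no point with this x, keep pecking
        if (y & 1) != (seed[-1] & 1):
            y = P - y  # the seed's low bit picks which of the two roots to use
        return x, y
    raise ValueError('no password element found')

def sae_commit(pe):
    """Commit: scalar = rand + mask (mod Q), Element = -mask * PE. Returns private rand and the message."""
    rand, mask = secrets.randbelow(Q - 2) + 2, secrets.randbelow(Q - 2) + 2
    ex, ey = ec_mul(mask, pe)
    return rand, ((rand + mask) % Q, (ex, (-ey) % P))

def sae_keys(rand, pe, my_commit, peer_commit):
    """k = rand * (peer_scalar * PE + peer_Element) = rand * peer_rand * PE, then KCK and PMK."""
    peer_scalar, peer_element = peer_commit
    k = ec_mul(rand, ec_add(ec_mul(peer_scalar, pe), peer_element))
    if k is INF:
        raise ValueError('peer sent a degenerate commit')
    keyseed = hmac.new(bytes(32), k[0].to_bytes(32, 'big'), hashlib.sha256).digest()
    ctx = ((my_commit[0] + peer_commit[0]) % Q).to_bytes(32, 'big')
    kck = hmac.new(keyseed, b'SAE KCK and PMK' + ctx + b'\x01', hashlib.sha256).digest()
    pmk = hmac.new(keyseed, b'SAE KCK and PMK' + ctx + b'\x02', hashlib.sha256).digest()
    return kck, pmk

def encode_commit(c):
    s, (x, y) = c
    return s.to_bytes(32, 'big') + x.to_bytes(32, 'big') + y.to_bytes(32, 'big')

def sae_confirm(kck, send_confirm, my_commit, peer_commit):
    """Confirm: MAC under the KCK over the counter and both commits, so a forged or replayed commit fails."""
    msg = send_confirm.to_bytes(2, 'big') + encode_commit(my_commit) + encode_commit(peer_commit)
    return hmac.new(kck, msg, hashlib.sha256).digest()

def demo(password_sta, password_ap):
    """One SAE exchange between a station and an AP: (AP accepts the station's confirm, PMKs match)."""
    mac_sta, mac_ap = bytes.fromhex('66778899aabb'), bytes.fromhex('001122334455')  # constructed
    pe_sta = password_element(password_sta, mac_sta, mac_ap)
    pe_ap = password_element(password_ap, mac_sta, mac_ap)
    rand_sta, commit_sta = sae_commit(pe_sta)
    rand_ap, commit_ap = sae_commit(pe_ap)
    kck_sta, pmk_sta = sae_keys(rand_sta, pe_sta, commit_sta, commit_ap)
    kck_ap, pmk_ap = sae_keys(rand_ap, pe_ap, commit_ap, commit_sta)
    confirm_sta = sae_confirm(kck_sta, 1, commit_sta, commit_ap)
    accepted = hmac.compare_digest(confirm_sta, sae_confirm(kck_ap, 1, commit_sta, commit_ap))
    return accepted, pmk_sta == pmk_ap
```

Read the commit message against the slide's claims: the only password-dependent value on the wire is Element = -mask*PE with a fresh random mask, so a passive observer who guesses the password has nothing to compare it to, and an active attacker must pick one candidate PE before sending its commit and learns only from the confirm whether that single guess was right. Compare that with the PPSK example earlier, where one captured handshake checks an unlimited number of guesses.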

The future: 802.11ax
802.11ax – High Efficiency (HE)
802.11ax uses PHY and MAC layer enhancements for better traffic management.
The goal is to increase average throughput 4X per user in high-density scenarios.
WPA3 security is required for 802.11ax certification.

The future: 802.11ax
802.11ax blog series: https://blog.aerohive.com/tag/11ax
802.11ax for Dummies booklet: https://content.aerohive.com/80211ax_dummies_book

Questions?

Thank you
2 | copy 2018 Aerohive Networks All Rights Reserved
Who is this guy
David ColemanSenior Technical Evangelist - Aerohive
Networks
CWNE 4
mistermultipath
3 | copy 2018 Aerohive Networks All Rights Reserved
Sybex CWSP Study Guide2nd Edition
ISBN 978-1119211082
Amazon httpamzncom1119211085
Who is this guy
4 | copy 2018 Aerohive Networks All Rights Reserved
Five Tenets of WLAN Security
I Data Privacy and Integrity
II Authentication Authorization and Accounting
(AAA)
III Segmentation (Access Control)
IV Monitoring
V Policy
80211 Networking Basics
copy Aerohive Networks Proprietary amp Confidential 5
1 Physical
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
OSI Model
Remember that Wi-Fi operates at Layer 1 and the
MAC sublayer of Layer 2
Robust Security Network (RSN) security mechanisms
operate at the MAC
WLAN Security
6 | copy 2018 Aerohive Networks All Rights Reserved
Data Privacy and Integrity
The 80211-2016 standard defines
authentication and key management
(AKM) services
Authentication required for key
creation
Robust Security Network (RSN)
dynamic encryption
4-Way Handshake
Supplicant
PMK
PTK created
PTK created
GTK created
GTK delivered
GTK
Temporal keys installed
Controlled port unblocked
EAPOL-KEY message 1
EAPOL-KEY message 3
EAPOL-KEY message 2
EAPOL-KEY message 4
PTK
Master Keys PMK and GMK
Temporal Keys PTK and GTK
PMK GMK
Authenticator
GTK
Temporal keys installed
PTK
7 | copy 2018 Aerohive Networks All Rights Reserved
Data Privacy and Integrity
MAC Protocol Data Unit (MPDU) = 80211 frame
MAC Service Data Unit (MSDU) = upper layer payload
MSDU = LLC + Layers 3-7 information
MSDU can be encrypted by WEP TKIP CCMP or GCMP
8 | copy 2018 Aerohive Networks All Rights Reserved
AAA
Authentication Validate userdevice identity
Authorization Authorize userdevice identity
Accounting Paper trail
80211 security requires an authentication and
key management protocol (AKMP) that can be
either a preshared key (PSK) or an EAP protocol
used during 8021X authentication
9 | copy 2018 Aerohive Networks All Rights Reserved
Validating identity is important
bull David Coleman
bull Wi-Fi Geek
bull Born February
1960
bull David Coleman Headley
bull Convicted terrorist
bull Born June1960
10 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash 8021XEAP authentication
LDAP
EAP EAP
RADIUSCLIENT AP
Root CA cert Server cert
bull Extensible Authentication
Protocol (EAP)
bull Server certificate and Root CA
certificate
bull Tunneled authentication using
SSLTLS
bull 8021X Port based access control
bull Authorization Framework
bull Supplicant
bull Authenticator
bull Authentication Server
bull Integrates with LDAP
11 | copy 2018 Aerohive Networks All Rights Reserved
Role Based Access Control
user-1
user-2
user-3
SSID Corp-Wi-Fi
AP RADIUS
VLAN 10
firewall-policy-A
bandwidth unlimited
VLAN 20
firewall-policy-B
bandwidth 4 Mbps
VLAN 30
firewall-policy-C
bandwidth 2 Mbps
If AD group = sales
then send AVP = Role-A
LDAP
Role-AVLAN 10
firewall-policy-A
bandwidth unlimited
Role-BVLAN 20
firewall-policy-B
bandwidth 4 Mbps
Role-CVLAN 30
firewall-policy-C
bandwidth 2 Mbps
Active Directory groups
sales
marketing
finance
If AD group = marketing
then send AVP = Role-B
If AD group = finance
then send AVP = Role-C
12 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash Fast Secure Roaming - Voice Enterprise
Roam
RADIUS Server
13 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Personal ndash Static PSK Security
Consider a traditional PSK SSID
8-63 character shared passphrase
Never intended for use in the
enterprise
Susceptible to offline dictionary attacks
Wi-Fi Alliance recommends 20 strong
characters or more
Biggest weakness is that the PSK
credential is ldquostaticrdquo
PSK = passphrase123
PSK = passphrase123
14 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
Authentication Private PSK
PPSK1 amp-334dfg
PPSK2 99iK3-3jkl
PPSK3 uuampamp$tY39Df
SSID Corp-Wi-Fi
passphrase amp-334dfg
SSID Corp-Wi-Fi
passphrase 99iK3-3jkl
SSID Corp-Wi-Fi
passphrase uuampamp$tY39Df
AP
All users and devices have unique credentials
If a user leaves or device is lost the PPSK credential is
simply changed for that one user or device
15 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
AP
User Profile-AVLAN 10 and FW-Policy-5
User Profile-AVLAN 10 and FW-Policy-5
User Profile-BVLAN 20 and FW-Policy-6
User Profile-BVLAN 20 and FW-Policy-6
User Profile-CVLAN 30 and FW-Policy-7User Profile-C
VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different
groups of users or devices to different user traffic settings
SSID Corp-Wi-Fi
Authentication Private PSK
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
3 | copy 2018 Aerohive Networks All Rights Reserved
Sybex CWSP Study Guide2nd Edition
ISBN 978-1119211082
Amazon httpamzncom1119211085
Who is this guy
4 | copy 2018 Aerohive Networks All Rights Reserved
Five Tenets of WLAN Security
I Data Privacy and Integrity
II Authentication Authorization and Accounting
(AAA)
III Segmentation (Access Control)
IV Monitoring
V Policy
80211 Networking Basics
copy Aerohive Networks Proprietary amp Confidential 5
1 Physical
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
OSI Model
Remember that Wi-Fi operates at Layer 1 and the
MAC sublayer of Layer 2
Robust Security Network (RSN) security mechanisms
operate at the MAC
WLAN Security
6 | copy 2018 Aerohive Networks All Rights Reserved
Data Privacy and Integrity
The 80211-2016 standard defines
authentication and key management
(AKM) services
Authentication required for key
creation
Robust Security Network (RSN)
dynamic encryption
4-Way Handshake
Supplicant
PMK
PTK created
PTK created
GTK created
GTK delivered
GTK
Temporal keys installed
Controlled port unblocked
EAPOL-KEY message 1
EAPOL-KEY message 3
EAPOL-KEY message 2
EAPOL-KEY message 4
PTK
Master Keys PMK and GMK
Temporal Keys PTK and GTK
PMK GMK
Authenticator
GTK
Temporal keys installed
PTK
7 | copy 2018 Aerohive Networks All Rights Reserved
Data Privacy and Integrity
MAC Protocol Data Unit (MPDU) = 80211 frame
MAC Service Data Unit (MSDU) = upper layer payload
MSDU = LLC + Layers 3-7 information
MSDU can be encrypted by WEP TKIP CCMP or GCMP
8 | copy 2018 Aerohive Networks All Rights Reserved
AAA
Authentication Validate userdevice identity
Authorization Authorize userdevice identity
Accounting Paper trail
80211 security requires an authentication and
key management protocol (AKMP) that can be
either a preshared key (PSK) or an EAP protocol
used during 8021X authentication
9 | copy 2018 Aerohive Networks All Rights Reserved
Validating identity is important
bull David Coleman
bull Wi-Fi Geek
bull Born February
1960
bull David Coleman Headley
bull Convicted terrorist
bull Born June1960
10 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash 8021XEAP authentication
LDAP
EAP EAP
RADIUSCLIENT AP
Root CA cert Server cert
bull Extensible Authentication
Protocol (EAP)
bull Server certificate and Root CA
certificate
bull Tunneled authentication using
SSLTLS
bull 8021X Port based access control
bull Authorization Framework
bull Supplicant
bull Authenticator
bull Authentication Server
bull Integrates with LDAP
11 | copy 2018 Aerohive Networks All Rights Reserved
Role Based Access Control
user-1
user-2
user-3
SSID Corp-Wi-Fi
AP RADIUS
VLAN 10
firewall-policy-A
bandwidth unlimited
VLAN 20
firewall-policy-B
bandwidth 4 Mbps
VLAN 30
firewall-policy-C
bandwidth 2 Mbps
If AD group = sales
then send AVP = Role-A
LDAP
Role-AVLAN 10
firewall-policy-A
bandwidth unlimited
Role-BVLAN 20
firewall-policy-B
bandwidth 4 Mbps
Role-CVLAN 30
firewall-policy-C
bandwidth 2 Mbps
Active Directory groups
sales
marketing
finance
If AD group = marketing
then send AVP = Role-B
If AD group = finance
then send AVP = Role-C
12 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash Fast Secure Roaming - Voice Enterprise
Roam
RADIUS Server
13 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Personal ndash Static PSK Security
Consider a traditional PSK SSID
8-63 character shared passphrase
Never intended for use in the
enterprise
Susceptible to offline dictionary attacks
Wi-Fi Alliance recommends 20 strong
characters or more
Biggest weakness is that the PSK
credential is ldquostaticrdquo
PSK = passphrase123
PSK = passphrase123
14 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
Authentication Private PSK
PPSK1 amp-334dfg
PPSK2 99iK3-3jkl
PPSK3 uuampamp$tY39Df
SSID Corp-Wi-Fi
passphrase amp-334dfg
SSID Corp-Wi-Fi
passphrase 99iK3-3jkl
SSID Corp-Wi-Fi
passphrase uuampamp$tY39Df
AP
All users and devices have unique credentials
If a user leaves or device is lost the PPSK credential is
simply changed for that one user or device
15 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
AP
User Profile-AVLAN 10 and FW-Policy-5
User Profile-AVLAN 10 and FW-Policy-5
User Profile-BVLAN 20 and FW-Policy-6
User Profile-BVLAN 20 and FW-Policy-6
User Profile-CVLAN 30 and FW-Policy-7User Profile-C
VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different
groups of users or devices to different user traffic settings
SSID Corp-Wi-Fi
Authentication Private PSK
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
4 | copy 2018 Aerohive Networks All Rights Reserved
Five Tenets of WLAN Security
I Data Privacy and Integrity
II Authentication Authorization and Accounting
(AAA)
III Segmentation (Access Control)
IV Monitoring
V Policy
80211 Networking Basics
copy Aerohive Networks Proprietary amp Confidential 5
1 Physical
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
OSI Model
Remember that Wi-Fi operates at Layer 1 and the
MAC sublayer of Layer 2
Robust Security Network (RSN) security mechanisms
operate at the MAC
WLAN Security
6 | copy 2018 Aerohive Networks All Rights Reserved
Data Privacy and Integrity
The 80211-2016 standard defines
authentication and key management
(AKM) services
Authentication required for key
creation
Robust Security Network (RSN)
dynamic encryption
4-Way Handshake
Supplicant
PMK
PTK created
PTK created
GTK created
GTK delivered
GTK
Temporal keys installed
Controlled port unblocked
EAPOL-KEY message 1
EAPOL-KEY message 3
EAPOL-KEY message 2
EAPOL-KEY message 4
PTK
Master Keys PMK and GMK
Temporal Keys PTK and GTK
PMK GMK
Authenticator
GTK
Temporal keys installed
PTK
7 | copy 2018 Aerohive Networks All Rights Reserved
Data Privacy and Integrity
MAC Protocol Data Unit (MPDU) = 80211 frame
MAC Service Data Unit (MSDU) = upper layer payload
MSDU = LLC + Layers 3-7 information
MSDU can be encrypted by WEP TKIP CCMP or GCMP
8 | copy 2018 Aerohive Networks All Rights Reserved
AAA
Authentication Validate userdevice identity
Authorization Authorize userdevice identity
Accounting Paper trail
80211 security requires an authentication and
key management protocol (AKMP) that can be
either a preshared key (PSK) or an EAP protocol
used during 8021X authentication
9 | copy 2018 Aerohive Networks All Rights Reserved
Validating identity is important
bull David Coleman
bull Wi-Fi Geek
bull Born February
1960
bull David Coleman Headley
bull Convicted terrorist
bull Born June1960
10 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash 8021XEAP authentication
LDAP
EAP EAP
RADIUSCLIENT AP
Root CA cert Server cert
bull Extensible Authentication
Protocol (EAP)
bull Server certificate and Root CA
certificate
bull Tunneled authentication using
SSLTLS
bull 8021X Port based access control
bull Authorization Framework
bull Supplicant
bull Authenticator
bull Authentication Server
bull Integrates with LDAP
11 | copy 2018 Aerohive Networks All Rights Reserved
Role Based Access Control
user-1
user-2
user-3
SSID Corp-Wi-Fi
AP RADIUS
VLAN 10
firewall-policy-A
bandwidth unlimited
VLAN 20
firewall-policy-B
bandwidth 4 Mbps
VLAN 30
firewall-policy-C
bandwidth 2 Mbps
If AD group = sales
then send AVP = Role-A
LDAP
Role-AVLAN 10
firewall-policy-A
bandwidth unlimited
Role-BVLAN 20
firewall-policy-B
bandwidth 4 Mbps
Role-CVLAN 30
firewall-policy-C
bandwidth 2 Mbps
Active Directory groups
sales
marketing
finance
If AD group = marketing
then send AVP = Role-B
If AD group = finance
then send AVP = Role-C
12 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash Fast Secure Roaming - Voice Enterprise
Roam
RADIUS Server
13 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Personal ndash Static PSK Security
Consider a traditional PSK SSID
8-63 character shared passphrase
Never intended for use in the
enterprise
Susceptible to offline dictionary attacks
Wi-Fi Alliance recommends 20 strong
characters or more
Biggest weakness is that the PSK
credential is ldquostaticrdquo
PSK = passphrase123
PSK = passphrase123
14 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
Authentication Private PSK
PPSK1 amp-334dfg
PPSK2 99iK3-3jkl
PPSK3 uuampamp$tY39Df
SSID Corp-Wi-Fi
passphrase amp-334dfg
SSID Corp-Wi-Fi
passphrase 99iK3-3jkl
SSID Corp-Wi-Fi
passphrase uuampamp$tY39Df
AP
All users and devices have unique credentials
If a user leaves or device is lost the PPSK credential is
simply changed for that one user or device
15 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
AP
User Profile-AVLAN 10 and FW-Policy-5
User Profile-AVLAN 10 and FW-Policy-5
User Profile-BVLAN 20 and FW-Policy-6
User Profile-BVLAN 20 and FW-Policy-6
User Profile-CVLAN 30 and FW-Policy-7User Profile-C
VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different
groups of users or devices to different user traffic settings
SSID Corp-Wi-Fi
Authentication Private PSK
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | © 2018 Aerohive Networks. All Rights Reserved.
Wi-Fi Alliance Security Certification
[Diagram: the WPA3 certification family built on WPA2 (WPA2 is required for WPA3). WPA2 Enhancements: PMF, Key Reinstallation Vulnerability Detection ('KRACK' protected), WPA2 security improvements. WPA3-Personal: SAE replaces PSK, AES-128, PMF, disallow WEP/TKIP. WPA3-Enterprise: EAP-TLS or EAP-xx, AES-128/AES-256, PMF, 192-bit Security (optional).]
24 | © 2018 Aerohive Networks. All Rights Reserved.
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | © 2018 Aerohive Networks. All Rights Reserved.
WPA3 Personal
Disallows WEP & TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
• SAE is based on IEEE 802.11s (Mesh)
• Password is never shared during the key exchange protocol
• Uses a 'zero-knowledge proof'
• Resistant to dictionary attacks: you only get to guess the password once
26 | © 2018 Aerohive Networks. All Rights Reserved.
WPA3 Enterprise
Disallows WEP & TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
• Based on US Government cryptographic tools for sensitive networks
• 192-bit Security suite of protocols includes:
  • AES-GCM-256 for authenticated encryption
  • HMAC-SHA384 for key derivation and key confirmation
  • ECDHE and ECDSA using a 384-bit elliptic curve
  • RSA key lengths of 3k bits or greater
  • BIP-GMAC-256 for robust management frame protection
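An added example, not Aerohive or Wi-Fi Alliance code, that turns the WPA3 bullets on slides 24 to 26 into a configuration audit. The settings use hostapd-style key names (wpa, wpa_key_mgmt, rsn_pairwise, ieee80211w, group_mgmt_cipher) as an assumed input format; server_cert_key_type and server_cert_key_bits are hypothetical metadata describing the RADIUS server certificate, and the four sample configurations are constructed. The legacy WPA2-PSK profile is shown beside the corrected WPA3-Personal one.

```python
from typing import Dict, List

LEGACY_CIPHERS = {"WEP40", "WEP104", "TKIP"}   # disallowed by every WPA3 mode (slides 25-26)
PMF_REQUIRED = 2                                # hostapd-style ieee80211w: 0 off, 1 optional, 2 required
EAP_AKMS = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}


def audit(mode: str, cfg: Dict[str, object]) -> List[str]:
    """Check one SSID's settings against the WPA3 profile named by mode ('personal' or 'enterprise').

    Returns human-readable findings; an empty list means the settings satisfy the profile.
    """
    if mode not in ("personal", "enterprise"):
        raise ValueError("mode must be 'personal' or 'enterprise'")
    findings: List[str] = []
    akms = set(str(cfg.get("wpa_key_mgmt", "")).split())
    pairwise = set(str(cfg.get("rsn_pairwise", "")).split())

    # Requirements shared by WPA3-Personal and WPA3-Enterprise
    if int(cfg.get("wpa", 0)) != 2:
        findings.append("wpa must be 2 (RSN only): WPA1 mixed mode re-enables TKIP")
    if pairwise & LEGACY_CIPHERS:
        findings.append(f"legacy ciphers enabled {sorted(pairwise & LEGACY_CIPHERS)}: WEP and TKIP are disallowed")
    if int(cfg.get("ieee80211w", 0)) != PMF_REQUIRED:
        findings.append("ieee80211w must be 2: Protected Management Frames are required, not optional")

    if mode == "personal":
        if "SAE" not in akms:
            findings.append("SAE missing from wpa_key_mgmt: WPA3-Personal replaces PSK with SAE")
        if "WPA-PSK" in akms:
            findings.append("WPA-PSK still offered: that is WPA3 transition mode, not WPA3-Personal only")
    else:
        if not akms & EAP_AKMS:
            findings.append("no 802.1X/EAP AKM in wpa_key_mgmt")
        if "WPA-EAP-SUITE-B-192" in akms:
            findings += audit_192bit(cfg, pairwise)
    return findings


def audit_192bit(cfg: Dict[str, object], pairwise: set) -> List[str]:
    """Optional 192-bit security suite (slide 26): GCMP-256, BIP-GMAC-256, P-384 or RSA 3072+."""
    out: List[str] = []
    if pairwise != {"GCMP-256"}:
        out.append("192-bit suite needs rsn_pairwise=GCMP-256 only (AES-GCM-256)")
    if cfg.get("group_mgmt_cipher") != "BIP-GMAC-256":
        out.append("192-bit suite needs group_mgmt_cipher=BIP-GMAC-256")
    # server_cert_key_type / server_cert_key_bits: assumed metadata about the RADIUS server certificate
    key_type, key_bits = cfg.get("server_cert_key_type"), int(cfg.get("server_cert_key_bits", 0))
    if key_type == "RSA" and key_bits < 3072:
        out.append(f"RSA server key is {key_bits} bits: 192-bit suite needs 3072 or more")
    elif key_type == "EC" and key_bits != 384:
        out.append(f"EC server key uses a {key_bits}-bit curve: 192-bit suite needs P-384 (ECDHE/ECDSA)")
    elif key_type not in ("RSA", "EC"):
        out.append("server certificate key type unknown: cannot confirm P-384 / RSA-3072")
    return out


# Constructed sample settings (hostapd-style keys), not taken from any real deployment
WPA2_PSK_LEGACY = {"wpa": 2, "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": "CCMP TKIP", "ieee80211w": 0}
WPA3_PERSONAL = {"wpa": 2, "wpa_key_mgmt": "SAE", "rsn_pairwise": "CCMP", "ieee80211w": 2}
WPA3_ENTERPRISE_192 = {
    "wpa": 2, "wpa_key_mgmt": "WPA-EAP-SUITE-B-192", "rsn_pairwise": "GCMP-256", "ieee80211w": 2,
    "group_mgmt_cipher": "BIP-GMAC-256", "server_cert_key_type": "EC", "server_cert_key_bits": 384,
}
WEAK_CERT_192 = dict(WPA3_ENTERPRISE_192, server_cert_key_type="RSA", server_cert_key_bits=2048)

if __name__ == "__main__":
    for label, mode, cfg in [("WPA2-PSK legacy", "personal", WPA2_PSK_LEGACY),
                             ("WPA3-Personal", "personal", WPA3_PERSONAL),
                             ("WPA3-Enterprise 192-bit", "enterprise", WPA3_ENTERPRISE_192),
                             ("192-bit with RSA-2048 cert", "enterprise", WEAK_CERT_192)]:
        print(label, "->", audit(mode, cfg) or ["OK"])
```

The certificate checks matter in practice: a 192-bit SSID with a 2048-bit RSA server certificate passes the cipher checks yet still falls short of the suite, which is why the audit looks at the key behind the certificate and not only at the air-interface ciphers.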
27 | © 2018 Aerohive Networks. All Rights Reserved.
SAE
WPA3 replacement for PSK authentication
Simultaneous Authentication of Equals (SAE)
SAE is a variant of Dragonfly, a password-authenticated key exchange based on a zero-knowledge proof
[Diagram: both sides select the passphrase, then exchange SAE commit messages in each direction, followed by SAE confirm messages in each direction.]
28 | © 2018 Aerohive Networks. All Rights Reserved.
SAE
[Diagram: the same exchange as the previous slide; both sides select the passphrase, exchange SAE commit, then SAE confirm.]
Prove you know the credentials without compromising the credentials
No forging, modification or replay attacks
No offline dictionary attacks
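The commit/confirm exchange on slides 27 and 28, as an added example that is not Aerohive's or the IEEE's code: a Dragonfly-style SAE run on the NIST P-256 group (the default SAE group), with the password element found by hunting and pecking, a commit (scalar, element) sent in each direction, and a confirm MAC. SaePeer, run_sae, the KDF labels and the MAC addresses are my own simplifications; real SAE fixes the exact KDF, a constant-time password-element search (or hash-to-element), anti-clogging tokens and group negotiation, so this is for study, not deployment. What it shows is the reason for the last three bullets: the commit values are blinded by a random mask, so a passive listener has nothing to test candidate passwords against, and a peer holding the wrong password simply fails the confirm step.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# NIST P-256 domain parameters: the default SAE group (IANA group 19)
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = -3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
Point = Optional[Tuple[int, int]]   # None stands for the point at infinity

def add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + Ax + B (mod P)."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (not constant time; fine for a demo)."""
    acc: Point = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def on_curve(pt: Point) -> bool:
    return pt is not None and (pt[1] * pt[1] - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def password_element(password: str, mac_a: str, mac_b: str) -> Point:
    """Hunting and pecking: hash password, both MACs and a counter until x lands on the curve."""
    ids = max(mac_a, mac_b) + min(mac_a, mac_b)       # order-independent, so both sides agree
    for counter in range(1, 256):
        x = int.from_bytes(hashlib.sha256(f"{ids}|{password}|{counter}".encode()).digest(), "big")
        if x >= P:
            continue
        rhs = (x ** 3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)                 # square root, valid because P = 3 (mod 4)
        if y * y % P == rhs:
            return (x, y)
    raise RuntimeError("no password element found")

class SaePeer:
    def __init__(self, mac: str, peer_mac: str, password: str) -> None:
        self.pe = password_element(password, mac, peer_mac)   # the only value derived from the password
        self.rand = self.mask = self.scalar = 0
        self.element, self.peer = None, (0, None)
        self.kck = self.pmk = b""

    def commit(self) -> Tuple[int, Point]:
        """Commit = (rand + mask mod N, -mask*PE); the random mask blinds PE in both values."""
        while self.scalar < 2:
            self.rand, self.mask = 2 + secrets.randbelow(N - 2), 2 + secrets.randbelow(N - 2)
            self.scalar = (self.rand + self.mask) % N
        mx, my = mul(self.mask, self.pe)
        self.element = (mx, (-my) % P)                # point negation
        return self.scalar, self.element

    def process_commit(self, peer_scalar: int, peer_element: Point) -> None:
        """K = rand * (peer_scalar*PE + peer_element) = rand*peer_rand*PE on both sides."""
        if not 2 <= peer_scalar < N or not on_curve(peer_element) or peer_scalar == self.scalar:
            raise ValueError("invalid or reflected commit")
        k = mul(self.rand, add(mul(peer_scalar, self.pe), peer_element))
        keyseed = hashlib.sha256(k[0].to_bytes(32, "big")).digest()
        ctx = ((self.scalar + peer_scalar) % N).to_bytes(32, "big")   # binds keys to this exchange
        self.kck = hmac.new(keyseed, b"\x01SAE KCK and PMK" + ctx, hashlib.sha256).digest()
        self.pmk = hmac.new(keyseed, b"\x02SAE KCK and PMK" + ctx, hashlib.sha256).digest()
        self.peer = (peer_scalar, peer_element)

    def _mac(self, s1: int, e1: Point, s2: int, e2: Point) -> bytes:
        msg = b"".join(v.to_bytes(32, "big") for v in (s1, *e1, s2, *e2))
        return hmac.new(self.kck, msg, hashlib.sha256).digest()

    def confirm(self) -> bytes:
        return self._mac(self.scalar, self.element, *self.peer)

    def verify_confirm(self, token: bytes) -> bool:
        """Fails whenever the peer derived a different PE, i.e. used a different password."""
        return hmac.compare_digest(token, self._mac(*self.peer, self.scalar, self.element))

def run_sae(sta_password: str, ap_password: str) -> Tuple[bool, bool, bool]:
    """Full commit/confirm exchange; returns (AP accepts STA, STA accepts AP, PMKs equal)."""
    sta_mac, ap_mac = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed addresses
    sta, ap = SaePeer(sta_mac, ap_mac, sta_password), SaePeer(ap_mac, sta_mac, ap_password)
    sta_commit, ap_commit = sta.commit(), ap.commit()            # both commits cross the air
    sta.process_commit(*ap_commit)
    ap.process_commit(*sta_commit)
    return ap.verify_confirm(sta.confirm()), sta.verify_confirm(ap.confirm()), sta.pmk == ap.pmk
```

Compare this with the WPA2-Personal flow: there the PMK is a fixed function of passphrase and SSID, so a captured 4-way handshake can be checked against guesses at leisure. Here the PMK depends on both sides' fresh random values, and the confirm MAC is the only place a guess is tested, one exchange at a time, which is what "you only get to guess the password once" on slide 25 refers to.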
29 | © 2018 Aerohive Networks. All Rights Reserved.
The future: 802.11ax
802.11ax - High Efficiency (HE)
802.11ax uses PHY and MAC layer enhancements for better traffic management
The goal is to increase average throughput 4X per user in high-density scenarios
WPA3 security is required for 802.11ax certification
30 | © 2018 Aerohive Networks. All Rights Reserved.
The future: 802.11ax
802.11ax blog series: https://blog.aerohive.com/tag/11ax
802.11ax for Dummies Booklet: https://content.aerohive.com/80211ax_dummies_book
31 | © 2018 Aerohive Networks. All Rights Reserved.
Questions
32 | © 2018 Aerohive Networks. All Rights Reserved.
Thank you
8 | copy 2018 Aerohive Networks All Rights Reserved
AAA
Authentication Validate userdevice identity
Authorization Authorize userdevice identity
Accounting Paper trail
80211 security requires an authentication and
key management protocol (AKMP) that can be
either a preshared key (PSK) or an EAP protocol
used during 8021X authentication
9 | copy 2018 Aerohive Networks All Rights Reserved
Validating identity is important
bull David Coleman
bull Wi-Fi Geek
bull Born February
1960
bull David Coleman Headley
bull Convicted terrorist
bull Born June1960
10 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash 8021XEAP authentication
LDAP
EAP EAP
RADIUSCLIENT AP
Root CA cert Server cert
bull Extensible Authentication
Protocol (EAP)
bull Server certificate and Root CA
certificate
bull Tunneled authentication using
SSLTLS
bull 8021X Port based access control
bull Authorization Framework
bull Supplicant
bull Authenticator
bull Authentication Server
bull Integrates with LDAP
11 | copy 2018 Aerohive Networks All Rights Reserved
Role Based Access Control
user-1
user-2
user-3
SSID Corp-Wi-Fi
AP RADIUS
VLAN 10
firewall-policy-A
bandwidth unlimited
VLAN 20
firewall-policy-B
bandwidth 4 Mbps
VLAN 30
firewall-policy-C
bandwidth 2 Mbps
If AD group = sales
then send AVP = Role-A
LDAP
Role-AVLAN 10
firewall-policy-A
bandwidth unlimited
Role-BVLAN 20
firewall-policy-B
bandwidth 4 Mbps
Role-CVLAN 30
firewall-policy-C
bandwidth 2 Mbps
Active Directory groups
sales
marketing
finance
If AD group = marketing
then send AVP = Role-B
If AD group = finance
then send AVP = Role-C
12 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash Fast Secure Roaming - Voice Enterprise
Roam
RADIUS Server
13 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Personal ndash Static PSK Security
Consider a traditional PSK SSID
8-63 character shared passphrase
Never intended for use in the
enterprise
Susceptible to offline dictionary attacks
Wi-Fi Alliance recommends 20 strong
characters or more
Biggest weakness is that the PSK
credential is ldquostaticrdquo
PSK = passphrase123
PSK = passphrase123
14 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
Authentication Private PSK
PPSK1 amp-334dfg
PPSK2 99iK3-3jkl
PPSK3 uuampamp$tY39Df
SSID Corp-Wi-Fi
passphrase amp-334dfg
SSID Corp-Wi-Fi
passphrase 99iK3-3jkl
SSID Corp-Wi-Fi
passphrase uuampamp$tY39Df
AP
All users and devices have unique credentials
If a user leaves or device is lost the PPSK credential is
simply changed for that one user or device
15 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
AP
User Profile-AVLAN 10 and FW-Policy-5
User Profile-AVLAN 10 and FW-Policy-5
User Profile-BVLAN 20 and FW-Policy-6
User Profile-BVLAN 20 and FW-Policy-6
User Profile-CVLAN 30 and FW-Policy-7User Profile-C
VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different
groups of users or devices to different user traffic settings
SSID Corp-Wi-Fi
Authentication Private PSK
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once

Slide 26
WPA3-Enterprise
• Disallows the WEP and TKIP protocols
• Requires the use of Protected Management Frames
• Optional 192-bit Security mode (Suite B certification) provides greater security
  • Based on the US government's Suite B / CNSA cryptographic algorithms for sensitive networks
  • The 192-bit Security suite of protocols includes:
    • AES-GCM-256 (GCMP-256) for authenticated encryption
    • HMAC-SHA-384 for key derivation and key confirmation
    • ECDHE and ECDSA using a 384-bit elliptic curve (P-384)
    • RSA key lengths of 3072 bits or greater
    • BIP-GMAC-256 for robust management frame protection

Slide 27
SAE
WPA3 replacement for PSK authentication: Simultaneous Authentication of Equals (SAE)
SAE is a variant of Dragonfly, a password-authenticated key exchange (PAKE) in which each side proves knowledge of the password without revealing it (the 'zero-knowledge proof' of the previous slide)
Diagram (both sides start from the configured passphrase; nothing derived from it is sent in the clear):
  STA                                  AP
  select passphrase                    select passphrase
  ----- SAE Commit ------------------>
  <---- SAE Commit -------------------
  ----- SAE Confirm ----------------->
  <---- SAE Confirm ------------------

Slide 28
SAE
Same Commit/Confirm exchange as the previous slide; what it gives you:
• Prove you know the credentials without compromising the credentials
• No forging, modification or replay attacks
• No offline dictionary attacks
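The Commit/Confirm exchange above, as an added example that is not part of the deck and not Aerohive code: a toy Dragonfly PAKE (the construction SAE is built on, RFC 7664) over a finite-field group. Assumptions: the 128-bit safe-prime group is generated at import time only to keep the demo self-contained (real SAE uses NIST P-256, group 19), the KDF and Confirm framing are simplified, and the identifiers `sta`/`ap` and the passphrases are constructed. It shows why a sniffer gets nothing to test a guess against: the scalar is rand + mask and the element is PE^-mask, so the transcript never reveals rand, and without rand the shared secret behind the Confirm cannot be formed. The only attack left is one live exchange per guess.

```python
"""Simultaneous Authentication of Equals (SAE) via the Dragonfly PAKE it is built on (RFC 7664),
over a finite-field group. Added example for slides 25, 27 and 28; not Aerohive code and not a
conformant 802.11 implementation. The 128-bit group is a demo assumption, never one to deploy."""
import hashlib
import hmac
import random
import secrets
_SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; adequate for building a demo group."""
    if n < 2:
        return False
    for b in _SMALL:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in _SMALL:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _find_safe_prime(bits: int, seed: int = 2018):
    """Deterministic search for p = 2q + 1 with both p and q prime."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = _find_safe_prime(128)  # toy group: prime P, order-Q subgroup of quadratic residues

def password_element(password: bytes, sta_id: bytes, ap_id: bytes) -> int:
    """Hunting and pecking: hash password, both identities and a counter into the field, then
    map into the order-Q subgroup with exponent (P-1)/Q. PE is derived on both sides, never sent."""
    ids = max(sta_id, ap_id) + min(sta_id, ap_id)
    for counter in range(1, 256):
        x = int.from_bytes(hashlib.sha256(ids + password + bytes([counter])).digest()[:16], "big")
        if 2 <= x < P:
            pe = pow(x, (P - 1) // Q, P)
            if pe > 1:
                return pe
    raise ValueError("no password element found")

def commit(pe: int):
    """SAE Commit: scalar = rand + mask (mod Q), element = PE^-mask; rand stays secret."""
    while True:
        rand, mask = secrets.randbelow(Q - 2) + 2, secrets.randbelow(Q - 2) + 2
        scalar = (rand + mask) % Q
        if scalar >= 2:
            return rand, (scalar, pow(pow(pe, mask, P), P - 2, P))  # inverse via Fermat

def valid_commit(c) -> bool:
    """Reject out-of-range scalars and elements outside the order-Q subgroup."""
    scalar, element = c
    return 2 <= scalar < Q and 1 < element < P and pow(element, Q, P) == 1
def shared_secret(pe: int, rand: int, peer_scalar: int, peer_element: int) -> int:
    """ss = (PE^peer_scalar * peer_element)^rand = PE^(rand * peer_rand); the masks cancel."""
    return pow(pow(pe, peer_scalar, P) * peer_element % P, rand, P)
def derive_keys(ss: int):
    """Simplified stand-in for SAE's KDF: KCK authenticates Confirm, PMK feeds the 4-Way Handshake."""
    k = hashlib.sha256(ss.to_bytes(16, "big")).digest()
    return k[:16], k[16:]
def confirm(kck: bytes, own, peer) -> bytes:
    """SAE Confirm: MAC over both commits under the KCK; only a peer with the same PE can check it."""
    return hmac.new(kck, b"".join(v.to_bytes(16, "big") for v in (*own, *peer)), hashlib.sha256).digest()

def sae_exchange(sta_password: bytes, ap_password: bytes, sta_id=b"sta", ap_id=b"ap"):
    """Run Commit/Confirm both ways. Returns (authenticated, pmk_sta, pmk_ap, transcript)."""
    pe_sta, pe_ap = password_element(sta_password, sta_id, ap_id), password_element(ap_password, sta_id, ap_id)
    r_sta, c_sta = commit(pe_sta)
    r_ap, c_ap = commit(pe_ap)
    if not (valid_commit(c_sta) and valid_commit(c_ap)):
        return False, None, None, None
    kck_sta, pmk_sta = derive_keys(shared_secret(pe_sta, r_sta, *c_ap))
    kck_ap, pmk_ap = derive_keys(shared_secret(pe_ap, r_ap, *c_sta))
    conf_sta, conf_ap = confirm(kck_sta, c_sta, c_ap), confirm(kck_ap, c_ap, c_sta)
    ap_accepts = hmac.compare_digest(conf_sta, confirm(kck_ap, c_sta, c_ap))
    sta_accepts = hmac.compare_digest(conf_ap, confirm(kck_sta, c_ap, c_sta))
    transcript = {"commits": (c_sta, c_ap), "confirms": (conf_sta, conf_ap)}  # all a sniffer sees
    return ap_accepts and sta_accepts, pmk_sta, pmk_ap, transcript

def online_dictionary_attack(ap_password: bytes, wordlist):
    """The only attack the transcript leaves: one live exchange per guess."""
    for n, guess in enumerate(wordlist, 1):
        if sae_exchange(guess, ap_password)[0]:
            return guess, n
    return None, len(wordlist)
```

The Confirm check fails on any password mismatch, so a dictionary attack costs one full exchange per candidate, which the AP can rate-limit (802.11 adds anti-clogging tokens against floods). One caveat a real implementation has to honour and this demo does not: the password-element loop must run in constant time, because its timing depends on the password.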

Slide 29
The future: 802.11ax
802.11ax – High Efficiency (HE)
802.11ax uses PHY and MAC layer enhancements for better traffic management
The goal is to increase average throughput 4X per user in high-density scenarios
WPA3 security is required for Wi-Fi Alliance 802.11ax (Wi-Fi CERTIFIED 6) certification

Slide 30
The future: 802.11ax
802.11ax blog series: httpsblogaerohivecomtag11ax
802.11ax for Dummies booklet: httpscontentaerohivecom80211ax_dummies_book

Slide 31
Questions

Slide 32
Thank you

Slide 9
Validating identity is important
• David Coleman
  • Wi-Fi Geek
  • Born February 1960
• David Coleman Headley
  • Convicted terrorist
  • Born June 1960

Slide 10
Wi-Fi Security – 802.1X/EAP authentication
Diagram: CLIENT (supplicant, holds the Root CA cert) <-- EAP --> AP (authenticator) <-- EAP over RADIUS --> RADIUS server (holds the server cert) <--> LDAP
• Extensible Authentication Protocol (EAP)
• Server certificate and Root CA certificate: the client validates the server's certificate against the Root CA it trusts
• Tunneled authentication using TLS
• 802.1X port-based access control
• Authorization framework
• Supplicant
• Authenticator
• Authentication Server
• Integrates with LDAP

Slide 11
Role Based Access Control
Diagram: user-1, user-2 and user-3 all join SSID Corp-Wi-Fi; the AP authenticates them against RADIUS, which looks up Active Directory groups (sales, marketing, finance) over LDAP
RADIUS policy:
  If AD group = sales, then send AVP = Role-A
  If AD group = marketing, then send AVP = Role-B
  If AD group = finance, then send AVP = Role-C
AP role table (applied per user on the same SSID):
  Role-A: VLAN 10, firewall-policy-A, bandwidth unlimited
  Role-B: VLAN 20, firewall-policy-B, bandwidth 4 Mbps
  Role-C: VLAN 30, firewall-policy-C, bandwidth 2 Mbps
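Added example for the 802.1X/RADIUS flow on slides 10 and 11 (not from the deck, not Aerohive code): the RADIUS server's group-to-role policy and the authenticator's handling of the Access-Accept. Assumptions: the role name is carried in the standard Filter-Id attribute (a vendor would normally use a vendor-specific attribute), the shared secret and the Request Authenticator are constructed, and the policy tables are the ones on slide 11. What it shows is the check an AP must make before trusting an AVP: verify the Response Authenticator with the shared secret, otherwise anything on the wired side that can spoof a UDP reply can hand itself Role-A.

```python
"""802.1X/EAP with RADIUS-driven role-based access control (slides 10 and 11). Added example,
not Aerohive code. Assumptions: the role rides in Filter-Id (RFC 2865 attribute 11), and the
shared secret, Request Authenticator and packet bytes are constructed rather than captured."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11  # assumed carrier of the role name in this demo
SECRET = b"radius-shared-secret"  # constructed secret shared by the AP and the RADIUS server

# Slide 11: RADIUS policy (AD group -> AVP value) and the AP's local role table
GROUP_TO_ROLE = {"sales": "Role-A", "marketing": "Role-B", "finance": "Role-C"}
ROLES = {
    "Role-A": {"vlan": 10, "firewall_policy": "firewall-policy-A", "bandwidth_mbps": None},  # unlimited
    "Role-B": {"vlan": 20, "firewall_policy": "firewall-policy-B", "bandwidth_mbps": 4},
    "Role-C": {"vlan": 30, "firewall_policy": "firewall-policy-C", "bandwidth_mbps": 2},
}

def encode_avps(avps) -> bytes:
    """RADIUS attributes are TLVs: type (1 byte), length including the header (1 byte), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)

def parse_avps(data: bytes):
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, ad_groups):
    """RADIUS server side. Response Authenticator = MD5(Code | ID | Length | RequestAuth |
    Attributes | Secret) per RFC 2865 section 3. Returns None where a real server would Access-Reject."""
    role = next((GROUP_TO_ROLE[g] for g in ad_groups if g in GROUP_TO_ROLE), None)
    if role is None:
        return None
    attrs = encode_avps([(FILTER_ID, role.encode())])
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def authorize(packet: bytes, request_auth: bytes, secret: bytes):
    """AP side: accept the role only if the authenticator verifies under the shared secret.
    Returns the policy to apply, or None (forged, tampered, wrong secret, or unknown role)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # a spoofed or edited Accept fails here instead of handing out a role
    for t, v in parse_avps(attrs):
        if t == FILTER_ID:
            return ROLES.get(v.decode("ascii", "replace"))
    return None

if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator from the Access-Request
    for user, groups in (("user-1", ["sales"]), ("user-2", ["marketing"]), ("user-3", ["finance"])):
        print(user, authorize(build_access_accept(1, req_auth, SECRET, groups), req_auth, SECRET))
```

For EAP, RFC 3579 additionally requires a Message-Authenticator (HMAC-MD5) attribute that a real authenticator must also verify, and because the whole integrity story rests on MD5 and a shared secret, the AP-to-server RADIUS leg belongs on a management VLAN or inside RADIUS/TLS (RadSec).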

Slide 12
Wi-Fi Security – Fast Secure Roaming – Voice Enterprise
Diagram: a client roams between APs; RADIUS Server

Slide 13
WPA2 Personal – Static PSK Security
Consider a traditional PSK SSID:
• 8-63 character shared passphrase
• Never intended for use in the enterprise
• Susceptible to offline dictionary attacks: anyone who captures a 4-Way Handshake can test passphrase guesses offline
• Wi-Fi Alliance recommends 20 strong characters or more
• Biggest weakness is that the PSK credential is "static": the AP and every client share the same value (PSK = passphrase123 in the diagram), so it cannot be revoked for one user without changing it for everyone

Slide 14
Private Pre-Shared Key (PPSK)
Diagram: one SSID, Corp-Wi-Fi, with Authentication: Private PSK on the AP, and a different passphrase per user:
  User 1 – PPSK1: &-334dfg (client profile: SSID Corp-Wi-Fi, passphrase &-334dfg)
  User 2 – PPSK2: 99iK3-3jkl (client profile: SSID Corp-Wi-Fi, passphrase 99iK3-3jkl)
  User 3 – PPSK3: uu&&$tY39Df (client profile: SSID Corp-Wi-Fi, passphrase uu&&$tY39Df)
All users and devices have unique credentials
If a user leaves or a device is lost, the PPSK credential is simply changed for that one user or device

Slide 15
Private Pre-Shared Key (PPSK)
Diagram: User 1, User 2 and User 3 each connect to SSID Corp-Wi-Fi (Authentication: Private PSK) and are placed in a user profile according to the PPSK they used:
  User 1 -> User Profile-A: VLAN 10 and FW-Policy-5
  User 2 -> User Profile-B: VLAN 20 and FW-Policy-6
  User 3 -> User Profile-C: VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK user groups can be leveraged to assign different groups of users or devices to different user traffic settings

Slide 16
Private Pre-Shared Key (PPSK)
• Multiple per-user and per-device PSKs assigned to a single SSID
• Easy to deploy
• No need for PKI certificates or RADIUS servers
• Can be time-based credentials
• Solves the "static" PSK problem
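Added example for slides 13 and 14 (not part of the deck, not Aerohive code): the WPA2-Personal key derivation and Key MIC check, used from two points of view. `crack_psk` is the offline dictionary attack a static PSK invites once one 4-Way Handshake has been captured, and `identify_ppsk` is the same computation run by an AP that has to work out which of its per-user PSKs a client used, since the handshake carries no key identifier. The MAC addresses, nonces and EAPOL-Key message 2 are constructed for the demo; the passphrases are the ones on the slides.

```python
"""WPA2-Personal 4-Way Handshake cryptography, used two ways: the offline dictionary attack on
a static PSK (slide 13) and the AP-side lookup that lets one SSID carry a PSK per user (PPSK,
slide 14). Added example, not Aerohive code; the handshake below is constructed, not captured."""
import hashlib
import hmac

MIC_OFFSET, MIC_LEN = 81, 16  # position of the Key MIC field inside an EAPOL-Key frame
PPSKS = {"User 1": "&-334dfg", "User 2": "99iK3-3jkl", "User 3": "uu&&$tY39Df"}  # slide 14

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11 PRF-512 (AKM 00-0F-AC:2): PTK from the PMK, both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]  # KCK = [0:16], KEK = [16:32], TK = [32:48]

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key MIC = HMAC-SHA1 over the EAPOL-Key frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(MIC_LEN) + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]

def capture_handshake(passphrase: str, ssid: str):
    """Constructed stand-in for sniffed messages 1 and 2: returns (AA, SPA, ANonce, SNonce, msg2).
    Layout of msg2: EAPOL header (4), descriptor type (1), key info (2), key length (2), replay
    counter (8), nonce (32), IV (16), RSC (8), ID (8), MIC (16), key data length (2), RSN IE."""
    aa, spa = bytes.fromhex("000c4300aa01"), bytes.fromhex("001122334455")  # constructed MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                  # constructed nonces
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # CCMP / CCMP / PSK
    body = (b"\x02\x01\x0a\x00\x10" + bytes(7) + b"\x01" + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(MIC_LEN) + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    msg2 = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, msg2)  # the supplicant fills in the MIC computed from its own PSK
    return aa, spa, anonce, snonce, msg2[:MIC_OFFSET] + mic + msg2[MIC_OFFSET + MIC_LEN:]

def mic_matches(pmk: bytes, aa, spa, anonce, snonce, msg2) -> bool:
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN])

def crack_psk(ssid: str, aa, spa, anonce, snonce, msg2, wordlist):
    """Attacker view (slide 13): every candidate is checked offline against the captured MIC."""
    for cand in wordlist:
        if mic_matches(derive_pmk(cand, ssid), aa, spa, anonce, snonce, msg2):
            return cand
    return None

def identify_ppsk(ssid: str, ppsks: dict, aa, spa, anonce, snonce, msg2):
    """AP view (slide 14): one SSID, many PSKs; message 2 tells the AP which user's key was used.
    ppsks maps user/device -> passphrase. A production AP caches the PMKs instead of rerunning
    PBKDF2 on every association. None means unknown or revoked key: the handshake fails."""
    for user, passphrase in ppsks.items():
        if mic_matches(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce, msg2):
            return user
    return None

if __name__ == "__main__":
    hs = capture_handshake("passphrase123", "Corp-Wi-Fi")
    print("cracked:", crack_psk("Corp-Wi-Fi", *hs, ["password", "letmein", "passphrase123"]))
    print("ppsk owner:", identify_ppsk("Corp-Wi-Fi", PPSKS, *capture_handshake("99iK3-3jkl", "Corp-Wi-Fi")))
```

The point of the pairing: PPSK changes the blast radius and the revocation story, not the cryptography. A handshake captured from a PPSK user is still crackable offline against that one passphrase, so per-user keys still need to be long and random, and `identify_ppsk` is linear in the number of keys, which is why deployments cache PMKs rather than rerunning PBKDF2 per association.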
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
10 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash 8021XEAP authentication
LDAP
EAP EAP
RADIUSCLIENT AP
Root CA cert Server cert
bull Extensible Authentication
Protocol (EAP)
bull Server certificate and Root CA
certificate
bull Tunneled authentication using
SSLTLS
bull 8021X Port based access control
bull Authorization Framework
bull Supplicant
bull Authenticator
bull Authentication Server
bull Integrates with LDAP
11 | copy 2018 Aerohive Networks All Rights Reserved
Role Based Access Control
user-1
user-2
user-3
SSID Corp-Wi-Fi
AP RADIUS
VLAN 10
firewall-policy-A
bandwidth unlimited
VLAN 20
firewall-policy-B
bandwidth 4 Mbps
VLAN 30
firewall-policy-C
bandwidth 2 Mbps
If AD group = sales
then send AVP = Role-A
LDAP
Role-AVLAN 10
firewall-policy-A
bandwidth unlimited
Role-BVLAN 20
firewall-policy-B
bandwidth 4 Mbps
Role-CVLAN 30
firewall-policy-C
bandwidth 2 Mbps
Active Directory groups
sales
marketing
finance
If AD group = marketing
then send AVP = Role-B
If AD group = finance
then send AVP = Role-C
12 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash Fast Secure Roaming - Voice Enterprise
Roam
RADIUS Server
13 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Personal ndash Static PSK Security
Consider a traditional PSK SSID
8-63 character shared passphrase
Never intended for use in the
enterprise
Susceptible to offline dictionary attacks
Wi-Fi Alliance recommends 20 strong
characters or more
Biggest weakness is that the PSK
credential is ldquostaticrdquo
PSK = passphrase123
PSK = passphrase123
14 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
Authentication Private PSK
PPSK1 amp-334dfg
PPSK2 99iK3-3jkl
PPSK3 uuampamp$tY39Df
SSID Corp-Wi-Fi
passphrase amp-334dfg
SSID Corp-Wi-Fi
passphrase 99iK3-3jkl
SSID Corp-Wi-Fi
passphrase uuampamp$tY39Df
AP
All users and devices have unique credentials
If a user leaves or device is lost the PPSK credential is
simply changed for that one user or device
15 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
AP
User Profile-AVLAN 10 and FW-Policy-5
User Profile-AVLAN 10 and FW-Policy-5
User Profile-BVLAN 20 and FW-Policy-6
User Profile-BVLAN 20 and FW-Policy-6
User Profile-CVLAN 30 and FW-Policy-7User Profile-C
VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different
groups of users or devices to different user traffic settings
SSID Corp-Wi-Fi
Authentication Private PSK
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
11 | copy 2018 Aerohive Networks All Rights Reserved
Role Based Access Control
user-1
user-2
user-3
SSID Corp-Wi-Fi
AP RADIUS
VLAN 10
firewall-policy-A
bandwidth unlimited
VLAN 20
firewall-policy-B
bandwidth 4 Mbps
VLAN 30
firewall-policy-C
bandwidth 2 Mbps
If AD group = sales
then send AVP = Role-A
LDAP
Role-AVLAN 10
firewall-policy-A
bandwidth unlimited
Role-BVLAN 20
firewall-policy-B
bandwidth 4 Mbps
Role-CVLAN 30
firewall-policy-C
bandwidth 2 Mbps
Active Directory groups
sales
marketing
finance
If AD group = marketing
then send AVP = Role-B
If AD group = finance
then send AVP = Role-C
12 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash Fast Secure Roaming - Voice Enterprise
Roam
RADIUS Server
13 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Personal ndash Static PSK Security
Consider a traditional PSK SSID
8-63 character shared passphrase
Never intended for use in the
enterprise
Susceptible to offline dictionary attacks
Wi-Fi Alliance recommends 20 strong
characters or more
Biggest weakness is that the PSK
credential is ldquostaticrdquo
PSK = passphrase123
PSK = passphrase123
14 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
Authentication Private PSK
PPSK1 amp-334dfg
PPSK2 99iK3-3jkl
PPSK3 uuampamp$tY39Df
SSID Corp-Wi-Fi
passphrase amp-334dfg
SSID Corp-Wi-Fi
passphrase 99iK3-3jkl
SSID Corp-Wi-Fi
passphrase uuampamp$tY39Df
AP
All users and devices have unique credentials
If a user leaves or device is lost the PPSK credential is
simply changed for that one user or device
15 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
AP
User Profile-AVLAN 10 and FW-Policy-5
User Profile-AVLAN 10 and FW-Policy-5
User Profile-BVLAN 20 and FW-Policy-6
User Profile-BVLAN 20 and FW-Policy-6
User Profile-CVLAN 30 and FW-Policy-7User Profile-C
VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different
groups of users or devices to different user traffic settings
SSID Corp-Wi-Fi
Authentication Private PSK
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
12 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Security ndash Fast Secure Roaming - Voice Enterprise
Roam
RADIUS Server
13 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Personal ndash Static PSK Security
Consider a traditional PSK SSID
8-63 character shared passphrase
Never intended for use in the
enterprise
Susceptible to offline dictionary attacks
Wi-Fi Alliance recommends 20 strong
characters or more
Biggest weakness is that the PSK
credential is ldquostaticrdquo
PSK = passphrase123
PSK = passphrase123
14 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
Authentication Private PSK
PPSK1 amp-334dfg
PPSK2 99iK3-3jkl
PPSK3 uuampamp$tY39Df
SSID Corp-Wi-Fi
passphrase amp-334dfg
SSID Corp-Wi-Fi
passphrase 99iK3-3jkl
SSID Corp-Wi-Fi
passphrase uuampamp$tY39Df
AP
All users and devices have unique credentials
If a user leaves or device is lost the PPSK credential is
simply changed for that one user or device
15 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
AP
User Profile-AVLAN 10 and FW-Policy-5
User Profile-AVLAN 10 and FW-Policy-5
User Profile-BVLAN 20 and FW-Policy-6
User Profile-BVLAN 20 and FW-Policy-6
User Profile-CVLAN 30 and FW-Policy-7User Profile-C
VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different
groups of users or devices to different user traffic settings
SSID Corp-Wi-Fi
Authentication Private PSK
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
13 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Personal ndash Static PSK Security
Consider a traditional PSK SSID
8-63 character shared passphrase
Never intended for use in the
enterprise
Susceptible to offline dictionary attacks
Wi-Fi Alliance recommends 20 strong
characters or more
Biggest weakness is that the PSK
credential is ldquostaticrdquo
PSK = passphrase123
PSK = passphrase123
14 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
Authentication Private PSK
PPSK1 amp-334dfg
PPSK2 99iK3-3jkl
PPSK3 uuampamp$tY39Df
SSID Corp-Wi-Fi
passphrase amp-334dfg
SSID Corp-Wi-Fi
passphrase 99iK3-3jkl
SSID Corp-Wi-Fi
passphrase uuampamp$tY39Df
AP
All users and devices have unique credentials
If a user leaves or device is lost the PPSK credential is
simply changed for that one user or device
15 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
AP
User Profile-AVLAN 10 and FW-Policy-5
User Profile-AVLAN 10 and FW-Policy-5
User Profile-BVLAN 20 and FW-Policy-6
User Profile-BVLAN 20 and FW-Policy-6
User Profile-CVLAN 30 and FW-Policy-7User Profile-C
VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different
groups of users or devices to different user traffic settings
SSID Corp-Wi-Fi
Authentication Private PSK
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
14 | Private Pre-Shared Key (PPSK)
Diagram: one AP, SSID Corp-Wi-Fi, Authentication: Private PSK, three users
  PPSK1: &-334dfg
  PPSK2: 99iK3-3jkl
  PPSK3: uu&&$tY39Df
User 1 joins SSID Corp-Wi-Fi with passphrase &-334dfg
User 2 joins SSID Corp-Wi-Fi with passphrase 99iK3-3jkl
User 3 joins SSID Corp-Wi-Fi with passphrase uu&&$tY39Df
All users and devices have unique credentials
If a user leaves or a device is lost, the PPSK credential is simply changed for that one user or device
15 | Private Pre-Shared Key (PPSK)
Diagram: one AP, SSID Corp-Wi-Fi, Authentication: Private PSK, three users
  User 1 → User Profile-A: VLAN 10 and FW-Policy-5
  User 2 → User Profile-B: VLAN 20 and FW-Policy-6
  User 3 → User Profile-C: VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different groups of users or devices to different user traffic settings
16 | Private Pre-Shared Key (PPSK)
Multiple per-user and per-device PSKs assigned to a single SSID
Easy to deploy
No need for PKI certificates or RADIUS servers
Can be time-based credentials
Solves the "static" PSK problem
17 | PPSK Use Cases
Guest Access: Provide guest users with unique and secure credentials
BYOD: Onboarding personal and/or company-issued mobile devices with unique and secure credentials
IoT Devices: Provide unique and secure credentials for IoT devices. Many IoT devices (and other devices) only support WPA2 Personal (PSK)
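The PPSK mechanism on slides 14 to 17, as an added example that is not Aerohive's code: an AP-side SSID holding one PSK per user, mapping each to its user profile, with single-user revocation and time-based expiry. The PMK derivation is the real WPA2-Personal rule (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations, 32 bytes); the PTK/MIC derivation is a simplified stand-in for the 802.11 PRF, and the MACs, nonces, passphrases and profiles are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), as in WPA2-Personal."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def kck_from(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key confirmation key. Simplified stand-in for the 802.11 PTK PRF (HMAC-SHA256 here)."""
    data = (b"Pairwise key expansion" + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, data, hashlib.sha256).digest()[:16]

def msg2_mic(kck: bytes, msg2_body: bytes) -> bytes:
    """MIC the supplicant puts on 4-way handshake message 2 (truncated HMAC-SHA1, as WPA2 uses)."""
    return hmac.new(kck, msg2_body, hashlib.sha1).digest()[:16]

@dataclass
class Ppsk:
    owner: str                               # user or device that holds this passphrase
    profile: str                             # user profile: VLAN and firewall policy
    pmk: bytes
    valid_until: Optional[datetime] = None   # time-based credentials expire
    revoked: bool = False

class PpskSsid:
    """AP-side view of one SSID that accepts many PSKs, each tied to one owner."""

    def __init__(self, ssid: str, ap_mac: bytes):
        self.ssid, self.ap_mac, self.keys = ssid, ap_mac, []

    def add(self, owner: str, passphrase: str, profile: str,
            valid_for: Optional[timedelta] = None) -> None:
        pmk = wpa2_pmk(passphrase, self.ssid)
        if any(k.pmk == pmk for k in self.keys):
            raise ValueError("a PPSK must be unique per user/device")
        until = datetime.now(timezone.utc) + valid_for if valid_for else None
        self.keys.append(Ppsk(owner, profile, pmk, until))

    def revoke(self, owner: str) -> int:
        """Invalidate one owner's credential only; every other PPSK stays valid."""
        hits = [k for k in self.keys if k.owner == owner and not k.revoked]
        for k in hits:
            k.revoked = True
        return len(hits)

    def authorize(self, sta_mac: bytes, anonce: bytes, snonce: bytes, msg2_body: bytes,
                  mic: bytes, now: Optional[datetime] = None):
        """Find which live PPSK produced the message-2 MIC; return (owner, profile) or None.

        Message 2 does not say which passphrase the station used, so a PPSK AP tries
        each candidate PMK against the MIC and keeps the one that verifies."""
        now = now or datetime.now(timezone.utc)
        for k in self.keys:
            if k.revoked or (k.valid_until and now > k.valid_until):
                continue
            kck = kck_from(k.pmk, self.ap_mac, sta_mac, anonce, snonce)
            if hmac.compare_digest(msg2_mic(kck, msg2_body), mic):
                return k.owner, k.profile
        return None

def station_joins(ap: PpskSsid, sta_mac: bytes, passphrase: str, now=None):
    """Supplicant side: build message 2 with the station's passphrase and let the AP decide."""
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed nonces
    kck = kck_from(wpa2_pmk(passphrase, ap.ssid), ap.ap_mac, sta_mac, anonce, snonce)
    body = b"EAPOL-Key msg2|" + snonce          # stand-in for the real EAPOL-Key frame body
    return ap.authorize(sta_mac, anonce, snonce, body, msg2_mic(kck, body), now)

def demo() -> dict:
    """Constructed Corp-Wi-Fi scenario from the slides: three users, three PPSKs."""
    ap = PpskSsid("Corp-Wi-Fi", bytes.fromhex("020000000001"))        # constructed AP MAC
    ap.add("User 1", "&-334dfg", "User Profile-A: VLAN 10 and FW-Policy-5")
    ap.add("User 2", "99iK3-3jkl", "User Profile-B: VLAN 20 and FW-Policy-6")
    ap.add("User 3", "uu&&$tY39Df", "User Profile-C: VLAN 30 and FW-Policy-7",
           valid_for=timedelta(days=1))                                # time-based credential
    sta = bytes.fromhex("020000000002")                                 # constructed client MAC
    out = {"user1": station_joins(ap, sta, "&-334dfg")}
    ap.revoke("User 2")                  # User 2 leaves: only that one credential changes
    out["user2_after_revoke"] = station_joins(ap, sta, "99iK3-3jkl")
    out["user1_still_ok"] = station_joins(ap, sta, "&-334dfg")
    later = datetime.now(timezone.utc) + timedelta(days=2)
    out["user3_expired"] = station_joins(ap, sta, "uu&&$tY39Df", now=later)
    out["wrong_passphrase"] = station_joins(ap, sta, "not-a-ppsk")
    return out
```

Because the AP must test each candidate PMK against the message-2 MIC, a large PPSK population costs a linear scan per association; the per-owner revocation and expiry checks happen before that scan so dead credentials never reach the MIC comparison.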
18 | WIPS
19 | Protocol Security – Cooperative Control
20 | Protocol Security – CAPWAP
21 | Hardware Security
22 | WPA3
23 | Wi-Fi Alliance Security Certification
Diagram of the certification layers (labels recovered from the slide):
- WPA2 (required for WPA3): AES-128
- WPA2 Enhancements: PMF; Key Reinstallation Vulnerability Detection ('KRACK' protected); WPA2 Security Improvements
- WPA3: replaces PSK; disallow WEP/TKIP; PMF; AES-128 / AES-256
  - WPA3 - Personal: SAE
  - WPA3 - Enterprise: EAP-TLS, EAP-xx; 192-bit Security (optional)
24 | WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | WPA3 Personal
Disallows WEP & TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
• SAE is based on IEEE 802.11s (Mesh)
• Password is never shared during the key exchange protocol
• Uses a 'zero-knowledge proof'
• Resistant to dictionary attacks: you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
15 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
User 1
User 2
User 3
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
SSID Corp-Wi-Fi
AP
User Profile-AVLAN 10 and FW-Policy-5
User Profile-AVLAN 10 and FW-Policy-5
User Profile-BVLAN 20 and FW-Policy-6
User Profile-BVLAN 20 and FW-Policy-6
User Profile-CVLAN 30 and FW-Policy-7User Profile-C
VLAN 30 and FW-Policy-7
Multiple user profiles can be linked to a single SSID
PPSK User Groups can be leveraged to assign different
groups of users or devices to different user traffic settings
SSID Corp-Wi-Fi
Authentication Private PSK
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
16 | copy 2018 Aerohive Networks All Rights Reserved
Private Pre-Shared Key (PPSK)
Multiple per-user and per-
device PSKs assigned to a
single SSID
Easy to deploy
No need for PKI certificates or
RADIUS servers
Can be time-based credentials
Solves the ldquostaticrdquo PSK
problem
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
17 | copy 2018 Aerohive Networks All Rights Reserved
PPSK Use Cases
Guest Access Provide guest users with unique and secure
credentials
BYOD Onboarding personal andor company issued mobile
devices with unique and secure credentials
IoT Devices Provide unique and secure credentials for IoT
devices Many IoT devices andor devices only support WPA2
Personal (PSK)
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
18 | copy 2018 Aerohive Networks All Rights Reserved
WIPS
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
19 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash Cooperative Control
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
20 | copy 2018 Aerohive Networks All Rights Reserved
Protocol Security ndash CAPWAP
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
21 | copy 2018 Aerohive Networks All Rights Reserved
Hardware Security
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax ndash High Efficiency(HE)
80211ax uses PHY and MAC
layer enhancements for
better traffic management
The goal is to increase
average throughput 4X per
user in high-density scenarios
WPA3 security is required for 80211ax certification
30 | copy 2018 Aerohive Networks All Rights Reserved
The future 80211ax
80211ax blog series
httpsblogaerohivecomtag11ax
80211ax for Dummies Booklet httpscontentaerohivecom80211ax_dummies_book
31 | copy 2018 Aerohive Networks All Rights Reserved
Questions
32 | copy 2018 Aerohive Networks All Rights Reserved
Thank you
22 | copy 2018 Aerohive Networks All Rights Reserved
WPA3
23 | copy 2018 Aerohive Networks All Rights Reserved
Wi-Fi Alliance Security Certification
WPA3 - Enterprise
EAP-TLS
WPA3 - Personal
SAE
AES-128AES-256
192-bit
Security
PMF
EAP-xx
Optional
Optional
WPA3
AES-128
WPA2
Enhancements
WPA2 (required for WPA3)
PMF
Key Reinstallation
Vulnerability Detection
lsquoKRACKrsquo ProtectedReplaces
PSK
Disallow
WEPTKIP
WPA2 Security
Improvements
24 | copy 2018 Aerohive Networks All Rights Reserved
WPA2 Enhancements
Mandates support of Protected Management Frames (PMF)
Digital certificate validation checking is performed by stations
Multiple AKM support validation
Patched against the KRACK attack against WPA2
25 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Personal
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Replaces PSK with Simultaneous Authentication of Equals (SAE)
bull SAE is based on IEEE 80211s (Mesh)
bull Password is never shared during the key exchange protocol
bull Uses lsquoZero knowledge proofrsquo
bull Resistant to dictionary attacks you only get to guess the password once
26 | copy 2018 Aerohive Networks All Rights Reserved
WPA3 Enterprise
Disallows WEP amp TKIP protocols
Requires the use of Protected Management Frames
Optional Suite B Security certification provides greater security
bull Based on US Government cryptographic tools for sensitive networks
bull 192-bit Security suite of protocols includes
bull AES-GCM-256 for authenticated encryption
bull HMAC-SHA384 for key derivation and key confirmation
bull ECDHE and ECDSA using a 384-bit elliptic curve
bull RSA key lengths of 3k-bits or greater
bull BIP-GMAC-256 for robust management frame protection
27 | copy 2018 Aerohive Networks All Rights Reserved
SAE
WPA3 replacement for PSK
authentication
Secure Authentication of Equals
(SAE)
SAE is a variant of Dragonfly a
password authentication key
exchange based on a zero-
knowledge proof
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
28 | copy 2018 Aerohive Networks All Rights Reserved
SAE
SAE commit
SAE commit
SAE confirm
SAE confirm
Select passphrase Select passphrase
Prove you know the
credentials without
compromising the credentials
No forging modification or
replay attacks
No offline dictionary attacks
29 | The future: 802.11ax
802.11ax – High Efficiency (HE)
802.11ax uses PHY and MAC layer enhancements for better traffic management
The goal is to increase average throughput 4X per user in high-density scenarios
WPA3 security is required for 802.11ax certification
30 | The future: 802.11ax
802.11ax blog series: https://blog.aerohive.com/tag/11ax
802.11ax for Dummies booklet: https://content.aerohive.com/80211ax_dummies_book
23 | Wi-Fi Alliance Security Certification
Diagram: WPA3 builds on WPA2; WPA2 certification, with the enhancements below, is required for WPA3
WPA3 - Enterprise: EAP-TLS / EAP-xx; AES-128 / AES-256 (optional); 192-bit Security (optional); PMF
WPA3 - Personal: SAE (replaces PSK); AES-128; PMF
WPA3 (both modes): disallows WEP/TKIP
WPA2 Enhancements (required for WPA3): PMF; Key Reinstallation Vulnerability Detection ('KRACK' protected); WPA2 security improvements
31 | Questions
32 | Thank you