CTS 229: Introduction to WPA3
Clear To Send: Wireless Network Engineering - A podcast by Rowell Dionicio and François Vergès
Categories:
In this episode, we are providing an introduction to WPA3. We also show how to configure it on a Cisco controller as well as how you could validate it by looking at Wi-Fi frames: Introduction WPA3 is the improved version of Wi-Fi security. It updates WPA2 which is commonly used everywhere in Wi-Fi networks. Why the need for WPA3? * KRACK Attack* https://www.cleartosend.net/cts-094-sealing-krack-attack/* WPA2-PSK is subject to dictionary attacks WPA3 brings the following: * Increased crypto strength* Dumps legacy protocols* Mandates Protected Management Frames (PMF)* https://www.cleartosend.net/802-11w-management-frame-protection/* Mandatory for Wi-Fi 6 (more and more devices will support WPA3) There are two versions of WPA3 which are similarly named from WPA2: * WPA3-Personal* Pre-shared Key* Simultaneous Authentication of Equals (SAE) is used* WPA3-Enterprise* Builds upon WPA2-Enterprise* Enhanced encryption* WPA3-Enterprise also offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data:* Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256)* Key derivation and confirmation: 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (HMAC-SHA384)* Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve* Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256) WPA3 Modes There are a few modes WPA3 can be implemented * WPA3-Personal only* WPA3-Personal transition* WPA3-Enterprise only* WPA3-Enterprise transition* WPA3-Enterprise 192-bit* WPA3 Fast BSS Transition* WPA3-Enterprise Server Certificate Validation WPA3-Personal * Mandatory* AP enables at least AKM suite selector of 00-0F-AC:8 (SAE Authentication)* STA allows at least AKM 00-0F-AC:8 for association* AP and STA must use PMF* AP and STA sets MFPC and MFPR to 1* Must use only DH groups 15-21, group 19* Requirement* AP and STA does not enable AKM 00-0F-AC:2 (WPA2-PSK) and 00-0F-AC:6 (PSK using SHA-256)* AP doesn’t enable WPA on same BSS with WPA3-Personal* No WEP and TKIP on same BSS as WPA3-Personal* STA will use SAE when AP supports SAE and PSK WPA3-Personal Transition * Mandatory* AP enables at least AKM 00-0F-AC:2 (WPA2-PSK) and 00-0F-AC:8 (WPA3-Personal)* STA allows at least AKM 00-0F-AC:2 (WPA2-PSK) and 00-0F-AC:8* AP sets MFPC to 1, MFPR to 0* STA sets MFPC to 1, MFPR to 0* AP rejects association for SAE if PMF is not negotiated* STA negotiates PMF when associating to AP using SAE* Recommended* AP enables AKM 00-0F-AC:6* STA allows 00-0F-AC:6* Requirement* AP doesn’t enable WPA on same BSS with WPA3-Personal* No WEP and TKIP on same BSS as WPA3-Personal* STA will use SAE when AP supports SAE and PSK WPA3-Enterprise Only * PMF will be set to capable which is the MFPC bit set to 1 and MFPR bit set to 1 in the RSN Capabilities field* No WPA version 1 enabled on the same BSS on WPA3-Enterprise WPA3-Enterprise transition mode * WPA2-Enterprise and WPA3-Enterprise transition mode on same BSS, PMF will be set to capable which is the MFPC bit set to 1 and MFPR bit set to 0 in the RSN Capabili...