Wi-Fi Security Enhancements: Part 1 – WPA3-Personal (SAE)

If you hadn’t heard, there are some great updates coming to Wi-Fi security this year with improvements around robustness and ease of onboarding.  To get up to speed I highly recommend checking out the Cisco Live on-demand video of BRKEWN-2006 Advancements in Wireless Security from San Diego, presented by Distinguished SE Stephen Orr (@StephenMOrr) and TSA Bob Sayle (@Bob_In_IT).  Support for WPA3-Personal is a requirement of Wi-Fi 6 certification (support for WPA3-Enterprise and Enhanced Open/OWE is optional), so even if you may not be planning to deploy it anytime soon, it is important to understand how to configure and analyse it.  You might want to grab a coffee for this one!

brkewn-2006

In this multi-part blog series I will take a look at how to configure support for these new security features on your Cisco wireless network, cover device support, and look at packet captures to see what is going on behind the scenes.  Note: these articles assume you have CWAP or CWSP-level knowledge of 802.11 authentication processes.

First up, we’ll start with WPA3-Personal which uses Simultaneous Authentication of Equals (SAE).  This is the new version of WPA2-Personal, or WPA2-PSK, as most Wi-Fi networks use today in home/small office environments or when devices can’t support 802.1X authentication methods (we’ll cover WPA3-Enterprise with 802.1X in a future part).

As outlined in Cisco Live breakout BRKEWN-2006, SAE provides forward secrecy which essentially means the requirement for strong, complex passwords with WPA2-Personal no longer applies for WPA3-Personal.  SAE is resistant to offline dictionary attacks, and even protects data even if a password is later compromised.

So, how do we configure a WLAN to support SAE?

WPA3-Personal SSID Configuration

There are subtle differences in the configuration required from a WPA2-Personal WLAN on a Cisco Catalyst 9800 Wireless LAN Controller (note: WPA3 support comes in IOS-XE 16.12 & AireOS 8.10), and configuration on other WLAN infrastructure should be similar:

  1. Protected Management Frames (PMF) is Mandatory for WPA3, so we need to set this to ‘Required’,
  2. Fast Transition (802.11r) needs to be disabled (802.11r support has been left out of the current versions of WPA3-Personal & WPA3-Enterprise). Roaming will use a PMKID roam for now.

That’s it! Later in this post, I will cover configuring support for both WPA2 & WPA3 (aka Transition Mode) on the same SSID. For those of you interested in the IOS-XE CLI commands, here you go:

wlan coops-SAE 55 coops-SAE 
radio dot11a 
no security ft over-the-ds 
no security ft adaptive 
no security wpa wpa2 
security wpa psk set-key ascii 0 ***** 
no security wpa akm dot1x 
security wpa akm sae 
security wpa wpa3 
security pmf mandatory 
no shutdown

And here’s the AireOS equivalent:

config wlan create 55 coops-SAE coops-SAE
config wlan security wpa akm 802.1x disable 55
config wlan security wpa akm sae enable 55            
config wlan security pmf required 55
config wlan security wpa akm psk set-key ascii ***** 55
config wlan security wpa wpa2 disable 55
config wlan security wpa wpa3 enable 55 
config wlan security ft disable 55
config wlan enable 55

Client & SSID SAE Support

With the upcoming release of Apple iOS 13, iPadOS, and macOS Catalina; compatible iDevices will support these new security features.  As of iPadOS 13 public beta 2 WPA3-Personal is supported (this article was published on 29th July 2019).

Likewise, Samsung has introduced WPA3-Personal support in Android Pie (v9) with WLAN v1.0 Release 2 security software version.  Full support for WPA3 and OWE will come in Android Q.

WPA3-Personal is also supported in Windows 10 Insider Preview Building 18912 (20H1).

Now, how do we confirm these capabilities?  With a packet capture of course!

Samsung Galaxy S10e Probe Request

First let’s take a look at my Samsung Galaxy S10e.

This is Probe Request broadcast by the S10e (with a random MAC address and to a wildcard destination, i.e. see who responds), and we can see some of it’s 802.11 capabilities such as 802.11ax/HE element support, Fast Initial Link Setup (FILS), and some vendor specific elements including a Wi-Fi Alliance element.

iPad Probe Request

The iPad performs a directed Probe Request for the coops-SAE SSID, and advertises its capabilities.

Probe Response

Now we expect wireless networks within range to send a Probe Response, so here is the response for my WPA3-Personal SSID running on my Cisco Catalyst 9115AXI AP to the S10e:

We are looking at the 802.11i RSN (Robust Security Network) information and capabilities, and here we can see the SSID supports SAE with SHA256 for the Authentication Key Management (AKM).

And as expected, the AP responds to the iPad with the same information and capabilities:

SAE Association & Authentication

SAE Authentication

The big difference between WPA2-Personal and WPA3-Personal to provide robustness and protection against key re-installation attacks (KRACK, which would happen at the Message 3 stage of the 4-Way Handshake) is that WPA3-Personal doesn’t use 802.11 Open System Authentication between the client and AP prior to Association.  Instead, WPA3-Personal uses SAE Authentication based on the Dragonfly Key Exchange to calculate the PMK with Elliptic Curve Cryptography (definitely time to watch the BRKEWN-2006 recording if you haven’t already!).

FYI the graphic above depicts a Cisco in FlexConnect mode + local authentication.

Flex + central auth would have the same SAE authentication between client & AP, Association request is forwarded to a WLC and the response is forwarded back to the AP, and the 4-way handshake occurs between client and WLC.

With a Local mode AP, almost all authentication and association flows between client and WLC.

S10e SAE Authentication

SAE Message 1 – Here in frame 924 we see the S10e send a Commit message to the AP with its Group ID, scalar and a new point on the Elliptic Curve (the Finite Field Element information).

SAE Message 2 – Next in frame 928 we see the AP send its Commit message back to the S10e with its scalar and ECC point.

SAE Message 3 – In frame 933 the S10e sends its Confirm message to the AP with a Confirmation token.

SAE Message 4 – Lastly, in frame 935 the AP responds with its Confirm and token and now Association can occur given a secure channel has been established.

iPad SAE Authentication

The iPad performs SAE authentication with the AP in the same manner.  Here are the 4 messages from the Authentication frames 118 to 129:

 

S10e Association

The S10e requests to associate to the coops-SAE SSID using SAE with SHA256 for AKM.

The Cisco AP responds with a successful Association Response.  Now, the 4-Way Handshake can occur between the AP and client.

iPad Association

Likewise, the iPad performs similar association with the AP:

S10e 4-Way Handshake

The authentication process for both PSK/SAE and 802.1X use EAPOL-Key frames to perform the 4-Way Handshake, and this occurs as we would expect similar to WPA2.  When can see the key messages and ACKs in frames 997 through to 1006.

iPad 4-Way Handshake

The iPad performs a successful 4-Way Handshake as expected in frames 135 through to 144:

WPA3-Personal Transition Mode

To allow interoperability with WPA2 devices without creating an additional SSID, WPA3-Personal can also advertise the WPA2-PSK capabilities in the information elements.  The key point to remember is that while SAE provides additional security around the passphrase/PSK used, this same passphrase needs to be shared for both WPA2 and WPA3 authentication.  There are also some vulnerabilities identified with Transition Mode, therefore I recommend using caution with this feature.  More information can be found here: https://wpa3.mathyvanhoef.com/#new

Transition SSID Configuration

To provide support for both WPA2-PSK and WPA3-SAE on an SSID, we simply need to add WPA2 support for authentication, PSK for key management, and set PMF to optional.  802.11r Fast Transition remains disabled.

Transition Beacon Elements

Now that I have configured support for both WPA2-PSK and WPA3-SAE on the SSID, let’s take a look at the beacon for coops-SAE and see what the RSN security capabilities are.

Here we can see that both PSK and SAE are supported for authentication key management.  Great!  Now let’s make sure we can connect a WPA2 and a WPA3 device to the SSID.  I’ll use the same Samsung Galaxy S10e and an iPhone 8 running iOS 12.4 (which doesn’t support WPA3).

Transition Clients

Here we can see the two clients connected in the 9800 WLC dashboard:

Let’s check the S10e is connected using SAE:

Success!  And now let’s check the iPhone 8:

Nice! Transition mode works just as expected.  Now, that doesn’t mean that all WPA2 clients will successfully work with a WPA3 transition mode SSID.  Some older clients may have issues with understanding the two AKM capabilities in a beacon or association response.  As always, test all your clients before you deploy!

What’s Next?

If you have devices and WLAN infrastructure that is capable of WPA3, then you could begin testing interoperability.  It will be some time before all modern clients will have driver/software support, and some will never introduce support.  But as WPA3-Personal is mandatory for Wi-Fi 6 certification, I’m sure within a year we will see enterprise networks beginning to run WPA3 in transition mode on their networks. However, we expect to see the Wi-Fi Alliance updating WPA3 operations to mitigate the vulnerabilities discovered by Mathy Vanhoef and Eyal Ronen to ensure these new security standards are definitely the way forward in secure wireless access.

Next in this series I will cover Wi-Fi Certified Enhanced Open which uses Opportunistic Wireless Encryption (OWE) for guest/open networks.

Hope you found this article useful!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s