WPA3 – SAE in Action

In my previous blog, I discussed some of the concepts of Diffie-Hellman (DH) key exchange and elliptic curve cryptography. In this post, I will discuss how these work together to enable secure connectivity with WPA3-SAE. To understand this better, I configured an SSID on a Juniper Mist access point, with the authentication protocol setting toggled between WPA3-PSK + WPA2 and WPA3-PSK modes for different packet captures. WPA3-PSK + WPA2 is the transition mode, in which the SSID supports both legacy WPA2 (PSK) only clients and WPA3 SAE capable client devices, whereas WPA3-PSK mode supports SAE only. The Juniper Mist AP41 access point is on version 0.9.22801, and the client device, an iPhone XR that supports WPA3, is on iOS version 14.7.1.

First, let’s examine the RSN information element (IE) in the beacons in transition mode.

RSN IE SSID in Transition Mode

Notice that the authentication key management (AKM) suite list has two entries: 00-0F-AC-02 for PSK and 00-0F-AC-08 for Simultaneous Authentication of Equals (SAE). Management frame protection is enabled but not mandatory in transition mode. This enables backward compatibility with WPA2 PSK devices that don’t support management frame protection. The group management cipher suite has suite type 00-0F-AC-06, indicating it uses BIP-CMAC-128 for management frame encryption.

Now let’s look at the RSN information element when the SSID is configured for WPA3-PSK mode.

RSN IE SSID in WPA3-SAE mode

The main differences from transition mode are that this mode supports only one type of authentication key management, 00-0F-AC-08 (SAE), and that management frame protection is mandatory. Examining the RSN IE in the beacons should help in identifying the SSID authentication settings.

Now let’s look into the SAE exchange between the access point and the client device.
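To make the comparison of the two beacons concrete, here is an added example (not part of the original post or its captures) that parses an RSN IE and classifies the SSID from its AKM list and management frame protection bits. The two sample elements are constructed by hand, and the function names are my own.

```python
import struct

OUI = bytes.fromhex("000fac")
AKM_NAMES = {2: "PSK", 8: "SAE"}     # the two suite types named in the post
MFPR, MFPC = 0x0040, 0x0080          # RSN capability bits 6 (required) and 7 (capable)

def parse_rsn(ie: bytes) -> dict:
    """Return AKMs, MFP bits and group management cipher from an RSN element."""
    if len(ie) < 4 or ie[0] != 0x30 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, off = ie[2:], 0
    def take(n):
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated RSN element")
        off += n
        return body[off - n:off]
    def suites():
        count = struct.unpack("<H", take(2))[0]
        return [take(4) for _ in range(count)]

    take(2)                          # version
    take(4)                          # group data cipher suite
    suites()                         # pairwise cipher suites
    akms = [AKM_NAMES.get(s[3], s.hex("-")) if s[:3] == OUI else s.hex("-")
            for s in suites()]
    caps = struct.unpack("<H", take(2))[0]
    gmc = None
    if off < len(body):              # optional PMKID list, then group mgmt cipher
        take(16 * struct.unpack("<H", take(2))[0])
        if off < len(body):
            gmc = take(4).hex("-")
    return {"akms": akms, "mfp_capable": bool(caps & MFPC),
            "mfp_required": bool(caps & MFPR), "group_mgmt_cipher": gmc}

def classify(rsn: dict) -> str:
    akms = set(rsn["akms"])
    if akms == {"SAE"} and rsn["mfp_required"]:
        return "WPA3-SAE only"
    if akms == {"PSK", "SAE"} and rsn["mfp_capable"] and not rsn["mfp_required"]:
        return "WPA3 transition (WPA2-PSK + SAE)"
    if akms == {"PSK"}:
        return "WPA2-PSK only"
    return "other"

# Constructed sample elements (not copied from the post's packet captures).
TRANSITION = bytes.fromhex("301e0100000fac040100000fac040200000fac02000fac0880000000000fac06")
SAE_ONLY = bytes.fromhex("301a0100000fac040100000fac040100000fac08c0000000000fac06")
```

Running classify(parse_rsn(...)) over the RSN IE of every beacon in a survey capture flags SSIDs that still accept WPA2-PSK alongside SAE.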

Authentication Frame Exchanges

After the initial probe request and response, four frames are exchanged in SAE, in place of the two frames in WPA2-PSK, which uses open system authentication. This four-frame exchange is built on the principles of public key cryptography and Elliptic Curve Diffie-Hellman (ECDH) groups. The first two frames are commit messages and the last two are confirm messages. Below is a snippet of the authentication element from a commit message.

Frame 1: Commit message 1

The authentication element of the frame has 6 fields. The first field indicates the type of authentication algorithm, which in this case is SAE, followed by a sequence number and status code. The next field, Group ID, plays a critical role in the SAE process. This ID refers to a set of parameters defined by IANA that helps both the client device and the access point determine the point on an elliptic curve without having to exchange the password and other details over an insecure channel. Group ID 19 uses ECP, which defines the math behind mapping the PSK to a point P on an elliptic curve (EC) and mandates the use of 256-bit keys for high security. ECP provides higher security with less compute than the other DH groups that use MODP, which relies on modulus functions to determine P. A Diffie-Hellman exchange only works when both parties can agree on a common variable, in this case a point on an elliptic curve. The next fields are the scalar and the finite field element. The scalar is randomly chosen by the device, and the finite field element (FFE) is the result of a calculation with P determined by using ECP.

The second commit frame, from the access point to the client device, contains the same elements with a scalar and FFE of its own.

Frame 2: Commit message 2

The third frame in the sequence is the confirm message from client device to the access point.

Frame 3: Confirm message 1

The fourth frame is the confirm message from access point to client device.

Frame 4: Confirm message 2

Each device uses the scalar and FFE received from the other device to calculate the shared secret, which is the seeding material for the PMK calculation, and then sends its confirm message. It is important to note that the confirm field value in frames 3 and 4 is different because the order of the values hashed by the client and the AP is different. However, each device can calculate the hash of the other device to confirm they are using the same key. The entire SAE exchange that calculates and confirms the shared secret is also called the Dragonfly key exchange. If you are interested in the specific math details of the exchange, they can be found here. After the SAE exchange, the devices proceed with the association process followed by the 4-way handshake. The following summarizes the SAE frame exchange process.

Client             --Commit-->           Access Point
Client             <--Commit--           Access Point
Client             --Confirm-->          Access Point
Client             <--Confirm--          Access Point

Comparing this with the DH paint analogy makes it easier to understand.

Public Key Cryptography Demonstration

Alice and Bob agree on a group ID defined by IANA to determine P on a curve, which can be treated as the common paint. They exchange the scalar and FFE over public transport, which can be treated as part of the public key. It is not possible to determine the private keys/secret colors from these values. They use this information to calculate the common secret and in turn the PMK, which is used to derive session keys in the 4-way handshake. Because the secrets are device and session specific, even if the password is compromised, the attacker cannot decrypt the traffic of other users.

References:

  1. https://mrncciew.com/2019/11/29/wpa3-sae-mode/
  2. Presentation by Hemant Chaskar at WLPC 2019 https://www.youtube.com/watch?v=fCsR8aK4mqE
  3. https://sarwiki.informatik.hu-berlin.de/WPA3_Dragonfly_Handshake
  4. Packet Capture

Keys to Understanding WPA3 – SAE: Diffie-Hellman Key Exchange, Elliptic Curve Cryptography and Dragonfly Key Exchange

WPA3 certification was introduced by the Wi-Fi Alliance in 2018 as a successor to WPA2. It aims to alleviate the vulnerabilities in WPA2 and provide more secure wireless networks. It introduces new concepts like Simultaneous Authentication of Equals (SAE), Dragonfly key exchange, NIST elliptic curve cryptography, etc. To make it easier to understand WPA3 as a whole, I will discuss each component individually in detail. WPA3 replaces Pre-Shared Key with Simultaneous Authentication of Equals (SAE) to derive the Pairwise Master Key (PMK), which enables secure communication even when the password is compromised. To understand how this is achieved, we need to understand how Diffie-Hellman key exchange and elliptic curve cryptography work in conjunction with the Dragonfly key exchange.

Diffie-Hellman key exchange establishes a session key between two entities without actually having to exchange any key information over a public insecure channel. Let’s use the usual security names, Alice and Bob, for the two entities. Alice and Bob agree on two numbers g and p, where p is a prime number. Alice chooses her private key to be a and Bob chooses b.

Alice calculates g^a mod p and sends it to Bob. Bob calculates g^b mod p and sends it to Alice. This exchange happens over an insecure channel. Alice and Bob then perform the same multiplicative operation with modulo p against the values received.

Alice             <--agree on g and p-->           Bob
g^a mod p            <----Exchange---->           g^b mod p
(g^b mod p)^a mod p   --Derive key--   (g^a mod p)^b mod p

For example, consider a=4, b=3, p=23 and g=5.

Alice             <--agree on g=5 and p=23-->   Bob
g^a mod p = 4          <----Exchange---->      g^b mod p = 10
(g^b mod p)^a mod p = 18   --Derive key--   (g^a mod p)^b mod p = 18

The strength of the algorithm lies in the fact that (g^b mod p)^a mod p is the same as g^(ba) mod p, and with large values of a, b and p it is computationally close to impossible to obtain g^(ba) mod p without knowing the private keys a and b. This is an example of a trapdoor function, which is nothing but a one-way function: for a given x it is easy to calculate y = f(x) but very difficult to find x = f^-1(y). The basic concept of the DH exchange is best explained with the paint analogy.

In this analogy, g and p are the common paint, a and b are the secret colors and g^(ab) mod p is the common secret derived. This was one of the earliest implementations of the Diffie-Hellman algorithm. The CWSP-206 study guide explains the same concept with a different trapdoor function.

Here, George and Billy agree on 3 and 5 as their common numbers, and the operation they use is raising to a power.

George (3^5 = 243)        ------------         Billy (3^5 = 243)
secret 4, 243^4          <------------>        secret 7, 243^7
(243^4)^7                 ------------         (243^7)^4

Now that we have a good idea of what DH key exchange means, let’s take a look at Elliptic Curve Cryptography (ECC).

Elliptic curves like the one shown in the picture are sets of points bound by the equation y^2 = x^3 + ax + b. Different curves use variations of this equation. To derive the PMK, WPA2 uses a well-known hash function on the password, whereas in WPA3 the password is indexed onto a point on the curve, which is then used as the generator to hash and derive the PMK. Hashing a password directly can be susceptible to a dictionary attack. It becomes very difficult to do this against generator points on an elliptic curve, because a change in a single character of the password can lead to a different generator point, and hashing that point can result in a totally different PMK.

WPA3 also makes it impossible to derive the PMK of individual sessions even when the password is compromised. Knowing the password can help the hacker identify the generator point on the elliptic curve, but the integration of Diffie-Hellman with ECC in the Dragonfly key exchange makes it impossible to derive an individual session PMK. The trapdoor function in this case could be scalar multiplication. According to the discrete logarithm problem, for two points Q and P on the elliptic curve where Q = n.P (n times P), it is impossible to determine ‘n’ based on only Q and P.

Let’s take a deeper dive into Dragonfly Key Exchange

The client device and access point in this diagram are both configured with a password for authentication. The client device chooses a secret A and the access point chooses a secret B. At this point, let’s assume the password is already compromised and the hacker knows the generator point for the PMK. The client hashes secret A with the generator point and transmits DH Hash A. The access point follows a similar process with secret B to create DH Hash B and transmits it to the client. Having received DH Hash B, the client hashes it with secret A to derive the PMK, and the access point hashes DH Hash A with its secret B to derive the same PMK, following the DH exchange described earlier. Without knowing secret A and secret B, the hacker will not be able to derive the PMK just from the password.

I hope this helped in understanding the WPA3 – SAE fundamentals. If you are interested in learning more, I recommend the video playlist from Mojo Networks on YouTube, which provides a simplified yet informative explanation of WPA3 concepts. I will be writing another blog post on frame exchanges during WPA3 – SAE authentication in the future.
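The commit and confirm steps from the SAE frame walk-through earlier on this page, and the secret A / secret B description above, can be traced with small numbers. This is an added example, not code from the original post: it goes slightly beyond the text by using the Dragonfly commit arithmetic (scalar = rand + mask, element = -(mask * PWE)) on a toy 5-bit curve, and the curve, the password-to-point mapping and the confirm hash are simplifying assumptions.

```python
import hashlib
import hmac

# Toy curve y^2 = x^3 + 2x + 2 over F_17; G = (5, 1) has prime order 19.
# SAE group 19 uses a 256-bit curve; these tiny constants are assumptions.
P, A, R, G = 17, 2, 19, (5, 1)

def add(p, q):
    """Add two points; None stands for the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(n, p):
    """Double-and-add scalar multiplication n*p."""
    acc = None
    for bit in bin(n % R)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, p)
    return acc

def password_element(password: bytes):
    # Simplified mapping; real SAE also mixes in both MAC addresses.
    digest = hashlib.sha256(password).digest()
    return mul(int.from_bytes(digest, "big") % (R - 1) + 1, G)

def commit(pwe, rand, mask):
    """Scalar and element (FFE) for a commit; element = -(mask * PWE)."""
    x, y = mul(mask, pwe)
    return (rand + mask) % R, (x, -y % P)

def shared_secret(pwe, rand, peer_scalar, peer_element):
    """K = rand * (peer_scalar*PWE + peer_element) = rand * peer_rand * PWE."""
    return mul(rand, add(mul(peer_scalar, pwe), peer_element))

def confirm(k, mine, peer):
    """Keyed hash over own commit first, then the peer's (simplified)."""
    key = hashlib.sha256(bytes(k)).digest()
    return hmac.new(key, repr((mine, peer)).encode(), hashlib.sha256).hexdigest()
```

With a constructed password and fixed values such as rand=7, mask=11 for the client and rand=5, mask=3 for the AP, both sides reach the same K from shared_secret, while their confirm values differ because each hashes its own commit first. Someone who knows the password element but neither rand sees only the scalars and elements, which on a real 256-bit group do not reveal K.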

References:

  1. CWSP-206 Study and Reference Guide from Certitrek
  2. Wikipedia
  3. Youtube playlist on WPA3 Enhancements by Mojo Networks

Hands-On Deep Dive into Opportunistic Key Caching

Opportunistic key caching (OKC) is a fast secure roaming technique that leverages sharing the Pairwise Master Key (PMK) across access points that are under a single administrative control. After a client authenticates to an access point and derives a PMK, the access point shares this PMK along with a PMKID with other access points. The protocols used to share this information between access points are often proprietary. The PMKID is the result of a hash function on the PMK, the client MAC address and the authenticator address. The PMKID allows the creation of unique security associations between the devices.

PMKID

In this demonstration, the client device (a Windows 10 machine) roams from AP1 to AP2. Both access points are from Aerohive and are placed optimally to encourage client roaming. The MAC address of the client device is 0028:f8ab:cb51, the authenticator address (BSSID) of AP1 is c413:e23d:40e5 and that of AP2 is c413:e23d:8965. The following is a step-by-step procedure to demonstrate the process of roaming using OKC.

Step 1: The client connects to AP1 and uses the full 802.1X/EAP process to derive a PMK and PMKID #1.

Init AP1.PNG

Step 2: AP1 communicates this information to AP2 over LAN using proprietary protocols.

Init AP2

Notice the hop count is 0 on AP1 and 1 on AP2 because the device is initially connected to AP1.

Step 3: When the client device moves away from AP1 and closer to AP2, the client device calculates a new PMKID #2 using the PMK along with AP2’s address and the client MAC address. This information is sent in the reassociation request packet.

Roaming process

The PMKID #2 can be found under the RSN information tag of the reassociation request packet.

RSN tag

Step 4: AP2 calculates PMKID #2 from the client MAC address information received through the reassociation request. If PMKID #2 matches, then reauthentication is not required and AP2 sends a success code in the reassociation response. At this stage, AP2 has the new PMKID #2 and the PMK, which will allow for a unique security association.

Post AP12.PNG

Step 5: The encryption keys are generated through the 4-way handshake after the reassociation process, and the client device sends a disassociation frame to AP1.

This procedure is summarized in the following picture.

OKC Roaming

OKC eliminates the need for the 802.1X/EAP process, resulting in a faster handoff between the access points. Time analysis of this demonstration indicated that it took only 2.96 milliseconds after the reassociation response to generate the keys, while the initial authentication to AP1 using the entire 802.1X/EAP process took about 93.87 milliseconds to generate keys after the association phase.

Resources:

  1. CWSP Study Guide by David A. Coleman, David A. Westcott and Bryan Harkins
  2. Packet captures available for download here.