Enhanced Open

Securing Open networks with automated encryption and PMF.

Wi-Fi networks with Open security transport and pass data in the clear, offering no encryption and no protection from passive eavesdroppers.

Enhanced Open provides unauthenticated data encryption and protects data from sniffers.

Protocol

Open security is one of the original IEEE 802.11 access methods for connecting clients to APs. Open uses an authentication architecture called Open System Authentication (OSA). OSA offers no encryption. When utilized independently, OSA permits WLAN access to any client.

sequenceDiagram
    Note over Client,AP: Discovery
    Note over Client,AP: Open System Authentication
    Note over Client,AP: Association

Enhanced Open adds automatic encryption without requiring credentials, enabling private communication between client and AP. Encryption is provided by Opportunistic Wireless Encryption (OWE), defined in RFC 8110. With OWE, the client and AP perform an unauthenticated Diffie-Hellman key exchange that results in a unique Pairwise Master Key (PMK). The resulting key is used in a 4-way handshake after association to generate the traffic encryption keys.

sequenceDiagram
    Note over Client,AP: Discovery
    Note over Client,AP: Open System Authentication
    Client->>+AP:Association request with<br>Diffie-Hellman parameter<br>X (public key)
    Note left of AP:PMK generation:<br>y←random<br>Y=y*g<br>S=y*X<br>PMK=KDF(S,label)
    AP->>+Client:Association response with<br>Diffie-Hellman parameter<br>Y (public key)
    Note right of Client:PMK generation:<br>x←random<br>X=x*g<br>S=x*Y<br>PMK=KDF(S,label)
    Note over AP,Client: 4-way handshake

The resulting benefit is a Wi-Fi network more secure than a shared, public PSK (WPA2-Personal), because OWE is not susceptible to the passive attack that lets an attacker eavesdrop on, forge, and replay frames on the network. Enhanced Open is also easier to deploy because there is nothing to provision. There is no password.
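The exchange described above, worked through in code as an added example (this is not code from the original page or from the vendor). It assumes group 19 (NIST P-256), carries only the x-coordinate of each public key as the Diffie-Hellman Parameter element does, and derives the PMK and PMKID with the HKDF construction from RFC 8110. The curve arithmetic is written out by hand so the example runs offline with only the standard library; it is not constant time, so production code should use a vetted crypto library.

```python
# Added example (not code from the original page): the OWE key agreement of
# RFC 8110 on group 19 (NIST P-256). Following the RFC, the PMK is
#   prk   = HKDF-extract(C | A | group, z)
#   PMK   = HKDF-expand(prk, "OWE Key Generation", 256 bits)
#   PMKID = Truncate-128(SHA-256(C | A))
# with C and A the client's and AP's public x-coordinates as carried in the
# Diffie-Hellman Parameter element, and z the x-coordinate of the shared
# point. Curve arithmetic is written out so the example runs offline; it is
# not constant time, so real code should use a vetted crypto library.
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
GROUP = 19          # 2-octet group number in the Diffie-Hellman Parameter element
COORD_LEN = 32      # octets per coordinate for P-256


def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _lift_x(x):
    """Recover a curve point from its x-coordinate (p = 3 mod 4, so the square
    root is v^((p+1)/4)). Either sign of y yields the same ECDH x-coordinate,
    which is why the element only needs to carry x."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x-coordinate is not on P-256")
    return (x, y)


def owe_public(priv):
    """Diffie-Hellman Parameter element payload: x-coordinate of priv*G."""
    return _mul(priv, G)[0].to_bytes(COORD_LEN, "big")


def owe_pmk(priv, client_pub, ap_pub, peer_pub):
    """Derive (PMK, PMKID) from our private scalar and the peer's public x."""
    peer = _lift_x(int.from_bytes(peer_pub, "big"))
    z = _mul(priv, peer)[0].to_bytes(COORD_LEN, "big")          # shared secret S
    salt = client_pub + ap_pub + GROUP.to_bytes(2, "little")
    prk = hmac.new(salt, z, hashlib.sha256).digest()             # HKDF-extract
    pmk = hmac.new(prk, b"OWE Key Generation" + b"\x01",
                   hashlib.sha256).digest()                      # HKDF-expand, T(1)
    pmkid = hashlib.sha256(client_pub + ap_pub).digest()[:16]
    return pmk, pmkid


def owe_exchange(x=None, y=None):
    """Run the association-time exchange shown in the diagram and return
    (client PMK, AP PMK, PMKID). Private scalars are random unless supplied."""
    x = x or secrets.randbelow(N - 1) + 1        # client: x <- random
    y = y or secrets.randbelow(N - 1) + 1        # AP: y <- random
    X = owe_public(x)                            # association request
    Y = owe_public(y)                            # association response
    pmk_ap, pmkid_ap = owe_pmk(y, X, Y, X)       # AP derives before replying
    pmk_client, pmkid_client = owe_pmk(x, X, Y, Y)
    assert pmkid_ap == pmkid_client
    return pmk_client, pmk_ap, pmkid_client


if __name__ == "__main__":
    c, a, pmkid = owe_exchange()
    print("PMK match:", c == a, "PMKID:", pmkid.hex())
```

Two things the diagram does not make explicit are visible here: the AP can finish its PMK before it sends the association response because it already has X, and because only x-coordinates are exchanged, the receiver must decompress the peer's point, where either choice of y yields the same shared x-coordinate. The PMKID binds both public keys, so a mismatch in either one shows up as a PMKID mismatch in the 4-way handshake rather than as a silent key disagreement.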

Enhanced Open Only Mode

Enhanced Open advertises or negotiates the following capabilities in beacons, probe responses, or association frames:

  • AKM suite selector as 00-0F-AC:18 (OWE).
  • Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128); 00-0F-AC:8 (GCMP-128), 00-0F-AC:9 (GCMP-256), or 00-0F-AC:10 (CCMP-256) could also be negotiated.
  • Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
  • Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
  • Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
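To verify that a beacon or probe response actually advertises this profile, here is an added example (not code from the original page or the vendor) that parses an RSNE body and reports any deviation from the list above. The field order and the RSN Capabilities bit positions (MFPR is bit 6, MFPC is bit 7) are taken from IEEE 802.11; the two sample elements are constructed in the code, not captured from a network.

```python
# Added example (not code from the original page): parse an RSNE body and
# check it against the Enhanced Open profile listed above. Field order and
# RSN Capabilities bit positions (MFPR = bit 6, MFPC = bit 7) follow
# IEEE 802.11; the sample elements are constructed here, not captured.
OUI = bytes.fromhex("000fac")          # 00-0F-AC, the 802.11 suite OUI
OWE_AKM = 18
OWE_PAIRWISE = {4, 8, 9, 10}           # CCMP-128, GCMP-128, GCMP-256, CCMP-256


def _suite(body, pos):
    """Read one 4-octet suite selector as (OUI, suite type)."""
    if len(body) < pos + 4:
        raise ValueError("truncated RSNE")
    return body[pos:pos + 3], body[pos + 3]


def _count(body, pos):
    return int.from_bytes(body[pos:pos + 2], "little")


def parse_rsne(body):
    """Parse an RSNE body (element ID and length already stripped). Trailing
    fields are optional in 802.11, so absent ones are reported as None/0."""
    rsne = {"version": _count(body, 0)}
    pos = 2
    rsne["group_cipher"] = _suite(body, pos)
    pos += 4
    n = _count(body, pos)
    pos += 2
    rsne["pairwise"] = [_suite(body, pos + 4 * i) for i in range(n)]
    pos += 4 * n
    n = _count(body, pos)
    pos += 2
    rsne["akm"] = [_suite(body, pos + 4 * i) for i in range(n)]
    pos += 4 * n
    caps = _count(body, pos) if len(body) >= pos + 2 else 0
    pos += 2
    rsne["mfpr"] = bool(caps & 0x40)   # Management Frame Protection Required
    rsne["mfpc"] = bool(caps & 0x80)   # Management Frame Protection Capable
    rsne["group_mgmt_cipher"] = None
    if len(body) >= pos + 2:
        pos += 2 + 16 * _count(body, pos)   # skip PMKID count and PMKID list
        if len(body) >= pos + 4:
            rsne["group_mgmt_cipher"] = _suite(body, pos)
    return rsne


def check_enhanced_open(rsne):
    """Return the ways an RSNE deviates from the Enhanced Open-only profile."""
    problems = []
    akms = {t for oui, t in rsne["akm"] if oui == OUI}
    if akms != {OWE_AKM}:
        problems.append(f"AKM must be only 00-0F-AC:18 (OWE), got {sorted(akms)}")
    bad = [t for oui, t in rsne["pairwise"] if oui != OUI or t not in OWE_PAIRWISE]
    if bad or not rsne["pairwise"]:
        problems.append(f"pairwise ciphers must be CCMP/GCMP, got {bad}")
    if rsne["group_cipher"] != (OUI, 4):
        problems.append("group data cipher must be 00-0F-AC:4 (CCMP-128)")
    if rsne["group_mgmt_cipher"] != (OUI, 6):
        problems.append("group management cipher must be 00-0F-AC:6 (BIP-CMAC-128)")
    if not (rsne["mfpr"] and rsne["mfpc"]):
        problems.append("PMF must be mandatory (MFPR=1 and MFPC=1)")
    return problems


def build_rsne(pairwise, akm, caps, group_mgmt=None):
    """Assemble a constructed RSNE body for testing."""
    suite = lambda t: OUI + bytes([t])
    body = (1).to_bytes(2, "little") + suite(4)                 # version 1, CCMP-128 group
    body += len(pairwise).to_bytes(2, "little") + b"".join(map(suite, pairwise))
    body += len(akm).to_bytes(2, "little") + b"".join(map(suite, akm))
    body += caps.to_bytes(2, "little")
    if group_mgmt is not None:
        body += (0).to_bytes(2, "little") + suite(group_mgmt)   # no PMKIDs, then group mgmt
    return body


# Constructed samples: a compliant OWE RSNE and one that leaves PMF optional.
OWE_RSNE = build_rsne([4], [OWE_AKM], 0x00C0, group_mgmt=6)      # MFPR=1, MFPC=1
WEAK_RSNE = build_rsne([4], [OWE_AKM], 0x0080, group_mgmt=6)     # MFPC=1 only

if __name__ == "__main__":
    for name, ie in (("OWE", OWE_RSNE), ("weak", WEAK_RSNE)):
        print(name, check_enhanced_open(parse_rsne(ie)) or "OK")
```

The second sample is the misconfiguration most worth catching: an AP that sets MFPC but not MFPR still negotiates OWE, but a client that chooses to skip PMF is then exposed to unprotected deauthentication and disassociation frames, which is exactly what the mandatory-PMF requirement above is meant to rule out.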

Enhanced Open (OWE) RSNE example

Enhanced Open Transition Mode

Enhanced Open Transition Mode (OWETM) offers a backwards compatible transition from unencrypted Open Wi-Fi networks. OWETM provides the ability for non-OWE clients (Open) and OWE capable clients to connect to the same Wi-Fi network.

This is accomplished by creating and broadcasting two Basic Service Sets (BSSes), each with its own beacons. Each BSS points at the other through the OWE Transition Mode Vendor IE.

  • BSS-1 for Open for non-OWE clients with the IE to indicate BSS-2.
  • BSS-2 for OWE, hidden with a zero-length SSID, with the IE to indicate BSS-1.

Enhanced Open (OWE) Transition Mode RSNE example

The beacon and probe response frames of the Open BSS include an OWE Transition Mode IE that encapsulates the BSSID and SSID of the OWE BSS.

  • The Open BSS and associated clients do not benefit from Protected Management Frames or data encryption.

The beacon and probe response frames from the OWE BSS include an OWE Transition Mode IE to encapsulate the BSSID and SSID of the Open BSS.

  • The SSID in the beacon frame from the OWE BSS will be zero length, and the RSNE includes the OWE Authentication and Key Management (AKM) selector 00-0F-AC:18.
  • PMF is required (MFPR=1 and MFPC=1) for the OWE BSS.
  • The OWE client benefits from both encryption and PMF.

The OWE client discovers the OWE AP by using active or passive scanning.
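The cross-reference between the two BSSes, checked in code as an added example (not code from the original page or the vendor). The element layout assumed here is the Wi-Fi Alliance definition of the OWE Transition Mode element: a vendor-specific element (ID 221) with the WFA OUI 50-6F-9A, OUI type 28, then BSSID (6 octets), SSID length (1 octet), SSID, and optional band info and channel octets. The two beacons, the BSSIDs and the SSID are constructed in the code, and the OWE beacon's RSNE is abbreviated because this check only looks at whether it is present.

```python
# Added example (not code from the original page): decode the OWE Transition
# Mode element from the two beacons of a transition-mode pair and check that
# they reference each other as described above. The element layout assumed
# here follows the Wi-Fi Alliance definition: vendor-specific element
# (ID 221), WFA OUI 50-6F-9A, OUI type 28, BSSID (6 octets), SSID length
# (1 octet), SSID, then optional band info and channel. Both beacons are
# constructed, not captured, and the OWE beacon's RSNE is abbreviated
# because only its presence is checked here.
WFA_OUI = bytes.fromhex("506f9a")
OWE_TRANSITION_TYPE = 28


def iter_elements(frame_body):
    """Yield (element ID, body) for each element in a beacon frame body."""
    pos = 0
    while pos + 2 <= len(frame_body):
        eid, length = frame_body[pos], frame_body[pos + 1]
        yield eid, frame_body[pos + 2:pos + 2 + length]
        pos += 2 + length


def parse_owe_transition(body):
    """Decode a vendor-specific element body; None if it is some other vendor IE."""
    if len(body) < 11 or body[:4] != WFA_OUI + bytes([OWE_TRANSITION_TYPE]):
        return None
    n = body[10]
    rest = body[11 + n:]
    return {
        "bssid": body[4:10],
        "ssid": body[11:11 + n],
        "band": rest[0] if len(rest) > 0 else None,
        "channel": rest[1] if len(rest) > 1 else None,
    }


def describe_beacon(frame_body):
    """Summarize the fields the transition-mode check needs."""
    info = {"ssid": None, "has_rsne": False, "transition": None}
    for eid, body in iter_elements(frame_body):
        if eid == 0:
            info["ssid"] = body
        elif eid == 48:
            info["has_rsne"] = True
        elif eid == 221:
            info["transition"] = parse_owe_transition(body) or info["transition"]
    return info


def check_transition_pair(open_bssid, open_beacon, owe_bssid, owe_beacon):
    """Return the ways the two beacons fail the OWE transition-mode rules."""
    o, w = describe_beacon(open_beacon), describe_beacon(owe_beacon)
    problems = []
    if o["has_rsne"]:
        problems.append("Open BSS must not carry an RSNE")
    if not w["has_rsne"]:
        problems.append("OWE BSS must carry an RSNE")
    if w["ssid"] != b"":
        problems.append("OWE BSS beacon must carry a zero-length SSID")
    ot, wt = o["transition"], w["transition"]
    if ot is None or ot["bssid"] != owe_bssid or not ot["ssid"]:
        problems.append("Open BSS transition element must name the OWE BSSID and SSID")
    if wt is None or wt["bssid"] != open_bssid or wt["ssid"] != o["ssid"]:
        problems.append("OWE BSS transition element must name the Open BSSID and SSID")
    return problems


def element(eid, body):
    return bytes([eid, len(body)]) + body


def owe_transition_element(bssid, ssid):
    return element(221, WFA_OUI + bytes([OWE_TRANSITION_TYPE]) + bssid
                   + bytes([len(ssid)]) + ssid)


# Constructed pair: Open BSS-1 advertises the SSID, hidden OWE BSS-2 does not.
OPEN_BSSID = bytes.fromhex("02aabbccdd01")
OWE_BSSID = bytes.fromhex("02aabbccdd02")
OPEN_BEACON = element(0, b"Cafe-WiFi") + owe_transition_element(OWE_BSSID, b"Cafe-WiFi")
OWE_BEACON = (element(0, b"") + element(48, b"\x01\x00")
              + owe_transition_element(OPEN_BSSID, b"Cafe-WiFi"))

if __name__ == "__main__":
    print(check_transition_pair(OPEN_BSSID, OPEN_BEACON, OWE_BSSID, OWE_BEACON) or "pair OK")
```

The check is useful during a migration because the element is the only thing that tells an OWE-capable client to prefer the hidden BSS; if either side names the wrong BSSID, OWE-capable clients quietly stay on the unencrypted BSS and the deployment looks healthy while delivering none of the benefit.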

MAC authentication

When using Enhanced Open and authorizing connecting devices using a MAC authentication method, note that the client association will be rejected if the MAC authentication returns a REJECT message on the authentication attempt. This is a change in behavior compared with an Open network, where the client device would stay associated and be left assigned in the logon user role. The MAC authentication service used by an Enhanced Open network will need to always allow the authentication attempt and return the appropriate user role for the session to continue, whether that is a user role that enforces a captive portal, allows full access to the network, or is otherwise configured.

Best Practices

Enhanced Open is suitable for use-cases such as captive portals, coffee shops, cafés, schools, enterprises, public venues like airports, stadiums, etc., anywhere that encryption is needed but identity and authentication are not.


Last modified: March 28, 2024 (15e02ac)