Enhanced Open
Wi-Fi networks with Open security transport data in the clear, offering no encryption and no protection from passive eavesdroppers.
Enhanced Open provides unauthenticated data encryption and so protects that data from sniffers.
Protocol
Open security is one of the original IEEE 802.11 access methods for connecting clients to APs. Open uses an authentication architecture called Open System Authentication (OSA), which offers no encryption. Used on its own, OSA permits WLAN access to any client.
```mermaid
sequenceDiagram
    Note over Client,AP: Discovery
    Note over Client,AP: Open System Authentication
    Note over Client,AP: Association
```
Enhanced Open adds encryption automatically, without requiring credentials, enabling private communication between client and AP. The encryption is provided by Opportunistic Wireless Encryption (OWE), defined in RFC 8110. With OWE, the client and AP perform an unauthenticated Diffie-Hellman key exchange inside the association request and response, which results in a unique Pairwise Master Key (PMK) shared by the two. After association, that PMK feeds the same 4-way handshake used by WPA2 and WPA3 networks to generate the traffic encryption keys.
```mermaid
sequenceDiagram
    Note over Client,AP: Discovery
    Note over Client,AP: Open System Authentication
    Client->>+AP: Association request with<br>Diffie-Hellman parameter<br>X (public key)
    Note left of AP: PMK generation:<br>y←random<br>Y=y*g<br>S=y*X<br>PMK=KDF(S,label)
    AP->>+Client: Association response with<br>Diffie-Hellman parameter<br>Y (public key)
    Note right of Client: PMK generation:<br>x←random<br>X=x*g<br>S=x*Y<br>PMK=KDF(S,label)
    Note over AP,Client: 4-way handshake
```
The resulting network is more secure than one protected by a shared, publicly known PSK (WPA2-Personal), because OWE is not susceptible to the passive attack in which anyone who knows the PSK and captures a client's 4-way handshake can eavesdrop on, forge, and replay that client's frames: every OWE client derives its own PMK. Enhanced Open is also easier to deploy because there is nothing to provision; there is no password. The limit, stated in RFC 8110 itself, is that the Diffie-Hellman exchange is unauthenticated: OWE defeats passive sniffing, but an active attacker who runs a rogue AP with the same SSID can still complete the exchange with the client directly.
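The exchange in the diagram, carried through end to end as an added example (my code, not the page's or any vendor's) over the mandatory group 19 (NIST P-256), following the RFC 8110 derivation: the public keys X and Y are sent as x-coordinates only, the shared x-coordinate S is the HKDF input keying material, and the diagram's `label` is the HKDF info string `"OWE Key Generation"` with the two public keys `C|A` as salt, which the abbreviation `KDF(S,label)` hides. The P-256 constants are the FIPS 186-4 values; function names (`keypair`, `lift_x`, `derive_pmk`, `owe_exchange`) are mine. The 4-way handshake that follows is not shown.

```python
import hashlib
import hmac
import secrets

# NIST P-256 (IANA group 19), the group every OWE implementation must support.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
OWE_LABEL = b"OWE Key Generation"  # the diagram's "label", from RFC 8110 section 4.4

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(p1, p2):
    """Affine addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Plain double-and-add: fine for a worked example, not constant-time."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def keypair():
    """Random private scalar plus the 32-byte x-coordinate sent in the DH Parameter element."""
    priv = secrets.randbelow(N - 1) + 1
    pub_x, _ = scalar_mult(priv, G)
    return priv, pub_x.to_bytes(32, "big")

def lift_x(x_bytes):
    """Rebuild a point from the x-only encoding OWE uses for ECC groups.
    Rejecting an x that is not on the curve is the invalid-curve check a receiver must do;
    either square root works, since both give the same shared x-coordinate."""
    x = int.from_bytes(x_bytes, "big")
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # P = 3 mod 4, so this is a modular square root
    if (y * y) % P != rhs:
        raise ValueError("peer public key is not on P-256")
    return (x, y)

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def derive_pmk(priv, peer_pub, client_pub, ap_pub):
    """S = priv * peer, x-coordinate only; PMK = HKDF-expand(HKDF-extract(C|A, S), label, 32).
    The salt is client key then AP key on both sides, so the AP passes (C, A) in that order too."""
    zx, _ = scalar_mult(priv, lift_x(peer_pub))
    z = zx.to_bytes(32, "big")
    pmk = hkdf_expand(hkdf_extract(client_pub + ap_pub, z), OWE_LABEL, 32)
    pmkid = hashlib.sha256(client_pub + ap_pub).digest()[:16]  # Truncate-128(Hash(C|A))
    return pmk, pmkid

def owe_exchange():
    """Both sides of the association exchange; returns (client_pmk, ap_pmk, pmkid)."""
    x, c_pub = keypair()  # client: Association Request carries C
    y, a_pub = keypair()  # AP: Association Response carries A
    client_pmk, client_pmkid = derive_pmk(x, a_pub, c_pub, a_pub)
    ap_pmk, ap_pmkid = derive_pmk(y, c_pub, c_pub, a_pub)
    if client_pmkid != ap_pmkid:
        raise RuntimeError("PMKID mismatch")
    return client_pmk, ap_pmk, client_pmkid
```

Calling `owe_exchange()` twice gives two different PMKs from the same two "stations", which is the property the paragraph above relies on: nothing is shared across clients, so a capture of one client's exchange is useless against another. The rejection in `lift_x` is the step an AP or client must not skip, since the peer's x-coordinate arrives in an unauthenticated association frame.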
Enhanced Open Only Mode
Enhanced Open advertises or negotiates the following capabilities in beacons, probe responses, and association frames:
- AKM suite selector `00-0F-AC:18` (OWE).
- Pairwise cipher suite selector `00-0F-AC:4` (CCMP-128); `00-0F-AC:8` (GCMP-128), `00-0F-AC:9` (GCMP-256), or `00-0F-AC:10` (CCMP-256) could also be negotiated.
- Group data cipher suite selector `00-0F-AC:4` (CCMP-128).
- Group management cipher suite selector `00-0F-AC:6` (BIP-CMAC-128).
- Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
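To verify that an RSNE seen in a beacon or probe response really matches this profile, here is an added example (my code, not the page's or any vendor's) that decodes the element and lists every deviation from the Enhanced Open only requirements listed above. The RSNE layout and the MFPR/MFPC positions (bits 6 and 7 of RSN Capabilities) come from IEEE 802.11; the two sample elements are constructed by hand, not captured from an AP, and the function names are mine.

```python
import struct

OUI = bytes.fromhex("000fac")          # IEEE 802.11 suite selector OUI 00-0F-AC
AKM_OWE = 18
CIPHER_CCMP128, CIPHER_GCMP128, CIPHER_GCMP256, CIPHER_CCMP256 = 4, 8, 9, 10
CIPHER_BIP_CMAC128 = 6
MFPR, MFPC = 0x0040, 0x0080             # RSN Capabilities bit 6 and bit 7

def _suite(buf, off):
    """A 4-byte suite selector as (oui, type)."""
    return buf[off:off + 3], buf[off + 3]

def _suite_list(buf, off):
    """Little-endian count followed by that many suite selectors."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    suites = [_suite(buf, off + 4 * i) for i in range(count)]
    return suites, off + 4 * count

def parse_rsne(ie):
    """Decode an RSNE (element ID 48). Fields after the AKM list are optional."""
    if len(ie) < 2 or ie[0] != 0x30 or len(ie) < 2 + ie[1] or ie[1] < 8:
        raise ValueError("not a complete RSNE")
    body = ie[2:2 + ie[1]]
    (version,) = struct.unpack_from("<H", body, 0)
    rsne = {"version": version, "group": _suite(body, 2)}
    rsne["pairwise"], off = _suite_list(body, 6)
    rsne["akm"], off = _suite_list(body, off)
    rsne["caps"] = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    off += 2
    if off + 2 <= len(body):
        (pmkid_count,) = struct.unpack_from("<H", body, off)
        off += 2 + 16 * pmkid_count
    rsne["group_mgmt"] = _suite(body, off) if off + 4 <= len(body) else None
    return rsne

def owe_only_violations(ie):
    """Every way the RSNE falls short of the Enhanced Open only profile; [] means compliant."""
    r = parse_rsne(ie)
    problems = []
    if r["akm"] != [(OUI, AKM_OWE)]:
        problems.append("AKM list must be exactly 00-0F-AC:18 (OWE)")
    allowed = {(OUI, c) for c in (CIPHER_CCMP128, CIPHER_GCMP128, CIPHER_GCMP256, CIPHER_CCMP256)}
    if not r["pairwise"] or not set(r["pairwise"]) <= allowed:
        problems.append("pairwise ciphers must be CCMP or GCMP, 128 or 256")
    if r["group"] != (OUI, CIPHER_CCMP128):
        problems.append("group data cipher must be 00-0F-AC:4 (CCMP-128)")
    if (r["caps"] & (MFPR | MFPC)) != (MFPR | MFPC):
        problems.append("PMF must be required and capable (MFPR=1, MFPC=1)")
    if r["group_mgmt"] != (OUI, CIPHER_BIP_CMAC128):
        problems.append("group management cipher must be 00-0F-AC:6 (BIP-CMAC-128)")
    return problems

# Constructed sample elements (hand-built, not captured from a real AP).
# Enhanced Open only: CCMP-128 group and pairwise, AKM 18, MFPR|MFPC, no PMKIDs, BIP-CMAC-128.
OWE_ONLY_RSNE = bytes.fromhex("301a" "0100" "000fac04" "0100000fac04" "0100000fac12"
                              "c000" "0000" "000fac06")
# WPA2-Personal for contrast: AKM 2 (PSK), PMF bits clear, no group management cipher.
WPA2_PSK_RSNE = bytes.fromhex("3014" "0100" "000fac04" "0100000fac04" "0100000fac02" "0000")
```

Run `owe_only_violations` over the RSNE from each BSS a survey tool reports; an Enhanced Open only BSS returns an empty list, while the WPA2-Personal sample fails on AKM, PMF, and the missing group management cipher.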
Enhanced Open Transition Mode
Enhanced Open Transition Mode (OWETM) offers a backwards-compatible migration from unencrypted Open Wi-Fi networks: non-OWE (Open) clients and OWE-capable clients can connect to the same Wi-Fi network.
This is accomplished by creating and broadcasting two Basic Service Sets (BSSes), each with its own beacons. Each BSS points at the other through the OWE Transition Mode Vendor IE.
- BSS-1: Open, for non-OWE clients, with the IE pointing at BSS-2.
- BSS-2: OWE, "hidden" with a zero-length SSID in its beacons, with the IE pointing at BSS-1.
What is that `_owetm_` and `446f0799`?
Enhanced Open in Transition Mode produces two BSSes.
- The "Open" BSS, which uses the SSID as configured.
- The OWE BSS, which uses a unique auto-generated SSID.
Here is the makeup of the auto-generated SSID:
- `_owetm_` is the prefix.
- `wpa3technote_owe` is the SSID, or the first 16 characters of it; the SSID actually configured in this example is `wpa3technote_owe_compat`.
- `446f0799` is a cyclic redundancy check (CRC).
The beacon and probe response frames of the Open BSS include an OWE Transition Mode IE that carries the BSSID and SSID of the OWE BSS.
- The Open BSS and the clients associated to it get neither Protected Management Frames nor data encryption.
The beacon and probe response frames of the OWE BSS include an OWE Transition Mode IE that carries the BSSID and SSID of the Open BSS.
- The SSID in the beacon frame of the OWE BSS is zero length (hidden), and its RSNE carries the OWE Authentication and Key Management (AKM) selector `00-0F-AC:18`.
- PMF is required (MFPR=1 and MFPC=1) for the OWE BSS.
- The OWE client benefits from both encryption and PMF.
The OWE client discovers the OWE BSS by active or passive scanning: it reads the OWE Transition Mode IE from the Open BSS's beacon or probe response and then connects to the BSSID and SSID named there.
A drawback of Enhanced Open in transition mode is that one additional BSS is advertised for every OWE BSS, which must be accounted for in per-radio BSS limits and beacon overhead.
Another drawback is that the Open BSS, and every client on it, remains unencrypted.
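As an added example of the cross-reference between the two BSSes (my code, not the page's or any vendor's), this builds and parses the OWE Transition Mode vendor element and walks a beacon's element section to find the peer BSS, the way a scanning OWE client does. The element layout (vendor element ID 0xDD, Wi-Fi Alliance OUI 50-6F-9A, OUI type 28, BSSID, SSID length, SSID, then optional band and channel bytes) comes from the Wi-Fi Alliance OWE specification rather than this page; the BSSIDs, the band and channel values, and the two beacon element sections are constructed sample data, and the function names are mine.

```python
WFA_OUI = bytes.fromhex("506f9a")   # Wi-Fi Alliance OUI
OWE_TRANSITION_TYPE = 28            # OUI type of the OWE Transition Mode element

def build_owe_transition_ie(bssid, ssid, band=None, channel=None):
    """Vendor element pointing at the peer BSS; band and channel are optional."""
    if len(bssid) != 6 or not 0 < len(ssid) <= 32:
        raise ValueError("bssid must be 6 bytes and ssid 1..32 bytes")
    body = WFA_OUI + bytes([OWE_TRANSITION_TYPE]) + bssid + bytes([len(ssid)]) + ssid
    if band is not None and channel is not None:
        body += bytes([band, channel])
    return bytes([0xDD, len(body)]) + body

def parse_owe_transition_ie(ie):
    """(bssid, ssid, band, channel) for an OWE Transition Mode element, else None."""
    if len(ie) < 2 or ie[0] != 0xDD or len(ie) < 2 + ie[1]:
        return None
    body = ie[2:2 + ie[1]]
    if body[:4] != WFA_OUI + bytes([OWE_TRANSITION_TYPE]) or len(body) < 11:
        return None
    bssid = body[4:10]
    ssid_len = body[10]
    ssid = body[11:11 + ssid_len]
    if len(ssid) != ssid_len:
        raise ValueError("truncated SSID in OWE Transition Mode element")
    rest = body[11 + ssid_len:]
    band, channel = (rest[0], rest[1]) if len(rest) >= 2 else (None, None)
    return bssid, ssid, band, channel

def iter_elements(frame_body):
    """Walk the element (ID, length, value) section of a beacon or probe response body."""
    off = 0
    while off + 2 <= len(frame_body):
        length = frame_body[off + 1]
        yield frame_body[off:off + 2 + length]
        off += 2 + length

def find_owe_peer(frame_body):
    """First OWE Transition Mode element in a frame, or None when the BSS has no peer."""
    for ie in iter_elements(frame_body):
        peer = parse_owe_transition_ie(ie)
        if peer:
            return peer
    return None

# Constructed sample data mirroring the page's example (BSSIDs are made up).
OPEN_BSSID = bytes.fromhex("001122334450")
OWE_BSSID = bytes.fromhex("001122334451")
OPEN_SSID = b"wpa3technote_owe_compat"
OWE_SSID = b"_owetm_wpa3technote_owe446f0799"  # 31 bytes: prefix + 16-char SSID + CRC

# Element section of the Open BSS beacon: SSID element (ID 0), then the pointer to the OWE BSS.
OPEN_BEACON_IES = bytes([0, len(OPEN_SSID)]) + OPEN_SSID + build_owe_transition_ie(OWE_BSSID, OWE_SSID)
# Element section of the OWE BSS beacon: zero-length SSID (hidden), then the pointer back,
# here with arbitrary sample band and channel bytes appended.
OWE_BEACON_IES = bytes([0, 0]) + build_owe_transition_ie(OPEN_BSSID, OPEN_SSID, band=2, channel=36)
```

Feeding `OPEN_BEACON_IES` to `find_owe_peer` yields the OWE BSSID and its auto-generated SSID, which is what the client needs to probe for, since the OWE BSS's own beacon carries an empty SSID. A frame with no such element parses as a plain Open BSS, which is the case the client must treat as unencrypted.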
MAC authentication
When Enhanced Open is combined with MAC authentication to authorize connecting devices, note that the client's association is rejected if the MAC authentication returns a REJECT for the attempt. This differs from an Open network, where the client stays associated and is left in the logon user role. The MAC authentication service used by an Enhanced Open network must therefore always accept the attempt and return the user role appropriate for the session, whether that role enforces a captive portal, allows full access to the network, or is configured otherwise.
Best Practices
Enhanced Open is suitable for use cases such as captive portals, coffee shops, cafés, schools, enterprises, and public venues like airports and stadiums: anywhere that encryption is needed but identity and authentication are not.