Opportunistic Wireless Encryption

Last updated
Screenshot of Android Wi-Fi configuration with the Security set to "Enhanced Open" Android-WiFi-Security-Enhanced-Open.jpg
Screenshot of Android Wi-Fi configuration with the Security set to "Enhanced Open"

Opportunistic Wireless Encryption (OWE) is a Wi-Fi standard which ensures that communication between a public hotspot and end devices is protected from other end devices. In contrast to conventional public hotspots, the data is transmitted in encrypted form. OWE was introduced by the Wi-Fi Alliance in 2018 as part of the Wi-Fi Certified Enhanced Open program. [1]

Contents

OWE is an extension to IEEE 802.11. [2] it is an encryption technique similar to that of Simultaneous Authentication of Equals (SAE) and is specified by Internet Engineering Task Force (IETF) in RFC 8110 with devices certified as Wi-Fi Certified Enhanced Open by the Wi-Fi Alliance. [3] [4]

With a network without a password, each WPA3 device that connects to it will still have its connection encrypted, OWE does encryption, not authentication, Evil twin (wireless networks) attack protection requires either WPA3-Personal or WPA3-Enterprise. [5]

Unlike conventional Wi-Fi, it provides "Individualized Data Protection" such that data traffic between a client and access point is "individualized". Other clients can still sniff and record this traffic, but they can't decrypt it.

"OWE is a means of adding encryption to open networks...OWE only protects against passive attacks." [6]

Opportunistic Wireless Encryption is a Wi-Fi Enhanced Open authentication mode, as a part of Wi-Fi Protected Access 3. [7] OWE performs an unauthenticated Diffie–Hellman (DH) key exchange at association time. [7]

For the wireless client to know the WLAN supports OWE, it must receive a Probe Response from the wireless access point in response to its Probe Request. OWE still uses 802.11 Open System Authentication, then the Elliptic Curve Diffie-Hellman Ephemeral exchange occurs in the Association process. After Association is successful the 4-way handshake can occur, and from then on data frames are encrypted. [8]

See also

Related Research Articles

<span class="mw-page-title-main">IEEE 802.11</span> Wireless network standard

IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of medium access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer communication. The standard and amendments provide the basis for wireless network products using the Wi-Fi brand and are the world's most widely used wireless computer networking standards. IEEE 802.11 is used in most home and office networks to allow laptops, printers, smartphones, and other devices to communicate with each other and access the Internet without connecting wires. IEEE 802.11 is also a basis for vehicle-based communication networks with IEEE 802.11p.

<span class="mw-page-title-main">Wireless LAN</span> Computer network that links devices using wireless communication within a limited area

A wireless LAN (WLAN) is a wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office building. This gives users the ability to move around within the area and remain connected to the network. Through a gateway, a WLAN can also provide a connection to the wider Internet.

<span class="mw-page-title-main">Wi-Fi</span> Wireless local area network

Wi-Fi is a family of wireless network protocols based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio waves. These are the most widely used computer networks, used globally in home and small office networks to link devices and to provide Internet access with wireless routers and wireless access points in public places such as coffee shops, restaurants, hotels, libraries, and airports.

<span class="mw-page-title-main">Wireless access point</span> Device that allows wireless devices to connect to a wired network

In computer networking, a wireless access point (WAP) is a networking hardware device that allows other Wi-Fi devices to connect to a wired network or wireless network. As a standalone device, the AP may have a wired or wireless connection to a switch or router, but in a wireless router it can also be an integral component of the networking device itself. A WAP and AP is differentiated from a hotspot, which can be a physical location or digital location where Wi-Fi or WAP access is available.

Wired Equivalent Privacy (WEP) is an obsolete, severely flawed security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide security/privacy comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits, was at one time widely used, and was often the first security choice presented to users by router configuration tools.

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11-2007 standard.

<span class="mw-page-title-main">Wi-Fi Alliance</span> Non-profit organization that owns the Wi-Fi trademark

The Wi-Fi Alliance is a non-profit organization that owns the Wi-Fi trademark. Manufacturers may use the trademark to brand products certified for Wi-Fi interoperability. It is based in Austin, Texas.

<span class="mw-page-title-main">Wi-Fi hotspot</span> Wi-Fi access point

A hotspot is a physical location where people can obtain Internet access, typically using Wi-Fi technology, via a wireless local-area network (WLAN) using a router connected to an Internet service provider.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

<span class="mw-page-title-main">Forward secrecy</span> Practice in cryptography

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised, limiting damage. For HTTPS, the long-term secret is typically the private key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. This by itself is not sufficient for forward secrecy which additionally requires that a long-term secret compromise does not affect the security of past session keys.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

IEEE 802.11u-2011 is an amendment to the IEEE 802.11-2007 standard to add features that improve interworking with external networks.

wpa_supplicant Open-source implementation of IEEE 802.11i

wpa_supplicant is a free software implementation of an IEEE 802.11i supplicant for Linux, FreeBSD, NetBSD, QNX, AROS, Microsoft Windows, Solaris, OS/2 and Haiku. In addition to being a WPA3 and WPA2 supplicant, it also implements WPA and older wireless LAN security protocols.

<span class="mw-page-title-main">Aircrack-ng</span> Software suite

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. Packages are released for Linux and Windows.

<span class="mw-page-title-main">Wireless repeater</span> Wireless computer networking device

A wireless repeater is a device that takes an existing signal from a wireless router or wireless access point and rebroadcasts it to create a second network. When two or more hosts have to be connected with one another over the IEEE 802.11 protocol and the distance is too long for a direct connection to be established, a wireless repeater is used to bridge the gap. It can be a specialized stand-alone computer networking device. Also, some wireless network interface controllers (WNIC)s optionally support operating in such a mode. Those outside of the primary network will be able to connect through the new "repeated" network. However, as far as the original router or access point is concerned, only the repeater MAC is connected, making it necessary to enable safety features on the wireless repeater. Wireless repeaters are commonly used to improve signal range and strength within homes and small offices.

IEEE 802.11s is a wireless local area network (WLAN) standard and an IEEE 802.11 amendment for mesh networking, defining how wireless devices can interconnect to create a wireless LAN mesh network, which may be used for relatively fixed topologies and wireless ad hoc networks. The IEEE 802.11s task group drew upon volunteers from university and industry to provide specifications and possible design solutions for wireless mesh networking. As a standard, the document was iterated and revised many times prior to finalization.

A Wi-Fi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point.

<span class="mw-page-title-main">KRACK</span> Attack on the Wi-Fi Protected Access protocol

KRACK is a replay attack on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic.

In cryptography, Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method.

References

  1. Elkasri, Lee (15 August 2023). "Opportunistic Wireless Encryption (OWE): Everything You Need to Know to Secure Your Guest Wifi". Continental Computers. Retrieved 22 October 2024.
  2. Chen, Dave (December 4, 2018). "Opportunistic Wireless Encryption…Um, What's That Again?". Network World.
  3. "Wi-Fi CERTIFIED Enhanced Open™: Transparent Wi-Fi® protections without complexity | Wi-Fi Alliance". www.wi-fi.org.
  4. "WPA3: How and why the Wi-Fi standard matters". Hewlett Packard Enterprise . August 8, 2018. Archived from the original on 2018-08-08.
  5. "Evil Twin Attack: Definition and How to Prevent It". Mediacenter. Panda Security. 21 November 2023. Retrieved 22 October 2024.
  6. Ryan, Gabriel (20 December 2019). "War Never Changes: Attacks Against WPA3's Enhanced Open — Part 2: Understanding OWE". specterops. Medium. Retrieved 22 October 2024.
  7. 1 2 Mostafa, Ahmad (2022). "What WPA3 Brings to Wi-Fi with Focus on SAE and OWE: A Review and Explanation of Basic Operations" (PDF). CWNE Candidate Paper Series. Durham, NC: Certified Wireless Network Professionals. Retrieved 22 October 2024.
  8. "Wi-Fi Security Enhancements: Part 2 – Enhanced Open (OWE)". Wi-Fi Coops. 5 August 2019. Retrieved 22 October 2024.

Further reading

Crystal Clear app network.png

This computer networking article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.