Enhancing Public Wi-Fi Security with Opportunistic Wireless Encryption (OWE)
The document discusses the use cases and implementation of Opportunistic Wireless Encryption (OWE) to improve security for users connecting to public Wi-Fi networks. OWE involves a key exchange process between clients and access points, without requiring user input for passwords. The approach also addresses challenges such as fake APs and middle-man attacks based on device ID manipulation. Overall, OWE aims to enhance the privacy and security of public Wi-Fi connections in various settings like coffee shops, airports, and hotels.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Feb 2022 Doc.: IEEE 802.11-23/22r0 Use cases discussion Date: 2023-01-09 Authors: Name Jay Yang Affiliations NOKIA Address Phone email Zhijie.yang@nokia-sbell.com Okan Mutgan okan.mutgan@nokia-sbell.com Submission Jay Yang, et al. (Nokia)
Feb 2022 Doc.: IEEE 802.11-23/22r0 Background OWE OWE (Opportunistic Wireless Encryption ,refer to RFC 8110 drafted by Dan) is an encryption method to enhance the security and privacy of users connecting to public Wi-Fi networks. Deployed in public place and offered over Open wireless network, like coffee shops, airports, hospitals, hotels, etc. The client and AP perform a Diffie-Hellman key exchange via association request/response and 4-way handshake to generate the PTK Device ID 11bh group proposed NW generated Device ID scheme to identify each returned STA in D0.2 Device ID is exchanged in 4-way handshake(association req/resp frame in FILS mode) Slide 2 Submission Jay Yang, et al. (Nokia)
Feb 2022 Doc.: IEEE 802.11-23/22r0 Frame exchange in OWE No password input by end user Open Auth Req & Resp STA AP Association req(STA pub key) Generate PMK Association resp(AP pub key) Generate PTK 4-way handshake Submission Slide 3 Jay Yang, et al. (Nokia)
Feb 2022 Doc.: IEEE 802.11-23/22r0 Device ID approach applied in OWE(normal case) No password input by end user Open Auth Req & Resp STA AP Association req & resp (STA & AP pub key) Generate PMK Key 3: device ID granted Open Auth Req & Resp Association req & resp (STA & AP pub key) Second association Key 2: provide old device ID for identification Key 3: grant new device ID Submission Slide 4 Jay Yang, et al. (Nokia)
Feb 2022 Doc.: IEEE 802.11-23/22r0 Fake AP issue in public place Several AP nodes deployed in the public place to enlarge Wi-Fi coverage 3rd party easy to mimic a legitimate AP around them(no password) STA doesn t have the ability to distinguish fake AP from legitimate AP Fake AP Submission Slide 5 Jay Yang, et al. (Nokia)
Feb 2022 Middle man attack based on device ID approach Doc.: IEEE 802.11-23/22r0 Open Auth Req & Resp Association req & resp (STA & AP pub key) Fake AP (Middle man) Returned ReturnedSTA STA Key 2: provide old device ID(ID1) from the legitimate AP for identification Key 3: grant a garbage device ID Legitimate AP Open Auth Req & Resp Association req & resp (STA & AP pub key) Mimics as a returned STA Key 2: provide ID1 for identification Key 3: grant a new device ID Slide 6 Jay Yang, et al. (Nokia) Submission
Feb 2022 Doc.: IEEE 802.11-23/22r0 Possible approach for OWE mode The returned STA should identify the AP before providing its device ID identify the AP via auth/association request/response frame exchange Submission Slide 7 Okan Mutgan, et al. (Nokia)
Feb 2022 Doc.: IEEE 802.11-23/22r0 SP1 Do you agree the returned STA shall identify AP/ESS in OWE mode via auth/association request/response frame exchange? Submission Slide 8 Okan Mutgan, et al. (Nokia)