Wi-Fi Security for Next Generation Connectivity
Perry Correll, Aerohive, Wi-Fi Alliance member
October 2018


Value of Wi-Fi
The value Wi-Fi provides to the global economy rivals the combined market value of Apple Inc. and Amazon. The fact that Wi-Fi has become a key complementary technology for enterprise and carrier networks and an essential part of the home indicates this value will only rise as next generation products and deployments become available over the next several years. Wi-Fi is one of the greatest success stories of the technology era, and its societal benefits have long been known.

Agenda
- About Wi-Fi Alliance
- Recent program activity
- Wi-Fi CERTIFIED WPA3: Next generation Wi-Fi security
- Wi-Fi CERTIFIED Easy Connect: Simple IoT device connection
- Wi-Fi CERTIFIED Enhanced Open: Better data protections in open networks

The worldwide network of companies that brings you Wi-Fi
- Effective global collaboration
- 800+ member companies
- Constant evolution
- Driving industry growth


One of the greatest success stories of the high tech era
- 9+ billion devices in use
- 3+ billion shipments per year
- Nonstop innovation
- Primary medium for global internet traffic
Source: ABI Research, 2018

Recent Wi-Fi Alliance program releases
- Wi-Fi CERTIFIED Optimized Connectivity: Part of the Wi-Fi CERTIFIED Vantage program, Wi-Fi Optimized Connectivity leverages Wi-Fi features that bring users a seamless connectivity experience when traveling across networks.
- Wi-Fi CERTIFIED Wi-Fi Aware: New capabilities and optimization for dense environments enable Wi-Fi Aware to provide more personalized mobility experiences. Native support is available in the Android Oreo operating system.
- Wi-Fi CERTIFIED EasyMesh: Harmonizing the burgeoning multiple-AP system market, Wi-Fi EasyMesh brings a standards-based approach to full coverage, self-adapting residential Wi-Fi.
- Wi-Fi CERTIFIED Enhanced Open: Wi-Fi Enhanced Open devices provide data encryption to users, preserving the convenience open networks offer while reducing some of the risks associated with accessing an unsecured network.
- Wi-Fi CERTIFIED Easy Connect: Connecting devices to Wi-Fi networks has never been simpler; Wi-Fi Easy Connect makes secure device provisioning as easy as scanning a product QR code.

Wi-Fi Protected Access: Next generation Wi-Fi security

Consumer and enterprise confidence in Wi-Fi security is essential to continued growth in Wi-Fi use

Wi-Fi CERTIFIED WPA3: Next generation Wi-Fi security
Wi-Fi security highlights
- Wi-Fi CERTIFIED WPA3 is next generation Wi-Fi security for personal and enterprise networks
- Delivers a suite of features to simplify Wi-Fi security configuration and enhance network security protections
- WPA3 brings robust authentication and increased cryptographic strength
- Offers protections in an ever-changing threat landscape
- WPA3 and Wi-Fi Easy Connect provide a good experience and secure connections

WPA3 protects users in Wi-Fi CERTIFIED networks
- WPA3 networks use the latest security methods and disallow legacy protocols, such as Temporal Key Integrity Protocol (TKIP)
- WPA3 requires use of Protected Management Frames (PMF)
- As WPA3 adoption grows, next generation Wi-Fi security will become mandatory
- WPA3 maintains interoperability with WPA2 devices through a transition mode
- WPA2, updated earlier this year, continues to be mandatory for Wi-Fi CERTIFIED devices

WPA3 supports the market through two distinct modes

WPA3-Personal: Robust, password-based authentication
- Resistant to offline dictionary attacks; stronger protections for users against password guessing attempts by third parties
- Protection even when users choose passwords that fall short of complexity recommendations
- Provides forward secrecy; protects data traffic even if a password is later compromised
- No change to the way users connect to a network

WPA3-Enterprise: Enterprise-grade security for sensitive data networks
- Available 192-bit cryptographic strength for networks transmitting sensitive data
- 192-bit security suite provides additional security for networks like government and finance
- Greater consistency in application of security protocols
- Better network resiliency

WPA3-Personal
- Password-based authentication with increased protections, replacing PSK with Simultaneous Authentication of Equals (SAE) from the IEEE 802.11 specification
- WPA3-Personal uses passwords for authentication, by proving knowledge of the password, and not for key derivation
- The SAE handshake negotiates a fresh Pairwise Master Key (PMK) per client, which is then used in a traditional Wi-Fi four-way handshake to generate session keys
- Neither the PMK nor the password credential used in the SAE exchange can be obtained by a passive attack, active attack, or offline dictionary attack
- Resistant to offline dictionary attacks because each instance of the authentication exchange only allows both parties to guess the password once
- Forward secrecy is provided because the SAE handshake assures the PMK cannot be recovered if the password becomes known
- Transition mode enables WPA2-Personal and WPA3-Personal simultaneously on a single basic service set (BSS) using the same passphrase, and clients connect at the highest security supported

WPA3-Enterprise
- WPA3-Enterprise does not fundamentally change the protocols defined in WPA2-Enterprise, and client devices will continue to interoperate with WPA3-Enterprise networks
- Disabling PMF for a WPA3-Enterprise network is not an option: PMF must be set to capable or required
- Optional 192-bit security provides additional security for segmented networks transmitting sensitive data, such as within government, healthcare, or finance
- The 192-bit security suite certifies a consistent set of cryptographic tools, including:
  - GCMP-256 for authenticated encryption
  - HMAC-SHA384 for key derivation and key confirmation
  - ECDHE and ECDSA using a 384-bit elliptic curve for key establishment and authentication
  - BIP-GMAC-256 for robust management frame protection
  - RSA key lengths of 3K bits or greater for asymmetric cryptography and digital signatures may be offered for legacy interoperability
- WPA3-Enterprise 192-bit security ensures the right combination of cryptographic tools is used, and sets a consistent baseline of security within a WPA3 network
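The 192-bit suite above pairs ECDHE and ECDSA on P-384, HMAC-SHA384 for key derivation and confirmation, and GCMP-256 (AES-256 in GCM mode) for data protection. The Go program below is an added example, not Wi-Fi Alliance or IEEE 802.11 code: it runs one authenticated ephemeral exchange between an AP identity and a client identity, derives a PMK, a key-confirmation key and a temporal key with HMAC-SHA384, confirms the keys, and protects a constructed frame with AES-256-GCM. The KDF labels, the transcript layout, the 12-byte demo nonce and the long-term ECDSA keys standing in for EAP-TLS certificates are this example's assumptions. Running the exchange twice also shows the fresh-PMK-per-session property behind the forward-secrecy claim on the WPA3-Personal slide, although SAE itself is not implemented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// SessionKeys: 48-byte PMK, 48-byte key-confirmation key (KCK), 32-byte AES-256 temporal key (TK).
// The names follow Wi-Fi usage; the derivation below is this example's own, not the standard's.
type SessionKeys struct{ PMK, KCK, TK []byte }

func hmacSHA384(key, data []byte) []byte {
	m := hmac.New(sha512.New384, key)
	m.Write(data)
	return m.Sum(nil)
}

// offer makes a fresh ephemeral ECDH P-384 key for this session and signs its public point with
// the party's long-term ECDSA P-384 key, which stands in for the certificate identity of EAP-TLS.
func offer(id *ecdsa.PrivateKey) (eph *ecdh.PrivateKey, pub, sig []byte, err error) {
	if eph, err = ecdh.P384().GenerateKey(rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	pub = eph.PublicKey().Bytes()
	digest := sha512.Sum384(pub)
	sig, err = ecdsa.SignASN1(rand.Reader, id, digest[:])
	return eph, pub, sig, err
}

// derive checks the peer's ECDSA signature, completes ECDHE and expands the shared secret with
// HMAC-SHA384 in extract-then-expand style (the labels are this example's assumptions).
func derive(eph *ecdh.PrivateKey, peerPub, peerSig []byte, peerID *ecdsa.PublicKey, transcript []byte) (*SessionKeys, error) {
	digest := sha512.Sum384(peerPub)
	if !ecdsa.VerifyASN1(peerID, digest[:], peerSig) {
		return nil, errors.New("peer ephemeral key signature does not verify")
	}
	pub, err := ecdh.P384().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	z, _ := eph.ECDH(pub) // cannot fail: both keys are on P-384
	prk := hmacSHA384([]byte("wpa3-192-example-extract"), z)
	expand := func(label string) []byte { return hmacSHA384(prk, append([]byte(label), transcript...)) }
	return &SessionKeys{PMK: expand("PMK"), KCK: expand("KCK"), TK: expand("TK")[:32]}, nil
}

// Handshake runs one authenticated ECDHE exchange between an AP identity and a client identity and
// returns each side's keys plus key confirmation: HMAC-SHA384 over the transcript under the KCK.
func Handshake(ap, client *ecdsa.PrivateKey) (apKeys, clKeys *SessionKeys, confirmed bool, err error) {
	apEph, apPub, apSig, err1 := offer(ap)
	clEph, clPub, clSig, err2 := offer(client)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, false, err
	}
	transcript := append(append([]byte{}, apPub...), clPub...)
	apKeys, err1 = derive(apEph, clPub, clSig, &client.PublicKey, transcript)
	clKeys, err2 = derive(clEph, apPub, apSig, &ap.PublicKey, transcript)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, false, err
	}
	confirmed = hmac.Equal(hmacSHA384(apKeys.KCK, transcript), hmacSHA384(clKeys.KCK, transcript))
	return apKeys, clKeys, confirmed, nil
}

// aead models GCMP-256 with AES-256-GCM; tk is always 32 bytes here, so construction cannot fail.
func aead(tk []byte) cipher.AEAD {
	block, err := aes.NewCipher(tk)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Protect/Unprotect take a 12-byte nonce (802.11 builds it from packet number and transmitter
// address so it never repeats under one TK); Unprotect fails on any bit flip in ciphertext, tag or AAD.
func Protect(tk, nonce, aad, plaintext []byte) []byte { return aead(tk).Seal(nil, nonce, plaintext, aad) }

func Unprotect(tk, nonce, aad, ciphertext []byte) ([]byte, error) {
	return aead(tk).Open(nil, nonce, ciphertext, aad)
}

func main() {
	ap, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	client, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	k1, k2, ok, err := Handshake(ap, client)
	k3, _, _, _ := Handshake(ap, client) // a second session gets fresh ephemeral keys and a fresh PMK
	fmt.Println("confirmed:", ok && err == nil, "fresh PMK per session:", !hmac.Equal(k1.PMK, k3.PMK))
	nonce := []byte("constructed!") // 12 bytes, constructed for this demo only
	ct := Protect(k1.TK, nonce, []byte("hdr"), []byte("constructed data frame payload"))
	ct[0] ^= 1 // tamper with the protected frame
	_, err = Unprotect(k2.TK, nonce, []byte("hdr"), ct)
	fmt.Println("tampered frame rejected:", err != nil)
}
```

The point to take from the layout is the one the slide makes: every primitive sits at the same 192-bit level (P-384, SHA-384, AES-256), so no single weaker component caps the strength of the whole, and a peer whose ephemeral key is not signed by a trusted identity is rejected before any key material is derived.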

WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access

Complementary programs

Wi-Fi CERTIFIED Easy Connect: simple, secure way to connect smart home and IoT devices
Wi-Fi Easy Connect highlights
- Wi-Fi Easy Connect simplifies the process of adding Wi-Fi devices with limited or no display interface to a Wi-Fi network
- Enables the use of a device with a more robust interface to easily provision and configure devices
- Use a smartphone or tablet to scan a product QR code to add devices to a Wi-Fi network
- Provides a standardized, consistent method for onboarding IoT devices
- Supports WPA2 and WPA3 networks

Wi-Fi Easy Connect enhances the user experience while maintaining secure connections
Wi-Fi Easy Connect defines two roles:
- Configurator: a trusted device, such as a smartphone, serving as a central point of configuration for all devices on the network
- Enrollee: a device that a network owner wants to connect to the network, including APs

Wi-Fi Easy Connect basics
Wi-Fi Easy Connect is based on the Wi-Fi Alliance Device Provisioning Protocol Specification, which consists of a four-step process: bootstrapping, authentication, configuration, and network access

Bootstrapping and authentication
- Every device ships with an identity in the form of a public/private key pair
- Establishes a trust relationship through exchange of public keys (one-way or mutual)
- Performed by scanning a QR code or exchanging a human-readable string
- Public keys are not part of the security credential received during configuration
- The Device Provisioning Protocol (DPP) authentication protocol establishes a secure Wi-Fi connection using the public keys

Configuration
- The configurator passes a configuration object to the enrollee over the secure connection
- The configuration object includes a credential, which may be a signed enrollee connector
- A signed enrollee connector consists of a public key (not the bootstrapping public key), network role, and group attributes, and it is unique to the Wi-Fi device owning it

Wi-Fi Easy Connect basics
Network access
- The network introduction protocol allows an enrollee client device to securely connect to an enrollee AP using connectors provided by a configurator
- The enrollee client device and enrollee AP validate that each connector is signed by the configurator and that their roles are complementary, such as client and AP
- Enrollees validate that the group attributes match
- The enrollee client and enrollee AP mutually derive a unique pairwise master key (PMK) based on their public connector keys
- The enrollee client and enrollee AP establish connectivity
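The configuration and network-access steps on this slide and the previous one (a configurator signs a connector carrying the enrollee's network-access public key, role and group; client and AP each verify the peer connector's signature, require complementary roles and a matching group, then derive a PMK from the connector keys) are modelled in the added Go example below. It is not Wi-Fi Alliance DPP code: the JSON connector body, the role names "sta" and "ap", the group name "home", the type names and the one-step HMAC-SHA256 PMK derivation are this example's assumptions standing in for the DPP wire format and its HKDF-based derivation.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Connector is the credential a configurator issues to an enrollee: the enrollee's network-access
// public key (not its bootstrapping key), its role and the group it may join. The field names and
// JSON encoding are this example's, not the DPP wire format.
type Connector struct {
	NetAccessKey []byte `json:"netAccessKey"` // uncompressed P-256 point
	Role         string `json:"role"`         // "sta" or "ap"
	Group        string `json:"group"`
}

// SignedConnector is the serialised connector plus the configurator's ECDSA P-256 signature over it.
type SignedConnector struct{ Body, Sig []byte }

// Configurator is the trusted device (such as a phone) that holds the connector signing key.
type Configurator struct{ Key *ecdsa.PrivateKey }

func NewConfigurator() (*Configurator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Configurator{Key: k}, err
}

// Issue signs a connector for an enrollee whose network-access public key is given.
func (c *Configurator) Issue(netAccessPub []byte, role, group string) (SignedConnector, error) {
	body, err := json.Marshal(Connector{NetAccessKey: netAccessPub, Role: role, Group: group})
	if err != nil {
		return SignedConnector{}, err
	}
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, c.Key, h[:])
	return SignedConnector{Body: body, Sig: sig}, err
}

// Enrollee is any device joining the network, client or AP. It owns a network-access key pair and,
// after configuration, a connector signed by the configurator.
type Enrollee struct {
	netAccess *ecdh.PrivateKey
	Connector SignedConnector
}

func NewEnrollee() (*Enrollee, error) {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	return &Enrollee{netAccess: k}, err
}

func (e *Enrollee) NetAccessPub() []byte { return e.netAccess.PublicKey().Bytes() }

// Introduce runs the network-introduction checks each side applies to the peer's connector (signed by
// the trusted configurator, complementary roles, matching group) and then derives the PMK from the
// two network-access keys. Client and AP must arrive at the same value.
func (e *Enrollee) Introduce(peer SignedConnector, trusted *ecdsa.PublicKey) ([]byte, error) {
	h := sha256.Sum256(peer.Body)
	if !ecdsa.VerifyASN1(trusted, h[:], peer.Sig) {
		return nil, errors.New("peer connector is not signed by the trusted configurator")
	}
	var mine, theirs Connector
	if err := errors.Join(json.Unmarshal(e.Connector.Body, &mine), json.Unmarshal(peer.Body, &theirs)); err != nil {
		return nil, err
	}
	if !((mine.Role == "sta" && theirs.Role == "ap") || (mine.Role == "ap" && theirs.Role == "sta")) {
		return nil, fmt.Errorf("roles %q and %q are not complementary", mine.Role, theirs.Role)
	}
	if mine.Group != theirs.Group {
		return nil, fmt.Errorf("group mismatch: %q vs %q", mine.Group, theirs.Group)
	}
	peerKey, err := ecdh.P256().NewPublicKey(theirs.NetAccessKey)
	if err != nil {
		return nil, err
	}
	z, _ := e.netAccess.ECDH(peerKey) // cannot fail: both keys are on P-256
	// PMK = HMAC-SHA256(z, label): a one-step KDF standing in for DPP's HKDF derivation (assumption).
	m := hmac.New(sha256.New, z)
	m.Write([]byte("dpp-example-pmk"))
	return m.Sum(nil), nil
}

func main() {
	cfg, _ := NewConfigurator()
	sta, _ := NewEnrollee()
	ap, _ := NewEnrollee()
	sta.Connector, _ = cfg.Issue(sta.NetAccessPub(), "sta", "home") // constructed group name
	ap.Connector, _ = cfg.Issue(ap.NetAccessPub(), "ap", "home")
	a, err1 := sta.Introduce(ap.Connector, &cfg.Key.PublicKey)
	b, err2 := ap.Introduce(sta.Connector, &cfg.Key.PublicKey)
	fmt.Println("introduction ok:", errors.Join(err1, err2) == nil && hmac.Equal(a, b))
}
```

The order of the checks matters for a defender: the signature is verified before the body is even parsed, so a connector from a configurator the network does not trust, a second station posing as an AP, or a device provisioned for a different group is rejected without any key agreement taking place, and only two enrollees that pass all three checks end up sharing a PMK.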

Wi-Fi CERTIFIED Enhanced Open: Better data protections in open networks
- Preserves the convenience of open networks while reducing associated risks
- Provides protections in scenarios where user authentication is not desired or distribution of credentials is impractical
- Protections against passive eavesdropping, without a password or extra steps to join the network
- Integrates established cryptography mechanisms to provide each user with unique individual encryption
- Wi-Fi Alliance recommends using Wi-Fi Protected Access security when possible; when it is not, Wi-Fi Enhanced Open brings protections that traditional open networks do not

Wi-Fi Enhanced Open
- Wi-Fi Enhanced Open technology is based on Opportunistic Wireless Encryption (OWE), defined in Internet Engineering Task Force (IETF) RFC 8110
- OWE overlays an Elliptic-curve Diffie-Hellman (ECDH) key exchange on top of association to a Wi-Fi network
- OWE does not provide authentication, and does not guard against man-in-the-middle attacks that lure clients to connect to a rogue AP
- OWE does protect against passive eavesdropping, as well as unsophisticated packet injection such as deauthentication storm attacks or layer-2 injection of data into insecure HTTP sessions
- Network managers must remain vigilant in monitoring for rogue APs and active attackers that modify information being transmitted on a network
- Certain types of insider attacks, such as ARP spoofing, might be mitigated on Wi-Fi Enhanced Open networks by configuring the network to isolate clients

Thank you!
- Wi-Fi Alliance introduces next generation WPA3 security for personal and enterprise networks
- WPA3 brings simplified security, robust authentication, and increased cryptographic strength
- WPA2 remains mandatory for Wi-Fi CERTIFIED devices. As WPA3 adoption grows, WPA3 will become mandatory.
- Wi-Fi Easy Connect delivers a simple, secure way to connect smart home and IoT devices
- Wi-Fi Alliance always recommends Wi-Fi security. In scenarios where authentication is not possible or desired, Wi-Fi Enhanced Open provides additional data protections

Wi-Fi: Cornerstone of connected life today, and into the future
Please provide your feedback on today's presentation: https://www.surveymonkey.com/r/wifipresentation