Open SSIDs continue to be used across many networks. Prior to Opportunistic Wireless Encryption (OWE), communications between devices and access points were unencrypted. But we relied on applications to provide increased security.
An open SSID usually provides a device with network access after the 802.11 association.
OWE improves upon open networks, that don’t use a pre-shared key or 802.1X, by encrypting unicast and broadcast data. And in Wi-Fi 6E, an open SSID must be configured to use OWE.
Download the OWE Frame Exchange infographic PDF.
The magic of OWE lies within the Association frames. A Diffie-Hellman key exchange occurs during the 802.11 association. A Diffie-Hellman parameter element inserted, as can be seen in the screenshots below. Included is the Public Key of the transmitter. As a result, a pairwise secret is created and is used in the 4-Way Handshake.
Download my 6 GHz OWE pcap file.
An OWE SSID is identified by the RSN Information Element within the Auth Key Management (AKM) suite.
OWE includes a Diffie-Hellman Parameter element (ID 255) in the Association frame. The device will add its public key in the Association Request.
The Association Response looks similar, as the AP includes its public key:
The Diffie-Hellman Parameters are checked for validity, and once the device and AP move through association, the Diffie-Hellman key exchange is completed. As a result, a Pairwise Master Key (PMK) and PMKID is created.
Following the Association is the 4-Way Handshake in which the PMK is used.
The 4-way handshake generates a Key-Encrypting Key (KEK), Key-Confirmation Key (KCK), and Message Integrity Check (MIC) to protect the frames of the 4-Way Handshake.
At the end of the 4-Way Handshake we have the Pairwise Transient Key (PTK) encryption keys to protect unicast and broadcast data.
In my packet capture, these are the frame exchanges that occur between a Samsung S22+ and an OWE SSID configured on my EnGenius ECW336.
The exchange:
- Device sends probe request for SSID
- AP sends probe response
- Device sends an Authentication frame [Open System 802.11 Auth]
- AP sends acknowledgement frame [Open System 802.11 Auth]
- AP sends Authentication frame [Open System 802.11 Auth]
- Device sends acknowledgement frame [Open System 802.11 Auth]
- Device sends Association Request frame
- AP sends acknowledgement frame
- AP sends Association Response frame
- Device sends acknowledgement frame
- AP sends Message 1
- Device sends acknowledgement frame
- Device sends Message 2
- AP sends acknowledgement frame
- AP sends Message 3
- Device sends acknowledgement frame
- Device sends Message 4
Leave a Reply