{"id":5642,"date":"2024-11-03T19:43:00","date_gmt":"2024-11-03T18:43:00","guid":{"rendered":"https:\/\/cyber-fi.net\/?p=5642"},"modified":"2025-11-20T22:36:24","modified_gmt":"2025-11-20T21:36:24","slug":"wpa3-192-bit-mode","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2024\/11\/03\/wpa3-192-bit-mode\/","title":{"rendered":"WPA3-192-bit mode"},"content":{"rendered":"\n<p>This year, I presented the topic WPA3-192-bit mode at the WLAN Klassentreffen (in German) and WLPC in Prague as a 10Talk.<\/p>\n\n\n\n<p>This is the video recording from WLPC:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"WPA3 192 bit Mode | Karsten Iwen | WLPC Prague 2024\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/00StrFOsYK4?list=PLXJsNZqZEF9bQJLPZqZLAapN-p2Ayc9qB\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Here is the presentation from WLPC 2024 in Prague:<\/p>\n\n\n\n<div data-wp-interactive=\"core\/file\" class=\"wp-block-file\"><object data-wp-bind--hidden=\"!state.hasPdfPreview\" hidden class=\"wp-block-file__embed\" data=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Karsten-Iwen-WPA3-192-EN.pdf\" type=\"application\/pdf\" style=\"width:100%;height:600px\" aria-label=\"Embed of Karsten-Iwen-WPA3-192-EN.\"><\/object><a id=\"wp-block-file--media-963a69db-474b-4bd4-800c-8db58fa1f0c1\" href=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Karsten-Iwen-WPA3-192-EN.pdf\">Karsten-Iwen-WPA3-192-EN<\/a><a href=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Karsten-Iwen-WPA3-192-EN.pdf\" class=\"wp-block-file__button wp-element-button\" download 
aria-describedby=\"wp-block-file--media-963a69db-474b-4bd4-800c-8db58fa1f0c1\">Download<\/a><\/div>\n\n\n\n<p>And the German version from the WLAN Klassentreffen 2024 in Hamburg:<\/p>\n\n\n\n<div data-wp-interactive=\"core\/file\" class=\"wp-block-file\"><object data-wp-bind--hidden=\"!state.hasPdfPreview\" hidden class=\"wp-block-file__embed\" data=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Karsten-Iwen-WPA3-192-DEU.pdf\" type=\"application\/pdf\" style=\"width:100%;height:600px\" aria-label=\"Embed of Karsten-Iwen-WPA3-192-DEU.\"><\/object><a id=\"wp-block-file--media-4f9978aa-238f-41ba-9e78-c8ebfbff3eba\" href=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Karsten-Iwen-WPA3-192-DEU.pdf\">Karsten-Iwen-WPA3-192-DEU<\/a><a href=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Karsten-Iwen-WPA3-192-DEU.pdf\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-4f9978aa-238f-41ba-9e78-c8ebfbff3eba\">Download<\/a><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Some more information on this exciting topic:<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">The long journey to WPA3<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"177\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.38.38-1024x177.jpg\" alt=\"\" class=\"wp-image-5645\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.38.38-1024x177.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.38.38-300x52.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.38.38-768x132.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.38.38-1536x265.jpg 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.38.38.jpg 1565w\" 
sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>It took a long time after WPA2 was released in 2004 before WPA3 brought new security. But security still evolved in the IEEE 802.11 standard in the meantime:<\/p>\n\n\n\n<p>IEEE Std 802.11-2012 added a couple of new AKMs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AKM suites 3 and 4 with SHA-256 from 802.11r<\/li>\n\n\n\n<li>AKM suites 5 and 6 as an improvement of AKM 1 and 2, with SHA-256 key derivation<\/li>\n<\/ul>\n\n\n\n<p>IEEE Std 802.11-2016 again added new AKMs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AKM suite 8 with SAE authentication and SHA-256 (the main AKM in WPA3-Personal)<\/li>\n\n\n\n<li>AKM suite 9: FT authentication over SAE<\/li>\n\n\n\n<li>AKM suite 11 with SHA-256 key derivation and a Suite B compliant EAP method (now deprecated in 802.11-2020)<\/li>\n\n\n\n<li>AKM suite 12 is similar to AKM 11, but the key derivation is done with SHA-384; this is what we use in WPA3-192<\/li>\n\n\n\n<li>AKM suite 13 as the FT method of AKM 12<\/li>\n\n\n\n<li>This standard also added the optional Management Frame Protection from 802.11w<\/li>\n<\/ul>\n\n\n\n<p>Quite a lot of options to choose from. 
But with WPA3 Enterprise, the less secure options are gone:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No more AKM1 (Key derivation with SHA-1)<\/li>\n\n\n\n<li>Management Frame Protection is mandatory<\/li>\n<\/ul>\n\n\n\n<p>WPA3 Enterprise 192-bit mode raises the bar to a new level with restrictions for the EAP exchange between the Supplicant and the Authentication Server, which needs a 192-bit security level, SHA-384 and GCMP-256.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Security Level &#8211; Recommendations<\/h3>\n\n\n\n<p>These are the recommendations from BSI, ECRYPT, and a Wikipedia page for CNSA:<\/p>\n\n\n\n<p><a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/EN\/BSI\/Publications\/TechGuidelines\/TG02102\/BSI-TR-02102-1.html\" target=\"_blank\" rel=\"noreferrer noopener\"><em>BSI TR-02102-1: &#8220;Cryptographic Mechanisms: Recommendations and Key Lengths&#8221; Version: 2024-1<\/em><\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/ec.europa.eu\/research\/participants\/documents\/downloadPublic?documentIds=080166e5ba203b9b&amp;appId=PPGMS\" target=\"_blank\" rel=\"noreferrer noopener\"><em>ECRYPT \u2013 CSA: D5.4 Algorithms, Key Size and Protocols Report (2018)<\/em><\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Commercial_National_Security_Algorithm_Suite\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Wikipedia: Commercial National Security Algorithm Suite<\/em><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Security Level &#8211; Encryption<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"470\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.55.44-1024x470.jpg\" alt=\"\" class=\"wp-image-5646\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.55.44-1024x470.jpg 1024w, 
https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.55.44-300x138.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.55.44-768x352.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.55.44-1536x704.jpg 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-16.55.44.jpg 1703w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>The security level of WEP\/TKIP, based on RC4, is difficult to describe. But it is easy to state that it is far away from the general recommendation of 128-bit security.<\/p>\n\n\n\n<p>The security level of AES-128 is sometimes described as lower than 128 bits because known attacks can break it with about 2<sup>126<\/sup> operations. However, this is irrelevant in practice as long as such an attack needs 2<sup>88<\/sup> chosen plaintexts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Security Level &#8211; Key Derivation<\/h3>\n\n\n\n<p>The security level of hash algorithms is not really easy to describe in the context of Wireless LANs. A hash algorithm is considered cryptographically strong if it is resistant to all of the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collision attacks: Finding two inputs with the same hash value is infeasible. Here the security strength (security level) is typically half the hash output length.<\/li>\n\n\n\n<li>Pre-image attacks: It is infeasible to find an input for a given random hash value. The security strength is typically the hash output length.<\/li>\n\n\n\n<li>2nd pre-image attacks: It is infeasible to find a second input that produces the same hash value as a given input. The security strength is the hash output length minus a component dependent on the input length.<\/li>\n<\/ul>\n\n\n\n<p>Collision resistance is not important for key-derivation functions and HMACs. 
However, all current recommendations suggest using only cryptographically strong hash functions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Security Level &#8211; Authentication<\/h3>\n\n\n\n<p>Stating that the security level of personal mode authentication is &#8220;somewhere between zero and very low&#8221; sounds slightly strong. But how secure is it?<\/p>\n\n\n\n<p>The following is stated in the IEEE 802.11-2020 standard:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>12.7.6.8 4-way handshake analysis<\/p>\n\n\n\n<p>The following is an analysis of the 4-way handshake.<\/p>\n\n\n\n<p>This subclause makes the trust assumptions used in this protocol explicit. The protocol assumes the following:<br>\u2014 The PMK is known only by the Supplicant\u2019s STA and the Authenticator\u2019s STA.<\/p>\n<\/blockquote>\n\n\n\n<p>and<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>If any of these assumptions are broken, then the protocol fails to provide any security guarantees.<\/p>\n<\/blockquote>\n\n\n\n<p>Especially with WPA2, where the PMK depends only on the passphrase and the SSID, and given that the passphrase is often known to the employees (not pushed through an MDM), this assumption is definitely broken.<\/p>\n\n\n\n<p>For WPA3-192, the relevant part is that all certificates in the chain, including the endpoint certificates, provide a 192-bit security level. We must use RSA-3072 (or higher) or EC-384 (or higher).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The WPA3 Specification<\/h3>\n\n\n\n<p>The WPA3 specification is far away from being specific enough. The early versions didn&#8217;t even specify the AKM suite that should be used. 
This is from the specification v1.0 from 2018:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>3 WPA3-Enterprise 192-bit Mode<\/strong><\/p>\n\n\n\n<p>WPA3-Enterprise 192-bit Mode may be deployed in sensitive enterprise environments to further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.<\/p>\n\n\n\n<p><strong>3.1 WPA3-Enterprise 192-bit Mode requirements<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>When WPA3-Enterprise 192-bit Mode is used by an AP, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the AP).<\/li>\n\n\n\n<li>When WPA3-Enterprise 192-bit Mode is used by a STA, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the STA).<\/li>\n\n\n\n<li>Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit Mode are:<br>\u25aa TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br>     &#8211; ECDHE and ECDSA using the 384-bit prime modulus curve P-384<br>\u25aa TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>     &#8211; ECDHE using the 384-bit prime modulus curve P-384<br>     &#8211; RSA \u2265 3072-bit modulus<br>\u25aa TLS_DHE_RSA_WITH_AES_256_GCM_SHA384<br>     &#8211; RSA \u2265 3072-bit modulus<br>     &#8211; DHE \u2265 3072-bit modulus<\/li>\n<\/ol>\n<\/blockquote>\n\n\n\n<p>Version 3.3 from 2024 is a little bit more specific:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>3.5 WPA3-Enterprise 192-bit mode<\/strong><\/p>\n\n\n\n<p>WPA3-Enterprise 192-bit mode is well suited for deployments in sensitive enterprise environments to further protect WiFi \u00ae networks with higher security requirements such as government, defense, and industrial.<\/p>\n\n\n\n<p>When operating in WPA3-Enterprise 192-bit mode:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>An 
AP&#8217;s BSS configuration shall enable AKM suite selector 00-0F-AC:12 (Suite B 192b) and shall not enable any other AKM suite selector.<br>Note: WPA3-Enterprise 192-bit mode does not interoperate with any other security mode.<\/li>\n\n\n\n<li>A STA&#8217;s Network Profile shall allow AKM suite selector 00-0F-AC:12 (Suite B 192b) and shall not allow any other AKM suite selector.<\/li>\n\n\n\n<li>An AP&#8217;s BSS configuration shall be PMF Required, i.e., AP sets MFPC to 1 and MFPR to 1 in beacons and probe responses of the BSS.<\/li>\n\n\n\n<li>A STA&#8217;s Network Profile shall be PMF Required, i.e., STA sets MFPC to 1 and MFPR to 1 in all (re)association requests to APs in that network.<\/li>\n\n\n\n<li>Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit mode are:<br>\u25aa TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br>      &#8211; ECDHE and ECDSA using the 384-bit prime modulus curve P-384 <br>\u25aa TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>      &#8211; ECDHE using the 384-bit prime modulus curve P-384<br>      &#8211; RSA \u2265 3072-bit modulus <br>\u25aa TLS_DHE_RSA_WITH_AES_256_GCM_SHA384<br>      &#8211; RSA \u2265 3072-bit modulus<br>      &#8211; DHE \u2265 3072-bit modulus<\/li>\n<\/ol>\n<\/blockquote>\n\n\n\n<p>I have used EC certificates on my RADIUS servers for quite some time. Because of that, the cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 is the one I see most often in the RADIUS server logs, also for standard WPA2\/WPA3-Enterprise.<\/p>\n\n\n\n<p>With RADIUS servers that support TLS 1.3 (for example, ISE 3.3 Patch 2), I often see the TLS 1.3 cipher TLS_AES_256_GCM_SHA384. 
Although not &#8220;allowed&#8221; by the WPA3-192 specification, this is even more secure.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">The relevant RFCs:<\/h4>\n\n\n\n<p><em><a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc5216\" target=\"_blank\" rel=\"noreferrer noopener\">The EAP-TLS Authentication Protocol<\/a><br><a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc9190\" target=\"_blank\" rel=\"noreferrer noopener\">EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3<\/a><br><\/em><a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8422\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier<\/em><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The role of the RADIUS server<\/h3>\n\n\n\n<p>One question that comes up sometimes is whether the RADIUS server has to be WPA3-192-bit compliant. Many bright people say &#8220;yes&#8221;, but I tend to say &#8220;no&#8221; (I might be wrong). This is mainly for two reasons:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>To my knowledge, the Wi-Fi Alliance doesn&#8217;t certify RADIUS servers. But they certify clients, and with that, I see the responsibility on the client side (and we&#8217;ll see later how bad this can be). For sure, the RADIUS server has to support the needed TLS cipher suites. But with WPA3 not being a standard but an industry certification, it doesn&#8217;t have to be WPA3 compliant.<\/li>\n\n\n\n<li>The WPA3 specification does not address the transport of the MSK to the Authenticator. This is plain RADIUS, which heavily depends on MD5. Because of that, the security level of this transport is far away from a 192-bit level. 
We should consider securing the RADIUS transport with RADsec, RADIUS over DTLS, or other security measures for a secure system.<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.14.43-1024x577.jpg\" alt=\"\" class=\"wp-image-5647\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.14.43-1024x577.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.14.43-300x169.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.14.43-768x432.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.14.43-1536x865.jpg 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.14.43.jpg 2016w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>For the RADIUS attributes, I wrote about this in a previous blog-post:<br><a href=\"https:\/\/cyber-fi.net\/index.php\/2022\/08\/17\/tuning-the-cisco-ise-for-meraki-networks\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Tuning the Cisco ISE for Meraki Networks<\/em><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The impact of Quantum Computers<\/h3>\n\n\n\n<p>For the transition to algorithms that are secure against quantum computers, there is a timeline in the CNSA 2.0 specification:<\/p>\n\n\n\n<p><a href=\"https:\/\/media.defense.gov\/2022\/Sep\/07\/2003071834\/-1\/-1\/0\/CSA_CNSA_2.0_ALGORITHMS_.PDF\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Commercial National Security Algorithm Suite 2.0<\/em><\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"497\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/image-1024x497.png\" alt=\"\" 
class=\"wp-image-5648\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/image-1024x497.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/image-300x146.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/image-768x373.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/image-1536x745.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/image-2048x993.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The year 2030 &#8220;feels&#8221; far away, but for a transition to entirely new algorithms for asymmetric cryptography, six years is not too much time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The roaming problem<\/h3>\n\n\n\n<p>IEEE 802.11-2020 not only specifies AKM 12 for 192-bit security, there is also AKM 13 with FT mode:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"380\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-18.24.05-1024x380.jpg\" alt=\"\" class=\"wp-image-5663\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-18.24.05-1024x380.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-18.24.05-300x111.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-18.24.05-768x285.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-18.24.05.jpg 1090w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>The WPA3 specification 3.3 explicitly only allows AKM 12. 
<a href=\"https:\/\/wizardfi.com\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Josh Schmelzle<\/em><\/a> from Aruba (you want to subscribe to his blog) provided the hint that the reason could be that the FT distribution process could not be 192-bit compliant.<\/p>\n\n\n\n<p>But without Fast BSS Transition support we might see quite slow roams:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"508\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/c9800-slow-1024x508.png\" alt=\"\" class=\"wp-image-5664\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/c9800-slow-1024x508.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/c9800-slow-300x149.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/c9800-slow-768x381.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/c9800-slow-1536x762.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/c9800-slow.png 1738w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>The legacy roam mechanism could still work. 
For example, Sticky Key Caching, which I saw in my Meraki Roaming Analysis:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"502\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Roam-I-XXX-iPhone-SKC-1024x502.jpg\" alt=\"\" class=\"wp-image-5665\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Roam-I-XXX-iPhone-SKC-1024x502.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Roam-I-XXX-iPhone-SKC-300x147.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Roam-I-XXX-iPhone-SKC-768x376.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/Roam-I-XXX-iPhone-SKC.jpg 1378w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Screenshot<\/figcaption><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\">AP support<\/h3>\n\n\n\n<p>My first tests with 192-bit mode didn&#8217;t work at all. Obviously, the Supplicant, Authenticator, and also the Authentication server need to support this. My Cisco ISE is fine, as all required EAP ciphers are supported. But when configuring it, the WPA3-192 SSID did not get announced.<\/p>\n\n\n\n<p>The reason was stated in the <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/products\/collateral\/wireless\/catalyst-9100ax-access-points\/wpa3-dep-guide-og.html\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Cisco WPA3 Deployment Guide<\/em><\/a><a href=\"https:\/\/www.cisco.com\/c\/en\/us\/products\/collateral\/wireless\/catalyst-9100ax-access-points\/wpa3-dep-guide-og.html\"><em>:<\/em><\/a><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Note: SuiteB192-1X is not supported in C9120\/C9105\/C9115 APs and in Flexconnect Mode. 
<\/p>\n<\/blockquote>\n\n\n\n<p>I was using my C9120 in FlexConnect mode for this test.<\/p>\n\n\n\n<p>Luckily, my mid-range Meraki MR36 and MR44 support 192-bit mode, and so does the CW916x. But sadly, there is no visibility into the negotiated parameters in the Meraki Dashboard. Still better than nothing.<\/p>\n\n\n\n<p>My tests with Juniper Mist also failed. After reading the <a href=\"https:\/\/www.mist.com\/documentation\/march-29th-2024-updates\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Product Updates from 2024-03-29<\/em><\/a>, I updated my Mist APs to the required version and configured 192-bit mode, but the SSID was not announced. Later, I discovered that WPA3-192 is only supported on Wi-Fi 6E APs, but my APs are only Wi-Fi 6. Mist Support told me they plan to add support for WPA3-192 on Wi-Fi 6 APs later.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The misbehaving clients<\/h3>\n\n\n\n<p>When I configured my first SSID for 192-bit mode, my iPhone, iPad, Mac Studio, and MS Surface with Windows 11 connected without problems. Only my Pixel 6a with Android (I think it was version 13 back then) refused to connect. The problem was that I reused my existing certificates. All of these (root, intermediate, server, and endpoints) used keys on 256-bit elliptic curves, which only give a 128-bit security level. My Apple devices and Windows didn&#8217;t care. Only Android behaved correctly and refused the connection.<\/p>\n\n\n\n<p>The next problem was the key exchange. 
The Apple devices all announce support for many cipher suites, which are not only disallowed by the WPA3 specification but also provide a security level far below 128 bits:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"662\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/11\/CleanShot-2024-11-02-at-11.14.03-1024x662.jpg\" alt=\"\" class=\"wp-image-5672\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/11\/CleanShot-2024-11-02-at-11.14.03-1024x662.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/11\/CleanShot-2024-11-02-at-11.14.03-300x194.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/11\/CleanShot-2024-11-02-at-11.14.03-768x497.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/11\/CleanShot-2024-11-02-at-11.14.03.jpg 1320w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>My Xiaomi Mi11 was equally bad with the cipher suites it sent; my Pixel 6a was much better, but still not compliant with the WPA3 specification:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"717\" height=\"439\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/11\/CleanShot-2024-11-02-at-11.19.12.jpg\" alt=\"\" class=\"wp-image-5673\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/11\/CleanShot-2024-11-02-at-11.19.12.jpg 717w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/11\/CleanShot-2024-11-02-at-11.19.12-300x184.jpg 300w\" sizes=\"auto, (max-width: 717px) 100vw, 717px\" \/><\/figure>\n<\/div>\n\n\n<p>Although the supported group is right (and this is what practically matters), the WPA3 specification prohibits three of these cipher suites. 
I would not complain for practical reasons, as this selection of cipher suites is still highly secure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">PCAP or it didn&#8217;t happen<\/h3>\n\n\n\n<p>The only interesting frames for the 192-bit mode are:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">The Beacon<\/h4>\n\n\n\n<p>Quite boring &#8230; This is the RSN Information:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1015\" height=\"453\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.44.53.jpg\" alt=\"\" class=\"wp-image-5656\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.44.53.jpg 1015w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.44.53-300x134.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.44.53-768x343.jpg 768w\" sizes=\"auto, (max-width: 1015px) 100vw, 1015px\" \/><\/figure>\n<\/div>\n\n\n<p>The relevant parts are (based on the WPA3 specification and the 802.11 standard):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Only AKM 12 is included<\/li>\n\n\n\n<li>The Pairwise and Group Cipher Suite is GCMP-256<\/li>\n\n\n\n<li>Same as with &#8220;normal&#8221; WPA3, MFP is required and the used cipher suite is BIP-GMAC-256.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">The EAP-Key Exchange<\/h4>\n\n\n\n<p>This is already covered above.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">The 4-Way handshake<\/h4>\n\n\n\n<p>Here, only two elements are of interest, as they change from &#8220;normal&#8221; WPA2\/WPA3 to 192-bit mode:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Key Descriptor Version<\/li>\n\n\n\n<li>The Key Length<\/li>\n<\/ul>\n\n\n\n<p>This is Message one of the 4-Way Handshake with WPA3-Enterprise:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" 
decoding=\"async\" width=\"688\" height=\"330\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.36.58.jpg\" alt=\"\" class=\"wp-image-5653\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.36.58.jpg 688w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.36.58-300x144.jpg 300w\" sizes=\"auto, (max-width: 688px) 100vw, 688px\" \/><\/figure>\n<\/div>\n\n\n<p>This is Message one of the 4-Way Handshake with WPA3-Enterprise in 192-bit-mode:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"520\" height=\"344\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.36.04.jpg\" alt=\"\" class=\"wp-image-5652\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.36.04.jpg 520w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.36.04-300x198.jpg 300w\" sizes=\"auto, (max-width: 520px) 100vw, 520px\" \/><\/figure>\n<\/div>\n\n\n<p>The Key length changes from 16 to 32 as we use AES-256 instead of AES-128.<\/p>\n\n\n\n<p>The IEEE 802.11-2020 standard defines the Key Descriptor version:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"252\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.40.27-1024x252.jpg\" alt=\"\" class=\"wp-image-5654\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.40.27-1024x252.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.40.27-300x74.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.40.27-768x189.jpg 768w, 
https:\/\/cyber-fi.net\/wp-content\/uploads\/2024\/10\/CleanShot-2024-10-31-at-17.40.27.jpg 1105w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\">Start Now! &#8211; The conclusion<\/h3>\n\n\n\n<p>192-bit mode is certainly not for everyone. The missing Fast BSS Transition is a huge drawback in times when people run around while doing Teams calls. Employees from Juniper and Meraki also told me that the adoption of the 192-bit mode is very low.<\/p>\n\n\n\n<p>However, the first step in implementing WPA3-192 should be done regardless of the WPA3 security we plan to use: building a Public Key Infrastructure (PKI) that supports a 192-bit security level. I would go with EC-384 certificates as I consider RSA to be legacy. The recommendations referenced from BSI and ECRYPT see the security of RSA-3072 as higher than that of EC-384; this should also be considered.<\/p>\n\n\n\n<p>And this PKI will not only be the requirement for the 192-bit mode of WPA3. It will also be a requirement for many advanced security challenges in the future.<\/p>\n\n\n\n<p><strong>Conclusion 2<\/strong>: IEEE 802.11-2024 introduces the new AKMs 22 and 23 with similar security. They also use SHA-384 and GCMP-256, and AKM 22 uses FT key management. This could be a better solution for high security in the future.<\/p>\n\n\n\n<p>Have fun implementing the best security possible!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This year, I presented the topic WPA3-192-bit mode at the WLAN Klassentreffen (in German) and WLPC in Prague as a 10Talk. 
This is the video recording from WLPC: Here is the presentation from WLPC 2024 in Prague: And the German version from the WLAN Klassentreffen 2024 in Hamburg: Some more information on this exciting topic: <\/p>\n<div class=\"read-more-text\"><a href=\"https:\/\/cyber-fi.net\/index.php\/2024\/11\/03\/wpa3-192-bit-mode\/\" class=\"read-more\">continue reading<\/a><\/div>\n","protected":false},"author":2,"featured_media":5767,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[717],"tags":[747,750,741,494,746,749,748,715,712,745],"class_list":["post-5642","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wireless","tag-cnsa","tag-eap-tls","tag-ieee-802-11","tag-radius","tag-suite-b-192","tag-wi-fi-alliance","tag-wlan-klassentreffen","tag-wlpc","tag-wpa3","tag-wpa3-192"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=5642"}],"version-history":[{"count":31,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5642\/revisions"}],"predecessor-version":[{"id":5692,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5642\/revisions\/5692"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media\/5767"}],"wp:attachment":[{"href":"https:\/
\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=5642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=5642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/tags?post=5642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}